Bitcoin ABC 0.33.6
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <time.h>
12
13#ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16#endif
17#if defined(VERIFY) && defined(COVERAGE)
18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19#endif
20#include "secp256k1.c"
21
22#include "../include/secp256k1.h"
23#include "../include/secp256k1_preallocated.h"
24#include "testrand_impl.h"
25#include "checkmem.h"
26#include "testutil.h"
27#include "util.h"
28
29#include "../contrib/lax_der_parsing.c"
30#include "../contrib/lax_der_privatekey_parsing.c"
31
32#include "modinv32_impl.h"
33#ifdef SECP256K1_WIDEMUL_INT128
34#include "modinv64_impl.h"
35#include "int128_impl.h"
36#endif
37
38#define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
39
40static int COUNT = 64;
41static secp256k1_context *CTX = NULL;
42static secp256k1_context *STATIC_CTX = NULL;
43
44static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
45 const unsigned char *p = s;
46 size_t i;
47
48 for (i = 0; i < n; i++) {
49 if (p[i] != value) {
50 return 0;
51 }
52 }
53 return 1;
54}
55
56#define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \
57 int32_t _calls_to_callback = 0; \
58 secp256k1_callback _saved_callback = ctx->callback; \
59 callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \
60 { expr_or_stmt; } \
61 ctx->callback = _saved_callback; \
62 CHECK(_calls_to_callback == 1); \
63} while(0);
64
65/* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once
66 *
67 * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */
68#define CHECK_ERROR_VOID(ctx, expr_or_stmt) \
69 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback)
70#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \
71 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback)
72
73/* CHECK that
74 * - expr calls the illegal callback of ctx exactly once and,
75 * - expr == 0 (or equivalently, expr == NULL)
76 *
77 * Useful for checking functions that return an integer or a pointer. */
78#define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
79#define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0))
80
81static void counting_callback_fn(const char* str, void* data) {
82 /* Dummy callback function that just counts. */
83 int32_t *p;
84 (void)str;
85 p = data;
86 CHECK(*p != INT32_MAX);
87 (*p)++;
88}
89
90static void uncounting_illegal_callback_fn(const char* str, void* data) {
91 /* Dummy callback function that just counts (backwards). */
92 int32_t *p;
93 (void)str;
94 p = data;
95 CHECK(*p != INT32_MIN);
96 (*p)--;
97}
98
99static void random_field_element_magnitude(secp256k1_fe *fe, int m) {
100 secp256k1_fe zero;
101 int n = secp256k1_testrand_int(m + 1);
102 secp256k1_fe_normalize(fe);
103 if (n == 0) {
104 return;
105 }
106 secp256k1_fe_clear(&zero);
107 secp256k1_fe_negate(&zero, &zero, 0);
108 secp256k1_fe_mul_int_unchecked(&zero, n - 1);
109 secp256k1_fe_add(fe, &zero);
110#ifdef VERIFY
111 CHECK(fe->magnitude == n);
112#endif
113}
114
115static void random_fe_test(secp256k1_fe *x) {
116 unsigned char bin[32];
117 do {
118 secp256k1_testrand256_test(bin);
119 if (secp256k1_fe_set_b32_limit(x, bin)) {
120 return;
121 }
122 } while(1);
123}
124
125static void random_fe_non_zero_test(secp256k1_fe *fe) {
126 do {
127 random_fe_test(fe);
128 } while(secp256k1_fe_is_zero(fe));
129}
130
131static void random_fe_magnitude(secp256k1_fe *fe) {
132 random_field_element_magnitude(fe, 8);
133}
134
135static void random_ge_x_magnitude(secp256k1_ge *ge) {
136 random_field_element_magnitude(&ge->x, SECP256K1_GE_X_MAGNITUDE_MAX);
137}
138
139static void random_ge_y_magnitude(secp256k1_ge *ge) {
140 random_field_element_magnitude(&ge->y, SECP256K1_GE_Y_MAGNITUDE_MAX);
141}
142
143static void random_gej_x_magnitude(secp256k1_gej *gej) {
144 random_field_element_magnitude(&gej->x, SECP256K1_GEJ_X_MAGNITUDE_MAX);
145}
146
147static void random_gej_y_magnitude(secp256k1_gej *gej) {
148 random_field_element_magnitude(&gej->y, SECP256K1_GEJ_Y_MAGNITUDE_MAX);
149}
150
151static void random_gej_z_magnitude(secp256k1_gej *gej) {
152 random_field_element_magnitude(&gej->z, SECP256K1_GEJ_Z_MAGNITUDE_MAX);
153}
154
155static void random_group_element_test(secp256k1_ge *ge) {
156 secp256k1_fe fe;
157 do {
158 random_fe_test(&fe);
159 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
160 secp256k1_fe_normalize(&ge->y);
161 break;
162 }
163 } while(1);
164 ge->infinity = 0;
165}
166
167static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
168 secp256k1_fe z2, z3;
169 random_fe_non_zero_test(&gej->z);
170 secp256k1_fe_sqr(&z2, &gej->z);
171 secp256k1_fe_mul(&z3, &z2, &gej->z);
172 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
173 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
174 gej->infinity = ge->infinity;
175}
176
177static void random_gej_test(secp256k1_gej *gej) {
178 secp256k1_ge ge;
179 random_group_element_test(&ge);
180 random_group_element_jacobian_test(gej, &ge);
181}
182
183static void random_scalar_order_test(secp256k1_scalar *num) {
184 do {
185 unsigned char b32[32];
186 int overflow = 0;
187 secp256k1_testrand256_test(b32);
188 secp256k1_scalar_set_b32(num, b32, &overflow);
189 if (overflow || secp256k1_scalar_is_zero(num)) {
190 continue;
191 }
192 break;
193 } while(1);
194}
195
196static void random_scalar_order(secp256k1_scalar *num) {
197 do {
198 unsigned char b32[32];
199 int overflow = 0;
200 secp256k1_testrand256(b32);
201 secp256k1_scalar_set_b32(num, b32, &overflow);
202 if (overflow || secp256k1_scalar_is_zero(num)) {
203 continue;
204 }
205 break;
206 } while(1);
207}
208
209static void random_scalar_order_b32(unsigned char *b32) {
210 secp256k1_scalar num;
211 random_scalar_order(&num);
212 secp256k1_scalar_get_b32(b32, &num);
213}
214
215static void run_xoshiro256pp_tests(void) {
216 {
217 size_t i;
218 /* Sanity check that we run before the actual seeding. */
219 for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
220 CHECK(secp256k1_test_state[i] == 0);
221 }
222 }
223 {
224 int i;
225 unsigned char buf32[32];
226 unsigned char seed16[16] = {
227 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
228 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
229 };
230 unsigned char buf32_expected[32] = {
231 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
232 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
233 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
234 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
235 };
236 secp256k1_testrand_seed(seed16);
237 for (i = 0; i < 17; i++) {
238 secp256k1_testrand256(buf32);
239 }
240 CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
241 }
242}
243
244static void run_selftest_tests(void) {
245 /* Test public API */
246 secp256k1_selftest();
247}
248
249static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) {
250 return a->built == b->built
251 && secp256k1_scalar_eq(&a->blind, &b->blind)
252 && secp256k1_gej_eq_var(&a->initial, &b->initial);
253}
254
255static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
256 return a->declassify == b->declassify
257 && ecmult_gen_context_eq(&a->ecmult_gen_ctx, &b->ecmult_gen_ctx)
258 && a->illegal_callback.fn == b->illegal_callback.fn
259 && a->illegal_callback.data == b->illegal_callback.data
260 && a->error_callback.fn == b->error_callback.fn
261 && a->error_callback.data == b->error_callback.data;
262}
263
264static void run_deprecated_context_flags_test(void) {
265 /* Check that a context created with any of the flags in the flags array is
266 * identical to the NONE context. */
267 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
268 SECP256K1_CONTEXT_VERIFY,
269 SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY };
270 secp256k1_context *none_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
271 int i;
272 for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
273 secp256k1_context *tmp_ctx;
274 CHECK(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE) == secp256k1_context_preallocated_size(flags[i]));
275 tmp_ctx = secp256k1_context_create(flags[i]);
276 CHECK(context_eq(none_ctx, tmp_ctx));
277 secp256k1_context_destroy(tmp_ctx);
278 }
279 secp256k1_context_destroy(none_ctx);
280}
281
282static void run_ec_illegal_argument_tests(void) {
283 secp256k1_pubkey pubkey;
284 secp256k1_pubkey zero_pubkey;
285 secp256k1_ecdsa_signature sig;
286 unsigned char ctmp[32];
287
288 /* Setup */
289 memset(ctmp, 1, 32);
290 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
291
292 /* Verify context-type checking illegal-argument errors. */
293 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ec_pubkey_create(STATIC_CTX, &pubkey, ctmp));
294 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
295 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
296 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
297 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL));
298 SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
299 CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
300 SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
301 CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
302 CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
303 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
304 CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
305 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
306 CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &pubkey) == 1);
307 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
308 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ec_pubkey_negate(STATIC_CTX, &zero_pubkey));
309 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_negate(CTX, NULL));
310 CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
311}
312
313static void run_static_context_tests(int use_prealloc) {
314 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
315 CHECK(secp256k1_context_no_precomp == secp256k1_context_static);
316
317 {
318 unsigned char seed[32] = {0x17};
319
320 /* Randomizing secp256k1_context_static is not supported. */
321 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, seed));
322 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, NULL));
323
324 /* Destroying or cloning secp256k1_context_static is not supported. */
325 if (use_prealloc) {
326 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone_size(STATIC_CTX));
327 {
328 secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
329 CHECK(my_static_ctx != NULL);
330 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
331 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone(STATIC_CTX, my_static_ctx));
332 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
333 free(my_static_ctx);
334 }
335 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_preallocated_destroy(STATIC_CTX));
336 } else {
337 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_clone(STATIC_CTX));
338 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_destroy(STATIC_CTX));
339 }
340 }
341
342 {
343 /* Verify that setting and resetting illegal callback works */
344 int32_t dummy = 0;
345 secp256k1_context_set_illegal_callback(STATIC_CTX, counting_callback_fn, &dummy);
346 CHECK(STATIC_CTX->illegal_callback.fn == counting_callback_fn);
347 CHECK(STATIC_CTX->illegal_callback.data == &dummy);
348 secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
349 CHECK(STATIC_CTX->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
350 CHECK(STATIC_CTX->illegal_callback.data == NULL);
351 }
352}
353
354static void run_proper_context_tests(int use_prealloc) {
355 int32_t dummy = 0;
356 secp256k1_context *my_ctx, *my_ctx_fresh;
357 void *my_ctx_prealloc = NULL;
358 unsigned char seed[32] = {0x17};
359
360 secp256k1_gej pubj;
361 secp256k1_ge pub;
362 secp256k1_scalar msg, key, nonce;
363 secp256k1_scalar sigr, sigs;
364
365 /* Fresh reference context for comparison */
366 my_ctx_fresh = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
367
368 if (use_prealloc) {
369 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
370 CHECK(my_ctx_prealloc != NULL);
371 my_ctx = secp256k1_context_preallocated_create(my_ctx_prealloc, SECP256K1_CONTEXT_NONE);
372 } else {
373 my_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
374 }
375
376 /* Randomize and reset randomization */
377 CHECK(context_eq(my_ctx, my_ctx_fresh));
378 CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
379 CHECK(!context_eq(my_ctx, my_ctx_fresh));
380 CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
381 CHECK(context_eq(my_ctx, my_ctx_fresh));
382
383 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
384 secp256k1_context_set_error_callback(my_ctx, secp256k1_default_illegal_callback_fn, NULL);
385 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
386 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
387
388 /* check if sizes for cloning are consistent */
389 CHECK(secp256k1_context_preallocated_clone_size(my_ctx) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
390
391 /*** clone and destroy all of them to make sure cloning was complete ***/
392 {
393 secp256k1_context *ctx_tmp;
394
395 if (use_prealloc) {
396 /* clone into a non-preallocated context and then again into a new preallocated one. */
397 ctx_tmp = my_ctx;
398 my_ctx = secp256k1_context_clone(my_ctx);
399 CHECK(context_eq(ctx_tmp, my_ctx));
400 secp256k1_context_preallocated_destroy(ctx_tmp);
401
402 free(my_ctx_prealloc);
403 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
404 CHECK(my_ctx_prealloc != NULL);
405 ctx_tmp = my_ctx;
406 my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
407 CHECK(context_eq(ctx_tmp, my_ctx));
408 secp256k1_context_destroy(ctx_tmp);
409 } else {
410 /* clone into a preallocated context and then again into a new non-preallocated one. */
411 void *prealloc_tmp;
412
413 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
414 CHECK(prealloc_tmp != NULL);
415 ctx_tmp = my_ctx;
416 my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
417 CHECK(context_eq(ctx_tmp, my_ctx));
418 secp256k1_context_destroy(ctx_tmp);
419
420 ctx_tmp = my_ctx;
421 my_ctx = secp256k1_context_clone(my_ctx);
422 CHECK(context_eq(ctx_tmp, my_ctx));
423 secp256k1_context_preallocated_destroy(ctx_tmp);
424 free(prealloc_tmp);
425 }
426 }
427
428 /* Verify that the error callback makes it across the clone. */
429 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
430 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
431 /* And that it resets back to default. */
432 secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
433 CHECK(my_ctx->error_callback.fn == secp256k1_default_error_callback_fn);
434 CHECK(context_eq(my_ctx, my_ctx_fresh));
435
436 /* Verify that setting and resetting illegal callback works */
437 secp256k1_context_set_illegal_callback(my_ctx, counting_callback_fn, &dummy);
438 CHECK(my_ctx->illegal_callback.fn == counting_callback_fn);
439 CHECK(my_ctx->illegal_callback.data == &dummy);
440 secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
441 CHECK(my_ctx->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
442 CHECK(my_ctx->illegal_callback.data == NULL);
443 CHECK(context_eq(my_ctx, my_ctx_fresh));
444
445 /*** attempt to use them ***/
446 random_scalar_order_test(&msg);
447 random_scalar_order_test(&key);
448 secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
449 secp256k1_ge_set_gej(&pub, &pubj);
450
451 /* obtain a working nonce */
452 do {
453 random_scalar_order_test(&nonce);
454 } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
455
456 /* try signing */
457 CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
458
459 /* try verifying */
460 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
461
462 /* cleanup */
463 if (use_prealloc) {
464 secp256k1_context_preallocated_destroy(my_ctx);
465 free(my_ctx_prealloc);
466 } else {
467 secp256k1_context_destroy(my_ctx);
468 }
469 secp256k1_context_destroy(my_ctx_fresh);
470
471 /* Defined as no-op. */
472 secp256k1_context_destroy(NULL);
473 secp256k1_context_preallocated_destroy(NULL);
474}
475
476static void run_scratch_tests(void) {
477 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
478
479 size_t checkpoint;
480 size_t checkpoint_2;
481 secp256k1_scratch_space *scratch;
482 secp256k1_scratch_space local_scratch;
483
484 /* Test public API */
485 scratch = secp256k1_scratch_space_create(CTX, 1000);
486 CHECK(scratch != NULL);
487
488 /* Test internal API */
489 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
490 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
491 CHECK(scratch->alloc_size == 0);
492 CHECK(scratch->alloc_size % ALIGNMENT == 0);
493
494 /* Allocating 500 bytes succeeds */
495 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
496 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
497 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
498 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
499 CHECK(scratch->alloc_size != 0);
500 CHECK(scratch->alloc_size % ALIGNMENT == 0);
501
502 /* Allocating another 501 bytes fails */
503 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
504 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
505 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
506 CHECK(scratch->alloc_size != 0);
507 CHECK(scratch->alloc_size % ALIGNMENT == 0);
508
509 /* ...but it succeeds once we apply the checkpoint to undo it */
510 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
511 CHECK(scratch->alloc_size == 0);
512 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
513 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
514 CHECK(scratch->alloc_size != 0);
515
516 /* try to apply a bad checkpoint */
517 checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
518 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
519 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */
520 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */
521
522 /* try to use badly initialized scratch space */
523 secp256k1_scratch_space_destroy(CTX, scratch);
524 memset(&local_scratch, 0, sizeof(local_scratch));
525 scratch = &local_scratch;
526 CHECK_ERROR(CTX, secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0));
527 CHECK_ERROR(CTX, secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500));
528 CHECK_ERROR_VOID(CTX, secp256k1_scratch_space_destroy(CTX, scratch));
529
530 /* Test that large integers do not wrap around in a bad way */
531 scratch = secp256k1_scratch_space_create(CTX, 1000);
532 /* Try max allocation with a large number of objects. Only makes sense if
533 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
534 * space. */
535 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
536 /* Try allocating SIZE_MAX to test wrap around which only happens if
537 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
538 * space is too small. */
539 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
540 secp256k1_scratch_space_destroy(CTX, scratch);
541
542 /* cleanup */
543 secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
544}
545
546static void run_ctz_tests(void) {
547 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
548 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
549 int shift;
550 unsigned i;
551 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
552 for (shift = 0; shift < 32; ++shift) {
553 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
554 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
555 }
556 }
557 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
558 for (shift = 0; shift < 64; ++shift) {
559 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
560 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
561 }
562 }
563}
564
565/***** HASH TESTS *****/
566
567static void run_sha256_known_output_tests(void) {
568 static const char *inputs[] = {
569 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
570 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
571 "For this sample, this 63-byte string will be used as input data",
572 "This is exactly 64 bytes long, not counting the terminating byte",
573 "aaaaa",
574 };
575 static const unsigned int repeat[] = {
576 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
577 };
578 static const unsigned char outputs[][32] = {
579 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
580 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
581 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
582 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
583 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
584 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
585 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
586 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
587 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
588 };
589 unsigned int i, ninputs;
590
591 /* Skip last input vector for low iteration counts */
592 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
593 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
594
595 for (i = 0; i < ninputs; i++) {
596 unsigned char out[32];
597 secp256k1_sha256 hasher;
598 unsigned int j;
599 /* 1. Run: simply write the input bytestrings */
600 j = repeat[i];
601 secp256k1_sha256_initialize(&hasher);
602 while (j > 0) {
603 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
604 j--;
605 }
606 secp256k1_sha256_finalize(&hasher, out);
607 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
608 /* 2. Run: split the input bytestrings randomly before writing */
609 if (strlen(inputs[i]) > 0) {
610 int split = secp256k1_testrand_int(strlen(inputs[i]));
611 secp256k1_sha256_initialize(&hasher);
612 j = repeat[i];
613 while (j > 0) {
614 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
615 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
616 j--;
617 }
618 secp256k1_sha256_finalize(&hasher, out);
619 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
620 }
621 }
622}
623
668static void run_sha256_counter_tests(void) {
669 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
670 static const secp256k1_sha256 midstates[] = {
671 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
672 {0x00}, 0xfffc0},
673 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
674 {0x00}, 0x1fffc0},
675 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
676 {0x00}, 0x3fffc0},
677 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
678 {0x00}, 0x7fffc0},
679 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
680 {0x00}, 0xffffc0},
681 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
682 {0x00}, 0x1ffffc0},
683 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
684 {0x00}, 0x3ffffc0},
685 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
686 {0x00}, 0x7ffffc0},
687 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
688 {0x00}, 0xfffffc0},
689 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
690 {0x00}, 0x1fffffc0},
691 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
692 {0x00}, 0x3fffffc0},
693 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
694 {0x00}, 0x7fffffc0},
695 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
696 {0x00}, 0xffffffc0},
697 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
698 {0x00}, 0x1ffffffc0},
699 };
700 static const unsigned char outputs[][32] = {
701 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
702 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
703 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
704 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
705 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
706 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
707 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
708 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
709 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
710 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
711 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
712 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
713 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
714 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
715 };
716 unsigned int i;
717 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
718 unsigned char out[32];
719 secp256k1_sha256 hasher = midstates[i];
720 secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
721 secp256k1_sha256_finalize(&hasher, out);
722 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
723 }
724}
725
726/* Tests for the equality of two sha256 structs. This function only produces a
727 * correct result if an integer multiple of 64 many bytes have been written
728 * into the hash functions. This function is used by some module tests. */
729static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
730 /* Is buffer fully consumed? */
731 CHECK((sha1->bytes & 0x3F) == 0);
732
733 CHECK(sha1->bytes == sha2->bytes);
734 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
735}
736
737static void run_hmac_sha256_tests(void) {
738 static const char *keys[6] = {
739 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
740 "\x4a\x65\x66\x65",
741 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
742 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
743 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
744 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
745 };
746 static const char *inputs[6] = {
747 "\x48\x69\x20\x54\x68\x65\x72\x65",
748 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
749 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
750 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
751 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
752 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
753 };
754 static const unsigned char outputs[6][32] = {
755 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
756 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
757 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
758 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
759 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
760 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
761 };
762 int i;
763 for (i = 0; i < 6; i++) {
764 secp256k1_hmac_sha256 hasher;
765 unsigned char out[32];
766 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
767 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
768 secp256k1_hmac_sha256_finalize(&hasher, out);
769 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
770 if (strlen(inputs[i]) > 0) {
771 int split = secp256k1_testrand_int(strlen(inputs[i]));
772 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
773 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
774 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
775 secp256k1_hmac_sha256_finalize(&hasher, out);
776 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
777 }
778 }
779}
780
781static void run_rfc6979_hmac_sha256_tests(void) {
782 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
783 static const unsigned char out1[3][32] = {
784 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
785 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
786 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
787 };
788
789 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
790 static const unsigned char out2[3][32] = {
791 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
792 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
793 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
794 };
795
796 secp256k1_rfc6979_hmac_sha256 rng;
797 unsigned char out[32];
798 int i;
799
800 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
801 for (i = 0; i < 3; i++) {
802 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
803 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
804 }
805 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
806
807 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
808 for (i = 0; i < 3; i++) {
809 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
810 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
811 }
812 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
813
814 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
815 for (i = 0; i < 3; i++) {
816 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
817 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
818 }
819 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
820}
821
822static void run_tagged_sha256_tests(void) {
823 unsigned char tag[32] = { 0 };
824 unsigned char msg[32] = { 0 };
825 unsigned char hash32[32];
826 unsigned char hash_expected[32] = {
827 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
828 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
829 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
830 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
831 };
832
833 /* API test */
834 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
835 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)));
836 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)));
837 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0));
838
839 /* Static test vector */
840 memcpy(tag, "tag", 3);
841 memcpy(msg, "msg", 3);
842 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
843 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
844}
845
846/***** MODINV TESTS *****/
847
848/* Compute the modular inverse of (odd) x mod 2^64. */
849static uint64_t modinv2p64(uint64_t x) {
850 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
851 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
852 * why. Start with L=0, for which it is true for every odd x that
853 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
854 int l;
855 uint64_t w = 1;
856 CHECK(x & 1);
857 for (l = 0; l < 6; ++l) w *= (2 - w*x);
858 return w;
859}
860
861
862/* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
863 *
864 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
865 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
866static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
867 uint16_t mul[32];
868 uint64_t c = 0;
869 int i, j;
870 int m_bitlen = 0;
871 int mul_bitlen = 0;
872
873 if (b != NULL) {
874 /* Compute the product of a and b, and put it in mul. */
875 for (i = 0; i < 32; ++i) {
876 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
877 c += (uint64_t)a[j] * b[i - j];
878 }
879 mul[i] = c & 0xFFFF;
880 c >>= 16;
881 }
882 CHECK(c == 0);
883
884 /* compute the highest set bit in mul */
885 for (i = 511; i >= 0; --i) {
886 if ((mul[i >> 4] >> (i & 15)) & 1) {
887 mul_bitlen = i;
888 break;
889 }
890 }
891 } else {
892 /* if b==NULL, set mul=a. */
893 memcpy(mul, a, 32);
894 memset(mul + 16, 0, 32);
895 /* compute the highest set bit in mul */
896 for (i = 255; i >= 0; --i) {
897 if ((mul[i >> 4] >> (i & 15)) & 1) {
898 mul_bitlen = i;
899 break;
900 }
901 }
902 }
903
904 if (m) {
905 /* Compute the highest set bit in m. */
906 for (i = 255; i >= 0; --i) {
907 if ((m[i >> 4] >> (i & 15)) & 1) {
908 m_bitlen = i;
909 break;
910 }
911 }
912
913 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
914 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
915 uint16_t mul2[32];
916 int64_t cs;
917
918 /* Compute mul2 = mul - m<<i. */
919 cs = 0; /* accumulator */
920 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
921 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
922 uint16_t sub = 0;
923 int p;
924 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
925 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
926 if (bitpos >= 0 && bitpos < 256) {
927 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
928 }
929 }
930 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
931 cs += mul[j];
932 cs -= sub;
933 mul2[j] = (cs & 0xFFFF);
934 cs >>= 16;
935 }
936 /* If remainder of subtraction is 0, set mul = mul2. */
937 if (cs == 0) {
938 memcpy(mul, mul2, sizeof(mul));
939 }
940 }
941 /* Sanity check: test that all limbs higher than m's highest are zero */
942 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
943 CHECK(mul[i] == 0);
944 }
945 }
946 memcpy(out, mul, 32);
947}
948
949/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
950static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
951 int i;
952 memset(out->v, 0, sizeof(out->v));
953 for (i = 0; i < 256; ++i) {
954 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
955 }
956}
957
958/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
959static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
960 int i;
961 memset(out, 0, 32);
962 for (i = 0; i < 256; ++i) {
963 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
964 }
965}
966
967/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
968static void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
969 int i;
970 for (i = 0; i < 16; ++i) {
971 int pos = secp256k1_testrand_bits(3);
972 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
973 x->v[pos] -= 0x40000000;
974 x->v[pos + 1] += 1;
975 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
976 x->v[pos] += 0x40000000;
977 x->v[pos + 1] -= 1;
978 }
979 }
980}
981
982/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
983static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
984 uint16_t tmp[16];
985 secp256k1_modinv32_signed30 x;
986 secp256k1_modinv32_modinfo m;
987 int i, vartime, nonzero;
988
989 uint16_to_signed30(&x, in);
990 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
991 uint16_to_signed30(&m.modulus, mod);
992
993 /* compute 1/modulus mod 2^30 */
994 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
995 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
996
997 /* Test secp256k1_jacobi32_maybe_var. */
998 if (nonzero) {
999 int jac;
1000 uint16_t sqr[16], negone[16];
1001 mulmod256(sqr, in, in, mod);
1002 uint16_to_signed30(&x, sqr);
1003 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1004 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1005 CHECK(jac == 0 || jac == 1);
1006 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1007 * jacobi symbols if and only if (mod % 4) == 3. */
1008 negone[0] = mod[0] - 1;
1009 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1010 mulmod256(sqr, sqr, negone, mod);
1011 uint16_to_signed30(&x, sqr);
1012 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1013 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1014 }
1015
1016 uint16_to_signed30(&x, in);
1017 mutate_sign_signed30(&m.modulus);
1018 for (vartime = 0; vartime < 2; ++vartime) {
1019 /* compute inverse */
1020 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1021
1022 /* produce output */
1023 signed30_to_uint16(out, &x);
1024
1025 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1026 mulmod256(tmp, out, in, mod);
1027 CHECK(tmp[0] == nonzero);
1028 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1029
1030 /* invert again */
1031 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1032
1033 /* check if the result is equal to the input */
1034 signed30_to_uint16(tmp, &x);
1035 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1036 }
1037}
1038
1039#ifdef SECP256K1_WIDEMUL_INT128
1040/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1041static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1042 int i;
1043 memset(out->v, 0, sizeof(out->v));
1044 for (i = 0; i < 256; ++i) {
1045 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1046 }
1047}
1048
1049/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1050static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1051 int i;
1052 memset(out, 0, 32);
1053 for (i = 0; i < 256; ++i) {
1054 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1055 }
1056}
1057
1058/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1059static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1060 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1061 int i;
1062 for (i = 0; i < 8; ++i) {
1063 int pos = secp256k1_testrand_bits(2);
1064 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1065 x->v[pos] -= (M62 + 1);
1066 x->v[pos + 1] += 1;
1067 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1068 x->v[pos] += (M62 + 1);
1069 x->v[pos + 1] -= 1;
1070 }
1071 }
1072}
1073
1074/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1075static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1076 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1077 uint16_t tmp[16];
1078 secp256k1_modinv64_signed62 x;
1079 secp256k1_modinv64_modinfo m;
1080 int i, vartime, nonzero;
1081
1082 uint16_to_signed62(&x, in);
1083 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1084 uint16_to_signed62(&m.modulus, mod);
1085
1086 /* compute 1/modulus mod 2^62 */
1087 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1088 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1089
1090 /* Test secp256k1_jacobi64_maybe_var. */
1091 if (nonzero) {
1092 int jac;
1093 uint16_t sqr[16], negone[16];
1094 mulmod256(sqr, in, in, mod);
1095 uint16_to_signed62(&x, sqr);
1096 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1097 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1098 CHECK(jac == 0 || jac == 1);
1099 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1100 * jacobi symbols if and only if (mod % 4) == 3. */
1101 negone[0] = mod[0] - 1;
1102 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1103 mulmod256(sqr, sqr, negone, mod);
1104 uint16_to_signed62(&x, sqr);
1105 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1106 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1107 }
1108
1109 uint16_to_signed62(&x, in);
1110 mutate_sign_signed62(&m.modulus);
1111 for (vartime = 0; vartime < 2; ++vartime) {
1112 /* compute inverse */
1113 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1114
1115 /* produce output */
1116 signed62_to_uint16(out, &x);
1117
1118 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1119 mulmod256(tmp, out, in, mod);
1120 CHECK(tmp[0] == nonzero);
1121 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1122
1123 /* invert again */
1124 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1125
1126 /* check if the result is equal to the input */
1127 signed62_to_uint16(tmp, &x);
1128 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1129 }
1130}
1131#endif
1132
1133/* test if a and b are coprime */
1134static int coprime(const uint16_t* a, const uint16_t* b) {
1135 uint16_t x[16], y[16], t[16];
1136 int i;
1137 int iszero;
1138 memcpy(x, a, 32);
1139 memcpy(y, b, 32);
1140
1141 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1142 while (1) {
1143 iszero = 1;
1144 for (i = 0; i < 16; ++i) {
1145 if (x[i] != 0) {
1146 iszero = 0;
1147 break;
1148 }
1149 }
1150 if (iszero) break;
1151 mulmod256(t, y, NULL, x);
1152 memcpy(y, x, 32);
1153 memcpy(x, t, 32);
1154 }
1155
1156 /* return whether y=1 */
1157 if (y[0] != 1) return 0;
1158 for (i = 1; i < 16; ++i) {
1159 if (y[i] != 0) return 0;
1160 }
1161 return 1;
1162}
1163
1164static void run_modinv_tests(void) {
1165 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1166 static const uint16_t CASES[][3][16] = {
1167 /* Test cases triggering edge cases in divsteps */
1168
1169 /* Test case known to need 713 divsteps */
1170 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1171 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1172 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1173 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1174 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1175 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1176 /* Test case known to need 589 divsteps, reaching delta=-140 and
1177 delta=141. */
1178 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1179 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1180 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1181 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1182 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1183 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1184 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1185 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1186 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1187 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1188 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1189 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1190 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1191 /* example needing 713 divsteps; delta=-2..3 */
1192 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1193 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1194 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1195 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1196 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1197 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1198 /* example needing 713 divsteps; delta=-2..3 */
1199 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1200 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1201 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1202 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1203 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1204 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1205 /* example needing 713 divsteps; delta=-2..3 */
1206 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1207 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1208 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1209 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1210 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1211 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1212 /* example reaching delta=-64..65; 661 divsteps */
1213 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1214 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1215 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1216 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1217 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1218 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1219 /* example reaching delta=-64..65; 661 divsteps */
1220 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1221 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1222 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1223 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1224 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1225 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1226 /* example reaching delta=-64..65; 661 divsteps */
1227 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1228 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1229 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1230 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1231 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1232 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1233 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1234 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1235 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1236 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1237 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1238 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1239 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1240 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1241 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1242 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1243 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1244 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1245 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1246 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1247 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1248 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1249 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1250 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1251 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1252 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1253 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1254 /* example doing 446 (f,g/2) steps; 523 divsteps */
1255 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1256 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1257 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1258 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1259 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1260 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1261 /* example doing 446 (f,g/2) steps; 523 divsteps */
1262 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1263 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1264 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1265 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1266 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1267 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1268 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1269 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1270 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1271 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1272 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1273 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1274 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1275 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1276 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1277 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1278 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1279 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1280 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1281 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1282 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1283 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1284 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1285 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1286 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1287 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1288 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1289 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1290 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1291 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1292 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1293 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1294 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1295 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1296
1297 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1298
1299 /* example needing 590 divsteps; delta=-5/2..7/2 */
1300 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1301 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1302 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1303 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1304 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1305 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1306 /* example needing 590 divsteps; delta=-3/2..5/2 */
1307 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1308 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1309 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1310 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1311 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1312 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1313 /* example needing 590 divsteps; delta=-3/2..5/2 */
1314 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1315 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1316 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1317 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1318 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1319 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1320 /* example needing 590 divsteps; delta=-5/2..7/2 */
1321 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1322 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1323 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1324 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1325 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1326 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1327 /* example needing 590 divsteps; delta=-3/2..5/2 */
1328 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1329 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1330 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1331 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1332 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1333 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1334 /* example reaching delta=-127/2..129/2; 571 divsteps */
1335 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1336 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1337 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1338 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1339 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1340 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1341 /* example reaching delta=-127/2..129/2; 571 divsteps */
1342 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1343 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1344 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1345 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1346 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1347 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1348 /* example reaching delta=-127/2..129/2; 571 divsteps */
1349 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1350 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1351 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1352 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1353 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1354 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1355 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1356 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1357 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1358 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1359 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1360 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1361 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1362 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1363 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1364 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1365 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1366 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1367 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1368 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1369 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1370 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1371 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1372 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1373 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1374 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1375 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1376 /* example doing 453 (f,g/2) steps; 514 divsteps */
1377 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1378 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1379 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1380 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1381 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1382 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1383 /* example doing 453 (f,g/2) steps; 514 divsteps */
1384 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1385 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1386 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1387 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1388 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1389 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1390 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1391 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1392 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1393 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1394 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1395 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1396 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1397 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1398 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1399 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1400 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1401 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1402 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1403 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1404 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1405 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1406 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1407 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1408 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1409 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1410 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1411 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1412 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1413 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1414 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1415 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1416 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1417 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1418
1419 /* Test cases with the group order as modulus. */
1420
1421 /* Test case with the group order as modulus, needing 635 divsteps. */
1422 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1423 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1424 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1425 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1426 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1427 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1428 /* example with group size as modulus needing 631 divsteps */
1429 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1430 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1431 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1432 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1433 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1434 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1435 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1436 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1437 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1438 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1439 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1440 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1441 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1442 /* Test case with the group size as modulus, needing 981 divsteps with
1443 broken eta handling. */
1444 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1445 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1446 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1447 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1448 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1449 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1450 /* Test case with the group size as modulus, input = 0. */
1451 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1452 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1453 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1454 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1455 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1456 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1457 /* Test case with the group size as modulus, input = 1. */
1458 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1459 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1460 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1461 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1462 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1463 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1464 /* Test case with the group size as modulus, input = 2. */
1465 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1466 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1467 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1468 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1469 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1470 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1471 /* Test case with the group size as modulus, input = group - 1. */
1472 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1473 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1474 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1475 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1476 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1477 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1478
1479 /* Test cases with the field size as modulus. */
1480
1481 /* Test case with the field size as modulus, needing 637 divsteps. */
1482 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1483 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1484 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1485 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1486 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1487 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1488 /* example with field size as modulus needing 637 divsteps */
1489 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1490 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1491 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1492 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1493 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1494 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1495 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1496 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1497 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1498 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1499 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1500 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1501 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1502 /* Test case with the field size as modulus, needing 935 divsteps with
1503 broken eta handling. */
1504 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1505 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1506 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1507 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1508 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1509 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1510 /* Test case with the field size as modulus, input = 0. */
1511 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1512 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1513 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1514 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1515 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1516 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1517 /* Test case with the field size as modulus, input = 1. */
1518 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1519 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1520 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1521 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1522 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1523 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1524 /* Test case with the field size as modulus, input = 2. */
1525 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1526 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1527 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1528 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1529 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1530 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1531 /* Test case with the field size as modulus, input = field - 1. */
1532 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1533 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1534 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1535 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1536 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1537 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1538
1539 /* Selected from a large number of random inputs to reach small/large
1540 * d/e values in various configurations. */
1541 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1542 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1543 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1544 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1545 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1546 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1547 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1548 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1549 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1550 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1551 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1552 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1553 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1554 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1555 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1556 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1557 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1558 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1559 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1560 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1561 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1562 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1563 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1564 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1565 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1566 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1567 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1568 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1569 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1570 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1571 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1572 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1573 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1574 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1575 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1576 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1577 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1578 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1579 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1580 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1581 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1582 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1583 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1584 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1585 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1586 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1587 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1588 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1589 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1590 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1591 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1592 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1593 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1594 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1595 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1596 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1597 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1598 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1599 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1600 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1601 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1602 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1603 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1604 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1605 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1606 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1607 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1608 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1609 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1610 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1611 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1612 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1613 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1614 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1615 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1616 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1617 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1618 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1619 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1620 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1621 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1622 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1623 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1624 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1625 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1626 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1627 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1628 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1629 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1630 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1631 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1632 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1633 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1634 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1635 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1636 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1637 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1638 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1639 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1640 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1641 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1642 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1643 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1644 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1645 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1646 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1647 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1648 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1649 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1650 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1651 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1652 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1653 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1654 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1655 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1656 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1657 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1658 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1659 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1660 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1661 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1662 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1663 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1664 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1665 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1666 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1667 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1668 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1669 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1670 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1671 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1672 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1673 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1674 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1675 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1676 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1677 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1678 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1679 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1680 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1681 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1682 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1683 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1684 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1685 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1686 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1687 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1688 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1689 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1690 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1691 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1692 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1693 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1694 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1695 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1696 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1697 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1698 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1699 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1700 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1701 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1702 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1703 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1704 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1705 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1706 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1707 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1708 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1709 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1710 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1711 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1712 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1713 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1714 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1715 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1716 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1717 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1718 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1719 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1720 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1721 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1722 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1723 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1724 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1725 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1726 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1727 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1728 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1729 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1730 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1731 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1732 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1733 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1734 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1735 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1736 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1737 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1738 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1739 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1740 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1741 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1742 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1743 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1744 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1745 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1746 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1747 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1748 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1749 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1750 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1751 };
1752
1753 int i, j, ok;
1754
1755 /* Test known inputs/outputs */
1756 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1757 uint16_t out[16];
1758 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1759 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1760#ifdef SECP256K1_WIDEMUL_INT128
1761 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1762 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1763#endif
1764 }
1765
1766 for (i = 0; i < 100 * COUNT; ++i) {
1767 /* 256-bit numbers in 16-uint16_t's notation */
1768 static const uint16_t ZERO[16] = {0};
1769 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1770 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1771 uint16_t id[16]; /* the inverse of xd mod md */
1772
1773 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1774 do {
1775 /* generate random xd and md (with many subsequent 0s and 1s) */
1776 secp256k1_testrand256_test((unsigned char*)xd);
1777 secp256k1_testrand256_test((unsigned char*)md);
1778 md[0] |= 1; /* modulus must be odd */
1779 /* If modulus is 1, find another one. */
1780 ok = md[0] != 1;
1781 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1782 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1783 } while (!(ok && coprime(xd, md)));
1784
1785 test_modinv32_uint16(id, xd, md);
1786#ifdef SECP256K1_WIDEMUL_INT128
1787 test_modinv64_uint16(id, xd, md);
1788#endif
1789
1790 /* In a few cases, also test with input=0 */
1791 if (i < COUNT) {
1792 test_modinv32_uint16(id, ZERO, md);
1793#ifdef SECP256K1_WIDEMUL_INT128
1794 test_modinv64_uint16(id, ZERO, md);
1795#endif
1796 }
1797 }
1798}
1799
1800/***** INT128 TESTS *****/
1801
1802#ifdef SECP256K1_WIDEMUL_INT128
1803/* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1804static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1805 int i;
1806 uint32_t carry = 0;
1807 for (i = 0; i < 16; ++i) {
1808 carry += a[i];
1809 carry += b[i];
1810 out[i] = carry;
1811 carry >>= 16;
1812 }
1813}
1814
1815/* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1816static void neg256(uint16_t* out, const uint16_t* a) {
1817 int i;
1818 uint32_t carry = 1;
1819 for (i = 0; i < 16; ++i) {
1820 carry += (uint16_t)~a[i];
1821 out[i] = carry;
1822 carry >>= 16;
1823 }
1824}
1825
1826/* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1827static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1828 uint16_t sign = sign_extend && (a[15] >> 15);
1829 int i, j;
1830 for (i = 15; i >= 0; --i) {
1831 uint16_t v = 0;
1832 for (j = 0; j < 16; ++j) {
1833 int frompos = i*16 + j + n;
1834 if (frompos >= 256) {
1835 v |= sign << j;
1836 } else {
1837 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1838 }
1839 }
1840 out[i] = v;
1841 }
1842}
1843
1844/* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1845static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1846 int i;
1847 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1848 for (i = 0; i < 4; ++i) {
1849 out[i] = v >> (16 * i);
1850 }
1851 for (i = 4; i < 16; ++i) {
1852 out[i] = sign;
1853 }
1854}
1855
1856/* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1857static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1858 int i;
1859 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1860 for (i = 0; i < 4; ++i) {
1861 out[i] = lo >> (16 * i);
1862 }
1863 for (i = 4; i < 8; ++i) {
1864 out[i] = hi >> (16 * (i - 4));
1865 }
1866 for (i = 8; i < 16; ++i) {
1867 out[i] = sign;
1868 }
1869}
1870
1871/* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1872static int int256is127(const uint16_t* v) {
1873 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1874 int i;
1875 for (i = 8; i < 16; ++i) {
1876 if (v[i] != 0) all_0 = 0;
1877 if (v[i] != 0xffff) all_1 = 0;
1878 }
1879 return all_0 || all_1;
1880}
1881
1882static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1883 uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1884 load256two64(out, hi, lo, 0);
1885}
1886
1887static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1888 uint64_t lo;
1889 int64_t hi;
1890 secp256k1_int128 c = *v;
1891 lo = secp256k1_i128_to_u64(&c);
1892 secp256k1_i128_rshift(&c, 64);
1893 hi = secp256k1_i128_to_i64(&c);
1894 load256two64(out, hi, lo, 1);
1895}
1896
1897static void run_int128_test_case(void) {
1898 unsigned char buf[32];
1899 uint64_t v[4];
1900 secp256k1_int128 swa, swz;
1901 secp256k1_uint128 uwa, uwz;
1902 uint64_t ub, uc;
1903 int64_t sb, sc;
1904 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1905 uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1906 int i;
1907
1908 /* Generate 32-byte random value. */
1909 secp256k1_testrand256_test(buf);
1910 /* Convert into 4 64-bit integers. */
1911 for (i = 0; i < 4; ++i) {
1912 uint64_t vi = 0;
1913 int j;
1914 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1915 v[i] = vi;
1916 }
1917 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1918 secp256k1_u128_load(&uwa, v[1], v[0]);
1919 secp256k1_i128_load(&swa, v[1], v[0]);
1920 ub = v[2];
1921 sb = v[2];
1922 uc = v[3];
1923 sc = v[3];
1924 /* Load those also into 16-bit array representations. */
1925 load256u128(ruwa, &uwa);
1926 load256i128(rswa, &swa);
1927 load256u64(rub, ub, 0);
1928 load256u64(rsb, sb, 1);
1929 load256u64(ruc, uc, 0);
1930 load256u64(rsc, sc, 1);
1931 /* test secp256k1_u128_mul */
1932 mulmod256(ruwr, rub, ruc, NULL);
1933 secp256k1_u128_mul(&uwz, ub, uc);
1934 load256u128(ruwz, &uwz);
1935 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1936 /* test secp256k1_u128_accum_mul */
1937 mulmod256(ruwr, rub, ruc, NULL);
1938 add256(ruwr, ruwr, ruwa);
1939 uwz = uwa;
1940 secp256k1_u128_accum_mul(&uwz, ub, uc);
1941 load256u128(ruwz, &uwz);
1942 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1943 /* test secp256k1_u128_accum_u64 */
1944 add256(ruwr, rub, ruwa);
1945 uwz = uwa;
1946 secp256k1_u128_accum_u64(&uwz, ub);
1947 load256u128(ruwz, &uwz);
1948 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1949 /* test secp256k1_u128_rshift */
1950 rshift256(ruwr, ruwa, uc % 128, 0);
1951 uwz = uwa;
1952 secp256k1_u128_rshift(&uwz, uc % 128);
1953 load256u128(ruwz, &uwz);
1954 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1955 /* test secp256k1_u128_to_u64 */
1956 CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1957 /* test secp256k1_u128_hi_u64 */
1958 CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1959 /* test secp256k1_u128_from_u64 */
1960 secp256k1_u128_from_u64(&uwz, ub);
1961 load256u128(ruwz, &uwz);
1962 CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1963 /* test secp256k1_u128_check_bits */
1964 {
1965 int uwa_bits = 0;
1966 int j;
1967 for (j = 0; j < 128; ++j) {
1968 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
1969 }
1970 for (j = 0; j < 128; ++j) {
1971 CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
1972 }
1973 }
1974 /* test secp256k1_i128_mul */
1975 mulmod256(rswr, rsb, rsc, NULL);
1976 secp256k1_i128_mul(&swz, sb, sc);
1977 load256i128(rswz, &swz);
1978 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1979 /* test secp256k1_i128_accum_mul */
1980 mulmod256(rswr, rsb, rsc, NULL);
1981 add256(rswr, rswr, rswa);
1982 if (int256is127(rswr)) {
1983 swz = swa;
1984 secp256k1_i128_accum_mul(&swz, sb, sc);
1985 load256i128(rswz, &swz);
1986 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1987 }
1988 /* test secp256k1_i128_det */
1989 {
1990 uint16_t rsd[16], rse[16], rst[32];
1991 int64_t sd = v[0], se = v[1];
1992 load256u64(rsd, sd, 1);
1993 load256u64(rse, se, 1);
1994 mulmod256(rst, rsc, rsd, NULL);
1995 neg256(rst, rst);
1996 mulmod256(rswr, rsb, rse, NULL);
1997 add256(rswr, rswr, rst);
1998 secp256k1_i128_det(&swz, sb, sc, sd, se);
1999 load256i128(rswz, &swz);
2000 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2001 }
2002 /* test secp256k1_i128_rshift */
2003 rshift256(rswr, rswa, uc % 127, 1);
2004 swz = swa;
2005 secp256k1_i128_rshift(&swz, uc % 127);
2006 load256i128(rswz, &swz);
2007 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2008 /* test secp256k1_i128_to_u64 */
2009 CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
2010 /* test secp256k1_i128_from_i64 */
2011 secp256k1_i128_from_i64(&swz, sb);
2012 load256i128(rswz, &swz);
2013 CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
2014 /* test secp256k1_i128_to_i64 */
2015 CHECK(secp256k1_i128_to_i64(&swz) == sb);
2016 /* test secp256k1_i128_eq_var */
2017 {
2018 int expect = (uc & 1);
2019 swz = swa;
2020 if (!expect) {
2021 /* Make sure swz != swa */
2022 uint64_t v0c = v[0], v1c = v[1];
2023 if (ub & 64) {
2024 v1c ^= (((uint64_t)1) << (ub & 63));
2025 } else {
2026 v0c ^= (((uint64_t)1) << (ub & 63));
2027 }
2028 secp256k1_i128_load(&swz, v1c, v0c);
2029 }
2030 CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
2031 }
2032 /* test secp256k1_i128_check_pow2 (sign == 1) */
2033 {
2034 int expect = (uc & 1);
2035 int pos = ub % 127;
2036 if (expect) {
2037 /* If expect==1, set swz to exactly 2^pos. */
2038 uint64_t hi = 0;
2039 uint64_t lo = 0;
2040 if (pos >= 64) {
2041 hi = (((uint64_t)1) << (pos & 63));
2042 } else {
2043 lo = (((uint64_t)1) << (pos & 63));
2044 }
2045 secp256k1_i128_load(&swz, hi, lo);
2046 } else {
2047 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
2048 if (pos >= 64) {
2049 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
2050 } else {
2051 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
2052 }
2053 swz = swa;
2054 }
2055 CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
2056 }
2057 /* test secp256k1_i128_check_pow2 (sign == -1) */
2058 {
2059 int expect = (uc & 1);
2060 int pos = ub % 127;
2061 if (expect) {
2062 /* If expect==1, set swz to exactly -2^pos. */
2063 uint64_t hi = ~(uint64_t)0;
2064 uint64_t lo = ~(uint64_t)0;
2065 if (pos >= 64) {
2066 hi <<= (pos & 63);
2067 lo = 0;
2068 } else {
2069 lo <<= (pos & 63);
2070 }
2071 secp256k1_i128_load(&swz, hi, lo);
2072 } else {
2073 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
2074 if (pos >= 64) {
2075 if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
2076 } else {
2077 if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
2078 }
2079 swz = swa;
2080 }
2081 CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
2082 }
2083}
2084
2085static void run_int128_tests(void) {
2086 { /* secp256k1_u128_accum_mul */
2087 secp256k1_uint128 res;
2088
2089 /* Check secp256k1_u128_accum_mul overflow */
2090 secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
2091 secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
2092 CHECK(secp256k1_u128_to_u64(&res) == 2);
2093 CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
2094 }
2095 { /* secp256k1_u128_accum_mul */
2096 secp256k1_int128 res;
2097
2098 /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
2099 secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
2100 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
2101 CHECK(secp256k1_i128_to_u64(&res) == 2);
2102 secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
2103 secp256k1_i128_accum_mul(&res, 1, 1);
2104 CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2105 secp256k1_i128_rshift(&res, 64);
2106 CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2107
2108 /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2109 secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2110 CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2111 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2112 CHECK(secp256k1_i128_to_u64(&res) == 0);
2113 secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2114 CHECK(secp256k1_i128_to_u64(&res) == 0);
2115 secp256k1_i128_rshift(&res, 64);
2116 CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2117 }
2118 {
2119 /* Randomized tests. */
2120 int i;
2121 for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2122 }
2123}
2124#endif
2125
2126/***** SCALAR TESTS *****/
2127
2128static void scalar_test(void) {
2129 secp256k1_scalar s;
2130 secp256k1_scalar s1;
2131 secp256k1_scalar s2;
2132 unsigned char c[32];
2133
2134 /* Set 's' to a random scalar, with value 'snum'. */
2135 random_scalar_order_test(&s);
2136
2137 /* Set 's1' to a random scalar, with value 's1num'. */
2138 random_scalar_order_test(&s1);
2139
2140 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2141 random_scalar_order_test(&s2);
2142 secp256k1_scalar_get_b32(c, &s2);
2143
2144 {
2145 int i;
2146 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2147 secp256k1_scalar n;
2148 secp256k1_scalar_set_int(&n, 0);
2149 for (i = 0; i < 256; i += 4) {
2150 secp256k1_scalar t;
2151 int j;
2152 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
2153 for (j = 0; j < 4; j++) {
2154 secp256k1_scalar_add(&n, &n, &n);
2155 }
2156 secp256k1_scalar_add(&n, &n, &t);
2157 }
2158 CHECK(secp256k1_scalar_eq(&n, &s));
2159 }
2160
2161 {
2162 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2163 secp256k1_scalar n;
2164 int i = 0;
2165 secp256k1_scalar_set_int(&n, 0);
2166 while (i < 256) {
2167 secp256k1_scalar t;
2168 int j;
2169 int now = secp256k1_testrand_int(15) + 1;
2170 if (now + i > 256) {
2171 now = 256 - i;
2172 }
2173 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
2174 for (j = 0; j < now; j++) {
2175 secp256k1_scalar_add(&n, &n, &n);
2176 }
2177 secp256k1_scalar_add(&n, &n, &t);
2178 i += now;
2179 }
2180 CHECK(secp256k1_scalar_eq(&n, &s));
2181 }
2182
2183 {
2184 /* Test commutativity of add. */
2185 secp256k1_scalar r1, r2;
2186 secp256k1_scalar_add(&r1, &s1, &s2);
2187 secp256k1_scalar_add(&r2, &s2, &s1);
2188 CHECK(secp256k1_scalar_eq(&r1, &r2));
2189 }
2190
2191 {
2192 secp256k1_scalar r1, r2;
2193 secp256k1_scalar b;
2194 int i;
2195 /* Test add_bit. */
2196 int bit = secp256k1_testrand_bits(8);
2197 secp256k1_scalar_set_int(&b, 1);
2198 CHECK(secp256k1_scalar_is_one(&b));
2199 for (i = 0; i < bit; i++) {
2200 secp256k1_scalar_add(&b, &b, &b);
2201 }
2202 r1 = s1;
2203 r2 = s1;
2204 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2205 /* No overflow happened. */
2206 secp256k1_scalar_cadd_bit(&r2, bit, 1);
2207 CHECK(secp256k1_scalar_eq(&r1, &r2));
2208 /* cadd is a noop when flag is zero */
2209 secp256k1_scalar_cadd_bit(&r2, bit, 0);
2210 CHECK(secp256k1_scalar_eq(&r1, &r2));
2211 }
2212 }
2213
2214 {
2215 /* Test commutativity of mul. */
2216 secp256k1_scalar r1, r2;
2217 secp256k1_scalar_mul(&r1, &s1, &s2);
2218 secp256k1_scalar_mul(&r2, &s2, &s1);
2219 CHECK(secp256k1_scalar_eq(&r1, &r2));
2220 }
2221
2222 {
2223 /* Test associativity of add. */
2224 secp256k1_scalar r1, r2;
2225 secp256k1_scalar_add(&r1, &s1, &s2);
2226 secp256k1_scalar_add(&r1, &r1, &s);
2227 secp256k1_scalar_add(&r2, &s2, &s);
2228 secp256k1_scalar_add(&r2, &s1, &r2);
2229 CHECK(secp256k1_scalar_eq(&r1, &r2));
2230 }
2231
2232 {
2233 /* Test associativity of mul. */
2234 secp256k1_scalar r1, r2;
2235 secp256k1_scalar_mul(&r1, &s1, &s2);
2236 secp256k1_scalar_mul(&r1, &r1, &s);
2237 secp256k1_scalar_mul(&r2, &s2, &s);
2238 secp256k1_scalar_mul(&r2, &s1, &r2);
2239 CHECK(secp256k1_scalar_eq(&r1, &r2));
2240 }
2241
2242 {
2243 /* Test distributitivity of mul over add. */
2244 secp256k1_scalar r1, r2, t;
2245 secp256k1_scalar_add(&r1, &s1, &s2);
2246 secp256k1_scalar_mul(&r1, &r1, &s);
2247 secp256k1_scalar_mul(&r2, &s1, &s);
2248 secp256k1_scalar_mul(&t, &s2, &s);
2249 secp256k1_scalar_add(&r2, &r2, &t);
2250 CHECK(secp256k1_scalar_eq(&r1, &r2));
2251 }
2252
2253 {
2254 /* Test multiplicative identity. */
2255 secp256k1_scalar r1;
2256 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_one);
2257 CHECK(secp256k1_scalar_eq(&r1, &s1));
2258 }
2259
2260 {
2261 /* Test additive identity. */
2262 secp256k1_scalar r1;
2263 secp256k1_scalar_add(&r1, &s1, &secp256k1_scalar_zero);
2264 CHECK(secp256k1_scalar_eq(&r1, &s1));
2265 }
2266
2267 {
2268 /* Test zero product property. */
2269 secp256k1_scalar r1;
2270 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_zero);
2271 CHECK(secp256k1_scalar_eq(&r1, &secp256k1_scalar_zero));
2272 }
2273
2274 {
2275 /* Test halving. */
2276 secp256k1_scalar r;
2277 secp256k1_scalar_add(&r, &s, &s);
2278 secp256k1_scalar_half(&r, &r);
2279 CHECK(secp256k1_scalar_eq(&r, &s));
2280 }
2281}
2282
2283static void run_scalar_set_b32_seckey_tests(void) {
2284 unsigned char b32[32];
2285 secp256k1_scalar s1;
2286 secp256k1_scalar s2;
2287
2288 /* Usually set_b32 and set_b32_seckey give the same result */
2289 random_scalar_order_b32(b32);
2290 secp256k1_scalar_set_b32(&s1, b32, NULL);
2291 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2292 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2293
2294 memset(b32, 0, sizeof(b32));
2295 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2296 memset(b32, 0xFF, sizeof(b32));
2297 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2298}
2299
2300static void run_scalar_tests(void) {
2301 int i;
2302 for (i = 0; i < 128 * COUNT; i++) {
2303 scalar_test();
2304 }
2305 for (i = 0; i < COUNT; i++) {
2306 run_scalar_set_b32_seckey_tests();
2307 }
2308
2309 {
2310 /* Check that the scalar constants secp256k1_scalar_zero and
2311 secp256k1_scalar_one contain the expected values. */
2312 secp256k1_scalar zero, one;
2313
2314 CHECK(secp256k1_scalar_is_zero(&secp256k1_scalar_zero));
2315 secp256k1_scalar_set_int(&zero, 0);
2316 CHECK(secp256k1_scalar_eq(&zero, &secp256k1_scalar_zero));
2317
2318 CHECK(secp256k1_scalar_is_one(&secp256k1_scalar_one));
2319 secp256k1_scalar_set_int(&one, 1);
2320 CHECK(secp256k1_scalar_eq(&one, &secp256k1_scalar_one));
2321 }
2322
2323 {
2324 /* (-1)+1 should be zero. */
2325 secp256k1_scalar o;
2326 secp256k1_scalar_negate(&o, &secp256k1_scalar_one);
2327 secp256k1_scalar_add(&o, &o, &secp256k1_scalar_one);
2328 CHECK(secp256k1_scalar_is_zero(&o));
2329 secp256k1_scalar_negate(&o, &o);
2330 CHECK(secp256k1_scalar_is_zero(&o));
2331 }
2332
2333 {
2334 /* Test that halving and doubling roundtrips on some fixed values. */
2335 static const secp256k1_scalar HALF_TESTS[] = {
2336 /* 0 */
2337 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2338 /* 1 */
2339 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2340 /* -1 */
2341 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul),
2342 /* -2 (largest odd value) */
2343 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful),
2344 /* Half the secp256k1 order */
2345 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul),
2346 /* Half the secp256k1 order + 1 */
2347 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul),
2348 /* 2^255 */
2349 SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0),
2350 /* 2^255 - 1 */
2351 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful),
2352 };
2353 unsigned n;
2354 for (n = 0; n < sizeof(HALF_TESTS) / sizeof(HALF_TESTS[0]); ++n) {
2355 secp256k1_scalar s;
2356 secp256k1_scalar_half(&s, &HALF_TESTS[n]);
2357 secp256k1_scalar_add(&s, &s, &s);
2358 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2359 secp256k1_scalar_add(&s, &s, &s);
2360 secp256k1_scalar_half(&s, &s);
2361 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2362 }
2363 }
2364
2365 {
2366 /* Does check_overflow check catch all ones? */
2367 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2368 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2369 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2370 );
2371 CHECK(secp256k1_scalar_check_overflow(&overflowed));
2372 }
2373
2374 {
2375 /* Static test vectors.
2376 * These were reduced from ~10^12 random vectors based on comparison-decision
2377 * and edge-case coverage on 32-bit and 64-bit implementations.
2378 * The responses were generated with Sage 5.9.
2379 */
2380 secp256k1_scalar x;
2381 secp256k1_scalar y;
2382 secp256k1_scalar z;
2383 secp256k1_scalar zz;
2384 secp256k1_scalar r1;
2385 secp256k1_scalar r2;
2386 secp256k1_scalar zzv;
2387 int overflow;
2388 unsigned char chal[33][2][32] = {
2389 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2390 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2391 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2392 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2393 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2394 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2395 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2396 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2397 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2398 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2399 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2400 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2401 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2402 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2403 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2404 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2405 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2406 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2407 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2408 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2409 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2410 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2411 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2412 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2413 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2414 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2415 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2416 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2417 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2418 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2419 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2420 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2421 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2422 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2423 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2424 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2425 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2426 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2427 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2428 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2429 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2430 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2431 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2432 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2433 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2434 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2435 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2436 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2437 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2438 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2439 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2440 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2441 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2442 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2443 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2444 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2445 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2446 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2447 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2448 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2449 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2450 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2451 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2452 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2453 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2454 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2455 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2456 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2457 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2458 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2461 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2462 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2463 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2464 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2465 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2466 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2467 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2468 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2469 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2470 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2471 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2472 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2473 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2474 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2475 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2476 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2477 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2478 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2479 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2480 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2481 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2482 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2483 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2484 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2485 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2486 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2487 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2488 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2489 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2490 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2491 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2492 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2493 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2494 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2495 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2496 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2497 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2498 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2499 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2501 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2502 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2503 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2504 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2505 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2506 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2507 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2508 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2509 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2510 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2511 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2512 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2513 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2514 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2515 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2516 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2517 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2518 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2519 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2520 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2521 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2522 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2523 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2525 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2526 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2527 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2528 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2529 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2530 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2531 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2532 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2533 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2534 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2535 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2536 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2537 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2538 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2539 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2540 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2541 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2542 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2543 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2544 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2545 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2546 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2547 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2548 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2549 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2550 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2551 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2552 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2553 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2554 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2555 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2556 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2557 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2558 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2560 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2561 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2562 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2563 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2565 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2566 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2567 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2568 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2569 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2570 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2571 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2572 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2573 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2574 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2575 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2576 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2577 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2578 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2579 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2580 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2581 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2582 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2583 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2584 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2585 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2586 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2587 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2588 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2589 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2590 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2591 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2592 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2593 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2594 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2595 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2596 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2597 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2598 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2599 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2600 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2601 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2602 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2603 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2604 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2605 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2606 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2607 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2608 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2609 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2610 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2611 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2612 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2613 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2614 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2615 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2616 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2617 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2618 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2619 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2620 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2621 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2622 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2623 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2624 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2625 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2626 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2627 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2628 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2629 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2630 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2631 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2632 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2633 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2634 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2635 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2636 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2637 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2638 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2639 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2640 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2641 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2642 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2643 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2644 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2645 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2646 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2647 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2648 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2649 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2650 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2651 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2652 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2653 };
2654 unsigned char res[33][2][32] = {
2655 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2656 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2657 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2658 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2659 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2660 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2661 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2662 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2663 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2664 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2665 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2666 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2667 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2668 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2669 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2670 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2671 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2672 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2673 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2674 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2675 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2676 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2677 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2678 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2679 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2680 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2681 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2682 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2683 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2684 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2685 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2686 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2687 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2688 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2689 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2690 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2691 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2692 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2693 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2694 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2695 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2696 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2697 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2698 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2699 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2700 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2701 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2702 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2703 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2704 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2705 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2706 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2707 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2708 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2709 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2710 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2711 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2712 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2713 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2714 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2715 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2716 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2717 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2718 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2719 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2720 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2721 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2722 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2723 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2724 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2725 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2726 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2727 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2728 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2729 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2730 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2731 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2732 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2733 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2734 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2735 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2736 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2737 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2738 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2739 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2740 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2741 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2742 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2743 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2744 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2745 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2746 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2747 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2748 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2749 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2750 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2751 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2752 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2753 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2754 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2755 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2756 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2757 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2758 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2759 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2760 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2761 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2762 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2763 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2764 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2765 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2766 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2767 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2768 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2769 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2770 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2771 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2772 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2773 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2774 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2775 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2776 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2777 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2778 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2779 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2780 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2781 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2782 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2783 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2784 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2785 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2786 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2787 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2788 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2789 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2790 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2791 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2792 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2793 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2794 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2795 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2796 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2797 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2798 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2799 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2800 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2801 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2802 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2803 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2804 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2805 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2806 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2807 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2808 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2809 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2810 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2811 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2812 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2813 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2814 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2815 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2817 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2818 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2819 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2820 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2822 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2823 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2824 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2826 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2827 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2828 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2829 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2830 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2831 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2832 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2833 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2834 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2835 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2836 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2837 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2838 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2839 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2840 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2841 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2842 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2843 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2844 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2845 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2846 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2847 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2848 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2849 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2850 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2851 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2852 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2853 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2854 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2855 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2856 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2857 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2858 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2859 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2860 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2861 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2862 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2863 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2864 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2865 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2866 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2867 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2868 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2869 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2870 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2871 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2872 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2873 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2874 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2875 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2876 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2877 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2878 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2879 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2880 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2881 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2882 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2883 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2884 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2885 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2886 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2887 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2888 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2889 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2890 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2891 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2892 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2893 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2894 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2895 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2896 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2897 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2898 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2899 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2900 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2901 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2902 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2903 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2904 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2905 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2906 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2907 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2908 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2909 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2910 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2911 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2912 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2913 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2914 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2915 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2916 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2917 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2918 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2919 };
2920 for (i = 0; i < 33; i++) {
2921 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2922 CHECK(!overflow);
2923 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2924 CHECK(!overflow);
2925 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2926 CHECK(!overflow);
2927 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2928 CHECK(!overflow);
2929 secp256k1_scalar_mul(&z, &x, &y);
2930 CHECK(!secp256k1_scalar_check_overflow(&z));
2931 CHECK(secp256k1_scalar_eq(&r1, &z));
2932 if (!secp256k1_scalar_is_zero(&y)) {
2933 secp256k1_scalar_inverse(&zz, &y);
2934 CHECK(!secp256k1_scalar_check_overflow(&zz));
2935 secp256k1_scalar_inverse_var(&zzv, &y);
2936 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2937 secp256k1_scalar_mul(&z, &z, &zz);
2938 CHECK(!secp256k1_scalar_check_overflow(&z));
2939 CHECK(secp256k1_scalar_eq(&x, &z));
2940 secp256k1_scalar_mul(&zz, &zz, &y);
2941 CHECK(!secp256k1_scalar_check_overflow(&zz));
2942 CHECK(secp256k1_scalar_eq(&secp256k1_scalar_one, &zz));
2943 }
2944 }
2945 }
2946}
2947
2948/***** FIELD TESTS *****/
2949
2950static void random_fe_non_square(secp256k1_fe *ns) {
2951 secp256k1_fe r;
2952 random_fe_non_zero(ns);
2953 if (secp256k1_fe_sqrt(&r, ns)) {
2954 secp256k1_fe_negate(ns, ns, 1);
2955 }
2956}
2957
2958static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2959 secp256k1_fe an = *a;
2960 secp256k1_fe bn = *b;
2961 secp256k1_fe_normalize_weak(&an);
2962 return secp256k1_fe_equal(&an, &bn);
2963}
2964
2965static void run_field_convert(void) {
2966 static const unsigned char b32[32] = {
2967 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2968 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2969 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2970 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2971 };
2972 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
2973 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2974 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2975 );
2976 static const secp256k1_fe fe = SECP256K1_FE_CONST(
2977 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2978 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2979 );
2980 secp256k1_fe fe2;
2981 unsigned char b322[32];
2982 secp256k1_fe_storage fes2;
2983 /* Check conversions to fe. */
2984 CHECK(secp256k1_fe_set_b32_limit(&fe2, b32));
2985 CHECK(secp256k1_fe_equal(&fe, &fe2));
2986 secp256k1_fe_from_storage(&fe2, &fes);
2987 CHECK(secp256k1_fe_equal(&fe, &fe2));
2988 /* Check conversion from fe. */
2989 secp256k1_fe_get_b32(b322, &fe);
2990 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2991 secp256k1_fe_to_storage(&fes2, &fe);
2992 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2993}
2994
2995static void run_field_be32_overflow(void) {
2996 {
2997 static const unsigned char zero_overflow[32] = {
2998 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2999 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3000 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3001 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
3002 };
3003 static const unsigned char zero[32] = { 0x00 };
3004 unsigned char out[32];
3005 secp256k1_fe fe;
3006 CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
3007 secp256k1_fe_set_b32_mod(&fe, zero_overflow);
3008 CHECK(secp256k1_fe_normalizes_to_zero(&fe) == 1);
3009 secp256k1_fe_normalize(&fe);
3010 CHECK(secp256k1_fe_is_zero(&fe) == 1);
3011 secp256k1_fe_get_b32(out, &fe);
3012 CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
3013 }
3014 {
3015 static const unsigned char one_overflow[32] = {
3016 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3017 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3018 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3019 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
3020 };
3021 static const unsigned char one[32] = {
3022 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3023 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3024 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3025 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3026 };
3027 unsigned char out[32];
3028 secp256k1_fe fe;
3029 CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
3030 secp256k1_fe_set_b32_mod(&fe, one_overflow);
3031 secp256k1_fe_normalize(&fe);
3032 CHECK(secp256k1_fe_cmp_var(&fe, &secp256k1_fe_one) == 0);
3033 secp256k1_fe_get_b32(out, &fe);
3034 CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
3035 }
3036 {
3037 static const unsigned char ff_overflow[32] = {
3038 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3039 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3040 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3041 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3042 };
3043 static const unsigned char ff[32] = {
3044 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3045 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3046 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3047 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
3048 };
3049 unsigned char out[32];
3050 secp256k1_fe fe;
3051 const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
3052 CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
3053 secp256k1_fe_set_b32_mod(&fe, ff_overflow);
3054 secp256k1_fe_normalize(&fe);
3055 CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
3056 secp256k1_fe_get_b32(out, &fe);
3057 CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
3058 }
3059}
3060
3061/* Returns true if two field elements have the same representation. */
3062static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
3063 int ret = 1;
3064 /* Compare the struct member that holds the limbs. */
3065 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
3066 return ret;
3067}
3068
3069static void run_field_half(void) {
3070 secp256k1_fe t, u;
3071 int m;
3072
3073 /* Check magnitude 0 input */
3074 secp256k1_fe_get_bounds(&t, 0);
3075 secp256k1_fe_half(&t);
3076#ifdef VERIFY
3077 CHECK(t.magnitude == 1);
3078 CHECK(t.normalized == 0);
3079#endif
3080 CHECK(secp256k1_fe_normalizes_to_zero(&t));
3081
3082 /* Check non-zero magnitudes in the supported range */
3083 for (m = 1; m < 32; m++) {
3084 /* Check max-value input */
3085 secp256k1_fe_get_bounds(&t, m);
3086
3087 u = t;
3088 secp256k1_fe_half(&u);
3089#ifdef VERIFY
3090 CHECK(u.magnitude == (m >> 1) + 1);
3091 CHECK(u.normalized == 0);
3092#endif
3093 secp256k1_fe_normalize_weak(&u);
3094 secp256k1_fe_add(&u, &u);
3095 CHECK(check_fe_equal(&t, &u));
3096
3097 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
3098 * which will also cause all carries to be 1, since all limbs that can
3099 * generate a carry are initially even and all limbs of P are odd in
3100 * every existing field implementation. */
3101 secp256k1_fe_get_bounds(&t, m);
3102 CHECK(t.n[0] > 0);
3103 CHECK((t.n[0] & 1) == 0);
3104 --t.n[0];
3105
3106 u = t;
3107 secp256k1_fe_half(&u);
3108#ifdef VERIFY
3109 CHECK(u.magnitude == (m >> 1) + 1);
3110 CHECK(u.normalized == 0);
3111#endif
3112 secp256k1_fe_normalize_weak(&u);
3113 secp256k1_fe_add(&u, &u);
3114 CHECK(check_fe_equal(&t, &u));
3115 }
3116}
3117
3118static void run_field_misc(void) {
3119 secp256k1_fe x;
3120 secp256k1_fe y;
3121 secp256k1_fe z;
3122 secp256k1_fe q;
3123 int v;
3124 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3125 int i, j;
3126 for (i = 0; i < 1000 * COUNT; i++) {
3127 secp256k1_fe_storage xs, ys, zs;
3128 if (i & 1) {
3129 random_fe(&x);
3130 } else {
3131 random_fe_test(&x);
3132 }
3133 random_fe_non_zero(&y);
3134 v = secp256k1_testrand_bits(15);
3135 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3136 secp256k1_fe_set_int(&q, v); /* q = v */
3137 z = x; /* z = x */
3138 secp256k1_fe_add(&z, &q); /* z = x+v */
3139 q = x; /* q = x */
3140 secp256k1_fe_add_int(&q, v); /* q = x+v */
3141 CHECK(check_fe_equal(&q, &z));
3142 /* Test the fe equality and comparison operations. */
3143 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3144 CHECK(secp256k1_fe_equal(&x, &x));
3145 z = x;
3146 secp256k1_fe_add(&z,&y);
3147 /* Test fe conditional move; z is not normalized here. */
3148 q = x;
3149 secp256k1_fe_cmov(&x, &z, 0);
3150#ifdef VERIFY
3151 CHECK(!x.normalized);
3152 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3153 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3154#endif
3155 x = q;
3156 secp256k1_fe_cmov(&x, &x, 1);
3157 CHECK(!fe_identical(&x, &z));
3158 CHECK(fe_identical(&x, &q));
3159 secp256k1_fe_cmov(&q, &z, 1);
3160#ifdef VERIFY
3161 CHECK(!q.normalized);
3162 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3163 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3164#endif
3165 CHECK(fe_identical(&q, &z));
3166 q = z;
3167 secp256k1_fe_normalize_var(&x);
3168 secp256k1_fe_normalize_var(&z);
3169 CHECK(!secp256k1_fe_equal(&x, &z));
3170 secp256k1_fe_normalize_var(&q);
3171 secp256k1_fe_cmov(&q, &z, (i&1));
3172#ifdef VERIFY
3173 CHECK(q.normalized && q.magnitude == 1);
3174#endif
3175 for (j = 0; j < 6; j++) {
3176 secp256k1_fe_negate_unchecked(&z, &z, j+1);
3177 secp256k1_fe_normalize_var(&q);
3178 secp256k1_fe_cmov(&q, &z, (j&1));
3179#ifdef VERIFY
3180 CHECK(!q.normalized && q.magnitude == z.magnitude);
3181#endif
3182 }
3183 secp256k1_fe_normalize_var(&z);
3184 /* Test storage conversion and conditional moves. */
3185 secp256k1_fe_to_storage(&xs, &x);
3186 secp256k1_fe_to_storage(&ys, &y);
3187 secp256k1_fe_to_storage(&zs, &z);
3188 secp256k1_fe_storage_cmov(&zs, &xs, 0);
3189 secp256k1_fe_storage_cmov(&zs, &zs, 1);
3190 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3191 secp256k1_fe_storage_cmov(&ys, &xs, 1);
3192 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3193 secp256k1_fe_from_storage(&x, &xs);
3194 secp256k1_fe_from_storage(&y, &ys);
3195 secp256k1_fe_from_storage(&z, &zs);
3196 /* Test that mul_int, mul, and add agree. */
3197 secp256k1_fe_add(&y, &x);
3198 secp256k1_fe_add(&y, &x);
3199 z = x;
3200 secp256k1_fe_mul_int(&z, 3);
3201 CHECK(check_fe_equal(&y, &z));
3202 secp256k1_fe_add(&y, &x);
3203 secp256k1_fe_add(&z, &x);
3204 CHECK(check_fe_equal(&z, &y));
3205 z = x;
3206 secp256k1_fe_mul_int(&z, 5);
3207 secp256k1_fe_mul(&q, &x, &fe5);
3208 CHECK(check_fe_equal(&z, &q));
3209 secp256k1_fe_negate(&x, &x, 1);
3210 secp256k1_fe_add(&z, &x);
3211 secp256k1_fe_add(&q, &x);
3212 CHECK(check_fe_equal(&y, &z));
3213 CHECK(check_fe_equal(&q, &y));
3214 /* Check secp256k1_fe_half. */
3215 z = x;
3216 secp256k1_fe_half(&z);
3217 secp256k1_fe_add(&z, &z);
3218 CHECK(check_fe_equal(&x, &z));
3219 secp256k1_fe_add(&z, &z);
3220 secp256k1_fe_half(&z);
3221 CHECK(check_fe_equal(&x, &z));
3222 }
3223}
3224
3225static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3226{
3227 secp256k1_fe c, an, bn;
3228 /* Variables in BE 32-byte format. */
3229 unsigned char a32[32], b32[32], c32[32];
3230 /* Variables in LE 16x uint16_t format. */
3231 uint16_t a16[16], b16[16], c16[16];
3232 /* Field modulus in LE 16x uint16_t format. */
3233 static const uint16_t m16[16] = {
3234 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3235 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3236 };
3237 uint16_t t16[32];
3238 int i;
3239
3240 /* Compute C = A * B in fe format. */
3241 c = *a;
3242 if (use_sqr) {
3243 secp256k1_fe_sqr(&c, &c);
3244 } else {
3245 secp256k1_fe_mul(&c, &c, b);
3246 }
3247
3248 /* Convert A, B, C into LE 16x uint16_t format. */
3249 an = *a;
3250 bn = *b;
3251 secp256k1_fe_normalize_var(&c);
3252 secp256k1_fe_normalize_var(&an);
3253 secp256k1_fe_normalize_var(&bn);
3254 secp256k1_fe_get_b32(a32, &an);
3255 secp256k1_fe_get_b32(b32, &bn);
3256 secp256k1_fe_get_b32(c32, &c);
3257 for (i = 0; i < 16; ++i) {
3258 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3259 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3260 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3261 }
3262 /* Compute T = A * B in LE 16x uint16_t format. */
3263 mulmod256(t16, a16, b16, m16);
3264 /* Compare */
3265 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3266}
3267
3268static void run_fe_mul(void) {
3269 int i;
3270 for (i = 0; i < 100 * COUNT; ++i) {
3271 secp256k1_fe a, b, c, d;
3272 random_fe(&a);
3273 random_fe_magnitude(&a);
3274 random_fe(&b);
3275 random_fe_magnitude(&b);
3276 random_fe_test(&c);
3277 random_fe_magnitude(&c);
3278 random_fe_test(&d);
3279 random_fe_magnitude(&d);
3280 test_fe_mul(&a, &a, 1);
3281 test_fe_mul(&c, &c, 1);
3282 test_fe_mul(&a, &b, 0);
3283 test_fe_mul(&a, &c, 0);
3284 test_fe_mul(&c, &b, 0);
3285 test_fe_mul(&c, &d, 0);
3286 }
3287}
3288
3289static void run_sqr(void) {
3290 secp256k1_fe x, s;
3291
3292 {
3293 int i;
3294 secp256k1_fe_set_int(&x, 1);
3295 secp256k1_fe_negate(&x, &x, 1);
3296
3297 for (i = 1; i <= 512; ++i) {
3298 secp256k1_fe_mul_int(&x, 2);
3299 secp256k1_fe_normalize(&x);
3300 secp256k1_fe_sqr(&s, &x);
3301 }
3302 }
3303}
3304
3305static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3306 secp256k1_fe r1, r2;
3307 int v = secp256k1_fe_sqrt(&r1, a);
3308 CHECK((v == 0) == (k == NULL));
3309
3310 if (k != NULL) {
3311 /* Check that the returned root is +/- the given known answer */
3312 secp256k1_fe_negate(&r2, &r1, 1);
3313 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3314 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
3315 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
3316 }
3317}
3318
3319static void run_sqrt(void) {
3320 secp256k1_fe ns, x, s, t;
3321 int i;
3322
3323 /* Check sqrt(0) is 0 */
3324 secp256k1_fe_set_int(&x, 0);
3325 secp256k1_fe_sqr(&s, &x);
3326 test_sqrt(&s, &x);
3327
3328 /* Check sqrt of small squares (and their negatives) */
3329 for (i = 1; i <= 100; i++) {
3330 secp256k1_fe_set_int(&x, i);
3331 secp256k1_fe_sqr(&s, &x);
3332 test_sqrt(&s, &x);
3333 secp256k1_fe_negate(&t, &s, 1);
3334 test_sqrt(&t, NULL);
3335 }
3336
3337 /* Consistency checks for large random values */
3338 for (i = 0; i < 10; i++) {
3339 int j;
3340 random_fe_non_square(&ns);
3341 for (j = 0; j < COUNT; j++) {
3342 random_fe(&x);
3343 secp256k1_fe_sqr(&s, &x);
3344 CHECK(secp256k1_fe_is_square_var(&s));
3345 test_sqrt(&s, &x);
3346 secp256k1_fe_negate(&t, &s, 1);
3347 CHECK(!secp256k1_fe_is_square_var(&t));
3348 test_sqrt(&t, NULL);
3349 secp256k1_fe_mul(&t, &s, &ns);
3350 test_sqrt(&t, NULL);
3351 }
3352 }
3353}
3354
3355/***** FIELD/SCALAR INVERSE TESTS *****/
3356
3357static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
3358 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3359 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3360);
3361
3362static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
3363 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3364 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3365);
3366
3367/* These tests test the following identities:
3368 *
3369 * for x==0: 1/x == 0
3370 * for x!=0: x*(1/x) == 1
3371 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3372 */
3373
3374static void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
3375{
3376 secp256k1_scalar l, r, t;
3377
3378 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3379 if (out) *out = l;
3380 if (secp256k1_scalar_is_zero(x)) {
3381 CHECK(secp256k1_scalar_is_zero(&l));
3382 return;
3383 }
3384 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3385 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3386 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3387 if (secp256k1_scalar_is_zero(&r)) return;
3388 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3389 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3390 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3391 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3392 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3393 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3394}
3395
3396static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3397{
3398 secp256k1_fe l, r, t;
3399
3400 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3401 if (out) *out = l;
3402 t = *x; /* t = x */
3403 if (secp256k1_fe_normalizes_to_zero_var(&t)) {
3404 CHECK(secp256k1_fe_normalizes_to_zero(&l));
3405 return;
3406 }
3407 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3408 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3409 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3410 r = *x; /* r = x */
3411 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3412 if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
3413 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3414 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3415 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3416 secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3417 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3418 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
3419}
3420
3421static void run_inverse_tests(void)
3422{
3423 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3424 static const secp256k1_fe fe_cases[][2] = {
3425 /* 0 */
3426 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3427 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3428 /* 1 */
3429 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3430 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3431 /* -1 */
3432 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3433 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3434 /* 2 */
3435 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3436 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3437 /* 2**128 */
3438 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3439 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3440 /* Input known to need 637 divsteps */
3441 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3442 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3443 /* Input known to need 567 divsteps starting with delta=1/2. */
3444 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3445 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3446 /* Input known to need 566 divsteps starting with delta=1/2. */
3447 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3448 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3449 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3450 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3451 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3452 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3453 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3454 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3455 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3456 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3457 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3458 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3459 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3460 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3461 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3462 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3463 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3464 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3465 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3466 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3467 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3468 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3469 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3470 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3471 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3472 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3473 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3474 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3475 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3476 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3477 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3478 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3479 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3480 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3481 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3482 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3483 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3484 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3485 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3486 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3487 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3488 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3489 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3490 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3491 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3492 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3493 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3494 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3495 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3496 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3497 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3498 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3499 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3500 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3501 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3502 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3503 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3504 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3505 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3506 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3507 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3508 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3509 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3510 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3511 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3512 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3513 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3514 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3515 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3516 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3517 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3518 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3519 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3520 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3521 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3522 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3523 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3524 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3525 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3526 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3527 };
3528 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3529 static const secp256k1_scalar scalar_cases[][2] = {
3530 /* 0 */
3531 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3532 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3533 /* 1 */
3534 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3535 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3536 /* -1 */
3537 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3538 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3539 /* 2 */
3540 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3541 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3542 /* 2**128 */
3543 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3544 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3545 /* Input known to need 635 divsteps */
3546 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3547 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3548 /* Input known to need 566 divsteps starting with delta=1/2. */
3549 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3550 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3551 /* Input known to need 565 divsteps starting with delta=1/2. */
3552 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3553 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3554 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3555 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3556 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3557 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3558 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3559 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3560 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3561 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3562 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3563 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3564 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3565 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3566 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3567 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3568 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3569 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3570 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3571 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3572 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3573 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3574 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3575 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3576 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3577 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3578 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3579 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3580 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3581 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3582 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3583 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3584 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3585 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3586 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3587 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3588 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3589 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3590 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3591 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3592 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3593 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3594 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3595 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3596 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3597 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3598 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3599 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3600 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3601 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3602 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3603 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3604 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3605 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3606 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3607 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3608 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3609 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3610 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3611 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3612 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3613 };
3614 int i, var, testrand;
3615 unsigned char b32[32];
3616 secp256k1_fe x_fe;
3617 secp256k1_scalar x_scalar;
3618 memset(b32, 0, sizeof(b32));
3619 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3620 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3621 for (var = 0; var <= 1; ++var) {
3622 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3623 check_fe_equal(&x_fe, &fe_cases[i][1]);
3624 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3625 check_fe_equal(&x_fe, &fe_cases[i][0]);
3626 }
3627 }
3628 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3629 for (var = 0; var <= 1; ++var) {
3630 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3631 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3632 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3633 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3634 }
3635 }
3636 /* Test inputs 0..999 and their respective negations. */
3637 for (i = 0; i < 1000; ++i) {
3638 b32[31] = i & 0xff;
3639 b32[30] = (i >> 8) & 0xff;
3640 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3641 secp256k1_fe_set_b32_mod(&x_fe, b32);
3642 for (var = 0; var <= 1; ++var) {
3643 test_inverse_scalar(NULL, &x_scalar, var);
3644 test_inverse_field(NULL, &x_fe, var);
3645 }
3646 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3647 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3648 for (var = 0; var <= 1; ++var) {
3649 test_inverse_scalar(NULL, &x_scalar, var);
3650 test_inverse_field(NULL, &x_fe, var);
3651 }
3652 }
3653 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3654 for (testrand = 0; testrand <= 1; ++testrand) {
3655 for (i = 0; i < 64 * COUNT; ++i) {
3656 (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
3657 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3658 secp256k1_fe_set_b32_mod(&x_fe, b32);
3659 for (var = 0; var <= 1; ++var) {
3660 test_inverse_scalar(NULL, &x_scalar, var);
3661 test_inverse_field(NULL, &x_fe, var);
3662 }
3663 }
3664 }
3665}
3666
3667/***** GROUP TESTS *****/
3668
3669/* This compares jacobian points including their Z, not just their geometric meaning. */
3670static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3671 secp256k1_gej a2;
3672 secp256k1_gej b2;
3673 int ret = 1;
3674 ret &= a->infinity == b->infinity;
3675 if (ret && !a->infinity) {
3676 a2 = *a;
3677 b2 = *b;
3678 secp256k1_fe_normalize(&a2.x);
3679 secp256k1_fe_normalize(&a2.y);
3680 secp256k1_fe_normalize(&a2.z);
3681 secp256k1_fe_normalize(&b2.x);
3682 secp256k1_fe_normalize(&b2.y);
3683 secp256k1_fe_normalize(&b2.z);
3684 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3685 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3686 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3687 }
3688 return ret;
3689}
3690
3691static void test_ge(void) {
3692 int i, i1;
3693 int runs = 6;
3694 /* 25 points are used:
3695 * - infinity
3696 * - for each of four random points p1 p2 p3 p4, we add the point, its
3697 * negation, and then those two again but with randomized Z coordinate.
3698 * - The same is then done for lambda*p1 and lambda^2*p1.
3699 */
3700 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3701 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3702 secp256k1_fe zf, r;
3703 secp256k1_fe zfi2, zfi3;
3704
3705 secp256k1_gej_set_infinity(&gej[0]);
3706 secp256k1_ge_clear(&ge[0]);
3707 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3708 for (i = 0; i < runs; i++) {
3709 int j;
3710 secp256k1_ge g;
3711 random_group_element_test(&g);
3712 if (i >= runs - 2) {
3713 secp256k1_ge_mul_lambda(&g, &ge[1]);
3714 }
3715 if (i >= runs - 1) {
3716 secp256k1_ge_mul_lambda(&g, &g);
3717 }
3718 ge[1 + 4 * i] = g;
3719 ge[2 + 4 * i] = g;
3720 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3721 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3722 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3723 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3724 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3725 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3726 for (j = 0; j < 4; j++) {
3727 random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3728 random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3729 random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3730 random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3731 random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3732 }
3733 }
3734
3735 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3736 random_fe_non_zero_test(&zf);
3737 random_fe_magnitude(&zf);
3738 secp256k1_fe_inv_var(&zfi3, &zf);
3739 secp256k1_fe_sqr(&zfi2, &zfi3);
3740 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3741
3742 /* Generate random r */
3743 random_fe_non_zero_test(&r);
3744
3745 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3746 int i2;
3747 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3748 /* Compute reference result using gej + gej (var). */
3749 secp256k1_gej refj, resj;
3750 secp256k1_ge ref;
3751 secp256k1_fe zr;
3752 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3753 /* Check Z ratio. */
3754 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3755 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3756 CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3757 }
3758 secp256k1_ge_set_gej_var(&ref, &refj);
3759
3760 /* Test gej + ge with Z ratio result (var). */
3761 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3762 ge_equals_gej(&ref, &resj);
3763 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3764 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3765 CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3766 }
3767
3768 /* Test gej + ge (var, with additional Z factor). */
3769 {
3770 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3771 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3772 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3773 random_ge_x_magnitude(&ge2_zfi);
3774 random_ge_y_magnitude(&ge2_zfi);
3775 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3776 ge_equals_gej(&ref, &resj);
3777 }
3778
3779 /* Test gej + ge (const). */
3780 if (i2 != 0) {
3781 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3782 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3783 ge_equals_gej(&ref, &resj);
3784 }
3785
3786 /* Test doubling (var). */
3787 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3788 secp256k1_fe zr2;
3789 /* Normal doubling with Z ratio result. */
3790 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3791 ge_equals_gej(&ref, &resj);
3792 /* Check Z ratio. */
3793 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3794 CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3795 /* Normal doubling. */
3796 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3797 ge_equals_gej(&ref, &resj);
3798 /* Constant-time doubling. */
3799 secp256k1_gej_double(&resj, &gej[i2]);
3800 ge_equals_gej(&ref, &resj);
3801 }
3802
3803 /* Test adding opposites. */
3804 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3805 CHECK(secp256k1_ge_is_infinity(&ref));
3806 }
3807
3808 /* Test adding infinity. */
3809 if (i1 == 0) {
3810 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3811 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3812 ge_equals_gej(&ref, &gej[i2]);
3813 }
3814 if (i2 == 0) {
3815 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3816 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3817 ge_equals_gej(&ref, &gej[i1]);
3818 }
3819 }
3820 }
3821
3822 /* Test adding all points together in random order equals infinity. */
3823 {
3824 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
3825 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3826 for (i = 0; i < 4 * runs + 1; i++) {
3827 gej_shuffled[i] = gej[i];
3828 }
3829 for (i = 0; i < 4 * runs + 1; i++) {
3830 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3831 if (swap != i) {
3832 secp256k1_gej t = gej_shuffled[i];
3833 gej_shuffled[i] = gej_shuffled[swap];
3834 gej_shuffled[swap] = t;
3835 }
3836 }
3837 for (i = 0; i < 4 * runs + 1; i++) {
3838 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3839 }
3840 CHECK(secp256k1_gej_is_infinity(&sum));
3841 free(gej_shuffled);
3842 }
3843
3844 /* Test batch gej -> ge conversion without known z ratios. */
3845 {
3846 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3847 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3848 for (i = 0; i < 4 * runs + 1; i++) {
3849 secp256k1_fe s;
3850 random_fe_non_zero(&s);
3851 secp256k1_gej_rescale(&gej[i], &s);
3852 ge_equals_gej(&ge_set_all[i], &gej[i]);
3853 }
3854 free(ge_set_all);
3855 }
3856
3857 /* Test that all elements have X coordinates on the curve. */
3858 for (i = 1; i < 4 * runs + 1; i++) {
3859 secp256k1_fe n;
3860 CHECK(secp256k1_ge_x_on_curve_var(&ge[i].x));
3861 /* And the same holds after random rescaling. */
3862 secp256k1_fe_mul(&n, &zf, &ge[i].x);
3863 CHECK(secp256k1_ge_x_frac_on_curve_var(&n, &zf));
3864 }
3865
3866 /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
3867 {
3868 secp256k1_fe n;
3869 secp256k1_ge q;
3870 int ret_on_curve, ret_frac_on_curve, ret_set_xo;
3871 secp256k1_fe_mul(&n, &zf, &r);
3872 ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
3873 ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
3874 ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
3875 CHECK(ret_on_curve == ret_frac_on_curve);
3876 CHECK(ret_on_curve == ret_set_xo);
3877 if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
3878 }
3879
3880 /* Test batch gej -> ge conversion with many infinities. */
3881 for (i = 0; i < 4 * runs + 1; i++) {
3882 int odd;
3883 random_group_element_test(&ge[i]);
3884 odd = secp256k1_fe_is_odd(&ge[i].x);
3885 CHECK(odd == 0 || odd == 1);
3886 /* randomly set half the points to infinity */
3887 if (odd == i % 2) {
3888 secp256k1_ge_set_infinity(&ge[i]);
3889 }
3890 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3891 }
3892 /* batch convert */
3893 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3894 /* check result */
3895 for (i = 0; i < 4 * runs + 1; i++) {
3896 ge_equals_gej(&ge[i], &gej[i]);
3897 }
3898
3899 /* Test batch gej -> ge conversion with all infinities. */
3900 for (i = 0; i < 4 * runs + 1; i++) {
3901 secp256k1_gej_set_infinity(&gej[i]);
3902 }
3903 /* batch convert */
3904 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3905 /* check result */
3906 for (i = 0; i < 4 * runs + 1; i++) {
3907 CHECK(secp256k1_ge_is_infinity(&ge[i]));
3908 }
3909
3910 free(ge);
3911 free(gej);
3912}
3913
3914static void test_intialized_inf(void) {
3915 secp256k1_ge p;
3916 secp256k1_gej pj, npj, infj1, infj2, infj3;
3917 secp256k1_fe zinv;
3918
3919 /* Test that adding P+(-P) results in a fully initialized infinity*/
3920 random_group_element_test(&p);
3921 secp256k1_gej_set_ge(&pj, &p);
3922 secp256k1_gej_neg(&npj, &pj);
3923
3924 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3925 CHECK(secp256k1_gej_is_infinity(&infj1));
3926 CHECK(secp256k1_fe_is_zero(&infj1.x));
3927 CHECK(secp256k1_fe_is_zero(&infj1.y));
3928 CHECK(secp256k1_fe_is_zero(&infj1.z));
3929
3930 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3931 CHECK(secp256k1_gej_is_infinity(&infj2));
3932 CHECK(secp256k1_fe_is_zero(&infj2.x));
3933 CHECK(secp256k1_fe_is_zero(&infj2.y));
3934 CHECK(secp256k1_fe_is_zero(&infj2.z));
3935
3936 secp256k1_fe_set_int(&zinv, 1);
3937 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3938 CHECK(secp256k1_gej_is_infinity(&infj3));
3939 CHECK(secp256k1_fe_is_zero(&infj3.x));
3940 CHECK(secp256k1_fe_is_zero(&infj3.y));
3941 CHECK(secp256k1_fe_is_zero(&infj3.z));
3942
3943
3944}
3945
3946static void test_add_neg_y_diff_x(void) {
3947 /* The point of this test is to check that we can add two points
3948 * whose y-coordinates are negatives of each other but whose x
3949 * coordinates differ. If the x-coordinates were the same, these
3950 * points would be negatives of each other and their sum is
3951 * infinity. This is cool because it "covers up" any degeneracy
3952 * in the addition algorithm that would cause the xy coordinates
3953 * of the sum to be wrong (since infinity has no xy coordinates).
3954 * HOWEVER, if the x-coordinates are different, infinity is the
3955 * wrong answer, and such degeneracies are exposed. This is the
3956 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3957 * which this test is a regression test for.
3958 *
3959 * These points were generated in sage as
3960 *
3961 * load("secp256k1_params.sage")
3962 *
3963 * # random "bad pair"
3964 * P = C.random_element()
3965 * Q = -int(LAMBDA) * P
3966 * print(" P: %x %x" % P.xy())
3967 * print(" Q: %x %x" % Q.xy())
3968 * print("P + Q: %x %x" % (P + Q).xy())
3969 */
3970 secp256k1_gej aj = SECP256K1_GEJ_CONST(
3971 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3972 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3973 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3974 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3975 );
3976 secp256k1_gej bj = SECP256K1_GEJ_CONST(
3977 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3978 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3979 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3980 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3981 );
3982 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
3983 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3984 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3985 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3986 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3987 );
3988 secp256k1_ge b;
3989 secp256k1_gej resj;
3990 secp256k1_ge res;
3991 secp256k1_ge_set_gej(&b, &bj);
3992
3993 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
3994 secp256k1_ge_set_gej(&res, &resj);
3995 ge_equals_gej(&res, &sumj);
3996
3997 secp256k1_gej_add_ge(&resj, &aj, &b);
3998 secp256k1_ge_set_gej(&res, &resj);
3999 ge_equals_gej(&res, &sumj);
4000
4001 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4002 secp256k1_ge_set_gej(&res, &resj);
4003 ge_equals_gej(&res, &sumj);
4004}
4005
4006static void run_ge(void) {
4007 int i;
4008 for (i = 0; i < COUNT * 32; i++) {
4009 test_ge();
4010 }
4011 test_add_neg_y_diff_x();
4012 test_intialized_inf();
4013}
4014
4015static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4016 secp256k1_gej t = *a;
4017 secp256k1_gej_cmov(&t, b, 0);
4018 CHECK(gej_xyz_equals_gej(&t, a));
4019 secp256k1_gej_cmov(&t, b, 1);
4020 CHECK(gej_xyz_equals_gej(&t, b));
4021}
4022
4023static void run_gej(void) {
4024 int i;
4025 secp256k1_gej a, b;
4026
4027 /* Tests for secp256k1_gej_cmov */
4028 for (i = 0; i < COUNT; i++) {
4029 secp256k1_gej_set_infinity(&a);
4030 secp256k1_gej_set_infinity(&b);
4031 test_gej_cmov(&a, &b);
4032
4033 random_gej_test(&a);
4034 test_gej_cmov(&a, &b);
4035 test_gej_cmov(&b, &a);
4036
4037 b = a;
4038 test_gej_cmov(&a, &b);
4039
4040 random_gej_test(&b);
4041 test_gej_cmov(&a, &b);
4042 test_gej_cmov(&b, &a);
4043 }
4044
4045 /* Tests for secp256k1_gej_eq_var */
4046 for (i = 0; i < COUNT; i++) {
4047 secp256k1_fe fe;
4048 random_gej_test(&a);
4049 random_gej_test(&b);
4050 CHECK(!secp256k1_gej_eq_var(&a, &b));
4051
4052 b = a;
4053 random_fe_non_zero_test(&fe);
4054 secp256k1_gej_rescale(&a, &fe);
4055 CHECK(secp256k1_gej_eq_var(&a, &b));
4056 }
4057}
4058
4059static void test_ec_combine(void) {
4060 secp256k1_scalar sum = secp256k1_scalar_zero;
4061 secp256k1_pubkey data[6];
4062 const secp256k1_pubkey* d[6];
4063 secp256k1_pubkey sd;
4064 secp256k1_pubkey sd2;
4065 secp256k1_gej Qj;
4066 secp256k1_ge Q;
4067 int i;
4068 for (i = 1; i <= 6; i++) {
4069 secp256k1_scalar s;
4070 random_scalar_order_test(&s);
4071 secp256k1_scalar_add(&sum, &sum, &s);
4072 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &s);
4073 secp256k1_ge_set_gej(&Q, &Qj);
4074 secp256k1_pubkey_save(&data[i - 1], &Q);
4075 d[i - 1] = &data[i - 1];
4076 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &sum);
4077 secp256k1_ge_set_gej(&Q, &Qj);
4078 secp256k1_pubkey_save(&sd, &Q);
4079 CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4080 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4081 }
4082}
4083
4084static void run_ec_combine(void) {
4085 int i;
4086 for (i = 0; i < COUNT * 8; i++) {
4087 test_ec_combine();
4088 }
4089}
4090
4091static void test_group_decompress(const secp256k1_fe* x) {
4092 /* The input itself, normalized. */
4093 secp256k1_fe fex = *x;
4094 secp256k1_fe fez;
4095 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
4096 secp256k1_ge ge_quad, ge_even, ge_odd;
4097 secp256k1_gej gej_quad;
4098 /* Return values of the above calls. */
4099 int res_quad, res_even, res_odd;
4100
4101 secp256k1_fe_normalize_var(&fex);
4102
4103 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
4104 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4105 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4106
4107 CHECK(res_quad == res_even);
4108 CHECK(res_quad == res_odd);
4109
4110 if (res_quad) {
4111 secp256k1_fe_normalize_var(&ge_quad.x);
4112 secp256k1_fe_normalize_var(&ge_odd.x);
4113 secp256k1_fe_normalize_var(&ge_even.x);
4114 secp256k1_fe_normalize_var(&ge_quad.y);
4115 secp256k1_fe_normalize_var(&ge_odd.y);
4116 secp256k1_fe_normalize_var(&ge_even.y);
4117
4118 /* No infinity allowed. */
4119 CHECK(!ge_quad.infinity);
4120 CHECK(!ge_even.infinity);
4121 CHECK(!ge_odd.infinity);
4122
4123 /* Check that the x coordinates check out. */
4124 CHECK(secp256k1_fe_equal(&ge_quad.x, x));
4125 CHECK(secp256k1_fe_equal(&ge_even.x, x));
4126 CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4127
4128 /* Check that the Y coordinate result in ge_quad is a square. */
4129 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
4130
4131 /* Check odd/even Y in ge_odd, ge_even. */
4132 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4133 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4134
4135 /* Check secp256k1_gej_has_quad_y_var. */
4136 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
4137 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
4138 do {
4139 random_fe_test(&fez);
4140 } while (secp256k1_fe_is_zero(&fez));
4141 secp256k1_gej_rescale(&gej_quad, &fez);
4142 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
4143 secp256k1_gej_neg(&gej_quad, &gej_quad);
4144 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
4145 do {
4146 random_fe_test(&fez);
4147 } while (secp256k1_fe_is_zero(&fez));
4148 secp256k1_gej_rescale(&gej_quad, &fez);
4149 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
4150 secp256k1_gej_neg(&gej_quad, &gej_quad);
4151 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
4152 }
4153}
4154
4155static void run_group_decompress(void) {
4156 int i;
4157 for (i = 0; i < COUNT * 4; i++) {
4158 secp256k1_fe fe;
4159 random_fe_test(&fe);
4160 test_group_decompress(&fe);
4161 }
4162}
4163
4164/***** ECMULT TESTS *****/
4165
4166static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4167 /* Tests the pre_g / pre_g_128 tables for consistency.
4168 * For independent verification we take a "geometric" approach to verification.
4169 * We check that every entry is on-curve.
4170 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4171 * (1) p, gg, and -q are colinear.
4172 * (2) p, gg, and -q are all distinct.
4173 * where gg is twice the generator, where the generator is the first table entry.
4174 *
4175 * Checking the table's generators are correct is done in run_ecmult_pre_g.
4176 */
4177 secp256k1_gej g2;
4178 secp256k1_ge p, q, gg;
4179 secp256k1_fe dpx, dpy, dqx, dqy;
4180 size_t i;
4181
4182 CHECK(0 < n);
4183
4184 secp256k1_ge_from_storage(&p, &pre_g[0]);
4185 CHECK(secp256k1_ge_is_valid_var(&p));
4186
4187 secp256k1_gej_set_ge(&g2, &p);
4188 secp256k1_gej_double_var(&g2, &g2, NULL);
4189 secp256k1_ge_set_gej_var(&gg, &g2);
4190 for (i = 1; i < n; ++i) {
4191 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4192 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4193 /* Check that p is not equal to gg */
4194 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy));
4195
4196 secp256k1_ge_from_storage(&q, &pre_g[i]);
4197 CHECK(secp256k1_ge_is_valid_var(&q));
4198
4199 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4200 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4201 /* Check that -q is not equal to gg */
4202 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy));
4203
4204 /* Check that -q is not equal to p */
4205 CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4206
4207 /* Check that p, -q and gg are colinear */
4208 secp256k1_fe_mul(&dpx, &dpx, &dqy);
4209 secp256k1_fe_mul(&dpy, &dpy, &dqx);
4210 CHECK(secp256k1_fe_equal(&dpx, &dpy));
4211
4212 p = q;
4213 }
4214}
4215
4216static void run_ecmult_pre_g(void) {
4217 secp256k1_ge_storage gs;
4218 secp256k1_gej gj;
4219 secp256k1_ge g;
4220 size_t i;
4221
4222 /* Check that the pre_g and pre_g_128 tables are consistent. */
4223 test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G));
4224 test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G));
4225
4226 /* Check the first entry from the pre_g table. */
4227 secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g);
4228 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4229
4230 /* Check the first entry from the pre_g_128 table. */
4231 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
4232 for (i = 0; i < 128; ++i) {
4233 secp256k1_gej_double_var(&gj, &gj, NULL);
4234 }
4235 secp256k1_ge_set_gej(&g, &gj);
4236 secp256k1_ge_to_storage(&gs, &g);
4237 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4238}
4239
4240static void run_ecmult_chain(void) {
4241 /* random starting point A (on the curve) */
4242 secp256k1_gej a = SECP256K1_GEJ_CONST(
4243 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4244 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4245 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4246 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4247 );
4248 /* two random initial factors xn and gn */
4249 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4250 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4251 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4252 );
4253 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
4254 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4255 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4256 );
4257 /* two small multipliers to be applied to xn and gn in every iteration: */
4258 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4259 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4260 /* accumulators with the resulting coefficients to A and G */
4261 secp256k1_scalar ae = secp256k1_scalar_one;
4262 secp256k1_scalar ge = secp256k1_scalar_zero;
4263 /* actual points */
4264 secp256k1_gej x;
4265 secp256k1_gej x2;
4266 int i;
4267
4268 /* the point being computed */
4269 x = a;
4270 for (i = 0; i < 200*COUNT; i++) {
4271 /* in each iteration, compute X = xn*X + gn*G; */
4272 secp256k1_ecmult(&x, &x, &xn, &gn);
4273 /* also compute ae and ge: the actual accumulated factors for A and G */
4274 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4275 secp256k1_scalar_mul(&ae, &ae, &xn);
4276 secp256k1_scalar_mul(&ge, &ge, &xn);
4277 secp256k1_scalar_add(&ge, &ge, &gn);
4278 /* modify xn and gn */
4279 secp256k1_scalar_mul(&xn, &xn, &xf);
4280 secp256k1_scalar_mul(&gn, &gn, &gf);
4281
4282 /* verify */
4283 if (i == 19999) {
4284 /* expected result after 19999 iterations */
4285 secp256k1_gej rp = SECP256K1_GEJ_CONST(
4286 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4287 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4288 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4289 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4290 );
4291 CHECK(secp256k1_gej_eq_var(&rp, &x));
4292 }
4293 }
4294 /* redo the computation, but directly with the resulting ae and ge coefficients: */
4295 secp256k1_ecmult(&x2, &a, &ae, &ge);
4296 CHECK(secp256k1_gej_eq_var(&x, &x2));
4297}
4298
4299static void test_point_times_order(const secp256k1_gej *point) {
4300 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4301 secp256k1_scalar x;
4302 secp256k1_scalar nx;
4303 secp256k1_gej res1, res2;
4304 secp256k1_ge res3;
4305 unsigned char pub[65];
4306 size_t psize = 65;
4307 random_scalar_order_test(&x);
4308 secp256k1_scalar_negate(&nx, &x);
4309 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4310 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4311 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4312 CHECK(secp256k1_gej_is_infinity(&res1));
4313 secp256k1_ge_set_gej(&res3, &res1);
4314 CHECK(secp256k1_ge_is_infinity(&res3));
4315 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4316 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4317 psize = 65;
4318 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4319 /* check zero/one edge cases */
4320 secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_zero);
4321 secp256k1_ge_set_gej(&res3, &res1);
4322 CHECK(secp256k1_ge_is_infinity(&res3));
4323 secp256k1_ecmult(&res1, point, &secp256k1_scalar_one, &secp256k1_scalar_zero);
4324 secp256k1_ge_set_gej(&res3, &res1);
4325 ge_equals_gej(&res3, point);
4326 secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_one);
4327 secp256k1_ge_set_gej(&res3, &res1);
4328 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4329}
4330
4331/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4332 *
4333 * They are computed as:
4334 * - For a in [-2, -1, 0, 1, 2]:
4335 * - For b in [-3, -1, 1, 3]:
4336 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4337 */
4338static const secp256k1_scalar scalars_near_split_bounds[20] = {
4339 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4340 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4341 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4342 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4343 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4344 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4345 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4346 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4347 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4348 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4349 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4350 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4351 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4352 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4353 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4354 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4355 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4356 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4357 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4358 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4359};
4360
4361static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4362 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4363 secp256k1_scalar n1, n2;
4364 secp256k1_ge p;
4365 secp256k1_gej pj, p1j, p2j, ptj;
4366
4367 /* Generate random n1,n2 such that n1+n2 = -target. */
4368 random_scalar_order_test(&n1);
4369 secp256k1_scalar_add(&n2, &n1, target);
4370 secp256k1_scalar_negate(&n2, &n2);
4371
4372 /* Generate a random input point. */
4373 if (mode != 0) {
4374 random_group_element_test(&p);
4375 secp256k1_gej_set_ge(&pj, &p);
4376 }
4377
4378 /* EC multiplications */
4379 if (mode == 0) {
4380 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1);
4381 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2);
4382 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4383 } else if (mode == 1) {
4384 secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4385 secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4386 secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4387 } else {
4388 secp256k1_ecmult_const(&p1j, &p, &n1);
4389 secp256k1_ecmult_const(&p2j, &p, &n2);
4390 secp256k1_ecmult_const(&ptj, &p, target);
4391 }
4392
4393 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4394 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4395 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4396 CHECK(secp256k1_gej_is_infinity(&ptj));
4397}
4398
4399static void run_ecmult_near_split_bound(void) {
4400 int i;
4401 unsigned j;
4402 for (i = 0; i < 4*COUNT; ++i) {
4403 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4404 test_ecmult_target(&scalars_near_split_bounds[j], 0);
4405 test_ecmult_target(&scalars_near_split_bounds[j], 1);
4406 test_ecmult_target(&scalars_near_split_bounds[j], 2);
4407 }
4408 }
4409}
4410
4411static void run_point_times_order(void) {
4412 int i;
4413 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4414 static const secp256k1_fe xr = SECP256K1_FE_CONST(
4415 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4416 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4417 );
4418 for (i = 0; i < 500; i++) {
4419 secp256k1_ge p;
4420 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4421 secp256k1_gej j;
4422 CHECK(secp256k1_ge_is_valid_var(&p));
4423 secp256k1_gej_set_ge(&j, &p);
4424 test_point_times_order(&j);
4425 }
4426 secp256k1_fe_sqr(&x, &x);
4427 }
4428 secp256k1_fe_normalize_var(&x);
4429 CHECK(secp256k1_fe_equal(&x, &xr));
4430}
4431
4432static void ecmult_const_random_mult(void) {
4433 /* random starting point A (on the curve) */
4434 secp256k1_ge a = SECP256K1_GE_CONST(
4435 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4436 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4437 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4438 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4439 );
4440 /* random initial factor xn */
4441 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4442 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4443 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4444 );
4445 /* expected xn * A (from sage) */
4446 secp256k1_ge expected_b = SECP256K1_GE_CONST(
4447 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4448 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4449 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4450 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4451 );
4452 secp256k1_gej b;
4453 secp256k1_ecmult_const(&b, &a, &xn);
4454
4455 CHECK(secp256k1_ge_is_valid_var(&a));
4456 ge_equals_gej(&expected_b, &b);
4457}
4458
4459static void ecmult_const_commutativity(void) {
4460 secp256k1_scalar a;
4461 secp256k1_scalar b;
4462 secp256k1_gej res1;
4463 secp256k1_gej res2;
4464 secp256k1_ge mid1;
4465 secp256k1_ge mid2;
4466 random_scalar_order_test(&a);
4467 random_scalar_order_test(&b);
4468
4469 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
4470 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
4471 secp256k1_ge_set_gej(&mid1, &res1);
4472 secp256k1_ge_set_gej(&mid2, &res2);
4473 secp256k1_ecmult_const(&res1, &mid1, &b);
4474 secp256k1_ecmult_const(&res2, &mid2, &a);
4475 secp256k1_ge_set_gej(&mid1, &res1);
4476 secp256k1_ge_set_gej(&mid2, &res2);
4477 ge_equals_ge(&mid1, &mid2);
4478}
4479
4480static void ecmult_const_mult_zero_one(void) {
4481 secp256k1_scalar s;
4482 secp256k1_scalar negone;
4483 secp256k1_gej res1;
4484 secp256k1_ge res2;
4485 secp256k1_ge point;
4486 secp256k1_ge inf;
4487
4488 random_scalar_order_test(&s);
4489 secp256k1_scalar_negate(&negone, &secp256k1_scalar_one);
4490 random_group_element_test(&point);
4491 secp256k1_ge_set_infinity(&inf);
4492
4493 /* 0*point */
4494 secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_zero);
4495 CHECK(secp256k1_gej_is_infinity(&res1));
4496
4497 /* s*inf */
4498 secp256k1_ecmult_const(&res1, &inf, &s);
4499 CHECK(secp256k1_gej_is_infinity(&res1));
4500
4501 /* 1*point */
4502 secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_one);
4503 secp256k1_ge_set_gej(&res2, &res1);
4504 ge_equals_ge(&res2, &point);
4505
4506 /* -1*point */
4507 secp256k1_ecmult_const(&res1, &point, &negone);
4508 secp256k1_gej_neg(&res1, &res1);
4509 secp256k1_ge_set_gej(&res2, &res1);
4510 ge_equals_ge(&res2, &point);
4511}
4512
4513static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) {
4514 secp256k1_gej pointj, res2j;
4515 secp256k1_ge res2;
4516 secp256k1_gej_set_ge(&pointj, A);
4517 secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero);
4518 secp256k1_ge_set_gej(&res2, &res2j);
4519 ge_equals_gej(&res2, res);
4520}
4521
4522static void ecmult_const_edges(void) {
4523 secp256k1_scalar q;
4524 secp256k1_ge point;
4525 secp256k1_gej res;
4526 size_t i;
4527 size_t cases = 1 + sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]);
4528
4529 /* We are trying to reach the following edge cases (variables are defined as
4530 * in ecmult_const_impl.h):
4531 * 1. i = 0: s = 0 <=> q = -K
4532 * 2. i > 0: v1, v2 large values
4533 * <=> s1, s2 large values
4534 * <=> s = scalars_near_split_bounds[i]
4535 * <=> q = 2*scalars_near_split_bounds[i] - K
4536 */
4537 for (i = 0; i < cases; ++i) {
4538 secp256k1_scalar_negate(&q, &secp256k1_ecmult_const_K);
4539 if (i > 0) {
4540 secp256k1_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]);
4541 secp256k1_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]);
4542 }
4543 random_group_element_test(&point);
4544 secp256k1_ecmult_const(&res, &point, &q);
4545 ecmult_const_check_result(&point, &q, &res);
4546 }
4547}
4548
4549static void ecmult_const_mult_xonly(void) {
4550 int i;
4551
4552 /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4553 for (i = 0; i < 2*COUNT; ++i) {
4554 secp256k1_ge base;
4555 secp256k1_gej basej, resj;
4556 secp256k1_fe n, d, resx, v;
4557 secp256k1_scalar q;
4558 int res;
4559 /* Random base point. */
4560 random_group_element_test(&base);
4561 /* Random scalar to multiply it with. */
4562 random_scalar_order_test(&q);
4563 /* If i is odd, n=d*base.x for random non-zero d */
4564 if (i & 1) {
4565 random_fe_non_zero_test(&d);
4566 secp256k1_fe_mul(&n, &base.x, &d);
4567 } else {
4568 n = base.x;
4569 }
4570 /* Perform x-only multiplication. */
4571 res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4572 CHECK(res);
4573 /* Perform normal multiplication. */
4574 secp256k1_gej_set_ge(&basej, &base);
4575 secp256k1_ecmult(&resj, &basej, &q, NULL);
4576 /* Check that resj's X coordinate corresponds with resx. */
4577 secp256k1_fe_sqr(&v, &resj.z);
4578 secp256k1_fe_mul(&v, &v, &resx);
4579 CHECK(check_fe_equal(&v, &resj.x));
4580 }
4581
4582 /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4583 for (i = 0; i < 2*COUNT; ++i) {
4584 secp256k1_fe x, n, d, r;
4585 int res;
4586 secp256k1_scalar q;
4587 random_scalar_order_test(&q);
4588 /* Generate random X coordinate not on the curve. */
4589 do {
4590 random_fe_test(&x);
4591 } while (secp256k1_ge_x_on_curve_var(&x));
4592 /* If i is odd, n=d*x for random non-zero d. */
4593 if (i & 1) {
4594 random_fe_non_zero_test(&d);
4595 secp256k1_fe_mul(&n, &x, &d);
4596 } else {
4597 n = x;
4598 }
4599 res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4600 CHECK(res == 0);
4601 }
4602}
4603
4604static void ecmult_const_chain_multiply(void) {
4605 /* Check known result (randomly generated test problem from sage) */
4606 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
4607 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4608 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4609 );
4610 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4611 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4612 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4613 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4614 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4615 );
4616 secp256k1_gej point;
4617 secp256k1_ge res;
4618 int i;
4619
4620 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
4621 for (i = 0; i < 100; ++i) {
4622 secp256k1_ge tmp;
4623 secp256k1_ge_set_gej(&tmp, &point);
4624 secp256k1_ecmult_const(&point, &tmp, &scalar);
4625 }
4626 secp256k1_ge_set_gej(&res, &point);
4627 ge_equals_gej(&res, &expected_point);
4628}
4629
4630static void run_ecmult_const_tests(void) {
4631 ecmult_const_mult_zero_one();
4632 ecmult_const_edges();
4633 ecmult_const_random_mult();
4634 ecmult_const_commutativity();
4635 ecmult_const_chain_multiply();
4636 ecmult_const_mult_xonly();
4637}
4638
4639typedef struct {
4640 secp256k1_scalar *sc;
4641 secp256k1_ge *pt;
4642} ecmult_multi_data;
4643
4644static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4645 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4646 *sc = data->sc[idx];
4647 *pt = data->pt[idx];
4648 return 1;
4649}
4650
4651static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4652 (void)sc;
4653 (void)pt;
4654 (void)idx;
4655 (void)cbdata;
4656 return 0;
4657}
4658
4659static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
4660 int ncount;
4661 secp256k1_scalar sc[32];
4662 secp256k1_ge pt[32];
4663 secp256k1_gej r;
4664 secp256k1_gej r2;
4665 ecmult_multi_data data;
4666
4667 data.sc = sc;
4668 data.pt = pt;
4669
4670 /* No points to multiply */
4671 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4672
4673 /* Check 1- and 2-point multiplies against ecmult */
4674 for (ncount = 0; ncount < COUNT; ncount++) {
4675 secp256k1_ge ptg;
4676 secp256k1_gej ptgj;
4677 random_scalar_order(&sc[0]);
4678 random_scalar_order(&sc[1]);
4679
4680 random_group_element_test(&ptg);
4681 secp256k1_gej_set_ge(&ptgj, &ptg);
4682 pt[0] = ptg;
4683 pt[1] = secp256k1_ge_const_g;
4684
4685 /* only G scalar */
4686 secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4687 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4688 CHECK(secp256k1_gej_eq_var(&r, &r2));
4689
4690 /* 1-point */
4691 secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4692 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4693 CHECK(secp256k1_gej_eq_var(&r, &r2));
4694
4695 /* Try to multiply 1 point, but callback returns false */
4696 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4697
4698 /* 2-point */
4699 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4700 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4701 CHECK(secp256k1_gej_eq_var(&r, &r2));
4702
4703 /* 2-point with G scalar */
4704 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4705 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4706 CHECK(secp256k1_gej_eq_var(&r, &r2));
4707 }
4708
4709 /* Check infinite outputs of various forms */
4710 for (ncount = 0; ncount < COUNT; ncount++) {
4711 secp256k1_ge ptg;
4712 size_t i, j;
4713 size_t sizes[] = { 2, 10, 32 };
4714
4715 for (j = 0; j < 3; j++) {
4716 for (i = 0; i < 32; i++) {
4717 random_scalar_order(&sc[i]);
4718 secp256k1_ge_set_infinity(&pt[i]);
4719 }
4720 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4721 CHECK(secp256k1_gej_is_infinity(&r));
4722 }
4723
4724 for (j = 0; j < 3; j++) {
4725 for (i = 0; i < 32; i++) {
4726 random_group_element_test(&ptg);
4727 pt[i] = ptg;
4728 secp256k1_scalar_set_int(&sc[i], 0);
4729 }
4730 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4731 CHECK(secp256k1_gej_is_infinity(&r));
4732 }
4733
4734 for (j = 0; j < 3; j++) {
4735 random_group_element_test(&ptg);
4736 for (i = 0; i < 16; i++) {
4737 random_scalar_order(&sc[2*i]);
4738 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4739 pt[2 * i] = ptg;
4740 pt[2 * i + 1] = ptg;
4741 }
4742
4743 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4744 CHECK(secp256k1_gej_is_infinity(&r));
4745
4746 random_scalar_order(&sc[0]);
4747 for (i = 0; i < 16; i++) {
4748 random_group_element_test(&ptg);
4749
4750 sc[2*i] = sc[0];
4751 sc[2*i+1] = sc[0];
4752 pt[2 * i] = ptg;
4753 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4754 }
4755
4756 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4757 CHECK(secp256k1_gej_is_infinity(&r));
4758 }
4759
4760 random_group_element_test(&ptg);
4761 secp256k1_scalar_set_int(&sc[0], 0);
4762 pt[0] = ptg;
4763 for (i = 1; i < 32; i++) {
4764 pt[i] = ptg;
4765
4766 random_scalar_order(&sc[i]);
4767 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4768 secp256k1_scalar_negate(&sc[i], &sc[i]);
4769 }
4770
4771 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4772 CHECK(secp256k1_gej_is_infinity(&r));
4773 }
4774
4775 /* Check random points, constant scalar */
4776 for (ncount = 0; ncount < COUNT; ncount++) {
4777 size_t i;
4778 secp256k1_gej_set_infinity(&r);
4779
4780 random_scalar_order(&sc[0]);
4781 for (i = 0; i < 20; i++) {
4782 secp256k1_ge ptg;
4783 sc[i] = sc[0];
4784 random_group_element_test(&ptg);
4785 pt[i] = ptg;
4786 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4787 }
4788
4789 secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4790 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4791 CHECK(secp256k1_gej_eq_var(&r, &r2));
4792 }
4793
4794 /* Check random scalars, constant point */
4795 for (ncount = 0; ncount < COUNT; ncount++) {
4796 size_t i;
4797 secp256k1_ge ptg;
4798 secp256k1_gej p0j;
4799 secp256k1_scalar rs;
4800 secp256k1_scalar_set_int(&rs, 0);
4801
4802 random_group_element_test(&ptg);
4803 for (i = 0; i < 20; i++) {
4804 random_scalar_order(&sc[i]);
4805 pt[i] = ptg;
4806 secp256k1_scalar_add(&rs, &rs, &sc[i]);
4807 }
4808
4809 secp256k1_gej_set_ge(&p0j, &pt[0]);
4810 secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4811 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4812 CHECK(secp256k1_gej_eq_var(&r, &r2));
4813 }
4814
4815 /* Sanity check that zero scalars don't cause problems */
4816 for (ncount = 0; ncount < 20; ncount++) {
4817 random_scalar_order(&sc[ncount]);
4818 random_group_element_test(&pt[ncount]);
4819 }
4820 secp256k1_scalar_clear(&sc[0]);
4821 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4822 secp256k1_scalar_clear(&sc[1]);
4823 secp256k1_scalar_clear(&sc[2]);
4824 secp256k1_scalar_clear(&sc[3]);
4825 secp256k1_scalar_clear(&sc[4]);
4826 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4827 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4828 CHECK(secp256k1_gej_is_infinity(&r));
4829
4830 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4831 {
4832 const size_t TOP = 8;
4833 size_t s0i, s1i;
4834 size_t t0i, t1i;
4835 secp256k1_ge ptg;
4836 secp256k1_gej ptgj;
4837
4838 random_group_element_test(&ptg);
4839 secp256k1_gej_set_ge(&ptgj, &ptg);
4840
4841 for(t0i = 0; t0i < TOP; t0i++) {
4842 for(t1i = 0; t1i < TOP; t1i++) {
4843 secp256k1_gej t0p, t1p;
4844 secp256k1_scalar t0, t1;
4845
4846 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4847 secp256k1_scalar_cond_negate(&t0, t0i & 1);
4848 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4849 secp256k1_scalar_cond_negate(&t1, t1i & 1);
4850
4851 secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4852 secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4853
4854 for(s0i = 0; s0i < TOP; s0i++) {
4855 for(s1i = 0; s1i < TOP; s1i++) {
4856 secp256k1_scalar tmp1, tmp2;
4857 secp256k1_gej expected, actual;
4858
4859 secp256k1_ge_set_gej(&pt[0], &t0p);
4860 secp256k1_ge_set_gej(&pt[1], &t1p);
4861
4862 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4863 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4864 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4865 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4866
4867 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4868 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4869 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4870
4871 secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4872 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4873 CHECK(secp256k1_gej_eq_var(&actual, &expected));
4874 }
4875 }
4876 }
4877 }
4878 }
4879}
4880
4881static int test_ecmult_multi_random(secp256k1_scratch *scratch) {
4882 /* Large random test for ecmult_multi_* functions which exercises:
4883 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4884 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4885 * - Including or excluding an nonzero a*G term (or such a term at all).
4886 * - Final expected result equal to infinity or not (roughly 50%).
4887 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4888 */
4889
4890 /* These 4 variables define the eventual input to the ecmult_multi function.
4891 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4892 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4893 * which form its normal inputs. */
4894 int filled = 0;
4895 secp256k1_scalar g_scalar = secp256k1_scalar_zero;
4896 secp256k1_scalar scalars[128];
4897 secp256k1_gej gejs[128];
4898 /* The expected result, and the computed result. */
4899 secp256k1_gej expected, computed;
4900 /* Temporaries. */
4901 secp256k1_scalar sc_tmp;
4902 secp256k1_ge ge_tmp;
4903 /* Variables needed for the actual input to ecmult_multi. */
4904 secp256k1_ge ges[128];
4905 ecmult_multi_data data;
4906
4907 int i;
4908 /* Which multiplication function to use */
4909 int fn = secp256k1_testrand_int(3);
4910 secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4911 fn == 1 ? secp256k1_ecmult_strauss_batch_single :
4912 secp256k1_ecmult_pippenger_batch_single;
4913 /* Simulate exponentially distributed num. */
4914 int num_bits = 2 + secp256k1_testrand_int(6);
4915 /* Number of (scalar, point) inputs (excluding g). */
4916 int num = secp256k1_testrand_int((1 << num_bits) + 1);
4917 /* Number of those which are nonzero. */
4918 int num_nonzero = secp256k1_testrand_int(num + 1);
4919 /* Whether we're aiming to create an input with nonzero expected result. */
4920 int nonzero_result = secp256k1_testrand_bits(1);
4921 /* Whether we will provide nonzero g multiplicand. In some cases our hand
4922 * is forced here based on num_nonzero and nonzero_result. */
4923 int g_nonzero = num_nonzero == 0 ? nonzero_result :
4924 num_nonzero == 1 && !nonzero_result ? 1 :
4925 (int)secp256k1_testrand_bits(1);
4926 /* Which g_scalar pointer to pass into ecmult_multi(). */
4927 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4928 /* How many EC multiplications were performed in this function. */
4929 int mults = 0;
4930 /* How many randomization steps to apply to the input list. */
4931 int rands = (int)secp256k1_testrand_bits(3);
4932 if (rands > num_nonzero) rands = num_nonzero;
4933
4934 secp256k1_gej_set_infinity(&expected);
4935 secp256k1_gej_set_infinity(&gejs[0]);
4936 secp256k1_scalar_set_int(&scalars[0], 0);
4937
4938 if (g_nonzero) {
4939 /* If g_nonzero, set g_scalar to nonzero value r. */
4940 random_scalar_order_test(&g_scalar);
4941 if (!nonzero_result) {
4942 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4943 CHECK(num_nonzero > filled);
4944 random_scalar_order_test(&sc_tmp);
4945 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4946 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4947 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4948 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4949 ++filled;
4950 ++mults;
4951 }
4952 }
4953
4954 if (nonzero_result && filled < num_nonzero) {
4955 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4956 random_scalar_order_test(&scalars[filled]);
4957 random_group_element_test(&ge_tmp);
4958 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4959 ++filled;
4960 }
4961
4962 if (nonzero_result) {
4963 /* Compute the expected result using normal ecmult. */
4964 CHECK(filled <= 1);
4965 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4966 mults += filled + g_nonzero;
4967 }
4968
4969 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4970 CHECK(filled <= 1 + !nonzero_result);
4971 CHECK(filled <= num_nonzero);
4972
4973 /* Add entries to scalars,gejs so that there are num of them. All the added entries
4974 * either have scalar=0 or point=infinity, so these do not change the expected result. */
4975 while (filled < num) {
4976 if (secp256k1_testrand_bits(1)) {
4977 secp256k1_gej_set_infinity(&gejs[filled]);
4978 random_scalar_order_test(&scalars[filled]);
4979 } else {
4980 secp256k1_scalar_set_int(&scalars[filled], 0);
4981 random_group_element_test(&ge_tmp);
4982 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4983 }
4984 ++filled;
4985 }
4986
4987 /* Now perform cheapish transformations on gejs and scalars, for indices
4988 * 0..num_nonzero-1, which do not change the expected result, but may
4989 * convert some of them to be both non-0-scalar and non-infinity-point. */
4990 for (i = 0; i < rands; ++i) {
4991 int j;
4992 secp256k1_scalar v, iv;
4993 /* Shuffle the entries. */
4994 for (j = 0; j < num_nonzero; ++j) {
4995 int k = secp256k1_testrand_int(num_nonzero - j);
4996 if (k != 0) {
4997 secp256k1_gej gej = gejs[j];
4998 secp256k1_scalar sc = scalars[j];
4999 gejs[j] = gejs[j + k];
5000 scalars[j] = scalars[j + k];
5001 gejs[j + k] = gej;
5002 scalars[j + k] = sc;
5003 }
5004 }
5005 /* Perturb all consecutive pairs of inputs:
5006 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
5007 for (j = 0; j + 1 < num_nonzero; j += 2) {
5008 secp256k1_gej gej;
5009 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
5010 secp256k1_gej_neg(&gej, &gejs[j]);
5011 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
5012 }
5013 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
5014 CHECK(num_nonzero >= 1);
5015 random_scalar_order_test(&v);
5016 secp256k1_scalar_inverse(&iv, &v);
5017 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5018 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5019 ++mults;
5020 }
5021
5022 /* Shuffle all entries (0..num-1). */
5023 for (i = 0; i < num; ++i) {
5024 int j = secp256k1_testrand_int(num - i);
5025 if (j != 0) {
5026 secp256k1_gej gej = gejs[i];
5027 secp256k1_scalar sc = scalars[i];
5028 gejs[i] = gejs[i + j];
5029 scalars[i] = scalars[i + j];
5030 gejs[i + j] = gej;
5031 scalars[i + j] = sc;
5032 }
5033 }
5034
5035 /* Compute affine versions of all inputs. */
5036 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5037 /* Invoke ecmult_multi code. */
5038 data.sc = scalars;
5039 data.pt = ges;
5040 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5041 mults += num_nonzero + g_nonzero;
5042 /* Compare with expected result. */
5043 CHECK(secp256k1_gej_eq_var(&computed, &expected));
5044 return mults;
5045}
5046
5047static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
5048 secp256k1_scalar sc;
5049 secp256k1_ge pt;
5050 secp256k1_gej r;
5051 ecmult_multi_data data;
5052 secp256k1_scratch *scratch_empty;
5053
5054 random_group_element_test(&pt);
5055 random_scalar_order(&sc);
5056 data.sc = &sc;
5057 data.pt = &pt;
5058
5059 /* Try to multiply 1 point, but scratch space is empty.*/
5060 scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5061 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5062 secp256k1_scratch_destroy(&CTX->error_callback, scratch_empty);
5063}
5064
5065static void test_secp256k1_pippenger_bucket_window_inv(void) {
5066 int i;
5067
5068 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
5069 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5070 /* Bucket_window of 8 is not used with endo */
5071 if (i == 8) {
5072 continue;
5073 }
5074 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
5075 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5076 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
5077 }
5078 }
5079}
5080
5085static void test_ecmult_multi_pippenger_max_points(void) {
5086 size_t scratch_size = secp256k1_testrand_bits(8);
5087 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
5088 secp256k1_scratch *scratch;
5089 size_t n_points_supported;
5090 int bucket_window = 0;
5091
5092 for(; scratch_size < max_size; scratch_size+=256) {
5093 size_t i;
5094 size_t total_alloc;
5095 size_t checkpoint;
5096 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5097 CHECK(scratch != NULL);
5098 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5099 n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5100 if (n_points_supported == 0) {
5101 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5102 continue;
5103 }
5104 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5105 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5106 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5107 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5108 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 1));
5109 total_alloc--;
5110 }
5111 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5112 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
5113 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5114 }
5115 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5116}
5117
5118static void test_ecmult_multi_batch_size_helper(void) {
5119 size_t n_batches, n_batch_points, max_n_batch_points, n;
5120
5121 max_n_batch_points = 0;
5122 n = 1;
5123 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5124
5125 max_n_batch_points = 1;
5126 n = 0;
5127 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5128 CHECK(n_batches == 0);
5129 CHECK(n_batch_points == 0);
5130
5131 max_n_batch_points = 2;
5132 n = 5;
5133 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5134 CHECK(n_batches == 3);
5135 CHECK(n_batch_points == 2);
5136
5137 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5138 n = ECMULT_MAX_POINTS_PER_BATCH;
5139 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5140 CHECK(n_batches == 1);
5141 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5142
5143 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5144 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
5145 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5146 CHECK(n_batches == 2);
5147 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5148
5149 max_n_batch_points = 1;
5150 n = SIZE_MAX;
5151 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5152 CHECK(n_batches == SIZE_MAX);
5153 CHECK(n_batch_points == 1);
5154
5155 max_n_batch_points = 2;
5156 n = SIZE_MAX;
5157 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5158 CHECK(n_batches == SIZE_MAX/2 + 1);
5159 CHECK(n_batch_points == 2);
5160}
5161
5166static void test_ecmult_multi_batching(void) {
5167 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5168 secp256k1_scalar scG;
5169 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_scalar) * n_points);
5170 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points);
5171 secp256k1_gej r;
5172 secp256k1_gej r2;
5173 ecmult_multi_data data;
5174 int i;
5175 secp256k1_scratch *scratch;
5176
5177 secp256k1_gej_set_infinity(&r2);
5178
5179 /* Get random scalars and group elements and compute result */
5180 random_scalar_order(&scG);
5181 secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5182 for(i = 0; i < n_points; i++) {
5183 secp256k1_ge ptg;
5184 secp256k1_gej ptgj;
5185 random_group_element_test(&ptg);
5186 secp256k1_gej_set_ge(&ptgj, &ptg);
5187 pt[i] = ptg;
5188 random_scalar_order(&sc[i]);
5189 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5190 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5191 }
5192 data.sc = sc;
5193 data.pt = pt;
5194 secp256k1_gej_neg(&r2, &r2);
5195
5196 /* Test with empty scratch space. It should compute the correct result using
5197 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5198 scratch = secp256k1_scratch_create(&CTX->error_callback, 0);
5199 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5200 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5201 CHECK(secp256k1_gej_is_infinity(&r));
5202 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5203
5204 /* Test with space for 1 point in pippenger. That's not enough because
5205 * ecmult_multi selects strauss which requires more memory. It should
5206 * therefore select the simple algorithm. */
5207 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5208 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5209 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5210 CHECK(secp256k1_gej_is_infinity(&r));
5211 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5212
5213 for(i = 1; i <= n_points; i++) {
5214 if (i > ECMULT_PIPPENGER_THRESHOLD) {
5215 int bucket_window = secp256k1_pippenger_bucket_window(i);
5216 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5217 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5218 } else {
5219 size_t scratch_size = secp256k1_strauss_scratch_size(i);
5220 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5221 }
5222 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5223 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5224 CHECK(secp256k1_gej_is_infinity(&r));
5225 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5226 }
5227 free(sc);
5228 free(pt);
5229}
5230
5231static void run_ecmult_multi_tests(void) {
5232 secp256k1_scratch *scratch;
5233 int64_t todo = (int64_t)320 * COUNT;
5234
5235 test_secp256k1_pippenger_bucket_window_inv();
5236 test_ecmult_multi_pippenger_max_points();
5237 scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5238 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5239 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
5240 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
5241 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
5242 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
5243 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
5244 while (todo > 0) {
5245 todo -= test_ecmult_multi_random(scratch);
5246 }
5247 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5248
5249 /* Run test_ecmult_multi with space for exactly one point */
5250 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5251 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5252 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5253
5254 test_ecmult_multi_batch_size_helper();
5255 test_ecmult_multi_batching();
5256}
5257
5258static void test_wnaf(const secp256k1_scalar *number, int w) {
5259 secp256k1_scalar x, two, t;
5260 int wnaf[256];
5261 int zeroes = -1;
5262 int i;
5263 int bits;
5264 secp256k1_scalar_set_int(&x, 0);
5265 secp256k1_scalar_set_int(&two, 2);
5266 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5267 CHECK(bits <= 256);
5268 for (i = bits-1; i >= 0; i--) {
5269 int v = wnaf[i];
5270 secp256k1_scalar_mul(&x, &x, &two);
5271 if (v) {
5272 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5273 zeroes=0;
5274 CHECK((v & 1) == 1); /* check non-zero elements are odd */
5275 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5276 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5277 } else {
5278 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5279 zeroes++;
5280 }
5281 if (v >= 0) {
5282 secp256k1_scalar_set_int(&t, v);
5283 } else {
5284 secp256k1_scalar_set_int(&t, -v);
5285 secp256k1_scalar_negate(&t, &t);
5286 }
5287 secp256k1_scalar_add(&x, &x, &t);
5288 }
5289 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5290}
5291
5292static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5293 secp256k1_scalar x, shift;
5294 int wnaf[256] = {0};
5295 int i;
5296 int skew;
5297 secp256k1_scalar num, unused;
5298
5299 secp256k1_scalar_set_int(&x, 0);
5300 secp256k1_scalar_set_int(&shift, 1 << w);
5301 /* Make num a 128-bit scalar. */
5302 secp256k1_scalar_split_128(&num, &unused, number);
5303 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5304
5305 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5306 secp256k1_scalar t;
5307 int v = wnaf[i];
5308 CHECK(v == 0 || v & 1); /* check parity */
5309 CHECK(v > -(1 << w)); /* check range above */
5310 CHECK(v < (1 << w)); /* check range below */
5311
5312 secp256k1_scalar_mul(&x, &x, &shift);
5313 if (v >= 0) {
5314 secp256k1_scalar_set_int(&t, v);
5315 } else {
5316 secp256k1_scalar_set_int(&t, -v);
5317 secp256k1_scalar_negate(&t, &t);
5318 }
5319 secp256k1_scalar_add(&x, &x, &t);
5320 }
5321 /* If skew is 1 then add 1 to num */
5322 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5323 CHECK(secp256k1_scalar_eq(&x, &num));
5324}
5325
5326/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5327 * rest is 0.*/
5328static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5329 int i;
5330 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5331 CHECK(wnaf[i] == 0);
5332 }
5333 for (i = 7; i >= 0; --i) {
5334 CHECK(wnaf[i] == wnaf_expected[i]);
5335 }
5336}
5337
5338static void test_fixed_wnaf_small(void) {
5339 int w = 4;
5340 int wnaf[256] = {0};
5341 int i;
5342 int skew;
5343 secp256k1_scalar num;
5344
5345 secp256k1_scalar_set_int(&num, 0);
5346 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5347 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5348 int v = wnaf[i];
5349 CHECK(v == 0);
5350 }
5351 CHECK(skew == 0);
5352
5353 secp256k1_scalar_set_int(&num, 1);
5354 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5355 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5356 int v = wnaf[i];
5357 CHECK(v == 0);
5358 }
5359 CHECK(wnaf[0] == 1);
5360 CHECK(skew == 0);
5361
5362 {
5363 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5364 secp256k1_scalar_set_int(&num, 0xffffffff);
5365 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5366 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5367 CHECK(skew == 0);
5368 }
5369 {
5370 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5371 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5372 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5373 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5374 CHECK(skew == 1);
5375 }
5376 {
5377 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5378 secp256k1_scalar_set_int(&num, 0x01010101);
5379 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5380 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5381 CHECK(skew == 0);
5382 }
5383 {
5384 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5385 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5386 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5387 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5388 CHECK(skew == 0);
5389 }
5390}
5391
5392static void run_wnaf(void) {
5393 int i;
5394 secp256k1_scalar n;
5395
5396 /* Test 0 for fixed wnaf */
5397 test_fixed_wnaf_small();
5398 /* Random tests */
5399 for (i = 0; i < COUNT; i++) {
5400 random_scalar_order(&n);
5401 test_wnaf(&n, 4+(i%10));
5402 test_fixed_wnaf(&n, 4 + (i % 10));
5403 }
5404 secp256k1_scalar_set_int(&n, 0);
5405 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5406 CHECK(secp256k1_scalar_is_zero(&n));
5407 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
5408 CHECK(secp256k1_scalar_is_zero(&n));
5409}
5410
5411static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5412 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5413 *sc = *indata;
5414 *pt = secp256k1_ge_const_g;
5415 CHECK(idx == 0);
5416 return 1;
5417}
5418
5419static void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) {
5420 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5421 secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5422 secp256k1_ge r;
5423 unsigned char bytes[65];
5424 size_t size = 65;
5425 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
5426 secp256k1_gej_set_infinity(&infj);
5427 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &rj1, x);
5428 secp256k1_ecmult(&rj2, &gj, x, &secp256k1_scalar_zero);
5429 secp256k1_ecmult(&rj3, &infj, &secp256k1_scalar_zero, x);
5430 secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
5431 secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &secp256k1_scalar_zero, test_ecmult_accumulate_cb, (void*)x, 1);
5432 secp256k1_ecmult_const(&rj6, &secp256k1_ge_const_g, x);
5433 secp256k1_ge_set_gej_var(&r, &rj1);
5434 ge_equals_gej(&r, &rj2);
5435 ge_equals_gej(&r, &rj3);
5436 ge_equals_gej(&r, &rj4);
5437 ge_equals_gej(&r, &rj5);
5438 ge_equals_gej(&r, &rj6);
5439 if (secp256k1_ge_is_infinity(&r)) {
5440 /* Store infinity as 0x00 */
5441 const unsigned char zerobyte[1] = {0};
5442 secp256k1_sha256_write(acc, zerobyte, 1);
5443 } else {
5444 /* Store other points using their uncompressed serialization. */
5445 secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5446 CHECK(size == 65);
5447 secp256k1_sha256_write(acc, bytes, size);
5448 }
5449}
5450
5451static void test_ecmult_constants_2bit(void) {
5452 /* Using test_ecmult_accumulate, test ecmult for:
5453 * - For i in 0..36:
5454 * - Key i
5455 * - Key -i
5456 * - For i in 0..255:
5457 * - For j in 1..255 (only odd values):
5458 * - Key (j*2^i) mod order
5459 */
5460 secp256k1_scalar x;
5461 secp256k1_sha256 acc;
5462 unsigned char b32[32];
5463 int i, j;
5464 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5465
5466 /* Expected hash of all the computed points; created with an independent
5467 * implementation. */
5468 static const unsigned char expected32[32] = {
5469 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5470 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5471 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5472 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5473 };
5474 secp256k1_sha256_initialize(&acc);
5475 for (i = 0; i <= 36; ++i) {
5476 secp256k1_scalar_set_int(&x, i);
5477 test_ecmult_accumulate(&acc, &x, scratch);
5478 secp256k1_scalar_negate(&x, &x);
5479 test_ecmult_accumulate(&acc, &x, scratch);
5480 };
5481 for (i = 0; i < 256; ++i) {
5482 for (j = 1; j < 256; j += 2) {
5483 int k;
5484 secp256k1_scalar_set_int(&x, j);
5485 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5486 test_ecmult_accumulate(&acc, &x, scratch);
5487 }
5488 }
5489 secp256k1_sha256_finalize(&acc, b32);
5490 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5491
5492 secp256k1_scratch_space_destroy(CTX, scratch);
5493}
5494
5495static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5496 /* Using test_ecmult_accumulate, test ecmult for:
5497 * - Key 0
5498 * - Key 1
5499 * - Key -1
5500 * - For i in range(iter):
5501 * - Key SHA256(LE32(prefix) || LE16(i))
5502 */
5503 secp256k1_scalar x;
5504 secp256k1_sha256 acc;
5505 unsigned char b32[32];
5506 unsigned char inp[6];
5507 size_t i;
5508 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5509
5510 inp[0] = prefix & 0xFF;
5511 inp[1] = (prefix >> 8) & 0xFF;
5512 inp[2] = (prefix >> 16) & 0xFF;
5513 inp[3] = (prefix >> 24) & 0xFF;
5514 secp256k1_sha256_initialize(&acc);
5515 secp256k1_scalar_set_int(&x, 0);
5516 test_ecmult_accumulate(&acc, &x, scratch);
5517 secp256k1_scalar_set_int(&x, 1);
5518 test_ecmult_accumulate(&acc, &x, scratch);
5519 secp256k1_scalar_negate(&x, &x);
5520 test_ecmult_accumulate(&acc, &x, scratch);
5521
5522 for (i = 0; i < iter; ++i) {
5523 secp256k1_sha256 gen;
5524 inp[4] = i & 0xff;
5525 inp[5] = (i >> 8) & 0xff;
5526 secp256k1_sha256_initialize(&gen);
5527 secp256k1_sha256_write(&gen, inp, sizeof(inp));
5528 secp256k1_sha256_finalize(&gen, b32);
5529 secp256k1_scalar_set_b32(&x, b32, NULL);
5530 test_ecmult_accumulate(&acc, &x, scratch);
5531 }
5532 secp256k1_sha256_finalize(&acc, b32);
5533 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5534
5535 secp256k1_scratch_space_destroy(CTX, scratch);
5536}
5537
5538static void run_ecmult_constants(void) {
5539 /* Expected hashes of all points in the tests below. Computed using an
5540 * independent implementation. */
5541 static const unsigned char expected32_6bit20[32] = {
5542 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5543 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5544 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5545 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5546 };
5547 static const unsigned char expected32_8bit8[32] = {
5548 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5549 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5550 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5551 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5552 };
5553 /* For every combination of 6 bit positions out of 256, restricted to
5554 * 20-bit windows (i.e., the first and last bit position are no more than
5555 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5556 * this test. */
5557 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5558 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5559 }
5560
5561 /* For every combination of 8 consecutive bit positions, all 256 bit
5562 * patterns occur in the input scalars used in this test. */
5563 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5564 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5565 }
5566
5567 CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5568 test_ecmult_constants_2bit();
5569 }
5570}
5571
5572static void test_ecmult_gen_blind(void) {
5573 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5574 secp256k1_scalar key;
5575 secp256k1_scalar b;
5576 unsigned char seed32[32];
5577 secp256k1_gej pgej;
5578 secp256k1_gej pgej2;
5579 secp256k1_gej i;
5580 secp256k1_ge pge;
5581 random_scalar_order_test(&key);
5582 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key);
5583 secp256k1_testrand256(seed32);
5584 b = CTX->ecmult_gen_ctx.blind;
5585 i = CTX->ecmult_gen_ctx.initial;
5586 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, seed32);
5587 CHECK(!secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind));
5588 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key);
5589 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5590 CHECK(!gej_xyz_equals_gej(&i, &CTX->ecmult_gen_ctx.initial));
5591 secp256k1_ge_set_gej(&pge, &pgej);
5592 ge_equals_gej(&pge, &pgej2);
5593}
5594
5595static void test_ecmult_gen_blind_reset(void) {
5596 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5597 secp256k1_scalar b;
5598 secp256k1_gej initial;
5599 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0);
5600 b = CTX->ecmult_gen_ctx.blind;
5601 initial = CTX->ecmult_gen_ctx.initial;
5602 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0);
5603 CHECK(secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind));
5604 CHECK(gej_xyz_equals_gej(&initial, &CTX->ecmult_gen_ctx.initial));
5605}
5606
5607static void run_ecmult_gen_blind(void) {
5608 int i;
5609 test_ecmult_gen_blind_reset();
5610 for (i = 0; i < 10; i++) {
5611 test_ecmult_gen_blind();
5612 }
5613}
5614
5615/***** ENDOMORPHISH TESTS *****/
5616static void test_scalar_split(const secp256k1_scalar* full) {
5617 secp256k1_scalar s, s1, slam;
5618 const unsigned char zero[32] = {0};
5619 unsigned char tmp[32];
5620
5621 secp256k1_scalar_split_lambda(&s1, &slam, full);
5622
5623 /* check slam*lambda + s1 == full */
5624 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
5625 secp256k1_scalar_add(&s, &s, &s1);
5626 CHECK(secp256k1_scalar_eq(&s, full));
5627
5628 /* check that both are <= 128 bits in size */
5629 if (secp256k1_scalar_is_high(&s1)) {
5630 secp256k1_scalar_negate(&s1, &s1);
5631 }
5632 if (secp256k1_scalar_is_high(&slam)) {
5633 secp256k1_scalar_negate(&slam, &slam);
5634 }
5635
5636 secp256k1_scalar_get_b32(tmp, &s1);
5637 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5638 secp256k1_scalar_get_b32(tmp, &slam);
5639 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5640}
5641
5642
5643static void run_endomorphism_tests(void) {
5644 unsigned i;
5645 static secp256k1_scalar s;
5646 test_scalar_split(&secp256k1_scalar_zero);
5647 test_scalar_split(&secp256k1_scalar_one);
5648 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
5649 test_scalar_split(&s);
5650 test_scalar_split(&secp256k1_const_lambda);
5651 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
5652 test_scalar_split(&s);
5653
5654 for (i = 0; i < 100U * COUNT; ++i) {
5655 secp256k1_scalar full;
5656 random_scalar_order_test(&full);
5657 test_scalar_split(&full);
5658 }
5659 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5660 test_scalar_split(&scalars_near_split_bounds[i]);
5661 }
5662}
5663
5664static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5665 unsigned char pubkeyc[65];
5666 secp256k1_pubkey pubkey;
5667 secp256k1_ge ge;
5668 size_t pubkeyclen;
5669
5670 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5671 /* Smaller sizes are tested exhaustively elsewhere. */
5672 int32_t i;
5673 memcpy(&pubkeyc[1], input, 64);
5674 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5675 for (i = 0; i < 256; i++) {
5676 /* Try all type bytes. */
5677 int xpass;
5678 int ypass;
5679 int ysign;
5680 pubkeyc[0] = i;
5681 /* What sign does this point have? */
5682 ysign = (input[63] & 1) + 2;
5683 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5684 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5685 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5686 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5687 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5688 if (xpass || ypass) {
5689 /* These cases must parse. */
5690 unsigned char pubkeyo[65];
5691 size_t outl;
5692 memset(&pubkey, 0, sizeof(pubkey));
5693 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5694 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
5695 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5696 outl = 65;
5697 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5698 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5699 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5700 CHECK(outl == 33);
5701 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5702 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5703 if (ypass) {
5704 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5705 CHECK(pubkeyo[0] == ysign);
5706 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5707 memset(&pubkey, 0, sizeof(pubkey));
5708 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5709 secp256k1_pubkey_save(&pubkey, &ge);
5710 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5711 outl = 65;
5712 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5713 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5714 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5715 CHECK(outl == 65);
5716 CHECK(pubkeyo[0] == 4);
5717 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5718 }
5719 } else {
5720 /* These cases must fail to parse. */
5721 memset(&pubkey, 0xfe, sizeof(pubkey));
5722 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5723 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5724 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5725 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5726 }
5727 }
5728 }
5729}
5730
5731static void run_ec_pubkey_parse_test(void) {
5732#define SECP256K1_EC_PARSE_TEST_NVALID (12)
5733 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5734 {
5735 /* Point with leading and trailing zeros in x and y serialization. */
5736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5737 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5738 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5739 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5740 },
5741 {
5742 /* Point with x equal to a 3rd root of unity.*/
5743 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5744 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5745 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5746 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5747 },
5748 {
5749 /* Point with largest x. (1/2) */
5750 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5751 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5752 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5753 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5754 },
5755 {
5756 /* Point with largest x. (2/2) */
5757 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5758 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5759 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5760 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5761 },
5762 {
5763 /* Point with smallest x. (1/2) */
5764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5765 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5766 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5767 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5768 },
5769 {
5770 /* Point with smallest x. (2/2) */
5771 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5773 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5774 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5775 },
5776 {
5777 /* Point with largest y. (1/3) */
5778 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5779 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5780 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5781 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5782 },
5783 {
5784 /* Point with largest y. (2/3) */
5785 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5786 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5787 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5788 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5789 },
5790 {
5791 /* Point with largest y. (3/3) */
5792 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5793 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5794 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5795 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5796 },
5797 {
5798 /* Point with smallest y. (1/3) */
5799 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5800 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5801 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5803 },
5804 {
5805 /* Point with smallest y. (2/3) */
5806 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5807 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5809 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5810 },
5811 {
5812 /* Point with smallest y. (3/3) */
5813 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5814 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5815 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5817 }
5818 };
5819#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5820 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5821 {
5822 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5823 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5824 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5825 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5826 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5827 },
5828 {
5829 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5830 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5831 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5832 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5833 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5834 },
5835 {
5836 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5837 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5838 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5839 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5840 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5841 },
5842 {
5843 /* x on curve, y is from y^2 = x^3 + 8. */
5844 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5845 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5846 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5847 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5848 }
5849 };
5850#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5851 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5852 {
5853 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5854 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5855 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5856 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5857 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5858 },
5859 {
5860 /* Valid if x overflow ignored (x = 1 mod p). */
5861 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5862 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5863 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5864 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5865 },
5866 {
5867 /* Valid if x overflow ignored (x = 1 mod p). */
5868 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5869 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5870 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5871 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5872 },
5873 {
5874 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5875 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5876 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5877 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5878 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5879 },
5880 {
5881 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5882 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5883 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5884 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5885 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5886 },
5887 {
5888 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5889 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5890 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5891 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5892 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5893 },
5894 {
5895 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5896 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5897 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5898 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5899 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5900 }
5901 };
5902 const unsigned char pubkeyc[66] = {
5903 /* Serialization of G. */
5904 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5905 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5906 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5907 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5908 0xB8, 0x00
5909 };
5910 unsigned char sout[65];
5911 unsigned char shortkey[2] = { 0 };
5912 secp256k1_ge ge;
5913 secp256k1_pubkey pubkey;
5914 size_t len;
5915 int32_t i;
5916
5917 /* Nothing should be reading this far into pubkeyc. */
5918 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
5919 /* Zero length claimed, fail, zeroize, no illegal arg error. */
5920 memset(&pubkey, 0xfe, sizeof(pubkey));
5921 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
5922 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5923 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
5924 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5925 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5926 /* Length one claimed, fail, zeroize, no illegal arg error. */
5927 for (i = 0; i < 256 ; i++) {
5928 memset(&pubkey, 0xfe, sizeof(pubkey));
5929 shortkey[0] = i;
5930 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
5931 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5932 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
5933 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5934 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5935 }
5936 /* Length two claimed, fail, zeroize, no illegal arg error. */
5937 for (i = 0; i < 65536 ; i++) {
5938 memset(&pubkey, 0xfe, sizeof(pubkey));
5939 shortkey[0] = i & 255;
5940 shortkey[1] = i >> 8;
5941 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5942 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
5943 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5944 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5945 }
5946 memset(&pubkey, 0xfe, sizeof(pubkey));
5947 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5948 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5949 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
5950 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5951 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5952 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5953 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65));
5954 /* NULL input string. Illegal arg and zeroize output. */
5955 memset(&pubkey, 0xfe, sizeof(pubkey));
5956 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5957 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65));
5958 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5959 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5960 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5961 memset(&pubkey, 0xfe, sizeof(pubkey));
5962 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5963 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
5964 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5965 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5966 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
5967 memset(&pubkey, 0xfe, sizeof(pubkey));
5968 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5969 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
5970 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5971 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5972 /* Valid parse. */
5973 memset(&pubkey, 0, sizeof(pubkey));
5974 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5975 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
5976 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
5977 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5978 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
5979 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5980 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
5981 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
5982 SECP256K1_CHECKMEM_CHECK(&ge.infinity, sizeof(ge.infinity));
5983 ge_equals_ge(&secp256k1_ge_const_g, &ge);
5984 /* secp256k1_ec_pubkey_serialize illegal args. */
5985 len = 65;
5986 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED));
5987 CHECK(len == 0);
5988 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED));
5989 len = 65;
5990 SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
5991 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED));
5992 SECP256K1_CHECKMEM_CHECK(sout, 65);
5993 CHECK(len == 0);
5994 len = 65;
5995 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0));
5996 CHECK(len == 0);
5997 len = 65;
5998 SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
5999 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
6000 SECP256K1_CHECKMEM_CHECK(sout, 65);
6001 CHECK(len == 65);
6002 /* Multiple illegal args. Should still set arg error only once. */
6003 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65));
6004 /* Try a bunch of prefabbed points with all possible encodings. */
6005 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
6006 ec_pubkey_parse_pointtest(valid[i], 1, 1);
6007 }
6008 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
6009 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
6010 }
6011 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
6012 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
6013 }
6014}
6015
6016static void run_eckey_edge_case_test(void) {
6017 const unsigned char orderc[32] = {
6018 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6019 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6020 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6021 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
6022 };
6023 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6024 unsigned char ctmp[33];
6025 unsigned char ctmp2[33];
6026 secp256k1_pubkey pubkey;
6027 secp256k1_pubkey pubkey2;
6028 secp256k1_pubkey pubkey_one;
6029 secp256k1_pubkey pubkey_negone;
6030 const secp256k1_pubkey *pubkeys[3];
6031 size_t len;
6032 /* Group order is too large, reject. */
6033 CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6034 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6035 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6036 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6037 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6038 /* Maximum value is too large, reject. */
6039 memset(ctmp, 255, 32);
6040 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6041 memset(&pubkey, 1, sizeof(pubkey));
6042 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6043 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6044 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6045 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6046 /* Zero is too small, reject. */
6047 memset(ctmp, 0, 32);
6048 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6049 memset(&pubkey, 1, sizeof(pubkey));
6050 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6051 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6052 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6053 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6054 /* One must be accepted. */
6055 ctmp[31] = 0x01;
6056 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6057 memset(&pubkey, 0, sizeof(pubkey));
6058 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6059 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6060 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6061 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6062 pubkey_one = pubkey;
6063 /* Group order + 1 is too large, reject. */
6064 memcpy(ctmp, orderc, 32);
6065 ctmp[31] = 0x42;
6066 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6067 memset(&pubkey, 1, sizeof(pubkey));
6068 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6069 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6070 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6071 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6072 /* -1 must be accepted. */
6073 ctmp[31] = 0x40;
6074 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6075 memset(&pubkey, 0, sizeof(pubkey));
6076 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6077 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6078 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6079 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6080 pubkey_negone = pubkey;
6081 /* Tweak of zero leaves the value unchanged. */
6082 memset(ctmp2, 0, 32);
6083 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6084 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6085 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6086 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6087 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6088 /* Multiply tweak of zero zeroizes the output. */
6089 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6090 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6091 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6092 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6093 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6094 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6095 seckey, the seckey is zeroized. */
6096 memcpy(ctmp, orderc, 32);
6097 memset(ctmp2, 0, 32);
6098 ctmp2[31] = 0x01;
6099 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6100 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6101 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6102 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6103 memcpy(ctmp, orderc, 32);
6104 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6105 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6106 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6107 tweak, the seckey is zeroized. */
6108 memcpy(ctmp, orderc, 32);
6109 ctmp[31] = 0x40;
6110 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6111 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6112 memcpy(ctmp, orderc, 32);
6113 ctmp[31] = 0x40;
6114 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6115 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6116 memcpy(ctmp, orderc, 32);
6117 ctmp[31] = 0x40;
6118 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6119 tweak, the pubkey is zeroized. */
6120 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6121 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6122 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6123 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6124 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6125 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6126 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6127 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6128 * case the pubkey is zeroized. */
6129 memcpy(ctmp, orderc, 32);
6130 ctmp[31] = 0x40;
6131 memset(ctmp2, 0, 32);
6132 ctmp2[31] = 1;
6133 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6134 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6135 ctmp2[31] = 1;
6136 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6137 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6138 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6139 /* Tweak computation wraps and results in a key of 1. */
6140 ctmp2[31] = 2;
6141 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6142 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6143 ctmp2[31] = 2;
6144 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6145 ctmp2[31] = 1;
6146 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6147 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6148 /* Tweak mul * 2 = 1+1. */
6149 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6150 ctmp2[31] = 2;
6151 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6152 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6153 /* Zeroize pubkey on parse error. */
6154 memset(&pubkey, 0, 32);
6155 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2));
6156 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6157 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6158 memset(&pubkey2, 0, 32);
6159 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2));
6160 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6161 /* Plain argument errors. */
6162 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6163 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_verify(CTX, NULL));
6164 memset(ctmp2, 0, 32);
6165 ctmp2[31] = 4;
6166 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, NULL, ctmp2));
6167 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, NULL));
6168 memset(ctmp2, 0, 32);
6169 ctmp2[31] = 4;
6170 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, NULL, ctmp2));
6171 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, NULL));
6172 memset(ctmp2, 0, 32);
6173 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_add(CTX, NULL, ctmp2));
6174 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_add(CTX, ctmp, NULL));
6175 memset(ctmp2, 0, 32);
6176 ctmp2[31] = 1;
6177 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_mul(CTX, NULL, ctmp2));
6178 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_mul(CTX, ctmp, NULL));
6179 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, NULL, ctmp));
6180 memset(&pubkey, 1, sizeof(pubkey));
6181 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL));
6182 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6183 /* secp256k1_ec_pubkey_combine tests. */
6184 pubkeys[0] = &pubkey_one;
6185 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6186 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6187 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6188 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6189 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6190 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0));
6191 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6192 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6193 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1));
6194 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6195 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6196 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6197 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1));
6198 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6199 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6200 pubkeys[0] = &pubkey_negone;
6201 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6202 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6203 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6204 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6205 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6206 len = 33;
6207 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6208 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6209 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6210 /* Result is infinity. */
6211 pubkeys[0] = &pubkey_one;
6212 pubkeys[1] = &pubkey_negone;
6213 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6214 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6215 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6216 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6217 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6218 /* Passes through infinity but comes out one. */
6219 pubkeys[2] = &pubkey_one;
6220 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6221 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6222 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6223 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6224 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6225 len = 33;
6226 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6227 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6228 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6229 /* Adds to two. */
6230 pubkeys[1] = &pubkey_one;
6231 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6232 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6233 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6234 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6235 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6236}
6237
6238static void run_eckey_negate_test(void) {
6239 unsigned char seckey[32];
6240 unsigned char seckey_tmp[32];
6241
6242 random_scalar_order_b32(seckey);
6243 memcpy(seckey_tmp, seckey, 32);
6244
6245 /* Verify negation changes the key and changes it back */
6246 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6247 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6248 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6249 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6250
6251 /* Check that privkey alias gives same result */
6252 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6253 CHECK(secp256k1_ec_privkey_negate(CTX, seckey_tmp) == 1);
6254 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6255
6256 /* Negating all 0s fails */
6257 memset(seckey, 0, 32);
6258 memset(seckey_tmp, 0, 32);
6259 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6260 /* Check that seckey is not modified */
6261 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6262
6263 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6264 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6265 * doesn't just set seckey to a constant value in case of failure. */
6266 random_scalar_order_b32(seckey);
6267 memset(seckey, 0xFF, 16);
6268 memset(seckey_tmp, 0, 32);
6269 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6270 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6271}
6272
6273static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6274 secp256k1_scalar nonce;
6275 do {
6276 random_scalar_order_test(&nonce);
6277 } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6278}
6279
6280static void test_ecdsa_sign_verify(void) {
6281 secp256k1_gej pubj;
6282 secp256k1_ge pub;
6283 secp256k1_scalar one;
6284 secp256k1_scalar msg, key;
6285 secp256k1_scalar sigr, sigs;
6286 int getrec;
6287 int recid;
6288 random_scalar_order_test(&msg);
6289 random_scalar_order_test(&key);
6290 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key);
6291 secp256k1_ge_set_gej(&pub, &pubj);
6292 getrec = secp256k1_testrand_bits(1);
6293 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6294 See the commit messages of the commit that introduced this comment for details. */
6295 if (getrec) {
6296 random_sign(&sigr, &sigs, &key, &msg, &recid);
6297 CHECK(recid >= 0 && recid < 4);
6298 } else {
6299 random_sign(&sigr, &sigs, &key, &msg, NULL);
6300 }
6301 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6302 secp256k1_scalar_set_int(&one, 1);
6303 secp256k1_scalar_add(&msg, &msg, &one);
6304 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6305}
6306
6307static void run_ecdsa_sign_verify(void) {
6308 int i;
6309 for (i = 0; i < 10*COUNT; i++) {
6310 test_ecdsa_sign_verify();
6311 }
6312}
6313
6315static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6316 (void)msg32;
6317 (void)key32;
6318 (void)algo16;
6319 memcpy(nonce32, data, 32);
6320 return (counter == 0);
6321}
6322
6323static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6324 /* Dummy nonce generator that has a fatal error on the first counter value. */
6325 if (counter == 0) {
6326 return 0;
6327 }
6328 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6329}
6330
6331static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6332 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6333 if (counter < 3) {
6334 memset(nonce32, counter==0 ? 0 : 255, 32);
6335 if (counter == 2) {
6336 nonce32[31]--;
6337 }
6338 return 1;
6339 }
6340 if (counter < 5) {
6341 static const unsigned char order[] = {
6342 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6343 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6344 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6345 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
6346 };
6347 memcpy(nonce32, order, 32);
6348 if (counter == 4) {
6349 nonce32[31]++;
6350 }
6351 return 1;
6352 }
6353 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6354 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6355 if (counter > 5) {
6356 return 0;
6357 }
6358 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6359}
6360
6361static int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
6362 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6363 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6364}
6365
6366static void test_ecdsa_end_to_end(void) {
6367 unsigned char extra[32] = {0x00};
6368 unsigned char privkey[32];
6369 unsigned char message[32];
6370 unsigned char privkey2[32];
6371 secp256k1_ecdsa_signature signature[6];
6372 secp256k1_scalar r, s;
6373 unsigned char sig[74];
6374 size_t siglen = 74;
6375 unsigned char pubkeyc[65];
6376 size_t pubkeyclen = 65;
6377 secp256k1_pubkey pubkey;
6378 secp256k1_pubkey pubkey_tmp;
6379 unsigned char seckey[300];
6380 size_t seckeylen = 300;
6381
6382 /* Generate a random key and message. */
6383 {
6384 secp256k1_scalar msg, key;
6385 random_scalar_order_test(&msg);
6386 random_scalar_order_test(&key);
6387 secp256k1_scalar_get_b32(privkey, &key);
6388 secp256k1_scalar_get_b32(message, &msg);
6389 }
6390
6391 /* Construct and verify corresponding public key. */
6392 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
6393 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
6394
6395 /* Verify exporting and importing public key. */
6396 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
6397 memset(&pubkey, 0, sizeof(pubkey));
6398 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
6399
6400 /* Verify negation changes the key and changes it back */
6401 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6402 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6403 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6404 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6405 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6406
6407 /* Verify private key import and export. */
6408 CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
6409 CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
6410 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6411
6412 /* Optionally tweak the keys using addition. */
6413 if (secp256k1_testrand_int(3) == 0) {
6414 int ret1;
6415 int ret2;
6416 int ret3;
6417 unsigned char rnd[32];
6418 unsigned char privkey_tmp[32];
6419 secp256k1_pubkey pubkey2;
6420 secp256k1_testrand256_test(rnd);
6421 memcpy(privkey_tmp, privkey, 32);
6422 ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
6423 ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
6424 /* Check that privkey alias gives same result */
6425 ret3 = secp256k1_ec_privkey_tweak_add(CTX, privkey_tmp, rnd);
6426 CHECK(ret1 == ret2);
6427 CHECK(ret2 == ret3);
6428 if (ret1 == 0) {
6429 return;
6430 }
6431 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6432 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6433 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6434 }
6435
6436 /* Optionally tweak the keys using multiplication. */
6437 if (secp256k1_testrand_int(3) == 0) {
6438 int ret1;
6439 int ret2;
6440 int ret3;
6441 unsigned char rnd[32];
6442 unsigned char privkey_tmp[32];
6443 secp256k1_pubkey pubkey2;
6444 secp256k1_testrand256_test(rnd);
6445 memcpy(privkey_tmp, privkey, 32);
6446 ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
6447 ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
6448 /* Check that privkey alias gives same result */
6449 ret3 = secp256k1_ec_privkey_tweak_mul(CTX, privkey_tmp, rnd);
6450 CHECK(ret1 == ret2);
6451 CHECK(ret2 == ret3);
6452 if (ret1 == 0) {
6453 return;
6454 }
6455 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6456 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6457 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6458 }
6459
6460 /* Sign. */
6461 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
6462 CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
6463 CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
6464 extra[31] = 1;
6465 CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
6466 extra[31] = 0;
6467 extra[0] = 1;
6468 CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
6469 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6470 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6471 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6472 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6473 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6474 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6475 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6476 /* Verify. */
6477 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6478 CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
6479 CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
6480 CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
6481 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6482 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
6483 secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
6484 secp256k1_scalar_negate(&s, &s);
6485 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6486 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
6487 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6488 CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6489 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6490 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6491 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6492 secp256k1_scalar_negate(&s, &s);
6493 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6494 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6495 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6496 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6497
6498 /* Serialize/parse DER and verify again */
6499 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6500 memset(&signature[0], 0, sizeof(signature[0]));
6501 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
6502 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6503 /* Serialize/destroy/parse DER and verify again. */
6504 siglen = 74;
6505 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6506 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
6507 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
6508 secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
6509}
6510
6511static void test_random_pubkeys(void) {
6512 secp256k1_ge elem;
6513 secp256k1_ge elem2;
6514 unsigned char in[65];
6515 /* Generate some randomly sized pubkeys. */
6516 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
6517 if (secp256k1_testrand_bits(2) == 0) {
6518 len = secp256k1_testrand_bits(6);
6519 }
6520 if (len == 65) {
6521 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
6522 } else {
6523 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
6524 }
6525 if (secp256k1_testrand_bits(3) == 0) {
6526 in[0] = secp256k1_testrand_bits(8);
6527 }
6528 if (len > 1) {
6529 secp256k1_testrand256(&in[1]);
6530 }
6531 if (len > 33) {
6532 secp256k1_testrand256(&in[33]);
6533 }
6534 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6535 unsigned char out[65];
6536 unsigned char firstb;
6537 int res;
6538 size_t size = len;
6539 firstb = in[0];
6540 /* If the pubkey can be parsed, it should round-trip... */
6541 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6542 CHECK(size == len);
6543 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6544 /* ... except for the type of hybrid inputs. */
6545 if ((in[0] != 6) && (in[0] != 7)) {
6546 CHECK(in[0] == out[0]);
6547 }
6548 size = 65;
6549 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6550 CHECK(size == 65);
6551 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6552 ge_equals_ge(&elem,&elem2);
6553 /* Check that the X9.62 hybrid type is checked. */
6554 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
6555 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6556 if (firstb == 2 || firstb == 3) {
6557 if (in[0] == firstb + 4) {
6558 CHECK(res);
6559 } else {
6560 CHECK(!res);
6561 }
6562 }
6563 if (res) {
6564 ge_equals_ge(&elem,&elem2);
6565 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6566 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6567 }
6568 }
6569}
6570
6571static void run_pubkey_comparison(void) {
6572 unsigned char pk1_ser[33] = {
6573 0x02,
6574 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6575 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6576 };
6577 const unsigned char pk2_ser[33] = {
6578 0x02,
6579 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6580 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6581 };
6582 secp256k1_pubkey pk1;
6583 secp256k1_pubkey pk2;
6584
6585 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6586 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6587
6588 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, NULL, &pk2) < 0));
6589 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, NULL) > 0));
6590 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6591 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6592 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
6593 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
6594 {
6595 secp256k1_pubkey pk_tmp;
6596 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6597 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk2) < 0));
6598 {
6599 int32_t ecount = 0;
6600 secp256k1_context_set_illegal_callback(CTX, counting_callback_fn, &ecount);
6601 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
6602 CHECK(ecount == 2);
6603 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6604 }
6605 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk_tmp) > 0));
6606 }
6607
6608 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6609 * an uncompressed encoding, these would have the opposite ordering */
6610 pk1_ser[0] = 3;
6611 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6612 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6613 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6614}
6615
6616static void run_random_pubkeys(void) {
6617 int i;
6618 for (i = 0; i < 10*COUNT; i++) {
6619 test_random_pubkeys();
6620 }
6621}
6622
6623static void run_ecdsa_end_to_end(void) {
6624 int i;
6625 for (i = 0; i < 64*COUNT; i++) {
6626 test_ecdsa_end_to_end();
6627 }
6628}
6629
6630static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6631 static const unsigned char zeroes[32] = {0};
6632
6633 int ret = 0;
6634
6635 secp256k1_ecdsa_signature sig_der;
6636 unsigned char roundtrip_der[2048];
6637 unsigned char compact_der[64];
6638 size_t len_der = 2048;
6639 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6640
6641 secp256k1_ecdsa_signature sig_der_lax;
6642 unsigned char roundtrip_der_lax[2048];
6643 unsigned char compact_der_lax[64];
6644 size_t len_der_lax = 2048;
6645 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6646
6647 parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
6648 if (parsed_der) {
6649 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
6650 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6651 }
6652 if (valid_der) {
6653 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
6654 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6655 }
6656
6657 parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
6658 if (parsed_der_lax) {
6659 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
6660 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6661 }
6662 if (valid_der_lax) {
6663 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6664 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6665 }
6666
6667 if (certainly_der) {
6668 ret |= (!parsed_der) << 2;
6669 }
6670 if (certainly_not_der) {
6671 ret |= (parsed_der) << 17;
6672 }
6673 if (valid_der) {
6674 ret |= (!roundtrips_der) << 3;
6675 }
6676
6677 if (valid_der) {
6678 ret |= (!roundtrips_der_lax) << 12;
6679 ret |= (len_der != len_der_lax) << 13;
6680 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6681 }
6682 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6683 if (parsed_der) {
6684 ret |= (!parsed_der_lax) << 16;
6685 }
6686
6687 return ret;
6688}
6689
6690static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6691 size_t i;
6692 for (i = 0; i < ptrlen; i++) {
6693 int shift = ptrlen - 1 - i;
6694 if (shift >= 4) {
6695 ptr[i] = 0;
6696 } else {
6697 ptr[i] = (val >> shift) & 0xFF;
6698 }
6699 }
6700}
6701
6702static void damage_array(unsigned char *sig, size_t *len) {
6703 int pos;
6704 int action = secp256k1_testrand_bits(3);
6705 if (action < 1 && *len > 3) {
6706 /* Delete a byte. */
6707 pos = secp256k1_testrand_int(*len);
6708 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6709 (*len)--;
6710 return;
6711 } else if (action < 2 && *len < 2048) {
6712 /* Insert a byte. */
6713 pos = secp256k1_testrand_int(1 + *len);
6714 memmove(sig + pos + 1, sig + pos, *len - pos);
6715 sig[pos] = secp256k1_testrand_bits(8);
6716 (*len)++;
6717 return;
6718 } else if (action < 4) {
6719 /* Modify a byte. */
6720 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
6721 return;
6722 } else { /* action < 8 */
6723 /* Modify a bit. */
6724 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
6725 return;
6726 }
6727}
6728
6729static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6730 int der;
6731 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6732 size_t tlen, elen, glen;
6733 int indet;
6734 int n;
6735
6736 *len = 0;
6737 der = secp256k1_testrand_bits(2) == 0;
6738 *certainly_der = der;
6739 *certainly_not_der = 0;
6740 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
6741
6742 for (n = 0; n < 2; n++) {
6743 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6744 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
6745 /* The length of the number in bytes (the first byte of which will always be nonzero) */
6746 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
6747 CHECK(nlen[n] <= 232);
6748 /* The top bit of the number. */
6749 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
6750 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6751 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
6752 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6753 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
6754 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6755 *certainly_not_der = 1;
6756 }
6757 CHECK(nlen[n] + nzlen[n] <= 300);
6758 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6759 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6760 if (!der) {
6761 /* nlenlen[n] max 127 bytes */
6762 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6763 nlenlen[n] += add;
6764 if (add != 0) {
6765 *certainly_not_der = 1;
6766 }
6767 }
6768 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6769 }
6770
6771 /* The total length of the data to go, so far */
6772 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6773 CHECK(tlen <= 856);
6774
6775 /* The length of the garbage inside the tuple. */
6776 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
6777 if (elen != 0) {
6778 *certainly_not_der = 1;
6779 }
6780 tlen += elen;
6781 CHECK(tlen <= 980);
6782
6783 /* The length of the garbage after the end of the tuple. */
6784 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
6785 if (glen != 0) {
6786 *certainly_not_der = 1;
6787 }
6788 CHECK(tlen + glen <= 990);
6789
6790 /* Write the tuple header. */
6791 sig[(*len)++] = 0x30;
6792 if (indet) {
6793 /* Indeterminate length */
6794 sig[(*len)++] = 0x80;
6795 *certainly_not_der = 1;
6796 } else {
6797 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6798 if (!der) {
6799 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6800 tlenlen += add;
6801 if (add != 0) {
6802 *certainly_not_der = 1;
6803 }
6804 }
6805 if (tlenlen == 0) {
6806 /* Short length notation */
6807 sig[(*len)++] = tlen;
6808 } else {
6809 /* Long length notation */
6810 sig[(*len)++] = 128 + tlenlen;
6811 assign_big_endian(sig + *len, tlenlen, tlen);
6812 *len += tlenlen;
6813 }
6814 tlen += tlenlen;
6815 }
6816 tlen += 2;
6817 CHECK(tlen + glen <= 1119);
6818
6819 for (n = 0; n < 2; n++) {
6820 /* Write the integer header. */
6821 sig[(*len)++] = 0x02;
6822 if (nlenlen[n] == 0) {
6823 /* Short length notation */
6824 sig[(*len)++] = nlen[n] + nzlen[n];
6825 } else {
6826 /* Long length notation. */
6827 sig[(*len)++] = 128 + nlenlen[n];
6828 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6829 *len += nlenlen[n];
6830 }
6831 /* Write zero padding */
6832 while (nzlen[n] > 0) {
6833 sig[(*len)++] = 0x00;
6834 nzlen[n]--;
6835 }
6836 if (nlen[n] == 32 && !nlow[n]) {
6837 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6838 int i;
6839 for (i = 0; i < 16; i++) {
6840 sig[(*len)++] = 0xFF;
6841 }
6842 nlen[n] -= 16;
6843 }
6844 /* Write first byte of number */
6845 if (nlen[n] > 0) {
6846 sig[(*len)++] = nhbyte[n];
6847 nlen[n]--;
6848 }
6849 /* Generate remaining random bytes of number */
6850 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
6851 *len += nlen[n];
6852 nlen[n] = 0;
6853 }
6854
6855 /* Generate random garbage inside tuple. */
6856 secp256k1_testrand_bytes_test(sig + *len, elen);
6857 *len += elen;
6858
6859 /* Generate end-of-contents bytes. */
6860 if (indet) {
6861 sig[(*len)++] = 0;
6862 sig[(*len)++] = 0;
6863 tlen += 2;
6864 }
6865 CHECK(tlen + glen <= 1121);
6866
6867 /* Generate random garbage outside tuple. */
6868 secp256k1_testrand_bytes_test(sig + *len, glen);
6869 *len += glen;
6870 tlen += glen;
6871 CHECK(tlen <= 1121);
6872 CHECK(tlen == *len);
6873}
6874
6875static void run_ecdsa_der_parse(void) {
6876 int i,j;
6877 for (i = 0; i < 200 * COUNT; i++) {
6878 unsigned char buffer[2048];
6879 size_t buflen = 0;
6880 int certainly_der = 0;
6881 int certainly_not_der = 0;
6882 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
6883 CHECK(buflen <= 2048);
6884 for (j = 0; j < 16; j++) {
6885 int ret = 0;
6886 if (j > 0) {
6887 damage_array(buffer, &buflen);
6888 /* We don't know anything anymore about the DERness of the result */
6889 certainly_der = 0;
6890 certainly_not_der = 0;
6891 }
6892 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
6893 if (ret != 0) {
6894 size_t k;
6895 fprintf(stderr, "Failure %x on ", ret);
6896 for (k = 0; k < buflen; k++) {
6897 fprintf(stderr, "%02x ", buffer[k]);
6898 }
6899 fprintf(stderr, "\n");
6900 }
6901 CHECK(ret == 0);
6902 }
6903 }
6904}
6905
6906/* Tests several edge cases. */
6907static void test_ecdsa_edge_cases(void) {
6908 int t;
6909 secp256k1_ecdsa_signature sig;
6910
6911 /* Test the case where ECDSA recomputes a point that is infinity. */
6912 {
6913 secp256k1_gej keyj;
6914 secp256k1_ge key;
6915 secp256k1_scalar msg;
6916 secp256k1_scalar sr, ss;
6917 secp256k1_scalar_set_int(&ss, 1);
6918 secp256k1_scalar_negate(&ss, &ss);
6919 secp256k1_scalar_inverse(&ss, &ss);
6920 secp256k1_scalar_set_int(&sr, 1);
6921 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &keyj, &sr);
6922 secp256k1_ge_set_gej(&key, &keyj);
6923 msg = ss;
6924 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6925 }
6926
6927 /* Verify signature with r of zero fails. */
6928 {
6929 const unsigned char pubkey_mods_zero[33] = {
6930 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6931 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6932 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6933 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6934 0x41
6935 };
6936 secp256k1_ge key;
6937 secp256k1_scalar msg;
6938 secp256k1_scalar sr, ss;
6939 secp256k1_scalar_set_int(&ss, 1);
6940 secp256k1_scalar_set_int(&msg, 0);
6941 secp256k1_scalar_set_int(&sr, 0);
6942 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
6943 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
6944 }
6945
6946 /* Verify signature with s of zero fails. */
6947 {
6948 const unsigned char pubkey[33] = {
6949 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6950 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6951 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6952 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6953 0x01
6954 };
6955 secp256k1_ge key;
6956 secp256k1_scalar msg;
6957 secp256k1_scalar sr, ss;
6958 secp256k1_scalar_set_int(&ss, 0);
6959 secp256k1_scalar_set_int(&msg, 0);
6960 secp256k1_scalar_set_int(&sr, 1);
6961 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6962 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6963 }
6964
6965 /* Verify signature with message 0 passes. */
6966 {
6967 const unsigned char pubkey[33] = {
6968 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6969 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6970 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6971 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6972 0x02
6973 };
6974 const unsigned char pubkey2[33] = {
6975 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6976 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6977 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6978 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6979 0x43
6980 };
6981 secp256k1_ge key;
6982 secp256k1_ge key2;
6983 secp256k1_scalar msg;
6984 secp256k1_scalar sr, ss;
6985 secp256k1_scalar_set_int(&ss, 2);
6986 secp256k1_scalar_set_int(&msg, 0);
6987 secp256k1_scalar_set_int(&sr, 2);
6988 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6989 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
6990 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6991 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6992 secp256k1_scalar_negate(&ss, &ss);
6993 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6994 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6995 secp256k1_scalar_set_int(&ss, 1);
6996 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6997 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
6998 }
6999
7000 /* Verify signature with message 1 passes. */
7001 {
7002 const unsigned char pubkey[33] = {
7003 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
7004 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
7005 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
7006 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
7007 0x25
7008 };
7009 const unsigned char pubkey2[33] = {
7010 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
7011 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
7012 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
7013 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
7014 0x62
7015 };
7016 const unsigned char csr[32] = {
7017 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7018 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7019 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7020 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
7021 };
7022 secp256k1_ge key;
7023 secp256k1_ge key2;
7024 secp256k1_scalar msg;
7025 secp256k1_scalar sr, ss;
7026 secp256k1_scalar_set_int(&ss, 1);
7027 secp256k1_scalar_set_int(&msg, 1);
7028 secp256k1_scalar_set_b32(&sr, csr, NULL);
7029 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7030 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7031 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7032 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7033 secp256k1_scalar_negate(&ss, &ss);
7034 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7035 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7036 secp256k1_scalar_set_int(&ss, 2);
7037 secp256k1_scalar_inverse_var(&ss, &ss);
7038 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7039 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7040 }
7041
7042 /* Verify signature with message -1 passes. */
7043 {
7044 const unsigned char pubkey[33] = {
7045 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
7046 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
7047 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
7048 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
7049 0xf1
7050 };
7051 const unsigned char csr[32] = {
7052 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7053 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7054 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7055 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
7056 };
7057 secp256k1_ge key;
7058 secp256k1_scalar msg;
7059 secp256k1_scalar sr, ss;
7060 secp256k1_scalar_set_int(&ss, 1);
7061 secp256k1_scalar_set_int(&msg, 1);
7062 secp256k1_scalar_negate(&msg, &msg);
7063 secp256k1_scalar_set_b32(&sr, csr, NULL);
7064 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7065 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7066 secp256k1_scalar_negate(&ss, &ss);
7067 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7068 secp256k1_scalar_set_int(&ss, 3);
7069 secp256k1_scalar_inverse_var(&ss, &ss);
7070 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7071 }
7072
7073 /* Signature where s would be zero. */
7074 {
7075 secp256k1_pubkey pubkey;
7076 size_t siglen;
7077 unsigned char signature[72];
7078 static const unsigned char nonce[32] = {
7079 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7080 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7081 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7082 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7083 };
7084 static const unsigned char nonce2[32] = {
7085 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
7086 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
7087 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
7088 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
7089 };
7090 const unsigned char key[32] = {
7091 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7092 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7093 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7094 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7095 };
7096 unsigned char msg[32] = {
7097 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
7098 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
7099 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
7100 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
7101 };
7102 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
7103 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
7104 msg[31] = 0xaa;
7105 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
7106 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, NULL, msg, key, precomputed_nonce_function, nonce2));
7107 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, &sig, NULL, key, precomputed_nonce_function, nonce2));
7108 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, &sig, msg, NULL, precomputed_nonce_function, nonce2));
7109 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
7110 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
7111 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey));
7112 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey));
7113 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, NULL));
7114 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
7115 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL));
7116 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7117 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey));
7118 siglen = 72;
7119 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, NULL, &siglen, &sig));
7120 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, NULL, &sig));
7121 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL));
7122 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
7123 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen));
7124 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, &sig, NULL, siglen));
7125 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
7126 siglen = 10;
7127 /* Too little room for a signature does not fail via ARGCHECK. */
7128 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
7129 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_normalize(CTX, NULL, NULL));
7130 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_compact(CTX, NULL, &sig));
7131 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_compact(CTX, signature, NULL));
7132 CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, &sig) == 1);
7133 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_compact(CTX, NULL, signature));
7134 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_compact(CTX, &sig, NULL));
7135 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1);
7136 memset(signature, 255, 64);
7137 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0);
7138 }
7139
7140 /* Nonce function corner cases. */
7141 for (t = 0; t < 2; t++) {
7142 static const unsigned char zero[32] = {0x00};
7143 int i;
7144 unsigned char key[32];
7145 unsigned char msg[32];
7146 secp256k1_ecdsa_signature sig2;
7147 secp256k1_scalar sr[512], ss;
7148 const unsigned char *extra;
7149 extra = t == 0 ? NULL : zero;
7150 memset(msg, 0, 32);
7151 msg[31] = 1;
7152 /* High key results in signature failure. */
7153 memset(key, 0xFF, 32);
7154 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7155 CHECK(is_empty_signature(&sig));
7156 /* Zero key results in signature failure. */
7157 memset(key, 0, 32);
7158 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7159 CHECK(is_empty_signature(&sig));
7160 /* Nonce function failure results in signature failure. */
7161 key[31] = 1;
7162 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7163 CHECK(is_empty_signature(&sig));
7164 /* The retry loop successfully makes its way to the first good value. */
7165 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7166 CHECK(!is_empty_signature(&sig));
7167 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7168 CHECK(!is_empty_signature(&sig2));
7169 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7170 /* The default nonce function is deterministic. */
7171 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7172 CHECK(!is_empty_signature(&sig2));
7173 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7174 /* The default nonce function changes output with different messages. */
7175 for(i = 0; i < 256; i++) {
7176 int j;
7177 msg[0] = i;
7178 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7179 CHECK(!is_empty_signature(&sig2));
7180 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7181 for (j = 0; j < i; j++) {
7182 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7183 }
7184 }
7185 msg[0] = 0;
7186 msg[31] = 2;
7187 /* The default nonce function changes output with different keys. */
7188 for(i = 256; i < 512; i++) {
7189 int j;
7190 key[0] = i - 256;
7191 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7192 CHECK(!is_empty_signature(&sig2));
7193 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7194 for (j = 0; j < i; j++) {
7195 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7196 }
7197 }
7198 key[0] = 0;
7199 }
7200
7201 {
7202 /* Check that optional nonce arguments do not have equivalent effect. */
7203 const unsigned char zeros[32] = {0};
7204 unsigned char nonce[32];
7205 unsigned char nonce2[32];
7206 unsigned char nonce3[32];
7207 unsigned char nonce4[32];
7208 SECP256K1_CHECKMEM_UNDEFINE(nonce,32);
7209 SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
7210 SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
7211 SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
7212 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7213 SECP256K1_CHECKMEM_CHECK(nonce,32);
7214 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7215 SECP256K1_CHECKMEM_CHECK(nonce2,32);
7216 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7217 SECP256K1_CHECKMEM_CHECK(nonce3,32);
7218 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7219 SECP256K1_CHECKMEM_CHECK(nonce4,32);
7220 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7221 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7222 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7223 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7224 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7225 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7226 }
7227
7228
7229 /* Privkey export where pubkey is the point at infinity. */
7230 {
7231 unsigned char privkey[300];
7232 unsigned char seckey[32] = {
7233 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7234 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
7235 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
7236 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
7237 };
7238 size_t outlen = 300;
7239 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
7240 outlen = 300;
7241 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
7242 }
7243}
7244
7245static void run_ecdsa_edge_cases(void) {
7246 test_ecdsa_edge_cases();
7247}
7248
7253static void test_ecdsa_wycheproof(void) {
7254 #include "wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.h"
7255
7256 int t;
7257 for (t = 0; t < SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS; t++) {
7258 secp256k1_ecdsa_signature signature;
7259 secp256k1_sha256 hasher;
7260 secp256k1_pubkey pubkey;
7261 const unsigned char *msg, *sig, *pk;
7262 unsigned char out[32] = {0};
7263 int actual_verify = 0;
7264
7265 memset(&pubkey, 0, sizeof(pubkey));
7266 pk = &wycheproof_ecdsa_public_keys[testvectors[t].pk_offset];
7267 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);
7268
7269 secp256k1_sha256_initialize(&hasher);
7270 msg = &wycheproof_ecdsa_messages[testvectors[t].msg_offset];
7271 secp256k1_sha256_write(&hasher, msg, testvectors[t].msg_len);
7272 secp256k1_sha256_finalize(&hasher, out);
7273
7274 sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset];
7275 if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
7276 actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
7277 }
7278 CHECK(testvectors[t].expected_verify == actual_verify);
7279 }
7280}
7281
7282/* Tests cases from Wycheproof test suite. */
7283static void run_ecdsa_wycheproof(void) {
7284 test_ecdsa_wycheproof();
7285}
7286
7287#ifdef ENABLE_MODULE_ECDH
7288# include "modules/ecdh/tests_impl.h"
7289#endif
7290
7291#ifdef ENABLE_MODULE_MULTISET
7292# include "modules/multiset/tests_impl.h"
7293#endif
7294
7295#ifdef ENABLE_MODULE_RECOVERY
7296# include "modules/recovery/tests_impl.h"
7297#endif
7298
7299#ifdef ENABLE_MODULE_SCHNORR
7300# include "modules/schnorr/tests_impl.h"
7301#endif
7302
7303#ifdef ENABLE_MODULE_EXTRAKEYS
7304# include "modules/extrakeys/tests_impl.h"
7305#endif
7306
7307#ifdef ENABLE_MODULE_SCHNORRSIG
7308# include "modules/schnorrsig/tests_impl.h"
7309#endif
7310
7311#ifdef ENABLE_MODULE_ELLSWIFT
7312# include "modules/ellswift/tests_impl.h"
7313#endif
7314
7315static void run_secp256k1_memczero_test(void) {
7316 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7317 unsigned char buf2[sizeof(buf1)];
7318
7319 /* secp256k1_memczero(..., ..., 0) is a noop. */
7320 memcpy(buf2, buf1, sizeof(buf1));
7321 secp256k1_memczero(buf1, sizeof(buf1), 0);
7322 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7323
7324 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7325 memset(buf2, 0, sizeof(buf2));
7326 secp256k1_memczero(buf1, sizeof(buf1) , 1);
7327 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7328}
7329
7330static void run_secp256k1_byteorder_tests(void) {
7331 {
7332 const uint32_t x = 0xFF03AB45;
7333 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7334 unsigned char buf[4];
7335 uint32_t x_;
7336
7337 secp256k1_write_be32(buf, x);
7338 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7339
7340 x_ = secp256k1_read_be32(buf);
7341 CHECK(x == x_);
7342 }
7343
7344 {
7345 const uint64_t x = 0xCAFE0123BEEF4567;
7346 const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67};
7347 unsigned char buf[8];
7348 uint64_t x_;
7349
7350 secp256k1_write_be64(buf, x);
7351 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7352
7353 x_ = secp256k1_read_be64(buf);
7354 CHECK(x == x_);
7355 }
7356}
7357
7358static void int_cmov_test(void) {
7359 int r = INT_MAX;
7360 int a = 0;
7361
7362 secp256k1_int_cmov(&r, &a, 0);
7363 CHECK(r == INT_MAX);
7364
7365 r = 0; a = INT_MAX;
7366 secp256k1_int_cmov(&r, &a, 1);
7367 CHECK(r == INT_MAX);
7368
7369 a = 0;
7370 secp256k1_int_cmov(&r, &a, 1);
7371 CHECK(r == 0);
7372
7373 a = 1;
7374 secp256k1_int_cmov(&r, &a, 1);
7375 CHECK(r == 1);
7376
7377 r = 1; a = 0;
7378 secp256k1_int_cmov(&r, &a, 0);
7379 CHECK(r == 1);
7380
7381}
7382
7383static void fe_cmov_test(void) {
7384 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7385 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7386 static const secp256k1_fe max = SECP256K1_FE_CONST(
7387 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7388 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7389 );
7390 secp256k1_fe r = max;
7391 secp256k1_fe a = zero;
7392
7393 secp256k1_fe_cmov(&r, &a, 0);
7394 CHECK(fe_identical(&r, &max));
7395
7396 r = zero; a = max;
7397 secp256k1_fe_cmov(&r, &a, 1);
7398 CHECK(fe_identical(&r, &max));
7399
7400 a = zero;
7401 secp256k1_fe_cmov(&r, &a, 1);
7402 CHECK(fe_identical(&r, &zero));
7403
7404 a = one;
7405 secp256k1_fe_cmov(&r, &a, 1);
7406 CHECK(fe_identical(&r, &one));
7407
7408 r = one; a = zero;
7409 secp256k1_fe_cmov(&r, &a, 0);
7410 CHECK(fe_identical(&r, &one));
7411}
7412
7413static void fe_storage_cmov_test(void) {
7414 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7415 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7416 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
7417 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7418 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7419 );
7420 secp256k1_fe_storage r = max;
7421 secp256k1_fe_storage a = zero;
7422
7423 secp256k1_fe_storage_cmov(&r, &a, 0);
7424 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7425
7426 r = zero; a = max;
7427 secp256k1_fe_storage_cmov(&r, &a, 1);
7428 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7429
7430 a = zero;
7431 secp256k1_fe_storage_cmov(&r, &a, 1);
7432 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7433
7434 a = one;
7435 secp256k1_fe_storage_cmov(&r, &a, 1);
7436 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7437
7438 r = one; a = zero;
7439 secp256k1_fe_storage_cmov(&r, &a, 0);
7440 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7441}
7442
7443static void scalar_cmov_test(void) {
7444 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7445 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
7446 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
7447 );
7448 secp256k1_scalar r = max;
7449 secp256k1_scalar a = secp256k1_scalar_zero;
7450
7451 secp256k1_scalar_cmov(&r, &a, 0);
7452 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7453
7454 r = secp256k1_scalar_zero; a = max;
7455 secp256k1_scalar_cmov(&r, &a, 1);
7456 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7457
7458 a = secp256k1_scalar_zero;
7459 secp256k1_scalar_cmov(&r, &a, 1);
7460 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0);
7461
7462 a = secp256k1_scalar_one;
7463 secp256k1_scalar_cmov(&r, &a, 1);
7464 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7465
7466 r = secp256k1_scalar_one; a = secp256k1_scalar_zero;
7467 secp256k1_scalar_cmov(&r, &a, 0);
7468 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7469}
7470
7471static void ge_storage_cmov_test(void) {
7472 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7473 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7474 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
7475 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7476 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7477 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7478 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7479 );
7480 secp256k1_ge_storage r = max;
7481 secp256k1_ge_storage a = zero;
7482
7483 secp256k1_ge_storage_cmov(&r, &a, 0);
7484 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7485
7486 r = zero; a = max;
7487 secp256k1_ge_storage_cmov(&r, &a, 1);
7488 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7489
7490 a = zero;
7491 secp256k1_ge_storage_cmov(&r, &a, 1);
7492 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7493
7494 a = one;
7495 secp256k1_ge_storage_cmov(&r, &a, 1);
7496 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7497
7498 r = one; a = zero;
7499 secp256k1_ge_storage_cmov(&r, &a, 0);
7500 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7501}
7502
7503static void run_cmov_tests(void) {
7504 int_cmov_test();
7505 fe_cmov_test();
7506 fe_storage_cmov_test();
7507 scalar_cmov_test();
7508 ge_storage_cmov_test();
7509}
7510
7511int main(int argc, char **argv) {
7512 /* Disable buffering for stdout to improve reliability of getting
7513 * diagnostic information. Happens right at the start of main because
7514 * setbuf must be used before any other operation on the stream. */
7515 setbuf(stdout, NULL);
7516 /* Also disable buffering for stderr because it's not guaranteed that it's
7517 * unbuffered on all systems. */
7518 setbuf(stderr, NULL);
7519
7520 /* find iteration count */
7521 if (argc > 1) {
7522 COUNT = strtol(argv[1], NULL, 0);
7523 } else {
7524 const char* env = getenv("SECP256K1_TEST_ITERS");
7525 if (env && strlen(env) > 0) {
7526 COUNT = strtol(env, NULL, 0);
7527 }
7528 }
7529 if (COUNT <= 0) {
7530 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7531 return EXIT_FAILURE;
7532 }
7533 printf("test count = %i\n", COUNT);
7534
7535 /* run test RNG tests (must run before we really initialize the test RNG) */
7536 run_xoshiro256pp_tests();
7537
7538 /* find random seed */
7539 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
7540
7541 /*** Setup test environment ***/
7542
7543 /* Create a global context available to all tests */
7544 CTX = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
7545 /* Randomize the context only with probability 15/16
7546 to make sure we test without context randomization from time to time.
7547 TODO Reconsider this when recalibrating the tests. */
7548 if (secp256k1_testrand_bits(4)) {
7549 unsigned char rand32[32];
7550 secp256k1_testrand256(rand32);
7551 CHECK(secp256k1_context_randomize(CTX, rand32));
7552 }
7553 /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
7554 that write to the context. The API does not support cloning the static context, so we use
7555 memcpy instead. The user is not supposed to copy a context but we should still ensure that
7556 the API functions handle copies of the static context gracefully. */
7557 STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
7558 CHECK(STATIC_CTX != NULL);
7559 memcpy(STATIC_CTX, secp256k1_context_static, sizeof(secp256k1_context));
7560 CHECK(!secp256k1_context_is_proper(STATIC_CTX));
7561
7562 /*** Run actual tests ***/
7563
7564 /* selftest tests */
7565 run_selftest_tests();
7566
7567 /* context tests */
7568 run_proper_context_tests(0); run_proper_context_tests(1);
7569 run_static_context_tests(0); run_static_context_tests(1);
7570 run_deprecated_context_flags_test();
7571
7572 /* scratch tests */
7573 run_scratch_tests();
7574
7575 /* integer arithmetic tests */
7576#ifdef SECP256K1_WIDEMUL_INT128
7577 run_int128_tests();
7578#endif
7579 run_ctz_tests();
7580 run_modinv_tests();
7581 run_inverse_tests();
7582
7583 /* hash tests */
7584 run_sha256_known_output_tests();
7585 run_sha256_counter_tests();
7586 run_hmac_sha256_tests();
7587 run_rfc6979_hmac_sha256_tests();
7588 run_tagged_sha256_tests();
7589
7590 /* scalar tests */
7591 run_scalar_tests();
7592
7593 /* field tests */
7594 run_field_half();
7595 run_field_misc();
7596 run_field_convert();
7597 run_field_be32_overflow();
7598 run_fe_mul();
7599 run_sqr();
7600 run_sqrt();
7601
7602 /* group tests */
7603 run_ge();
7604 run_gej();
7605 run_group_decompress();
7606
7607 /* ecmult tests */
7608 run_ecmult_pre_g();
7609 run_wnaf();
7610 run_point_times_order();
7611 run_ecmult_near_split_bound();
7612 run_ecmult_chain();
7613 run_ecmult_constants();
7614 run_ecmult_gen_blind();
7615 run_ecmult_const_tests();
7616 run_ecmult_multi_tests();
7617 run_ec_combine();
7618
7619 /* endomorphism tests */
7620 run_endomorphism_tests();
7621
7622 /* EC point parser test */
7623 run_ec_pubkey_parse_test();
7624
7625 /* EC key edge cases */
7626 run_eckey_edge_case_test();
7627
7628 /* EC key arithmetic test */
7629 run_eckey_negate_test();
7630
7631#ifdef ENABLE_MODULE_ECDH
7632 /* ecdh tests */
7633 run_ecdh_tests();
7634#endif
7635
7636 /* ecdsa tests */
7637 run_ec_illegal_argument_tests();
7638 run_pubkey_comparison();
7639 run_random_pubkeys();
7640 run_ecdsa_der_parse();
7641 run_ecdsa_sign_verify();
7642 run_ecdsa_end_to_end();
7643 run_ecdsa_edge_cases();
7644 run_ecdsa_wycheproof();
7645
7646#ifdef ENABLE_MODULE_MULTISET
7647 run_multiset_tests();
7648#endif
7649
7650#ifdef ENABLE_MODULE_RECOVERY
7651 /* ECDSA pubkey recovery tests */
7652 run_recovery_tests();
7653#endif
7654
7655#ifdef ENABLE_MODULE_SCHNORR
7656 /* Schnorr signature tests */
7657 run_schnorr_tests();
7658#endif
7659
7660#ifdef ENABLE_MODULE_EXTRAKEYS
7661 run_extrakeys_tests();
7662#endif
7663
7664#ifdef ENABLE_MODULE_SCHNORRSIG
7665 run_schnorrsig_tests();
7666#endif
7667
7668#ifdef ENABLE_MODULE_ELLSWIFT
7669 run_ellswift_tests();
7670#endif
7671
7672 /* util tests */
7673 run_secp256k1_memczero_test();
7674 run_secp256k1_byteorder_tests();
7675
7676 run_cmov_tests();
7677
7678 /*** Tear down test environment ***/
7679 free(STATIC_CTX);
7680 secp256k1_context_destroy(CTX);
7681
7682 secp256k1_testrand_finish();
7683
7684 printf("no problems found\n");
7685 return 0;
7686}
flags
int flags
Definition: bitcoin-tx.cpp:546
SECP256K1_CHECKMEM_UNDEFINE
#define SECP256K1_CHECKMEM_UNDEFINE(p, len)
Definition: checkmem.h:76
SECP256K1_CHECKMEM_CHECK
#define SECP256K1_CHECKMEM_CHECK(p, len)
Definition: checkmem.h:78
tests_impl.h
run_ecdh_tests
static void run_ecdh_tests(void)
Definition: tests_impl.h:145
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
ecdsa_secp256k1_sha256_bitcoin_test.h
wycheproof_ecdsa_signatures
static const unsigned char wycheproof_ecdsa_signatures[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:173
wycheproof_ecdsa_public_keys
static const unsigned char wycheproof_ecdsa_public_keys[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:73
wycheproof_ecdsa_messages
static const unsigned char wycheproof_ecdsa_messages[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:13
SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
#define SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:2
testvectors
static const wycheproof_ecdsa_testvector testvectors[SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:636
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
ECMULT_TABLE_SIZE
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
secp256k1_ecmult
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_ecmult_const_xonly
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
secp256k1_ecmult_const_K
static const secp256k1_scalar secp256k1_ecmult_const_K
Definition: ecmult_const_impl.h:94
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:602
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:732
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
secp256k1_ecmult_strauss_batch_single
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:398
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:413
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:159
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:353
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:573
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:723
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
secp256k1_ecmult_multi_batch_size_helper
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:793
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:640
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:811
tests_impl.h
run_ellswift_tests
void run_ellswift_tests(void)
Definition: tests_impl.h:179
sum
volatile double sum
Definition: examples.cpp:10
tests_impl.h
run_extrakeys_tests
static void run_extrakeys_tests(void)
Definition: tests_impl.h:470
secp256k1_fe_cmov
#define secp256k1_fe_cmov
Definition: field.h:96
secp256k1_fe_is_quad_var
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.
secp256k1_fe_negate
#define secp256k1_fe_negate(r, a, m)
Negate a field element.
Definition: field.h:215
secp256k1_fe_mul_int
#define secp256k1_fe_mul_int(r, a)
Multiply a field element with a small integer.
Definition: field.h:237
secp256k1_fe_normalizes_to_zero_var
#define secp256k1_fe_normalizes_to_zero_var
Definition: field.h:82
secp256k1_fe_cmp_var
#define secp256k1_fe_cmp_var
Definition: field.h:87
secp256k1_fe_normalize_weak
#define secp256k1_fe_normalize_weak
Definition: field.h:79
secp256k1_fe_is_odd
#define secp256k1_fe_is_odd
Definition: field.h:86
secp256k1_fe_mul
#define secp256k1_fe_mul
Definition: field.h:94
secp256k1_fe_one
static const secp256k1_fe secp256k1_fe_one
Definition: field.h:68
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
secp256k1_fe_add
#define secp256k1_fe_add
Definition: field.h:93
secp256k1_fe_clear
#define secp256k1_fe_clear
Definition: field.h:84
secp256k1_fe_normalize_var
#define secp256k1_fe_normalize_var
Definition: field.h:80
secp256k1_fe_half
#define secp256k1_fe_half
Definition: field.h:102
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p.
Definition: field.h:66
secp256k1_fe_to_storage
#define secp256k1_fe_to_storage
Definition: field.h:97
secp256k1_fe_inv_var
#define secp256k1_fe_inv_var
Definition: field.h:100
secp256k1_fe_is_zero
#define secp256k1_fe_is_zero
Definition: field.h:85
secp256k1_fe_mul_int_unchecked
#define secp256k1_fe_mul_int_unchecked
Definition: field.h:92
secp256k1_fe_set_b32_limit
#define secp256k1_fe_set_b32_limit
Definition: field.h:89
secp256k1_fe_is_square_var
#define secp256k1_fe_is_square_var
Definition: field.h:104
secp256k1_fe_get_bounds
#define secp256k1_fe_get_bounds
Definition: field.h:101
secp256k1_fe_from_storage
#define secp256k1_fe_from_storage
Definition: field.h:98
secp256k1_fe_set_b32_mod
#define secp256k1_fe_set_b32_mod
Definition: field.h:88
secp256k1_fe_negate_unchecked
#define secp256k1_fe_negate_unchecked
Definition: field.h:91
secp256k1_fe_get_b32
#define secp256k1_fe_get_b32
Definition: field.h:90
secp256k1_fe_normalizes_to_zero
#define secp256k1_fe_normalizes_to_zero
Definition: field.h:81
secp256k1_fe_inv
#define secp256k1_fe_inv
Definition: field.h:99
secp256k1_fe_sqr
#define secp256k1_fe_sqr
Definition: field.h:95
secp256k1_fe_normalize
#define secp256k1_fe_normalize
Definition: field.h:78
secp256k1_fe_equal
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_fe_add_int
#define secp256k1_fe_add_int
Definition: field.h:103
secp256k1_fe_set_int
#define secp256k1_fe_set_int
Definition: field.h:83
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:54
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
SECP256K1_GE_STORAGE_CONST
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
secp256k1_gej_eq_var
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
SECP256K1_GE_X_MAGNITUDE_MAX
#define SECP256K1_GE_X_MAGNITUDE_MAX
Maximum allowed magnitudes for group element coordinates in affine (x, y) and jacobian (x,...
Definition: group.h:49
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
secp256k1_ge_x_on_curve_var
static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x)
Determine whether x is a valid X coordinate on the curve.
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
SECP256K1_GEJ_Y_MAGNITUDE_MAX
#define SECP256K1_GEJ_Y_MAGNITUDE_MAX
Definition: group.h:52
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_ge_x_frac_on_curve_var
static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd)
Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).
secp256k1_ge_storage_cmov
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_xquad
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that i...
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
SECP256K1_GE_Y_MAGNITUDE_MAX
#define SECP256K1_GE_Y_MAGNITUDE_MAX
Definition: group.h:50
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
secp256k1_gej_cmov
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_gej_has_quad_y_var
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.
SECP256K1_GEJ_Z_MAGNITUDE_MAX
#define SECP256K1_GEJ_Z_MAGNITUDE_MAX
Definition: group.h:53
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
SECP256K1_GEJ_X_MAGNITUDE_MAX
#define SECP256K1_GEJ_X_MAGNITUDE_MAX
Definition: group.h:51
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:70
int128_impl.h
secp256k1_int128
int128_t secp256k1_int128
Definition: int128_native.h:17
secp256k1_i128_load
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
Definition: int128_native_impl.h:45
secp256k1_i128_det
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
Definition: int128_native_impl.h:59
secp256k1_u128_check_bits
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:40
secp256k1_i128_rshift
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
Definition: int128_native_impl.h:66
secp256k1_u128_hi_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:32
secp256k1_i128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:71
secp256k1_i128_from_i64
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
Definition: int128_native_impl.h:80
secp256k1_u128_from_u64
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:36
secp256k1_i128_eq_var
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
Definition: int128_native_impl.h:84
secp256k1_i128_to_i64
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:75
secp256k1_i128_mul
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:49
secp256k1_u128_rshift
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:23
secp256k1_i128_check_pow2
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
Definition: int128_native_impl.h:88
secp256k1_u128_accum_u64
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:19
secp256k1_i128_accum_mul
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:53
secp256k1_u128_accum_mul
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:15
secp256k1_u128_load
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
Definition: int128_native_impl.h:7
secp256k1_u128_mul
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:11
secp256k1_u128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:28
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
Definition: lax_der_privatekey_parsing.c:55
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
Definition: lax_der_privatekey_parsing.c:11
cs
static void pool cs
Definition: mempool_eviction.cpp:13
secp256k1_modinv32_var
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_modinv32
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_jacobi32_maybe_var
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
modinv32_impl.h
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_jacobi64_maybe_var
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
modinv64_impl.h
tests_impl.h
run_multiset_tests
static void run_multiset_tests(void)
Definition: tests_impl.h:336
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:14
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
tests_wycheproof_generate.expected_verify
int expected_verify
Definition: tests_wycheproof_generate.py:46
tests_wycheproof_generate.out
string out
Definition: tests_wycheproof_generate.py:28
tinyformat::printf
void printf(const char *fmt, const Args &...args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1126
secp256k1_pre_g_128
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:8236
secp256k1_pre_g
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:16
WINDOW_G
#define WINDOW_G
Definition: precomputed_ecmult.c:15
sig
SchnorrSig sig
Definition: processor.cpp:537
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const uint8_t *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:36
tests_impl.h
run_recovery_tests
static void run_recovery_tests(void)
Definition: tests_impl.h:326
prefix
const char * prefix
Definition: rest.cpp:813
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_half
static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a)
Multiply a scalar with the multiplicative inverse of 2.
secp256k1_scalar_split_128
static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*2^128 = k.
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_scalar_split_lambda
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
secp256k1_scalar_get_bits_var
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:68
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
secp256k1_const_lambda
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:79
tests_impl.h
run_schnorr_tests
static void run_schnorr_tests(void)
Definition: tests_impl.h:512
tests_impl.h
run_schnorrsig_tests
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:819
secp256k1_scratch_apply_checkpoint
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
secp256k1_scratch_alloc
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
secp256k1_scratch_checkpoint
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_ctz64_var
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:323
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:212
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:226
ALIGNMENT
#define ALIGNMENT
Definition: util.h:156
secp256k1_default_error_callback_fn
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:82
secp256k1_read_be32
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:341
secp256k1_ctz32_var
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:305
secp256k1_write_be32
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:349
secp256k1_write_be64
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char *p, uint64_t x)
Definition: util.h:369
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:77
secp256k1_ctz64_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:294
CHECK
#define CHECK(cond)
Definition: util.h:128
secp256k1_ctz32_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:282
secp256k1_read_be64
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char *p)
Definition: util.h:357
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:142
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:193
secp256k1_scratch_space_destroy
static void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Definition: secp256k1.c:227
secp256k1_context_is_proper
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:81
secp256k1_context_no_precomp
const secp256k1_context * secp256k1_context_no_precomp
Definition: secp256k1.c:74
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:353
secp256k1_scratch_space_create
static secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Definition: secp256k1.c:222
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:239
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:258
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:465
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:339
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:186
secp256k1_ec_seckey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:704
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:196
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:751
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:761
secp256k1_ec_seckey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:614
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:379
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:290
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
secp256k1_ec_pubkey_cmp
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:313
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:573
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:140
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:198
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:558
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:272
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:192
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:363
secp256k1_selftest
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:85
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:596
secp256k1_tagged_sha256
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:787
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:202
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:444
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:425
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:162
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:687
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:203
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:400
secp256k1_ec_pubkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:633
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_add instead")
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:676
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:195
secp256k1_ec_privkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_negate instead")
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:629
secp256k1_ec_seckey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:660
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:728
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:412
secp256k1_context_static
SECP256K1_API const secp256k1_context * secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:223
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_mul instead")
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:724
secp256k1_context_preallocated_clone_size
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:111
secp256k1_context_preallocated_destroy
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:175
secp256k1_context_preallocated_create
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
secp256k1_context_preallocated_size
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:91
secp256k1_context_preallocated_clone
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:151
ecmult_multi_data
Definition: tests.c:4639
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:4640
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:4641
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:68
secp256k1_callback::data
const void * data
Definition: util.h:69
secp256k1_context_struct
Definition: secp256k1.c:60
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition: secp256k1.c:62
secp256k1_context_struct::declassify
int declassify
Definition: secp256k1.c:64
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:63
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:61
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:74
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:31
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:37
secp256k1_ecmult_gen_context::built
int built
Definition: ecmult_gen.h:33
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:36
secp256k1_fe_storage
Definition: field_10x26.h:50
secp256k1_fe
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
secp256k1_fe::n
uint32_t n[10]
Definition: field_10x26.h:22
secp256k1_ge_storage
Definition: group.h:38
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_ge::infinity
int infinity
Definition: group.h:19
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:30
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:29
secp256k1_gej::infinity
int infinity
Definition: group.h:32
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:31
secp256k1_hmac_sha256
Definition: hash.h:23
secp256k1_modinv32_modinfo
Definition: modinv32.h:19
secp256k1_modinv32_modinfo::modulus_inv30
uint32_t modulus_inv30
Definition: modinv32.h:24
secp256k1_modinv32_modinfo::modulus
secp256k1_modinv32_signed30 modulus
Definition: modinv32.h:21
secp256k1_modinv32_signed30
Definition: modinv32.h:15
secp256k1_modinv32_signed30::v
int32_t v[9]
Definition: modinv32.h:16
secp256k1_modinv64_modinfo
Definition: modinv64.h:23
secp256k1_modinv64_modinfo::modulus_inv62
uint64_t modulus_inv62
Definition: modinv64.h:28
secp256k1_modinv64_modinfo::modulus
secp256k1_modinv64_signed62 modulus
Definition: modinv64.h:25
secp256k1_modinv64_signed62
Definition: modinv64.h:19
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:20
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_scratch_space_struct
Definition: scratch.h:12
secp256k1_scratch_space_struct::alloc_size
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
secp256k1_sha256
Definition: hash.h:13
secp256k1_sha256::bytes
uint64_t bytes
Definition: hash.h:16
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:14
secp256k1_uint128
Definition: int128_struct.h:7
wycheproof_ecdsa_testvector::sig_offset
size_t sig_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:8
wycheproof_ecdsa_testvector::msg_offset
size_t msg_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:6
wycheproof_ecdsa_testvector::pk_offset
size_t pk_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:5
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_seed
static SECP256K1_INLINE void secp256k1_testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
secp256k1_testrand_init
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
secp256k1_testrand_finish
static void secp256k1_testrand_finish(void)
Print final test information.
secp256k1_testrand256_test
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_impl.h
secp256k1_test_state
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
run_random_pubkeys
static void run_random_pubkeys(void)
Definition: tests.c:6616
CHECK_ILLEGAL_VOID
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:70
test_wnaf
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5258
run_inverse_tests
static void run_inverse_tests(void)
Definition: tests.c:3421
counting_callback_fn
static void counting_callback_fn(const char *str, void *data)
Definition: tests.c:81
mutate_sign_signed30
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:968
ec_pubkey_parse_pointtest
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5664
test_ecdsa_sign_verify
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6280
test_ge
static void test_ge(void)
Definition: tests.c:3691
CHECK_ERROR_VOID
#define CHECK_ERROR_VOID(ctx, expr_or_stmt)
Definition: tests.c:68
random_gej_x_magnitude
static void random_gej_x_magnitude(secp256k1_gej *gej)
Definition: tests.c:143
run_pubkey_comparison
static void run_pubkey_comparison(void)
Definition: tests.c:6571
run_ecdsa_sign_verify
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6307
run_field_misc
static void run_field_misc(void)
Definition: tests.c:3118
test_ecmult_gen_blind_reset
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5595
random_field_element_magnitude
static void random_field_element_magnitude(secp256k1_fe *fe, int m)
Definition: tests.c:99
run_ec_pubkey_parse_test
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5731
run_static_context_tests
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:313
random_sign
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6273
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6323
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6331
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
test_ecmult_multi_random
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4881
COUNT
static int COUNT
Definition: tests.c:40
mulmod256
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:866
random_fe_non_zero_test
static void random_fe_non_zero_test(secp256k1_fe *fe)
Definition: tests.c:125
ecmult_const_check_result
static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar *q, const secp256k1_gej *res)
Definition: tests.c:4513
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:78
gej_xyz_equals_gej
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3670
ecmult_gen_context_eq
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:249
run_tagged_sha256_tests
static void run_tagged_sha256_tests(void)
Definition: tests.c:822
run_sha256_counter_tests
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:668
random_scalar_order_b32
static void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:209
random_group_element_jacobian_test
static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:167
test_fixed_wnaf_small_helper
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5328
all_bytes_equal
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:44
test_intialized_inf
static void test_intialized_inf(void)
Definition: tests.c:3914
test_fixed_wnaf_small
static void test_fixed_wnaf_small(void)
Definition: tests.c:5338
main
int main(int argc, char **argv)
Definition: tests.c:7511
run_ecmult_const_tests
static void run_ecmult_const_tests(void)
Definition: tests.c:4630
fe_identical
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3062
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
run_eckey_edge_case_test
static void run_eckey_edge_case_test(void)
Definition: tests.c:6016
random_fe_non_square
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2950
run_secp256k1_byteorder_tests
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7330
run_ecmult_constants
static void run_ecmult_constants(void)
Definition: tests.c:5538
run_field_be32_overflow
static void run_field_be32_overflow(void)
Definition: tests.c:2995
test_modinv32_uint16
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:983
run_ecmult_chain
static void run_ecmult_chain(void)
Definition: tests.c:4240
test_inverse_field
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3396
run_ec_combine
static void run_ec_combine(void)
Definition: tests.c:4084
run_deprecated_context_flags_test
static void run_deprecated_context_flags_test(void)
Definition: tests.c:264
CTX
static secp256k1_context * CTX
Definition: tests.c:41
run_point_times_order
static void run_point_times_order(void)
Definition: tests.c:4411
random_group_element_test
static void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:155
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6729
CONDITIONAL_TEST
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:38
ecmult_const_commutativity
static void ecmult_const_commutativity(void)
Definition: tests.c:4459
int_cmov_test
static void int_cmov_test(void)
Definition: tests.c:7358
test_add_neg_y_diff_x
static void test_add_neg_y_diff_x(void)
Definition: tests.c:3946
test_ecmult_accumulate
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5419
test_point_times_order
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4299
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6690
run_hmac_sha256_tests
static void run_hmac_sha256_tests(void)
Definition: tests.c:737
test_ecmult_multi_batch_single
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5047
random_gej_test
static void random_gej_test(secp256k1_gej *gej)
Definition: tests.c:177
signed30_to_uint16
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:959
is_empty_signature
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6361
run_field_half
static void run_field_half(void)
Definition: tests.c:3069
run_eckey_negate_test
static void run_eckey_negate_test(void)
Definition: tests.c:6238
scalar_test
static void scalar_test(void)
Definition: tests.c:2128
run_scalar_set_b32_seckey_tests
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2283
test_ecmult_multi
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4659
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6315
run_gej
static void run_gej(void)
Definition: tests.c:4023
run_ge
static void run_ge(void)
Definition: tests.c:4006
ge_storage_cmov_test
static void ge_storage_cmov_test(void)
Definition: tests.c:7471
scalar_minus_one
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3357
fe_storage_cmov_test
static void fe_storage_cmov_test(void)
Definition: tests.c:7413
test_ec_combine
static void test_ec_combine(void)
Definition: tests.c:4059
random_gej_y_magnitude
static void random_gej_y_magnitude(secp256k1_gej *gej)
Definition: tests.c:147
test_secp256k1_pippenger_bucket_window_inv
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5065
run_ctz_tests
static void run_ctz_tests(void)
Definition: tests.c:546
test_ecmult_multi_pippenger_max_points
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5085
run_scalar_tests
static void run_scalar_tests(void)
Definition: tests.c:2300
test_random_pubkeys
static void test_random_pubkeys(void)
Definition: tests.c:6511
random_fe_test
static void random_fe_test(secp256k1_fe *x)
Definition: tests.c:115
test_gej_cmov
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4015
random_ge_y_magnitude
static void random_ge_y_magnitude(secp256k1_ge *ge)
Definition: tests.c:139
test_sqrt
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3305
scalar_cmov_test
static void scalar_cmov_test(void)
Definition: tests.c:7443
random_ge_x_magnitude
static void random_ge_x_magnitude(secp256k1_ge *ge)
Definition: tests.c:135
run_ecmult_gen_blind
static void run_ecmult_gen_blind(void)
Definition: tests.c:5607
test_ecdsa_end_to_end
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6366
run_sha256_known_output_tests
static void run_sha256_known_output_tests(void)
Definition: tests.c:567
test_ecmult_target
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4361
CHECK_ERROR
#define CHECK_ERROR(ctx, expr)
Definition: tests.c:79
random_gej_z_magnitude
static void random_gej_z_magnitude(secp256k1_gej *gej)
Definition: tests.c:151
random_scalar_order
static void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:196
run_ecdsa_end_to_end
static void run_ecdsa_end_to_end(void)
Definition: tests.c:6623
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4644
ecmult_const_mult_xonly
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4549
run_proper_context_tests
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:354
random_fe_magnitude
static void random_fe_magnitude(secp256k1_fe *fe)
Definition: tests.c:131
test_fe_mul
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3225
test_group_decompress
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4091
test_ecmult_constants_2bit
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5451
run_cmov_tests
static void run_cmov_tests(void)
Definition: tests.c:7503
run_ecdsa_der_parse
static void run_ecdsa_der_parse(void)
Definition: tests.c:6875
ecmult_const_random_mult
static void ecmult_const_random_mult(void)
Definition: tests.c:4432
test_scalar_split
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5616
run_field_convert
static void run_field_convert(void)
Definition: tests.c:2965
test_ecdsa_der_parse
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6630
run_ec_illegal_argument_tests
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:282
run_ecdsa_wycheproof
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7283
test_ecmult_constants_sha
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5495
test_ecmult_multi_batching
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5166
uncounting_illegal_callback_fn
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:90
run_sqrt
static void run_sqrt(void)
Definition: tests.c:3319
run_modinv_tests
static void run_modinv_tests(void)
Definition: tests.c:1164
scalars_near_split_bounds
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4338
uint16_to_signed30
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:950
run_xoshiro256pp_tests
static void run_xoshiro256pp_tests(void)
Definition: tests.c:215
run_wnaf
static void run_wnaf(void)
Definition: tests.c:5392
run_ecmult_multi_tests
static void run_ecmult_multi_tests(void)
Definition: tests.c:5231
run_selftest_tests
static void run_selftest_tests(void)
Definition: tests.c:244
coprime
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1134
run_sqr
static void run_sqr(void)
Definition: tests.c:3289
context_eq
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:255
test_ecmult_multi_batch_size_helper
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5118
random_scalar_order_test
static void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:183
check_fe_equal
static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2958
run_endomorphism_tests
static void run_endomorphism_tests(void)
Definition: tests.c:5643
run_scratch_tests
static void run_scratch_tests(void)
Definition: tests.c:476
test_ecdsa_wycheproof
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7253
run_ecmult_near_split_bound
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4399
run_ecdsa_edge_cases
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7245
fe_cmov_test
static void fe_cmov_test(void)
Definition: tests.c:7383
run_group_decompress
static void run_group_decompress(void)
Definition: tests.c:4155
ecmult_const_mult_zero_one
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4480
test_ecmult_accumulate_cb
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5411
ecmult_const_edges
static void ecmult_const_edges(void)
Definition: tests.c:4522
test_ecdsa_edge_cases
static void test_ecdsa_edge_cases(void)
Definition: tests.c:6907
ecmult_const_chain_multiply
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4604
run_ecmult_pre_g
static void run_ecmult_pre_g(void)
Definition: tests.c:4216
ecmult_multi_false_callback
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4651
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:729
test_pre_g_table
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4166
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:42
test_fixed_wnaf
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5292
test_inverse_scalar
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3374
test_ecmult_gen_blind
static void test_ecmult_gen_blind(void)
Definition: tests.c:5572
run_secp256k1_memczero_test
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7315
run_fe_mul
static void run_fe_mul(void)
Definition: tests.c:3268
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6702
fe_minus_one
static const secp256k1_fe fe_minus_one
Definition: tests.c:3362
run_rfc6979_hmac_sha256_tests
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:781
modinv2p64
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:849
ge_equals_ge
static void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: testutil.h:29
ge_equals_gej
static void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: testutil.h:38
random_fe
static void random_fe(secp256k1_fe *x)
Definition: testutil.h:13
random_fe_non_zero
static void random_fe_non_zero(secp256k1_fe *nz)
Definition: testutil.h:23
expect
#define expect(bit)
Definition: univalue_read.cpp:283
Generated on Thu Jun 25 2026 18:22:14 for Bitcoin ABC by doxygen 1.9.4