Bitcoin Core  27.99.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #include <stdio.h>
8 #include <stdlib.h>
9 #include <string.h>
10 
11 #include <time.h>
12 
13 #ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14  #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15  #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16 #endif
17 #if defined(VERIFY) && defined(COVERAGE)
18  #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19 #endif
20 #include "secp256k1.c"
21 
22 #include "../include/secp256k1.h"
23 #include "../include/secp256k1_preallocated.h"
24 #include "testrand_impl.h"
25 #include "checkmem.h"
26 #include "testutil.h"
27 #include "util.h"
28 
29 #include "../contrib/lax_der_parsing.c"
30 #include "../contrib/lax_der_privatekey_parsing.c"
31 
32 #include "modinv32_impl.h"
33 #ifdef SECP256K1_WIDEMUL_INT128
34 #include "modinv64_impl.h"
35 #include "int128_impl.h"
36 #endif
37 
38 #define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
39 
40 static int COUNT = 64;
41 static secp256k1_context *CTX = NULL;
43 
44 static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
45  const unsigned char *p = s;
46  size_t i;
47 
48  for (i = 0; i < n; i++) {
49  if (p[i] != value) {
50  return 0;
51  }
52  }
53  return 1;
54 }
55 
56 #define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \
57  int32_t _calls_to_callback = 0; \
58  secp256k1_callback _saved_callback = ctx->callback; \
59  callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \
60  { expr_or_stmt; } \
61  ctx->callback = _saved_callback; \
62  CHECK(_calls_to_callback == 1); \
63 } while(0);
64 
65 /* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once
66  *
67  * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */
68 #define CHECK_ERROR_VOID(ctx, expr_or_stmt) \
69  CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback)
70 #define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \
71  CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback)
72 
73 /* CHECK that
74  * - expr calls the illegal callback of ctx exactly once and,
75  * - expr == 0 (or equivalently, expr == NULL)
76  *
77  * Useful for checking functions that return an integer or a pointer. */
78 #define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
79 #define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0))
80 
81 static void counting_callback_fn(const char* str, void* data) {
82  /* Dummy callback function that just counts. */
83  int32_t *p;
84  (void)str;
85  p = data;
86  CHECK(*p != INT32_MAX);
87  (*p)++;
88 }
89 
90 static void uncounting_illegal_callback_fn(const char* str, void* data) {
91  /* Dummy callback function that just counts (backwards). */
92  int32_t *p;
93  (void)str;
94  p = data;
95  CHECK(*p != INT32_MIN);
96  (*p)--;
97 }
98 
100  secp256k1_fe zero;
101  int n = secp256k1_testrand_int(m + 1);
103  if (n == 0) {
104  return;
105  }
106  secp256k1_fe_clear(&zero);
107  secp256k1_fe_negate(&zero, &zero, 0);
108  secp256k1_fe_mul_int_unchecked(&zero, n - 1);
109  secp256k1_fe_add(fe, &zero);
110 #ifdef VERIFY
111  CHECK(fe->magnitude == n);
112 #endif
113 }
114 
115 static void random_fe_test(secp256k1_fe *x) {
116  unsigned char bin[32];
117  do {
119  if (secp256k1_fe_set_b32_limit(x, bin)) {
120  return;
121  }
122  } while(1);
123 }
124 
126  do {
127  random_fe_test(fe);
128  } while(secp256k1_fe_is_zero(fe));
129 }
130 
133 }
134 
137 }
138 
141 }
142 
145 }
146 
149 }
150 
153 }
154 
156  secp256k1_fe fe;
157  do {
158  random_fe_test(&fe);
161  break;
162  }
163  } while(1);
164  ge->infinity = 0;
165 }
166 
168  secp256k1_fe z2, z3;
169  random_fe_non_zero_test(&gej->z);
170  secp256k1_fe_sqr(&z2, &gej->z);
171  secp256k1_fe_mul(&z3, &z2, &gej->z);
172  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
173  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
174  gej->infinity = ge->infinity;
175 }
176 
177 static void random_gej_test(secp256k1_gej *gej) {
178  secp256k1_ge ge;
181 }
182 
184  do {
185  unsigned char b32[32];
186  int overflow = 0;
188  secp256k1_scalar_set_b32(num, b32, &overflow);
189  if (overflow || secp256k1_scalar_is_zero(num)) {
190  continue;
191  }
192  break;
193  } while(1);
194 }
195 
197  do {
198  unsigned char b32[32];
199  int overflow = 0;
201  secp256k1_scalar_set_b32(num, b32, &overflow);
202  if (overflow || secp256k1_scalar_is_zero(num)) {
203  continue;
204  }
205  break;
206  } while(1);
207 }
208 
209 static void random_scalar_order_b32(unsigned char *b32) {
210  secp256k1_scalar num;
211  random_scalar_order(&num);
212  secp256k1_scalar_get_b32(b32, &num);
213 }
214 
215 static void run_xoshiro256pp_tests(void) {
216  {
217  size_t i;
218  /* Sanity check that we run before the actual seeding. */
219  for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
220  CHECK(secp256k1_test_state[i] == 0);
221  }
222  }
223  {
224  int i;
225  unsigned char buf32[32];
226  unsigned char seed16[16] = {
227  'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
228  'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
229  };
230  unsigned char buf32_expected[32] = {
231  0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
232  0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
233  0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
234  0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
235  };
236  secp256k1_testrand_seed(seed16);
237  for (i = 0; i < 17; i++) {
238  secp256k1_testrand256(buf32);
239  }
240  CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
241  }
242 }
243 
244 static void run_selftest_tests(void) {
245  /* Test public API */
247 }
248 
250  return a->built == b->built
254 }
255 
256 static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
257  return a->declassify == b->declassify
261  && a->error_callback.fn == b->error_callback.fn
263 }
264 
266  /* Check that a context created with any of the flags in the flags array is
267  * identical to the NONE context. */
268  unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
272  int i;
273  for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
274  secp256k1_context *tmp_ctx;
276  tmp_ctx = secp256k1_context_create(flags[i]);
277  CHECK(context_eq(none_ctx, tmp_ctx));
278  secp256k1_context_destroy(tmp_ctx);
279  }
280  secp256k1_context_destroy(none_ctx);
281 }
282 
283 static void run_ec_illegal_argument_tests(void) {
284  secp256k1_pubkey pubkey;
285  secp256k1_pubkey zero_pubkey;
287  unsigned char ctmp[32];
288 
289  /* Setup */
290  memset(ctmp, 1, 32);
291  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
292 
293  /* Verify context-type checking illegal-argument errors. */
295  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
296  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
297  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
298  CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL));
299  SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
300  CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
301  SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
302  CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
303  CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
304  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
305  CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
306  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
308  CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
311  CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
312 }
313 
314 static void run_static_context_tests(int use_prealloc) {
315  /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
317 
318  {
319  unsigned char seed[32] = {0x17};
320 
321  /* Randomizing secp256k1_context_static is not supported. */
324 
325  /* Destroying or cloning secp256k1_context_static is not supported. */
326  if (use_prealloc) {
328  {
329  secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
330  CHECK(my_static_ctx != NULL);
331  memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
333  CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
334  free(my_static_ctx);
335  }
337  } else {
340  }
341  }
342 
343  {
344  /* Verify that setting and resetting illegal callback works */
345  int32_t dummy = 0;
352  }
353 }
354 
355 static void run_proper_context_tests(int use_prealloc) {
356  int32_t dummy = 0;
357  secp256k1_context *my_ctx, *my_ctx_fresh;
358  void *my_ctx_prealloc = NULL;
359  unsigned char seed[32] = {0x17};
360 
361  secp256k1_gej pubj;
362  secp256k1_ge pub;
363  secp256k1_scalar msg, key, nonce;
364  secp256k1_scalar sigr, sigs;
365 
366  /* Fresh reference context for comparison */
368 
369  if (use_prealloc) {
371  CHECK(my_ctx_prealloc != NULL);
373  } else {
375  }
376 
377  /* Randomize and reset randomization */
378  CHECK(context_eq(my_ctx, my_ctx_fresh));
379  CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
380  CHECK(!context_eq(my_ctx, my_ctx_fresh));
381  CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
382  CHECK(context_eq(my_ctx, my_ctx_fresh));
383 
384  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
388 
389  /* check if sizes for cloning are consistent */
391 
392  /*** clone and destroy all of them to make sure cloning was complete ***/
393  {
394  secp256k1_context *ctx_tmp;
395 
396  if (use_prealloc) {
397  /* clone into a non-preallocated context and then again into a new preallocated one. */
398  ctx_tmp = my_ctx;
399  my_ctx = secp256k1_context_clone(my_ctx);
400  CHECK(context_eq(ctx_tmp, my_ctx));
402 
403  free(my_ctx_prealloc);
405  CHECK(my_ctx_prealloc != NULL);
406  ctx_tmp = my_ctx;
407  my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
408  CHECK(context_eq(ctx_tmp, my_ctx));
409  secp256k1_context_destroy(ctx_tmp);
410  } else {
411  /* clone into a preallocated context and then again into a new non-preallocated one. */
412  void *prealloc_tmp;
413 
415  CHECK(prealloc_tmp != NULL);
416  ctx_tmp = my_ctx;
417  my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
418  CHECK(context_eq(ctx_tmp, my_ctx));
419  secp256k1_context_destroy(ctx_tmp);
420 
421  ctx_tmp = my_ctx;
422  my_ctx = secp256k1_context_clone(my_ctx);
423  CHECK(context_eq(ctx_tmp, my_ctx));
425  free(prealloc_tmp);
426  }
427  }
428 
429  /* Verify that the error callback makes it across the clone. */
432  /* And that it resets back to default. */
433  secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
435  CHECK(context_eq(my_ctx, my_ctx_fresh));
436 
437  /* Verify that setting and resetting illegal callback works */
440  CHECK(my_ctx->illegal_callback.data == &dummy);
441  secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
443  CHECK(my_ctx->illegal_callback.data == NULL);
444  CHECK(context_eq(my_ctx, my_ctx_fresh));
445 
446  /*** attempt to use them ***/
449  secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
450  secp256k1_ge_set_gej(&pub, &pubj);
451 
452  /* obtain a working nonce */
453  do {
455  } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
456 
457  /* try signing */
458  CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
459 
460  /* try verifying */
461  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
462 
463  /* cleanup */
464  if (use_prealloc) {
466  free(my_ctx_prealloc);
467  } else {
469  }
470  secp256k1_context_destroy(my_ctx_fresh);
471 
472  /* Defined as no-op. */
475 }
476 
477 static void run_scratch_tests(void) {
478  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
479 
480  size_t checkpoint;
481  size_t checkpoint_2;
482  secp256k1_scratch_space *scratch;
483  secp256k1_scratch_space local_scratch;
484 
485  /* Test public API */
486  scratch = secp256k1_scratch_space_create(CTX, 1000);
487  CHECK(scratch != NULL);
488 
489  /* Test internal API */
491  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
492  CHECK(scratch->alloc_size == 0);
493  CHECK(scratch->alloc_size % ALIGNMENT == 0);
494 
495  /* Allocating 500 bytes succeeds */
496  checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
497  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
498  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
499  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
500  CHECK(scratch->alloc_size != 0);
501  CHECK(scratch->alloc_size % ALIGNMENT == 0);
502 
503  /* Allocating another 501 bytes fails */
504  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
505  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
506  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
507  CHECK(scratch->alloc_size != 0);
508  CHECK(scratch->alloc_size % ALIGNMENT == 0);
509 
510  /* ...but it succeeds once we apply the checkpoint to undo it */
511  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
512  CHECK(scratch->alloc_size == 0);
514  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
515  CHECK(scratch->alloc_size != 0);
516 
517  /* try to apply a bad checkpoint */
518  checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
519  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
520  CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */
521  CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */
522 
523  /* try to use badly initialized scratch space */
525  memset(&local_scratch, 0, sizeof(local_scratch));
526  scratch = &local_scratch;
530 
531  /* Test that large integers do not wrap around in a bad way */
532  scratch = secp256k1_scratch_space_create(CTX, 1000);
533  /* Try max allocation with a large number of objects. Only makes sense if
534  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
535  * space. */
536  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
537  /* Try allocating SIZE_MAX to test wrap around which only happens if
538  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
539  * space is too small. */
540  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
542 
543  /* cleanup */
544  secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
545 }
546 
547 static void run_ctz_tests(void) {
548  static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
549  static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
550  int shift;
551  unsigned i;
552  for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
553  for (shift = 0; shift < 32; ++shift) {
554  CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
555  CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
556  }
557  }
558  for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
559  for (shift = 0; shift < 64; ++shift) {
560  CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
561  CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
562  }
563  }
564 }
565 
566 /***** HASH TESTS *****/
567 
568 static void run_sha256_known_output_tests(void) {
569  static const char *inputs[] = {
570  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
571  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
572  "For this sample, this 63-byte string will be used as input data",
573  "This is exactly 64 bytes long, not counting the terminating byte",
574  "aaaaa",
575  };
576  static const unsigned int repeat[] = {
577  1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
578  };
579  static const unsigned char outputs[][32] = {
580  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
581  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
582  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
583  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
584  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
585  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
586  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
587  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
588  {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
589  };
590  unsigned int i, ninputs;
591 
592  /* Skip last input vector for low iteration counts */
593  ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
594  CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
595 
596  for (i = 0; i < ninputs; i++) {
597  unsigned char out[32];
598  secp256k1_sha256 hasher;
599  unsigned int j;
600  /* 1. Run: simply write the input bytestrings */
601  j = repeat[i];
603  while (j > 0) {
604  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
605  j--;
606  }
607  secp256k1_sha256_finalize(&hasher, out);
608  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
609  /* 2. Run: split the input bytestrings randomly before writing */
610  if (strlen(inputs[i]) > 0) {
611  int split = secp256k1_testrand_int(strlen(inputs[i]));
613  j = repeat[i];
614  while (j > 0) {
615  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
616  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
617  j--;
618  }
619  secp256k1_sha256_finalize(&hasher, out);
620  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
621  }
622  }
623 }
624 
669 static void run_sha256_counter_tests(void) {
670  static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
671  static const secp256k1_sha256 midstates[] = {
672  {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
673  {0x00}, 0xfffc0},
674  {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
675  {0x00}, 0x1fffc0},
676  {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
677  {0x00}, 0x3fffc0},
678  {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
679  {0x00}, 0x7fffc0},
680  {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
681  {0x00}, 0xffffc0},
682  {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
683  {0x00}, 0x1ffffc0},
684  {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
685  {0x00}, 0x3ffffc0},
686  {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
687  {0x00}, 0x7ffffc0},
688  {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
689  {0x00}, 0xfffffc0},
690  {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
691  {0x00}, 0x1fffffc0},
692  {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
693  {0x00}, 0x3fffffc0},
694  {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
695  {0x00}, 0x7fffffc0},
696  {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
697  {0x00}, 0xffffffc0},
698  {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
699  {0x00}, 0x1ffffffc0},
700  };
701  static const unsigned char outputs[][32] = {
702  {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
703  {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
704  {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
705  {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
706  {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
707  {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
708  {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
709  {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
710  {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
711  {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
712  {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
713  {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
714  {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
715  {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
716  };
717  unsigned int i;
718  for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
719  unsigned char out[32];
720  secp256k1_sha256 hasher = midstates[i];
721  secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
722  secp256k1_sha256_finalize(&hasher, out);
723  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
724  }
725 }
726 
727 /* Tests for the equality of two sha256 structs. This function only produces a
728  * correct result if an integer multiple of 64 many bytes have been written
729  * into the hash functions. This function is used by some module tests. */
730 static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
731  /* Is buffer fully consumed? */
732  CHECK((sha1->bytes & 0x3F) == 0);
733 
734  CHECK(sha1->bytes == sha2->bytes);
735  CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
736 }
737 
738 static void run_hmac_sha256_tests(void) {
739  static const char *keys[6] = {
740  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
741  "\x4a\x65\x66\x65",
742  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
743  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
744  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
745  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
746  };
747  static const char *inputs[6] = {
748  "\x48\x69\x20\x54\x68\x65\x72\x65",
749  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
750  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
751  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
752  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
753  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
754  };
755  static const unsigned char outputs[6][32] = {
756  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
757  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
758  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
759  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
760  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
761  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
762  };
763  int i;
764  for (i = 0; i < 6; i++) {
765  secp256k1_hmac_sha256 hasher;
766  unsigned char out[32];
767  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
768  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
770  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
771  if (strlen(inputs[i]) > 0) {
772  int split = secp256k1_testrand_int(strlen(inputs[i]));
773  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
774  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
775  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
777  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
778  }
779  }
780 }
781 
782 static void run_rfc6979_hmac_sha256_tests(void) {
783  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
784  static const unsigned char out1[3][32] = {
785  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
786  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
787  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
788  };
789 
790  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
791  static const unsigned char out2[3][32] = {
792  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
793  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
794  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
795  };
796 
798  unsigned char out[32];
799  int i;
800 
802  for (i = 0; i < 3; i++) {
804  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
805  }
807 
809  for (i = 0; i < 3; i++) {
811  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
812  }
814 
816  for (i = 0; i < 3; i++) {
818  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
819  }
821 }
822 
823 static void run_tagged_sha256_tests(void) {
824  unsigned char tag[32] = { 0 };
825  unsigned char msg[32] = { 0 };
826  unsigned char hash32[32];
827  unsigned char hash_expected[32] = {
828  0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
829  0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
830  0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
831  0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
832  };
833 
834  /* API test */
835  CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
836  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)));
837  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)));
838  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0));
839 
840  /* Static test vector */
841  memcpy(tag, "tag", 3);
842  memcpy(msg, "msg", 3);
843  CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
844  CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
845 }
846 
847 /***** MODINV TESTS *****/
848 
849 /* Compute the modular inverse of (odd) x mod 2^64. */
850 static uint64_t modinv2p64(uint64_t x) {
851  /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
852  * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
853  * why. Start with L=0, for which it is true for every odd x that
854  * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
855  int l;
856  uint64_t w = 1;
857  CHECK(x & 1);
858  for (l = 0; l < 6; ++l) w *= (2 - w*x);
859  return w;
860 }
861 
862 
863 /* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
864  *
865  * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
866  * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
867 static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
868  uint16_t mul[32];
869  uint64_t c = 0;
870  int i, j;
871  int m_bitlen = 0;
872  int mul_bitlen = 0;
873 
874  if (b != NULL) {
875  /* Compute the product of a and b, and put it in mul. */
876  for (i = 0; i < 32; ++i) {
877  for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
878  c += (uint64_t)a[j] * b[i - j];
879  }
880  mul[i] = c & 0xFFFF;
881  c >>= 16;
882  }
883  CHECK(c == 0);
884 
885  /* compute the highest set bit in mul */
886  for (i = 511; i >= 0; --i) {
887  if ((mul[i >> 4] >> (i & 15)) & 1) {
888  mul_bitlen = i;
889  break;
890  }
891  }
892  } else {
893  /* if b==NULL, set mul=a. */
894  memcpy(mul, a, 32);
895  memset(mul + 16, 0, 32);
896  /* compute the highest set bit in mul */
897  for (i = 255; i >= 0; --i) {
898  if ((mul[i >> 4] >> (i & 15)) & 1) {
899  mul_bitlen = i;
900  break;
901  }
902  }
903  }
904 
905  if (m) {
906  /* Compute the highest set bit in m. */
907  for (i = 255; i >= 0; --i) {
908  if ((m[i >> 4] >> (i & 15)) & 1) {
909  m_bitlen = i;
910  break;
911  }
912  }
913 
914  /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
915  for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
916  uint16_t mul2[32];
917  int64_t cs;
918 
919  /* Compute mul2 = mul - m<<i. */
920  cs = 0; /* accumulator */
921  for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
922  /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
923  uint16_t sub = 0;
924  int p;
925  for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
926  int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
927  if (bitpos >= 0 && bitpos < 256) {
928  sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
929  }
930  }
931  /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
932  cs += mul[j];
933  cs -= sub;
934  mul2[j] = (cs & 0xFFFF);
935  cs >>= 16;
936  }
937  /* If remainder of subtraction is 0, set mul = mul2. */
938  if (cs == 0) {
939  memcpy(mul, mul2, sizeof(mul));
940  }
941  }
942  /* Sanity check: test that all limbs higher than m's highest are zero */
943  for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
944  CHECK(mul[i] == 0);
945  }
946  }
947  memcpy(out, mul, 32);
948 }
949 
950 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
951 static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
952  int i;
953  memset(out->v, 0, sizeof(out->v));
954  for (i = 0; i < 256; ++i) {
955  out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
956  }
957 }
958 
959 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
960 static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
961  int i;
962  memset(out, 0, 32);
963  for (i = 0; i < 256; ++i) {
964  out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
965  }
966 }
967 
968 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
970  int i;
971  for (i = 0; i < 16; ++i) {
972  int pos = secp256k1_testrand_bits(3);
973  if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
974  x->v[pos] -= 0x40000000;
975  x->v[pos + 1] += 1;
976  } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
977  x->v[pos] += 0x40000000;
978  x->v[pos + 1] -= 1;
979  }
980  }
981 }
982 
983 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
984 static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
985  uint16_t tmp[16];
988  int i, vartime, nonzero;
989 
990  uint16_to_signed30(&x, in);
991  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
992  uint16_to_signed30(&m.modulus, mod);
993 
994  /* compute 1/modulus mod 2^30 */
995  m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
996  CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
997 
998  /* Test secp256k1_jacobi32_maybe_var. */
999  if (nonzero) {
1000  int jac;
1001  uint16_t sqr[16], negone[16];
1002  mulmod256(sqr, in, in, mod);
1003  uint16_to_signed30(&x, sqr);
1004  /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1005  jac = secp256k1_jacobi32_maybe_var(&x, &m);
1006  CHECK(jac == 0 || jac == 1);
1007  /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1008  * jacobi symbols if and only if (mod % 4) == 3. */
1009  negone[0] = mod[0] - 1;
1010  for (i = 1; i < 16; ++i) negone[i] = mod[i];
1011  mulmod256(sqr, sqr, negone, mod);
1012  uint16_to_signed30(&x, sqr);
1013  jac = secp256k1_jacobi32_maybe_var(&x, &m);
1014  CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1015  }
1016 
1017  uint16_to_signed30(&x, in);
1018  mutate_sign_signed30(&m.modulus);
1019  for (vartime = 0; vartime < 2; ++vartime) {
1020  /* compute inverse */
1021  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1022 
1023  /* produce output */
1024  signed30_to_uint16(out, &x);
1025 
1026  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1027  mulmod256(tmp, out, in, mod);
1028  CHECK(tmp[0] == nonzero);
1029  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1030 
1031  /* invert again */
1032  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1033 
1034  /* check if the result is equal to the input */
1035  signed30_to_uint16(tmp, &x);
1036  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1037  }
1038 }
1039 
1040 #ifdef SECP256K1_WIDEMUL_INT128
1041 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1042 static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1043  int i;
1044  memset(out->v, 0, sizeof(out->v));
1045  for (i = 0; i < 256; ++i) {
1046  out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1047  }
1048 }
1049 
1050 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1051 static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1052  int i;
1053  memset(out, 0, 32);
1054  for (i = 0; i < 256; ++i) {
1055  out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1056  }
1057 }
1058 
1059 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1060 static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1061  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1062  int i;
1063  for (i = 0; i < 8; ++i) {
1064  int pos = secp256k1_testrand_bits(2);
1065  if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1066  x->v[pos] -= (M62 + 1);
1067  x->v[pos + 1] += 1;
1068  } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1069  x->v[pos] += (M62 + 1);
1070  x->v[pos + 1] -= 1;
1071  }
1072  }
1073 }
1074 
1075 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1076 static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1077  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1078  uint16_t tmp[16];
1081  int i, vartime, nonzero;
1082 
1083  uint16_to_signed62(&x, in);
1084  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1085  uint16_to_signed62(&m.modulus, mod);
1086 
1087  /* compute 1/modulus mod 2^62 */
1088  m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1089  CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1090 
1091  /* Test secp256k1_jacobi64_maybe_var. */
1092  if (nonzero) {
1093  int jac;
1094  uint16_t sqr[16], negone[16];
1095  mulmod256(sqr, in, in, mod);
1096  uint16_to_signed62(&x, sqr);
1097  /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1098  jac = secp256k1_jacobi64_maybe_var(&x, &m);
1099  CHECK(jac == 0 || jac == 1);
1100  /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1101  * jacobi symbols if and only if (mod % 4) == 3. */
1102  negone[0] = mod[0] - 1;
1103  for (i = 1; i < 16; ++i) negone[i] = mod[i];
1104  mulmod256(sqr, sqr, negone, mod);
1105  uint16_to_signed62(&x, sqr);
1106  jac = secp256k1_jacobi64_maybe_var(&x, &m);
1107  CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1108  }
1109 
1110  uint16_to_signed62(&x, in);
1111  mutate_sign_signed62(&m.modulus);
1112  for (vartime = 0; vartime < 2; ++vartime) {
1113  /* compute inverse */
1114  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1115 
1116  /* produce output */
1117  signed62_to_uint16(out, &x);
1118 
1119  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1120  mulmod256(tmp, out, in, mod);
1121  CHECK(tmp[0] == nonzero);
1122  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1123 
1124  /* invert again */
1125  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1126 
1127  /* check if the result is equal to the input */
1128  signed62_to_uint16(tmp, &x);
1129  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1130  }
1131 }
1132 #endif
1133 
1134 /* test if a and b are coprime */
1135 static int coprime(const uint16_t* a, const uint16_t* b) {
1136  uint16_t x[16], y[16], t[16];
1137  int i;
1138  int iszero;
1139  memcpy(x, a, 32);
1140  memcpy(y, b, 32);
1141 
1142  /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1143  while (1) {
1144  iszero = 1;
1145  for (i = 0; i < 16; ++i) {
1146  if (x[i] != 0) {
1147  iszero = 0;
1148  break;
1149  }
1150  }
1151  if (iszero) break;
1152  mulmod256(t, y, NULL, x);
1153  memcpy(y, x, 32);
1154  memcpy(x, t, 32);
1155  }
1156 
1157  /* return whether y=1 */
1158  if (y[0] != 1) return 0;
1159  for (i = 1; i < 16; ++i) {
1160  if (y[i] != 0) return 0;
1161  }
1162  return 1;
1163 }
1164 
1165 static void run_modinv_tests(void) {
1166  /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1167  static const uint16_t CASES[][3][16] = {
1168  /* Test cases triggering edge cases in divsteps */
1169 
1170  /* Test case known to need 713 divsteps */
1171  {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1172  0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1173  {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1174  0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1175  {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1176  0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1177  /* Test case known to need 589 divsteps, reaching delta=-140 and
1178  delta=141. */
1179  {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1180  0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1181  {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1182  0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1183  {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1184  0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1185  /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1186  {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1187  0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1188  {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1189  0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1190  {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1191  0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1192  /* example needing 713 divsteps; delta=-2..3 */
1193  {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1194  0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1195  {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1196  0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1197  {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1198  0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1199  /* example needing 713 divsteps; delta=-2..3 */
1200  {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1201  0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1202  {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1203  0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1204  {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1205  0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1206  /* example needing 713 divsteps; delta=-2..3 */
1207  {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1208  0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1209  {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1210  0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1211  {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1212  0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1213  /* example reaching delta=-64..65; 661 divsteps */
1214  {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1215  0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1216  {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1217  0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1218  {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1219  0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1220  /* example reaching delta=-64..65; 661 divsteps */
1221  {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1222  0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1223  {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1224  0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1225  {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1226  0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1227  /* example reaching delta=-64..65; 661 divsteps */
1228  {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1229  0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1230  {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1231  0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1232  {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1233  0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1234  /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1235  {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1236  0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1237  {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1238  0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1239  {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1240  0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1241  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1242  {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1243  0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1244  {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1245  0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1246  {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1247  0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1248  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1249  {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1250  0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1251  {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1252  0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1253  {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1254  0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1255  /* example doing 446 (f,g/2) steps; 523 divsteps */
1256  {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1257  0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1258  {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1259  0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1260  {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1261  0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1262  /* example doing 446 (f,g/2) steps; 523 divsteps */
1263  {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1264  0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1265  {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1266  0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1267  {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1268  0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1269  /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1270  {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1271  0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1272  {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1273  0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1274  {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1275  0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1276  /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1277  {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1278  0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1279  {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1280  0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1281  {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1282  0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1283  /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1284  {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1285  0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1286  {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1287  0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1288  {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1289  0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1290  /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1291  {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1292  0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1293  {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1294  0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1295  {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1296  0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1297 
1298  /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1299 
1300  /* example needing 590 divsteps; delta=-5/2..7/2 */
1301  {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1302  0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1303  {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1304  0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1305  {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1306  0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1307  /* example needing 590 divsteps; delta=-3/2..5/2 */
1308  {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1309  0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1310  {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1311  0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1312  {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1313  0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1314  /* example needing 590 divsteps; delta=-3/2..5/2 */
1315  {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1316  0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1317  {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1318  0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1319  {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1320  0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1321  /* example needing 590 divsteps; delta=-5/2..7/2 */
1322  {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1323  0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1324  {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1325  0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1326  {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1327  0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1328  /* example needing 590 divsteps; delta=-3/2..5/2 */
1329  {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1330  0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1331  {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1332  0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1333  {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1334  0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1335  /* example reaching delta=-127/2..129/2; 571 divsteps */
1336  {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1337  0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1338  {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1339  0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1340  {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1341  0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1342  /* example reaching delta=-127/2..129/2; 571 divsteps */
1343  {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1344  0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1345  {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1346  0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1347  {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1348  0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1349  /* example reaching delta=-127/2..129/2; 571 divsteps */
1350  {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1351  0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1352  {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1353  0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1354  {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1355  0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1356  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1357  {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1358  0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1359  {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1360  0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1361  {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1362  0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1363  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1364  {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1365  0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1366  {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1367  0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1368  {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1369  0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1370  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1371  {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1372  0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1373  {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1374  0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1375  {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1376  0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1377  /* example doing 453 (f,g/2) steps; 514 divsteps */
1378  {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1379  0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1380  {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1381  0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1382  {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1383  0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1384  /* example doing 453 (f,g/2) steps; 514 divsteps */
1385  {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1386  0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1387  {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1388  0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1389  {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1390  0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1391  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1392  {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1393  0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1394  {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1395  0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1396  {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1397  0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1398  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1399  {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1400  0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1401  {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1402  0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1403  {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1404  0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1405  /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1406  {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1407  0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1408  {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1409  0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1410  {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1411  0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1412  /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1413  {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1414  0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1415  {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1416  0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1417  {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1418  0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1419 
1420  /* Test cases with the group order as modulus. */
1421 
1422  /* Test case with the group order as modulus, needing 635 divsteps. */
1423  {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1424  0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1425  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1426  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1427  {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1428  0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1429  /* example with group size as modulus needing 631 divsteps */
1430  {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1431  0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1432  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1433  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1434  {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1435  0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1436  /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1437  {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1438  0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1439  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1440  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1441  {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1442  0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1443  /* Test case with the group size as modulus, needing 981 divsteps with
1444  broken eta handling. */
1445  {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1446  0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1447  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1448  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1449  {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1450  0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1451  /* Test case with the group size as modulus, input = 0. */
1452  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1453  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1454  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1455  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1456  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1457  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1458  /* Test case with the group size as modulus, input = 1. */
1459  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1460  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1461  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1462  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1463  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1464  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1465  /* Test case with the group size as modulus, input = 2. */
1466  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1467  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1468  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1469  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1470  {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1471  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1472  /* Test case with the group size as modulus, input = group - 1. */
1473  {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1474  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1475  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1476  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1477  {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1478  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1479 
1480  /* Test cases with the field size as modulus. */
1481 
1482  /* Test case with the field size as modulus, needing 637 divsteps. */
1483  {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1484  0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1485  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1486  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1487  {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1488  0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1489  /* example with field size as modulus needing 637 divsteps */
1490  {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1491  0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1492  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1493  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1494  {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1495  0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1496  /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1497  {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1498  0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1499  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1500  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1501  {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1502  0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1503  /* Test case with the field size as modulus, needing 935 divsteps with
1504  broken eta handling. */
1505  {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1506  0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1507  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1508  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1509  {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1510  0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1511  /* Test case with the field size as modulus, input = 0. */
1512  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1513  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1514  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1515  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1516  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1517  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1518  /* Test case with the field size as modulus, input = 1. */
1519  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1520  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1521  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1522  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1523  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1524  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1525  /* Test case with the field size as modulus, input = 2. */
1526  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1527  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1528  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1529  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1530  {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1531  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1532  /* Test case with the field size as modulus, input = field - 1. */
1533  {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1534  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1535  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1536  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1537  {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1538  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1539 
1540  /* Selected from a large number of random inputs to reach small/large
1541  * d/e values in various configurations. */
1542  {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1543  0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1544  {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1545  0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1546  {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1547  0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1548  {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1549  0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1550  {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1551  0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1552  {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1553  0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1554  {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1555  0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1556  {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1557  0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1558  {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1559  0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1560  {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1561  0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1562  {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1563  0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1564  {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1565  0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1566  {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1567  0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1568  {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1569  0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1570  {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1571  0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1572  {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1573  0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1574  {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1575  0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1576  {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1577  0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1578  {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1579  0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1580  {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1581  0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1582  {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1583  0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1584  {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1585  0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1586  {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1587  0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1588  {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1589  0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1590  {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1591  0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1592  {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1593  0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1594  {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1595  0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1596  {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1597  0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1598  {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1599  0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1600  {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1601  0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1602  {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1603  0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1604  {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1605  0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1606  {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1607  0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1608  {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1609  0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1610  {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1611  0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1612  {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1613  0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1614  {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1615  0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1616  {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1617  0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1618  {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1619  0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1620  {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1621  0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1622  {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1623  0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1624  {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1625  0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1626  {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1627  0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1628  {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1629  0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1630  {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1631  0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1632  {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1633  0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1634  {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1635  0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1636  {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1637  0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1638  {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1639  0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1640  {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1641  0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1642  {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1643  0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1644  {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1645  0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1646  {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1647  0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1648  {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1649  0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1650  {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1651  0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1652  {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1653  0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1654  {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1655  0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1656  {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1657  0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1658  {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1659  0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1660  {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1661  0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1662  {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1663  0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1664  {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1665  0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1666  {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1667  0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1668  {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1669  0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1670  {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1671  0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1672  {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1673  0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1674  {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1675  0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1676  {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1677  0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1678  {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1679  0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1680  {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1681  0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1682  {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1683  0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1684  {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1685  0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1686  {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1687  0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1688  {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1689  0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1690  {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1691  0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1692  {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1693  0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1694  {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1695  0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1696  {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1697  0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1698  {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1699  0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1700  {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1701  0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1702  {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1703  0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1704  {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1705  0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1706  {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1707  0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1708  {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1709  0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1710  {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1711  0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1712  {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1713  0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1714  {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1715  0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1716  {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1717  0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1718  {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1719  0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1720  {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1721  0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1722  {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1723  0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1724  {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1725  0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1726  {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1727  0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1728  {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1729  0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1730  {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1731  0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1732  {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1733  0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1734  {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1735  0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1736  {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1737  0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1738  {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1739  0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1740  {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1741  0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1742  {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1743  0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1744  {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1745  0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1746  {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1747  0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1748  {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1749  0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1750  {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1751  0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1752  };
1753 
1754  int i, j, ok;
1755 
1756  /* Test known inputs/outputs */
1757  for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1758  uint16_t out[16];
1759  test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1760  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1761 #ifdef SECP256K1_WIDEMUL_INT128
1762  test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1763  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1764 #endif
1765  }
1766 
1767  for (i = 0; i < 100 * COUNT; ++i) {
1768  /* 256-bit numbers in 16-uint16_t's notation */
1769  static const uint16_t ZERO[16] = {0};
1770  uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1771  uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1772  uint16_t id[16]; /* the inverse of xd mod md */
1773 
1774  /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1775  do {
1776  /* generate random xd and md (with many subsequent 0s and 1s) */
1777  secp256k1_testrand256_test((unsigned char*)xd);
1778  secp256k1_testrand256_test((unsigned char*)md);
1779  md[0] |= 1; /* modulus must be odd */
1780  /* If modulus is 1, find another one. */
1781  ok = md[0] != 1;
1782  for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1783  mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1784  } while (!(ok && coprime(xd, md)));
1785 
1786  test_modinv32_uint16(id, xd, md);
1787 #ifdef SECP256K1_WIDEMUL_INT128
1788  test_modinv64_uint16(id, xd, md);
1789 #endif
1790 
1791  /* In a few cases, also test with input=0 */
1792  if (i < COUNT) {
1793  test_modinv32_uint16(id, ZERO, md);
1794 #ifdef SECP256K1_WIDEMUL_INT128
1795  test_modinv64_uint16(id, ZERO, md);
1796 #endif
1797  }
1798  }
1799 }
1800 
1801 /***** INT128 TESTS *****/
1802 
1803 #ifdef SECP256K1_WIDEMUL_INT128
1804 /* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1805 static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1806  int i;
1807  uint32_t carry = 0;
1808  for (i = 0; i < 16; ++i) {
1809  carry += a[i];
1810  carry += b[i];
1811  out[i] = carry;
1812  carry >>= 16;
1813  }
1814 }
1815 
1816 /* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1817 static void neg256(uint16_t* out, const uint16_t* a) {
1818  int i;
1819  uint32_t carry = 1;
1820  for (i = 0; i < 16; ++i) {
1821  carry += (uint16_t)~a[i];
1822  out[i] = carry;
1823  carry >>= 16;
1824  }
1825 }
1826 
1827 /* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1828 static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1829  uint16_t sign = sign_extend && (a[15] >> 15);
1830  int i, j;
1831  for (i = 15; i >= 0; --i) {
1832  uint16_t v = 0;
1833  for (j = 0; j < 16; ++j) {
1834  int frompos = i*16 + j + n;
1835  if (frompos >= 256) {
1836  v |= sign << j;
1837  } else {
1838  v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1839  }
1840  }
1841  out[i] = v;
1842  }
1843 }
1844 
1845 /* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1846 static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1847  int i;
1848  uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1849  for (i = 0; i < 4; ++i) {
1850  out[i] = v >> (16 * i);
1851  }
1852  for (i = 4; i < 16; ++i) {
1853  out[i] = sign;
1854  }
1855 }
1856 
1857 /* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1858 static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1859  int i;
1860  uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1861  for (i = 0; i < 4; ++i) {
1862  out[i] = lo >> (16 * i);
1863  }
1864  for (i = 4; i < 8; ++i) {
1865  out[i] = hi >> (16 * (i - 4));
1866  }
1867  for (i = 8; i < 16; ++i) {
1868  out[i] = sign;
1869  }
1870 }
1871 
1872 /* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1873 static int int256is127(const uint16_t* v) {
1874  int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1875  int i;
1876  for (i = 8; i < 16; ++i) {
1877  if (v[i] != 0) all_0 = 0;
1878  if (v[i] != 0xffff) all_1 = 0;
1879  }
1880  return all_0 || all_1;
1881 }
1882 
1883 static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1884  uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1885  load256two64(out, hi, lo, 0);
1886 }
1887 
1888 static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1889  uint64_t lo;
1890  int64_t hi;
1891  secp256k1_int128 c = *v;
1892  lo = secp256k1_i128_to_u64(&c);
1893  secp256k1_i128_rshift(&c, 64);
1894  hi = secp256k1_i128_to_i64(&c);
1895  load256two64(out, hi, lo, 1);
1896 }
1897 
1898 static void run_int128_test_case(void) {
1899  unsigned char buf[32];
1900  uint64_t v[4];
1901  secp256k1_int128 swa, swz;
1902  secp256k1_uint128 uwa, uwz;
1903  uint64_t ub, uc;
1904  int64_t sb, sc;
1905  uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1906  uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1907  int i;
1908 
1909  /* Generate 32-byte random value. */
1911  /* Convert into 4 64-bit integers. */
1912  for (i = 0; i < 4; ++i) {
1913  uint64_t vi = 0;
1914  int j;
1915  for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1916  v[i] = vi;
1917  }
1918  /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1919  secp256k1_u128_load(&uwa, v[1], v[0]);
1920  secp256k1_i128_load(&swa, v[1], v[0]);
1921  ub = v[2];
1922  sb = v[2];
1923  uc = v[3];
1924  sc = v[3];
1925  /* Load those also into 16-bit array representations. */
1926  load256u128(ruwa, &uwa);
1927  load256i128(rswa, &swa);
1928  load256u64(rub, ub, 0);
1929  load256u64(rsb, sb, 1);
1930  load256u64(ruc, uc, 0);
1931  load256u64(rsc, sc, 1);
1932  /* test secp256k1_u128_mul */
1933  mulmod256(ruwr, rub, ruc, NULL);
1934  secp256k1_u128_mul(&uwz, ub, uc);
1935  load256u128(ruwz, &uwz);
1936  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1937  /* test secp256k1_u128_accum_mul */
1938  mulmod256(ruwr, rub, ruc, NULL);
1939  add256(ruwr, ruwr, ruwa);
1940  uwz = uwa;
1941  secp256k1_u128_accum_mul(&uwz, ub, uc);
1942  load256u128(ruwz, &uwz);
1943  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1944  /* test secp256k1_u128_accum_u64 */
1945  add256(ruwr, rub, ruwa);
1946  uwz = uwa;
1947  secp256k1_u128_accum_u64(&uwz, ub);
1948  load256u128(ruwz, &uwz);
1949  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1950  /* test secp256k1_u128_rshift */
1951  rshift256(ruwr, ruwa, uc % 128, 0);
1952  uwz = uwa;
1953  secp256k1_u128_rshift(&uwz, uc % 128);
1954  load256u128(ruwz, &uwz);
1955  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1956  /* test secp256k1_u128_to_u64 */
1957  CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1958  /* test secp256k1_u128_hi_u64 */
1959  CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1960  /* test secp256k1_u128_from_u64 */
1961  secp256k1_u128_from_u64(&uwz, ub);
1962  load256u128(ruwz, &uwz);
1963  CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1964  /* test secp256k1_u128_check_bits */
1965  {
1966  int uwa_bits = 0;
1967  int j;
1968  for (j = 0; j < 128; ++j) {
1969  if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
1970  }
1971  for (j = 0; j < 128; ++j) {
1972  CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
1973  }
1974  }
1975  /* test secp256k1_i128_mul */
1976  mulmod256(rswr, rsb, rsc, NULL);
1977  secp256k1_i128_mul(&swz, sb, sc);
1978  load256i128(rswz, &swz);
1979  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1980  /* test secp256k1_i128_accum_mul */
1981  mulmod256(rswr, rsb, rsc, NULL);
1982  add256(rswr, rswr, rswa);
1983  if (int256is127(rswr)) {
1984  swz = swa;
1985  secp256k1_i128_accum_mul(&swz, sb, sc);
1986  load256i128(rswz, &swz);
1987  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1988  }
1989  /* test secp256k1_i128_det */
1990  {
1991  uint16_t rsd[16], rse[16], rst[32];
1992  int64_t sd = v[0], se = v[1];
1993  load256u64(rsd, sd, 1);
1994  load256u64(rse, se, 1);
1995  mulmod256(rst, rsc, rsd, NULL);
1996  neg256(rst, rst);
1997  mulmod256(rswr, rsb, rse, NULL);
1998  add256(rswr, rswr, rst);
1999  secp256k1_i128_det(&swz, sb, sc, sd, se);
2000  load256i128(rswz, &swz);
2001  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2002  }
2003  /* test secp256k1_i128_rshift */
2004  rshift256(rswr, rswa, uc % 127, 1);
2005  swz = swa;
2006  secp256k1_i128_rshift(&swz, uc % 127);
2007  load256i128(rswz, &swz);
2008  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2009  /* test secp256k1_i128_to_u64 */
2010  CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
2011  /* test secp256k1_i128_from_i64 */
2012  secp256k1_i128_from_i64(&swz, sb);
2013  load256i128(rswz, &swz);
2014  CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
2015  /* test secp256k1_i128_to_i64 */
2016  CHECK(secp256k1_i128_to_i64(&swz) == sb);
2017  /* test secp256k1_i128_eq_var */
2018  {
2019  int expect = (uc & 1);
2020  swz = swa;
2021  if (!expect) {
2022  /* Make sure swz != swa */
2023  uint64_t v0c = v[0], v1c = v[1];
2024  if (ub & 64) {
2025  v1c ^= (((uint64_t)1) << (ub & 63));
2026  } else {
2027  v0c ^= (((uint64_t)1) << (ub & 63));
2028  }
2029  secp256k1_i128_load(&swz, v1c, v0c);
2030  }
2031  CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
2032  }
2033  /* test secp256k1_i128_check_pow2 (sign == 1) */
2034  {
2035  int expect = (uc & 1);
2036  int pos = ub % 127;
2037  if (expect) {
2038  /* If expect==1, set swz to exactly 2^pos. */
2039  uint64_t hi = 0;
2040  uint64_t lo = 0;
2041  if (pos >= 64) {
2042  hi = (((uint64_t)1) << (pos & 63));
2043  } else {
2044  lo = (((uint64_t)1) << (pos & 63));
2045  }
2046  secp256k1_i128_load(&swz, hi, lo);
2047  } else {
2048  /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
2049  if (pos >= 64) {
2050  if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
2051  } else {
2052  if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
2053  }
2054  swz = swa;
2055  }
2056  CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
2057  }
2058  /* test secp256k1_i128_check_pow2 (sign == -1) */
2059  {
2060  int expect = (uc & 1);
2061  int pos = ub % 127;
2062  if (expect) {
2063  /* If expect==1, set swz to exactly -2^pos. */
2064  uint64_t hi = ~(uint64_t)0;
2065  uint64_t lo = ~(uint64_t)0;
2066  if (pos >= 64) {
2067  hi <<= (pos & 63);
2068  lo = 0;
2069  } else {
2070  lo <<= (pos & 63);
2071  }
2072  secp256k1_i128_load(&swz, hi, lo);
2073  } else {
2074  /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
2075  if (pos >= 64) {
2076  if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
2077  } else {
2078  if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
2079  }
2080  swz = swa;
2081  }
2082  CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
2083  }
2084 }
2085 
2086 static void run_int128_tests(void) {
2087  { /* secp256k1_u128_accum_mul */
2088  secp256k1_uint128 res;
2089 
2090  /* Check secp256k1_u128_accum_mul overflow */
2091  secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
2092  secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
2093  CHECK(secp256k1_u128_to_u64(&res) == 2);
2094  CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
2095  }
2096  { /* secp256k1_u128_accum_mul */
2097  secp256k1_int128 res;
2098 
2099  /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
2100  secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
2101  secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
2102  CHECK(secp256k1_i128_to_u64(&res) == 2);
2103  secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
2104  secp256k1_i128_accum_mul(&res, 1, 1);
2105  CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2106  secp256k1_i128_rshift(&res, 64);
2107  CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2108 
2109  /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2110  secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2111  CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2112  secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2113  CHECK(secp256k1_i128_to_u64(&res) == 0);
2114  secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2115  CHECK(secp256k1_i128_to_u64(&res) == 0);
2116  secp256k1_i128_rshift(&res, 64);
2117  CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2118  }
2119  {
2120  /* Randomized tests. */
2121  int i;
2122  for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2123  }
2124 }
2125 #endif
2126 
2127 /***** SCALAR TESTS *****/
2128 
2129 static void scalar_test(void) {
2130  secp256k1_scalar s;
2131  secp256k1_scalar s1;
2132  secp256k1_scalar s2;
2133  unsigned char c[32];
2134 
2135  /* Set 's' to a random scalar, with value 'snum'. */
2137 
2138  /* Set 's1' to a random scalar, with value 's1num'. */
2140 
2141  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2143  secp256k1_scalar_get_b32(c, &s2);
2144 
2145  {
2146  int i;
2147  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2148  secp256k1_scalar n;
2149  secp256k1_scalar_set_int(&n, 0);
2150  for (i = 0; i < 256; i += 4) {
2152  int j;
2154  for (j = 0; j < 4; j++) {
2155  secp256k1_scalar_add(&n, &n, &n);
2156  }
2157  secp256k1_scalar_add(&n, &n, &t);
2158  }
2159  CHECK(secp256k1_scalar_eq(&n, &s));
2160  }
2161 
2162  {
2163  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2164  secp256k1_scalar n;
2165  int i = 0;
2166  secp256k1_scalar_set_int(&n, 0);
2167  while (i < 256) {
2169  int j;
2170  int now = secp256k1_testrand_int(15) + 1;
2171  if (now + i > 256) {
2172  now = 256 - i;
2173  }
2174  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
2175  for (j = 0; j < now; j++) {
2176  secp256k1_scalar_add(&n, &n, &n);
2177  }
2178  secp256k1_scalar_add(&n, &n, &t);
2179  i += now;
2180  }
2181  CHECK(secp256k1_scalar_eq(&n, &s));
2182  }
2183 
2184  {
2185  /* Test commutativity of add. */
2186  secp256k1_scalar r1, r2;
2187  secp256k1_scalar_add(&r1, &s1, &s2);
2188  secp256k1_scalar_add(&r2, &s2, &s1);
2189  CHECK(secp256k1_scalar_eq(&r1, &r2));
2190  }
2191 
2192  {
2193  secp256k1_scalar r1, r2;
2194  secp256k1_scalar b;
2195  int i;
2196  /* Test add_bit. */
2197  int bit = secp256k1_testrand_bits(8);
2198  secp256k1_scalar_set_int(&b, 1);
2200  for (i = 0; i < bit; i++) {
2201  secp256k1_scalar_add(&b, &b, &b);
2202  }
2203  r1 = s1;
2204  r2 = s1;
2205  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2206  /* No overflow happened. */
2207  secp256k1_scalar_cadd_bit(&r2, bit, 1);
2208  CHECK(secp256k1_scalar_eq(&r1, &r2));
2209  /* cadd is a noop when flag is zero */
2210  secp256k1_scalar_cadd_bit(&r2, bit, 0);
2211  CHECK(secp256k1_scalar_eq(&r1, &r2));
2212  }
2213  }
2214 
2215  {
2216  /* Test commutativity of mul. */
2217  secp256k1_scalar r1, r2;
2218  secp256k1_scalar_mul(&r1, &s1, &s2);
2219  secp256k1_scalar_mul(&r2, &s2, &s1);
2220  CHECK(secp256k1_scalar_eq(&r1, &r2));
2221  }
2222 
2223  {
2224  /* Test associativity of add. */
2225  secp256k1_scalar r1, r2;
2226  secp256k1_scalar_add(&r1, &s1, &s2);
2227  secp256k1_scalar_add(&r1, &r1, &s);
2228  secp256k1_scalar_add(&r2, &s2, &s);
2229  secp256k1_scalar_add(&r2, &s1, &r2);
2230  CHECK(secp256k1_scalar_eq(&r1, &r2));
2231  }
2232 
2233  {
2234  /* Test associativity of mul. */
2235  secp256k1_scalar r1, r2;
2236  secp256k1_scalar_mul(&r1, &s1, &s2);
2237  secp256k1_scalar_mul(&r1, &r1, &s);
2238  secp256k1_scalar_mul(&r2, &s2, &s);
2239  secp256k1_scalar_mul(&r2, &s1, &r2);
2240  CHECK(secp256k1_scalar_eq(&r1, &r2));
2241  }
2242 
2243  {
2244  /* Test distributitivity of mul over add. */
2245  secp256k1_scalar r1, r2, t;
2246  secp256k1_scalar_add(&r1, &s1, &s2);
2247  secp256k1_scalar_mul(&r1, &r1, &s);
2248  secp256k1_scalar_mul(&r2, &s1, &s);
2249  secp256k1_scalar_mul(&t, &s2, &s);
2250  secp256k1_scalar_add(&r2, &r2, &t);
2251  CHECK(secp256k1_scalar_eq(&r1, &r2));
2252  }
2253 
2254  {
2255  /* Test multiplicative identity. */
2256  secp256k1_scalar r1;
2258  CHECK(secp256k1_scalar_eq(&r1, &s1));
2259  }
2260 
2261  {
2262  /* Test additive identity. */
2263  secp256k1_scalar r1;
2265  CHECK(secp256k1_scalar_eq(&r1, &s1));
2266  }
2267 
2268  {
2269  /* Test zero product property. */
2270  secp256k1_scalar r1;
2273  }
2274 
2275  {
2276  /* Test halving. */
2277  secp256k1_scalar r;
2278  secp256k1_scalar_add(&r, &s, &s);
2279  secp256k1_scalar_half(&r, &r);
2280  CHECK(secp256k1_scalar_eq(&r, &s));
2281  }
2282 }
2283 
2285  unsigned char b32[32];
2286  secp256k1_scalar s1;
2287  secp256k1_scalar s2;
2288 
2289  /* Usually set_b32 and set_b32_seckey give the same result */
2291  secp256k1_scalar_set_b32(&s1, b32, NULL);
2292  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2293  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2294 
2295  memset(b32, 0, sizeof(b32));
2296  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2297  memset(b32, 0xFF, sizeof(b32));
2298  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2299 }
2300 
2301 static void run_scalar_tests(void) {
2302  int i;
2303  for (i = 0; i < 128 * COUNT; i++) {
2304  scalar_test();
2305  }
2306  for (i = 0; i < COUNT; i++) {
2308  }
2309 
2310  {
2311  /* Check that the scalar constants secp256k1_scalar_zero and
2312  secp256k1_scalar_one contain the expected values. */
2313  secp256k1_scalar zero, one;
2314 
2316  secp256k1_scalar_set_int(&zero, 0);
2318 
2320  secp256k1_scalar_set_int(&one, 1);
2322  }
2323 
2324  {
2325  /* (-1)+1 should be zero. */
2326  secp256k1_scalar o;
2330  secp256k1_scalar_negate(&o, &o);
2332  }
2333 
2334  {
2335  /* Test that halving and doubling roundtrips on some fixed values. */
2336  static const secp256k1_scalar HALF_TESTS[] = {
2337  /* 0 */
2338  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2339  /* 1 */
2340  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2341  /* -1 */
2342  SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul),
2343  /* -2 (largest odd value) */
2344  SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful),
2345  /* Half the secp256k1 order */
2346  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul),
2347  /* Half the secp256k1 order + 1 */
2348  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul),
2349  /* 2^255 */
2350  SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0),
2351  /* 2^255 - 1 */
2352  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful),
2353  };
2354  unsigned n;
2355  for (n = 0; n < sizeof(HALF_TESTS) / sizeof(HALF_TESTS[0]); ++n) {
2356  secp256k1_scalar s;
2357  secp256k1_scalar_half(&s, &HALF_TESTS[n]);
2358  secp256k1_scalar_add(&s, &s, &s);
2359  CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2360  secp256k1_scalar_add(&s, &s, &s);
2361  secp256k1_scalar_half(&s, &s);
2362  CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2363  }
2364  }
2365 
2366  {
2367  /* Does check_overflow check catch all ones? */
2368  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2369  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2370  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2371  );
2372  CHECK(secp256k1_scalar_check_overflow(&overflowed));
2373  }
2374 
2375  {
2376  /* Static test vectors.
2377  * These were reduced from ~10^12 random vectors based on comparison-decision
2378  * and edge-case coverage on 32-bit and 64-bit implementations.
2379  * The responses were generated with Sage 5.9.
2380  */
2381  secp256k1_scalar x;
2382  secp256k1_scalar y;
2383  secp256k1_scalar z;
2384  secp256k1_scalar zz;
2385  secp256k1_scalar r1;
2386  secp256k1_scalar r2;
2387  secp256k1_scalar zzv;
2388  int overflow;
2389  unsigned char chal[33][2][32] = {
2390  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2391  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2392  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2393  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2394  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2395  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2396  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2397  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2398  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2399  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2400  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2401  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2402  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2403  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2404  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2405  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2406  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2407  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2408  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2409  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2410  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2411  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2412  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2413  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2414  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2415  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2416  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2417  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2418  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2419  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2420  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2421  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2422  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2423  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2424  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2425  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2426  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2427  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2428  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2429  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2430  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2431  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2432  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2433  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2434  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2435  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2436  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2437  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2438  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2439  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2440  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2441  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2442  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2443  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2444  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2445  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2446  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2447  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2448  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2449  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2450  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2451  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2452  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2453  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2454  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2455  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2456  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2457  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2458  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2459  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2460  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2461  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2462  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2463  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2464  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2465  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2466  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2467  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2468  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2469  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2470  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2471  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2472  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2473  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2474  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2475  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2476  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2477  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2478  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2479  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2480  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2481  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2482  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2483  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2484  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2485  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2486  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2487  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2488  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2489  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2490  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2491  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2492  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2493  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2494  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2495  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2496  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2497  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2498  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2499  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2500  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2501  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2502  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2503  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2504  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2505  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2506  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2507  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2508  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2509  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2510  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2511  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2512  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2513  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2514  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2515  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2516  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2517  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2518  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2519  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2520  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2521  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2522  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2523  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2524  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2525  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2526  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2527  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2528  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2529  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2530  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2531  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2532  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2533  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2534  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2535  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2536  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2537  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2538  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2539  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2540  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2541  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2542  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2543  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2544  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2545  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2546  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2547  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2548  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2549  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2550  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2551  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2552  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2553  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2554  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2555  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2556  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2557  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2558  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2559  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2560  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2561  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2562  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2563  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2564  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2565  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2566  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2567  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2568  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2569  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2570  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2571  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2572  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2573  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2574  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2575  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2576  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2577  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2578  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2579  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2580  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2581  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2582  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2583  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2584  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2585  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2586  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2587  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2588  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2589  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2590  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2591  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2592  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2593  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2594  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2595  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2596  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2597  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2598  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2599  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2600  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2601  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2602  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2603  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2604  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2605  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2606  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2607  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2608  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2609  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2610  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2611  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2612  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2613  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2614  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2615  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2616  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2617  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2618  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2619  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2620  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2621  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2622  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2623  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2624  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2625  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2626  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2627  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2628  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2629  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2630  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2631  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2632  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2633  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2634  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2635  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2636  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2637  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2638  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2639  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2640  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2641  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2642  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2643  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2644  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2645  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2646  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2647  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2648  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2649  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2650  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2651  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2652  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2653  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2654  };
2655  unsigned char res[33][2][32] = {
2656  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2657  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2658  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2659  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2660  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2661  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2662  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2663  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2664  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2665  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2666  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2667  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2668  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2669  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2670  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2671  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2672  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2673  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2674  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2675  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2676  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2677  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2678  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2679  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2680  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2681  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2682  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2683  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2684  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2685  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2686  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2687  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2688  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2689  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2690  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2691  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2692  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2693  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2694  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2695  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2696  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2697  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2698  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2699  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2700  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2701  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2702  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2703  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2704  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2705  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2706  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2707  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2708  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2709  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2710  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2711  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2712  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2713  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2714  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2715  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2716  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2717  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2718  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2719  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2720  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2721  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2722  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2723  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2724  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2725  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2726  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2727  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2728  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2729  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2730  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2731  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2732  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2733  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2734  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2735  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2736  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2737  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2738  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2739  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2740  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2741  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2742  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2743  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2744  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2745  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2746  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2747  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2748  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2749  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2750  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2751  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2752  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2753  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2754  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2755  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2756  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2757  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2758  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2759  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2760  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2761  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2762  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2763  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2764  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2765  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2766  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2767  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2768  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2769  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2770  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2771  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2772  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2773  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2774  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2775  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2776  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2777  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2778  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2779  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2780  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2781  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2782  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2783  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2784  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2785  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2786  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2787  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2788  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2789  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2790  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2791  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2792  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2793  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2794  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2795  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2796  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2797  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2798  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2799  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2800  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2801  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2802  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2803  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2804  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2805  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2806  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2807  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2808  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2809  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2810  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2811  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2812  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2813  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2814  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2815  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2816  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2817  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2818  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2819  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2820  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2821  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2822  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2823  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2824  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2825  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2826  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2827  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2828  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2829  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2830  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2831  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2832  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2833  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2834  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2835  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2836  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2837  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2838  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2839  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2840  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2841  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2842  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2843  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2844  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2845  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2846  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2847  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2848  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2849  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2850  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2851  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2852  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2853  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2854  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2855  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2856  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2857  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2858  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2859  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2860  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2861  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2862  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2863  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2864  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2865  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2866  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2867  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2868  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2869  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2870  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2871  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2872  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2873  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2874  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2875  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2876  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2877  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2878  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2879  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2880  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2881  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2882  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2883  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2884  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2885  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2886  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2887  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2888  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2889  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2890  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2891  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2892  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2893  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2894  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2895  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2896  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2897  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2898  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2899  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2900  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2901  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2902  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2903  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2904  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2905  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2906  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2907  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2908  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2909  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2910  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2911  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2912  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2913  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2914  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2915  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2916  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2917  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2918  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2919  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2920  };
2921  for (i = 0; i < 33; i++) {
2922  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2923  CHECK(!overflow);
2924  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2925  CHECK(!overflow);
2926  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2927  CHECK(!overflow);
2928  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2929  CHECK(!overflow);
2930  secp256k1_scalar_mul(&z, &x, &y);
2931  CHECK(secp256k1_scalar_eq(&r1, &z));
2932  if (!secp256k1_scalar_is_zero(&y)) {
2933  secp256k1_scalar_inverse(&zz, &y);
2934  secp256k1_scalar_inverse_var(&zzv, &y);
2935  CHECK(secp256k1_scalar_eq(&zzv, &zz));
2936  secp256k1_scalar_mul(&z, &z, &zz);
2937  CHECK(secp256k1_scalar_eq(&x, &z));
2938  secp256k1_scalar_mul(&zz, &zz, &y);
2940  }
2941  secp256k1_scalar_mul(&z, &x, &x);
2942  CHECK(secp256k1_scalar_eq(&r2, &z));
2943  }
2944  }
2945 }
2946 
2947 /***** FIELD TESTS *****/
2948 
2950  secp256k1_fe r;
2951  random_fe_non_zero(ns);
2952  if (secp256k1_fe_sqrt(&r, ns)) {
2953  secp256k1_fe_negate(ns, ns, 1);
2954  }
2955 }
2956 
2957 static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2958  secp256k1_fe an = *a;
2959  secp256k1_fe bn = *b;
2961  return secp256k1_fe_equal(&an, &bn);
2962 }
2963 
2964 static void run_field_convert(void) {
2965  static const unsigned char b32[32] = {
2966  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2967  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2968  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2969  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2970  };
2972  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2973  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2974  );
2975  static const secp256k1_fe fe = SECP256K1_FE_CONST(
2976  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2977  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2978  );
2979  secp256k1_fe fe2;
2980  unsigned char b322[32];
2981  secp256k1_fe_storage fes2;
2982  /* Check conversions to fe. */
2983  CHECK(secp256k1_fe_set_b32_limit(&fe2, b32));
2984  CHECK(secp256k1_fe_equal(&fe, &fe2));
2985  secp256k1_fe_from_storage(&fe2, &fes);
2986  CHECK(secp256k1_fe_equal(&fe, &fe2));
2987  /* Check conversion from fe. */
2988  secp256k1_fe_get_b32(b322, &fe);
2989  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2990  secp256k1_fe_to_storage(&fes2, &fe);
2991  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2992 }
2993 
2994 static void run_field_be32_overflow(void) {
2995  {
2996  static const unsigned char zero_overflow[32] = {
2997  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2998  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2999  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3000  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
3001  };
3002  static const unsigned char zero[32] = { 0x00 };
3003  unsigned char out[32];
3004  secp256k1_fe fe;
3005  CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
3006  secp256k1_fe_set_b32_mod(&fe, zero_overflow);
3009  CHECK(secp256k1_fe_is_zero(&fe) == 1);
3010  secp256k1_fe_get_b32(out, &fe);
3011  CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
3012  }
3013  {
3014  static const unsigned char one_overflow[32] = {
3015  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3016  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3017  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3018  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
3019  };
3020  static const unsigned char one[32] = {
3021  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3022  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3023  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3024  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3025  };
3026  unsigned char out[32];
3027  secp256k1_fe fe;
3028  CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
3029  secp256k1_fe_set_b32_mod(&fe, one_overflow);
3032  secp256k1_fe_get_b32(out, &fe);
3033  CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
3034  }
3035  {
3036  static const unsigned char ff_overflow[32] = {
3037  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3038  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3039  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3040  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3041  };
3042  static const unsigned char ff[32] = {
3043  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3044  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3045  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3046  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
3047  };
3048  unsigned char out[32];
3049  secp256k1_fe fe;
3050  const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
3051  CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
3052  secp256k1_fe_set_b32_mod(&fe, ff_overflow);
3054  CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
3055  secp256k1_fe_get_b32(out, &fe);
3056  CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
3057  }
3058 }
3059 
3060 /* Returns true if two field elements have the same representation. */
3061 static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
3062  int ret = 1;
3063  /* Compare the struct member that holds the limbs. */
3064  ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
3065  return ret;
3066 }
3067 
3068 static void run_field_half(void) {
3069  secp256k1_fe t, u;
3070  int m;
3071 
3072  /* Check magnitude 0 input */
3074  secp256k1_fe_half(&t);
3075 #ifdef VERIFY
3076  CHECK(t.magnitude == 1);
3077  CHECK(t.normalized == 0);
3078 #endif
3080 
3081  /* Check non-zero magnitudes in the supported range */
3082  for (m = 1; m < 32; m++) {
3083  /* Check max-value input */
3085 
3086  u = t;
3087  secp256k1_fe_half(&u);
3088 #ifdef VERIFY
3089  CHECK(u.magnitude == (m >> 1) + 1);
3090  CHECK(u.normalized == 0);
3091 #endif
3093  secp256k1_fe_add(&u, &u);
3094  CHECK(fe_equal(&t, &u));
3095 
3096  /* Check worst-case input: ensure the LSB is 1 so that P will be added,
3097  * which will also cause all carries to be 1, since all limbs that can
3098  * generate a carry are initially even and all limbs of P are odd in
3099  * every existing field implementation. */
3101  CHECK(t.n[0] > 0);
3102  CHECK((t.n[0] & 1) == 0);
3103  --t.n[0];
3104 
3105  u = t;
3106  secp256k1_fe_half(&u);
3107 #ifdef VERIFY
3108  CHECK(u.magnitude == (m >> 1) + 1);
3109  CHECK(u.normalized == 0);
3110 #endif
3112  secp256k1_fe_add(&u, &u);
3113  CHECK(fe_equal(&t, &u));
3114  }
3115 }
3116 
3117 static void run_field_misc(void) {
3118  secp256k1_fe x;
3119  secp256k1_fe y;
3120  secp256k1_fe z;
3121  secp256k1_fe q;
3122  int v;
3123  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3124  int i, j;
3125  for (i = 0; i < 1000 * COUNT; i++) {
3126  secp256k1_fe_storage xs, ys, zs;
3127  if (i & 1) {
3128  random_fe(&x);
3129  } else {
3130  random_fe_test(&x);
3131  }
3132  random_fe_non_zero(&y);
3133  v = secp256k1_testrand_bits(15);
3134  /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3135  secp256k1_fe_set_int(&q, v); /* q = v */
3136  z = x; /* z = x */
3137  secp256k1_fe_add(&z, &q); /* z = x+v */
3138  q = x; /* q = x */
3139  secp256k1_fe_add_int(&q, v); /* q = x+v */
3140  CHECK(fe_equal(&q, &z));
3141  /* Test the fe equality and comparison operations. */
3142  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3143  CHECK(secp256k1_fe_equal(&x, &x));
3144  z = x;
3145  secp256k1_fe_add(&z,&y);
3146  /* Test fe conditional move; z is not normalized here. */
3147  q = x;
3148  secp256k1_fe_cmov(&x, &z, 0);
3149 #ifdef VERIFY
3150  CHECK(!x.normalized);
3151  CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3152  CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3153 #endif
3154  x = q;
3155  secp256k1_fe_cmov(&x, &x, 1);
3156  CHECK(!fe_identical(&x, &z));
3157  CHECK(fe_identical(&x, &q));
3158  secp256k1_fe_cmov(&q, &z, 1);
3159 #ifdef VERIFY
3160  CHECK(!q.normalized);
3161  CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3162  CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3163 #endif
3164  CHECK(fe_identical(&q, &z));
3165  q = z;
3168  CHECK(!secp256k1_fe_equal(&x, &z));
3170  secp256k1_fe_cmov(&q, &z, (i&1));
3171 #ifdef VERIFY
3172  CHECK(q.normalized && q.magnitude == 1);
3173 #endif
3174  for (j = 0; j < 6; j++) {
3175  secp256k1_fe_negate_unchecked(&z, &z, j+1);
3177  secp256k1_fe_cmov(&q, &z, (j&1));
3178 #ifdef VERIFY
3179  CHECK(!q.normalized && q.magnitude == z.magnitude);
3180 #endif
3181  }
3183  /* Test storage conversion and conditional moves. */
3184  secp256k1_fe_to_storage(&xs, &x);
3185  secp256k1_fe_to_storage(&ys, &y);
3186  secp256k1_fe_to_storage(&zs, &z);
3187  secp256k1_fe_storage_cmov(&zs, &xs, 0);
3188  secp256k1_fe_storage_cmov(&zs, &zs, 1);
3189  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3190  secp256k1_fe_storage_cmov(&ys, &xs, 1);
3191  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3192  secp256k1_fe_from_storage(&x, &xs);
3193  secp256k1_fe_from_storage(&y, &ys);
3194  secp256k1_fe_from_storage(&z, &zs);
3195  /* Test that mul_int, mul, and add agree. */
3196  secp256k1_fe_add(&y, &x);
3197  secp256k1_fe_add(&y, &x);
3198  z = x;
3199  secp256k1_fe_mul_int(&z, 3);
3200  CHECK(fe_equal(&y, &z));
3201  secp256k1_fe_add(&y, &x);
3202  secp256k1_fe_add(&z, &x);
3203  CHECK(fe_equal(&z, &y));
3204  z = x;
3205  secp256k1_fe_mul_int(&z, 5);
3206  secp256k1_fe_mul(&q, &x, &fe5);
3207  CHECK(fe_equal(&z, &q));
3208  secp256k1_fe_negate(&x, &x, 1);
3209  secp256k1_fe_add(&z, &x);
3210  secp256k1_fe_add(&q, &x);
3211  CHECK(fe_equal(&y, &z));
3212  CHECK(fe_equal(&q, &y));
3213  /* Check secp256k1_fe_half. */
3214  z = x;
3215  secp256k1_fe_half(&z);
3216  secp256k1_fe_add(&z, &z);
3217  CHECK(fe_equal(&x, &z));
3218  secp256k1_fe_add(&z, &z);
3219  secp256k1_fe_half(&z);
3220  CHECK(fe_equal(&x, &z));
3221  }
3222 }
3223 
3224 static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3225 {
3226  secp256k1_fe c, an, bn;
3227  /* Variables in BE 32-byte format. */
3228  unsigned char a32[32], b32[32], c32[32];
3229  /* Variables in LE 16x uint16_t format. */
3230  uint16_t a16[16], b16[16], c16[16];
3231  /* Field modulus in LE 16x uint16_t format. */
3232  static const uint16_t m16[16] = {
3233  0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3234  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3235  };
3236  uint16_t t16[32];
3237  int i;
3238 
3239  /* Compute C = A * B in fe format. */
3240  c = *a;
3241  if (use_sqr) {
3242  secp256k1_fe_sqr(&c, &c);
3243  } else {
3244  secp256k1_fe_mul(&c, &c, b);
3245  }
3246 
3247  /* Convert A, B, C into LE 16x uint16_t format. */
3248  an = *a;
3249  bn = *b;
3253  secp256k1_fe_get_b32(a32, &an);
3254  secp256k1_fe_get_b32(b32, &bn);
3255  secp256k1_fe_get_b32(c32, &c);
3256  for (i = 0; i < 16; ++i) {
3257  a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3258  b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3259  c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3260  }
3261  /* Compute T = A * B in LE 16x uint16_t format. */
3262  mulmod256(t16, a16, b16, m16);
3263  /* Compare */
3264  CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3265 }
3266 
3267 static void run_fe_mul(void) {
3268  int i;
3269  for (i = 0; i < 100 * COUNT; ++i) {
3270  secp256k1_fe a, b, c, d;
3271  random_fe(&a);
3272  random_fe_magnitude(&a);
3273  random_fe(&b);
3274  random_fe_magnitude(&b);
3275  random_fe_test(&c);
3276  random_fe_magnitude(&c);
3277  random_fe_test(&d);
3278  random_fe_magnitude(&d);
3279  test_fe_mul(&a, &a, 1);
3280  test_fe_mul(&c, &c, 1);
3281  test_fe_mul(&a, &b, 0);
3282  test_fe_mul(&a, &c, 0);
3283  test_fe_mul(&c, &b, 0);
3284  test_fe_mul(&c, &d, 0);
3285  }
3286 }
3287 
3288 static void run_sqr(void) {
3289  int i;
3290  secp256k1_fe x, y, lhs, rhs, tmp;
3291 
3292  secp256k1_fe_set_int(&x, 1);
3293  secp256k1_fe_negate(&x, &x, 1);
3294 
3295  for (i = 1; i <= 512; ++i) {
3296  secp256k1_fe_mul_int(&x, 2);
3298 
3299  /* Check that (x+y)*(x-y) = x^2 - y*2 for some random values y */
3300  random_fe_test(&y);
3301 
3302  lhs = x;
3303  secp256k1_fe_add(&lhs, &y); /* lhs = x+y */
3304  secp256k1_fe_negate(&tmp, &y, 1); /* tmp = -y */
3305  secp256k1_fe_add(&tmp, &x); /* tmp = x-y */
3306  secp256k1_fe_mul(&lhs, &lhs, &tmp); /* lhs = (x+y)*(x-y) */
3307 
3308  secp256k1_fe_sqr(&rhs, &x); /* rhs = x^2 */
3309  secp256k1_fe_sqr(&tmp, &y); /* tmp = y^2 */
3310  secp256k1_fe_negate(&tmp, &tmp, 1); /* tmp = -y^2 */
3311  secp256k1_fe_add(&rhs, &tmp); /* rhs = x^2 - y^2 */
3312 
3313  CHECK(fe_equal(&lhs, &rhs));
3314  }
3315 }
3316 
3317 static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3318  secp256k1_fe r1, r2;
3319  int v = secp256k1_fe_sqrt(&r1, a);
3320  CHECK((v == 0) == (k == NULL));
3321 
3322  if (k != NULL) {
3323  /* Check that the returned root is +/- the given known answer */
3324  secp256k1_fe_negate(&r2, &r1, 1);
3325  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3328  }
3329 }
3330 
3331 static void run_sqrt(void) {
3332  secp256k1_fe ns, x, s, t;
3333  int i;
3334 
3335  /* Check sqrt(0) is 0 */
3336  secp256k1_fe_set_int(&x, 0);
3337  secp256k1_fe_sqr(&s, &x);
3338  test_sqrt(&s, &x);
3339 
3340  /* Check sqrt of small squares (and their negatives) */
3341  for (i = 1; i <= 100; i++) {
3342  secp256k1_fe_set_int(&x, i);
3343  secp256k1_fe_sqr(&s, &x);
3344  test_sqrt(&s, &x);
3345  secp256k1_fe_negate(&t, &s, 1);
3346  test_sqrt(&t, NULL);
3347  }
3348 
3349  /* Consistency checks for large random values */
3350  for (i = 0; i < 10; i++) {
3351  int j;
3352  random_fe_non_square(&ns);
3353  for (j = 0; j < COUNT; j++) {
3354  random_fe(&x);
3355  secp256k1_fe_sqr(&s, &x);
3357  test_sqrt(&s, &x);
3358  secp256k1_fe_negate(&t, &s, 1);
3360  test_sqrt(&t, NULL);
3361  secp256k1_fe_mul(&t, &s, &ns);
3362  test_sqrt(&t, NULL);
3363  }
3364  }
3365 }
3366 
3367 /***** FIELD/SCALAR INVERSE TESTS *****/
3368 
3370  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3371  0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3372 );
3373 
3375  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3376  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3377 );
3378 
3379 /* These tests test the following identities:
3380  *
3381  * for x==0: 1/x == 0
3382  * for x!=0: x*(1/x) == 1
3383  * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3384  */
3385 
3387 {
3388  secp256k1_scalar l, r, t;
3389 
3390  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3391  if (out) *out = l;
3392  if (secp256k1_scalar_is_zero(x)) {
3394  return;
3395  }
3396  secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3397  CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3398  secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3399  if (secp256k1_scalar_is_zero(&r)) return;
3400  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3401  secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3402  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3403  secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3404  secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3405  CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3406 }
3407 
3408 static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3409 {
3410  secp256k1_fe l, r, t;
3411 
3412  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3413  if (out) *out = l;
3414  t = *x; /* t = x */
3417  return;
3418  }
3419  secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3420  secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3421  CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3422  r = *x; /* r = x */
3423  secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3424  if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
3425  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3426  secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3427  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3428  secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3429  secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3430  CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
3431 }
3432 
3433 static void run_inverse_tests(void)
3434 {
3435  /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3436  static const secp256k1_fe fe_cases[][2] = {
3437  /* 0 */
3438  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3439  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3440  /* 1 */
3441  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3442  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3443  /* -1 */
3444  {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3445  SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3446  /* 2 */
3447  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3448  SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3449  /* 2**128 */
3450  {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3451  SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3452  /* Input known to need 637 divsteps */
3453  {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3454  SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3455  /* Input known to need 567 divsteps starting with delta=1/2. */
3456  {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3457  SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3458  /* Input known to need 566 divsteps starting with delta=1/2. */
3459  {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3460  SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3461  /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3462  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3463  SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3464  {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3465  SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3466  {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3467  SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3468  {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3469  SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3470  {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3471  SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3472  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3473  SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3474  {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3475  SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3476  {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3477  SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3478  {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3479  SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3480  {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3481  SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3482  /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3483  {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3484  SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3485  {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3486  SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3487  {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3488  SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3489  {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3490  SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3491  {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3492  SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3493  {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3494  SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3495  {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3496  SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3497  {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3498  SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3499  {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3500  SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3501  {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3502  SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3503  {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3504  SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3505  {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3506  SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3507  {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3508  SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3509  {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3510  SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3511  {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3512  SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3513  {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3514  SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3515  {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3516  SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3517  {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3518  SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3519  {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3520  SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3521  {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3522  SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3523  {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3524  SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3525  {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3526  SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3527  {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3528  SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3529  {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3530  SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3531  {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3532  SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3533  {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3534  SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3535  {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3536  SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3537  {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3538  SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3539  };
3540  /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3541  static const secp256k1_scalar scalar_cases[][2] = {
3542  /* 0 */
3543  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3544  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3545  /* 1 */
3546  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3547  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3548  /* -1 */
3549  {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3550  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3551  /* 2 */
3552  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3553  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3554  /* 2**128 */
3555  {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3556  SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3557  /* Input known to need 635 divsteps */
3558  {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3559  SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3560  /* Input known to need 566 divsteps starting with delta=1/2. */
3561  {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3562  SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3563  /* Input known to need 565 divsteps starting with delta=1/2. */
3564  {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3565  SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3566  /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3567  {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3568  SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3569  {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3570  SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3571  {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3572  SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3573  {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3574  SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3575  {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3576  SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3577  {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3578  SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3579  {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3580  SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3581  {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3582  SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3583  {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3584  SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3585  {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3586  SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3587  {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3588  SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3589  {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3590  SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3591  {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3592  SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3593  {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3594  SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3595  {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3596  SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3597  {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3598  SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3599  {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3600  SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3601  {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3602  SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3603  {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3604  SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3605  {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3606  SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3607  {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3608  SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3609  {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3610  SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3611  {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3612  SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3613  {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3614  SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3615  {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3616  SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3617  {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3618  SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3619  {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3620  SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3621  {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3622  SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3623  {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3624  SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3625  };
3626  int i, var, testrand;
3627  unsigned char b32[32];
3628  secp256k1_fe x_fe;
3629  secp256k1_scalar x_scalar;
3630  memset(b32, 0, sizeof(b32));
3631  /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3632  for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3633  for (var = 0; var <= 1; ++var) {
3634  test_inverse_field(&x_fe, &fe_cases[i][0], var);
3635  CHECK(fe_equal(&x_fe, &fe_cases[i][1]));
3636  test_inverse_field(&x_fe, &fe_cases[i][1], var);
3637  CHECK(fe_equal(&x_fe, &fe_cases[i][0]));
3638  }
3639  }
3640  for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3641  for (var = 0; var <= 1; ++var) {
3642  test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3643  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3644  test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3645  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3646  }
3647  }
3648  /* Test inputs 0..999 and their respective negations. */
3649  for (i = 0; i < 1000; ++i) {
3650  b32[31] = i & 0xff;
3651  b32[30] = (i >> 8) & 0xff;
3652  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3653  secp256k1_fe_set_b32_mod(&x_fe, b32);
3654  for (var = 0; var <= 1; ++var) {
3655  test_inverse_scalar(NULL, &x_scalar, var);
3656  test_inverse_field(NULL, &x_fe, var);
3657  }
3658  secp256k1_scalar_negate(&x_scalar, &x_scalar);
3659  secp256k1_fe_negate(&x_fe, &x_fe, 1);
3660  for (var = 0; var <= 1; ++var) {
3661  test_inverse_scalar(NULL, &x_scalar, var);
3662  test_inverse_field(NULL, &x_fe, var);
3663  }
3664  }
3665  /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3666  for (testrand = 0; testrand <= 1; ++testrand) {
3667  for (i = 0; i < 64 * COUNT; ++i) {
3669  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3670  secp256k1_fe_set_b32_mod(&x_fe, b32);
3671  for (var = 0; var <= 1; ++var) {
3672  test_inverse_scalar(NULL, &x_scalar, var);
3673  test_inverse_field(NULL, &x_fe, var);
3674  }
3675  }
3676  }
3677 }
3678 
3679 /***** HSORT TESTS *****/
3680 
3681 static void test_heap_swap(void) {
3682  unsigned char a[600];
3683  unsigned char e[sizeof(a)];
3684  memset(a, 21, 200);
3685  memset(a + 200, 99, 200);
3686  memset(a + 400, 42, 200);
3687  memset(e, 42, 200);
3688  memset(e + 200, 99, 200);
3689  memset(e + 400, 21, 200);
3690  secp256k1_heap_swap(a, 0, 2, 200);
3691  CHECK(secp256k1_memcmp_var(a, e, sizeof(a)) == 0);
3692 }
3693 
3694 static void test_hsort_is_sorted(unsigned char *elements, size_t n, size_t len) {
3695  size_t i;
3696  for (i = 1; i < n; i++) {
3697  CHECK(secp256k1_memcmp_var(&elements[(i-1) * len], &elements[i * len], len) <= 0);
3698  }
3699 }
3700 
3702  size_t counter;
3703  size_t element_len;
3704 };
3705 
3706 
3707 static int test_hsort_cmp(const void *ele1, const void *ele2, void *data) {
3708  struct test_hsort_cmp_data *d = (struct test_hsort_cmp_data *) data;
3709  d->counter += 1;
3710  return secp256k1_memcmp_var((unsigned char *)ele1, (unsigned char *)ele2, d->element_len);
3711 }
3712 
3713 #define NUM 65
3714 #define MAX_ELEMENT_LEN 65
3715 static void test_hsort(size_t element_len) {
3716  unsigned char elements[NUM * MAX_ELEMENT_LEN] = { 0 };
3717  struct test_hsort_cmp_data data;
3718  int i;
3719 
3721  data.counter = 0;
3722  data.element_len = element_len;
3723 
3724  secp256k1_hsort(elements, 0, element_len, test_hsort_cmp, &data);
3725  CHECK(data.counter == 0);
3726  secp256k1_hsort(elements, 1, element_len, test_hsort_cmp, &data);
3727  CHECK(data.counter == 0);
3728  secp256k1_hsort(elements, NUM, element_len, test_hsort_cmp, &data);
3729  CHECK(data.counter >= NUM - 1);
3730  test_hsort_is_sorted(elements, NUM, element_len);
3731 
3732  /* Test hsort with array of random length n */
3733  for (i = 0; i < COUNT; i++) {
3734  int n = secp256k1_testrand_int(NUM);
3736  secp256k1_hsort(elements, n, element_len, test_hsort_cmp, &data);
3737  test_hsort_is_sorted(elements, n, element_len);
3738  }
3739 }
3740 #undef NUM
3741 #undef MAX_ELEMENT_LEN
3742 
3743 
3744 static void run_hsort_tests(void) {
3745  test_heap_swap();
3746  test_hsort(1);
3747  test_hsort(64);
3748  test_hsort(65);
3749 }
3750 
3751 /***** GROUP TESTS *****/
3752 
3753 /* This compares jacobian points including their Z, not just their geometric meaning. */
3754 static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3755  secp256k1_gej a2;
3756  secp256k1_gej b2;
3757  int ret = 1;
3758  ret &= a->infinity == b->infinity;
3759  if (ret && !a->infinity) {
3760  a2 = *a;
3761  b2 = *b;
3768  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3769  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3770  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3771  }
3772  return ret;
3773 }
3774 
3775 static void test_ge(void) {
3776  int i, i1;
3777  int runs = 6;
3778  /* 25 points are used:
3779  * - infinity
3780  * - for each of four random points p1 p2 p3 p4, we add the point, its
3781  * negation, and then those two again but with randomized Z coordinate.
3782  * - The same is then done for lambda*p1 and lambda^2*p1.
3783  */
3784  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3785  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3786  secp256k1_fe zf, r;
3787  secp256k1_fe zfi2, zfi3;
3788 
3789  secp256k1_gej_set_infinity(&gej[0]);
3790  secp256k1_ge_clear(&ge[0]);
3791  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3792  for (i = 0; i < runs; i++) {
3793  int j, k;
3794  secp256k1_ge g;
3796  if (i >= runs - 2) {
3797  secp256k1_ge_mul_lambda(&g, &ge[1]);
3798  CHECK(!secp256k1_ge_eq_var(&g, &ge[1]));
3799  }
3800  if (i >= runs - 1) {
3802  }
3803  ge[1 + 4 * i] = g;
3804  ge[2 + 4 * i] = g;
3805  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3806  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3807  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3808  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3809  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3810  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3811  for (j = 0; j < 4; j++) {
3812  random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3813  random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3814  random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3815  random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3816  random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3817  }
3818 
3819  for (j = 0; j < 4; ++j) {
3820  for (k = 0; k < 4; ++k) {
3821  int expect_equal = (j >> 1) == (k >> 1);
3822  CHECK(secp256k1_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3823  CHECK(secp256k1_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal);
3824  CHECK(secp256k1_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3825  CHECK(secp256k1_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal);
3826  }
3827  }
3828  }
3829 
3830  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3832  random_fe_magnitude(&zf);
3833  secp256k1_fe_inv_var(&zfi3, &zf);
3834  secp256k1_fe_sqr(&zfi2, &zfi3);
3835  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3836 
3837  /* Generate random r */
3839 
3840  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3841  int i2;
3842  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3843  /* Compute reference result using gej + gej (var). */
3844  secp256k1_gej refj, resj;
3845  secp256k1_ge ref;
3846  secp256k1_fe zr;
3847  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3848  /* Check Z ratio. */
3849  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3850  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3851  CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3852  }
3853  secp256k1_ge_set_gej_var(&ref, &refj);
3854 
3855  /* Test gej + ge with Z ratio result (var). */
3856  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3857  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3858  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3859  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3860  CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3861  }
3862 
3863  /* Test gej + ge (var, with additional Z factor). */
3864  {
3865  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3866  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3867  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3868  random_ge_x_magnitude(&ge2_zfi);
3869  random_ge_y_magnitude(&ge2_zfi);
3870  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3871  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3872  }
3873 
3874  /* Test gej + ge (const). */
3875  if (i2 != 0) {
3876  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3877  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3878  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3879  }
3880 
3881  /* Test doubling (var). */
3882  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3883  secp256k1_fe zr2;
3884  /* Normal doubling with Z ratio result. */
3885  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3886  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3887  /* Check Z ratio. */
3888  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3889  CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3890  /* Normal doubling. */
3891  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3892  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3893  /* Constant-time doubling. */
3894  secp256k1_gej_double(&resj, &gej[i2]);
3895  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3896  }
3897 
3898  /* Test adding opposites. */
3899  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3901  }
3902 
3903  /* Test adding infinity. */
3904  if (i1 == 0) {
3905  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3906  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3907  CHECK(secp256k1_gej_eq_ge_var(&gej[i2], &ref));
3908  }
3909  if (i2 == 0) {
3910  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3911  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3912  CHECK(secp256k1_gej_eq_ge_var(&gej[i1], &ref));
3913  }
3914  }
3915  }
3916 
3917  /* Test adding all points together in random order equals infinity. */
3918  {
3920  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3921  for (i = 0; i < 4 * runs + 1; i++) {
3922  gej_shuffled[i] = gej[i];
3923  }
3924  for (i = 0; i < 4 * runs + 1; i++) {
3925  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3926  if (swap != i) {
3927  secp256k1_gej t = gej_shuffled[i];
3928  gej_shuffled[i] = gej_shuffled[swap];
3929  gej_shuffled[swap] = t;
3930  }
3931  }
3932  for (i = 0; i < 4 * runs + 1; i++) {
3933  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3934  }
3936  free(gej_shuffled);
3937  }
3938 
3939  /* Test batch gej -> ge conversion without known z ratios. */
3940  {
3941  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3942  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3943  for (i = 0; i < 4 * runs + 1; i++) {
3944  secp256k1_fe s;
3945  random_fe_non_zero(&s);
3946  secp256k1_gej_rescale(&gej[i], &s);
3947  CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all[i]));
3948  }
3949  free(ge_set_all);
3950  }
3951 
3952  /* Test that all elements have X coordinates on the curve. */
3953  for (i = 1; i < 4 * runs + 1; i++) {
3954  secp256k1_fe n;
3956  /* And the same holds after random rescaling. */
3957  secp256k1_fe_mul(&n, &zf, &ge[i].x);
3959  }
3960 
3961  /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
3962  {
3963  secp256k1_fe n;
3964  secp256k1_ge q;
3965  int ret_on_curve, ret_frac_on_curve, ret_set_xo;
3966  secp256k1_fe_mul(&n, &zf, &r);
3967  ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
3968  ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
3969  ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
3970  CHECK(ret_on_curve == ret_frac_on_curve);
3971  CHECK(ret_on_curve == ret_set_xo);
3972  if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
3973  }
3974 
3975  /* Test batch gej -> ge conversion with many infinities. */
3976  for (i = 0; i < 4 * runs + 1; i++) {
3977  int odd;
3978  random_group_element_test(&ge[i]);
3979  odd = secp256k1_fe_is_odd(&ge[i].x);
3980  CHECK(odd == 0 || odd == 1);
3981  /* randomly set half the points to infinity */
3982  if (odd == i % 2) {
3983  secp256k1_ge_set_infinity(&ge[i]);
3984  }
3985  secp256k1_gej_set_ge(&gej[i], &ge[i]);
3986  }
3987  /* batch convert */
3988  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3989  /* check result */
3990  for (i = 0; i < 4 * runs + 1; i++) {
3991  CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge[i]));
3992  }
3993 
3994  /* Test batch gej -> ge conversion with all infinities. */
3995  for (i = 0; i < 4 * runs + 1; i++) {
3996  secp256k1_gej_set_infinity(&gej[i]);
3997  }
3998  /* batch convert */
3999  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
4000  /* check result */
4001  for (i = 0; i < 4 * runs + 1; i++) {
4003  }
4004 
4005  free(ge);
4006  free(gej);
4007 }
4008 
4009 static void test_intialized_inf(void) {
4010  secp256k1_ge p;
4011  secp256k1_gej pj, npj, infj1, infj2, infj3;
4012  secp256k1_fe zinv;
4013 
4014  /* Test that adding P+(-P) results in a fully initialized infinity*/
4016  secp256k1_gej_set_ge(&pj, &p);
4017  secp256k1_gej_neg(&npj, &pj);
4018 
4019  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
4021  CHECK(secp256k1_fe_is_zero(&infj1.x));
4022  CHECK(secp256k1_fe_is_zero(&infj1.y));
4023  CHECK(secp256k1_fe_is_zero(&infj1.z));
4024 
4025  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
4027  CHECK(secp256k1_fe_is_zero(&infj2.x));
4028  CHECK(secp256k1_fe_is_zero(&infj2.y));
4029  CHECK(secp256k1_fe_is_zero(&infj2.z));
4030 
4031  secp256k1_fe_set_int(&zinv, 1);
4032  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
4034  CHECK(secp256k1_fe_is_zero(&infj3.x));
4035  CHECK(secp256k1_fe_is_zero(&infj3.y));
4036  CHECK(secp256k1_fe_is_zero(&infj3.z));
4037 
4038 
4039 }
4040 
4041 static void test_add_neg_y_diff_x(void) {
4042  /* The point of this test is to check that we can add two points
4043  * whose y-coordinates are negatives of each other but whose x
4044  * coordinates differ. If the x-coordinates were the same, these
4045  * points would be negatives of each other and their sum is
4046  * infinity. This is cool because it "covers up" any degeneracy
4047  * in the addition algorithm that would cause the xy coordinates
4048  * of the sum to be wrong (since infinity has no xy coordinates).
4049  * HOWEVER, if the x-coordinates are different, infinity is the
4050  * wrong answer, and such degeneracies are exposed. This is the
4051  * root of https://github.com/bitcoin-core/secp256k1/issues/257
4052  * which this test is a regression test for.
4053  *
4054  * These points were generated in sage as
4055  *
4056  * load("secp256k1_params.sage")
4057  *
4058  * # random "bad pair"
4059  * P = C.random_element()
4060  * Q = -int(LAMBDA) * P
4061  * print(" P: %x %x" % P.xy())
4062  * print(" Q: %x %x" % Q.xy())
4063  * print("P + Q: %x %x" % (P + Q).xy())
4064  */
4066  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
4067  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
4068  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
4069  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
4070  );
4072  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
4073  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
4074  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
4075  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
4076  );
4078  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
4079  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
4080  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
4081  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
4082  );
4083  secp256k1_ge b;
4084  secp256k1_gej resj;
4085  secp256k1_ge res;
4086  secp256k1_ge_set_gej(&b, &bj);
4087 
4088  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4089  secp256k1_ge_set_gej(&res, &resj);
4090  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4091 
4092  secp256k1_gej_add_ge(&resj, &aj, &b);
4093  secp256k1_ge_set_gej(&res, &resj);
4094  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4095 
4096  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4097  secp256k1_ge_set_gej(&res, &resj);
4098  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4099 }
4100 
4101 static void run_ge(void) {
4102  int i;
4103  for (i = 0; i < COUNT * 32; i++) {
4104  test_ge();
4105  }
4108 }
4109 
4110 static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4111  secp256k1_gej t = *a;
4112  secp256k1_gej_cmov(&t, b, 0);
4113  CHECK(gej_xyz_equals_gej(&t, a));
4114  secp256k1_gej_cmov(&t, b, 1);
4115  CHECK(gej_xyz_equals_gej(&t, b));
4116 }
4117 
4118 static void run_gej(void) {
4119  int i;
4120  secp256k1_gej a, b;
4121 
4122  /* Tests for secp256k1_gej_cmov */
4123  for (i = 0; i < COUNT; i++) {
4126  test_gej_cmov(&a, &b);
4127 
4128  random_gej_test(&a);
4129  test_gej_cmov(&a, &b);
4130  test_gej_cmov(&b, &a);
4131 
4132  b = a;
4133  test_gej_cmov(&a, &b);
4134 
4135  random_gej_test(&b);
4136  test_gej_cmov(&a, &b);
4137  test_gej_cmov(&b, &a);
4138  }
4139 
4140  /* Tests for secp256k1_gej_eq_var */
4141  for (i = 0; i < COUNT; i++) {
4142  secp256k1_fe fe;
4143  random_gej_test(&a);
4144  random_gej_test(&b);
4145  CHECK(!secp256k1_gej_eq_var(&a, &b));
4146 
4147  b = a;
4149  secp256k1_gej_rescale(&a, &fe);
4150  CHECK(secp256k1_gej_eq_var(&a, &b));
4151  }
4152 }
4153 
4154 static void test_ec_combine(void) {
4156  secp256k1_pubkey data[6];
4157  const secp256k1_pubkey* d[6];
4158  secp256k1_pubkey sd;
4159  secp256k1_pubkey sd2;
4160  secp256k1_gej Qj;
4161  secp256k1_ge Q;
4162  int i;
4163  for (i = 1; i <= 6; i++) {
4164  secp256k1_scalar s;
4166  secp256k1_scalar_add(&sum, &sum, &s);
4168  secp256k1_ge_set_gej(&Q, &Qj);
4169  secp256k1_pubkey_save(&data[i - 1], &Q);
4170  d[i - 1] = &data[i - 1];
4172  secp256k1_ge_set_gej(&Q, &Qj);
4173  secp256k1_pubkey_save(&sd, &Q);
4174  CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4175  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4176  }
4177 }
4178 
4179 static void run_ec_combine(void) {
4180  int i;
4181  for (i = 0; i < COUNT * 8; i++) {
4182  test_ec_combine();
4183  }
4184 }
4185 
4186 static void test_group_decompress(const secp256k1_fe* x) {
4187  /* The input itself, normalized. */
4188  secp256k1_fe fex = *x;
4189  /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
4190  secp256k1_ge ge_even, ge_odd;
4191  /* Return values of the above calls. */
4192  int res_even, res_odd;
4193 
4195 
4196  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4197  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4198 
4199  CHECK(res_even == res_odd);
4200 
4201  if (res_even) {
4202  secp256k1_fe_normalize_var(&ge_odd.x);
4203  secp256k1_fe_normalize_var(&ge_even.x);
4204  secp256k1_fe_normalize_var(&ge_odd.y);
4205  secp256k1_fe_normalize_var(&ge_even.y);
4206 
4207  /* No infinity allowed. */
4208  CHECK(!ge_even.infinity);
4209  CHECK(!ge_odd.infinity);
4210 
4211  /* Check that the x coordinates check out. */
4212  CHECK(secp256k1_fe_equal(&ge_even.x, x));
4213  CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4214 
4215  /* Check odd/even Y in ge_odd, ge_even. */
4216  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4217  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4218  }
4219 }
4220 
4221 static void run_group_decompress(void) {
4222  int i;
4223  for (i = 0; i < COUNT * 4; i++) {
4224  secp256k1_fe fe;
4225  random_fe_test(&fe);
4226  test_group_decompress(&fe);
4227  }
4228 }
4229 
4230 /***** ECMULT TESTS *****/
4231 
4232 static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4233  /* Tests the pre_g / pre_g_128 tables for consistency.
4234  * For independent verification we take a "geometric" approach to verification.
4235  * We check that every entry is on-curve.
4236  * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4237  * (1) p, gg, and -q are colinear.
4238  * (2) p, gg, and -q are all distinct.
4239  * where gg is twice the generator, where the generator is the first table entry.
4240  *
4241  * Checking the table's generators are correct is done in run_ecmult_pre_g.
4242  */
4243  secp256k1_gej g2;
4244  secp256k1_ge p, q, gg;
4245  secp256k1_fe dpx, dpy, dqx, dqy;
4246  size_t i;
4247 
4248  CHECK(0 < n);
4249 
4250  secp256k1_ge_from_storage(&p, &pre_g[0]);
4252 
4253  secp256k1_gej_set_ge(&g2, &p);
4254  secp256k1_gej_double_var(&g2, &g2, NULL);
4255  secp256k1_ge_set_gej_var(&gg, &g2);
4256  for (i = 1; i < n; ++i) {
4257  secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4258  secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4259  /* Check that p is not equal to gg */
4261 
4262  secp256k1_ge_from_storage(&q, &pre_g[i]);
4264 
4265  secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4266  dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4267  /* Check that -q is not equal to gg */
4269 
4270  /* Check that -q is not equal to p */
4271  CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4272 
4273  /* Check that p, -q and gg are colinear */
4274  secp256k1_fe_mul(&dpx, &dpx, &dqy);
4275  secp256k1_fe_mul(&dpy, &dpy, &dqx);
4276  CHECK(secp256k1_fe_equal(&dpx, &dpy));
4277 
4278  p = q;
4279  }
4280 }
4281 
4282 static void run_ecmult_pre_g(void) {
4284  secp256k1_gej gj;
4285  secp256k1_ge g;
4286  size_t i;
4287 
4288  /* Check that the pre_g and pre_g_128 tables are consistent. */
4291 
4292  /* Check the first entry from the pre_g table. */
4294  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4295 
4296  /* Check the first entry from the pre_g_128 table. */
4298  for (i = 0; i < 128; ++i) {
4299  secp256k1_gej_double_var(&gj, &gj, NULL);
4300  }
4301  secp256k1_ge_set_gej(&g, &gj);
4302  secp256k1_ge_to_storage(&gs, &g);
4303  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4304 }
4305 
4306 static void run_ecmult_chain(void) {
4307  /* random starting point A (on the curve) */
4309  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4310  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4311  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4312  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4313  );
4314  /* two random initial factors xn and gn */
4316  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4317  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4318  );
4320  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4321  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4322  );
4323  /* two small multipliers to be applied to xn and gn in every iteration: */
4324  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4325  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4326  /* accumulators with the resulting coefficients to A and G */
4329  /* actual points */
4330  secp256k1_gej x;
4331  secp256k1_gej x2;
4332  int i;
4333 
4334  /* the point being computed */
4335  x = a;
4336  for (i = 0; i < 200*COUNT; i++) {
4337  /* in each iteration, compute X = xn*X + gn*G; */
4338  secp256k1_ecmult(&x, &x, &xn, &gn);
4339  /* also compute ae and ge: the actual accumulated factors for A and G */
4340  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4341  secp256k1_scalar_mul(&ae, &ae, &xn);
4342  secp256k1_scalar_mul(&ge, &ge, &xn);
4343  secp256k1_scalar_add(&ge, &ge, &gn);
4344  /* modify xn and gn */
4345  secp256k1_scalar_mul(&xn, &xn, &xf);
4346  secp256k1_scalar_mul(&gn, &gn, &gf);
4347 
4348  /* verify */
4349  if (i == 19999) {
4350  /* expected result after 19999 iterations */
4352  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4353  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4354  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4355  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4356  );
4357  CHECK(secp256k1_gej_eq_var(&rp, &x));
4358  }
4359  }
4360  /* redo the computation, but directly with the resulting ae and ge coefficients: */
4361  secp256k1_ecmult(&x2, &a, &ae, &ge);
4362  CHECK(secp256k1_gej_eq_var(&x, &x2));
4363 }
4364 
4365 static void test_point_times_order(const secp256k1_gej *point) {
4366  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4367  secp256k1_scalar x;
4368  secp256k1_scalar nx;
4369  secp256k1_gej res1, res2;
4370  secp256k1_ge res3;
4371  unsigned char pub[65];
4372  size_t psize = 65;
4374  secp256k1_scalar_negate(&nx, &x);
4375  secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4376  secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4377  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4379  secp256k1_ge_set_gej(&res3, &res1);
4381  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4382  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4383  psize = 65;
4384  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4385  /* check zero/one edge cases */
4387  secp256k1_ge_set_gej(&res3, &res1);
4390  secp256k1_ge_set_gej(&res3, &res1);
4391  CHECK(secp256k1_gej_eq_ge_var(point, &res3));
4393  secp256k1_ge_set_gej(&res3, &res1);
4395 }
4396 
4397 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4398  *
4399  * They are computed as:
4400  * - For a in [-2, -1, 0, 1, 2]:
4401  * - For b in [-3, -1, 1, 3]:
4402  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4403  */
4405  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4406  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4407  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4408  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4409  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4410  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4411  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4412  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4413  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4414  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4415  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4416  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4417  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4418  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4419  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4420  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4421  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4422  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4423  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4424  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4425 };
4426 
4427 static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4428  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4429  secp256k1_scalar n1, n2;
4430  secp256k1_ge p;
4431  secp256k1_gej pj, p1j, p2j, ptj;
4432 
4433  /* Generate random n1,n2 such that n1+n2 = -target. */
4435  secp256k1_scalar_add(&n2, &n1, target);
4436  secp256k1_scalar_negate(&n2, &n2);
4437 
4438  /* Generate a random input point. */
4439  if (mode != 0) {
4441  secp256k1_gej_set_ge(&pj, &p);
4442  }
4443 
4444  /* EC multiplications */
4445  if (mode == 0) {
4446  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1);
4447  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2);
4448  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4449  } else if (mode == 1) {
4450  secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4451  secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4452  secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4453  } else {
4454  secp256k1_ecmult_const(&p1j, &p, &n1);
4455  secp256k1_ecmult_const(&p2j, &p, &n2);
4456  secp256k1_ecmult_const(&ptj, &p, target);
4457  }
4458 
4459  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4460  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4461  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4463 }
4464 
4465 static void run_ecmult_near_split_bound(void) {
4466  int i;
4467  unsigned j;
4468  for (i = 0; i < 4*COUNT; ++i) {
4469  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4473  }
4474  }
4475 }
4476 
4477 static void run_point_times_order(void) {
4478  int i;
4479  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4480  static const secp256k1_fe xr = SECP256K1_FE_CONST(
4481  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4482  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4483  );
4484  for (i = 0; i < 500; i++) {
4485  secp256k1_ge p;
4486  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4487  secp256k1_gej j;
4489  secp256k1_gej_set_ge(&j, &p);
4491  }
4492  secp256k1_fe_sqr(&x, &x);
4493  }
4495  CHECK(secp256k1_fe_equal(&x, &xr));
4496 }
4497 
4498 static void ecmult_const_random_mult(void) {
4499  /* random starting point A (on the curve) */
4501  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4502  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4503  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4504  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4505  );
4506  /* random initial factor xn */
4508  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4509  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4510  );
4511  /* expected xn * A (from sage) */
4512  secp256k1_ge expected_b = SECP256K1_GE_CONST(
4513  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4514  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4515  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4516  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4517  );
4518  secp256k1_gej b;
4519  secp256k1_ecmult_const(&b, &a, &xn);
4520 
4522  CHECK(secp256k1_gej_eq_ge_var(&b, &expected_b));
4523 }
4524 
4525 static void ecmult_const_commutativity(void) {
4526  secp256k1_scalar a;
4527  secp256k1_scalar b;
4528  secp256k1_gej res1;
4529  secp256k1_gej res2;
4530  secp256k1_ge mid1;
4531  secp256k1_ge mid2;
4534 
4537  secp256k1_ge_set_gej(&mid1, &res1);
4538  secp256k1_ge_set_gej(&mid2, &res2);
4539  secp256k1_ecmult_const(&res1, &mid1, &b);
4540  secp256k1_ecmult_const(&res2, &mid2, &a);
4541  secp256k1_ge_set_gej(&mid1, &res1);
4542  secp256k1_ge_set_gej(&mid2, &res2);
4543  CHECK(secp256k1_ge_eq_var(&mid1, &mid2));
4544 }
4545 
4546 static void ecmult_const_mult_zero_one(void) {
4547  secp256k1_scalar s;
4548  secp256k1_scalar negone;
4549  secp256k1_gej res1;
4550  secp256k1_ge res2;
4551  secp256k1_ge point;
4552  secp256k1_ge inf;
4553 
4556  random_group_element_test(&point);
4558 
4559  /* 0*point */
4562 
4563  /* s*inf */
4564  secp256k1_ecmult_const(&res1, &inf, &s);
4566 
4567  /* 1*point */
4569  secp256k1_ge_set_gej(&res2, &res1);
4570  CHECK(secp256k1_ge_eq_var(&res2, &point));
4571 
4572  /* -1*point */
4573  secp256k1_ecmult_const(&res1, &point, &negone);
4574  secp256k1_gej_neg(&res1, &res1);
4575  secp256k1_ge_set_gej(&res2, &res1);
4576  CHECK(secp256k1_ge_eq_var(&res2, &point));
4577 }
4578 
4579 static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) {
4580  secp256k1_gej pointj, res2j;
4581  secp256k1_ge res2;
4582  secp256k1_gej_set_ge(&pointj, A);
4583  secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero);
4584  secp256k1_ge_set_gej(&res2, &res2j);
4585  CHECK(secp256k1_gej_eq_ge_var(res, &res2));
4586 }
4587 
4588 static void ecmult_const_edges(void) {
4589  secp256k1_scalar q;
4590  secp256k1_ge point;
4591  secp256k1_gej res;
4592  size_t i;
4593  size_t cases = 1 + sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]);
4594 
4595  /* We are trying to reach the following edge cases (variables are defined as
4596  * in ecmult_const_impl.h):
4597  * 1. i = 0: s = 0 <=> q = -K
4598  * 2. i > 0: v1, v2 large values
4599  * <=> s1, s2 large values
4600  * <=> s = scalars_near_split_bounds[i]
4601  * <=> q = 2*scalars_near_split_bounds[i] - K
4602  */
4603  for (i = 0; i < cases; ++i) {
4605  if (i > 0) {
4608  }
4609  random_group_element_test(&point);
4610  secp256k1_ecmult_const(&res, &point, &q);
4611  ecmult_const_check_result(&point, &q, &res);
4612  }
4613 }
4614 
4615 static void ecmult_const_mult_xonly(void) {
4616  int i;
4617 
4618  /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4619  for (i = 0; i < 2*COUNT; ++i) {
4620  secp256k1_ge base;
4621  secp256k1_gej basej, resj;
4622  secp256k1_fe n, d, resx, v;
4623  secp256k1_scalar q;
4624  int res;
4625  /* Random base point. */
4627  /* Random scalar to multiply it with. */
4629  /* If i is odd, n=d*base.x for random non-zero d */
4630  if (i & 1) {
4632  secp256k1_fe_mul(&n, &base.x, &d);
4633  } else {
4634  n = base.x;
4635  }
4636  /* Perform x-only multiplication. */
4637  res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4638  CHECK(res);
4639  /* Perform normal multiplication. */
4640  secp256k1_gej_set_ge(&basej, &base);
4641  secp256k1_ecmult(&resj, &basej, &q, NULL);
4642  /* Check that resj's X coordinate corresponds with resx. */
4643  secp256k1_fe_sqr(&v, &resj.z);
4644  secp256k1_fe_mul(&v, &v, &resx);
4645  CHECK(fe_equal(&v, &resj.x));
4646  }
4647 
4648  /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4649  for (i = 0; i < 2*COUNT; ++i) {
4650  secp256k1_fe x, n, d, r;
4651  int res;
4652  secp256k1_scalar q;
4654  /* Generate random X coordinate not on the curve. */
4655  do {
4656  random_fe_test(&x);
4657  } while (secp256k1_ge_x_on_curve_var(&x));
4658  /* If i is odd, n=d*x for random non-zero d. */
4659  if (i & 1) {
4661  secp256k1_fe_mul(&n, &x, &d);
4662  } else {
4663  n = x;
4664  }
4665  res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4666  CHECK(res == 0);
4667  }
4668 }
4669 
4670 static void ecmult_const_chain_multiply(void) {
4671  /* Check known result (randomly generated test problem from sage) */
4673  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4674  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4675  );
4676  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4677  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4678  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4679  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4680  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4681  );
4682  secp256k1_gej point;
4683  secp256k1_ge res;
4684  int i;
4685 
4687  for (i = 0; i < 100; ++i) {
4688  secp256k1_ge tmp;
4689  secp256k1_ge_set_gej(&tmp, &point);
4690  secp256k1_ecmult_const(&point, &tmp, &scalar);
4691  }
4692  secp256k1_ge_set_gej(&res, &point);
4693  CHECK(secp256k1_gej_eq_ge_var(&expected_point, &res));
4694 }
4695 
4696 static void run_ecmult_const_tests(void) {
4703 }
4704 
4705 typedef struct {
4709 
4710 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4711  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4712  *sc = data->sc[idx];
4713  *pt = data->pt[idx];
4714  return 1;
4715 }
4716 
4717 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4718  (void)sc;
4719  (void)pt;
4720  (void)idx;
4721  (void)cbdata;
4722  return 0;
4723 }
4724 
4726  int ncount;
4727  secp256k1_scalar sc[32];
4728  secp256k1_ge pt[32];
4729  secp256k1_gej r;
4730  secp256k1_gej r2;
4731  ecmult_multi_data data;
4732 
4733  data.sc = sc;
4734  data.pt = pt;
4735 
4736  /* No points to multiply */
4737  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4738 
4739  /* Check 1- and 2-point multiplies against ecmult */
4740  for (ncount = 0; ncount < COUNT; ncount++) {
4741  secp256k1_ge ptg;
4742  secp256k1_gej ptgj;
4743  random_scalar_order(&sc[0]);
4744  random_scalar_order(&sc[1]);
4745 
4747  secp256k1_gej_set_ge(&ptgj, &ptg);
4748  pt[0] = ptg;
4749  pt[1] = secp256k1_ge_const_g;
4750 
4751  /* only G scalar */
4752  secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4753  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4754  CHECK(secp256k1_gej_eq_var(&r, &r2));
4755 
4756  /* 1-point */
4757  secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4758  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4759  CHECK(secp256k1_gej_eq_var(&r, &r2));
4760 
4761  /* Try to multiply 1 point, but callback returns false */
4762  CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4763 
4764  /* 2-point */
4765  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4766  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4767  CHECK(secp256k1_gej_eq_var(&r, &r2));
4768 
4769  /* 2-point with G scalar */
4770  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4771  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4772  CHECK(secp256k1_gej_eq_var(&r, &r2));
4773  }
4774 
4775  /* Check infinite outputs of various forms */
4776  for (ncount = 0; ncount < COUNT; ncount++) {
4777  secp256k1_ge ptg;
4778  size_t i, j;
4779  size_t sizes[] = { 2, 10, 32 };
4780 
4781  for (j = 0; j < 3; j++) {
4782  for (i = 0; i < 32; i++) {
4783  random_scalar_order(&sc[i]);
4784  secp256k1_ge_set_infinity(&pt[i]);
4785  }
4786  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4788  }
4789 
4790  for (j = 0; j < 3; j++) {
4791  for (i = 0; i < 32; i++) {
4793  pt[i] = ptg;
4794  secp256k1_scalar_set_int(&sc[i], 0);
4795  }
4796  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4798  }
4799 
4800  for (j = 0; j < 3; j++) {
4802  for (i = 0; i < 16; i++) {
4803  random_scalar_order(&sc[2*i]);
4804  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4805  pt[2 * i] = ptg;
4806  pt[2 * i + 1] = ptg;
4807  }
4808 
4809  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4811 
4812  random_scalar_order(&sc[0]);
4813  for (i = 0; i < 16; i++) {
4815 
4816  sc[2*i] = sc[0];
4817  sc[2*i+1] = sc[0];
4818  pt[2 * i] = ptg;
4819  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4820  }
4821 
4822  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4824  }
4825 
4827  secp256k1_scalar_set_int(&sc[0], 0);
4828  pt[0] = ptg;
4829  for (i = 1; i < 32; i++) {
4830  pt[i] = ptg;
4831 
4832  random_scalar_order(&sc[i]);
4833  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4834  secp256k1_scalar_negate(&sc[i], &sc[i]);
4835  }
4836 
4837  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4839  }
4840 
4841  /* Check random points, constant scalar */
4842  for (ncount = 0; ncount < COUNT; ncount++) {
4843  size_t i;
4845 
4846  random_scalar_order(&sc[0]);
4847  for (i = 0; i < 20; i++) {
4848  secp256k1_ge ptg;
4849  sc[i] = sc[0];
4851  pt[i] = ptg;
4852  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4853  }
4854 
4855  secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4856  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4857  CHECK(secp256k1_gej_eq_var(&r, &r2));
4858  }
4859 
4860  /* Check random scalars, constant point */
4861  for (ncount = 0; ncount < COUNT; ncount++) {
4862  size_t i;
4863  secp256k1_ge ptg;
4864  secp256k1_gej p0j;
4865  secp256k1_scalar rs;
4866  secp256k1_scalar_set_int(&rs, 0);
4867 
4869  for (i = 0; i < 20; i++) {
4870  random_scalar_order(&sc[i]);
4871  pt[i] = ptg;
4872  secp256k1_scalar_add(&rs, &rs, &sc[i]);
4873  }
4874 
4875  secp256k1_gej_set_ge(&p0j, &pt[0]);
4876  secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4877  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4878  CHECK(secp256k1_gej_eq_var(&r, &r2));
4879  }
4880 
4881  /* Sanity check that zero scalars don't cause problems */
4882  for (ncount = 0; ncount < 20; ncount++) {
4883  random_scalar_order(&sc[ncount]);
4884  random_group_element_test(&pt[ncount]);
4885  }
4886 
4887  secp256k1_scalar_clear(&sc[0]);
4888  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4889  secp256k1_scalar_clear(&sc[1]);
4890  secp256k1_scalar_clear(&sc[2]);
4891  secp256k1_scalar_clear(&sc[3]);
4892  secp256k1_scalar_clear(&sc[4]);
4893  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4894  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4896 
4897  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4898  {
4899  const size_t TOP = 8;
4900  size_t s0i, s1i;
4901  size_t t0i, t1i;
4902  secp256k1_ge ptg;
4903  secp256k1_gej ptgj;
4904 
4906  secp256k1_gej_set_ge(&ptgj, &ptg);
4907 
4908  for(t0i = 0; t0i < TOP; t0i++) {
4909  for(t1i = 0; t1i < TOP; t1i++) {
4910  secp256k1_gej t0p, t1p;
4911  secp256k1_scalar t0, t1;
4912 
4913  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4914  secp256k1_scalar_cond_negate(&t0, t0i & 1);
4915  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4916  secp256k1_scalar_cond_negate(&t1, t1i & 1);
4917 
4918  secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4919  secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4920 
4921  for(s0i = 0; s0i < TOP; s0i++) {
4922  for(s1i = 0; s1i < TOP; s1i++) {
4923  secp256k1_scalar tmp1, tmp2;
4924  secp256k1_gej expected, actual;
4925 
4926  secp256k1_ge_set_gej(&pt[0], &t0p);
4927  secp256k1_ge_set_gej(&pt[1], &t1p);
4928 
4929  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4930  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4931  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4932  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4933 
4934  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4935  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4936  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4937 
4938  secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4939  CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4940  CHECK(secp256k1_gej_eq_var(&actual, &expected));
4941  }
4942  }
4943  }
4944  }
4945  }
4946 }
4947 
4949  /* Large random test for ecmult_multi_* functions which exercises:
4950  * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4951  * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4952  * - Including or excluding an nonzero a*G term (or such a term at all).
4953  * - Final expected result equal to infinity or not (roughly 50%).
4954  * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4955  */
4956 
4957  /* These 4 variables define the eventual input to the ecmult_multi function.
4958  * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4959  * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4960  * which form its normal inputs. */
4961  int filled = 0;
4963  secp256k1_scalar scalars[128];
4964  secp256k1_gej gejs[128];
4965  /* The expected result, and the computed result. */
4966  secp256k1_gej expected, computed;
4967  /* Temporaries. */
4968  secp256k1_scalar sc_tmp;
4969  secp256k1_ge ge_tmp;
4970  /* Variables needed for the actual input to ecmult_multi. */
4971  secp256k1_ge ges[128];
4972  ecmult_multi_data data;
4973 
4974  int i;
4975  /* Which multiplication function to use */
4976  int fn = secp256k1_testrand_int(3);
4977  secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4980  /* Simulate exponentially distributed num. */
4981  int num_bits = 2 + secp256k1_testrand_int(6);
4982  /* Number of (scalar, point) inputs (excluding g). */
4983  int num = secp256k1_testrand_int((1 << num_bits) + 1);
4984  /* Number of those which are nonzero. */
4985  int num_nonzero = secp256k1_testrand_int(num + 1);
4986  /* Whether we're aiming to create an input with nonzero expected result. */
4987  int nonzero_result = secp256k1_testrand_bits(1);
4988  /* Whether we will provide nonzero g multiplicand. In some cases our hand
4989  * is forced here based on num_nonzero and nonzero_result. */
4990  int g_nonzero = num_nonzero == 0 ? nonzero_result :
4991  num_nonzero == 1 && !nonzero_result ? 1 :
4992  (int)secp256k1_testrand_bits(1);
4993  /* Which g_scalar pointer to pass into ecmult_multi(). */
4994  const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4995  /* How many EC multiplications were performed in this function. */
4996  int mults = 0;
4997  /* How many randomization steps to apply to the input list. */
4998  int rands = (int)secp256k1_testrand_bits(3);
4999  if (rands > num_nonzero) rands = num_nonzero;
5000 
5001  secp256k1_gej_set_infinity(&expected);
5002  secp256k1_gej_set_infinity(&gejs[0]);
5003  secp256k1_scalar_set_int(&scalars[0], 0);
5004 
5005  if (g_nonzero) {
5006  /* If g_nonzero, set g_scalar to nonzero value r. */
5007  random_scalar_order_test(&g_scalar);
5008  if (!nonzero_result) {
5009  /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
5010  CHECK(num_nonzero > filled);
5011  random_scalar_order_test(&sc_tmp);
5012  secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
5013  secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
5014  secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
5015  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
5016  ++filled;
5017  ++mults;
5018  }
5019  }
5020 
5021  if (nonzero_result && filled < num_nonzero) {
5022  /* If a nonzero result is desired, and there is space, add a random nonzero term. */
5023  random_scalar_order_test(&scalars[filled]);
5024  random_group_element_test(&ge_tmp);
5025  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
5026  ++filled;
5027  }
5028 
5029  if (nonzero_result) {
5030  /* Compute the expected result using normal ecmult. */
5031  CHECK(filled <= 1);
5032  secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
5033  mults += filled + g_nonzero;
5034  }
5035 
5036  /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
5037  CHECK(filled <= 1 + !nonzero_result);
5038  CHECK(filled <= num_nonzero);
5039 
5040  /* Add entries to scalars,gejs so that there are num of them. All the added entries
5041  * either have scalar=0 or point=infinity, so these do not change the expected result. */
5042  while (filled < num) {
5043  if (secp256k1_testrand_bits(1)) {
5044  secp256k1_gej_set_infinity(&gejs[filled]);
5045  random_scalar_order_test(&scalars[filled]);
5046  } else {
5047  secp256k1_scalar_set_int(&scalars[filled], 0);
5048  random_group_element_test(&ge_tmp);
5049  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
5050  }
5051  ++filled;
5052  }
5053 
5054  /* Now perform cheapish transformations on gejs and scalars, for indices
5055  * 0..num_nonzero-1, which do not change the expected result, but may
5056  * convert some of them to be both non-0-scalar and non-infinity-point. */
5057  for (i = 0; i < rands; ++i) {
5058  int j;
5059  secp256k1_scalar v, iv;
5060  /* Shuffle the entries. */
5061  for (j = 0; j < num_nonzero; ++j) {
5062  int k = secp256k1_testrand_int(num_nonzero - j);
5063  if (k != 0) {
5064  secp256k1_gej gej = gejs[j];
5065  secp256k1_scalar sc = scalars[j];
5066  gejs[j] = gejs[j + k];
5067  scalars[j] = scalars[j + k];
5068  gejs[j + k] = gej;
5069  scalars[j + k] = sc;
5070  }
5071  }
5072  /* Perturb all consecutive pairs of inputs:
5073  * a*P + b*Q -> (a+b)*P + b*(Q-P). */
5074  for (j = 0; j + 1 < num_nonzero; j += 2) {
5075  secp256k1_gej gej;
5076  secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
5077  secp256k1_gej_neg(&gej, &gejs[j]);
5078  secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
5079  }
5080  /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
5081  CHECK(num_nonzero >= 1);
5083  secp256k1_scalar_inverse(&iv, &v);
5084  secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5085  secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5086  ++mults;
5087  }
5088 
5089  /* Shuffle all entries (0..num-1). */
5090  for (i = 0; i < num; ++i) {
5091  int j = secp256k1_testrand_int(num - i);
5092  if (j != 0) {
5093  secp256k1_gej gej = gejs[i];
5094  secp256k1_scalar sc = scalars[i];
5095  gejs[i] = gejs[i + j];
5096  scalars[i] = scalars[i + j];
5097  gejs[i + j] = gej;
5098  scalars[i + j] = sc;
5099  }
5100  }
5101 
5102  /* Compute affine versions of all inputs. */
5103  secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5104  /* Invoke ecmult_multi code. */
5105  data.sc = scalars;
5106  data.pt = ges;
5107  CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5108  mults += num_nonzero + g_nonzero;
5109  /* Compare with expected result. */
5110  CHECK(secp256k1_gej_eq_var(&computed, &expected));
5111  return mults;
5112 }
5113 
5115  secp256k1_scalar sc;
5116  secp256k1_ge pt;
5117  secp256k1_gej r;
5118  ecmult_multi_data data;
5119  secp256k1_scratch *scratch_empty;
5120 
5122  random_scalar_order(&sc);
5123  data.sc = &sc;
5124  data.pt = &pt;
5125 
5126  /* Try to multiply 1 point, but scratch space is empty.*/
5127  scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5128  CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5129  secp256k1_scratch_destroy(&CTX->error_callback, scratch_empty);
5130 }
5131 
5133  int i;
5134 
5136  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5137  /* Bucket_window of 8 is not used with endo */
5138  if (i == 8) {
5139  continue;
5140  }
5142  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5144  }
5145  }
5146 }
5147 
5153  size_t scratch_size = secp256k1_testrand_bits(8);
5155  secp256k1_scratch *scratch;
5156  size_t n_points_supported;
5157  int bucket_window = 0;
5158 
5159  for(; scratch_size < max_size; scratch_size+=256) {
5160  size_t i;
5161  size_t total_alloc;
5162  size_t checkpoint;
5163  scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5164  CHECK(scratch != NULL);
5165  checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5166  n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5167  if (n_points_supported == 0) {
5169  continue;
5170  }
5171  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5172  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5173  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5174  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5176  total_alloc--;
5177  }
5178  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5179  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
5181  }
5182  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5183 }
5184 
5186  size_t n_batches, n_batch_points, max_n_batch_points, n;
5187 
5188  max_n_batch_points = 0;
5189  n = 1;
5190  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5191 
5192  max_n_batch_points = 1;
5193  n = 0;
5194  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5195  CHECK(n_batches == 0);
5196  CHECK(n_batch_points == 0);
5197 
5198  max_n_batch_points = 2;
5199  n = 5;
5200  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5201  CHECK(n_batches == 3);
5202  CHECK(n_batch_points == 2);
5203 
5204  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5206  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5207  CHECK(n_batches == 1);
5208  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5209 
5210  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5212  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5213  CHECK(n_batches == 2);
5214  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5215 
5216  max_n_batch_points = 1;
5217  n = SIZE_MAX;
5218  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5219  CHECK(n_batches == SIZE_MAX);
5220  CHECK(n_batch_points == 1);
5221 
5222  max_n_batch_points = 2;
5223  n = SIZE_MAX;
5224  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5225  CHECK(n_batches == SIZE_MAX/2 + 1);
5226  CHECK(n_batch_points == 2);
5227 }
5228 
5233 static void test_ecmult_multi_batching(void) {
5234  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5235  secp256k1_scalar scG;
5237  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points);
5238  secp256k1_gej r;
5239  secp256k1_gej r2;
5240  ecmult_multi_data data;
5241  int i;
5242  secp256k1_scratch *scratch;
5243 
5245 
5246  /* Get random scalars and group elements and compute result */
5247  random_scalar_order(&scG);
5248  secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5249  for(i = 0; i < n_points; i++) {
5250  secp256k1_ge ptg;
5251  secp256k1_gej ptgj;
5253  secp256k1_gej_set_ge(&ptgj, &ptg);
5254  pt[i] = ptg;
5255  random_scalar_order(&sc[i]);
5256  secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5257  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5258  }
5259  data.sc = sc;
5260  data.pt = pt;
5261  secp256k1_gej_neg(&r2, &r2);
5262 
5263  /* Test with empty scratch space. It should compute the correct result using
5264  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5266  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5267  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5270 
5271  /* Test with space for 1 point in pippenger. That's not enough because
5272  * ecmult_multi selects strauss which requires more memory. It should
5273  * therefore select the simple algorithm. */
5275  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5276  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5279 
5280  for(i = 1; i <= n_points; i++) {
5281  if (i > ECMULT_PIPPENGER_THRESHOLD) {
5282  int bucket_window = secp256k1_pippenger_bucket_window(i);
5283  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5285  } else {
5286  size_t scratch_size = secp256k1_strauss_scratch_size(i);
5288  }
5289  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5290  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5293  }
5294  free(sc);
5295  free(pt);
5296 }
5297 
5298 static void run_ecmult_multi_tests(void) {
5299  secp256k1_scratch *scratch;
5300  int64_t todo = (int64_t)320 * COUNT;
5301 
5304  scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5311  while (todo > 0) {
5312  todo -= test_ecmult_multi_random(scratch);
5313  }
5315 
5316  /* Run test_ecmult_multi with space for exactly one point */
5320 
5323 }
5324 
5325 static void test_wnaf(const secp256k1_scalar *number, int w) {
5326  secp256k1_scalar x, two, t;
5327  int wnaf[256];
5328  int zeroes = -1;
5329  int i;
5330  int bits;
5331  secp256k1_scalar_set_int(&x, 0);
5332  secp256k1_scalar_set_int(&two, 2);
5333  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5334  CHECK(bits <= 256);
5335  for (i = bits-1; i >= 0; i--) {
5336  int v = wnaf[i];
5337  secp256k1_scalar_mul(&x, &x, &two);
5338  if (v) {
5339  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5340  zeroes=0;
5341  CHECK((v & 1) == 1); /* check non-zero elements are odd */
5342  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5343  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5344  } else {
5345  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5346  zeroes++;
5347  }
5348  if (v >= 0) {
5350  } else {
5353  }
5354  secp256k1_scalar_add(&x, &x, &t);
5355  }
5356  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5357 }
5358 
5359 static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5360  secp256k1_scalar x, shift;
5361  int wnaf[256] = {0};
5362  int i;
5363  int skew;
5364  secp256k1_scalar num, unused;
5365 
5366  secp256k1_scalar_set_int(&x, 0);
5367  secp256k1_scalar_set_int(&shift, 1 << w);
5368  /* Make num a 128-bit scalar. */
5369  secp256k1_scalar_split_128(&num, &unused, number);
5370  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5371 
5372  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5374  int v = wnaf[i];
5375  CHECK(v == 0 || v & 1); /* check parity */
5376  CHECK(v > -(1 << w)); /* check range above */
5377  CHECK(v < (1 << w)); /* check range below */
5378 
5379  secp256k1_scalar_mul(&x, &x, &shift);
5380  if (v >= 0) {
5382  } else {
5385  }
5386  secp256k1_scalar_add(&x, &x, &t);
5387  }
5388  /* If skew is 1 then add 1 to num */
5389  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5390  CHECK(secp256k1_scalar_eq(&x, &num));
5391 }
5392 
5393 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5394  * rest is 0.*/
5395 static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5396  int i;
5397  for (i =