Bitcoin Core 31.99.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <time.h>
12
13#ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16#endif
17#if defined(VERIFY) && defined(COVERAGE)
18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19#endif
20#include "secp256k1.c"
21
22#include "../include/secp256k1.h"
23#include "../include/secp256k1_preallocated.h"
24#include "testrand_impl.h"
25#include "checkmem.h"
26#include "testutil.h"
27#include "util.h"
28#include "unit_test.h"
29#include "unit_test.c"
30
31#include "../contrib/lax_der_parsing.c"
32#include "../contrib/lax_der_privatekey_parsing.c"
33
34#include "modinv32_impl.h"
35#ifdef SECP256K1_WIDEMUL_INT128
36#include "modinv64_impl.h"
37#include "int128_impl.h"
38#endif
39
40#if defined(__GNUC__)
41# pragma GCC diagnostic push
42# pragma GCC diagnostic warning "-Wunused-function"
43#endif
44
45#define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
46
47static secp256k1_context *CTX = NULL;
49
50static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
51 const unsigned char *p = s;
52 size_t i;
53
54 for (i = 0; i < n; i++) {
55 if (p[i] != value) {
56 return 0;
57 }
58 }
59 return 1;
60}
61
62#define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \
63 int32_t _calls_to_callback = 0; \
64 secp256k1_callback _saved_callback = ctx->callback; \
65 callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \
66 { expr_or_stmt; } \
67 ctx->callback = _saved_callback; \
68 CHECK(_calls_to_callback == 1); \
69} while(0);
70
71/* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once
72 *
73 * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */
74#define CHECK_ERROR_VOID(ctx, expr_or_stmt) \
75 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback)
76#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \
77 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback)
78
79/* CHECK that
80 * - expr calls the illegal callback of ctx exactly once and,
81 * - expr == 0 (or equivalently, expr == NULL)
82 *
83 * Useful for checking functions that return an integer or a pointer. */
84#define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
85#define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0))
86
87static void counting_callback_fn(const char* str, void* data) {
88 /* Dummy callback function that just counts. */
89 int32_t *p;
90 (void)str;
91 p = data;
92 CHECK(*p != INT32_MAX);
93 (*p)++;
94}
95
96static void run_xoshiro256pp_tests(void) {
97 {
98 size_t i;
99 /* Sanity check that we run before the actual seeding. */
100 for (i = 0; i < ARRAY_SIZE(secp256k1_test_state); i++) {
102 }
103 }
104 {
105 int i;
106 unsigned char buf32[32];
107 unsigned char seed16[16] = {
108 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
109 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
110 };
111 unsigned char buf32_expected[32] = {
112 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
113 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
114 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
115 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
116 };
117 testrand_seed(seed16);
118 for (i = 0; i < 17; i++) {
119 testrand256(buf32);
120 }
121 CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
122 }
123}
124
125static void run_selftest_tests(void) {
126 /* Test public API */
128}
129
131 return a->built == b->built
135}
136
137static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
138 return a->declassify == b->declassify
145}
146
148 /* Check that a context created with any of the flags in the flags array is
149 * identical to the NONE context. */
150 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
154 int i;
155 for (i = 0; i < (int)(ARRAY_SIZE(flags)); i++) {
156 secp256k1_context *tmp_ctx;
158 tmp_ctx = secp256k1_context_create(flags[i]);
159 CHECK(context_eq(none_ctx, tmp_ctx));
161 }
163}
164
166 secp256k1_pubkey pubkey;
167 secp256k1_pubkey zero_pubkey;
169 unsigned char ctmp[32];
170
171 /* Setup */
172 memset(ctmp, 1, 32);
173 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
174
175 /* Verify context-type checking illegal-argument errors. */
177 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
178 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
179 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
180 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL));
181 SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
182 CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
183 SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
184 CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
185 CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
186 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
187 CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
188 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
190 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
193 CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
194}
195
196static void run_static_context_tests(int use_prealloc) {
197 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
199
200 {
201 unsigned char seed[32] = {0x17};
202
203 /* Randomizing secp256k1_context_static is not supported. */
206
207 /* Destroying or cloning secp256k1_context_static is not supported. */
208 if (use_prealloc) {
210 {
211 secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
212 CHECK(my_static_ctx != NULL);
213 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
215 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
216 free(my_static_ctx);
217 }
219 } else {
222 }
223 }
224
225 {
226 /* Verify that setting and resetting illegal callback works */
227 int32_t dummy = 0;
234 }
235}
236
238{
241}
242
243static void run_proper_context_tests(int use_prealloc) {
244 int32_t dummy = 0;
245 secp256k1_context *my_ctx, *my_ctx_fresh;
246 void *my_ctx_prealloc = NULL;
247 unsigned char seed[32] = {0x17};
248
249 secp256k1_ge pub;
251 secp256k1_scalar sigr, sigs;
252
253 /* Fresh reference context for comparison */
255
256 if (use_prealloc) {
258 CHECK(my_ctx_prealloc != NULL);
260 } else {
262 }
263
264 /* Randomize and reset randomization */
265 CHECK(context_eq(my_ctx, my_ctx_fresh));
266 CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
267 CHECK(!context_eq(my_ctx, my_ctx_fresh));
268 CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
269 CHECK(context_eq(my_ctx, my_ctx_fresh));
270
271 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
275
276 /* check if sizes for cloning are consistent */
278
279 /*** clone and destroy all of them to make sure cloning was complete ***/
280 {
281 secp256k1_context *ctx_tmp;
282
283 if (use_prealloc) {
284 /* clone into a non-preallocated context and then again into a new preallocated one. */
285 ctx_tmp = my_ctx;
286 my_ctx = secp256k1_context_clone(my_ctx);
287 CHECK(context_eq(ctx_tmp, my_ctx));
289
290 free(my_ctx_prealloc);
292 CHECK(my_ctx_prealloc != NULL);
293 ctx_tmp = my_ctx;
294 my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
295 CHECK(context_eq(ctx_tmp, my_ctx));
297 } else {
298 /* clone into a preallocated context and then again into a new non-preallocated one. */
299 void *prealloc_tmp;
300
302 CHECK(prealloc_tmp != NULL);
303 ctx_tmp = my_ctx;
304 my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
305 CHECK(context_eq(ctx_tmp, my_ctx));
307
308 ctx_tmp = my_ctx;
309 my_ctx = secp256k1_context_clone(my_ctx);
310 CHECK(context_eq(ctx_tmp, my_ctx));
312 free(prealloc_tmp);
313 }
314 }
315
316 /* Verify that the error callback makes it across the clone. */
319 /* And that it resets back to default. */
320 secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
322 CHECK(context_eq(my_ctx, my_ctx_fresh));
323
324 /* Verify that setting and resetting illegal callback works */
327 CHECK(my_ctx->illegal_callback.data == &dummy);
328 secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
330 CHECK(my_ctx->illegal_callback.data == NULL);
331 CHECK(context_eq(my_ctx, my_ctx_fresh));
332
333 /*** attempt to use them ***/
336 secp256k1_ecmult_gen_ge(&my_ctx->ecmult_gen_ctx, &pub, &key);
337
338 /* obtain a working nonce */
339 do {
341 } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
342
343 /* try signing */
344 CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
345
346 /* try verifying */
347 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
348
349 /* cleanup */
350 if (use_prealloc) {
352 free(my_ctx_prealloc);
353 } else {
355 }
356 secp256k1_context_destroy(my_ctx_fresh);
357
358 /* Defined as no-op. */
361}
362
364{
367}
368
369static void run_scratch_tests(void) {
370 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
371
372 size_t checkpoint;
373 size_t checkpoint_2;
375 secp256k1_scratch_space local_scratch;
376
377 /* Test public API */
378 scratch = secp256k1_scratch_space_create(CTX, 1000);
379 CHECK(scratch != NULL);
380
381 /* Test internal API */
383 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
384 CHECK(scratch->alloc_size == 0);
385 CHECK(scratch->alloc_size % ALIGNMENT == 0);
386
387 /* Allocating 500 bytes succeeds */
388 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
389 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
390 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
391 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
392 CHECK(scratch->alloc_size != 0);
393 CHECK(scratch->alloc_size % ALIGNMENT == 0);
394
395 /* Allocating another 501 bytes fails */
396 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
397 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
398 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
399 CHECK(scratch->alloc_size != 0);
400 CHECK(scratch->alloc_size % ALIGNMENT == 0);
401
402 /* ...but it succeeds once we apply the checkpoint to undo it */
404 CHECK(scratch->alloc_size == 0);
406 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
407 CHECK(scratch->alloc_size != 0);
408
409 /* try to apply a bad checkpoint */
410 checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
412 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */
413 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */
414
415 /* try to use badly initialized scratch space */
417 memset(&local_scratch, 0, sizeof(local_scratch));
418 scratch = &local_scratch;
422
423 /* Test that large integers do not wrap around in a bad way */
424 scratch = secp256k1_scratch_space_create(CTX, 1000);
425 /* Try max allocation with a large number of objects. Only makes sense if
426 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
427 * space. */
428 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
429 /* Try allocating SIZE_MAX to test wrap around which only happens if
430 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
431 * space is too small. */
432 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
434
435 /* cleanup */
436 secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
437}
438
439/* A compression function that does nothing */
440static void invalid_sha256_compression(uint32_t *s, const unsigned char *msg, size_t rounds) {
441 (void)s; (void)msg; (void)rounds;
442}
443
444static int own_transform_called = 0;
445static void good_sha256_compression(uint32_t *s, const unsigned char *msg, size_t rounds) {
448}
449
451 secp256k1_context *ctx, *ctx_cloned;
453 unsigned char sha_out[32];
454 /* 1) Verify the context is initialized with the default compression function */
457
458 /* 2) Verify providing a bad compression function fails during set */
461
462 /* 3) Provide sha256 to ctx and verify it is called when provided */
466
467 /* 4) Verify callback makes it across clone */
468 ctx_cloned = secp256k1_context_clone(ctx);
470
471 /* 5) A hash operation should invoke the installed callback */
474 secp256k1_sha256_write(secp256k1_get_hash_context(ctx), &sha, (const unsigned char*)"a", 1);
477
478 /* 6) Unset sha256 and verify the default one is set again */
481
483 secp256k1_context_destroy(ctx_cloned);
484}
485
487 secp256k1_hash_ctx hash_ctx;
488 secp256k1_sha256 sha256_one;
489 secp256k1_sha256 sha256_two;
490 unsigned char out_one[32], out_two[32];
491
493
494 { /* 1) Writing one 64-byte full block vs two 32-byte blocks */
495 const unsigned char data[64] = "totally serious test message to hash, definitely no random data";
496 unsigned char data32[32];
497
498 secp256k1_sha256_initialize(&sha256_one);
499 secp256k1_sha256_initialize(&sha256_two);
500
501 /* Write the 64-byte block */
502 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 64);
503 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one);
504
505 /* Write the two 32-byte blocks */
506 memcpy(data32, data, 32);
507 secp256k1_sha256_write(&hash_ctx, &sha256_two, data32, 32);
508 memcpy(data32, data + 32, 32);
509 secp256k1_sha256_write(&hash_ctx, &sha256_two, data32, 32);
510 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two);
511
512 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0);
513 }
514
515 { /* 2) Writing one 80-byte block vs two 40-byte blocks */
516 const unsigned char data[80] = "Genesis: The Times 03/Jan/2009 Chancellor on brink of second bailout for banks ";
517 unsigned char data40[40];
518
519 secp256k1_sha256_initialize(&sha256_one);
520 secp256k1_sha256_initialize(&sha256_two);
521
522 /* Write the 80-byte block */
523 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 80);
524 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one);
525
526 /* Write the two 40-byte blocks */
527 memcpy(data40, data, 40);
528 secp256k1_sha256_write(&hash_ctx, &sha256_two, data40, 40);
529 memcpy(data40, data + 40, 40);
530 secp256k1_sha256_write(&hash_ctx, &sha256_two, data40, 40);
531 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two);
532
533 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0);
534 }
535
536 { /* 3) Writing multiple consecutive full blocks in one write (128 bytes) */
537 unsigned char data[128];
538 unsigned char i;
539 for (i = 0; i < 128; i++) data[i] = i;
540
541 secp256k1_sha256_initialize(&sha256_one);
542 secp256k1_sha256_initialize(&sha256_two);
543
544 /* Single write of 128 bytes (two full 64-byte blocks) */
545 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 128);
546 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one);
547
548 /* Two separate writes of 64 bytes each */
549 secp256k1_sha256_write(&hash_ctx, &sha256_two, data, 64);
550 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 64, 64);
551 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two);
552
553 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0);
554 }
555
556 { /* 4) Mixed small + large writes in sequence */
557 unsigned char data[150];
558 unsigned char i;
559 for (i = 0; i < 150; i++) data[i] = i;
560
561 secp256k1_sha256_initialize(&sha256_one);
562 secp256k1_sha256_initialize(&sha256_two);
563
564 /* Single write of 150 bytes */
565 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 150);
566 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one);
567
568 /* Split writes: 10, 64, 64, 12 bytes */
569 secp256k1_sha256_write(&hash_ctx, &sha256_two, data, 10);
570 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 10, 64);
571 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 74, 64);
572 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 138, 12);
573 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two);
574
575 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0);
576 }
577}
578
579static void run_ctz_tests(void) {
580 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
581 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
582 int shift;
583 unsigned i;
584 for (i = 0; i < ARRAY_SIZE(b32); ++i) {
585 for (shift = 0; shift < 32; ++shift) {
586 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
587 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
588 }
589 }
590 for (i = 0; i < ARRAY_SIZE(b64); ++i) {
591 for (shift = 0; shift < 64; ++shift) {
592 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
593 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
594 }
595 }
596}
597
598/***** HASH TESTS *****/
599
602 static const char *inputs[] = {
603 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
604 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
605 "For this sample, this 63-byte string will be used as input data",
606 "This is exactly 64 bytes long, not counting the terminating byte",
607 "aaaaa",
608 };
609 static const unsigned int repeat[] = {
610 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
611 };
612 static const unsigned char outputs[][32] = {
613 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
614 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
615 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
616 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
617 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
618 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
619 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
620 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
621 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
622 };
623 unsigned int i, ninputs;
624
625 /* Skip last input vector for low iteration counts */
626 ninputs = ARRAY_SIZE(inputs) - 1;
627 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
628
629 for (i = 0; i < ninputs; i++) {
630 unsigned char out[32];
631 secp256k1_sha256 hasher;
632 unsigned int j;
633 /* 1. Run: simply write the input bytestrings */
634 j = repeat[i];
636 while (j > 0) {
637 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
638 j--;
639 }
640 secp256k1_sha256_finalize(hash_ctx, &hasher, out);
641 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
642 /* 2. Run: split the input bytestrings randomly before writing */
643 if (strlen(inputs[i]) > 0) {
644 int split = testrand_int(strlen(inputs[i]));
646 j = repeat[i];
647 while (j > 0) {
648 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), split);
649 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
650 j--;
651 }
652 secp256k1_sha256_finalize(hash_ctx, &hasher, out);
653 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
654 }
655 }
656}
657
702static void run_sha256_counter_tests(void) {
703 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
704 static const secp256k1_sha256 midstates[] = {
705 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
706 {0x00}, 0xfffc0},
707 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
708 {0x00}, 0x1fffc0},
709 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
710 {0x00}, 0x3fffc0},
711 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
712 {0x00}, 0x7fffc0},
713 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
714 {0x00}, 0xffffc0},
715 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
716 {0x00}, 0x1ffffc0},
717 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
718 {0x00}, 0x3ffffc0},
719 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
720 {0x00}, 0x7ffffc0},
721 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
722 {0x00}, 0xfffffc0},
723 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
724 {0x00}, 0x1fffffc0},
725 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
726 {0x00}, 0x3fffffc0},
727 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
728 {0x00}, 0x7fffffc0},
729 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
730 {0x00}, 0xffffffc0},
731 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
732 {0x00}, 0x1ffffffc0},
733 };
734 static const unsigned char outputs[][32] = {
735 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
736 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
737 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
738 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
739 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
740 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
741 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
742 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
743 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
744 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
745 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
746 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
747 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
748 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
749 };
751 unsigned int i;
752 for (i = 0; i < ARRAY_SIZE(midstates); i++) {
753 unsigned char out[32];
754 secp256k1_sha256 hasher = midstates[i];
755 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)input, strlen(input));
756 secp256k1_sha256_finalize(hash_ctx, &hasher, out);
757 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
758 }
759}
760
761/* Tests for the equality of two sha256 structs. This function only produces a
762 * correct result if an integer multiple of 64 many bytes have been written
763 * into the hash functions. This function is used by some module tests. */
764static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
765 /* Is buffer fully consumed? */
766 CHECK((sha1->bytes & 0x3F) == 0);
767
768 CHECK(sha1->bytes == sha2->bytes);
769 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
770}
771/* Convenience function for using test_sha256_eq to verify the correctness of a
772 * tagged hash midstate. This function is used by some module tests. */
773static void test_sha256_tag_midstate(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen) {
775 secp256k1_sha256_initialize_tagged(hash_ctx, &sha, tag, taglen);
776 test_sha256_eq(&sha, sha_tagged);
777}
778
779static void run_hmac_sha256_tests(void) {
780 static const char *keys[6] = {
781 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
782 "\x4a\x65\x66\x65",
783 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
784 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
785 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
786 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
787 };
788 static const char *inputs[6] = {
789 "\x48\x69\x20\x54\x68\x65\x72\x65",
790 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
791 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
792 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
793 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
794 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
795 };
796 static const unsigned char outputs[6][32] = {
797 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
798 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
799 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
800 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
801 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
802 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
803 };
804 int i;
806 for (i = 0; i < 6; i++) {
808 unsigned char out[32];
809 secp256k1_hmac_sha256_initialize(hash_ctx, &hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
810 secp256k1_hmac_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
811 secp256k1_hmac_sha256_finalize(hash_ctx, &hasher, out);
812 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
813 if (strlen(inputs[i]) > 0) {
814 int split = testrand_int(strlen(inputs[i]));
815 secp256k1_hmac_sha256_initialize(hash_ctx, &hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
816 secp256k1_hmac_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), split);
817 secp256k1_hmac_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
818 secp256k1_hmac_sha256_finalize(hash_ctx, &hasher, out);
819 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
820 }
821 }
822}
823
825 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
826 static const unsigned char out1[3][32] = {
827 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
828 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
829 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
830 };
831
832 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
833 static const unsigned char out2[3][32] = {
834 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
835 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
836 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
837 };
838
841 unsigned char out[32];
842 int i;
843
844 secp256k1_rfc6979_hmac_sha256_initialize(hash_ctx, &rng, key1, 64);
845 for (i = 0; i < 3; i++) {
847 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
848 }
850
851 secp256k1_rfc6979_hmac_sha256_initialize(hash_ctx, &rng, key1, 65);
852 for (i = 0; i < 3; i++) {
854 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
855 }
857
858 secp256k1_rfc6979_hmac_sha256_initialize(hash_ctx, &rng, key2, 64);
859 for (i = 0; i < 3; i++) {
861 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
862 }
864}
865
866static void run_tagged_sha256_tests(void) {
867 unsigned char tag[32] = { 0 };
868 unsigned char msg[32] = { 0 };
869 unsigned char hash32[32];
870 unsigned char hash_expected[32] = {
871 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
872 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
873 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
874 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
875 };
876
877 /* API test */
878 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
879 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)));
880 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)));
881 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0));
882
883 /* Static test vector */
884 memcpy(tag, "tag", 3);
885 memcpy(msg, "msg", 3);
886 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
887 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
888}
889
891 /* Midstate for the tagged hash with tag "sha256_midstate_test_tag". */
892 static const unsigned char tag[] = "sha256_midstate_test_tag";
893 static const uint32_t midstate[8] = {
894 0xa9ec59eaul, 0x9b4c2ffful, 0x400821e2ul, 0x0dcf3847ul,
895 0xbe7ea179ul, 0xa5772bdcul, 0x7d29bfe3ul, 0xa486b855ul
896 };
899
900 secp256k1_sha256_initialize_midstate(&sha, 64, midstate);
901 test_sha256_tag_midstate(hash_ctx, &sha, tag, sizeof(tag) - 1);
902}
903
904/***** MODINV TESTS *****/
905
906/* Compute the modular inverse of (odd) x mod 2^64. */
907static uint64_t modinv2p64(uint64_t x) {
908 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
909 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
910 * why. Start with L=0, for which it is true for every odd x that
911 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
912 int l;
913 uint64_t w = 1;
914 CHECK(x & 1);
915 for (l = 0; l < 6; ++l) w *= (2 - w*x);
916 return w;
917}
918
919
920/* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
921 *
922 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
923 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
924static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
925 uint16_t mul[32];
926 uint64_t c = 0;
927 int i, j;
928 int m_bitlen = 0;
929 int mul_bitlen = 0;
930
931 if (b != NULL) {
932 /* Compute the product of a and b, and put it in mul. */
933 for (i = 0; i < 32; ++i) {
934 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
935 c += (uint64_t)a[j] * b[i - j];
936 }
937 mul[i] = c & 0xFFFF;
938 c >>= 16;
939 }
940 CHECK(c == 0);
941
942 /* compute the highest set bit in mul */
943 for (i = 511; i >= 0; --i) {
944 if ((mul[i >> 4] >> (i & 15)) & 1) {
945 mul_bitlen = i;
946 break;
947 }
948 }
949 } else {
950 /* if b==NULL, set mul=a. */
951 memcpy(mul, a, 32);
952 memset(mul + 16, 0, 32);
953 /* compute the highest set bit in mul */
954 for (i = 255; i >= 0; --i) {
955 if ((mul[i >> 4] >> (i & 15)) & 1) {
956 mul_bitlen = i;
957 break;
958 }
959 }
960 }
961
962 if (m) {
963 /* Compute the highest set bit in m. */
964 for (i = 255; i >= 0; --i) {
965 if ((m[i >> 4] >> (i & 15)) & 1) {
966 m_bitlen = i;
967 break;
968 }
969 }
970
971 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
972 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
973 uint16_t mul2[32];
974 int64_t cs;
975
976 /* Compute mul2 = mul - m<<i. */
977 cs = 0; /* accumulator */
978 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
979 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
980 uint16_t sub = 0;
981 int p;
982 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
983 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
984 if (bitpos >= 0 && bitpos < 256) {
985 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
986 }
987 }
988 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
989 cs += mul[j];
990 cs -= sub;
991 mul2[j] = (cs & 0xFFFF);
992 cs >>= 16;
993 }
994 /* If remainder of subtraction is 0, set mul = mul2. */
995 if (cs == 0) {
996 memcpy(mul, mul2, sizeof(mul));
997 }
998 }
999 /* Sanity check: test that all limbs higher than m's highest are zero */
1000 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
1001 CHECK(mul[i] == 0);
1002 }
1003 }
1004 memcpy(out, mul, 32);
1005}
1006
1007/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
1008static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
1009 int i;
1010 memset(out->v, 0, sizeof(out->v));
1011 for (i = 0; i < 256; ++i) {
1012 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
1013 }
1014}
1015
1016/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
1017static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
1018 int i;
1019 memset(out, 0, 32);
1020 for (i = 0; i < 256; ++i) {
1021 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
1022 }
1023}
1024
1025/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
1027 int i;
1028 for (i = 0; i < 16; ++i) {
1029 int pos = testrand_bits(3);
1030 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
1031 x->v[pos] -= 0x40000000;
1032 x->v[pos + 1] += 1;
1033 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
1034 x->v[pos] += 0x40000000;
1035 x->v[pos + 1] -= 1;
1036 }
1037 }
1038}
1039
1040/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
1041static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1042 uint16_t tmp[16];
1045 int i, vartime, nonzero;
1046
1047 uint16_to_signed30(&x, in);
1048 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
1049 uint16_to_signed30(&m.modulus, mod);
1050
1051 /* compute 1/modulus mod 2^30 */
1052 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
1053 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
1054
1055 /* Test secp256k1_jacobi32_maybe_var. */
1056 if (nonzero) {
1057 int jac;
1058 uint16_t sqr[16], negone[16];
1059 mulmod256(sqr, in, in, mod);
1060 uint16_to_signed30(&x, sqr);
1061 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1062 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1063 CHECK(jac == 0 || jac == 1);
1064 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1065 * jacobi symbols if and only if (mod % 4) == 3. */
1066 negone[0] = mod[0] - 1;
1067 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1068 mulmod256(sqr, sqr, negone, mod);
1069 uint16_to_signed30(&x, sqr);
1070 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1071 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1072 }
1073
1074 uint16_to_signed30(&x, in);
1075 mutate_sign_signed30(&m.modulus);
1076 for (vartime = 0; vartime < 2; ++vartime) {
1077 /* compute inverse */
1078 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1079
1080 /* produce output */
1082
1083 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1084 mulmod256(tmp, out, in, mod);
1085 CHECK(tmp[0] == nonzero);
1086 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1087
1088 /* invert again */
1089 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1090
1091 /* check if the result is equal to the input */
1092 signed30_to_uint16(tmp, &x);
1093 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1094 }
1095}
1096
1097#ifdef SECP256K1_WIDEMUL_INT128
1098/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1099static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1100 int i;
1101 memset(out->v, 0, sizeof(out->v));
1102 for (i = 0; i < 256; ++i) {
1103 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1104 }
1105}
1106
1107/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1108static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1109 int i;
1110 memset(out, 0, 32);
1111 for (i = 0; i < 256; ++i) {
1112 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1113 }
1114}
1115
1116/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1117static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1118 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1119 int i;
1120 for (i = 0; i < 8; ++i) {
1121 int pos = testrand_bits(2);
1122 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1123 x->v[pos] -= (M62 + 1);
1124 x->v[pos + 1] += 1;
1125 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1126 x->v[pos] += (M62 + 1);
1127 x->v[pos + 1] -= 1;
1128 }
1129 }
1130}
1131
1132/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1133static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1134 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1135 uint16_t tmp[16];
1138 int i, vartime, nonzero;
1139
1140 uint16_to_signed62(&x, in);
1141 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1142 uint16_to_signed62(&m.modulus, mod);
1143
1144 /* compute 1/modulus mod 2^62 */
1145 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1146 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1147
1148 /* Test secp256k1_jacobi64_maybe_var. */
1149 if (nonzero) {
1150 int jac;
1151 uint16_t sqr[16], negone[16];
1152 mulmod256(sqr, in, in, mod);
1153 uint16_to_signed62(&x, sqr);
1154 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1155 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1156 CHECK(jac == 0 || jac == 1);
1157 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1158 * jacobi symbols if and only if (mod % 4) == 3. */
1159 negone[0] = mod[0] - 1;
1160 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1161 mulmod256(sqr, sqr, negone, mod);
1162 uint16_to_signed62(&x, sqr);
1163 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1164 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1165 }
1166
1167 uint16_to_signed62(&x, in);
1168 mutate_sign_signed62(&m.modulus);
1169 for (vartime = 0; vartime < 2; ++vartime) {
1170 /* compute inverse */
1171 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1172
1173 /* produce output */
1174 signed62_to_uint16(out, &x);
1175
1176 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1177 mulmod256(tmp, out, in, mod);
1178 CHECK(tmp[0] == nonzero);
1179 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1180
1181 /* invert again */
1182 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1183
1184 /* check if the result is equal to the input */
1185 signed62_to_uint16(tmp, &x);
1186 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1187 }
1188}
1189#endif
1190
1191/* test if a and b are coprime */
1192static int coprime(const uint16_t* a, const uint16_t* b) {
1193 uint16_t x[16], y[16], t[16];
1194 int i;
1195 int iszero;
1196 memcpy(x, a, 32);
1197 memcpy(y, b, 32);
1198
1199 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1200 while (1) {
1201 iszero = 1;
1202 for (i = 0; i < 16; ++i) {
1203 if (x[i] != 0) {
1204 iszero = 0;
1205 break;
1206 }
1207 }
1208 if (iszero) break;
1209 mulmod256(t, y, NULL, x);
1210 memcpy(y, x, 32);
1211 memcpy(x, t, 32);
1212 }
1213
1214 /* return whether y=1 */
1215 if (y[0] != 1) return 0;
1216 for (i = 1; i < 16; ++i) {
1217 if (y[i] != 0) return 0;
1218 }
1219 return 1;
1220}
1221
1222static void run_modinv_tests(void) {
1223 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1224 static const uint16_t CASES[][3][16] = {
1225 /* Test cases triggering edge cases in divsteps */
1226
1227 /* Test case known to need 713 divsteps */
1228 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1229 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1230 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1231 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1232 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1233 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1234 /* Test case known to need 589 divsteps, reaching delta=-140 and
1235 delta=141. */
1236 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1237 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1238 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1239 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1240 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1241 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1242 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1243 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1244 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1245 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1246 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1247 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1248 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1249 /* example needing 713 divsteps; delta=-2..3 */
1250 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1251 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1252 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1253 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1254 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1255 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1256 /* example needing 713 divsteps; delta=-2..3 */
1257 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1258 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1259 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1260 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1261 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1262 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1263 /* example needing 713 divsteps; delta=-2..3 */
1264 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1265 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1266 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1267 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1268 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1269 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1270 /* example reaching delta=-64..65; 661 divsteps */
1271 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1272 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1273 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1274 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1275 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1276 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1277 /* example reaching delta=-64..65; 661 divsteps */
1278 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1279 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1280 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1281 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1282 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1283 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1284 /* example reaching delta=-64..65; 661 divsteps */
1285 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1286 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1287 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1288 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1289 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1290 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1291 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1292 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1293 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1294 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1295 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1296 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1297 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1298 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1299 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1300 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1301 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1302 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1303 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1304 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1305 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1306 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1307 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1308 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1309 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1310 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1311 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1312 /* example doing 446 (f,g/2) steps; 523 divsteps */
1313 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1314 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1315 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1316 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1317 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1318 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1319 /* example doing 446 (f,g/2) steps; 523 divsteps */
1320 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1321 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1322 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1323 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1324 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1325 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1326 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1327 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1328 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1329 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1330 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1331 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1332 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1333 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1334 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1335 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1336 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1337 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1338 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1339 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1340 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1341 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1342 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1343 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1344 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1345 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1346 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1347 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1348 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1349 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1350 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1351 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1352 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1353 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1354
1355 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1356
1357 /* example needing 590 divsteps; delta=-5/2..7/2 */
1358 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1359 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1360 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1361 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1362 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1363 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1364 /* example needing 590 divsteps; delta=-3/2..5/2 */
1365 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1366 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1367 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1368 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1369 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1370 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1371 /* example needing 590 divsteps; delta=-3/2..5/2 */
1372 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1373 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1374 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1375 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1376 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1377 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1378 /* example needing 590 divsteps; delta=-5/2..7/2 */
1379 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1380 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1381 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1382 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1383 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1384 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1385 /* example needing 590 divsteps; delta=-3/2..5/2 */
1386 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1387 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1388 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1389 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1390 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1391 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1392 /* example reaching delta=-127/2..129/2; 571 divsteps */
1393 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1394 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1395 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1396 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1397 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1398 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1399 /* example reaching delta=-127/2..129/2; 571 divsteps */
1400 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1401 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1402 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1403 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1404 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1405 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1406 /* example reaching delta=-127/2..129/2; 571 divsteps */
1407 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1408 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1409 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1410 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1411 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1412 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1413 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1414 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1415 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1416 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1417 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1418 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1419 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1420 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1421 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1422 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1423 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1424 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1425 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1426 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1427 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1428 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1429 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1430 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1431 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1432 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1433 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1434 /* example doing 453 (f,g/2) steps; 514 divsteps */
1435 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1436 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1437 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1438 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1439 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1440 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1441 /* example doing 453 (f,g/2) steps; 514 divsteps */
1442 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1443 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1444 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1445 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1446 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1447 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1448 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1449 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1450 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1451 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1452 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1453 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1454 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1455 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1456 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1457 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1458 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1459 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1460 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1461 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1462 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1463 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1464 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1465 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1466 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1467 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1468 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1469 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1470 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1471 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1472 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1473 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1474 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1475 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1476
1477 /* Test cases with the group order as modulus. */
1478
1479 /* Test case with the group order as modulus, needing 635 divsteps. */
1480 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1481 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1482 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1483 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1484 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1485 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1486 /* example with group size as modulus needing 631 divsteps */
1487 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1488 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1489 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1490 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1491 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1492 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1493 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1494 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1495 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1496 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1497 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1498 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1499 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1500 /* Test case with the group size as modulus, needing 981 divsteps with
1501 broken eta handling. */
1502 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1503 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1504 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1505 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1506 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1507 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1508 /* Test case with the group size as modulus, input = 0. */
1509 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1510 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1511 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1512 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1513 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1514 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1515 /* Test case with the group size as modulus, input = 1. */
1516 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1517 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1518 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1519 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1520 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1521 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1522 /* Test case with the group size as modulus, input = 2. */
1523 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1524 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1525 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1526 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1527 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1528 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1529 /* Test case with the group size as modulus, input = group - 1. */
1530 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1531 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1532 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1533 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1534 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1535 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1536
1537 /* Test cases with the field size as modulus. */
1538
1539 /* Test case with the field size as modulus, needing 637 divsteps. */
1540 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1541 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1542 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1543 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1544 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1545 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1546 /* example with field size as modulus needing 637 divsteps */
1547 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1548 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1549 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1550 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1551 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1552 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1553 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1554 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1555 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1556 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1557 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1558 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1559 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1560 /* Test case with the field size as modulus, needing 935 divsteps with
1561 broken eta handling. */
1562 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1563 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1564 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1565 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1566 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1567 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1568 /* Test case with the field size as modulus, input = 0. */
1569 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1570 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1571 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1572 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1573 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1574 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1575 /* Test case with the field size as modulus, input = 1. */
1576 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1577 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1578 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1579 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1580 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1581 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1582 /* Test case with the field size as modulus, input = 2. */
1583 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1584 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1585 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1586 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1587 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1588 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1589 /* Test case with the field size as modulus, input = field - 1. */
1590 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1591 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1592 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1593 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1594 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1595 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1596
1597 /* Selected from a large number of random inputs to reach small/large
1598 * d/e values in various configurations. */
1599 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1600 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1601 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1602 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1603 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1604 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1605 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1606 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1607 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1608 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1609 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1610 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1611 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1612 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1613 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1614 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1615 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1616 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1617 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1618 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1619 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1620 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1621 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1622 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1623 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1624 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1625 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1626 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1627 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1628 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1629 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1630 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1631 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1632 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1633 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1634 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1635 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1636 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1637 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1638 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1639 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1640 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1641 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1642 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1643 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1644 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1645 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1646 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1647 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1648 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1649 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1650 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1651 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1652 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1653 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1654 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1655 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1656 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1657 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1658 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1659 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1660 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1661 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1662 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1663 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1664 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1665 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1666 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1667 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1668 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1669 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1670 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1671 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1672 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1673 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1674 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1675 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1676 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1677 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1678 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1679 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1680 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1681 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1682 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1683 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1684 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1685 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1686 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1687 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1688 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1689 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1690 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1691 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1692 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1693 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1694 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1695 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1696 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1697 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1698 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1699 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1700 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1701 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1702 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1703 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1704 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1705 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1706 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1707 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1708 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1709 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1710 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1711 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1712 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1713 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1714 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1715 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1716 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1717 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1718 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1719 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1720 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1721 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1722 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1723 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1724 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1725 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1726 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1727 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1728 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1729 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1730 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1731 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1732 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1733 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1734 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1735 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1736 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1737 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1738 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1739 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1740 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1741 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1742 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1743 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1744 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1745 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1746 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1747 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1748 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1749 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1750 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1751 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1752 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1753 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1754 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1755 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1756 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1757 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1758 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1759 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1760 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1761 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1762 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1763 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1764 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1765 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1766 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1767 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1768 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1769 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1770 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1771 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1772 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1773 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1774 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1775 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1776 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1777 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1778 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1779 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1780 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1781 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1782 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1783 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1784 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1785 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1786 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1787 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1788 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1789 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1790 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1791 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1792 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1793 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1794 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1795 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1796 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1797 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1798 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1799 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1800 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1801 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1802 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1803 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1804 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1805 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1806 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1807 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1808 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1809 };
1810
1811 int i, j, ok;
1812
1813 /* Test known inputs/outputs */
1814 for (i = 0; (size_t)i < ARRAY_SIZE(CASES); ++i) {
1815 uint16_t out[16];
1816 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1817 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1818#ifdef SECP256K1_WIDEMUL_INT128
1819 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1820 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1821#endif
1822 }
1823
1824 for (i = 0; i < 100 * COUNT; ++i) {
1825 /* 256-bit numbers in 16-uint16_t's notation */
1826 static const uint16_t ZERO[16] = {0};
1827 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1828 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1829 uint16_t id[16]; /* the inverse of xd mod md */
1830
1831 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1832 do {
1833 /* generate random xd and md (with many subsequent 0s and 1s) */
1834 testrand256_test((unsigned char*)xd);
1835 testrand256_test((unsigned char*)md);
1836 md[0] |= 1; /* modulus must be odd */
1837 /* If modulus is 1, find another one. */
1838 ok = md[0] != 1;
1839 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1840 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1841 } while (!(ok && coprime(xd, md)));
1842
1843 test_modinv32_uint16(id, xd, md);
1844#ifdef SECP256K1_WIDEMUL_INT128
1845 test_modinv64_uint16(id, xd, md);
1846#endif
1847
1848 /* In a few cases, also test with input=0 */
1849 if (i < COUNT) {
1850 test_modinv32_uint16(id, ZERO, md);
1851#ifdef SECP256K1_WIDEMUL_INT128
1852 test_modinv64_uint16(id, ZERO, md);
1853#endif
1854 }
1855 }
1856}
1857
1858/***** INT128 TESTS *****/
1859
1860#ifdef SECP256K1_WIDEMUL_INT128
1861/* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1862static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1863 int i;
1864 uint32_t carry = 0;
1865 for (i = 0; i < 16; ++i) {
1866 carry += a[i];
1867 carry += b[i];
1868 out[i] = carry;
1869 carry >>= 16;
1870 }
1871}
1872
1873/* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1874static void neg256(uint16_t* out, const uint16_t* a) {
1875 int i;
1876 uint32_t carry = 1;
1877 for (i = 0; i < 16; ++i) {
1878 carry += (uint16_t)~a[i];
1879 out[i] = carry;
1880 carry >>= 16;
1881 }
1882}
1883
1884/* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1885static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1886 uint16_t sign = sign_extend && (a[15] >> 15);
1887 int i, j;
1888 for (i = 15; i >= 0; --i) {
1889 uint16_t v = 0;
1890 for (j = 0; j < 16; ++j) {
1891 int frompos = i*16 + j + n;
1892 if (frompos >= 256) {
1893 v |= sign << j;
1894 } else {
1895 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1896 }
1897 }
1898 out[i] = v;
1899 }
1900}
1901
1902/* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1903static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1904 int i;
1905 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1906 for (i = 0; i < 4; ++i) {
1907 out[i] = v >> (16 * i);
1908 }
1909 for (i = 4; i < 16; ++i) {
1910 out[i] = sign;
1911 }
1912}
1913
1914/* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1915static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1916 int i;
1917 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1918 for (i = 0; i < 4; ++i) {
1919 out[i] = lo >> (16 * i);
1920 }
1921 for (i = 4; i < 8; ++i) {
1922 out[i] = hi >> (16 * (i - 4));
1923 }
1924 for (i = 8; i < 16; ++i) {
1925 out[i] = sign;
1926 }
1927}
1928
1929/* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1930static int int256is127(const uint16_t* v) {
1931 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1932 int i;
1933 for (i = 8; i < 16; ++i) {
1934 if (v[i] != 0) all_0 = 0;
1935 if (v[i] != 0xffff) all_1 = 0;
1936 }
1937 return all_0 || all_1;
1938}
1939
1940static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1941 uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1942 load256two64(out, hi, lo, 0);
1943}
1944
1945static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1946 uint64_t lo;
1947 int64_t hi;
1948 secp256k1_int128 c = *v;
1949 lo = secp256k1_i128_to_u64(&c);
1950 secp256k1_i128_rshift(&c, 64);
1951 hi = secp256k1_i128_to_i64(&c);
1952 load256two64(out, hi, lo, 1);
1953}
1954
1955static void run_int128_test_case(void) {
1956 unsigned char buf[32];
1957 uint64_t v[4];
1958 secp256k1_int128 swa, swz;
1959 secp256k1_uint128 uwa, uwz;
1960 uint64_t ub, uc;
1961 int64_t sb, sc;
1962 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1963 uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1964 int i;
1965
1966 /* Generate 32-byte random value. */
1967 testrand256_test(buf);
1968 /* Convert into 4 64-bit integers. */
1969 for (i = 0; i < 4; ++i) {
1970 uint64_t vi = 0;
1971 int j;
1972 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1973 v[i] = vi;
1974 }
1975 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1976 secp256k1_u128_load(&uwa, v[1], v[0]);
1977 secp256k1_i128_load(&swa, v[1], v[0]);
1978 ub = v[2];
1979 sb = v[2];
1980 uc = v[3];
1981 sc = v[3];
1982 /* Load those also into 16-bit array representations. */
1983 load256u128(ruwa, &uwa);
1984 load256i128(rswa, &swa);
1985 load256u64(rub, ub, 0);
1986 load256u64(rsb, sb, 1);
1987 load256u64(ruc, uc, 0);
1988 load256u64(rsc, sc, 1);
1989 /* test secp256k1_u128_mul */
1990 mulmod256(ruwr, rub, ruc, NULL);
1991 secp256k1_u128_mul(&uwz, ub, uc);
1992 load256u128(ruwz, &uwz);
1993 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1994 /* test secp256k1_u128_accum_mul */
1995 mulmod256(ruwr, rub, ruc, NULL);
1996 add256(ruwr, ruwr, ruwa);
1997 uwz = uwa;
1998 secp256k1_u128_accum_mul(&uwz, ub, uc);
1999 load256u128(ruwz, &uwz);
2000 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
2001 /* test secp256k1_u128_accum_u64 */
2002 add256(ruwr, rub, ruwa);
2003 uwz = uwa;
2004 secp256k1_u128_accum_u64(&uwz, ub);
2005 load256u128(ruwz, &uwz);
2006 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
2007 /* test secp256k1_u128_rshift */
2008 rshift256(ruwr, ruwa, uc % 128, 0);
2009 uwz = uwa;
2010 secp256k1_u128_rshift(&uwz, uc % 128);
2011 load256u128(ruwz, &uwz);
2012 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
2013 /* test secp256k1_u128_to_u64 */
2014 CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
2015 /* test secp256k1_u128_hi_u64 */
2016 CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
2017 /* test secp256k1_u128_from_u64 */
2018 secp256k1_u128_from_u64(&uwz, ub);
2019 load256u128(ruwz, &uwz);
2020 CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
2021 /* test secp256k1_u128_check_bits */
2022 {
2023 int uwa_bits = 0;
2024 int j;
2025 for (j = 0; j < 128; ++j) {
2026 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
2027 }
2028 for (j = 0; j < 128; ++j) {
2029 CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
2030 }
2031 }
2032 /* test secp256k1_i128_mul */
2033 mulmod256(rswr, rsb, rsc, NULL);
2034 secp256k1_i128_mul(&swz, sb, sc);
2035 load256i128(rswz, &swz);
2036 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2037 /* test secp256k1_i128_accum_mul */
2038 mulmod256(rswr, rsb, rsc, NULL);
2039 add256(rswr, rswr, rswa);
2040 if (int256is127(rswr)) {
2041 swz = swa;
2042 secp256k1_i128_accum_mul(&swz, sb, sc);
2043 load256i128(rswz, &swz);
2044 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2045 }
2046 /* test secp256k1_i128_det */
2047 {
2048 uint16_t rsd[16], rse[16], rst[32];
2049 int64_t sd = v[0], se = v[1];
2050 load256u64(rsd, sd, 1);
2051 load256u64(rse, se, 1);
2052 mulmod256(rst, rsc, rsd, NULL);
2053 neg256(rst, rst);
2054 mulmod256(rswr, rsb, rse, NULL);
2055 add256(rswr, rswr, rst);
2056 secp256k1_i128_det(&swz, sb, sc, sd, se);
2057 load256i128(rswz, &swz);
2058 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2059 }
2060 /* test secp256k1_i128_rshift */
2061 rshift256(rswr, rswa, uc % 127, 1);
2062 swz = swa;
2063 secp256k1_i128_rshift(&swz, uc % 127);
2064 load256i128(rswz, &swz);
2065 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2066 /* test secp256k1_i128_to_u64 */
2067 CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
2068 /* test secp256k1_i128_from_i64 */
2069 secp256k1_i128_from_i64(&swz, sb);
2070 load256i128(rswz, &swz);
2071 CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
2072 /* test secp256k1_i128_to_i64 */
2073 CHECK(secp256k1_i128_to_i64(&swz) == sb);
2074 /* test secp256k1_i128_eq_var */
2075 {
2076 int expect = (uc & 1);
2077 swz = swa;
2078 if (!expect) {
2079 /* Make sure swz != swa */
2080 uint64_t v0c = v[0], v1c = v[1];
2081 if (ub & 64) {
2082 v1c ^= (((uint64_t)1) << (ub & 63));
2083 } else {
2084 v0c ^= (((uint64_t)1) << (ub & 63));
2085 }
2086 secp256k1_i128_load(&swz, v1c, v0c);
2087 }
2088 CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
2089 }
2090 /* test secp256k1_i128_check_pow2 (sign == 1) */
2091 {
2092 int expect = (uc & 1);
2093 int pos = ub % 127;
2094 if (expect) {
2095 /* If expect==1, set swz to exactly 2^pos. */
2096 uint64_t hi = 0;
2097 uint64_t lo = 0;
2098 if (pos >= 64) {
2099 hi = (((uint64_t)1) << (pos & 63));
2100 } else {
2101 lo = (((uint64_t)1) << (pos & 63));
2102 }
2103 secp256k1_i128_load(&swz, hi, lo);
2104 } else {
2105 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
2106 if (pos >= 64) {
2107 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
2108 } else {
2109 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
2110 }
2111 swz = swa;
2112 }
2113 CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
2114 }
2115 /* test secp256k1_i128_check_pow2 (sign == -1) */
2116 {
2117 int expect = (uc & 1);
2118 int pos = ub % 127;
2119 if (expect) {
2120 /* If expect==1, set swz to exactly -2^pos. */
2121 uint64_t hi = ~(uint64_t)0;
2122 uint64_t lo = ~(uint64_t)0;
2123 if (pos >= 64) {
2124 hi <<= (pos & 63);
2125 lo = 0;
2126 } else {
2127 lo <<= (pos & 63);
2128 }
2129 secp256k1_i128_load(&swz, hi, lo);
2130 } else {
2131 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
2132 if (pos >= 64) {
2133 if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
2134 } else {
2135 if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
2136 }
2137 swz = swa;
2138 }
2139 CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
2140 }
2141}
2142
2143static void run_int128_tests(void) {
2144 { /* secp256k1_u128_accum_mul */
2146
2147 /* Check secp256k1_u128_accum_mul overflow */
2148 secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
2149 secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
2150 CHECK(secp256k1_u128_to_u64(&res) == 2);
2151 CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
2152 }
2153 { /* secp256k1_u128_accum_mul */
2154 secp256k1_int128 res;
2155
2156 /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
2157 secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
2158 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
2159 CHECK(secp256k1_i128_to_u64(&res) == 2);
2160 secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
2161 secp256k1_i128_accum_mul(&res, 1, 1);
2162 CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2163 secp256k1_i128_rshift(&res, 64);
2164 CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2165
2166 /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2167 secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2168 CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2169 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2170 CHECK(secp256k1_i128_to_u64(&res) == 0);
2171 secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2172 CHECK(secp256k1_i128_to_u64(&res) == 0);
2173 secp256k1_i128_rshift(&res, 64);
2174 CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2175 }
2176 {
2177 /* Randomized tests. */
2178 int i;
2179 for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2180 }
2181}
2182#endif
2183
2184/***** SCALAR TESTS *****/
2185
2186static void scalar_test(void) {
2190 unsigned char c[32];
2191
2192 /* Set 's' to a random scalar, with value 'snum'. */
2194
2195 /* Set 's1' to a random scalar, with value 's1num'. */
2197
2198 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2201
2202 {
2203 int i;
2204 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2207 for (i = 0; i < 256; i += 4) {
2209 int j;
2211 for (j = 0; j < 4; j++) {
2212 secp256k1_scalar_add(&n, &n, &n);
2213 }
2214 secp256k1_scalar_add(&n, &n, &t);
2215 }
2217 }
2218
2219 {
2220 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2222 int i = 0;
2224 while (i < 256) {
2226 int j;
2227 int now = testrand_int(15) + 1;
2228 if (now + i > 256) {
2229 now = 256 - i;
2230 }
2232 for (j = 0; j < now; j++) {
2233 secp256k1_scalar_add(&n, &n, &n);
2234 }
2235 secp256k1_scalar_add(&n, &n, &t);
2236 i += now;
2237 }
2239 }
2240
2241 {
2242 /* Test commutativity of add. */
2243 secp256k1_scalar r1, r2;
2244 secp256k1_scalar_add(&r1, &s1, &s2);
2245 secp256k1_scalar_add(&r2, &s2, &s1);
2246 CHECK(secp256k1_scalar_eq(&r1, &r2));
2247 }
2248
2249 {
2250 secp256k1_scalar r1, r2;
2252 int i;
2253 /* Test add_bit. */
2254 int bit = testrand_bits(8);
2257 for (i = 0; i < bit; i++) {
2258 secp256k1_scalar_add(&b, &b, &b);
2259 }
2260 r1 = s1;
2261 r2 = s1;
2262 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2263 /* No overflow happened. */
2264 secp256k1_scalar_cadd_bit(&r2, bit, 1);
2265 CHECK(secp256k1_scalar_eq(&r1, &r2));
2266 /* cadd is a noop when flag is zero */
2267 secp256k1_scalar_cadd_bit(&r2, bit, 0);
2268 CHECK(secp256k1_scalar_eq(&r1, &r2));
2269 }
2270 }
2271
2272 {
2273 /* Test commutativity of mul. */
2274 secp256k1_scalar r1, r2;
2275 secp256k1_scalar_mul(&r1, &s1, &s2);
2276 secp256k1_scalar_mul(&r2, &s2, &s1);
2277 CHECK(secp256k1_scalar_eq(&r1, &r2));
2278 }
2279
2280 {
2281 /* Test associativity of add. */
2282 secp256k1_scalar r1, r2;
2283 secp256k1_scalar_add(&r1, &s1, &s2);
2284 secp256k1_scalar_add(&r1, &r1, &s);
2285 secp256k1_scalar_add(&r2, &s2, &s);
2286 secp256k1_scalar_add(&r2, &s1, &r2);
2287 CHECK(secp256k1_scalar_eq(&r1, &r2));
2288 }
2289
2290 {
2291 /* Test associativity of mul. */
2292 secp256k1_scalar r1, r2;
2293 secp256k1_scalar_mul(&r1, &s1, &s2);
2294 secp256k1_scalar_mul(&r1, &r1, &s);
2295 secp256k1_scalar_mul(&r2, &s2, &s);
2296 secp256k1_scalar_mul(&r2, &s1, &r2);
2297 CHECK(secp256k1_scalar_eq(&r1, &r2));
2298 }
2299
2300 {
2301 /* Test distributitivity of mul over add. */
2302 secp256k1_scalar r1, r2, t;
2303 secp256k1_scalar_add(&r1, &s1, &s2);
2304 secp256k1_scalar_mul(&r1, &r1, &s);
2305 secp256k1_scalar_mul(&r2, &s1, &s);
2306 secp256k1_scalar_mul(&t, &s2, &s);
2307 secp256k1_scalar_add(&r2, &r2, &t);
2308 CHECK(secp256k1_scalar_eq(&r1, &r2));
2309 }
2310
2311 {
2312 /* Test multiplicative identity. */
2315 CHECK(secp256k1_scalar_eq(&r1, &s1));
2316 }
2317
2318 {
2319 /* Test additive identity. */
2322 CHECK(secp256k1_scalar_eq(&r1, &s1));
2323 }
2324
2325 {
2326 /* Test zero product property. */
2330 }
2331
2332 {
2333 /* Test halving. */
2335 secp256k1_scalar_add(&r, &s, &s);
2336 secp256k1_scalar_half(&r, &r);
2338 }
2339}
2340
2342 unsigned char b32[32];
2345
2346 /* Usually set_b32 and set_b32_seckey give the same result */
2348 secp256k1_scalar_set_b32(&s1, b32, NULL);
2349 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2350 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2351
2352 memset(b32, 0, sizeof(b32));
2353 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2354 memset(b32, 0xFF, sizeof(b32));
2355 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2356}
2357
2360 const secp256k1_scalar n_minus_1 = SECP256K1_SCALAR_CONST(
2361 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
2362 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
2363 );
2365 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
2366 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL
2367 );
2369 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
2370 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364142UL
2371 );
2373 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2374 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2375 );
2376
2377 int i;
2378
2381 CHECK(secp256k1_scalar_check_overflow(&n_minus_1) == 0);
2383 CHECK(secp256k1_scalar_check_overflow(&n_plus_1) == 1);
2385
2386 for (i = 0; i < 2 * COUNT; i++) {
2387 int expected_overflow;
2388 int overflow = 0;
2389 unsigned char b32[32];
2390
2391 testrand256(b32);
2392
2393 /* Force top bits to be 0xFF sometimes to ensure we hit overflows */
2394 if (i % 2 == 0) {
2395 memset(b32, 0xFF, 16);
2396 }
2397
2398 expected_overflow = (secp256k1_memcmp_var(b32, secp256k1_group_order_bytes, 32) >= 0);
2399
2400 secp256k1_scalar_set_b32(&s, b32, &overflow);
2401 CHECK(overflow == expected_overflow);
2402 }
2403}
2404
2405static void run_scalar_tests(void) {
2406 int i;
2407
2409
2410 for (i = 0; i < 128 * COUNT; i++) {
2411 scalar_test();
2412 }
2413 for (i = 0; i < COUNT; i++) {
2415 }
2416
2417 {
2418 /* Check that the scalar constants secp256k1_scalar_zero and
2419 secp256k1_scalar_one contain the expected values. */
2420 secp256k1_scalar zero, one;
2421
2423 secp256k1_scalar_set_int(&zero, 0);
2425
2427 secp256k1_scalar_set_int(&one, 1);
2429 }
2430
2431 {
2432 /* (-1)+1 should be zero. */
2439 }
2440
2441 {
2442 /* Test that halving and doubling roundtrips on some fixed values. */
2443 static const secp256k1_scalar HALF_TESTS[] = {
2444 /* 0 */
2445 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2446 /* 1 */
2447 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2448 /* -1 */
2449 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul),
2450 /* -2 (largest odd value) */
2451 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful),
2452 /* Half the secp256k1 order */
2453 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul),
2454 /* Half the secp256k1 order + 1 */
2455 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul),
2456 /* 2^255 */
2457 SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0),
2458 /* 2^255 - 1 */
2459 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful),
2460 };
2461 unsigned n;
2462 for (n = 0; n < ARRAY_SIZE(HALF_TESTS); ++n) {
2464 secp256k1_scalar_half(&s, &HALF_TESTS[n]);
2465 secp256k1_scalar_add(&s, &s, &s);
2466 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2467 secp256k1_scalar_add(&s, &s, &s);
2469 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2470 }
2471 }
2472
2473 {
2474 /* Static test vectors.
2475 * These were reduced from ~10^12 random vectors based on comparison-decision
2476 * and edge-case coverage on 32-bit and 64-bit implementations.
2477 * The responses were generated with Sage 5.9.
2478 */
2485 secp256k1_scalar zzv;
2486 int overflow;
2487 unsigned char chal[33][2][32] = {
2488 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2489 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2490 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2491 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2492 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2493 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2494 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2495 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2496 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2497 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2500 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2502 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2503 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2504 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2505 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2506 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2507 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2508 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2509 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2510 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2511 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2512 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2513 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2514 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2515 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2516 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2517 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2518 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2519 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2520 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2521 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2522 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2523 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2524 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2525 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2526 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2527 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2528 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2529 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2530 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2531 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2532 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2533 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2534 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2535 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2536 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2537 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2538 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2539 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2540 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2541 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2542 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2543 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2544 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2545 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2546 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2547 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2548 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2549 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2550 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2551 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2552 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2553 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2554 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2555 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2556 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2557 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2558 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2560 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2561 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2562 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2563 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2564 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2565 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2566 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2567 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2568 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2569 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2570 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2571 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2572 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2574 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2575 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2576 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2577 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2578 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2579 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2580 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2581 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2582 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2584 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2585 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2586 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2587 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2588 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2589 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2590 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2591 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2592 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2593 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2594 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2595 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2596 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2597 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2598 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2600 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2601 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2602 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2603 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2604 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2605 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2606 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2607 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2608 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2609 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2610 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2611 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2612 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2613 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2614 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2615 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2616 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2617 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2618 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2619 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2620 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2621 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2622 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2623 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2624 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2625 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2626 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2628 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2629 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2630 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2631 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2632 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2633 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2634 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2635 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2636 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2637 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2638 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2639 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2640 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2641 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2642 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2643 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2644 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2645 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2646 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2647 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2648 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2649 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2650 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2651 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2652 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2653 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2654 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2655 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2656 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2659 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2660 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2661 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2662 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2663 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2664 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2665 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2666 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2667 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2668 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2669 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2670 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2671 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2672 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2673 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2674 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2675 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2676 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2677 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2678 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2679 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2680 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2681 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2682 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2683 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2684 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2685 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2686 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2687 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2688 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2689 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2690 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2691 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2692 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2693 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2694 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2696 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2697 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2698 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2699 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2700 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2701 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2702 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2703 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2704 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2705 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2706 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2707 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2708 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2709 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2710 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2711 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2712 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2713 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2714 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2715 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2716 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2717 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2718 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2719 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2720 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2721 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2722 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2723 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2724 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2725 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2726 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2727 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2728 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2729 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2730 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2731 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2732 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2733 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2734 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2735 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2736 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2737 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2738 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2739 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2740 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2741 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2742 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2743 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2744 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2745 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2746 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2747 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2748 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2749 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2750 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2751 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2752 };
2753 unsigned char res[33][2][32] = {
2754 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2755 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2756 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2757 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2758 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2759 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2760 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2761 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2762 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2763 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2764 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2765 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2766 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2767 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2768 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2769 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2770 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2771 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2772 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2773 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2774 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2775 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2776 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2777 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2778 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2779 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2780 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2781 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2782 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2783 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2784 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2785 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2786 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2787 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2788 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2789 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2790 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2791 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2792 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2793 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2794 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2795 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2796 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2797 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2798 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2799 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2800 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2801 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2802 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2803 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2804 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2805 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2806 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2807 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2808 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2809 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2810 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2811 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2812 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2813 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2814 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2815 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2816 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2817 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2818 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2819 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2820 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2821 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2822 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2823 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2824 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2825 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2826 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2827 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2828 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2829 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2830 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2831 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2832 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2833 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2834 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2835 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2836 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2837 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2838 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2839 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2840 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2841 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2842 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2843 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2844 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2845 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2846 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2847 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2848 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2849 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2850 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2851 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2852 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2853 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2854 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2855 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2856 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2857 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2858 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2859 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2860 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2861 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2862 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2863 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2864 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2865 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2866 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2867 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2868 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2869 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2870 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2871 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2872 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2873 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2874 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2875 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2876 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2877 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2878 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2879 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2880 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2881 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2882 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2883 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2884 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2885 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2886 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2887 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2888 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2889 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2890 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2891 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2892 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2893 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2894 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2895 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2896 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2897 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2898 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2899 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2900 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2901 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2902 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2903 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2904 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2905 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2906 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2907 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2908 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2909 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2910 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2911 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2912 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2913 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2914 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2915 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2916 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2917 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2918 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2919 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2920 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2921 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2922 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2923 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2924 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2925 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2926 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2927 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2928 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2929 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2930 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2931 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2932 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2933 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2934 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2935 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2936 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2937 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2938 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2939 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2940 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2941 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2942 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2943 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2944 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2945 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2946 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2947 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2948 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2949 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2950 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2951 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2952 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2953 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2954 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2955 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2956 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2957 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2958 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2959 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2960 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2961 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2962 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2963 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2964 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2965 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2966 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2967 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2968 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2969 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2970 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2971 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2972 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2973 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2974 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2975 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2976 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2977 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2978 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2979 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2980 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2981 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2982 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2983 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2984 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2985 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2986 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2987 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2988 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2989 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2990 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2991 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2992 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2993 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2994 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2995 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2996 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2997 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2998 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2999 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
3000 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
3001 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
3002 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
3003 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
3004 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
3005 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
3006 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
3007 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
3008 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
3009 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
3010 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
3011 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
3012 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
3013 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
3014 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
3015 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
3016 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
3017 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
3018 };
3019 for (i = 0; i < 33; i++) {
3020 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
3021 CHECK(!overflow);
3022 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
3023 CHECK(!overflow);
3024 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
3025 CHECK(!overflow);
3026 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
3027 CHECK(!overflow);
3028 secp256k1_scalar_mul(&z, &x, &y);
3029 CHECK(secp256k1_scalar_eq(&r1, &z));
3030 if (!secp256k1_scalar_is_zero(&y)) {
3031 secp256k1_scalar_inverse(&zz, &y);
3033 CHECK(secp256k1_scalar_eq(&zzv, &zz));
3034 secp256k1_scalar_mul(&z, &z, &zz);
3035 CHECK(secp256k1_scalar_eq(&x, &z));
3036 secp256k1_scalar_mul(&zz, &zz, &y);
3038 }
3039 secp256k1_scalar_mul(&z, &x, &x);
3040 CHECK(secp256k1_scalar_eq(&r2, &z));
3041 }
3042 }
3043}
3044
3045/***** FIELD TESTS *****/
3046
3048 secp256k1_fe r;
3050 if (secp256k1_fe_sqrt(&r, ns)) {
3051 secp256k1_fe_negate(ns, ns, 1);
3052 }
3053}
3054
3055static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
3056 secp256k1_fe an = *a;
3057 secp256k1_fe bn = *b;
3059 return secp256k1_fe_equal(&an, &bn);
3060}
3061
3062static void run_field_convert(void) {
3063 static const unsigned char b32[32] = {
3064 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
3065 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
3066 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
3067 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
3068 };
3070 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
3071 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
3072 );
3073 static const secp256k1_fe fe = SECP256K1_FE_CONST(
3074 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
3075 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
3076 );
3077 secp256k1_fe fe2;
3078 unsigned char b322[32];
3080 /* Check conversions to fe. */
3082 CHECK(secp256k1_fe_equal(&fe, &fe2));
3083 secp256k1_fe_from_storage(&fe2, &fes);
3084 CHECK(secp256k1_fe_equal(&fe, &fe2));
3085 /* Check conversion from fe. */
3086 secp256k1_fe_get_b32(b322, &fe);
3087 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
3088 secp256k1_fe_to_storage(&fes2, &fe);
3089 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
3090}
3091
3092static void run_field_be32_overflow(void) {
3093 {
3094 static const unsigned char zero_overflow[32] = {
3095 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3096 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3097 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3098 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
3099 };
3100 static const unsigned char zero[32] = { 0x00 };
3101 unsigned char out[32];
3102 secp256k1_fe fe;
3103 CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
3104 secp256k1_fe_set_b32_mod(&fe, zero_overflow);
3107 CHECK(secp256k1_fe_is_zero(&fe) == 1);
3109 CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
3110 }
3111 {
3112 static const unsigned char one_overflow[32] = {
3113 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3114 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3115 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3116 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
3117 };
3118 static const unsigned char one[32] = {
3119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3120 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3121 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3123 };
3124 unsigned char out[32];
3125 secp256k1_fe fe;
3126 CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
3127 secp256k1_fe_set_b32_mod(&fe, one_overflow);
3131 CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
3132 }
3133 {
3134 static const unsigned char ff_overflow[32] = {
3135 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3136 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3137 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3138 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3139 };
3140 static const unsigned char ff[32] = {
3141 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3142 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3143 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3144 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
3145 };
3146 unsigned char out[32];
3147 secp256k1_fe fe;
3148 const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
3149 CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
3150 secp256k1_fe_set_b32_mod(&fe, ff_overflow);
3152 CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
3154 CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
3155 }
3156}
3157
3158/* Returns true if two field elements have the same representation. */
3159static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
3160 int ret = 1;
3161 /* Compare the struct member that holds the limbs. */
3162 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
3163 return ret;
3164}
3165
3166static void run_field_half(void) {
3167 secp256k1_fe t, u;
3168 int m;
3169
3170 /* Check magnitude 0 input */
3173#ifdef VERIFY
3174 CHECK(t.magnitude == 1);
3175 CHECK(t.normalized == 0);
3176#endif
3178
3179 /* Check non-zero magnitudes in the supported range */
3180 for (m = 1; m < 32; m++) {
3181 /* Check max-value input */
3183
3184 u = t;
3186#ifdef VERIFY
3187 CHECK(u.magnitude == (m >> 1) + 1);
3188 CHECK(u.normalized == 0);
3189#endif
3191 secp256k1_fe_add(&u, &u);
3192 CHECK(fe_equal(&t, &u));
3193
3194 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
3195 * which will also cause all carries to be 1, since all limbs that can
3196 * generate a carry are initially even and all limbs of P are odd in
3197 * every existing field implementation. */
3199 CHECK(t.n[0] > 0);
3200 CHECK((t.n[0] & 1) == 0);
3201 --t.n[0];
3202
3203 u = t;
3205#ifdef VERIFY
3206 CHECK(u.magnitude == (m >> 1) + 1);
3207 CHECK(u.normalized == 0);
3208#endif
3210 secp256k1_fe_add(&u, &u);
3211 CHECK(fe_equal(&t, &u));
3212 }
3213}
3214
3215static void run_field_misc(void) {
3216 secp256k1_fe x;
3217 secp256k1_fe y;
3218 secp256k1_fe z;
3219 secp256k1_fe q;
3220 int v;
3221 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3222 int i, j;
3223 for (i = 0; i < 1000 * COUNT; i++) {
3224 secp256k1_fe_storage xs, ys, zs;
3225 if (i & 1) {
3227 } else {
3229 }
3231 v = testrand_bits(15);
3232 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3233 secp256k1_fe_set_int(&q, v); /* q = v */
3234 z = x; /* z = x */
3235 secp256k1_fe_add(&z, &q); /* z = x+v */
3236 q = x; /* q = x */
3237 secp256k1_fe_add_int(&q, v); /* q = x+v */
3238 CHECK(fe_equal(&q, &z));
3239 /* Test the fe equality and comparison operations. */
3240 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3241 CHECK(secp256k1_fe_equal(&x, &x));
3242 z = x;
3243 secp256k1_fe_add(&z,&y);
3244 /* Test fe conditional move; z is not normalized here. */
3245 q = x;
3246 secp256k1_fe_cmov(&x, &z, 0);
3247#ifdef VERIFY
3248 CHECK(!x.normalized);
3249 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3250 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3251#endif
3252 x = q;
3253 secp256k1_fe_cmov(&x, &x, 1);
3254 CHECK(!fe_identical(&x, &z));
3255 CHECK(fe_identical(&x, &q));
3256 secp256k1_fe_cmov(&q, &z, 1);
3257#ifdef VERIFY
3258 CHECK(!q.normalized);
3259 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3260 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3261#endif
3262 CHECK(fe_identical(&q, &z));
3263 q = z;
3266 CHECK(!secp256k1_fe_equal(&x, &z));
3268 secp256k1_fe_cmov(&q, &z, (i&1));
3269#ifdef VERIFY
3270 CHECK(q.normalized && q.magnitude == 1);
3271#endif
3272 for (j = 0; j < 6; j++) {
3273 secp256k1_fe_negate_unchecked(&z, &z, j+1);
3275 secp256k1_fe_cmov(&q, &z, (j&1));
3276#ifdef VERIFY
3277 CHECK(!q.normalized && q.magnitude == z.magnitude);
3278#endif
3279 }
3281 /* Test storage conversion and conditional moves. */
3282 secp256k1_fe_to_storage(&xs, &x);
3283 secp256k1_fe_to_storage(&ys, &y);
3284 secp256k1_fe_to_storage(&zs, &z);
3285 secp256k1_fe_storage_cmov(&zs, &xs, 0);
3286 secp256k1_fe_storage_cmov(&zs, &zs, 1);
3287 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3288 secp256k1_fe_storage_cmov(&ys, &xs, 1);
3289 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3293 /* Test that mul_int, mul, and add agree. */
3294 secp256k1_fe_add(&y, &x);
3295 secp256k1_fe_add(&y, &x);
3296 z = x;
3297 secp256k1_fe_mul_int(&z, 3);
3298 CHECK(fe_equal(&y, &z));
3299 secp256k1_fe_add(&y, &x);
3300 secp256k1_fe_add(&z, &x);
3301 CHECK(fe_equal(&z, &y));
3302 z = x;
3303 secp256k1_fe_mul_int(&z, 5);
3304 secp256k1_fe_mul(&q, &x, &fe5);
3305 CHECK(fe_equal(&z, &q));
3306 secp256k1_fe_negate(&x, &x, 1);
3307 secp256k1_fe_add(&z, &x);
3308 secp256k1_fe_add(&q, &x);
3309 CHECK(fe_equal(&y, &z));
3310 CHECK(fe_equal(&q, &y));
3311 /* Check secp256k1_fe_half. */
3312 z = x;
3314 secp256k1_fe_add(&z, &z);
3315 CHECK(fe_equal(&x, &z));
3316 secp256k1_fe_add(&z, &z);
3318 CHECK(fe_equal(&x, &z));
3319 }
3320}
3321
3322static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3323{
3324 secp256k1_fe c, an, bn;
3325 /* Variables in BE 32-byte format. */
3326 unsigned char a32[32], b32[32], c32[32];
3327 /* Variables in LE 16x uint16_t format. */
3328 uint16_t a16[16], b16[16], c16[16];
3329 /* Field modulus in LE 16x uint16_t format. */
3330 static const uint16_t m16[16] = {
3331 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3332 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3333 };
3334 uint16_t t16[32];
3335 int i;
3336
3337 /* Compute C = A * B in fe format. */
3338 c = *a;
3339 if (use_sqr) {
3340 secp256k1_fe_sqr(&c, &c);
3341 } else {
3342 secp256k1_fe_mul(&c, &c, b);
3343 }
3344
3345 /* Convert A, B, C into LE 16x uint16_t format. */
3346 an = *a;
3347 bn = *b;
3351 secp256k1_fe_get_b32(a32, &an);
3352 secp256k1_fe_get_b32(b32, &bn);
3353 secp256k1_fe_get_b32(c32, &c);
3354 for (i = 0; i < 16; ++i) {
3355 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3356 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3357 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3358 }
3359 /* Compute T = A * B in LE 16x uint16_t format. */
3360 mulmod256(t16, a16, b16, m16);
3361 /* Compare */
3362 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3363}
3364
3365static void run_fe_mul(void) {
3366 int i;
3367 for (i = 0; i < 100 * COUNT; ++i) {
3368 secp256k1_fe a, b, c, d;
3377 test_fe_mul(&a, &a, 1);
3378 test_fe_mul(&c, &c, 1);
3379 test_fe_mul(&a, &b, 0);
3380 test_fe_mul(&a, &c, 0);
3381 test_fe_mul(&c, &b, 0);
3382 test_fe_mul(&c, &d, 0);
3383 }
3384}
3385
3386static void run_sqr(void) {
3387 int i;
3388 secp256k1_fe x, y, lhs, rhs, tmp;
3389
3390 secp256k1_fe_set_int(&x, 1);
3391 secp256k1_fe_negate(&x, &x, 1);
3392
3393 for (i = 1; i <= 512; ++i) {
3394 secp256k1_fe_mul_int(&x, 2);
3396
3397 /* Check that (x+y)*(x-y) = x^2 - y*2 for some random values y */
3399
3400 lhs = x;
3401 secp256k1_fe_add(&lhs, &y); /* lhs = x+y */
3402 secp256k1_fe_negate(&tmp, &y, 1); /* tmp = -y */
3403 secp256k1_fe_add(&tmp, &x); /* tmp = x-y */
3404 secp256k1_fe_mul(&lhs, &lhs, &tmp); /* lhs = (x+y)*(x-y) */
3405
3406 secp256k1_fe_sqr(&rhs, &x); /* rhs = x^2 */
3407 secp256k1_fe_sqr(&tmp, &y); /* tmp = y^2 */
3408 secp256k1_fe_negate(&tmp, &tmp, 1); /* tmp = -y^2 */
3409 secp256k1_fe_add(&rhs, &tmp); /* rhs = x^2 - y^2 */
3410
3411 CHECK(fe_equal(&lhs, &rhs));
3412 }
3413}
3414
3415static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3416 secp256k1_fe r1, r2;
3417 int v = secp256k1_fe_sqrt(&r1, a);
3418 CHECK((v == 0) == (k == NULL));
3419
3420 if (k != NULL) {
3421 /* Check that the returned root is +/- the given known answer */
3422 secp256k1_fe_negate(&r2, &r1, 1);
3423 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3426 }
3427}
3428
3429static void run_sqrt(void) {
3430 secp256k1_fe ns, x, s, t;
3431 int i;
3432
3433 /* Check sqrt(0) is 0 */
3434 secp256k1_fe_set_int(&x, 0);
3435 secp256k1_fe_sqr(&s, &x);
3436 test_sqrt(&s, &x);
3437
3438 /* Check sqrt of small squares (and their negatives) */
3439 for (i = 1; i <= 100; i++) {
3440 secp256k1_fe_set_int(&x, i);
3441 secp256k1_fe_sqr(&s, &x);
3442 test_sqrt(&s, &x);
3443 secp256k1_fe_negate(&t, &s, 1);
3444 test_sqrt(&t, NULL);
3445 }
3446
3447 /* Consistency checks for large random values */
3448 for (i = 0; i < 10; i++) {
3449 int j;
3451 for (j = 0; j < COUNT; j++) {
3453 secp256k1_fe_sqr(&s, &x);
3455 test_sqrt(&s, &x);
3456 secp256k1_fe_negate(&t, &s, 1);
3458 test_sqrt(&t, NULL);
3459 secp256k1_fe_mul(&t, &s, &ns);
3460 test_sqrt(&t, NULL);
3461 }
3462 }
3463}
3464
3465/***** FIELD/SCALAR INVERSE TESTS *****/
3466
3468 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3469 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3470);
3471
3473 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3474 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3475);
3476
3477/* These tests test the following identities:
3478 *
3479 * for x==0: 1/x == 0
3480 * for x!=0: x*(1/x) == 1
3481 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3482 */
3483
3485{
3486 secp256k1_scalar l, r, t;
3487
3488 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3489 if (out) *out = l;
3490 if (secp256k1_scalar_is_zero(x)) {
3492 return;
3493 }
3494 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3495 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3496 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3497 if (secp256k1_scalar_is_zero(&r)) return;
3498 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3499 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3500 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3501 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3502 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3503 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3504}
3505
3506static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3507{
3508 secp256k1_fe l, r, t;
3509
3510 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3511 if (out) *out = l;
3512 t = *x; /* t = x */
3515 return;
3516 }
3517 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3518 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3519 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3520 r = *x; /* r = x */
3521 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3523 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3524 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3525 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3526 secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3527 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3529}
3530
3531static void run_inverse_tests(void)
3532{
3533 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3534 static const secp256k1_fe fe_cases[][2] = {
3535 /* 0 */
3536 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3537 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3538 /* 1 */
3539 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3540 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3541 /* -1 */
3542 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3543 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3544 /* 2 */
3545 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3546 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3547 /* 2**128 */
3548 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3549 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3550 /* Input known to need 637 divsteps */
3551 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3552 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3553 /* Input known to need 567 divsteps starting with delta=1/2. */
3554 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3555 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3556 /* Input known to need 566 divsteps starting with delta=1/2. */
3557 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3558 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3559 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3560 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3561 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3562 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3563 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3564 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3565 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3566 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3567 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3568 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3569 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3570 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3571 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3572 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3573 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3574 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3575 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3576 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3577 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3578 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3579 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3580 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3581 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3582 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3583 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3584 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3585 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3586 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3587 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3588 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3589 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3590 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3591 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3592 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3593 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3594 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3595 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3596 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3597 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3598 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3599 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3600 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3601 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3602 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3603 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3604 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3605 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3606 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3607 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3608 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3609 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3610 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3611 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3612 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3613 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3614 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3615 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3616 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3617 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3618 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3619 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3620 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3621 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3622 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3623 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3624 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3625 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3626 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3627 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3628 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3629 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3630 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3631 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3632 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3633 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3634 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3635 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3636 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3637 };
3638 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3639 static const secp256k1_scalar scalar_cases[][2] = {
3640 /* 0 */
3641 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3642 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3643 /* 1 */
3644 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3645 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3646 /* -1 */
3647 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3648 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3649 /* 2 */
3650 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3651 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3652 /* 2**128 */
3653 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3654 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3655 /* Input known to need 635 divsteps */
3656 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3657 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3658 /* Input known to need 566 divsteps starting with delta=1/2. */
3659 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3660 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3661 /* Input known to need 565 divsteps starting with delta=1/2. */
3662 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3663 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3664 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3665 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3666 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3667 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3668 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3669 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3670 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3671 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3672 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3673 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3674 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3675 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3676 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3677 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3678 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3679 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3680 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3681 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3682 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3683 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3684 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3685 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3686 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3687 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3688 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3689 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3690 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3691 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3692 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3693 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3694 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3695 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3696 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3697 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3698 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3699 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3700 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3701 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3702 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3703 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3704 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3705 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3706 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3707 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3708 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3709 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3710 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3711 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3712 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3713 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3714 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3715 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3716 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3717 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3718 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3719 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3720 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3721 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3722 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3723 };
3724 int i, var, testrand;
3725 unsigned char b32[32];
3726 secp256k1_fe x_fe;
3727 secp256k1_scalar x_scalar;
3728 memset(b32, 0, sizeof(b32));
3729 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3730 for (i = 0; (size_t)i < ARRAY_SIZE(fe_cases); ++i) {
3731 for (var = 0; var <= 1; ++var) {
3732 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3733 CHECK(fe_equal(&x_fe, &fe_cases[i][1]));
3734 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3735 CHECK(fe_equal(&x_fe, &fe_cases[i][0]));
3736 }
3737 }
3738 for (i = 0; (size_t)i < ARRAY_SIZE(scalar_cases); ++i) {
3739 for (var = 0; var <= 1; ++var) {
3740 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3741 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3742 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3743 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3744 }
3745 }
3746 /* Test inputs 0..999 and their respective negations. */
3747 for (i = 0; i < 1000; ++i) {
3748 b32[31] = i & 0xff;
3749 b32[30] = (i >> 8) & 0xff;
3750 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3751 secp256k1_fe_set_b32_mod(&x_fe, b32);
3752 for (var = 0; var <= 1; ++var) {
3753 test_inverse_scalar(NULL, &x_scalar, var);
3754 test_inverse_field(NULL, &x_fe, var);
3755 }
3756 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3757 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3758 for (var = 0; var <= 1; ++var) {
3759 test_inverse_scalar(NULL, &x_scalar, var);
3760 test_inverse_field(NULL, &x_fe, var);
3761 }
3762 }
3763 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3764 for (testrand = 0; testrand <= 1; ++testrand) {
3765 for (i = 0; i < 64 * COUNT; ++i) {
3766 (testrand ? testrand256_test : testrand256)(b32);
3767 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3768 secp256k1_fe_set_b32_mod(&x_fe, b32);
3769 for (var = 0; var <= 1; ++var) {
3770 test_inverse_scalar(NULL, &x_scalar, var);
3771 test_inverse_field(NULL, &x_fe, var);
3772 }
3773 }
3774 }
3775}
3776
3777/***** HSORT TESTS *****/
3778
3779static void test_heap_swap(void) {
3780 unsigned char a[600];
3781 unsigned char e[sizeof(a)];
3782 memset(a, 21, 200);
3783 memset(a + 200, 99, 200);
3784 memset(a + 400, 42, 200);
3785 memset(e, 42, 200);
3786 memset(e + 200, 99, 200);
3787 memset(e + 400, 21, 200);
3788 secp256k1_heap_swap(a, 0, 2, 200);
3789 CHECK(secp256k1_memcmp_var(a, e, sizeof(a)) == 0);
3790}
3791
3792static void test_hsort_is_sorted(unsigned char *elements, size_t n, size_t len) {
3793 size_t i;
3794 for (i = 1; i < n; i++) {
3795 CHECK(secp256k1_memcmp_var(&elements[(i-1) * len], &elements[i * len], len) <= 0);
3796 }
3797}
3798
3800 size_t counter;
3802};
3803
3804
3805static int test_hsort_cmp(const void *ele1, const void *ele2, void *data) {
3806 struct test_hsort_cmp_data *d = (struct test_hsort_cmp_data *) data;
3807 d->counter += 1;
3808 return secp256k1_memcmp_var((unsigned char *)ele1, (unsigned char *)ele2, d->element_len);
3809}
3810
3811#define NUM 65
3812#define MAX_ELEMENT_LEN 65
3813static void test_hsort(size_t element_len) {
3814 unsigned char elements[NUM * MAX_ELEMENT_LEN] = { 0 };
3816 int i;
3817
3819 data.counter = 0;
3820 data.element_len = element_len;
3821
3823 CHECK(data.counter == 0);
3825 CHECK(data.counter == 0);
3827 CHECK(data.counter >= NUM - 1);
3829
3830 /* Test hsort with array of random length n */
3831 for (i = 0; i < COUNT; i++) {
3832 int n = testrand_int(NUM);
3833 testrand_bytes_test(elements, n*element_len);
3835 test_hsort_is_sorted(elements, n, element_len);
3836 }
3837}
3838#undef NUM
3839#undef MAX_ELEMENT_LEN
3840
3841
3842static void run_hsort_tests(void) {
3844 test_hsort(1);
3845 test_hsort(64);
3846 test_hsort(65);
3847}
3848
3849/***** GROUP TESTS *****/
3850
3851/* This compares jacobian points including their Z, not just their geometric meaning. */
3852static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3853 secp256k1_gej a2;
3854 secp256k1_gej b2;
3855 int ret = 1;
3856 ret &= a->infinity == b->infinity;
3857 if (ret && !a->infinity) {
3858 a2 = *a;
3859 b2 = *b;
3866 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3867 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3868 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3869 }
3870 return ret;
3871}
3872
3873static void test_ge(void) {
3874 int i, i1;
3875 int runs = 6;
3876 /* 25 points are used:
3877 * - infinity
3878 * - for each of four random points p1 p2 p3 p4, we add the point, its
3879 * negation, and then those two again but with randomized Z coordinate.
3880 * - The same is then done for lambda*p1 and lambda^2*p1.
3881 */
3882 secp256k1_ge *ge = checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3883 secp256k1_gej *gej = checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3884 secp256k1_fe zf, r;
3885 secp256k1_fe zfi2, zfi3;
3886
3889 for (i = 0; i < runs; i++) {
3890 int j, k;
3893 if (i >= runs - 2) {
3894 secp256k1_ge_mul_lambda(&g, &ge[1]);
3895 CHECK(!secp256k1_ge_eq_var(&g, &ge[1]));
3896 }
3897 if (i >= runs - 1) {
3899 }
3900 ge[1 + 4 * i] = g;
3901 ge[2 + 4 * i] = g;
3902 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3903 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3904 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3905 testutil_random_ge_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3906 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3907 testutil_random_ge_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3908 for (j = 0; j < 4; j++) {
3909 testutil_random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3910 testutil_random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3911 testutil_random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3912 testutil_random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3913 testutil_random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3914 }
3915
3916 for (j = 0; j < 4; ++j) {
3917 for (k = 0; k < 4; ++k) {
3918 int expect_equal = (j >> 1) == (k >> 1);
3919 CHECK(secp256k1_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3920 CHECK(secp256k1_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal);
3921 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3922 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal);
3923 }
3924 }
3925 }
3926
3927 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3930 secp256k1_fe_inv_var(&zfi3, &zf);
3931 secp256k1_fe_sqr(&zfi2, &zfi3);
3932 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3933
3934 /* Generate random r */
3936
3937 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3938 int i2;
3939 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3940 /* Compute reference result using gej + gej (var). */
3941 secp256k1_gej refj, resj;
3942 secp256k1_ge ref;
3943 secp256k1_fe zr;
3944 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3945 /* Check Z ratio. */
3946 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3947 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3948 CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3949 }
3950 secp256k1_ge_set_gej_var(&ref, &refj);
3951
3952 /* Test gej + ge with Z ratio result (var). */
3953 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3954 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3955 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3956 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3957 CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3958 }
3959
3960 /* Test gej + ge (var, with additional Z factor). */
3961 {
3962 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3963 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3964 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3967 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3968 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3969 }
3970
3971 /* Test gej + ge (const). */
3972 if (i2 != 0) {
3973 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3974 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3975 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3976 }
3977
3978 /* Test doubling (var). */
3979 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3980 secp256k1_fe zr2;
3981 /* Normal doubling with Z ratio result. */
3982 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3983 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3984 /* Check Z ratio. */
3985 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3986 CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3987 /* Normal doubling. */
3988 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3989 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3990 /* Constant-time doubling. */
3991 secp256k1_gej_double(&resj, &gej[i2]);
3992 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3993 }
3994
3995 /* Test adding opposites. */
3996 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3998 }
3999
4000 /* Test adding infinity. */
4001 if (i1 == 0) {
4004 CHECK(secp256k1_gej_eq_ge_var(&gej[i2], &ref));
4005 }
4006 if (i2 == 0) {
4009 CHECK(secp256k1_gej_eq_ge_var(&gej[i1], &ref));
4010 }
4011 }
4012 }
4013
4014 /* Test adding all points together in random order equals infinity. */
4015 {
4017 secp256k1_gej *gej_shuffled = checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
4018 for (i = 0; i < 4 * runs + 1; i++) {
4019 gej_shuffled[i] = gej[i];
4020 }
4021 for (i = 0; i < 4 * runs + 1; i++) {
4022 int swap = i + testrand_int(4 * runs + 1 - i);
4023 if (swap != i) {
4024 secp256k1_gej t = gej_shuffled[i];
4025 gej_shuffled[i] = gej_shuffled[swap];
4026 gej_shuffled[swap] = t;
4027 }
4028 }
4029 for (i = 0; i < 4 * runs + 1; i++) {
4030 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
4031 }
4033 free(gej_shuffled);
4034 }
4035
4036 /* Test batch gej -> ge conversion without known z ratios. */
4037 {
4038 secp256k1_ge *ge_set_all_var = checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
4039 secp256k1_ge *ge_set_all = checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
4040 secp256k1_ge_set_all_gej_var(&ge_set_all_var[0], &gej[0], 4 * runs + 1);
4041 for (i = 0; i < 4 * runs + 1; i++) {
4044 secp256k1_gej_rescale(&gej[i], &s);
4045 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all_var[i]));
4046 }
4047
4048 /* Skip infinity at &gej[0]. */
4049 secp256k1_ge_set_all_gej(&ge_set_all[1], &gej[1], 4 * runs);
4050 for (i = 1; i < 4 * runs + 1; i++) {
4053 secp256k1_gej_rescale(&gej[i], &s);
4054 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all[i]));
4055 CHECK(secp256k1_ge_eq_var(&ge_set_all_var[i], &ge_set_all[i]));
4056 }
4057
4058 /* Test with an array of length 1. */
4059 secp256k1_ge_set_all_gej_var(ge_set_all_var, &gej[1], 1);
4060 secp256k1_ge_set_all_gej(ge_set_all, &gej[1], 1);
4061 CHECK(secp256k1_gej_eq_ge_var(&gej[1], &ge_set_all_var[1]));
4062 CHECK(secp256k1_gej_eq_ge_var(&gej[1], &ge_set_all[1]));
4063 CHECK(secp256k1_ge_eq_var(&ge_set_all_var[1], &ge_set_all[1]));
4064
4065 /* Test with an array of length 0. */
4066 secp256k1_ge_set_all_gej_var(NULL, NULL, 0);
4067 secp256k1_ge_set_all_gej(NULL, NULL, 0);
4068
4069 free(ge_set_all_var);
4070 free(ge_set_all);
4071 }
4072
4073 /* Test that all elements have X coordinates on the curve. */
4074 for (i = 1; i < 4 * runs + 1; i++) {
4075 secp256k1_fe n;
4077 /* And the same holds after random rescaling. */
4078 secp256k1_fe_mul(&n, &zf, &ge[i].x);
4080 }
4081
4082 /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
4083 {
4084 secp256k1_fe n;
4085 secp256k1_ge q;
4086 int ret_on_curve, ret_frac_on_curve, ret_set_xo;
4087 secp256k1_fe_mul(&n, &zf, &r);
4088 ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
4089 ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
4090 ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
4091 CHECK(ret_on_curve == ret_frac_on_curve);
4092 CHECK(ret_on_curve == ret_set_xo);
4093 if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
4094 }
4095
4096 /* Test batch gej -> ge conversion with many infinities. */
4097 for (i = 0; i < 4 * runs + 1; i++) {
4098 int odd;
4100 odd = secp256k1_fe_is_odd(&ge[i].x);
4101 CHECK(odd == 0 || odd == 1);
4102 /* randomly set half the points to infinity */
4103 if (odd == i % 2) {
4105 }
4106 secp256k1_gej_set_ge(&gej[i], &ge[i]);
4107 }
4108 /* batch convert */
4109 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
4110 /* check result */
4111 for (i = 0; i < 4 * runs + 1; i++) {
4112 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge[i]));
4113 }
4114
4115 /* Test batch gej -> ge conversion with all infinities. */
4116 for (i = 0; i < 4 * runs + 1; i++) {
4118 }
4119 /* batch convert */
4120 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
4121 /* check result */
4122 for (i = 0; i < 4 * runs + 1; i++) {
4124 }
4125
4126 free(ge);
4127 free(gej);
4128}
4129
4130static void test_initialized_inf(void) {
4131 secp256k1_ge p;
4132 secp256k1_gej pj, npj, infj1, infj2, infj3;
4133 secp256k1_fe zinv;
4134
4135 /* Test that adding P+(-P) results in a fully initialized infinity*/
4137 secp256k1_gej_set_ge(&pj, &p);
4138 secp256k1_gej_neg(&npj, &pj);
4139
4140 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
4142 CHECK(secp256k1_fe_is_zero(&infj1.x));
4143 CHECK(secp256k1_fe_is_zero(&infj1.y));
4144 CHECK(secp256k1_fe_is_zero(&infj1.z));
4145
4146 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
4148 CHECK(secp256k1_fe_is_zero(&infj2.x));
4149 CHECK(secp256k1_fe_is_zero(&infj2.y));
4150 CHECK(secp256k1_fe_is_zero(&infj2.z));
4151
4152 secp256k1_fe_set_int(&zinv, 1);
4153 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
4155 CHECK(secp256k1_fe_is_zero(&infj3.x));
4156 CHECK(secp256k1_fe_is_zero(&infj3.y));
4157 CHECK(secp256k1_fe_is_zero(&infj3.z));
4158
4159
4160}
4161
4162static void test_add_neg_y_diff_x(void) {
4163 /* The point of this test is to check that we can add two points
4164 * whose y-coordinates are negatives of each other but whose x
4165 * coordinates differ. If the x-coordinates were the same, these
4166 * points would be negatives of each other and their sum is
4167 * infinity. This is cool because it "covers up" any degeneracy
4168 * in the addition algorithm that would cause the xy coordinates
4169 * of the sum to be wrong (since infinity has no xy coordinates).
4170 * HOWEVER, if the x-coordinates are different, infinity is the
4171 * wrong answer, and such degeneracies are exposed. This is the
4172 * root of https://github.com/bitcoin-core/secp256k1/issues/257
4173 * which this test is a regression test for.
4174 *
4175 * These points were generated in sage as
4176 *
4177 * load("secp256k1_params.sage")
4178 *
4179 * # random "bad pair"
4180 * P = C.random_element()
4181 * Q = -int(LAMBDA) * P
4182 * print(" P: %x %x" % P.xy())
4183 * print(" Q: %x %x" % Q.xy())
4184 * print("P + Q: %x %x" % (P + Q).xy())
4185 */
4187 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
4188 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
4189 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
4190 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
4191 );
4193 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
4194 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
4195 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
4196 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
4197 );
4199 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
4200 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
4201 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
4202 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
4203 );
4204 secp256k1_ge b;
4205 secp256k1_gej resj;
4206 secp256k1_ge res;
4207 secp256k1_ge_set_gej(&b, &bj);
4208
4209 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4210 secp256k1_ge_set_gej(&res, &resj);
4211 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4212
4213 secp256k1_gej_add_ge(&resj, &aj, &b);
4214 secp256k1_ge_set_gej(&res, &resj);
4215 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4216
4217 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4218 secp256k1_ge_set_gej(&res, &resj);
4219 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4220}
4221
4222static void test_ge_bytes(void) {
4223 int i;
4224
4225 for (i = 0; i < COUNT + 1; i++) {
4226 unsigned char buf[64];
4227 secp256k1_ge p, q;
4228
4229 if (i == 0) {
4231 } else {
4233 }
4234
4235 if (!secp256k1_ge_is_infinity(&p)) {
4236 secp256k1_ge_to_bytes(buf, &p);
4237
4238 secp256k1_ge_from_bytes(&q, buf);
4239 CHECK(secp256k1_ge_eq_var(&p, &q));
4240
4242 CHECK(secp256k1_ge_eq_var(&p, &q));
4243 }
4246 CHECK(secp256k1_ge_eq_var(&p, &q));
4247 }
4248}
4249
4250static void run_ge(void) {
4251 int i;
4252 for (i = 0; i < COUNT * 32; i++) {
4253 test_ge();
4254 }
4257 test_ge_bytes();
4258}
4259
4260static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4261 secp256k1_gej t = *a;
4262 secp256k1_gej_cmov(&t, b, 0);
4264 secp256k1_gej_cmov(&t, b, 1);
4266}
4267
4268static void run_gej(void) {
4269 int i;
4270 secp256k1_gej a, b;
4271
4272 /* Tests for secp256k1_gej_cmov */
4273 for (i = 0; i < COUNT; i++) {
4276 test_gej_cmov(&a, &b);
4277
4279 test_gej_cmov(&a, &b);
4280 test_gej_cmov(&b, &a);
4281
4282 b = a;
4283 test_gej_cmov(&a, &b);
4284
4286 test_gej_cmov(&a, &b);
4287 test_gej_cmov(&b, &a);
4288 }
4289
4290 /* Tests for secp256k1_gej_eq_var */
4291 for (i = 0; i < COUNT; i++) {
4292 secp256k1_fe fe;
4295 CHECK(!secp256k1_gej_eq_var(&a, &b));
4296
4297 b = a;
4299 secp256k1_gej_rescale(&a, &fe);
4300 CHECK(secp256k1_gej_eq_var(&a, &b));
4301 }
4302}
4303
4304static void test_ec_combine(void) {
4307 const secp256k1_pubkey* d[6];
4309 secp256k1_pubkey sd2;
4310 secp256k1_ge Q;
4311 int i;
4312 for (i = 1; i <= 6; i++) {
4317 secp256k1_pubkey_save(&data[i - 1], &Q);
4318 d[i - 1] = &data[i - 1];
4320 secp256k1_pubkey_save(&sd, &Q);
4321 CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4322 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4323 }
4324}
4325
4326static void run_ec_combine(void) {
4327 int i;
4328 for (i = 0; i < COUNT * 8; i++) {
4330 }
4331}
4332
4334 /* The input itself, normalized. */
4335 secp256k1_fe fex = *x;
4336 /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
4337 secp256k1_ge ge_even, ge_odd;
4338 /* Return values of the above calls. */
4339 int res_even, res_odd;
4340
4342
4343 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4344 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4345
4346 CHECK(res_even == res_odd);
4347
4348 if (res_even) {
4350 secp256k1_fe_normalize_var(&ge_even.x);
4352 secp256k1_fe_normalize_var(&ge_even.y);
4353
4354 /* No infinity allowed. */
4355 CHECK(!secp256k1_ge_is_infinity(&ge_even));
4357
4358 /* Check that the x coordinates check out. */
4359 CHECK(secp256k1_fe_equal(&ge_even.x, x));
4360 CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4361
4362 /* Check odd/even Y in ge_odd, ge_even. */
4363 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4364 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4365 }
4366}
4367
4368static void run_group_decompress(void) {
4369 int i;
4370 for (i = 0; i < COUNT * 4; i++) {
4371 secp256k1_fe fe;
4374 }
4375}
4376
4377/***** ECMULT TESTS *****/
4378
4379static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4380 /* Tests the pre_g / pre_g_128 tables for consistency.
4381 * For independent verification we take a "geometric" approach to verification.
4382 * We check that every entry is on-curve.
4383 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4384 * (1) p, gg, and -q are colinear.
4385 * (2) p, gg, and -q are all distinct.
4386 * where gg is twice the generator, where the generator is the first table entry.
4387 *
4388 * Checking the table's generators are correct is done in run_ecmult_pre_g.
4389 */
4390 secp256k1_gej g2;
4391 secp256k1_ge p, q, gg;
4392 secp256k1_fe dpx, dpy, dqx, dqy;
4393 size_t i;
4394
4395 CHECK(0 < n);
4396
4397 secp256k1_ge_from_storage(&p, &pre_g[0]);
4399
4400 secp256k1_gej_set_ge(&g2, &p);
4401 secp256k1_gej_double_var(&g2, &g2, NULL);
4402 secp256k1_ge_set_gej_var(&gg, &g2);
4403 for (i = 1; i < n; ++i) {
4404 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4405 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4406 /* Check that p is not equal to gg */
4408
4409 secp256k1_ge_from_storage(&q, &pre_g[i]);
4411
4412 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4413 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4414 /* Check that -q is not equal to gg */
4416
4417 /* Check that -q is not equal to p */
4418 CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4419
4420 /* Check that p, -q and gg are colinear */
4421 secp256k1_fe_mul(&dpx, &dpx, &dqy);
4422 secp256k1_fe_mul(&dpy, &dpy, &dqx);
4423 CHECK(secp256k1_fe_equal(&dpx, &dpy));
4424
4425 p = q;
4426 }
4427}
4428
4429static void run_ecmult_pre_g(void) {
4431 secp256k1_gej gj;
4433 size_t i;
4434
4435 /* Check that the pre_g and pre_g_128 tables are consistent. */
4438
4439 /* Check the first entry from the pre_g table. */
4441 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4442
4443 /* Check the first entry from the pre_g_128 table. */
4445 for (i = 0; i < 128; ++i) {
4446 secp256k1_gej_double_var(&gj, &gj, NULL);
4447 }
4448 secp256k1_ge_set_gej(&g, &gj);
4450 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4451}
4452
4453static void run_ecmult_chain(void) {
4454 /* random starting point A (on the curve) */
4456 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4457 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4458 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4459 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4460 );
4461 /* two random initial factors xn and gn */
4463 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4464 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4465 );
4467 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4468 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4469 );
4470 /* two small multipliers to be applied to xn and gn in every iteration: */
4471 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4472 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4473 /* accumulators with the resulting coefficients to A and G */
4476 /* actual points */
4477 secp256k1_gej x;
4478 secp256k1_gej x2;
4479 int i;
4480
4481 /* the point being computed */
4482 x = a;
4483 for (i = 0; i < 200*COUNT; i++) {
4484 /* in each iteration, compute X = xn*X + gn*G; */
4485 secp256k1_ecmult(&x, &x, &xn, &gn);
4486 /* also compute ae and ge: the actual accumulated factors for A and G */
4487 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4488 secp256k1_scalar_mul(&ae, &ae, &xn);
4489 secp256k1_scalar_mul(&ge, &ge, &xn);
4490 secp256k1_scalar_add(&ge, &ge, &gn);
4491 /* modify xn and gn */
4492 secp256k1_scalar_mul(&xn, &xn, &xf);
4493 secp256k1_scalar_mul(&gn, &gn, &gf);
4494
4495 /* verify */
4496 if (i == 19999) {
4497 /* expected result after 19999 iterations */
4499 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4500 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4501 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4502 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4503 );
4504 CHECK(secp256k1_gej_eq_var(&rp, &x));
4505 }
4506 }
4507 /* redo the computation, but directly with the resulting ae and ge coefficients: */
4508 secp256k1_ecmult(&x2, &a, &ae, &ge);
4509 CHECK(secp256k1_gej_eq_var(&x, &x2));
4510}
4511
4512static void test_point_times_order(const secp256k1_gej *point) {
4513 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4516 secp256k1_gej res1, res2;
4517 secp256k1_ge res3;
4519 secp256k1_scalar_negate(&nx, &x);
4520 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4521 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4522 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4524 secp256k1_ge_set_gej(&res3, &res1);
4526 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4527 /* check zero/one edge cases */
4529 secp256k1_ecmult(&res2, point, &secp256k1_scalar_zero, NULL);
4530 secp256k1_ge_set_gej(&res3, &res1);
4534
4536 secp256k1_ecmult(&res2, point, &secp256k1_scalar_one, NULL);
4537 secp256k1_ge_set_gej(&res3, &res1);
4538 CHECK(secp256k1_gej_eq_ge_var(point, &res3));
4539 secp256k1_ge_set_gej(&res3, &res2);
4540 CHECK(secp256k1_gej_eq_ge_var(point, &res3));
4541
4543 secp256k1_ge_set_gej(&res3, &res1);
4545}
4546
4547/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4548 *
4549 * They are computed as:
4550 * - For a in [-2, -1, 0, 1, 2]:
4551 * - For b in [-3, -1, 1, 3]:
4552 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4553 */
4555 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4556 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4557 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4558 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4559 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4560 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4561 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4562 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4563 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4564 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4565 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4566 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4567 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4568 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4569 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4570 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4571 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4572 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4573 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4574 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4575};
4576
4577static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4578 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4579 secp256k1_scalar n1, n2;
4580 secp256k1_ge p;
4581 secp256k1_gej pj, p1j, p2j, ptj;
4582
4583 /* Generate random n1,n2 such that n1+n2 = -target. */
4585 secp256k1_scalar_add(&n2, &n1, target);
4586 secp256k1_scalar_negate(&n2, &n2);
4587
4588 /* Generate a random input point. */
4589 if (mode != 0) {
4591 secp256k1_gej_set_ge(&pj, &p);
4592 }
4593
4594 /* EC multiplications */
4595 if (mode == 0) {
4599 } else if (mode == 1) {
4600 secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4601 secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4602 secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4603 } else {
4604 secp256k1_ecmult_const(&p1j, &p, &n1);
4605 secp256k1_ecmult_const(&p2j, &p, &n2);
4606 secp256k1_ecmult_const(&ptj, &p, target);
4607 }
4608
4609 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4610 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4611 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4613}
4614
4616 int i;
4617 unsigned j;
4618 for (i = 0; i < 4*COUNT; ++i) {
4619 for (j = 0; j < ARRAY_SIZE(scalars_near_split_bounds); ++j) {
4623 }
4624 }
4625}
4626
4627static void run_point_times_order(void) {
4628 int i;
4629 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4630 static const secp256k1_fe xr = SECP256K1_FE_CONST(
4631 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4632 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4633 );
4634 for (i = 0; i < 500; i++) {
4635 secp256k1_ge p;
4636 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4637 secp256k1_gej j;
4639 secp256k1_gej_set_ge(&j, &p);
4641 }
4642 secp256k1_fe_sqr(&x, &x);
4643 }
4645 CHECK(secp256k1_fe_equal(&x, &xr));
4646}
4647
4648static void ecmult_const_random_mult(void) {
4649 /* random starting point A (on the curve) */
4651 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4652 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4653 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4654 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4655 );
4656 /* random initial factor xn */
4658 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4659 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4660 );
4661 /* expected xn * A (from sage) */
4662 secp256k1_ge expected_b = SECP256K1_GE_CONST(
4663 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4664 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4665 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4666 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4667 );
4668 secp256k1_gej b;
4669 secp256k1_ecmult_const(&b, &a, &xn);
4670
4672 CHECK(secp256k1_gej_eq_ge_var(&b, &expected_b));
4673}
4674
4678 secp256k1_gej res1;
4679 secp256k1_gej res2;
4680 secp256k1_ge mid1;
4681 secp256k1_ge mid2;
4684
4687 secp256k1_ge_set_gej(&mid1, &res1);
4688 secp256k1_ge_set_gej(&mid2, &res2);
4689 secp256k1_ecmult_const(&res1, &mid1, &b);
4690 secp256k1_ecmult_const(&res2, &mid2, &a);
4691 secp256k1_ge_set_gej(&mid1, &res1);
4692 secp256k1_ge_set_gej(&mid2, &res2);
4693 CHECK(secp256k1_ge_eq_var(&mid1, &mid2));
4694}
4695
4698 secp256k1_scalar negone;
4699 secp256k1_gej res1;
4700 secp256k1_ge res2;
4701 secp256k1_ge point;
4702 secp256k1_ge inf;
4703
4708
4709 /* 0*point */
4712
4713 /* s*inf */
4714 secp256k1_ecmult_const(&res1, &inf, &s);
4716
4717 /* 1*point */
4719 secp256k1_ge_set_gej(&res2, &res1);
4720 CHECK(secp256k1_ge_eq_var(&res2, &point));
4721
4722 /* -1*point */
4723 secp256k1_ecmult_const(&res1, &point, &negone);
4724 secp256k1_gej_neg(&res1, &res1);
4725 secp256k1_ge_set_gej(&res2, &res1);
4726 CHECK(secp256k1_ge_eq_var(&res2, &point));
4727}
4728
4729static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) {
4730 secp256k1_gej pointj, res2j;
4731 secp256k1_ge res2;
4732 secp256k1_gej_set_ge(&pointj, A);
4733 secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero);
4734 secp256k1_ge_set_gej(&res2, &res2j);
4735 CHECK(secp256k1_gej_eq_ge_var(res, &res2));
4736}
4737
4738static void ecmult_const_edges(void) {
4740 secp256k1_ge point;
4741 secp256k1_gej res;
4742 size_t i;
4743 size_t cases = 1 + ARRAY_SIZE(scalars_near_split_bounds);
4744
4745 /* We are trying to reach the following edge cases (variables are defined as
4746 * in ecmult_const_impl.h):
4747 * 1. i = 0: s = 0 <=> q = -K
4748 * 2. i > 0: v1, v2 large values
4749 * <=> s1, s2 large values
4750 * <=> s = scalars_near_split_bounds[i]
4751 * <=> q = 2*scalars_near_split_bounds[i] - K
4752 */
4753 for (i = 0; i < cases; ++i) {
4755 if (i > 0) {
4758 }
4760 secp256k1_ecmult_const(&res, &point, &q);
4761 ecmult_const_check_result(&point, &q, &res);
4762 }
4763}
4764
4765static void ecmult_const_mult_xonly(void) {
4766 int i;
4767
4768 /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4769 for (i = 0; i < 2*COUNT; ++i) {
4770 secp256k1_ge base;
4771 secp256k1_gej basej, resj;
4772 secp256k1_fe n, d, resx, v;
4774 int res;
4775 /* Random base point. */
4777 /* Random scalar to multiply it with. */
4779 /* If i is odd, n=d*base.x for random non-zero d */
4780 if (i & 1) {
4782 secp256k1_fe_mul(&n, &base.x, &d);
4783 } else {
4784 n = base.x;
4785 }
4786 /* Perform x-only multiplication. */
4787 res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4788 CHECK(res);
4789 /* Perform normal multiplication. */
4790 secp256k1_gej_set_ge(&basej, &base);
4791 secp256k1_ecmult(&resj, &basej, &q, NULL);
4792 /* Check that resj's X coordinate corresponds with resx. */
4793 secp256k1_fe_sqr(&v, &resj.z);
4794 secp256k1_fe_mul(&v, &v, &resx);
4795 CHECK(fe_equal(&v, &resj.x));
4796 }
4797
4798 /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4799 for (i = 0; i < 2*COUNT; ++i) {
4800 secp256k1_fe x, n, d, r;
4801 int res;
4804 /* Generate random X coordinate not on the curve. */
4805 do {
4807 } while (secp256k1_ge_x_on_curve_var(&x));
4808 /* If i is odd, n=d*x for random non-zero d. */
4809 if (i & 1) {
4811 secp256k1_fe_mul(&n, &x, &d);
4812 } else {
4813 n = x;
4814 }
4815 res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4816 CHECK(res == 0);
4817 }
4818}
4819
4821 /* Check known result (randomly generated test problem from sage) */
4823 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4824 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4825 );
4826 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4827 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4828 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4829 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4830 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4831 );
4832 secp256k1_gej point;
4833 secp256k1_ge res;
4834 int i;
4835
4837 for (i = 0; i < 100; ++i) {
4838 secp256k1_ge tmp;
4839 secp256k1_ge_set_gej(&tmp, &point);
4840 secp256k1_ecmult_const(&point, &tmp, &scalar);
4841 }
4842 secp256k1_ge_set_gej(&res, &point);
4843 CHECK(secp256k1_gej_eq_ge_var(&expected_point, &res));
4844}
4845
4846static void run_ecmult_const_tests(void) {
4853}
4854
4855typedef struct {
4859
4860static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4862 *sc = data->sc[idx];
4863 *pt = data->pt[idx];
4864 return 1;
4865}
4866
4867static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4868 (void)sc;
4869 (void)pt;
4870 (void)idx;
4871 (void)cbdata;
4872 return 0;
4873}
4874
4876 int ncount;
4877 secp256k1_scalar sc[32];
4878 secp256k1_ge pt[32];
4879 secp256k1_gej r;
4880 secp256k1_gej r2;
4882
4883 data.sc = sc;
4884 data.pt = pt;
4885
4886 /* No points to multiply */
4887 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4888
4889 /* Check 1- and 2-point multiplies against ecmult */
4890 for (ncount = 0; ncount < COUNT; ncount++) {
4891 secp256k1_ge ptg;
4892 secp256k1_gej ptgj;
4895
4897 secp256k1_gej_set_ge(&ptgj, &ptg);
4898 pt[0] = ptg;
4899 pt[1] = secp256k1_ge_const_g;
4900
4901 /* only G scalar */
4902 secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4903 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4904 CHECK(secp256k1_gej_eq_var(&r, &r2));
4905
4906 /* 1-point */
4907 secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4908 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4909 CHECK(secp256k1_gej_eq_var(&r, &r2));
4910
4911 /* Try to multiply 1 point, but callback returns false */
4912 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4913
4914 /* 2-point */
4915 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4916 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4917 CHECK(secp256k1_gej_eq_var(&r, &r2));
4918
4919 /* 2-point with G scalar */
4920 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4921 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4922 CHECK(secp256k1_gej_eq_var(&r, &r2));
4923 }
4924
4925 /* Check infinite outputs of various forms */
4926 for (ncount = 0; ncount < COUNT; ncount++) {
4927 secp256k1_ge ptg;
4928 size_t i, j;
4929 size_t sizes[] = { 2, 10, 32 };
4930
4931 for (j = 0; j < 3; j++) {
4932 for (i = 0; i < 32; i++) {
4935 }
4936 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4938 }
4939
4940 for (j = 0; j < 3; j++) {
4941 for (i = 0; i < 32; i++) {
4943 pt[i] = ptg;
4944 secp256k1_scalar_set_int(&sc[i], 0);
4945 }
4946 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4948 }
4949
4950 for (j = 0; j < 3; j++) {
4952 for (i = 0; i < 16; i++) {
4954 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4955 pt[2 * i] = ptg;
4956 pt[2 * i + 1] = ptg;
4957 }
4958
4959 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4961
4963 for (i = 0; i < 16; i++) {
4965
4966 sc[2*i] = sc[0];
4967 sc[2*i+1] = sc[0];
4968 pt[2 * i] = ptg;
4969 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4970 }
4971
4972 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4974 }
4975
4977 secp256k1_scalar_set_int(&sc[0], 0);
4978 pt[0] = ptg;
4979 for (i = 1; i < 32; i++) {
4980 pt[i] = ptg;
4981
4983 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4984 secp256k1_scalar_negate(&sc[i], &sc[i]);
4985 }
4986
4987 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4989 }
4990
4991 /* Check random points, constant scalar */
4992 for (ncount = 0; ncount < COUNT; ncount++) {
4993 size_t i;
4995
4997 for (i = 0; i < 20; i++) {
4998 secp256k1_ge ptg;
4999 sc[i] = sc[0];
5001 pt[i] = ptg;
5002 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
5003 }
5004
5005 secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
5006 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
5007 CHECK(secp256k1_gej_eq_var(&r, &r2));
5008 }
5009
5010 /* Check random scalars, constant point */
5011 for (ncount = 0; ncount < COUNT; ncount++) {
5012 size_t i;
5013 secp256k1_ge ptg;
5014 secp256k1_gej p0j;
5017
5019 for (i = 0; i < 20; i++) {
5021 pt[i] = ptg;
5022 secp256k1_scalar_add(&rs, &rs, &sc[i]);
5023 }
5024
5025 secp256k1_gej_set_ge(&p0j, &pt[0]);
5026 secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
5027 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
5028 CHECK(secp256k1_gej_eq_var(&r, &r2));
5029 }
5030
5031 /* Sanity check that zero scalars don't cause problems */
5032 for (ncount = 0; ncount < 20; ncount++) {
5033 testutil_random_scalar_order(&sc[ncount]);
5034 testutil_random_ge_test(&pt[ncount]);
5035 }
5036
5037 secp256k1_scalar_set_int(&sc[0], 0);
5038 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
5039 secp256k1_scalar_set_int(&sc[1], 0);
5040 secp256k1_scalar_set_int(&sc[2], 0);
5041 secp256k1_scalar_set_int(&sc[3], 0);
5042 secp256k1_scalar_set_int(&sc[4], 0);
5043 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
5044 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
5046
5047 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
5048 {
5049 const size_t TOP = 8;
5050 size_t s0i, s1i;
5051 size_t t0i, t1i;
5052 secp256k1_ge ptg;
5053 secp256k1_gej ptgj;
5054
5056 secp256k1_gej_set_ge(&ptgj, &ptg);
5057
5058 for(t0i = 0; t0i < TOP; t0i++) {
5059 for(t1i = 0; t1i < TOP; t1i++) {
5060 secp256k1_gej t0p, t1p;
5061 secp256k1_scalar t0, t1;
5062
5063 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
5064 secp256k1_scalar_cond_negate(&t0, t0i & 1);
5065 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
5066 secp256k1_scalar_cond_negate(&t1, t1i & 1);
5067
5068 secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
5069 secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
5070
5071 for(s0i = 0; s0i < TOP; s0i++) {
5072 for(s1i = 0; s1i < TOP; s1i++) {
5073 secp256k1_scalar tmp1, tmp2;
5074 secp256k1_gej expected, actual;
5075
5076 secp256k1_ge_set_gej(&pt[0], &t0p);
5077 secp256k1_ge_set_gej(&pt[1], &t1p);
5078
5079 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
5080 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
5081 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
5082 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
5083
5084 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
5085 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
5086 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
5087
5088 secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
5089 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
5090 CHECK(secp256k1_gej_eq_var(&actual, &expected));
5091 }
5092 }
5093 }
5094 }
5095 }
5096}
5097
5099 /* Large random test for ecmult_multi_* functions which exercises:
5100 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
5101 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
5102 * - Including or excluding an nonzero a*G term (or such a term at all).
5103 * - Final expected result equal to infinity or not (roughly 50%).
5104 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
5105 */
5106
5107 /* These 4 variables define the eventual input to the ecmult_multi function.
5108 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
5109 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
5110 * which form its normal inputs. */
5111 int filled = 0;
5113 secp256k1_scalar scalars[128];
5114 secp256k1_gej gejs[128];
5115 /* The expected result, and the computed result. */
5116 secp256k1_gej expected, computed;
5117 /* Temporaries. */
5118 secp256k1_scalar sc_tmp;
5119 secp256k1_ge ge_tmp;
5120 /* Variables needed for the actual input to ecmult_multi. */
5121 secp256k1_ge ges[128];
5123
5124 int i;
5125 /* Which multiplication function to use */
5126 int fn = testrand_int(3);
5130 /* Simulate exponentially distributed num. */
5131 int num_bits = 2 + testrand_int(6);
5132 /* Number of (scalar, point) inputs (excluding g). */
5133 int num = testrand_int((1 << num_bits) + 1);
5134 /* Number of those which are nonzero. */
5135 int num_nonzero = testrand_int(num + 1);
5136 /* Whether we're aiming to create an input with nonzero expected result. */
5137 int nonzero_result = testrand_bits(1);
5138 /* Whether we will provide nonzero g multiplicand. In some cases our hand
5139 * is forced here based on num_nonzero and nonzero_result. */
5140 int g_nonzero = num_nonzero == 0 ? nonzero_result :
5141 num_nonzero == 1 && !nonzero_result ? 1 :
5142 (int)testrand_bits(1);
5143 /* Which g_scalar pointer to pass into ecmult_multi(). */
5144 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || testrand_bits(1)) ? &g_scalar : NULL;
5145 /* How many EC multiplications were performed in this function. */
5146 int mults = 0;
5147 /* How many randomization steps to apply to the input list. */
5148 int rands = (int)testrand_bits(3);
5149 if (rands > num_nonzero) rands = num_nonzero;
5150
5151 secp256k1_gej_set_infinity(&expected);
5153 secp256k1_scalar_set_int(&scalars[0], 0);
5154
5155 if (g_nonzero) {
5156 /* If g_nonzero, set g_scalar to nonzero value r. */
5158 if (!nonzero_result) {
5159 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
5160 CHECK(num_nonzero > filled);
5162 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
5163 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
5164 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
5165 secp256k1_ecmult_gen_gej(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
5166 ++filled;
5167 ++mults;
5168 }
5169 }
5170
5171 if (nonzero_result && filled < num_nonzero) {
5172 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
5173 testutil_random_scalar_order_test(&scalars[filled]);
5174 testutil_random_ge_test(&ge_tmp);
5175 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
5176 ++filled;
5177 }
5178
5179 if (nonzero_result) {
5180 /* Compute the expected result using normal ecmult. */
5181 CHECK(filled <= 1);
5182 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
5183 mults += filled + g_nonzero;
5184 }
5185
5186 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
5187 CHECK(filled <= 1 + !nonzero_result);
5188 CHECK(filled <= num_nonzero);
5189
5190 /* Add entries to scalars,gejs so that there are num of them. All the added entries
5191 * either have scalar=0 or point=infinity, so these do not change the expected result. */
5192 while (filled < num) {
5193 if (testrand_bits(1)) {
5194 secp256k1_gej_set_infinity(&gejs[filled]);
5195 testutil_random_scalar_order_test(&scalars[filled]);
5196 } else {
5197 secp256k1_scalar_set_int(&scalars[filled], 0);
5198 testutil_random_ge_test(&ge_tmp);
5199 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
5200 }
5201 ++filled;
5202 }
5203
5204 /* Now perform cheapish transformations on gejs and scalars, for indices
5205 * 0..num_nonzero-1, which do not change the expected result, but may
5206 * convert some of them to be both non-0-scalar and non-infinity-point. */
5207 for (i = 0; i < rands; ++i) {
5208 int j;
5209 secp256k1_scalar v, iv;
5210 /* Shuffle the entries. */
5211 for (j = 0; j < num_nonzero; ++j) {
5212 int k = testrand_int(num_nonzero - j);
5213 if (k != 0) {
5214 secp256k1_gej gej = gejs[j];
5215 secp256k1_scalar sc = scalars[j];
5216 gejs[j] = gejs[j + k];
5217 scalars[j] = scalars[j + k];
5218 gejs[j + k] = gej;
5219 scalars[j + k] = sc;
5220 }
5221 }
5222 /* Perturb all consecutive pairs of inputs:
5223 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
5224 for (j = 0; j + 1 < num_nonzero; j += 2) {
5225 secp256k1_gej gej;
5226 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
5227 secp256k1_gej_neg(&gej, &gejs[j]);
5228 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
5229 }
5230 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
5231 CHECK(num_nonzero >= 1);
5233 secp256k1_scalar_inverse(&iv, &v);
5234 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5235 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5236 ++mults;
5237 }
5238
5239 /* Shuffle all entries (0..num-1). */
5240 for (i = 0; i < num; ++i) {
5241 int j = testrand_int(num - i);
5242 if (j != 0) {
5243 secp256k1_gej gej = gejs[i];
5244 secp256k1_scalar sc = scalars[i];
5245 gejs[i] = gejs[i + j];
5246 scalars[i] = scalars[i + j];
5247 gejs[i + j] = gej;
5248 scalars[i + j] = sc;
5249 }
5250 }
5251
5252 /* Compute affine versions of all inputs. */
5253 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5254 /* Invoke ecmult_multi code. */
5255 data.sc = scalars;
5256 data.pt = ges;
5257 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5258 mults += num_nonzero + g_nonzero;
5259 /* Compare with expected result. */
5260 CHECK(secp256k1_gej_eq_var(&computed, &expected));
5261 return mults;
5262}
5263
5266 secp256k1_ge pt;
5267 secp256k1_gej r;
5269 secp256k1_scratch *scratch_empty;
5270
5273 data.sc = &sc;
5274 data.pt = &pt;
5275
5276 /* Try to multiply 1 point, but scratch space is empty.*/
5277 scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5278 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5280}
5281
5283 int i;
5284
5286 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5287 /* Bucket_window of 8 is not used with endo */
5288 if (i == 8) {
5289 continue;
5290 }
5292 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5294 }
5295 }
5296}
5297
5303 size_t scratch_size = testrand_bits(8);
5305 secp256k1_scratch *scratch;
5306 size_t n_points_supported;
5307 int bucket_window = 0;
5308
5309 for(; scratch_size < max_size; scratch_size+=256) {
5310 size_t i;
5311 size_t total_alloc;
5312 size_t checkpoint;
5313 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5314 CHECK(scratch != NULL);
5315 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5316 n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5317 if (n_points_supported == 0) {
5319 continue;
5320 }
5321 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5322 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5323 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5324 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5326 total_alloc--;
5327 }
5328 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5331 }
5332 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5333}
5334
5336 size_t n_batches, n_batch_points, max_n_batch_points, n;
5337
5338 max_n_batch_points = 0;
5339 n = 1;
5340 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5341
5342 max_n_batch_points = 1;
5343 n = 0;
5344 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5345 CHECK(n_batches == 0);
5346 CHECK(n_batch_points == 0);
5347
5348 max_n_batch_points = 2;
5349 n = 5;
5350 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5351 CHECK(n_batches == 3);
5352 CHECK(n_batch_points == 2);
5353
5354 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5356 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5357 CHECK(n_batches == 1);
5358 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5359
5360 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5362 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5363 CHECK(n_batches == 2);
5364 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5365
5366 max_n_batch_points = 1;
5367 n = SIZE_MAX;
5368 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5369 CHECK(n_batches == SIZE_MAX);
5370 CHECK(n_batch_points == 1);
5371
5372 max_n_batch_points = 2;
5373 n = SIZE_MAX;
5374 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5375 CHECK(n_batches == SIZE_MAX/2 + 1);
5376 CHECK(n_batch_points == 2);
5377}
5378
5384 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5385 secp256k1_scalar scG;
5387 secp256k1_ge *pt = checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points);
5388 secp256k1_gej r;
5389 secp256k1_gej r2;
5391 int i;
5392 secp256k1_scratch *scratch;
5393
5395
5396 /* Get random scalars and group elements and compute result */
5398 secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5399 for(i = 0; i < n_points; i++) {
5400 secp256k1_ge ptg;
5401 secp256k1_gej ptgj;
5403 secp256k1_gej_set_ge(&ptgj, &ptg);
5404 pt[i] = ptg;
5406 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5407 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5408 }
5409 data.sc = sc;
5410 data.pt = pt;
5411 secp256k1_gej_neg(&r2, &r2);
5412
5413 /* Test with empty scratch space. It should compute the correct result using
5414 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5417 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5420
5421 /* Test with space for 1 point in pippenger. That's not enough because
5422 * ecmult_multi selects strauss which requires more memory. It should
5423 * therefore select the simple algorithm. */
5426 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5429
5430 for(i = 1; i <= n_points; i++) {
5432 int bucket_window = secp256k1_pippenger_bucket_window(i);
5433 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5435 } else {
5436 size_t scratch_size = secp256k1_strauss_scratch_size(i);
5438 }
5440 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5443 }
5444 free(sc);
5445 free(pt);
5446}
5447
5448static void run_ecmult_multi_tests(void) {
5449 secp256k1_scratch *scratch;
5450 int64_t todo = (int64_t)320 * COUNT;
5451
5454 scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5461 while (todo > 0) {
5462 todo -= test_ecmult_multi_random(scratch);
5463 }
5465
5466 /* Run test_ecmult_multi with space for exactly one point */
5470
5473}
5474
5475static void test_wnaf(const secp256k1_scalar *number, int w) {
5476 secp256k1_scalar x, two, t;
5477 int wnaf[256];
5478 int zeroes = -1;
5479 int i;
5480 int bits;
5482 secp256k1_scalar_set_int(&two, 2);
5483 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5484 CHECK(bits <= 256);
5485 for (i = bits-1; i >= 0; i--) {
5486 int v = wnaf[i];
5487 secp256k1_scalar_mul(&x, &x, &two);
5488 if (v) {
5489 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5490 zeroes=0;
5491 CHECK((v & 1) == 1); /* check non-zero elements are odd */
5492 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5493 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5494 } else {
5495 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5496 zeroes++;
5497 }
5498 if (v >= 0) {
5500 } else {
5503 }
5504 secp256k1_scalar_add(&x, &x, &t);
5505 }
5506 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5507}
5508
5509static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5510 secp256k1_scalar x, shift;
5511 int wnaf[256] = {0};
5512 int i;
5513 int skew;
5514 secp256k1_scalar num, unused;
5515
5517 secp256k1_scalar_set_int(&shift, 1 << w);
5518 /* Make num a 128-bit scalar. */
5519 secp256k1_scalar_split_128(&num, &unused, number);
5520 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5521
5522 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5524 int v = wnaf[i];
5525 CHECK(v == 0 || v & 1); /* check parity */
5526 CHECK(v > -(1 << w)); /* check range above */
5527 CHECK(v < (1 << w)); /* check range below */
5528
5529 secp256k1_scalar_mul(&x, &x, &shift);
5530 if (v >= 0) {
5532 } else {
5535 }
5536 secp256k1_scalar_add(&x, &x, &t);
5537 }
5538 /* If skew is 1 then add 1 to num */
5539 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5540 CHECK(secp256k1_scalar_eq(&x, &num));
5541}
5542
5543/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5544 * rest is 0.*/
5545static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5546 int i;
5547 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5548 CHECK(wnaf[i] == 0);
5549 }
5550 for (i = 7; i >= 0; --i) {
5551 CHECK(wnaf[i] == wnaf_expected[i]);
5552 }
5553}
5554
5555static void test_fixed_wnaf_small(void) {
5556 int w = 4;
5557 int wnaf[256] = {0};
5558 int i;
5559 int skew;
5560 secp256k1_scalar num;
5561
5562 secp256k1_scalar_set_int(&num, 0);
5563 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5564 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5565 int v = wnaf[i];
5566 CHECK(v == 0);
5567 }
5568 CHECK(skew == 0);
5569
5570 secp256k1_scalar_set_int(&num, 1);
5571 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5572 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5573 int v = wnaf[i];
5574 CHECK(v == 0);
5575 }
5576 CHECK(wnaf[0] == 1);
5577 CHECK(skew == 0);
5578
5579 {
5580 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5581 secp256k1_scalar_set_int(&num, 0xffffffff);
5582 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5583 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5584 CHECK(skew == 0);
5585 }
5586 {
5587 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5588 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5589 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5590 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5591 CHECK(skew == 1);
5592 }
5593 {
5594 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5595 secp256k1_scalar_set_int(&num, 0x01010101);
5596 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5597 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5598 CHECK(skew == 0);
5599 }
5600 {
5601 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5602 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5603 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5604 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5605 CHECK(skew == 0);
5606 }
5607}
5608
5609static void run_wnaf(void) {
5610 int i;
5612
5613 /* Test 0 for fixed wnaf */
5615 /* Random tests */
5616 for (i = 0; i < COUNT; i++) {
5618 test_wnaf(&n, 4+(i%10));
5619 test_fixed_wnaf(&n, 4 + (i % 10));
5620 }
5622 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5626}
5627
5628static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5629 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5630 *sc = *indata;
5632 CHECK(idx == 0);
5633 return 1;
5634}
5635
5637 /* Compute x*G in many different ways, serialize it uncompressed, and feed it into acc. */
5638 secp256k1_gej gj, infj;
5639 secp256k1_ge r;
5640 secp256k1_gej rj[7];
5641 unsigned char bytes[65];
5642 size_t i;
5646 secp256k1_ecmult(&rj[1], &gj, x, NULL);
5647 secp256k1_ecmult(&rj[2], &gj, x, &secp256k1_scalar_zero);
5648 secp256k1_ecmult(&rj[3], &infj, &secp256k1_scalar_zero, x);
5649 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &rj[4], x, NULL, NULL, 0));
5652 secp256k1_ge_set_gej_var(&r, &rj[0]);
5653 for (i = 0; i < ARRAY_SIZE(rj); i++) {
5654 CHECK(secp256k1_gej_eq_ge_var(&rj[i], &r));
5655 }
5656 if (secp256k1_ge_is_infinity(&r)) {
5657 /* Store infinity as 0x00 */
5658 const unsigned char zerobyte[1] = {0};
5660 } else {
5661 /* Store other points using their uncompressed serialization. */
5663 secp256k1_sha256_write(secp256k1_get_hash_context(CTX), acc, bytes, sizeof(bytes));
5664 }
5665}
5666
5668 /* Using test_ecmult_accumulate, test ecmult for:
5669 * - For i in 0..36:
5670 * - Key i
5671 * - Key -i
5672 * - For i in 0..255:
5673 * - For j in 1..255 (only odd values):
5674 * - Key (j*2^i) mod order
5675 */
5677 secp256k1_sha256 acc;
5678 unsigned char b32[32];
5679 int i, j;
5681
5682 /* Expected hash of all the computed points; created with an independent
5683 * implementation. */
5684 static const unsigned char expected32[32] = {
5685 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5686 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5687 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5688 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5689 };
5691 for (i = 0; i <= 36; ++i) {
5693 test_ecmult_accumulate(&acc, &x, scratch);
5695 test_ecmult_accumulate(&acc, &x, scratch);
5696 };
5697 for (i = 0; i < 256; ++i) {
5698 for (j = 1; j < 256; j += 2) {
5699 int k;
5701 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5702 test_ecmult_accumulate(&acc, &x, scratch);
5703 }
5704 }
5706 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5707
5709}
5710
5711static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5712 /* Using test_ecmult_accumulate, test ecmult for:
5713 * - Key 0
5714 * - Key 1
5715 * - Key -1
5716 * - For i in range(iter):
5717 * - Key SHA256(LE32(prefix) || LE16(i))
5718 */
5720 secp256k1_sha256 acc;
5721 unsigned char b32[32];
5722 unsigned char inp[6];
5723 size_t i;
5726
5727 inp[0] = prefix & 0xFF;
5728 inp[1] = (prefix >> 8) & 0xFF;
5729 inp[2] = (prefix >> 16) & 0xFF;
5730 inp[3] = (prefix >> 24) & 0xFF;
5733 test_ecmult_accumulate(&acc, &x, scratch);
5735 test_ecmult_accumulate(&acc, &x, scratch);
5737 test_ecmult_accumulate(&acc, &x, scratch);
5738
5739 for (i = 0; i < iter; ++i) {
5740 secp256k1_sha256 gen;
5741 inp[4] = i & 0xff;
5742 inp[5] = (i >> 8) & 0xff;
5744 secp256k1_sha256_write(hash_ctx, &gen, inp, sizeof(inp));
5745 secp256k1_sha256_finalize(hash_ctx, &gen, b32);
5746 secp256k1_scalar_set_b32(&x, b32, NULL);
5747 test_ecmult_accumulate(&acc, &x, scratch);
5748 }
5749 secp256k1_sha256_finalize(hash_ctx, &acc, b32);
5750 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5751
5753}
5754
5755static void run_ecmult_constants(void) {
5756 /* Expected hashes of all points in the tests below. Computed using an
5757 * independent implementation. */
5758 static const unsigned char expected32_6bit20[32] = {
5759 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5760 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5761 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5762 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5763 };
5764 static const unsigned char expected32_8bit8[32] = {
5765 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5766 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5767 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5768 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5769 };
5770 /* For every combination of 6 bit positions out of 256, restricted to
5771 * 20-bit windows (i.e., the first and last bit position are no more than
5772 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5773 * this test. */
5774 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5775 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5776 }
5777
5778 /* For every combination of 8 consecutive bit positions, all 256 bit
5779 * patterns occur in the input scalars used in this test. */
5780 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5781 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5782 }
5783
5784 CONDITIONAL_TEST(16, "test_ecmult_constants_2bit") {
5786 }
5787}
5788
5789static void run_ecmult_gen_ge(void) {
5790 /* Test that secp256k1_ecmult_gen_ge result matches secp256k1_ecmult_gen_gej with
5791 * manual Jacobian-to-affine conversion (secp256k1_ge_set_gej) over random scalars */
5792 int i;
5793
5794 for (i = 0; i < COUNT; i++) {
5795 secp256k1_scalar scalar;
5796 secp256k1_gej result_gej;
5797 secp256k1_ge result_ge, expected_ge;
5798
5800 secp256k1_ecmult_gen_gej(&CTX->ecmult_gen_ctx, &result_gej, &scalar);
5801 secp256k1_ge_set_gej(&expected_ge, &result_gej);
5802 secp256k1_ecmult_gen_ge(&CTX->ecmult_gen_ctx, &result_ge, &scalar);
5803
5804 CHECK(secp256k1_ge_eq_var(&result_ge, &expected_ge));
5805 }
5806}
5807
5808static void test_ecmult_gen_blind(void) {
5809 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5810 secp256k1_scalar key;
5812 unsigned char seed32[32];
5813 secp256k1_gej pgej;
5814 secp256k1_gej pgej2;
5815 secp256k1_ge p;
5816 secp256k1_ge pge;
5819 testrand256(seed32);
5825 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5827 secp256k1_ge_set_gej(&pge, &pgej);
5828 CHECK(secp256k1_gej_eq_ge_var(&pgej2, &pge));
5829}
5830
5832 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5834 secp256k1_ge p1, p2;
5841 CHECK(secp256k1_ge_eq_var(&p1, &p2));
5842}
5843
5844/* Verify that ecmult_gen for scalars gn for which gn + scalar_offset = {-1,0,1}. */
5846 int i;
5847 secp256k1_gej res1, res2, res3;
5848 secp256k1_scalar gn = secp256k1_scalar_one; /* gn = 1 */
5849 secp256k1_scalar_add(&gn, &gn, &CTX->ecmult_gen_ctx.scalar_offset); /* gn = 1 + scalar_offset */
5850 secp256k1_scalar_negate(&gn, &gn); /* gn = -1 - scalar_offset */
5851
5852 for (i = -1; i < 2; ++i) {
5853 /* Run test with gn = i - scalar_offset (so that the ecmult_gen recoded value represents i). */
5855 secp256k1_ecmult(&res2, NULL, &secp256k1_scalar_zero, &gn);
5857 CHECK(secp256k1_gej_eq_var(&res1, &res2));
5858 CHECK(secp256k1_gej_eq_var(&res1, &res3));
5860 }
5861}
5862
5863static void run_ecmult_gen_blind(void) {
5864 int i;
5867 for (i = 0; i < 10; i++) {
5869 }
5870}
5871
5872/***** ENDOMORPHISH TESTS *****/
5873static void test_scalar_split(const secp256k1_scalar* full) {
5874 secp256k1_scalar s, s1, slam;
5875 const unsigned char zero[32] = {0};
5876 unsigned char tmp[32];
5877
5878 secp256k1_scalar_split_lambda(&s1, &slam, full);
5879
5880 /* check slam*lambda + s1 == full */
5882 secp256k1_scalar_add(&s, &s, &s1);
5883 CHECK(secp256k1_scalar_eq(&s, full));
5884
5885 /* check that both are <= 128 bits in size */
5886 if (secp256k1_scalar_is_high(&s1)) {
5887 secp256k1_scalar_negate(&s1, &s1);
5888 }
5889 if (secp256k1_scalar_is_high(&slam)) {
5890 secp256k1_scalar_negate(&slam, &slam);
5891 }
5892
5893 secp256k1_scalar_get_b32(tmp, &s1);
5894 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5895 secp256k1_scalar_get_b32(tmp, &slam);
5896 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5897}
5898
5899
5900static void run_endomorphism_tests(void) {
5901 unsigned i;
5902 static secp256k1_scalar s;
5910
5911 for (i = 0; i < 100U * COUNT; ++i) {
5912 secp256k1_scalar full;
5914 test_scalar_split(&full);
5915 }
5916 for (i = 0; i < ARRAY_SIZE(scalars_near_split_bounds); ++i) {
5918 }
5919}
5920
5921static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5922 unsigned char pubkeyc[65];
5923 secp256k1_pubkey pubkey;
5924 secp256k1_ge ge;
5925 size_t pubkeyclen;
5926
5927 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5928 /* Smaller sizes are tested exhaustively elsewhere. */
5929 int32_t i;
5930 memcpy(&pubkeyc[1], input, 64);
5931 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5932 for (i = 0; i < 256; i++) {
5933 /* Try all type bytes. */
5934 int xpass;
5935 int ypass;
5936 int ysign;
5937 pubkeyc[0] = i;
5938 /* What sign does this point have? */
5939 ysign = (input[63] & 1) + 2;
5940 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5941 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5942 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5943 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5944 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5945 if (xpass || ypass) {
5946 /* These cases must parse. */
5947 unsigned char pubkeyo[65];
5948 size_t outl;
5949 memset(&pubkey, 0, sizeof(pubkey));
5950 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5951 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
5952 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5953 outl = 65;
5954 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5955 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5956 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5957 CHECK(outl == 33);
5958 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5959 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5960 if (ypass) {
5961 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5962 CHECK(pubkeyo[0] == ysign);
5963 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5964 memset(&pubkey, 0, sizeof(pubkey));
5965 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5966 secp256k1_pubkey_save(&pubkey, &ge);
5967 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5968 outl = 65;
5969 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5970 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5971 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5972 CHECK(outl == 65);
5973 CHECK(pubkeyo[0] == 4);
5974 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5975 }
5976 } else {
5977 /* These cases must fail to parse. */
5978 memset(&pubkey, 0xfe, sizeof(pubkey));
5979 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5980 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5981 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5982 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5983 }
5984 }
5985 }
5986}
5987
5988static void run_ec_pubkey_parse_test(void) {
5989#define SECP256K1_EC_PARSE_TEST_NVALID (12)
5990 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5991 {
5992 /* Point with leading and trailing zeros in x and y serialization. */
5993 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5994 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5995 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5996 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5997 },
5998 {
5999 /* Point with x equal to a 3rd root of unity.*/
6000 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
6001 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
6002 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
6003 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
6004 },
6005 {
6006 /* Point with largest x. (1/2) */
6007 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6008 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
6009 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
6010 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
6011 },
6012 {
6013 /* Point with largest x. (2/2) */
6014 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6015 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
6016 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
6017 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
6018 },
6019 {
6020 /* Point with smallest x. (1/2) */
6021 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6022 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6023 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
6024 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
6025 },
6026 {
6027 /* Point with smallest x. (2/2) */
6028 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6029 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6030 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
6031 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
6032 },
6033 {
6034 /* Point with largest y. (1/3) */
6035 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
6036 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
6037 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6038 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
6039 },
6040 {
6041 /* Point with largest y. (2/3) */
6042 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
6043 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
6044 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6045 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
6046 },
6047 {
6048 /* Point with largest y. (3/3) */
6049 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
6050 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
6051 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6052 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
6053 },
6054 {
6055 /* Point with smallest y. (1/3) */
6056 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
6057 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
6058 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6059 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6060 },
6061 {
6062 /* Point with smallest y. (2/3) */
6063 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
6064 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
6065 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6066 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6067 },
6068 {
6069 /* Point with smallest y. (3/3) */
6070 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
6071 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
6072 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6073 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
6074 }
6075 };
6076#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
6077 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
6078 {
6079 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
6080 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
6081 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
6082 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6083 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
6084 },
6085 {
6086 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
6087 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
6088 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
6089 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6090 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
6091 },
6092 {
6093 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
6094 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
6095 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
6096 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6097 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
6098 },
6099 {
6100 /* x on curve, y is from y^2 = x^3 + 8. */
6101 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6102 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6103 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6104 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
6105 }
6106 };
6107#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
6108 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
6109 {
6110 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
6111 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
6112 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
6113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6114 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6115 },
6116 {
6117 /* Valid if x overflow ignored (x = 1 mod p). */
6118 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6119 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
6120 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
6121 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
6122 },
6123 {
6124 /* Valid if x overflow ignored (x = 1 mod p). */
6125 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6126 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
6127 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
6128 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
6129 },
6130 {
6131 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
6132 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6133 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
6134 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
6135 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
6136 },
6137 {
6138 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
6139 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6140 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
6141 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
6142 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
6143 },
6144 {
6145 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
6146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6147 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6148 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
6149 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
6150 },
6151 {
6152 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
6153 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6154 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6155 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
6156 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
6157 }
6158 };
6159 const unsigned char pubkeyc[66] = {
6160 /* Serialization of G. */
6161 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
6162 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
6163 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
6164 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
6165 0xB8, 0x00
6166 };
6167 unsigned char sout[65];
6168 unsigned char shortkey[2] = { 0 };
6169 secp256k1_ge ge;
6170 secp256k1_pubkey pubkey;
6171 size_t len;
6172 int32_t i;
6173
6174 /* Nothing should be reading this far into pubkeyc. */
6175 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
6176 /* Zero length claimed, fail, zeroize, no illegal arg error. */
6177 memset(&pubkey, 0xfe, sizeof(pubkey));
6178 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
6179 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6180 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
6181 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6182 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6183 /* Length one claimed, fail, zeroize, no illegal arg error. */
6184 for (i = 0; i < 256 ; i++) {
6185 memset(&pubkey, 0xfe, sizeof(pubkey));
6186 shortkey[0] = i;
6187 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
6188 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6189 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
6190 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6191 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6192 }
6193 /* Length two claimed, fail, zeroize, no illegal arg error. */
6194 for (i = 0; i < 65536 ; i++) {
6195 memset(&pubkey, 0xfe, sizeof(pubkey));
6196 shortkey[0] = i & 255;
6197 shortkey[1] = i >> 8;
6198 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6199 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
6200 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6201 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6202 }
6203 memset(&pubkey, 0xfe, sizeof(pubkey));
6204 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6205 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
6206 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
6207 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6208 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6209 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
6210 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65));
6211 /* NULL input string. Illegal arg and zeroize output. */
6212 memset(&pubkey, 0xfe, sizeof(pubkey));
6213 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6214 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65));
6215 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6216 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6217 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
6218 memset(&pubkey, 0xfe, sizeof(pubkey));
6219 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6220 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
6221 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6222 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6223 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
6224 memset(&pubkey, 0xfe, sizeof(pubkey));
6225 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6226 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
6227 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6228 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6229 /* Valid parse. */
6230 memset(&pubkey, 0, sizeof(pubkey));
6231 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6232 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
6233 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
6234 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6235 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
6236 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
6237 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
6238 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
6241 /* secp256k1_ec_pubkey_serialize illegal args. */
6242 len = 65;
6244 CHECK(len == 0);
6246 len = 65;
6249 SECP256K1_CHECKMEM_CHECK(sout, 65);
6250 CHECK(len == 0);
6251 len = 65;
6252 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0));
6253 CHECK(len == 0);
6254 len = 65;
6257 SECP256K1_CHECKMEM_CHECK(sout, 65);
6258 CHECK(len == 65);
6259 /* Multiple illegal args. Should still set arg error only once. */
6261 /* Try a bunch of prefabbed points with all possible encodings. */
6262 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
6263 ec_pubkey_parse_pointtest(valid[i], 1, 1);
6264 }
6265 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
6266 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
6267 }
6268 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
6269 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
6270 }
6271}
6272
6273static void run_eckey_edge_case_test(void) {
6274 const unsigned char *orderc = secp256k1_group_order_bytes;
6275 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6276 unsigned char ctmp[33];
6277 unsigned char ctmp2[33];
6278 secp256k1_pubkey pubkey;
6279 secp256k1_pubkey pubkey2;
6280 secp256k1_pubkey pubkey_one;
6281 secp256k1_pubkey pubkey_negone;
6282 const secp256k1_pubkey *pubkeys[3];
6283 size_t len;
6284 int i;
6285 /* Group order is too large, reject. */
6286 CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6287 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6288 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6289 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6290 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6291 /* Maximum value is too large, reject. */
6292 memset(ctmp, 255, 32);
6294 memset(&pubkey, 1, sizeof(pubkey));
6295 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6296 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6297 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6298 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6299 /* Zero is too small, reject. */
6300 memset(ctmp, 0, 32);
6302 memset(&pubkey, 1, sizeof(pubkey));
6303 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6304 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6305 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6306 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6307 /* One must be accepted. */
6308 ctmp[31] = 0x01;
6310 memset(&pubkey, 0, sizeof(pubkey));
6311 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6312 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6313 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6314 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6315 pubkey_one = pubkey;
6316 /* Group order + 1 is too large, reject. */
6317 memcpy(ctmp, orderc, 32);
6318 ctmp[31] = 0x42;
6320 memset(&pubkey, 1, sizeof(pubkey));
6321 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6322 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6323 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6324 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6325 /* -1 must be accepted. */
6326 ctmp[31] = 0x40;
6328 memset(&pubkey, 0, sizeof(pubkey));
6329 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6330 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6331 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6332 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6333 pubkey_negone = pubkey;
6334 /* Tweak of zero leaves the value unchanged. */
6335 memset(ctmp2, 0, 32);
6336 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6337 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6338 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6339 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6340 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6341 /* Multiply tweak of zero zeroizes the output. */
6342 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6343 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6344 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6345 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6346 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6347 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6348 seckey, the seckey is zeroized. */
6349 memcpy(ctmp, orderc, 32);
6350 memset(ctmp2, 0, 32);
6351 ctmp2[31] = 0x01;
6352 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6354 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6355 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6356 memcpy(ctmp, orderc, 32);
6357 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6358 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6359 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6360 tweak, the seckey is zeroized. */
6361 memcpy(ctmp, orderc, 32);
6362 ctmp[31] = 0x40;
6363 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6364 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6365 memcpy(ctmp, orderc, 32);
6366 ctmp[31] = 0x40;
6367 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6368 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6369 memcpy(ctmp, orderc, 32);
6370 ctmp[31] = 0x40;
6371 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6372 tweak, the pubkey is zeroized. */
6373 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6374 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6375 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6376 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6377 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6378 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6379 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6380 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6381 * case the pubkey is zeroized. */
6382 memcpy(ctmp, orderc, 32);
6383 ctmp[31] = 0x40;
6384 memset(ctmp2, 0, 32);
6385 ctmp2[31] = 1;
6386 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6387 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6388 ctmp2[31] = 1;
6389 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6390 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6391 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6392 /* Tweak computation wraps and results in a key of 1. */
6393 ctmp2[31] = 2;
6394 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6395 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6396 ctmp2[31] = 2;
6397 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6398 ctmp2[31] = 1;
6399 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6400 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6401 /* Tweak mul * 2 = 1+1. */
6402 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6403 ctmp2[31] = 2;
6404 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6405 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6406 /* Zeroize pubkey on parse error. */
6407 memset(&pubkey, 0, 32);
6409 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6410 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6411 memset(&pubkey2, 0, 32);
6413 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6414 /* Plain argument errors. */
6417 memset(ctmp2, 0, 32);
6418 ctmp2[31] = 4;
6421 memset(ctmp2, 0, 32);
6422 ctmp2[31] = 4;
6425 memset(ctmp2, 0, 32);
6428 memset(ctmp2, 0, 32);
6429 ctmp2[31] = 1;
6433 memset(&pubkey, 1, sizeof(pubkey));
6435 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6436 /* secp256k1_ec_pubkey_combine tests. */
6437 pubkeys[0] = &pubkey_one;
6438 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6439 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6440 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6441 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6443 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0));
6445 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6446 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1));
6447 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6448 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6450 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1));
6452 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6453 pubkeys[0] = &pubkey_negone;
6454 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6456 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6458 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6459 len = 33;
6461 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6462 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6463 /* Result is infinity. */
6464 pubkeys[0] = &pubkey_one;
6465 pubkeys[1] = &pubkey_negone;
6466 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6468 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6470 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6471 /* Passes through infinity but comes out one. */
6472 pubkeys[2] = &pubkey_one;
6473 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6475 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6477 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6478 /* check that NULL in array of pubkey pointers is not allowed */
6479 for (i = 0; i < 3; i++) {
6480 const secp256k1_pubkey *original_ptr = pubkeys[i];
6481 secp256k1_pubkey result;
6482 pubkeys[i] = NULL;
6483 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &result, pubkeys, 3));
6484 pubkeys[i] = original_ptr;
6485 }
6486 len = 33;
6488 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6489 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6490 /* Adds to two. */
6491 pubkeys[1] = &pubkey_one;
6492 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6494 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6496 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6497}
6498
6499static void run_eckey_negate_test(void) {
6500 unsigned char seckey[32];
6501 unsigned char seckey_tmp[32];
6502
6504 memcpy(seckey_tmp, seckey, 32);
6505
6506 /* Verify negation changes the key and changes it back */
6507 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6508 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6509 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6510 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6511
6512 /* Negating all 0s fails */
6513 memset(seckey, 0, 32);
6514 memset(seckey_tmp, 0, 32);
6515 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6516 /* Check that seckey is not modified */
6517 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6518
6519 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6520 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6521 * doesn't just set seckey to a constant value in case of failure. */
6523 memset(seckey, 0xFF, 16);
6524 memset(seckey_tmp, 0, 32);
6525 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6526 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6527}
6528
6529static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6531 do {
6533 } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6534}
6535
6536static void test_ecdsa_sign_verify(void) {
6537 secp256k1_ge pub;
6538 secp256k1_scalar one;
6539 secp256k1_scalar msg, key;
6540 secp256k1_scalar sigr, sigs;
6541 int getrec;
6542 int recid;
6546 getrec = testrand_bits(1);
6547 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6548 See the commit messages of the commit that introduced this comment for details. */
6549 if (getrec) {
6550 random_sign(&sigr, &sigs, &key, &msg, &recid);
6551 CHECK(recid >= 0 && recid < 4);
6552 } else {
6553 random_sign(&sigr, &sigs, &key, &msg, NULL);
6554 }
6555 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6556 secp256k1_scalar_set_int(&one, 1);
6557 secp256k1_scalar_add(&msg, &msg, &one);
6558 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6559}
6560
6561static void run_ecdsa_sign_verify(void) {
6562 int i;
6563 for (i = 0; i < 10*COUNT; i++) {
6565 }
6566}
6567
6569static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6570 (void)msg32;
6571 (void)key32;
6572 (void)algo16;
6573 memcpy(nonce32, data, 32);
6574 return (counter == 0);
6575}
6576
6577static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6578 /* Dummy nonce generator that has a fatal error on the first counter value. */
6579 if (counter == 0) {
6580 return 0;
6581 }
6582 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6583}
6584
6585static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6586 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6587 if (counter < 3) {
6588 memset(nonce32, counter==0 ? 0 : 255, 32);
6589 if (counter == 2) {
6590 nonce32[31]--;
6591 }
6592 return 1;
6593 }
6594 if (counter < 5) {
6595 memcpy(nonce32, secp256k1_group_order_bytes, 32);
6596 if (counter == 4) {
6597 nonce32[31]++;
6598 }
6599 return 1;
6600 }
6601 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6602 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6603 if (counter > 5) {
6604 return 0;
6605 }
6606 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6607}
6608
6610 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6611 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6612}
6613
6614static void test_ecdsa_end_to_end(void) {
6615 unsigned char extra[32] = {0x00};
6616 unsigned char privkey[32];
6617 unsigned char message[32];
6618 unsigned char privkey2[32];
6619 secp256k1_ecdsa_signature signature[6];
6621 unsigned char sig[74];
6622 size_t siglen = 74;
6623 unsigned char pubkeyc[65];
6624 size_t pubkeyclen = 65;
6625 secp256k1_pubkey pubkey;
6626 secp256k1_pubkey pubkey_tmp;
6627 unsigned char seckey[300];
6628 size_t seckeylen = 300;
6629
6630 /* Generate a random key and message. */
6631 {
6632 secp256k1_scalar msg, key;
6635 secp256k1_scalar_get_b32(privkey, &key);
6636 secp256k1_scalar_get_b32(message, &msg);
6637 }
6638
6639 /* Construct and verify corresponding public key. */
6640 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
6641 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
6642
6643 /* Verify exporting and importing public key. */
6645 memset(&pubkey, 0, sizeof(pubkey));
6646 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
6647
6648 /* Verify negation changes the key and changes it back */
6649 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6650 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6651 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6652 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6653 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6654
6655 /* Verify private key import and export. */
6656 CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, testrand_bits(1) == 1));
6657 CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
6658 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6659
6660 /* Optionally tweak the keys using addition. */
6661 if (testrand_int(3) == 0) {
6662 int ret1;
6663 int ret2;
6664 unsigned char rnd[32];
6665 secp256k1_pubkey pubkey2;
6666 testrand256_test(rnd);
6667 ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
6668 ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
6669 CHECK(ret1 == ret2);
6670 if (ret1 == 0) {
6671 return;
6672 }
6673 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6674 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6675 }
6676
6677 /* Optionally tweak the keys using multiplication. */
6678 if (testrand_int(3) == 0) {
6679 int ret1;
6680 int ret2;
6681 unsigned char rnd[32];
6682 secp256k1_pubkey pubkey2;
6683 testrand256_test(rnd);
6684 ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
6685 ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
6686 CHECK(ret1 == ret2);
6687 if (ret1 == 0) {
6688 return;
6689 }
6690 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6691 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6692 }
6693
6694 /* Sign. */
6695 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
6696 CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
6697 CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
6698 extra[31] = 1;
6699 CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
6700 extra[31] = 0;
6701 extra[0] = 1;
6702 CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
6703 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6704 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6705 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6706 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6707 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6708 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6709 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6710 /* Verify. */
6711 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6712 CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
6713 CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
6714 CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
6715 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6716 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
6717 secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
6719 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6720 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
6721 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6722 CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6723 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6724 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6725 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6727 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6728 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6729 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6730 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6731
6732 /* Serialize/parse DER and verify again */
6733 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6734 memset(&signature[0], 0, sizeof(signature[0]));
6735 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
6736 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6737 /* Serialize/destroy/parse DER and verify again. */
6738 siglen = 74;
6739 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6740 sig[testrand_int(siglen)] += 1 + testrand_int(255);
6741 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
6742 secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
6743}
6744
6745static void test_random_pubkeys(void) {
6746 secp256k1_ge elem;
6747 secp256k1_ge elem2;
6748 unsigned char in[65];
6749 /* Generate some randomly sized pubkeys. */
6750 size_t len = testrand_bits(2) == 0 ? 65 : 33;
6751 if (testrand_bits(2) == 0) {
6752 len = testrand_bits(6);
6753 }
6754 if (len == 65) {
6755 in[0] = testrand_bits(1) ? 4 : (testrand_bits(1) ? 6 : 7);
6756 } else {
6757 in[0] = testrand_bits(1) ? 2 : 3;
6758 }
6759 if (testrand_bits(3) == 0) {
6760 in[0] = testrand_bits(8);
6761 }
6762 if (len > 1) {
6763 testrand256(&in[1]);
6764 }
6765 if (len > 33) {
6766 testrand256(&in[33]);
6767 }
6768 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6769 unsigned char out[65];
6770 unsigned char firstb;
6771 int res;
6772 size_t size = len;
6773 firstb = in[0];
6774 /* If the pubkey can be parsed, it should round-trip... */
6775 if (len == 33) {
6777 } else {
6779 }
6780 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6781 /* ... except for the type of hybrid inputs. */
6782 if ((in[0] != 6) && (in[0] != 7)) {
6783 CHECK(in[0] == out[0]);
6784 }
6785 size = 65;
6787 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6788 CHECK(secp256k1_ge_eq_var(&elem2, &elem));
6789 /* Check that the X9.62 hybrid type is checked. */
6790 in[0] = testrand_bits(1) ? 6 : 7;
6791 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6792 if (firstb == 2 || firstb == 3) {
6793 if (in[0] == firstb + 4) {
6794 CHECK(res);
6795 } else {
6796 CHECK(!res);
6797 }
6798 }
6799 if (res) {
6800 CHECK(secp256k1_ge_eq_var(&elem, &elem2));
6802 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6803 }
6804 }
6805}
6806
6807static void run_pubkey_comparison(void) {
6808 unsigned char pk1_ser[33] = {
6809 0x02,
6810 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6811 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6812 };
6813 const unsigned char pk2_ser[33] = {
6814 0x02,
6815 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6816 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6817 };
6818 secp256k1_pubkey pk1;
6819 secp256k1_pubkey pk2;
6820
6821 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6822 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6823
6826 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6827 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6828 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
6829 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
6830 {
6831 secp256k1_pubkey pk_tmp;
6832 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6834 {
6835 int32_t ecount = 0;
6837 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
6838 CHECK(ecount == 2);
6840 }
6842 }
6843
6844 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6845 * an uncompressed encoding, these would have the opposite ordering */
6846 pk1_ser[0] = 3;
6847 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6848 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6849 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6850}
6851
6852static void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk) {
6853 size_t i;
6854 const secp256k1_pubkey *pk_test[5];
6855
6856 for (i = 0; i < n_pk; i++) {
6857 pk_test[i] = &pk[pk_order[i]];
6858 }
6859 secp256k1_ec_pubkey_sort(CTX, pk_test, n_pk);
6860 for (i = 0; i < n_pk; i++) {
6861 CHECK(secp256k1_memcmp_var(pk_test[i], &pk[i], sizeof(*pk_test[i])) == 0);
6862 }
6863}
6864
6865static void permute(size_t *arr, size_t n) {
6866 size_t i;
6867 for (i = n - 1; i >= 1; i--) {
6868 size_t tmp, j;
6869 j = testrand_int(i + 1);
6870 tmp = arr[i];
6871 arr[i] = arr[j];
6872 arr[j] = tmp;
6873 }
6874}
6875
6876static void test_sort_api(void) {
6877 secp256k1_pubkey pks[2];
6878 const secp256k1_pubkey *pks_ptr[2];
6879 int i;
6880
6881 pks_ptr[0] = &pks[0];
6882 pks_ptr[1] = &pks[1];
6883
6886
6887 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1);
6888 /* check that NULL in array of public key pointers is not allowed */
6889 for (i = 0; i < 2; i++) {
6890 const secp256k1_pubkey *original_ptr = pks_ptr[i];
6891 pks_ptr[i] = NULL;
6893 pks_ptr[i] = original_ptr;
6894 }
6896 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 0) == 1);
6897 /* Test illegal public keys */
6898 memset(&pks[0], 0, sizeof(pks[0]));
6900 memset(&pks[1], 0, sizeof(pks[1]));
6901 {
6902 int32_t ecount = 0;
6904 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1);
6905 CHECK(ecount == 2);
6907 }
6908}
6909
6910static void test_sort(void) {
6912 unsigned char pk_ser[5][33] = {
6913 { 0x02, 0x08 },
6914 { 0x02, 0x0b },
6915 { 0x02, 0x0c },
6916 { 0x03, 0x05 },
6917 { 0x03, 0x0a },
6918 };
6919 int i;
6920 size_t pk_order[5] = { 0, 1, 2, 3, 4 };
6921
6922 for (i = 0; i < 5; i++) {
6923 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk[i], pk_ser[i], sizeof(pk_ser[i])));
6924 }
6925
6926 permute(pk_order, 1);
6927 test_sort_helper(pk, pk_order, 1);
6928 permute(pk_order, 2);
6929 test_sort_helper(pk, pk_order, 2);
6930 permute(pk_order, 3);
6931 test_sort_helper(pk, pk_order, 3);
6932 for (i = 0; i < COUNT; i++) {
6933 permute(pk_order, 4);
6934 test_sort_helper(pk, pk_order, 4);
6935 }
6936 for (i = 0; i < COUNT; i++) {
6937 permute(pk_order, 5);
6938 test_sort_helper(pk, pk_order, 5);
6939 }
6940 /* Check that sorting also works for random pubkeys */
6941 for (i = 0; i < COUNT; i++) {
6942 int j;
6943 const secp256k1_pubkey *pk_ptr[5];
6944 for (j = 0; j < 5; j++) {
6946 pk_ptr[j] = &pk[j];
6947 }
6948 secp256k1_ec_pubkey_sort(CTX, pk_ptr, 5);
6949 for (j = 1; j < 5; j++) {
6950 CHECK(secp256k1_ec_pubkey_sort_cmp(&pk_ptr[j - 1], &pk_ptr[j], CTX) <= 0);
6951 }
6952 }
6953}
6954
6955/* Test vectors from BIP-MuSig2 */
6956static void test_sort_vectors(void) {
6957 enum { N_PUBKEYS = 6 };
6958 unsigned char pk_ser[N_PUBKEYS][33] = {
6959 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6960 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6961 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 },
6962 { 0x02, 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10, 0x49, 0x34,
6963 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29, 0xB5, 0x31, 0xC8, 0x45, 0x83,
6964 0x6F, 0x99, 0xB0, 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9 },
6965 { 0x03, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 0x36, 0x18,
6966 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2,
6967 0xDE, 0xCE, 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 },
6968 { 0x02, 0x35, 0x90, 0xA9, 0x4E, 0x76, 0x8F, 0x8E, 0x18, 0x15, 0xC2,
6969 0xF2, 0x4B, 0x4D, 0x80, 0xA8, 0xE3, 0x14, 0x93, 0x16, 0xC3, 0x51,
6970 0x8C, 0xE7, 0xB7, 0xAD, 0x33, 0x83, 0x68, 0xD0, 0x38, 0xCA, 0x66 },
6971 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6972 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6973 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xFF },
6974 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6975 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6976 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 }
6977 };
6978 secp256k1_pubkey pubkeys[N_PUBKEYS];
6979 secp256k1_pubkey *sorted[N_PUBKEYS];
6980 const secp256k1_pubkey *pks_ptr[N_PUBKEYS];
6981 int i;
6982
6983 sorted[0] = &pubkeys[3];
6984 sorted[1] = &pubkeys[0];
6985 sorted[2] = &pubkeys[0];
6986 sorted[3] = &pubkeys[4];
6987 sorted[4] = &pubkeys[1];
6988 sorted[5] = &pubkeys[2];
6989
6990 for (i = 0; i < N_PUBKEYS; i++) {
6991 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pk_ser[i], sizeof(pk_ser[i])));
6992 pks_ptr[i] = &pubkeys[i];
6993 }
6995 for (i = 0; i < N_PUBKEYS; i++) {
6996 CHECK(secp256k1_memcmp_var(pks_ptr[i], sorted[i], sizeof(secp256k1_pubkey)) == 0);
6997 }
6998}
6999
7000static void run_pubkey_sort(void) {
7001 test_sort_api();
7002 test_sort();
7004}
7005
7006
7007static void run_random_pubkeys(void) {
7008 int i;
7009 for (i = 0; i < 10*COUNT; i++) {
7011 }
7012}
7013
7014static void run_ecdsa_end_to_end(void) {
7015 int i;
7016 for (i = 0; i < 64*COUNT; i++) {
7018 }
7019}
7020
7021static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
7022 static const unsigned char zeroes[32] = {0};
7023
7024 int ret = 0;
7025
7027 unsigned char roundtrip_der[2048];
7028 unsigned char compact_der[64];
7029 size_t len_der = 2048;
7030 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
7031
7032 secp256k1_ecdsa_signature sig_der_lax;
7033 unsigned char roundtrip_der_lax[2048];
7034 unsigned char compact_der_lax[64];
7035 size_t len_der_lax = 2048;
7036 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
7037
7038 parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
7039 if (parsed_der) {
7040 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
7041 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
7042 }
7043 if (valid_der) {
7044 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
7045 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
7046 }
7047
7048 parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
7049 if (parsed_der_lax) {
7050 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
7051 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
7052 }
7053 if (valid_der_lax) {
7054 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
7055 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
7056 }
7057
7058 if (certainly_der) {
7059 ret |= (!parsed_der) << 2;
7060 }
7061 if (certainly_not_der) {
7062 ret |= (parsed_der) << 17;
7063 }
7064 if (valid_der) {
7065 ret |= (!roundtrips_der) << 3;
7066 }
7067
7068 if (valid_der) {
7069 ret |= (!roundtrips_der_lax) << 12;
7070 ret |= (len_der != len_der_lax) << 13;
7071 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
7072 }
7073 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
7074 if (parsed_der) {
7075 ret |= (!parsed_der_lax) << 16;
7076 }
7077
7078 return ret;
7079}
7080
7081static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
7082 size_t i;
7083 for (i = 0; i < ptrlen; i++) {
7084 int shift = ptrlen - 1 - i;
7085 if (shift >= 4) {
7086 ptr[i] = 0;
7087 } else {
7088 ptr[i] = (val >> shift) & 0xFF;
7089 }
7090 }
7091}
7092
7093static void damage_array(unsigned char *sig, size_t *len) {
7094 int pos;
7095 int action = testrand_bits(3);
7096 if (action < 1 && *len > 3) {
7097 /* Delete a byte. */
7098 pos = testrand_int(*len);
7099 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
7100 (*len)--;
7101 return;
7102 } else if (action < 2 && *len < 2048) {
7103 /* Insert a byte. */
7104 pos = testrand_int(1 + *len);
7105 memmove(sig + pos + 1, sig + pos, *len - pos);
7106 sig[pos] = testrand_bits(8);
7107 (*len)++;
7108 return;
7109 } else if (action < 4) {
7110 /* Modify a byte. */
7111 sig[testrand_int(*len)] += 1 + testrand_int(255);
7112 return;
7113 } else { /* action < 8 */
7114 /* Modify a bit. */
7115 sig[testrand_int(*len)] ^= 1 << testrand_bits(3);
7116 return;
7117 }
7118}
7119
7120static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
7121 int der;
7122 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
7123 size_t tlen, elen, glen;
7124 int indet;
7125 int n;
7126
7127 *len = 0;
7128 der = testrand_bits(2) == 0;
7129 *certainly_der = der;
7130 *certainly_not_der = 0;
7131 indet = der ? 0 : testrand_int(10) == 0;
7132
7133 for (n = 0; n < 2; n++) {
7134 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
7135 nlow[n] = der ? 1 : (testrand_bits(3) != 0);
7136 /* The length of the number in bytes (the first byte of which will always be nonzero) */
7137 nlen[n] = nlow[n] ? testrand_int(33) : 32 + testrand_int(200) * testrand_bits(3) / 8;
7138 CHECK(nlen[n] <= 232);
7139 /* The top bit of the number. */
7140 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : testrand_bits(1));
7141 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
7142 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + testrand_bits(7) : 1 + testrand_int(127));
7143 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
7144 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? testrand_int(3) : testrand_int(300 - nlen[n]) * testrand_bits(3) / 8);
7145 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
7146 *certainly_not_der = 1;
7147 }
7148 CHECK(nlen[n] + nzlen[n] <= 300);
7149 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
7150 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
7151 if (!der) {
7152 /* nlenlen[n] max 127 bytes */
7153 int add = testrand_int(127 - nlenlen[n]) * testrand_bits(4) * testrand_bits(4) / 256;
7154 nlenlen[n] += add;
7155 if (add != 0) {
7156 *certainly_not_der = 1;
7157 }
7158 }
7159 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
7160 }
7161
7162 /* The total length of the data to go, so far */
7163 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
7164 CHECK(tlen <= 856);
7165
7166 /* The length of the garbage inside the tuple. */
7167 elen = (der || indet) ? 0 : testrand_int(980 - tlen) * testrand_bits(3) / 8;
7168 if (elen != 0) {
7169 *certainly_not_der = 1;
7170 }
7171 tlen += elen;
7172 CHECK(tlen <= 980);
7173
7174 /* The length of the garbage after the end of the tuple. */
7175 glen = der ? 0 : testrand_int(990 - tlen) * testrand_bits(3) / 8;
7176 if (glen != 0) {
7177 *certainly_not_der = 1;
7178 }
7179 CHECK(tlen + glen <= 990);
7180
7181 /* Write the tuple header. */
7182 sig[(*len)++] = 0x30;
7183 if (indet) {
7184 /* Indeterminate length */
7185 sig[(*len)++] = 0x80;
7186 *certainly_not_der = 1;
7187 } else {
7188 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
7189 if (!der) {
7190 int add = testrand_int(127 - tlenlen) * testrand_bits(4) * testrand_bits(4) / 256;
7191 tlenlen += add;
7192 if (add != 0) {
7193 *certainly_not_der = 1;
7194 }
7195 }
7196 if (tlenlen == 0) {
7197 /* Short length notation */
7198 sig[(*len)++] = tlen;
7199 } else {
7200 /* Long length notation */
7201 sig[(*len)++] = 128 + tlenlen;
7202 assign_big_endian(sig + *len, tlenlen, tlen);
7203 *len += tlenlen;
7204 }
7205 tlen += tlenlen;
7206 }
7207 tlen += 2;
7208 CHECK(tlen + glen <= 1119);
7209
7210 for (n = 0; n < 2; n++) {
7211 /* Write the integer header. */
7212 sig[(*len)++] = 0x02;
7213 if (nlenlen[n] == 0) {
7214 /* Short length notation */
7215 sig[(*len)++] = nlen[n] + nzlen[n];
7216 } else {
7217 /* Long length notation. */
7218 sig[(*len)++] = 128 + nlenlen[n];
7219 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
7220 *len += nlenlen[n];
7221 }
7222 /* Write zero padding */
7223 while (nzlen[n] > 0) {
7224 sig[(*len)++] = 0x00;
7225 nzlen[n]--;
7226 }
7227 if (nlen[n] == 32 && !nlow[n]) {
7228 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
7229 int i;
7230 for (i = 0; i < 16; i++) {
7231 sig[(*len)++] = 0xFF;
7232 }
7233 nlen[n] -= 16;
7234 }
7235 /* Write first byte of number */
7236 if (nlen[n] > 0) {
7237 sig[(*len)++] = nhbyte[n];
7238 nlen[n]--;
7239 }
7240 /* Generate remaining random bytes of number */
7241 testrand_bytes_test(sig + *len, nlen[n]);
7242 *len += nlen[n];
7243 nlen[n] = 0;
7244 }
7245
7246 /* Generate random garbage inside tuple. */
7247 testrand_bytes_test(sig + *len, elen);
7248 *len += elen;
7249
7250 /* Generate end-of-contents bytes. */
7251 if (indet) {
7252 sig[(*len)++] = 0;
7253 sig[(*len)++] = 0;
7254 tlen += 2;
7255 }
7256 CHECK(tlen + glen <= 1121);
7257
7258 /* Generate random garbage outside tuple. */
7259 testrand_bytes_test(sig + *len, glen);
7260 *len += glen;
7261 tlen += glen;
7262 CHECK(tlen <= 1121);
7263 CHECK(tlen == *len);
7264}
7265
7266static void run_ecdsa_der_parse(void) {
7267 int i,j;
7268 for (i = 0; i < 200 * COUNT; i++) {
7269 unsigned char buffer[2048];
7270 size_t buflen = 0;
7271 int certainly_der = 0;
7272 int certainly_not_der = 0;
7273 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
7274 CHECK(buflen <= 2048);
7275 for (j = 0; j < 16; j++) {
7276 int ret = 0;
7277 if (j > 0) {
7278 damage_array(buffer, &buflen);
7279 /* We don't know anything anymore about the DERness of the result */
7280 certainly_der = 0;
7281 certainly_not_der = 0;
7282 }
7283 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
7284 if (ret != 0) {
7285 size_t k;
7286 fprintf(stderr, "Failure %x on ", ret);
7287 for (k = 0; k < buflen; k++) {
7288 fprintf(stderr, "%02x ", buffer[k]);
7289 }
7290 fprintf(stderr, "\n");
7291 }
7292 CHECK(ret == 0);
7293 }
7294 }
7295}
7296
7297/* Tests several edge cases. */
7298static void run_ecdsa_edge_cases(void) {
7299 int t;
7301
7302 /* Test the case where ECDSA recomputes a point that is infinity. */
7303 {
7304 secp256k1_ge key;
7306 secp256k1_scalar sr, ss;
7308 secp256k1_scalar_negate(&ss, &ss);
7309 secp256k1_scalar_inverse(&ss, &ss);
7312 msg = ss;
7313 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7314 }
7315
7316 /* Verify signature with r of zero fails. */
7317 {
7318 const unsigned char pubkey_mods_zero[33] = {
7319 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7320 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7321 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7322 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7323 0x41
7324 };
7325 secp256k1_ge key;
7327 secp256k1_scalar sr, ss;
7331 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
7332 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
7333 }
7334
7335 /* Verify signature with s of zero fails. */
7336 {
7337 const unsigned char pubkey[33] = {
7338 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7339 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7340 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7341 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7342 0x01
7343 };
7344 secp256k1_ge key;
7346 secp256k1_scalar sr, ss;
7350 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7351 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7352 }
7353
7354 /* Verify signature with message 0 passes. */
7355 {
7356 const unsigned char pubkey[33] = {
7357 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7358 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7361 0x02
7362 };
7363 const unsigned char pubkey2[33] = {
7364 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7365 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7366 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7367 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7368 0x43
7369 };
7370 secp256k1_ge key;
7371 secp256k1_ge key2;
7373 secp256k1_scalar sr, ss;
7377 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7378 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7379 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7380 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7381 secp256k1_scalar_negate(&ss, &ss);
7382 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7383 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7385 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7386 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7387 }
7388
7389 /* Verify signature with message 1 passes. */
7390 {
7391 const unsigned char pubkey[33] = {
7392 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
7393 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
7394 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
7395 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
7396 0x25
7397 };
7398 const unsigned char pubkey2[33] = {
7399 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
7400 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
7401 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
7402 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
7403 0x62
7404 };
7405 const unsigned char csr[32] = {
7406 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7407 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7408 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7409 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
7410 };
7411 secp256k1_ge key;
7412 secp256k1_ge key2;
7414 secp256k1_scalar sr, ss;
7417 secp256k1_scalar_set_b32(&sr, csr, NULL);
7418 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7419 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7420 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7421 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7422 secp256k1_scalar_negate(&ss, &ss);
7423 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7424 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7427 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7428 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7429 }
7430
7431 /* Verify signature with message -1 passes. */
7432 {
7433 const unsigned char pubkey[33] = {
7434 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
7435 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
7436 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
7437 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
7438 0xf1
7439 };
7440 const unsigned char csr[32] = {
7441 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7442 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7443 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7444 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
7445 };
7446 secp256k1_ge key;
7448 secp256k1_scalar sr, ss;
7452 secp256k1_scalar_set_b32(&sr, csr, NULL);
7453 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7454 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7455 secp256k1_scalar_negate(&ss, &ss);
7456 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7459 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7460 }
7461
7462 /* Signature where s would be zero. */
7463 {
7464 secp256k1_pubkey pubkey;
7465 size_t siglen;
7466 unsigned char signature[72];
7467 static const unsigned char nonce[32] = {
7468 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7469 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7470 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7471 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7472 };
7473 static const unsigned char nonce2[32] = {
7474 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
7475 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
7476 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
7477 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
7478 };
7479 const unsigned char key[32] = {
7480 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7481 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7482 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7483 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7484 };
7485 unsigned char msg[32] = {
7486 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
7487 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
7488 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
7489 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
7490 };
7492 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
7493 msg[31] = 0xaa;
7498 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
7499 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
7500 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey));
7501 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey));
7503 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
7505 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7506 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey));
7507 siglen = 72;
7510 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL));
7511 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
7512 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen));
7514 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
7515 siglen = 10;
7516 /* Too little room for a signature does not fail via ARGCHECK. */
7517 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
7524 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1);
7525 memset(signature, 255, 64);
7526 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0);
7527 }
7528
7529 /* Nonce function corner cases. */
7530 for (t = 0; t < 2; t++) {
7531 static const unsigned char zero[32] = {0x00};
7532 int i;
7533 unsigned char key[32];
7534 unsigned char msg[32];
7536 secp256k1_scalar sr[512], ss;
7537 const unsigned char *extra;
7538 extra = t == 0 ? NULL : zero;
7539 memset(msg, 0, 32);
7540 msg[31] = 1;
7541 /* High key results in signature failure. */
7542 memset(key, 0xFF, 32);
7543 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7545 /* Zero key results in signature failure. */
7546 memset(key, 0, 32);
7547 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7549 /* Nonce function failure results in signature failure. */
7550 key[31] = 1;
7551 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7553 /* The retry loop successfully makes its way to the first good value. */
7554 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7555 CHECK(!is_empty_signature(&sig));
7556 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7557 CHECK(!is_empty_signature(&sig2));
7558 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7559 /* The default nonce function is deterministic. */
7560 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7561 CHECK(!is_empty_signature(&sig2));
7562 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7563 /* The default nonce function changes output with different messages. */
7564 for(i = 0; i < 256; i++) {
7565 int j;
7566 msg[0] = i;
7567 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7568 CHECK(!is_empty_signature(&sig2));
7569 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7570 for (j = 0; j < i; j++) {
7571 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7572 }
7573 }
7574 msg[0] = 0;
7575 msg[31] = 2;
7576 /* The default nonce function changes output with different keys. */
7577 for(i = 256; i < 512; i++) {
7578 int j;
7579 key[0] = i - 256;
7580 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7581 CHECK(!is_empty_signature(&sig2));
7582 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7583 for (j = 0; j < i; j++) {
7584 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7585 }
7586 }
7587 key[0] = 0;
7588 }
7589
7590 {
7591 /* Check that optional nonce arguments do not have equivalent effect. */
7592 const unsigned char zeros[32] = {0};
7593 unsigned char nonce[32];
7594 unsigned char nonce2[32];
7595 unsigned char nonce3[32];
7596 unsigned char nonce4[32];
7598 SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
7599 SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
7600 SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
7601 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7603 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7604 SECP256K1_CHECKMEM_CHECK(nonce2,32);
7605 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7606 SECP256K1_CHECKMEM_CHECK(nonce3,32);
7607 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7608 SECP256K1_CHECKMEM_CHECK(nonce4,32);
7609 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7610 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7611 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7612 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7613 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7614 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7615 }
7616
7617
7618 /* Privkey export where pubkey is the point at infinity. */
7619 {
7620 unsigned char privkey[300];
7621 const unsigned char *seckey = secp256k1_group_order_bytes;
7622 size_t outlen = 300;
7623 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
7624 outlen = 300;
7625 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
7626 }
7627}
7628
7630static void ecdsa_ctx_sha256(void) {
7631 /* Check ctx-provided SHA256 compression override takes effect */
7633 secp256k1_ecdsa_signature out_default, out_custom;
7634 unsigned char sk[32] = {1}, msg32[32] = {1};
7635
7636 /* Default behavior. No ctx-provided SHA256 compression */
7637 CHECK(secp256k1_ecdsa_sign(ctx, &out_default, msg32, sk, NULL, NULL));
7638 CHECK(!sha256_ecdsa_called);
7639
7640 /* Override SHA256 compression directly, bypassing the ctx setter sanity checks */
7641 ctx->hash_ctx.fn_sha256_compression = sha256_ecdsa;
7642 CHECK(secp256k1_ecdsa_sign(ctx, &out_custom, msg32, sk, NULL, NULL));
7643 CHECK(sha256_ecdsa_called);
7644 /* Outputs must differ if custom compression was used */
7645 CHECK(secp256k1_memcmp_var(out_default.data, out_custom.data, 64) != 0);
7646
7648}
7649
7654static void test_ecdsa_wycheproof(void) {
7656
7657 int t;
7660 secp256k1_ecdsa_signature signature;
7661 secp256k1_sha256 hasher;
7662 secp256k1_pubkey pubkey;
7663 const unsigned char *msg, *sig, *pk;
7664 unsigned char out[32] = {0};
7665 int actual_verify = 0;
7666
7667 memset(&pubkey, 0, sizeof(pubkey));
7669 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);
7670
7673 secp256k1_sha256_write(hash_ctx, &hasher, msg, testvectors[t].msg_len);
7674 secp256k1_sha256_finalize(hash_ctx, &hasher, out);
7675
7676 sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset];
7677 if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
7678 actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
7679 }
7680 CHECK(testvectors[t].expected_verify == actual_verify);
7681 }
7682}
7683
7684/* Tests cases from Wycheproof test suite. */
7685static void run_ecdsa_wycheproof(void) {
7687}
7688
7689#ifdef ENABLE_MODULE_ECDH
7690# include "modules/ecdh/tests_impl.h"
7691#endif
7692
7693#ifdef ENABLE_MODULE_RECOVERY
7695#endif
7696
7697#ifdef ENABLE_MODULE_EXTRAKEYS
7699#endif
7700
7701#ifdef ENABLE_MODULE_SCHNORRSIG
7703#endif
7704
7705#ifdef ENABLE_MODULE_MUSIG
7707#endif
7708
7709#ifdef ENABLE_MODULE_ELLSWIFT
7711#endif
7712
7714 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7715 unsigned char buf2[sizeof(buf1)];
7716
7717 /* secp256k1_memczero(..., ..., 0) is a noop. */
7718 memcpy(buf2, buf1, sizeof(buf1));
7719 secp256k1_memczero(buf1, sizeof(buf1), 0);
7720 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7721
7722 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7723 memset(buf2, 0, sizeof(buf2));
7724 secp256k1_memczero(buf1, sizeof(buf1) , 1);
7725 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7726}
7727
7728
7730 unsigned char buf1[3] = {0, 1};
7731 unsigned char buf2[3] = {1, 0};
7732
7733 CHECK(secp256k1_is_zero_array(buf1, 0) == 1);
7734 CHECK(secp256k1_is_zero_array(buf1, 1) == 1);
7735 CHECK(secp256k1_is_zero_array(buf1, 2) == 0);
7736 CHECK(secp256k1_is_zero_array(buf2, 1) == 0);
7737 CHECK(secp256k1_is_zero_array(buf2, 2) == 0);
7738}
7739
7741 {
7742 const uint32_t x = 0xFF03AB45;
7743 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7744 unsigned char buf[4];
7745 uint32_t x_;
7746
7747 secp256k1_write_be32(buf, x);
7748 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7749
7750 x_ = secp256k1_read_be32(buf);
7751 CHECK(x == x_);
7752 }
7753
7754 {
7755 const uint64_t x = 0xCAFE0123BEEF4567;
7756 const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67};
7757 unsigned char buf[8];
7758 uint64_t x_;
7759
7760 secp256k1_write_be64(buf, x);
7761 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7762
7763 x_ = secp256k1_read_be64(buf);
7764 CHECK(x == x_);
7765 }
7766}
7767
7768static void int_cmov_test(void) {
7769 int r = INT_MAX;
7770 int a = 0;
7771
7772 secp256k1_int_cmov(&r, &a, 0);
7773 CHECK(r == INT_MAX);
7774
7775 r = 0; a = INT_MAX;
7776 secp256k1_int_cmov(&r, &a, 1);
7777 CHECK(r == INT_MAX);
7778
7779 a = 0;
7780 secp256k1_int_cmov(&r, &a, 1);
7781 CHECK(r == 0);
7782
7783 a = 1;
7784 secp256k1_int_cmov(&r, &a, 1);
7785 CHECK(r == 1);
7786
7787 r = 1; a = 0;
7788 secp256k1_int_cmov(&r, &a, 0);
7789 CHECK(r == 1);
7790
7791}
7792
7793static void fe_cmov_test(void) {
7794 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7795 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7796 static const secp256k1_fe max = SECP256K1_FE_CONST(
7797 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7798 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7799 );
7800 secp256k1_fe r = max;
7801 secp256k1_fe a = zero;
7802
7803 secp256k1_fe_cmov(&r, &a, 0);
7804 CHECK(fe_identical(&r, &max));
7805
7806 r = zero; a = max;
7807 secp256k1_fe_cmov(&r, &a, 1);
7808 CHECK(fe_identical(&r, &max));
7809
7810 a = zero;
7811 secp256k1_fe_cmov(&r, &a, 1);
7812 CHECK(fe_identical(&r, &zero));
7813
7814 a = one;
7815 secp256k1_fe_cmov(&r, &a, 1);
7816 CHECK(fe_identical(&r, &one));
7817
7818 r = one; a = zero;
7819 secp256k1_fe_cmov(&r, &a, 0);
7820 CHECK(fe_identical(&r, &one));
7821}
7822
7823static void fe_storage_cmov_test(void) {
7824 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7825 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7827 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7828 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7829 );
7830 secp256k1_fe_storage r = max;
7831 secp256k1_fe_storage a = zero;
7832
7833 secp256k1_fe_storage_cmov(&r, &a, 0);
7834 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7835
7836 r = zero; a = max;
7837 secp256k1_fe_storage_cmov(&r, &a, 1);
7838 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7839
7840 a = zero;
7841 secp256k1_fe_storage_cmov(&r, &a, 1);
7842 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7843
7844 a = one;
7845 secp256k1_fe_storage_cmov(&r, &a, 1);
7846 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7847
7848 r = one; a = zero;
7849 secp256k1_fe_storage_cmov(&r, &a, 0);
7850 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7851}
7852
7853static void scalar_cmov_test(void) {
7854 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7855 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
7856 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
7857 );
7858 secp256k1_scalar r = max;
7860
7861 secp256k1_scalar_cmov(&r, &a, 0);
7862 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7863
7864 r = secp256k1_scalar_zero; a = max;
7865 secp256k1_scalar_cmov(&r, &a, 1);
7866 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7867
7869 secp256k1_scalar_cmov(&r, &a, 1);
7870 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0);
7871
7873 secp256k1_scalar_cmov(&r, &a, 1);
7874 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7875
7877 secp256k1_scalar_cmov(&r, &a, 0);
7878 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7879}
7880
7881static void ge_storage_cmov_test(void) {
7882 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7883 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7885 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7886 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7887 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7888 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7889 );
7890 secp256k1_ge_storage r = max;
7891 secp256k1_ge_storage a = zero;
7892
7893 secp256k1_ge_storage_cmov(&r, &a, 0);
7894 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7895
7896 r = zero; a = max;
7897 secp256k1_ge_storage_cmov(&r, &a, 1);
7898 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7899
7900 a = zero;
7901 secp256k1_ge_storage_cmov(&r, &a, 1);
7902 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7903
7904 a = one;
7905 secp256k1_ge_storage_cmov(&r, &a, 1);
7906 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7907
7908 r = one; a = zero;
7909 secp256k1_ge_storage_cmov(&r, &a, 0);
7910 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7911}
7912
7913static void run_cmov_tests(void) {
7914 int_cmov_test();
7915 fe_cmov_test();
7919}
7920
7921/* --------------------------------------------------------- */
7922/* Test Registry */
7923/* --------------------------------------------------------- */
7924
7925/* --- Special test cases that must run before RNG initialization --- */
7926static const struct tf_test_entry tests_no_rng[] = {
7927 CASE(xoshiro256pp_tests),
7928};
7930
7931/* --- Standard test cases start here --- */
7932static const struct tf_test_entry tests_general[] = {
7933 CASE(selftest_tests),
7934 CASE(all_proper_context_tests),
7935 CASE(all_static_context_tests),
7936 CASE(deprecated_context_flags_test),
7937 CASE(scratch_tests),
7938 CASE(plug_sha256_compression_tests),
7939 CASE(sha256_multi_block_compression_tests),
7940};
7941
7942static const struct tf_test_entry tests_integer[] = {
7943#ifdef SECP256K1_WIDEMUL_INT128
7944 CASE(int128_tests),
7945#endif
7946 CASE(ctz_tests),
7947 CASE(modinv_tests),
7948 CASE(inverse_tests),
7949};
7950
7951static const struct tf_test_entry tests_hash[] = {
7952 CASE(sha256_known_output_tests),
7953 CASE(sha256_counter_tests),
7954 CASE(hmac_sha256_tests),
7955 CASE(rfc6979_hmac_sha256_tests),
7956 CASE(tagged_sha256_tests),
7957 CASE(sha256_initialize_midstate_tests),
7958};
7959
7960static const struct tf_test_entry tests_scalar[] = {
7961 CASE(scalar_tests),
7962};
7963
7964static const struct tf_test_entry tests_field[] = {
7965 CASE(field_half),
7966 CASE(field_misc),
7967 CASE(field_convert),
7968 CASE(field_be32_overflow),
7969 CASE(fe_mul),
7970 CASE(sqr),
7971 CASE(sqrt),
7972};
7973
7974static const struct tf_test_entry tests_group[] = {
7975 CASE(ge),
7976 CASE(gej),
7977 CASE(group_decompress),
7978};
7979
7980static const struct tf_test_entry tests_ecmult[] = {
7981 CASE(ecmult_pre_g),
7982 CASE(wnaf),
7983 CASE(point_times_order),
7984 CASE(ecmult_near_split_bound),
7985 CASE(ecmult_chain),
7986 CASE(ecmult_constants),
7987 CASE(ecmult_gen_ge),
7988 CASE(ecmult_gen_blind),
7989 CASE(ecmult_const_tests),
7990 CASE(ecmult_multi_tests),
7991 CASE(ec_combine),
7992};
7993
7994static const struct tf_test_entry tests_ec[] = {
7995 CASE(endomorphism_tests),
7996 CASE(ec_pubkey_parse_test),
7997 CASE(eckey_edge_case_test),
7998 CASE(eckey_negate_test),
7999};
8000
8001static const struct tf_test_entry tests_ecdsa[] = {
8002 CASE(ec_illegal_argument_tests),
8003 CASE(pubkey_comparison),
8004 CASE(pubkey_sort),
8005 CASE(random_pubkeys),
8006 CASE(ecdsa_der_parse),
8007 CASE(ecdsa_sign_verify),
8008 CASE(ecdsa_end_to_end),
8009 CASE(ecdsa_edge_cases),
8010 CASE(ecdsa_wycheproof),
8012};
8013
8014static const struct tf_test_entry tests_utils[] = {
8015 CASE(hsort_tests),
8016 CASE(secp256k1_memczero_test),
8017 CASE(secp256k1_is_zero_array_test),
8018 CASE(secp256k1_byteorder_tests),
8019 CASE(cmov_tests),
8020};
8021
8022/* Register test modules */
8023static const struct tf_test_module registry_modules[] = {
8024 MAKE_TEST_MODULE(general),
8025 MAKE_TEST_MODULE(integer),
8026 MAKE_TEST_MODULE(hash),
8027 MAKE_TEST_MODULE(scalar),
8028 MAKE_TEST_MODULE(field),
8030 MAKE_TEST_MODULE(ecmult),
8031 MAKE_TEST_MODULE(ec),
8032#ifdef ENABLE_MODULE_ECDH
8033 MAKE_TEST_MODULE(ecdh),
8034#endif
8035 MAKE_TEST_MODULE(ecdsa),
8036#ifdef ENABLE_MODULE_RECOVERY
8037 /* ECDSA pubkey recovery tests */
8038 MAKE_TEST_MODULE(recovery),
8039#endif
8040#ifdef ENABLE_MODULE_EXTRAKEYS
8041 MAKE_TEST_MODULE(extrakeys),
8042#endif
8043#ifdef ENABLE_MODULE_SCHNORRSIG
8044 MAKE_TEST_MODULE(schnorrsig),
8045#endif
8046#ifdef ENABLE_MODULE_MUSIG
8047 MAKE_TEST_MODULE(musig),
8048#endif
8049#ifdef ENABLE_MODULE_ELLSWIFT
8050 MAKE_TEST_MODULE(ellswift),
8051#endif
8052 MAKE_TEST_MODULE(utils),
8053};
8054
8055/* Setup test environment */
8056static int setup(void) {
8057 /* Create a global context available to all tests */
8059 /* Randomize the context only with probability 15/16
8060 to make sure we test without context randomization from time to time.
8061 TODO Reconsider this when recalibrating the tests. */
8062 if (testrand_bits(4)) {
8063 unsigned char rand32[32];
8064 testrand256(rand32);
8066 }
8067 /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
8068 that write to the context. The API does not support cloning the static context, so we use
8069 memcpy instead. The user is not supposed to copy a context but we should still ensure that
8070 the API functions handle copies of the static context gracefully. */
8071 STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
8072 CHECK(STATIC_CTX != NULL);
8075 return 0;
8076}
8077
8078/* Shutdown test environment */
8079static int teardown(void) {
8080 free(STATIC_CTX);
8082 return 0;
8083}
8084
8085int main(int argc, char **argv) {
8086 struct tf_framework tf = {0};
8090
8091 /* Add context creation/destruction functions */
8092 tf.fn_setup = setup;
8093 tf.fn_teardown = teardown;
8094
8095 /* Init and run framework */
8096 if (tf_init(&tf, argc, argv) != 0) return EXIT_FAILURE;
8097 return tf_run(&tf);
8098}
8099
8100#if defined(__GNUC__)
8101# pragma GCC diagnostic pop
8102#endif
static void pool cs
int ret
int flags
Definition: bitcoin-tx.cpp:530
#define SECP256K1_CHECKMEM_UNDEFINE(p, len)
Definition: checkmem.h:105
#define SECP256K1_CHECKMEM_CHECK(p, len)
Definition: checkmem.h:107
static const wycheproof_ecdh_testvector testvectors[SECP256K1_ECDH_WYCHEPROOF_NUMBER_TESTVECTORS]
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
static const unsigned char wycheproof_ecdsa_signatures[]
static const unsigned char wycheproof_ecdsa_public_keys[]
static const unsigned char wycheproof_ecdsa_messages[]
#define SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
static void secp256k1_eckey_pubkey_serialize65(secp256k1_ge *elem, unsigned char *pub65)
Serialize a group element (that is not allowed to be infinity) to an uncompressed public key (65 byte...
static void secp256k1_eckey_pubkey_serialize33(secp256k1_ge *elem, unsigned char *pub33)
Serialize a group element (that is not allowed to be infinity) to a compressed public key (33 bytes).
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
static const secp256k1_scalar secp256k1_ecmult_const_K
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const secp256k1_hash_ctx *hash_ctx, const unsigned char *seed32)
static void secp256k1_ecmult_gen_ge(const secp256k1_ecmult_gen_context *ctx, secp256k1_ge *r, const secp256k1_scalar *a)
static void secp256k1_ecmult_gen_gej(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:626
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:743
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:422
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:437
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:162
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:377
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:597
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:734
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:804
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:664
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:822
volatile double sum
Definition: examples.cpp:10
#define N_PUBKEYS
Definition: tests_impl.h:252
#define secp256k1_fe_cmov
Definition: field.h:95
#define secp256k1_fe_negate(r, a, m)
Negate a field element.
Definition: field.h:211
#define secp256k1_fe_mul_int(r, a)
Multiply a field element with a small integer.
Definition: field.h:233
#define secp256k1_fe_normalizes_to_zero_var
Definition: field.h:82
#define secp256k1_fe_cmp_var
Definition: field.h:86
#define secp256k1_fe_normalize_weak
Definition: field.h:79
#define secp256k1_fe_is_odd
Definition: field.h:85
#define secp256k1_fe_mul
Definition: field.h:93
static const secp256k1_fe secp256k1_fe_one
Definition: field.h:68
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
#define secp256k1_fe_add
Definition: field.h:92
#define secp256k1_fe_normalize_var
Definition: field.h:80
#define secp256k1_fe_half
Definition: field.h:101
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p.
Definition: field.h:66
#define secp256k1_fe_to_storage
Definition: field.h:96
#define secp256k1_fe_inv_var
Definition: field.h:99
#define secp256k1_fe_is_zero
Definition: field.h:84
#define secp256k1_fe_set_b32_limit
Definition: field.h:88
#define secp256k1_fe_is_square_var
Definition: field.h:103
#define secp256k1_fe_get_bounds
Definition: field.h:100
#define secp256k1_fe_from_storage
Definition: field.h:97
#define secp256k1_fe_set_b32_mod
Definition: field.h:87
#define secp256k1_fe_negate_unchecked
Definition: field.h:90
#define secp256k1_fe_get_b32
Definition: field.h:89
#define secp256k1_fe_normalizes_to_zero
Definition: field.h:81
#define secp256k1_fe_inv
Definition: field.h:98
#define secp256k1_fe_sqr
Definition: field.h:94
#define secp256k1_fe_normalize
Definition: field.h:78
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is 1, set *r equal to *a; if flag is 0, leave it.
#define secp256k1_fe_add_int
Definition: field.h:102
#define secp256k1_fe_set_int
Definition: field.h:83
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:54
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
static int secp256k1_ge_eq_var(const secp256k1_ge *a, const secp256k1_ge *b)
Check two group elements (affine) for equality in variable time.
static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x)
Determine whether x is a valid X coordinate on the curve.
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
static void secp256k1_ge_to_bytes_ext(unsigned char *data, const secp256k1_ge *ge)
Convert a group element (that is allowed to be infinity) to a 64-byte array.
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static int secp256k1_gej_eq_ge_var(const secp256k1_gej *a, const secp256k1_ge *b)
Check two group elements (jacobian and affine) for equality in variable time.
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
static void secp256k1_ge_from_bytes_ext(secp256k1_ge *ge, const unsigned char *data)
Convert a 64-byte array into a group element.
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd)
Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is 1, set *r equal to *a; if flag is 0, leave it.
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static void secp256k1_ge_set_all_gej(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set group elements r[0:len] (affine) equal to group elements a[0:len] (jacobian).
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set group elements r[0:len] (affine) equal to group elements a[0:len] (jacobian).
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
static void secp256k1_ge_to_bytes(unsigned char *buf, const secp256k1_ge *a)
Convert a group element that is not infinity to a 64-byte array.
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is 1, set *r equal to *a; if flag is 0, leave it.
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static void secp256k1_ge_from_bytes(secp256k1_ge *r, const unsigned char *buf)
Convert a 64-byte array into group element.
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:72
static void secp256k1_sha256_transform(uint32_t *state, const unsigned char *blocks64, size_t n_blocks)
Definition: hash_impl.h:133
static void secp256k1_sha256_initialize_tagged(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:196
static void secp256k1_hsort(void *ptr, size_t count, size_t size, int(*cmp)(const void *, const void *, void *), void *cmp_data)
static SECP256K1_INLINE void secp256k1_heap_swap(unsigned char *arr, size_t i, size_t j, size_t stride)
Definition: hsort_impl.h:34
int128_t secp256k1_int128
Definition: int128_native.h:17
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
unsigned int nonce
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static int sign(const secp256k1_context *ctx, struct signer_secrets *signer_secrets, struct signer *signer, const secp256k1_musig_keyagg_cache *cache, const unsigned char *msg32, unsigned char *sig64)
Definition: musig.c:106
static const auto ZERO
A stack consisting of a single zero-length element (interpreted as 0 by the script interpreter in num...
Definition: miniscript.h:345
Internal SHA-1 implementation.
Definition: sha1.cpp:16
static std::vector< std::string > split(const std::string &str, const std::string &delims=" \t")
Definition: subprocess.h:311
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
#define WINDOW_G
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:45
const char * prefix
Definition: rest.cpp:1143
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is 1, set *r equal to *a; if flag is 0, leave it.
static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a)
Multiply a scalar with the multiplicative inverse of 2.
static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*2^128 = k.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits (1 < count <= 32) from a scalar.
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
static uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits (1 < count <= 32) from a scalar.
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:83
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
static void secp256k1_hmac_sha256_finalize(const secp256k1_hash_ctx *hash_ctx, secp256k1_hmac_sha256 *hash, unsigned char *out32)
static void secp256k1_sha256_finalize(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *hash, unsigned char *out32)
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
static void secp256k1_sha256_initialize_midstate(secp256k1_sha256 *hash, uint64_t bytes, const uint32_t state[8])
static void secp256k1_hmac_sha256_write(const secp256k1_hash_ctx *hash_ctx, secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
static void secp256k1_rfc6979_hmac_sha256_generate(const secp256k1_hash_ctx *hash_ctx, secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
static void secp256k1_rfc6979_hmac_sha256_initialize(const secp256k1_hash_ctx *hash_ctx, secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
static void secp256k1_sha256_write(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *hash, const unsigned char *data, size_t size)
static void secp256k1_hmac_sha256_initialize(const secp256k1_hash_ctx *hash_ctx, secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:411
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:282
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is 1, set *r equal to *a; if flag is 0, leave it.
Definition: util.h:313
#define ARRAY_SIZE(arr)
Definition: util.h:195
#define ALIGNMENT
Definition: util.h:187
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:113
static SECP256K1_INLINE int secp256k1_is_zero_array(const unsigned char *s, size_t len)
Definition: util.h:297
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:429
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:393
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:437
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char *p, uint64_t x)
Definition: util.h:457
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:108
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:382
#define VERIFY_CHECK(cond)
Definition: util.h:170
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:370
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char *p)
Definition: util.h:445
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:173
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:221
const secp256k1_context *const secp256k1_context_no_precomp
Definition: secp256k1.c:77
static void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Definition: secp256k1.c:247
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:84
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:386
static secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Definition: secp256k1.c:242
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:259
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:265
static SECP256K1_INLINE const secp256k1_hash_ctx * secp256k1_get_hash_context(const secp256k1_context *ctx)
Definition: secp256k1.c:238
static int secp256k1_ec_pubkey_sort_cmp(const void *pk1, const void *pk2, void *ctx)
Definition: secp256k1.c:339
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:534
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:372
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:190
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:736
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:219
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:779
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:789
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:654
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:412
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:287
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:214
SECP256K1_API int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:669
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:313
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an elliptic curve secret key.
Definition: secp256k1.c:615
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:144
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:202
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:601
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:269
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:215
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:396
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:88
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:636
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:225
struct secp256k1_pubkey secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:477
SECP256K1_API int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:815
SECP256K1_API const secp256k1_context *const secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:246
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:458
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:166
SECP256K1_API void secp256k1_context_set_sha256_compression(secp256k1_context *ctx, secp256k1_sha256_compression_function fn_compression) SECP256K1_ARG_NONNULL(1)
Set a callback function to override the internal SHA256 compression function.
Definition: secp256k1.c:226
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:719
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:226
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:433
struct secp256k1_ecdsa_signature secp256k1_ecdsa_signature
Opaque data structure that holds a parsed ECDSA signature.
SECP256K1_API int secp256k1_ec_pubkey_sort(const secp256k1_context *ctx, const secp256k1_pubkey **pubkeys, size_t n_pubkeys) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Sort public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:345
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:218
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:696
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:756
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:445
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:114
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:179
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:120
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:94
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:155
secp256k1_scalar * sc
Definition: tests.c:4856
secp256k1_ge * pt
Definition: tests.c:4857
void(* fn)(const char *text, void *data)
Definition: util.h:99
const void * data
Definition: util.h:100
secp256k1_callback illegal_callback
Definition: secp256k1.c:64
secp256k1_callback error_callback
Definition: secp256k1.c:65
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:62
secp256k1_hash_ctx hash_ctx
Definition: secp256k1.c:63
Opaque data structure that holds a parsed ECDSA signature.
Definition: secp256k1.h:75
unsigned char data[64]
Definition: secp256k1.h:76
secp256k1_scalar scalar_offset
Definition: ecmult_gen.h:128
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
uint32_t n[10]
Definition: field_10x26.h:22
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
int infinity
Definition: group.h:19
secp256k1_fe x
Definition: group.h:17
secp256k1_fe y
Definition: group.h:18
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_fe y
Definition: group.h:30
secp256k1_fe x
Definition: group.h:29
int infinity
Definition: group.h:32
secp256k1_fe z
Definition: group.h:31
secp256k1_sha256_compression_function fn_sha256_compression
Definition: hash.h:14
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:62
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
uint64_t bytes
Definition: hash.h:22
uint32_t s[8]
Definition: hash.h:20
size_t element_len
Definition: tests.c:3801
teardown_fn fn_teardown
Definition: unit_test.h:106
setup_ctx_fn fn_setup
Definition: unit_test.h:105
const struct tf_test_module * registry_no_rng
Definition: unit_test.h:103
const struct tf_test_module * registry_modules
Definition: unit_test.h:99
int num_modules
Definition: unit_test.h:101
Definition: unit_test.h:53
std::vector< uint16_t > keys
Definition: dbwrapper.cpp:377
FastRandomContext rng
Definition: dbwrapper.cpp:414
static void testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
static uint32_t testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
static SECP256K1_INLINE void testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
static void run_random_pubkeys(void)
Definition: tests.c:7007
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:76
static void run_all_proper_context_tests(void)
Definition: tests.c:363
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5475
static void run_inverse_tests(void)
Definition: tests.c:3531
static void counting_callback_fn(const char *str, void *data)
Definition: tests.c:87
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:1026
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5921
static const struct tf_test_module registry_modules_no_rng
Definition: tests.c:7929
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6536
static void test_ge(void)
Definition: tests.c:3873
#define CHECK_ERROR_VOID(ctx, expr_or_stmt)
Definition: tests.c:74
static const struct tf_test_entry tests_field[]
Definition: tests.c:7964
static void run_pubkey_comparison(void)
Definition: tests.c:6807
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6561
static void run_field_misc(void)
Definition: tests.c:3215
static void good_sha256_compression(uint32_t *s, const unsigned char *msg, size_t rounds)
Definition: tests.c:445
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5831
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5988
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:196
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6529
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6577
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6585
#define SECP256K1_EC_PARSE_TEST_NINVALID
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:5098
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:924
static const struct tf_test_entry tests_group[]
Definition: tests.c:7974
static void test_sha256_tag_midstate(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen)
Definition: tests.c:773
static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar *q, const secp256k1_gej *res)
Definition: tests.c:4729
static void test_sort(void)
Definition: tests.c:6910
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:84
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3852
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:130
static void run_tagged_sha256_tests(void)
Definition: tests.c:866
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:702
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5545
static int test_hsort_cmp(const void *ele1, const void *ele2, void *data)
Definition: tests.c:3805
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:50
static void test_fixed_wnaf_small(void)
Definition: tests.c:5555
int main(int argc, char **argv)
Definition: tests.c:8085
static void run_plug_sha256_compression_tests(void)
Definition: tests.c:450
static void run_ecmult_const_tests(void)
Definition: tests.c:4846
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3159
#define SECP256K1_EC_PARSE_TEST_NVALID
static void run_eckey_edge_case_test(void)
Definition: tests.c:6273
static int teardown(void)
Definition: tests.c:8079
static void run_pubkey_sort(void)
Definition: tests.c:7000
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:3047
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7740
static void run_ecmult_constants(void)
Definition: tests.c:5755
static void run_field_be32_overflow(void)
Definition: tests.c:3092
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:1041
static void run_ecmult_chain(void)
Definition: tests.c:4453
static const struct tf_test_entry tests_utils[]
Definition: tests.c:8014
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3506
static void run_ec_combine(void)
Definition: tests.c:4326
static const struct tf_test_module registry_modules[]
Definition: tests.c:8023
static void run_deprecated_context_flags_test(void)
Definition: tests.c:147
static secp256k1_context * CTX
Definition: tests.c:47
static void run_point_times_order(void)
Definition: tests.c:4627
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:7120
static void test_sort_vectors(void)
Definition: tests.c:6956
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:45
static void ecmult_const_commutativity(void)
Definition: tests.c:4675
static void int_cmov_test(void)
Definition: tests.c:7768
static const struct tf_test_entry tests_ecdsa[]
Definition: tests.c:8001
static void test_ge_bytes(void)
Definition: tests.c:4222
static void test_add_neg_y_diff_x(void)
Definition: tests.c:4162
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5636
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4512
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:7081
static const struct tf_test_entry tests_ec[]
Definition: tests.c:7994
static void run_hmac_sha256_tests(void)
Definition: tests.c:779
static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3055
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5264
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:1017
static void run_secp256k1_is_zero_array_test(void)
Definition: tests.c:7729
static const struct tf_test_entry tests_no_rng[]
Definition: tests.c:7926
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6609
static void run_field_half(void)
Definition: tests.c:3166
static void run_eckey_negate_test(void)
Definition: tests.c:6499
static void scalar_test(void)
Definition: tests.c:2186
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2341
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4875
static void run_hsort_tests(void)
Definition: tests.c:3842
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6569
static void test_hsort_is_sorted(unsigned char *elements, size_t n, size_t len)
Definition: tests.c:3792
static void run_gej(void)
Definition: tests.c:4268
static const struct tf_test_entry tests_integer[]
Definition: tests.c:7942
static void run_ge(void)
Definition: tests.c:4250
#define MAX_ELEMENT_LEN
Definition: tests.c:3812
static void ge_storage_cmov_test(void)
Definition: tests.c:7881
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3467
static void fe_storage_cmov_test(void)
Definition: tests.c:7823
static void test_ec_combine(void)
Definition: tests.c:4304
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5282
static void test_ecmult_gen_edge_cases(void)
Definition: tests.c:5845
static void run_ctz_tests(void)
Definition: tests.c:579
static void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk)
Definition: tests.c:6852
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5302
static void run_scalar_tests(void)
Definition: tests.c:2405
static void test_random_pubkeys(void)
Definition: tests.c:6745
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4260
static void test_heap_swap(void)
Definition: tests.c:3779
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3415
static void scalar_cmov_test(void)
Definition: tests.c:7853
static const struct tf_test_entry tests_hash[]
Definition: tests.c:7951
static void run_ecmult_gen_blind(void)
Definition: tests.c:5863
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6614
static const struct tf_test_entry tests_ecmult[]
Definition: tests.c:7980
static void run_sha256_known_output_tests(void)
Definition: tests.c:600
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4577
#define NUM
Definition: tests.c:3811
#define CHECK_ERROR(ctx, expr)
Definition: tests.c:85
static void run_ecdsa_end_to_end(void)
Definition: tests.c:7014
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4860
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4765
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:243
static const struct tf_test_entry tests_general[]
Definition: tests.c:7932
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3322
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4333
static void test_scalar_check_overflow(void)
Definition: tests.c:2358
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5667
static void run_cmov_tests(void)
Definition: tests.c:7913
static void permute(size_t *arr, size_t n)
Definition: tests.c:6865
static void run_sha256_multi_block_compression_tests(void)
Definition: tests.c:486
static const struct tf_test_entry tests_scalar[]
Definition: tests.c:7960
static void test_initialized_inf(void)
Definition: tests.c:4130
static void run_ecdsa_der_parse(void)
Definition: tests.c:7266
static void ecmult_const_random_mult(void)
Definition: tests.c:4648
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5873
static void run_field_convert(void)
Definition: tests.c:3062
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:7021
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:165
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7685
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5711
static void invalid_sha256_compression(uint32_t *s, const unsigned char *msg, size_t rounds)
Definition: tests.c:440
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5383
static void run_all_static_context_tests(void)
Definition: tests.c:237
static void run_sqrt(void)
Definition: tests.c:3429
static void run_modinv_tests(void)
Definition: tests.c:1222
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4554
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:1008
static void run_xoshiro256pp_tests(void)
Definition: tests.c:96
static void run_wnaf(void)
Definition: tests.c:5609
static void run_ecmult_multi_tests(void)
Definition: tests.c:5448
static void run_selftest_tests(void)
Definition: tests.c:125
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1192
static void run_sqr(void)
Definition: tests.c:3386
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:137
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5335
static void run_endomorphism_tests(void)
Definition: tests.c:5900
static void run_scratch_tests(void)
Definition: tests.c:369
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7654
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4615
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7298
static void fe_cmov_test(void)
Definition: tests.c:7793
static void run_group_decompress(void)
Definition: tests.c:4368
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4696
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5628
static void ecmult_const_edges(void)
Definition: tests.c:4738
static void run_sha256_initialize_midstate_tests(void)
Definition: tests.c:890
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4820
static void run_ecmult_pre_g(void)
Definition: tests.c:4429
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4867
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:764
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4379
static void test_hsort(size_t element_len)
Definition: tests.c:3813
static void test_sort_api(void)
Definition: tests.c:6876
static int setup(void)
Definition: tests.c:8056
static secp256k1_context * STATIC_CTX
Definition: tests.c:48
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5509
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3484
static void test_ecmult_gen_blind(void)
Definition: tests.c:5808
static void run_ecmult_gen_ge(void)
Definition: tests.c:5789
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7713
static int own_transform_called
Definition: tests.c:444
static void run_fe_mul(void)
Definition: tests.c:3365
#define SECP256K1_EC_PARSE_TEST_NXVALID
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:7093
static void ecdsa_ctx_sha256(void)
Definition: tests.c:7630
static const secp256k1_fe fe_minus_one
Definition: tests.c:3472
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:824
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:907
static void testutil_random_fe_test(secp256k1_fe *x)
Definition: testutil.h:63
static void testutil_random_pubkey_test(secp256k1_pubkey *pk)
Definition: testutil.h:123
static void testutil_random_gej_y_magnitude(secp256k1_gej *gej)
Definition: testutil.h:91
static const unsigned char secp256k1_group_order_bytes[32]
Definition: testutil.h:24
static void testutil_random_fe_non_zero(secp256k1_fe *nz)
Definition: testutil.h:41
static void testutil_random_scalar_order(secp256k1_scalar *num)
Definition: testutil.h:142
#define DEFINE_SHA256_TRANSFORM_PROBE(name)
Definition: testutil.h:15
static void testutil_random_gej_test(secp256k1_gej *gej)
Definition: testutil.h:117
static void testutil_random_scalar_order_test(secp256k1_scalar *num)
Definition: testutil.h:129
static void testutil_random_scalar_order_b32(unsigned char *b32)
Definition: testutil.h:155
static void testutil_random_fe(secp256k1_fe *x)
Definition: testutil.h:31
static void testutil_random_fe_non_zero_test(secp256k1_fe *fe)
Definition: testutil.h:73
static void testutil_random_gej_x_magnitude(secp256k1_gej *gej)
Definition: testutil.h:87
static void testutil_random_fe_magnitude(secp256k1_fe *fe, int m)
Definition: testutil.h:47
static void testutil_random_ge_x_magnitude(secp256k1_ge *ge)
Definition: testutil.h:79
static void testutil_random_gej_z_magnitude(secp256k1_gej *gej)
Definition: testutil.h:95
static void testutil_random_ge_test(secp256k1_ge *ge)
Definition: testutil.h:99
static void testutil_random_ge_y_magnitude(secp256k1_ge *ge)
Definition: testutil.h:83
static void testutil_random_ge_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: testutil.h:110
int COUNT
Definition: unit_test.c:28
static int tf_init(struct tf_framework *tf, int argc, char **argv)
Definition: unit_test.c:354
static int tf_run(struct tf_framework *tf)
Definition: unit_test.c:416
#define CASE1(name)
Definition: unit_test.h:27
#define CASE(name)
Definition: unit_test.h:26
#define MAKE_TEST_MODULE(name)
Definition: unit_test.h:29
#define expect(bit)