Bitcoin Core  22.99.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <time.h>
16 
17 #include "secp256k1.c"
18 #include "../include/secp256k1.h"
19 #include "../include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
21 #include "util.h"
22 
23 #ifdef ENABLE_OPENSSL_TESTS
24 #include <openssl/bn.h>
25 #include <openssl/ec.h>
26 #include <openssl/ecdsa.h>
27 #include <openssl/obj_mac.h>
28 # if OPENSSL_VERSION_NUMBER < 0x10100000L
29 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
30 # endif
31 #endif
32 
33 #include "../contrib/lax_der_parsing.c"
34 #include "../contrib/lax_der_privatekey_parsing.c"
35 
36 #include "modinv32_impl.h"
37 #ifdef SECP256K1_WIDEMUL_INT128
38 #include "modinv64_impl.h"
39 #endif
40 
41 static int count = 64;
42 static secp256k1_context *ctx = NULL;
43 
44 static void counting_illegal_callback_fn(const char* str, void* data) {
45  /* Dummy callback function that just counts. */
46  int32_t *p;
47  (void)str;
48  p = data;
49  (*p)++;
50 }
51 
52 static void uncounting_illegal_callback_fn(const char* str, void* data) {
53  /* Dummy callback function that just counts (backwards). */
54  int32_t *p;
55  (void)str;
56  p = data;
57  (*p)--;
58 }
59 
61  do {
62  unsigned char b32[32];
64  if (secp256k1_fe_set_b32(fe, b32)) {
65  break;
66  }
67  } while(1);
68 }
69 
71  secp256k1_fe zero;
72  int n = secp256k1_testrand_int(9);
74  if (n == 0) {
75  return;
76  }
77  secp256k1_fe_clear(&zero);
78  secp256k1_fe_negate(&zero, &zero, 0);
79  secp256k1_fe_mul_int(&zero, n - 1);
80  secp256k1_fe_add(fe, &zero);
81 #ifdef VERIFY
82  CHECK(fe->magnitude == n);
83 #endif
84 }
85 
87  secp256k1_fe fe;
88  do {
92  break;
93  }
94  } while(1);
95  ge->infinity = 0;
96 }
97 
99  secp256k1_fe z2, z3;
100  do {
102  if (!secp256k1_fe_is_zero(&gej->z)) {
103  break;
104  }
105  } while(1);
106  secp256k1_fe_sqr(&z2, &gej->z);
107  secp256k1_fe_mul(&z3, &z2, &gej->z);
108  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
109  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
110  gej->infinity = ge->infinity;
111 }
112 
114  do {
115  unsigned char b32[32];
116  int overflow = 0;
118  secp256k1_scalar_set_b32(num, b32, &overflow);
119  if (overflow || secp256k1_scalar_is_zero(num)) {
120  continue;
121  }
122  break;
123  } while(1);
124 }
125 
127  do {
128  unsigned char b32[32];
129  int overflow = 0;
131  secp256k1_scalar_set_b32(num, b32, &overflow);
132  if (overflow || secp256k1_scalar_is_zero(num)) {
133  continue;
134  }
135  break;
136  } while(1);
137 }
138 
139 void random_scalar_order_b32(unsigned char *b32) {
140  secp256k1_scalar num;
141  random_scalar_order(&num);
142  secp256k1_scalar_get_b32(b32, &num);
143 }
144 
145 void run_context_tests(int use_prealloc) {
146  secp256k1_pubkey pubkey;
147  secp256k1_pubkey zero_pubkey;
149  unsigned char ctmp[32];
150  int32_t ecount;
151  int32_t ecount2;
152  secp256k1_context *none;
153  secp256k1_context *sign;
154  secp256k1_context *vrfy;
155  secp256k1_context *both;
156  void *none_prealloc = NULL;
157  void *sign_prealloc = NULL;
158  void *vrfy_prealloc = NULL;
159  void *both_prealloc = NULL;
160 
161  secp256k1_gej pubj;
162  secp256k1_ge pub;
163  secp256k1_scalar msg, key, nonce;
164  secp256k1_scalar sigr, sigs;
165 
166  if (use_prealloc) {
171  CHECK(none_prealloc != NULL);
172  CHECK(sign_prealloc != NULL);
173  CHECK(vrfy_prealloc != NULL);
174  CHECK(both_prealloc != NULL);
179  } else {
184  }
185 
186  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
187 
188  ecount = 0;
189  ecount2 = 10;
192  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
194  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
196 
197  /* check if sizes for cloning are consistent */
202 
203  /*** clone and destroy all of them to make sure cloning was complete ***/
204  {
205  secp256k1_context *ctx_tmp;
206 
207  if (use_prealloc) {
208  /* clone into a non-preallocated context and then again into a new preallocated one. */
209  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
210  free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
211  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
212 
213  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
214  free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
215  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
216 
217  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
218  free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
219  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
220 
221  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
222  free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
223  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
224  } else {
225  /* clone into a preallocated context and then again into a new non-preallocated one. */
226  void *prealloc_tmp;
227 
228  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
229  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
230  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
231  free(prealloc_tmp);
232 
233  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
234  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
235  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
236  free(prealloc_tmp);
237 
238  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
239  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
240  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
241  free(prealloc_tmp);
242 
243  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
244  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
245  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
246  free(prealloc_tmp);
247  }
248  }
249 
250  /* Verify that the error callback makes it across the clone. */
251  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
253  /* And that it resets back to default. */
254  secp256k1_context_set_error_callback(sign, NULL, NULL);
255  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
256 
257  /*** attempt to use them ***/
260  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
261  secp256k1_ge_set_gej(&pub, &pubj);
262 
263  /* Verify context-type checking illegal-argument errors. */
264  memset(ctmp, 1, 32);
265  CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
266  CHECK(ecount == 1);
267  VG_UNDEF(&pubkey, sizeof(pubkey));
268  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
269  VG_CHECK(&pubkey, sizeof(pubkey));
270  CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
271  CHECK(ecount == 2);
272  VG_UNDEF(&sig, sizeof(sig));
273  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
274  VG_CHECK(&sig, sizeof(sig));
275  CHECK(ecount2 == 10);
276  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
277  CHECK(ecount2 == 11);
278  CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
279  CHECK(ecount == 2);
280  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
281  CHECK(ecount2 == 12);
282  CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
283  CHECK(ecount == 2);
284  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
285  CHECK(ecount2 == 13);
286  CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
287  CHECK(ecount == 2);
288  CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
289  CHECK(ecount == 2);
290  CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
291  CHECK(ecount2 == 14);
292  CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
293  CHECK(ecount == 3);
294  CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
295  CHECK(ecount == 3);
296  CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
297  CHECK(ecount == 3);
298  CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
299  CHECK(ecount == 3);
300  CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
301  CHECK(ecount2 == 14);
302  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
303  CHECK(ecount2 == 14);
304  secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
305  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
306 
307  /* obtain a working nonce */
308  do {
310  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
311 
312  /* try signing */
313  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
314  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
315 
316  /* try verifying */
317  CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
318  CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
319 
320  /* cleanup */
321  if (use_prealloc) {
326  free(none_prealloc);
327  free(sign_prealloc);
328  free(vrfy_prealloc);
329  free(both_prealloc);
330  } else {
335  }
336  /* Defined as no-op. */
339 
340 }
341 
342 void run_scratch_tests(void) {
343  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
344 
345  int32_t ecount = 0;
346  size_t checkpoint;
347  size_t checkpoint_2;
349  secp256k1_scratch_space *scratch;
350  secp256k1_scratch_space local_scratch;
351 
352  /* Test public API */
355 
356  scratch = secp256k1_scratch_space_create(none, 1000);
357  CHECK(scratch != NULL);
358  CHECK(ecount == 0);
359 
360  /* Test internal API */
361  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
362  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
363  CHECK(scratch->alloc_size == 0);
364  CHECK(scratch->alloc_size % ALIGNMENT == 0);
365 
366  /* Allocating 500 bytes succeeds */
367  checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
368  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
369  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
370  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
371  CHECK(scratch->alloc_size != 0);
372  CHECK(scratch->alloc_size % ALIGNMENT == 0);
373 
374  /* Allocating another 501 bytes fails */
375  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
376  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
377  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
378  CHECK(scratch->alloc_size != 0);
379  CHECK(scratch->alloc_size % ALIGNMENT == 0);
380 
381  /* ...but it succeeds once we apply the checkpoint to undo it */
382  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
383  CHECK(scratch->alloc_size == 0);
384  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
385  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
386  CHECK(scratch->alloc_size != 0);
387 
388  /* try to apply a bad checkpoint */
389  checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
390  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
391  CHECK(ecount == 0);
392  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
393  CHECK(ecount == 1);
394  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
395  CHECK(ecount == 2);
396 
397  /* try to use badly initialized scratch space */
398  secp256k1_scratch_space_destroy(none, scratch);
399  memset(&local_scratch, 0, sizeof(local_scratch));
400  scratch = &local_scratch;
402  CHECK(ecount == 3);
403  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
404  CHECK(ecount == 4);
405  secp256k1_scratch_space_destroy(none, scratch);
406  CHECK(ecount == 5);
407 
408  /* Test that large integers do not wrap around in a bad way */
409  scratch = secp256k1_scratch_space_create(none, 1000);
410  /* Try max allocation with a large number of objects. Only makes sense if
411  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
412  * space. */
413  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
414  /* Try allocating SIZE_MAX to test wrap around which only happens if
415  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
416  * space is too small. */
417  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
418  secp256k1_scratch_space_destroy(none, scratch);
419 
420  /* cleanup */
421  secp256k1_scratch_space_destroy(none, NULL); /* no-op */
423 }
424 
425 void run_ctz_tests(void) {
426  static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
427  static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
428  int shift;
429  unsigned i;
430  for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
431  for (shift = 0; shift < 32; ++shift) {
432  CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
433  CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
434  }
435  }
436  for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
437  for (shift = 0; shift < 64; ++shift) {
438  CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
439  CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
440  }
441  }
442 }
443 
444 /***** HASH TESTS *****/
445 
446 void run_sha256_tests(void) {
447  static const char *inputs[8] = {
448  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
449  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
450  "For this sample, this 63-byte string will be used as input data",
451  "This is exactly 64 bytes long, not counting the terminating byte"
452  };
453  static const unsigned char outputs[8][32] = {
454  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
455  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
456  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
457  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
458  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
459  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
460  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
461  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
462  };
463  int i;
464  for (i = 0; i < 8; i++) {
465  unsigned char out[32];
466  secp256k1_sha256 hasher;
468  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
469  secp256k1_sha256_finalize(&hasher, out);
470  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
471  if (strlen(inputs[i]) > 0) {
472  int split = secp256k1_testrand_int(strlen(inputs[i]));
474  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
475  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
476  secp256k1_sha256_finalize(&hasher, out);
477  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
478  }
479  }
480 }
481 
483  static const char *keys[6] = {
484  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
485  "\x4a\x65\x66\x65",
486  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
487  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
488  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
489  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
490  };
491  static const char *inputs[6] = {
492  "\x48\x69\x20\x54\x68\x65\x72\x65",
493  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
494  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
495  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
496  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
497  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
498  };
499  static const unsigned char outputs[6][32] = {
500  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
501  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
502  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
503  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
504  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
505  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
506  };
507  int i;
508  for (i = 0; i < 6; i++) {
509  secp256k1_hmac_sha256 hasher;
510  unsigned char out[32];
511  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
512  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
513  secp256k1_hmac_sha256_finalize(&hasher, out);
514  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
515  if (strlen(inputs[i]) > 0) {
516  int split = secp256k1_testrand_int(strlen(inputs[i]));
517  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
518  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
519  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
520  secp256k1_hmac_sha256_finalize(&hasher, out);
521  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
522  }
523  }
524 }
525 
527  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
528  static const unsigned char out1[3][32] = {
529  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
530  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
531  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
532  };
533 
534  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
535  static const unsigned char out2[3][32] = {
536  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
537  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
538  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
539  };
540 
542  unsigned char out[32];
543  int i;
544 
546  for (i = 0; i < 3; i++) {
548  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
549  }
551 
553  for (i = 0; i < 3; i++) {
555  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
556  }
558 
560  for (i = 0; i < 3; i++) {
562  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
563  }
565 }
566 
568  int ecount = 0;
570  unsigned char tag[32] = { 0 };
571  unsigned char msg[32] = { 0 };
572  unsigned char hash32[32];
573  unsigned char hash_expected[32] = {
574  0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
575  0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
576  0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
577  0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
578  };
579 
581 
582  /* API test */
583  CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
584  CHECK(secp256k1_tagged_sha256(none, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
585  CHECK(ecount == 1);
586  CHECK(secp256k1_tagged_sha256(none, hash32, NULL, 0, msg, sizeof(msg)) == 0);
587  CHECK(ecount == 2);
588  CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), NULL, 0) == 0);
589  CHECK(ecount == 3);
590 
591  /* Static test vector */
592  memcpy(tag, "tag", 3);
593  memcpy(msg, "msg", 3);
594  CHECK(secp256k1_tagged_sha256(none, hash32, tag, 3, msg, 3) == 1);
595  CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
597 }
598 
599 /***** RANDOM TESTS *****/
600 
601 void test_rand_bits(int rand32, int bits) {
602  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
603  * get a false negative chance below once in a billion */
604  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
605  /* We try multiplying the results with various odd numbers, which shouldn't
606  * influence the uniform distribution modulo a power of 2. */
607  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
608  /* We only select up to 6 bits from the output to analyse */
609  unsigned int usebits = bits > 6 ? 6 : bits;
610  unsigned int maxshift = bits - usebits;
611  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
612  number, track all observed outcomes, one per bit in a uint64_t. */
613  uint64_t x[6][27] = {{0}};
614  unsigned int i, shift, m;
615  /* Multiply the output of all rand calls with the odd number m, which
616  should not change the uniformity of its distribution. */
617  for (i = 0; i < rounds[usebits]; i++) {
618  uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
619  CHECK((((uint64_t)r) >> bits) == 0);
620  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
621  uint32_t rm = r * mults[m];
622  for (shift = 0; shift <= maxshift; shift++) {
623  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
624  }
625  }
626  }
627  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
628  for (shift = 0; shift <= maxshift; shift++) {
629  /* Test that the lower usebits bits of x[shift] are 1 */
630  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
631  }
632  }
633 }
634 
635 /* Subrange must be a whole divisor of range, and at most 64 */
636 void test_rand_int(uint32_t range, uint32_t subrange) {
637  /* (1-1/subrange)^rounds < 1/10^9 */
638  int rounds = (subrange * 2073) / 100;
639  int i;
640  uint64_t x = 0;
641  CHECK((range % subrange) == 0);
642  for (i = 0; i < rounds; i++) {
643  uint32_t r = secp256k1_testrand_int(range);
644  CHECK(r < range);
645  r = r % subrange;
646  x |= (((uint64_t)1) << r);
647  }
648  /* Test that the lower subrange bits of x are 1. */
649  CHECK(((~x) << (64 - subrange)) == 0);
650 }
651 
652 void run_rand_bits(void) {
653  size_t b;
654  test_rand_bits(1, 32);
655  for (b = 1; b <= 32; b++) {
656  test_rand_bits(0, b);
657  }
658 }
659 
660 void run_rand_int(void) {
661  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
662  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
663  unsigned int m, s;
664  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
665  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
666  test_rand_int(ms[m] * ss[s], ss[s]);
667  }
668  }
669 }
670 
671 /***** MODINV TESTS *****/
672 
673 /* Compute the modular inverse of (odd) x mod 2^64. */
674 uint64_t modinv2p64(uint64_t x) {
675  /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
676  * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
677  * why. Start with L=0, for which it is true for every odd x that
678  * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
679  int l;
680  uint64_t w = 1;
681  CHECK(x & 1);
682  for (l = 0; l < 6; ++l) w *= (2 - w*x);
683  return w;
684 }
685 
686 /* compute out = (a*b) mod m; if b=NULL, treat b=1.
687  *
688  * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
689  * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
690 void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
691  uint16_t mul[32];
692  uint64_t c = 0;
693  int i, j;
694  int m_bitlen = 0;
695  int mul_bitlen = 0;
696 
697  if (b != NULL) {
698  /* Compute the product of a and b, and put it in mul. */
699  for (i = 0; i < 32; ++i) {
700  for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
701  c += (uint64_t)a[j] * b[i - j];
702  }
703  mul[i] = c & 0xFFFF;
704  c >>= 16;
705  }
706  CHECK(c == 0);
707 
708  /* compute the highest set bit in mul */
709  for (i = 511; i >= 0; --i) {
710  if ((mul[i >> 4] >> (i & 15)) & 1) {
711  mul_bitlen = i;
712  break;
713  }
714  }
715  } else {
716  /* if b==NULL, set mul=a. */
717  memcpy(mul, a, 32);
718  memset(mul + 16, 0, 32);
719  /* compute the highest set bit in mul */
720  for (i = 255; i >= 0; --i) {
721  if ((mul[i >> 4] >> (i & 15)) & 1) {
722  mul_bitlen = i;
723  break;
724  }
725  }
726  }
727 
728  /* Compute the highest set bit in m. */
729  for (i = 255; i >= 0; --i) {
730  if ((m[i >> 4] >> (i & 15)) & 1) {
731  m_bitlen = i;
732  break;
733  }
734  }
735 
736  /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
737  for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
738  uint16_t mul2[32];
739  int64_t cs;
740 
741  /* Compute mul2 = mul - m<<i. */
742  cs = 0; /* accumulator */
743  for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
744  /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
745  uint16_t sub = 0;
746  int p;
747  for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
748  int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
749  if (bitpos >= 0 && bitpos < 256) {
750  sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
751  }
752  }
753  /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
754  cs += mul[j];
755  cs -= sub;
756  mul2[j] = (cs & 0xFFFF);
757  cs >>= 16;
758  }
759  /* If remainder of subtraction is 0, set mul = mul2. */
760  if (cs == 0) {
761  memcpy(mul, mul2, sizeof(mul));
762  }
763  }
764  /* Sanity check: test that all limbs higher than m's highest are zero */
765  for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
766  CHECK(mul[i] == 0);
767  }
768  memcpy(out, mul, 32);
769 }
770 
771 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
772 void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
773  int i;
774  memset(out->v, 0, sizeof(out->v));
775  for (i = 0; i < 256; ++i) {
776  out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
777  }
778 }
779 
780 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
781 void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
782  int i;
783  memset(out, 0, 32);
784  for (i = 0; i < 256; ++i) {
785  out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
786  }
787 }
788 
789 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
791  int i;
792  for (i = 0; i < 16; ++i) {
793  int pos = secp256k1_testrand_int(8);
794  if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
795  x->v[pos] -= 0x40000000;
796  x->v[pos + 1] += 1;
797  } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
798  x->v[pos] += 0x40000000;
799  x->v[pos + 1] -= 1;
800  }
801  }
802 }
803 
804 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
805 void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
806  uint16_t tmp[16];
809  int i, vartime, nonzero;
810 
811  uint16_to_signed30(&x, in);
812  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
813  uint16_to_signed30(&m.modulus, mod);
814  mutate_sign_signed30(&m.modulus);
815 
816  /* compute 1/modulus mod 2^30 */
817  m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
818  CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
819 
820  for (vartime = 0; vartime < 2; ++vartime) {
821  /* compute inverse */
822  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
823 
824  /* produce output */
825  signed30_to_uint16(out, &x);
826 
827  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
828  mulmod256(tmp, out, in, mod);
829  CHECK(tmp[0] == nonzero);
830  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
831 
832  /* invert again */
833  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
834 
835  /* check if the result is equal to the input */
836  signed30_to_uint16(tmp, &x);
837  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
838  }
839 }
840 
841 #ifdef SECP256K1_WIDEMUL_INT128
842 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
843 void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
844  int i;
845  memset(out->v, 0, sizeof(out->v));
846  for (i = 0; i < 256; ++i) {
847  out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
848  }
849 }
850 
851 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
852 void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
853  int i;
854  memset(out, 0, 32);
855  for (i = 0; i < 256; ++i) {
856  out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
857  }
858 }
859 
860 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
861 void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
862  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
863  int i;
864  for (i = 0; i < 8; ++i) {
865  int pos = secp256k1_testrand_int(4);
866  if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
867  x->v[pos] -= (M62 + 1);
868  x->v[pos + 1] += 1;
869  } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
870  x->v[pos] += (M62 + 1);
871  x->v[pos + 1] -= 1;
872  }
873  }
874 }
875 
876 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
877 void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
878  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
879  uint16_t tmp[16];
882  int i, vartime, nonzero;
883 
884  uint16_to_signed62(&x, in);
885  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
886  uint16_to_signed62(&m.modulus, mod);
887  mutate_sign_signed62(&m.modulus);
888 
889  /* compute 1/modulus mod 2^62 */
890  m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
891  CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
892 
893  for (vartime = 0; vartime < 2; ++vartime) {
894  /* compute inverse */
895  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
896 
897  /* produce output */
898  signed62_to_uint16(out, &x);
899 
900  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
901  mulmod256(tmp, out, in, mod);
902  CHECK(tmp[0] == nonzero);
903  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
904 
905  /* invert again */
906  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
907 
908  /* check if the result is equal to the input */
909  signed62_to_uint16(tmp, &x);
910  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
911  }
912 }
913 #endif
914 
915 /* test if a and b are coprime */
916 int coprime(const uint16_t* a, const uint16_t* b) {
917  uint16_t x[16], y[16], t[16];
918  int i;
919  int iszero;
920  memcpy(x, a, 32);
921  memcpy(y, b, 32);
922 
923  /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
924  while (1) {
925  iszero = 1;
926  for (i = 0; i < 16; ++i) {
927  if (x[i] != 0) {
928  iszero = 0;
929  break;
930  }
931  }
932  if (iszero) break;
933  mulmod256(t, y, NULL, x);
934  memcpy(y, x, 32);
935  memcpy(x, t, 32);
936  }
937 
938  /* return whether y=1 */
939  if (y[0] != 1) return 0;
940  for (i = 1; i < 16; ++i) {
941  if (y[i] != 0) return 0;
942  }
943  return 1;
944 }
945 
946 void run_modinv_tests(void) {
947  /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
948  static const uint16_t CASES[][3][16] = {
949  /* Test cases triggering edge cases in divsteps */
950 
951  /* Test case known to need 713 divsteps */
952  {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
953  0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
954  {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
955  0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
956  {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
957  0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
958  /* Test case known to need 589 divsteps, reaching delta=-140 and
959  delta=141. */
960  {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
961  0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
962  {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
963  0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
964  {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
965  0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
966  /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
967  {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
968  0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
969  {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
970  0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
971  {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
972  0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
973  /* example needing 713 divsteps; delta=-2..3 */
974  {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
975  0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
976  {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
977  0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
978  {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
979  0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
980  /* example needing 713 divsteps; delta=-2..3 */
981  {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
982  0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
983  {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
984  0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
985  {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
986  0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
987  /* example needing 713 divsteps; delta=-2..3 */
988  {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
989  0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
990  {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
991  0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
992  {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
993  0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
994  /* example reaching delta=-64..65; 661 divsteps */
995  {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
996  0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
997  {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
998  0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
999  {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1000  0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1001  /* example reaching delta=-64..65; 661 divsteps */
1002  {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1003  0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1004  {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1005  0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1006  {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1007  0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1008  /* example reaching delta=-64..65; 661 divsteps */
1009  {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1010  0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1011  {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1012  0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1013  {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1014  0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1015  /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1016  {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1017  0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1018  {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1019  0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1020  {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1021  0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1022  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1023  {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1024  0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1025  {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1026  0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1027  {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1028  0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1029  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1030  {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1031  0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1032  {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1033  0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1034  {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1035  0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1036  /* example doing 446 (f,g/2) steps; 523 divsteps */
1037  {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1038  0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1039  {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1040  0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1041  {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1042  0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1043  /* example doing 446 (f,g/2) steps; 523 divsteps */
1044  {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1045  0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1046  {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1047  0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1048  {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1049  0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1050  /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1051  {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1052  0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1053  {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1054  0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1055  {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1056  0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1057  /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1058  {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1059  0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1060  {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1061  0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1062  {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1063  0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1064  /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1065  {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1066  0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1067  {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1068  0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1069  {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1070  0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1071  /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1072  {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1073  0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1074  {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1075  0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1076  {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1077  0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1078 
1079  /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1080 
1081  /* example needing 590 divsteps; delta=-5/2..7/2 */
1082  {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1083  0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1084  {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1085  0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1086  {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1087  0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1088  /* example needing 590 divsteps; delta=-3/2..5/2 */
1089  {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1090  0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1091  {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1092  0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1093  {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1094  0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1095  /* example needing 590 divsteps; delta=-3/2..5/2 */
1096  {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1097  0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1098  {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1099  0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1100  {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1101  0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1102  /* example needing 590 divsteps; delta=-5/2..7/2 */
1103  {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1104  0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1105  {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1106  0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1107  {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1108  0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1109  /* example needing 590 divsteps; delta=-3/2..5/2 */
1110  {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1111  0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1112  {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1113  0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1114  {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1115  0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1116  /* example reaching delta=-127/2..129/2; 571 divsteps */
1117  {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1118  0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1119  {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1120  0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1121  {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1122  0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1123  /* example reaching delta=-127/2..129/2; 571 divsteps */
1124  {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1125  0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1126  {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1127  0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1128  {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1129  0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1130  /* example reaching delta=-127/2..129/2; 571 divsteps */
1131  {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1132  0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1133  {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1134  0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1135  {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1136  0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1137  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1138  {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1139  0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1140  {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1141  0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1142  {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1143  0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1144  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1145  {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1146  0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1147  {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1148  0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1149  {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1150  0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1151  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1152  {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1153  0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1154  {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1155  0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1156  {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1157  0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1158  /* example doing 453 (f,g/2) steps; 514 divsteps */
1159  {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1160  0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1161  {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1162  0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1163  {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1164  0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1165  /* example doing 453 (f,g/2) steps; 514 divsteps */
1166  {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1167  0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1168  {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1169  0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1170  {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1171  0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1172  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1173  {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1174  0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1175  {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1176  0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1177  {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1178  0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1179  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1180  {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1181  0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1182  {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1183  0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1184  {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1185  0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1186  /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1187  {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1188  0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1189  {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1190  0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1191  {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1192  0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1193  /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1194  {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1195  0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1196  {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1197  0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1198  {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1199  0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1200 
1201  /* Test cases with the group order as modulus. */
1202 
1203  /* Test case with the group order as modulus, needing 635 divsteps. */
1204  {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1205  0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1206  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1207  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1208  {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1209  0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1210  /* example with group size as modulus needing 631 divsteps */
1211  {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1212  0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1213  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1214  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1215  {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1216  0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1217  /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1218  {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1219  0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1220  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1221  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1222  {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1223  0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1224  /* Test case with the group size as modulus, needing 981 divsteps with
1225  broken eta handling. */
1226  {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1227  0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1228  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1229  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1230  {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1231  0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1232  /* Test case with the group size as modulus, input = 0. */
1233  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1234  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1235  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1236  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1237  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1238  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1239  /* Test case with the group size as modulus, input = 1. */
1240  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1241  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1242  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1243  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1244  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1245  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1246  /* Test case with the group size as modulus, input = 2. */
1247  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1248  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1249  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1250  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1251  {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1252  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1253  /* Test case with the group size as modulus, input = group - 1. */
1254  {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1255  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1256  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1257  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1258  {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1259  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1260 
1261  /* Test cases with the field size as modulus. */
1262 
1263  /* Test case with the field size as modulus, needing 637 divsteps. */
1264  {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1265  0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1266  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1267  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1268  {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1269  0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1270  /* example with field size as modulus needing 637 divsteps */
1271  {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1272  0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1273  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1274  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1275  {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1276  0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1277  /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1278  {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1279  0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1280  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1281  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1282  {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1283  0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1284  /* Test case with the field size as modulus, needing 935 divsteps with
1285  broken eta handling. */
1286  {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1287  0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1288  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1289  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1290  {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1291  0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1292  /* Test case with the field size as modulus, input = 0. */
1293  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1294  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1295  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1296  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1297  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1298  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1299  /* Test case with the field size as modulus, input = 1. */
1300  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1301  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1302  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1303  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1304  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1305  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1306  /* Test case with the field size as modulus, input = 2. */
1307  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1308  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1309  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1310  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1311  {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1312  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1313  /* Test case with the field size as modulus, input = field - 1. */
1314  {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1315  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1316  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1317  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1318  {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1319  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1320 
1321  /* Selected from a large number of random inputs to reach small/large
1322  * d/e values in various configurations. */
1323  {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1324  0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1325  {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1326  0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1327  {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1328  0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1329  {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1330  0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1331  {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1332  0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1333  {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1334  0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1335  {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1336  0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1337  {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1338  0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1339  {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1340  0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1341  {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1342  0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1343  {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1344  0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1345  {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1346  0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1347  {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1348  0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1349  {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1350  0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1351  {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1352  0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1353  {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1354  0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1355  {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1356  0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1357  {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1358  0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1359  {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1360  0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1361  {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1362  0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1363  {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1364  0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1365  {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1366  0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1367  {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1368  0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1369  {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1370  0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1371  {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1372  0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1373  {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1374  0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1375  {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1376  0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1377  {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1378  0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1379  {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1380  0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1381  {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1382  0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1383  {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1384  0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1385  {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1386  0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1387  {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1388  0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1389  {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1390  0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1391  {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1392  0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1393  {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1394  0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1395  {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1396  0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1397  {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1398  0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1399  {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1400  0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1401  {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1402  0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1403  {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1404  0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1405  {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1406  0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1407  {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1408  0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1409  {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1410  0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1411  {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1412  0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1413  {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1414  0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1415  {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1416  0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1417  {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1418  0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1419  {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1420  0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1421  {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1422  0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1423  {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1424  0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1425  {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1426  0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1427  {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1428  0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1429  {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1430  0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1431  {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1432  0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1433  {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1434  0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1435  {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1436  0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1437  {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1438  0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1439  {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1440  0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1441  {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1442  0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1443  {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1444  0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1445  {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1446  0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1447  {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1448  0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1449  {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1450  0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1451  {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1452  0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1453  {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1454  0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1455  {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1456  0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1457  {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1458  0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1459  {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1460  0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1461  {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1462  0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1463  {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1464  0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1465  {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1466  0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1467  {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1468  0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1469  {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1470  0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1471  {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1472  0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1473  {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1474  0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1475  {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1476  0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1477  {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1478  0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1479  {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1480  0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1481  {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1482  0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1483  {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1484  0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1485  {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1486  0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1487  {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1488  0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1489  {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1490  0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1491  {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1492  0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1493  {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1494  0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1495  {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1496  0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1497  {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1498  0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1499  {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1500  0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1501  {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1502  0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1503  {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1504  0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1505  {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1506  0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1507  {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1508  0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1509  {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1510  0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1511  {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1512  0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1513  {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1514  0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1515  {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1516  0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1517  {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1518  0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1519  {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1520  0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1521  {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1522  0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1523  {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1524  0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1525  {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1526  0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1527  {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1528  0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1529  {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1530  0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1531  {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1532  0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1533  };
1534 
1535  int i, j, ok;
1536 
1537  /* Test known inputs/outputs */
1538  for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1539  uint16_t out[16];
1540  test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1541  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1542 #ifdef SECP256K1_WIDEMUL_INT128
1543  test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1544  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1545 #endif
1546  }
1547 
1548  for (i = 0; i < 100 * count; ++i) {
1549  /* 256-bit numbers in 16-uint16_t's notation */
1550  static const uint16_t ZERO[16] = {0};
1551  uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1552  uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1553  uint16_t id[16]; /* the inverse of xd mod md */
1554 
1555  /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1556  do {
1557  /* generate random xd and md (with many subsequent 0s and 1s) */
1558  secp256k1_testrand256_test((unsigned char*)xd);
1559  secp256k1_testrand256_test((unsigned char*)md);
1560  md[0] |= 1; /* modulus must be odd */
1561  /* If modulus is 1, find another one. */
1562  ok = md[0] != 1;
1563  for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1564  mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1565  } while (!(ok && coprime(xd, md)));
1566 
1567  test_modinv32_uint16(id, xd, md);
1568 #ifdef SECP256K1_WIDEMUL_INT128
1569  test_modinv64_uint16(id, xd, md);
1570 #endif
1571 
1572  /* In a few cases, also test with input=0 */
1573  if (i < count) {
1574  test_modinv32_uint16(id, ZERO, md);
1575 #ifdef SECP256K1_WIDEMUL_INT128
1576  test_modinv64_uint16(id, ZERO, md);
1577 #endif
1578  }
1579  }
1580 }
1581 
1582 /***** SCALAR TESTS *****/
1583 
1584 
1585 void scalar_test(void) {
1586  secp256k1_scalar s;
1587  secp256k1_scalar s1;
1588  secp256k1_scalar s2;
1589  unsigned char c[32];
1590 
1591  /* Set 's' to a random scalar, with value 'snum'. */
1593 
1594  /* Set 's1' to a random scalar, with value 's1num'. */
1596 
1597  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1599  secp256k1_scalar_get_b32(c, &s2);
1600 
1601  {
1602  int i;
1603  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1604  secp256k1_scalar n;
1605  secp256k1_scalar_set_int(&n, 0);
1606  for (i = 0; i < 256; i += 4) {
1608  int j;
1609  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1610  for (j = 0; j < 4; j++) {
1611  secp256k1_scalar_add(&n, &n, &n);
1612  }
1613  secp256k1_scalar_add(&n, &n, &t);
1614  }
1615  CHECK(secp256k1_scalar_eq(&n, &s));
1616  }
1617 
1618  {
1619  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1620  secp256k1_scalar n;
1621  int i = 0;
1622  secp256k1_scalar_set_int(&n, 0);
1623  while (i < 256) {
1625  int j;
1626  int now = secp256k1_testrand_int(15) + 1;
1627  if (now + i > 256) {
1628  now = 256 - i;
1629  }
1630  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1631  for (j = 0; j < now; j++) {
1632  secp256k1_scalar_add(&n, &n, &n);
1633  }
1634  secp256k1_scalar_add(&n, &n, &t);
1635  i += now;
1636  }
1637  CHECK(secp256k1_scalar_eq(&n, &s));
1638  }
1639 
1640  {
1641  /* test secp256k1_scalar_shr_int */
1642  secp256k1_scalar r;
1643  int i;
1645  for (i = 0; i < 100; ++i) {
1646  int low;
1647  int shift = 1 + secp256k1_testrand_int(15);
1648  int expected = r.d[0] % (1 << shift);
1649  low = secp256k1_scalar_shr_int(&r, shift);
1650  CHECK(expected == low);
1651  }
1652  }
1653 
1654  {
1655  /* Test commutativity of add. */
1656  secp256k1_scalar r1, r2;
1657  secp256k1_scalar_add(&r1, &s1, &s2);
1658  secp256k1_scalar_add(&r2, &s2, &s1);
1659  CHECK(secp256k1_scalar_eq(&r1, &r2));
1660  }
1661 
1662  {
1663  secp256k1_scalar r1, r2;
1664  secp256k1_scalar b;
1665  int i;
1666  /* Test add_bit. */
1667  int bit = secp256k1_testrand_bits(8);
1668  secp256k1_scalar_set_int(&b, 1);
1670  for (i = 0; i < bit; i++) {
1671  secp256k1_scalar_add(&b, &b, &b);
1672  }
1673  r1 = s1;
1674  r2 = s1;
1675  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1676  /* No overflow happened. */
1677  secp256k1_scalar_cadd_bit(&r2, bit, 1);
1678  CHECK(secp256k1_scalar_eq(&r1, &r2));
1679  /* cadd is a noop when flag is zero */
1680  secp256k1_scalar_cadd_bit(&r2, bit, 0);
1681  CHECK(secp256k1_scalar_eq(&r1, &r2));
1682  }
1683  }
1684 
1685  {
1686  /* Test commutativity of mul. */
1687  secp256k1_scalar r1, r2;
1688  secp256k1_scalar_mul(&r1, &s1, &s2);
1689  secp256k1_scalar_mul(&r2, &s2, &s1);
1690  CHECK(secp256k1_scalar_eq(&r1, &r2));
1691  }
1692 
1693  {
1694  /* Test associativity of add. */
1695  secp256k1_scalar r1, r2;
1696  secp256k1_scalar_add(&r1, &s1, &s2);
1697  secp256k1_scalar_add(&r1, &r1, &s);
1698  secp256k1_scalar_add(&r2, &s2, &s);
1699  secp256k1_scalar_add(&r2, &s1, &r2);
1700  CHECK(secp256k1_scalar_eq(&r1, &r2));
1701  }
1702 
1703  {
1704  /* Test associativity of mul. */
1705  secp256k1_scalar r1, r2;
1706  secp256k1_scalar_mul(&r1, &s1, &s2);
1707  secp256k1_scalar_mul(&r1, &r1, &s);
1708  secp256k1_scalar_mul(&r2, &s2, &s);
1709  secp256k1_scalar_mul(&r2, &s1, &r2);
1710  CHECK(secp256k1_scalar_eq(&r1, &r2));
1711  }
1712 
1713  {
1714  /* Test distributitivity of mul over add. */
1715  secp256k1_scalar r1, r2, t;
1716  secp256k1_scalar_add(&r1, &s1, &s2);
1717  secp256k1_scalar_mul(&r1, &r1, &s);
1718  secp256k1_scalar_mul(&r2, &s1, &s);
1719  secp256k1_scalar_mul(&t, &s2, &s);
1720  secp256k1_scalar_add(&r2, &r2, &t);
1721  CHECK(secp256k1_scalar_eq(&r1, &r2));
1722  }
1723 
1724  {
1725  /* Test multiplicative identity. */
1726  secp256k1_scalar r1, v1;
1727  secp256k1_scalar_set_int(&v1,1);
1728  secp256k1_scalar_mul(&r1, &s1, &v1);
1729  CHECK(secp256k1_scalar_eq(&r1, &s1));
1730  }
1731 
1732  {
1733  /* Test additive identity. */
1734  secp256k1_scalar r1, v0;
1735  secp256k1_scalar_set_int(&v0,0);
1736  secp256k1_scalar_add(&r1, &s1, &v0);
1737  CHECK(secp256k1_scalar_eq(&r1, &s1));
1738  }
1739 
1740  {
1741  /* Test zero product property. */
1742  secp256k1_scalar r1, v0;
1743  secp256k1_scalar_set_int(&v0,0);
1744  secp256k1_scalar_mul(&r1, &s1, &v0);
1745  CHECK(secp256k1_scalar_eq(&r1, &v0));
1746  }
1747 
1748 }
1749 
1751  unsigned char b32[32];
1752  secp256k1_scalar s1;
1753  secp256k1_scalar s2;
1754 
1755  /* Usually set_b32 and set_b32_seckey give the same result */
1757  secp256k1_scalar_set_b32(&s1, b32, NULL);
1758  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1759  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1760 
1761  memset(b32, 0, sizeof(b32));
1762  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1763  memset(b32, 0xFF, sizeof(b32));
1764  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1765 }
1766 
1767 void run_scalar_tests(void) {
1768  int i;
1769  for (i = 0; i < 128 * count; i++) {
1770  scalar_test();
1771  }
1772  for (i = 0; i < count; i++) {
1774  }
1775 
1776  {
1777  /* (-1)+1 should be zero. */
1778  secp256k1_scalar s, o;
1779  secp256k1_scalar_set_int(&s, 1);
1781  secp256k1_scalar_negate(&o, &s);
1782  secp256k1_scalar_add(&o, &o, &s);
1784  secp256k1_scalar_negate(&o, &o);
1786  }
1787 
1788  {
1789  /* Does check_overflow check catch all ones? */
1790  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1791  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1792  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1793  );
1794  CHECK(secp256k1_scalar_check_overflow(&overflowed));
1795  }
1796 
1797  {
1798  /* Static test vectors.
1799  * These were reduced from ~10^12 random vectors based on comparison-decision
1800  * and edge-case coverage on 32-bit and 64-bit implementations.
1801  * The responses were generated with Sage 5.9.
1802  */
1803  secp256k1_scalar x;
1804  secp256k1_scalar y;
1805  secp256k1_scalar z;
1806  secp256k1_scalar zz;
1807  secp256k1_scalar one;
1808  secp256k1_scalar r1;
1809  secp256k1_scalar r2;
1810  secp256k1_scalar zzv;
1811  int overflow;
1812  unsigned char chal[33][2][32] = {
1813  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1814  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1815  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1816  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1817  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1818  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1819  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1820  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1821  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1822  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1823  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1824  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1825  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1826  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1827  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1828  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1829  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1830  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1831  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1832  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1833  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1834  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1835  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1836  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1837  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1838  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1839  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1840  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1841  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1842  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1843  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1844  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1845  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1846  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1847  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1848  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1849  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1850  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1851  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1852  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1853  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1854  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1855  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1856  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1857  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1858  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1859  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1860  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1861  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1862  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1863  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1864  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1865  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1866  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1867  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1868  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1869  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1870  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1871  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1872  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1873  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1874  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1875  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1876  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1877  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1878  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1879  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1880  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1881  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1882  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1883  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1884  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1885  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1886  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1887  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1888  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1889  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1890  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1891  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1892  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1893  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1894  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1895  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1896  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1897  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1898  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1899  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1900  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1901  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1902  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1903  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1904  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1905  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1906  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1907  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1908  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1909  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1910  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1911  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1912  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1913  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1914  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1915  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1916  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1917  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1918  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1919  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1920  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1921  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1922  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1923  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1924  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1925  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1926  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1927  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1928  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1929  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1930  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1931  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1932  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1933  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1934  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1935  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1936  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1937  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1938  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1939  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1940  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1941  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1942  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1943  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1944  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1945  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1946  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1947  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1948  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1949  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1950  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1951  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1952  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1953  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1954  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1955  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1956  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1957  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1958  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1959  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1960  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1961  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1962  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1963  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1964  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1965  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1966  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1967  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1968  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1969  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1970  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1971  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1972  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1973  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1974  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1975  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1976  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1977  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1978  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1979  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1980  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1981  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1982  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1983  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1984  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1985  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1986  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1987  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1988  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1989  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1990  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1991  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1992  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1993  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1994  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1995  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1996  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1997  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1998  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1999  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2000  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2001  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2002  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2003  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2004  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2005  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2006  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2007  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2008  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2009  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2010  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2011  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2012  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2013  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2014  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2015  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2016  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2017  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2018  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2019  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2020  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2021  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2022  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2023  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2024  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2025  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2026  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2027  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2028  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2029  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2030  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2031  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2032  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2033  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2034  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2035  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2036  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2037  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2038  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2039  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2040  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2041  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2042  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2043  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2044  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2045  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2046  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2047  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2048  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2049  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2050  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2051  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2052  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2053  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2054  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2055  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2056  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2057  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2058  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2059  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2060  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2061  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2062  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2063  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2064  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2065  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2066  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2067  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2068  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2069  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2070  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2071  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2072  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2073  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2074  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2075  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2076  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2077  };
2078  unsigned char res[33][2][32] = {
2079  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2080  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2081  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2082  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2083  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2084  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2085  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2086  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2087  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2088  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2089  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2090  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2091  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2092  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2093  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2094  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2095  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2096  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2097  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2098  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2099  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2100  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2101  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2102  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2103  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2104  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2105  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2106  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2107  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2108  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2109  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2110  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2111  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2112  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2113  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2114  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2115  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2116  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2117  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2118  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2119  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2120  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2121  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2122  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2123  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2124  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2125  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2126  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2127  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2128  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2129  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2130  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2131  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2132  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2133  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2134  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2135  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2136  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2137  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2138  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2139  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2140  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2141  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2142  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2143  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2144  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2145  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2146  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2147  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2148  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2149  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2150  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2151  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2152  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2153  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2154  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2155  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2156  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2157  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2158  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2159  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2160  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2161  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2162  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2163  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2164  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2165  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2166  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2167  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2168  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2169  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2170  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2171  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2172  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2173  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2174  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2175  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2176  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2177  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2178  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2179  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2180  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2181  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2182  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2183  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2184  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2185  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2186  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2187  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2188  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2189  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2190  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2191  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2192  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2193  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2194  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2195  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2196  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2197  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2198  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2199  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2200  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2201  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2202  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2203  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2204  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2205  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2206  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2207  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2208  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2209  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2210  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2211  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2212  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2213  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2214  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2215  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2216  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2217  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2218  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2219  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2220  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2221  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2222  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2223  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2224  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2225  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2226  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2227  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2228  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2229  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2230  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2231  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2232  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2233  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2234  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2235  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2236  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2237  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2238  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2239  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2240  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2241  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2242  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2243  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2244  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2245  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2246  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2247  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2248  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2249  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2250  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2251  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2252  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2253  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2254  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2255  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2256  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2257  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2258  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2259  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2260  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2261  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2262  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2263  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2264  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2265  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2266  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2267  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2268  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2269  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2270  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2271  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2272  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2273  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2274  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2275  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2276  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2277  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2278  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2279  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2280  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2281  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2282  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2283  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2284  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2285  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2286  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2287  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2288  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2289  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2290  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2291  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2292  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2293  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2294  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2295  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2296  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2297  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2298  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2299  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2300  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2301  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2302  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2303  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2304  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2305  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2306  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2307  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2308  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2309  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2310  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2311  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2312  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2313  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2314  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2315  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2316  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2317  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2318  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2319  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2320  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2321  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2322  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2323  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2324  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2325  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2326  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2327  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2328  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2329  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2330  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2331  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2332  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2333  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2334  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2335  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2336  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2337  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2338  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2339  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2340  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2341  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2342  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2343  };
2344  secp256k1_scalar_set_int(&one, 1);
2345  for (i = 0; i < 33; i++) {
2346  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2347  CHECK(!overflow);
2348  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2349  CHECK(!overflow);
2350  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2351  CHECK(!overflow);
2352  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2353  CHECK(!overflow);
2354  secp256k1_scalar_mul(&z, &x, &y);
2356  CHECK(secp256k1_scalar_eq(&r1, &z));
2357  if (!secp256k1_scalar_is_zero(&y)) {
2358  secp256k1_scalar_inverse(&zz, &y);
2360  secp256k1_scalar_inverse_var(&zzv, &y);
2361  CHECK(secp256k1_scalar_eq(&zzv, &zz));
2362  secp256k1_scalar_mul(&z, &z, &zz);
2364  CHECK(secp256k1_scalar_eq(&x, &z));
2365  secp256k1_scalar_mul(&zz, &zz, &y);
2367  CHECK(secp256k1_scalar_eq(&one, &zz));
2368  }
2369  }
2370  }
2371 }
2372 
2373 /***** FIELD TESTS *****/
2374 
2376  unsigned char bin[32];
2377  do {
2378  secp256k1_testrand256(bin);
2379  if (secp256k1_fe_set_b32(x, bin)) {
2380  return;
2381  }
2382  } while(1);
2383 }
2384 
2386  unsigned char bin[32];
2387  do {
2389  if (secp256k1_fe_set_b32(x, bin)) {
2390  return;
2391  }
2392  } while(1);
2393 }
2394 
2396  int tries = 10;
2397  while (--tries >= 0) {
2398  random_fe(nz);
2400  if (!secp256k1_fe_is_zero(nz)) {
2401  break;
2402  }
2403  }
2404  /* Infinitesimal probability of spurious failure here */
2405  CHECK(tries >= 0);
2406 }
2407 
2409  secp256k1_fe r;
2410  random_fe_non_zero(ns);
2411  if (secp256k1_fe_sqrt(&r, ns)) {
2412  secp256k1_fe_negate(ns, ns, 1);
2413  }
2414 }
2415 
2416 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2417  secp256k1_fe an = *a;
2418  secp256k1_fe bn = *b;
2421  return secp256k1_fe_equal_var(&an, &bn);
2422 }
2423 
2424 void run_field_convert(void) {
2425  static const unsigned char b32[32] = {
2426  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2427  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2428  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2429  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2430  };
2432  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2433  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2434  );
2435  static const secp256k1_fe fe = SECP256K1_FE_CONST(
2436  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2437  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2438  );
2439  secp256k1_fe fe2;
2440  unsigned char b322[32];
2441  secp256k1_fe_storage fes2;
2442  /* Check conversions to fe. */
2443  CHECK(secp256k1_fe_set_b32(&fe2, b32));
2444  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2445  secp256k1_fe_from_storage(&fe2, &fes);
2446  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2447  /* Check conversion from fe. */
2448  secp256k1_fe_get_b32(b322, &fe);
2449  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2450  secp256k1_fe_to_storage(&fes2, &fe);
2451  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2452 }
2453 
2455  secp256k1_fe t = *b;
2456 #ifdef VERIFY
2457  t.magnitude = a->magnitude;
2458  t.normalized = a->normalized;
2459 #endif
2460  return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
2461 }
2462 
2463 void run_field_misc(void) {
2464  secp256k1_fe x;
2465  secp256k1_fe y;
2466  secp256k1_fe z;
2467  secp256k1_fe q;
2468  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2469  int i, j;
2470  for (i = 0; i < 5*count; i++) {
2471  secp256k1_fe_storage xs, ys, zs;
2472  random_fe(&x);
2473  random_fe_non_zero(&y);
2474  /* Test the fe equality and comparison operations. */
2475  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
2476  CHECK(secp256k1_fe_equal_var(&x, &x));
2477  z = x;
2478  secp256k1_fe_add(&z,&y);
2479  /* Test fe conditional move; z is not normalized here. */
2480  q = x;
2481  secp256k1_fe_cmov(&x, &z, 0);
2482 #ifdef VERIFY
2483  CHECK(x.normalized && x.magnitude == 1);
2484 #endif
2485  secp256k1_fe_cmov(&x, &x, 1);
2486  CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
2487  CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
2488  secp256k1_fe_cmov(&q, &z, 1);
2489 #ifdef VERIFY
2490  CHECK(!q.normalized && q.magnitude == z.magnitude);
2491 #endif
2492  CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
2495  CHECK(!secp256k1_fe_equal_var(&x, &z));
2497  secp256k1_fe_cmov(&q, &z, (i&1));
2498 #ifdef VERIFY
2499  CHECK(q.normalized && q.magnitude == 1);
2500 #endif
2501  for (j = 0; j < 6; j++) {
2502  secp256k1_fe_negate(&z, &z, j+1);
2504  secp256k1_fe_cmov(&q, &z, (j&1));
2505 #ifdef VERIFY
2506  CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2507 #endif
2508  }
2510  /* Test storage conversion and conditional moves. */
2511  secp256k1_fe_to_storage(&xs, &x);
2512  secp256k1_fe_to_storage(&ys, &y);
2513  secp256k1_fe_to_storage(&zs, &z);
2514  secp256k1_fe_storage_cmov(&zs, &xs, 0);
2515  secp256k1_fe_storage_cmov(&zs, &zs, 1);
2516  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2517  secp256k1_fe_storage_cmov(&ys, &xs, 1);
2518  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2519  secp256k1_fe_from_storage(&x, &xs);
2520  secp256k1_fe_from_storage(&y, &ys);
2521  secp256k1_fe_from_storage(&z, &zs);
2522  /* Test that mul_int, mul, and add agree. */
2523  secp256k1_fe_add(&y, &x);
2524  secp256k1_fe_add(&y, &x);
2525  z = x;
2526  secp256k1_fe_mul_int(&z, 3);
2527  CHECK(check_fe_equal(&y, &z));
2528  secp256k1_fe_add(&y, &x);
2529  secp256k1_fe_add(&z, &x);
2530  CHECK(check_fe_equal(&z, &y));
2531  z = x;
2532  secp256k1_fe_mul_int(&z, 5);
2533  secp256k1_fe_mul(&q, &x, &fe5);
2534  CHECK(check_fe_equal(&z, &q));
2535  secp256k1_fe_negate(&x, &x, 1);
2536  secp256k1_fe_add(&z, &x);
2537  secp256k1_fe_add(&q, &x);
2538  CHECK(check_fe_equal(&y, &z));
2539  CHECK(check_fe_equal(&q, &y));
2540  }
2541 }
2542 
2543 void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
2544 {
2545  secp256k1_fe c, an, bn;
2546  /* Variables in BE 32-byte format. */
2547  unsigned char a32[32], b32[32], c32[32];
2548  /* Variables in LE 16x uint16_t format. */
2549  uint16_t a16[16], b16[16], c16[16];
2550  /* Field modulus in LE 16x uint16_t format. */
2551  static const uint16_t m16[16] = {
2552  0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2553  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2554  };
2555  uint16_t t16[32];
2556  int i;
2557 
2558  /* Compute C = A * B in fe format. */
2559  c = *a;
2560  if (use_sqr) {
2561  secp256k1_fe_sqr(&c, &c);
2562  } else {
2563  secp256k1_fe_mul(&c, &c, b);
2564  }
2565 
2566  /* Convert A, B, C into LE 16x uint16_t format. */
2567  an = *a;
2568  bn = *b;
2572  secp256k1_fe_get_b32(a32, &an);
2573  secp256k1_fe_get_b32(b32, &bn);
2574  secp256k1_fe_get_b32(c32, &c);
2575  for (i = 0; i < 16; ++i) {
2576  a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
2577  b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
2578  c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
2579  }
2580  /* Compute T = A * B in LE 16x uint16_t format. */
2581  mulmod256(t16, a16, b16, m16);
2582  /* Compare */
2583  CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
2584 }
2585 
2586 void run_fe_mul(void) {
2587  int i;
2588  for (i = 0; i < 100 * count; ++i) {
2589  secp256k1_fe a, b, c, d;
2590  random_fe(&a);
2592  random_fe(&b);
2594  random_fe_test(&c);
2596  random_fe_test(&d);
2598  test_fe_mul(&a, &a, 1);
2599  test_fe_mul(&c, &c, 1);
2600  test_fe_mul(&a, &b, 0);
2601  test_fe_mul(&a, &c, 0);
2602  test_fe_mul(&c, &b, 0);
2603  test_fe_mul(&c, &d, 0);
2604  }
2605 }
2606 
2607 void run_sqr(void) {
2608  secp256k1_fe x, s;
2609 
2610  {
2611  int i;
2612  secp256k1_fe_set_int(&x, 1);
2613  secp256k1_fe_negate(&x, &x, 1);
2614 
2615  for (i = 1; i <= 512; ++i) {
2616  secp256k1_fe_mul_int(&x, 2);
2618  secp256k1_fe_sqr(&s, &x);
2619  }
2620  }
2621 }
2622 
2623 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2624  secp256k1_fe r1, r2;
2625  int v = secp256k1_fe_sqrt(&r1, a);
2626  CHECK((v == 0) == (k == NULL));
2627 
2628  if (k != NULL) {
2629  /* Check that the returned root is +/- the given known answer */
2630  secp256k1_fe_negate(&r2, &r1, 1);
2631  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2634  }
2635 }
2636 
2637 void run_sqrt(void) {
2638  secp256k1_fe ns, x, s, t;
2639  int i;
2640 
2641  /* Check sqrt(0) is 0 */
2642  secp256k1_fe_set_int(&x, 0);
2643  secp256k1_fe_sqr(&s, &x);
2644  test_sqrt(&s, &x);
2645 
2646  /* Check sqrt of small squares (and their negatives) */
2647  for (i = 1; i <= 100; i++) {
2648  secp256k1_fe_set_int(&x, i);
2649  secp256k1_fe_sqr(&s, &x);
2650  test_sqrt(&s, &x);
2651  secp256k1_fe_negate(&t, &s, 1);
2652  test_sqrt(&t, NULL);
2653  }
2654 
2655  /* Consistency checks for large random values */
2656  for (i = 0; i < 10; i++) {
2657  int j;
2658  random_fe_non_square(&ns);
2659  for (j = 0; j < count; j++) {
2660  random_fe(&x);
2661  secp256k1_fe_sqr(&s, &x);
2662  test_sqrt(&s, &x);
2663  secp256k1_fe_negate(&t, &s, 1);
2664  test_sqrt(&t, NULL);
2665  secp256k1_fe_mul(&t, &s, &ns);
2666  test_sqrt(&t, NULL);
2667  }
2668  }
2669 }
2670 
2671 /***** FIELD/SCALAR INVERSE TESTS *****/
2672 
2674  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2675  0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2676 );
2677 
2679  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2680  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2681 );
2682 
2683 /* These tests test the following identities:
2684  *
2685  * for x==0: 1/x == 0
2686  * for x!=0: x*(1/x) == 1
2687  * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2688  */
2689 
2691 {
2692  secp256k1_scalar l, r, t;
2693 
2694  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
2695  if (out) *out = l;
2696  if (secp256k1_scalar_is_zero(x)) {
2698  return;
2699  }
2700  secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
2701  CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
2702  secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2703  if (secp256k1_scalar_is_zero(&r)) return;
2704  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
2705  secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2706  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
2707  secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
2708  secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2709  CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
2710 }
2711 
2712 void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
2713 {
2714  secp256k1_fe l, r, t;
2715 
2716  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
2717  if (out) *out = l;
2718  t = *x; /* t = x */
2721  return;
2722  }
2723  secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
2724  secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
2725  CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
2726  r = *x; /* r = x */
2727  secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
2728  if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
2729  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
2730  secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
2731  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
2732  secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
2733  secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2734  CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
2735 }
2736 
2738 {
2739  /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
2740  static const secp256k1_fe fe_cases[][2] = {
2741  /* 0 */
2742  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2743  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2744  /* 1 */
2745  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2746  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2747  /* -1 */
2748  {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
2749  SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
2750  /* 2 */
2751  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2752  SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
2753  /* 2**128 */
2754  {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2755  SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
2756  /* Input known to need 637 divsteps */
2757  {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
2758  SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
2759  /* Input known to need 567 divsteps starting with delta=1/2. */
2760  {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
2761  SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
2762  /* Input known to need 566 divsteps starting with delta=1/2. */
2763  {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
2764  SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
2765  /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
2766  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
2767  SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
2768  {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
2769  SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
2770  {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
2771  SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
2772  {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
2773  SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
2774  {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
2775  SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
2776  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
2777  SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
2778  {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
2779  SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
2780  {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
2781  SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
2782  {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
2783  SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
2784  {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
2785  SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
2786  /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
2787  {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
2788  SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
2789  {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
2790  SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
2791  {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
2792  SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
2793  {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
2794  SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
2795  {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
2796  SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
2797  {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
2798  SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
2799  {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
2800  SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
2801  {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
2802  SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
2803  {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
2804  SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
2805  {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
2806  SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
2807  {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
2808  SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
2809  {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
2810  SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
2811  {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
2812  SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
2813  {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
2814  SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
2815  {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
2816  SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
2817  {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
2818  SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
2819  {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
2820  SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
2821  {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
2822  SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
2823  {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
2824  SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
2825  {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
2826  SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
2827  {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
2828  SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
2829  {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
2830  SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
2831  {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
2832  SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
2833  {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
2834  SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
2835  {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
2836  SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
2837  {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
2838  SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
2839  {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
2840  SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
2841  {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
2842  SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
2843  };
2844  /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
2845  static const secp256k1_scalar scalar_cases[][2] = {
2846  /* 0 */
2847  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2848  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2849  /* 1 */
2850  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2851  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2852  /* -1 */
2853  {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
2854  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
2855  /* 2 */
2856  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2857  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
2858  /* 2**128 */
2859  {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2860  SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
2861  /* Input known to need 635 divsteps */
2862  {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
2863  SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
2864  /* Input known to need 566 divsteps starting with delta=1/2. */
2865  {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
2866  SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
2867  /* Input known to need 565 divsteps starting with delta=1/2. */
2868  {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
2869  SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
2870  /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
2871  {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
2872  SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
2873  {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
2874  SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
2875  {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
2876  SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
2877  {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
2878  SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
2879  {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
2880  SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
2881  {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
2882  SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
2883  {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
2884  SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
2885  {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
2886  SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
2887  {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
2888  SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
2889  {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
2890  SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
2891  {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
2892  SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
2893  {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
2894  SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
2895  {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
2896  SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
2897  {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
2898  SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
2899  {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
2900  SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
2901  {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
2902  SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
2903  {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
2904  SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
2905  {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
2906  SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
2907  {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
2908  SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
2909  {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
2910  SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
2911  {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
2912  SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
2913  {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
2914  SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
2915  {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
2916  SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
2917  {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
2918  SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
2919  {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
2920  SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
2921  {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
2922  SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
2923  {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
2924  SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
2925  {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
2926  SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
2927  {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
2928  SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
2929  };
2930  int i, var, testrand;
2931  unsigned char b32[32];
2932  secp256k1_fe x_fe;
2933  secp256k1_scalar x_scalar;
2934  memset(b32, 0, sizeof(b32));
2935  /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
2936  for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
2937  for (var = 0; var <= 1; ++var) {
2938  test_inverse_field(&x_fe, &fe_cases[i][0], var);
2939  check_fe_equal(&x_fe, &fe_cases[i][1]);
2940  test_inverse_field(&x_fe, &fe_cases[i][1], var);
2941  check_fe_equal(&x_fe, &fe_cases[i][0]);
2942  }
2943  }
2944  for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
2945  for (var = 0; var <= 1; ++var) {
2946  test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
2947  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
2948  test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
2949  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
2950  }
2951  }
2952  /* Test inputs 0..999 and their respective negations. */
2953  for (i = 0; i < 1000; ++i) {
2954  b32[31] = i & 0xff;
2955  b32[30] = (i >> 8) & 0xff;
2956  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2957  secp256k1_fe_set_b32(&x_fe, b32);
2958  for (var = 0; var <= 1; ++var) {
2959  test_inverse_scalar(NULL, &x_scalar, var);
2960  test_inverse_field(NULL, &x_fe, var);
2961  }
2962  secp256k1_scalar_negate(&x_scalar, &x_scalar);
2963  secp256k1_fe_negate(&x_fe, &x_fe, 1);
2964  for (var = 0; var <= 1; ++var) {
2965  test_inverse_scalar(NULL, &x_scalar, var);
2966  test_inverse_field(NULL, &x_fe, var);
2967  }
2968  }
2969  /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
2970  for (testrand = 0; testrand <= 1; ++testrand) {
2971  for (i = 0; i < 64 * count; ++i) {
2973  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2974  secp256k1_fe_set_b32(&x_fe, b32);
2975  for (var = 0; var <= 1; ++var) {
2976  test_inverse_scalar(NULL, &x_scalar, var);
2977  test_inverse_field(NULL, &x_fe, var);
2978  }
2979  }
2980  }
2981 }
2982 
2983 /***** GROUP TESTS *****/
2984 
2985 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2986  CHECK(a->infinity == b->infinity);
2987  if (a->infinity) {
2988  return;
2989  }
2990  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2991  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2992 }
2993 
2994 /* This compares jacobian points including their Z, not just their geometric meaning. */
2996  secp256k1_gej a2;
2997  secp256k1_gej b2;
2998  int ret = 1;
2999  ret &= a->infinity == b->infinity;
3000  if (ret && !a->infinity) {
3001  a2 = *a;
3002  b2 = *b;
3009  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3010  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3011  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3012  }
3013  return ret;
3014 }
3015 
3016 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
3017  secp256k1_fe z2s;
3018  secp256k1_fe u1, u2, s1, s2;
3019  CHECK(a->infinity == b->infinity);
3020  if (a->infinity) {
3021  return;
3022  }
3023  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
3024  secp256k1_fe_sqr(&z2s, &b->z);
3025  secp256k1_fe_mul(&u1, &a->x, &z2s);
3026  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
3027  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
3028  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
3029  CHECK(secp256k1_fe_equal_var(&u1, &u2));
3030  CHECK(secp256k1_fe_equal_var(&s1, &s2));
3031 }
3032 
3033 void test_ge(void) {
3034  int i, i1;
3035  int runs = 6;
3036  /* 25 points are used:
3037  * - infinity
3038  * - for each of four random points p1 p2 p3 p4, we add the point, its
3039  * negation, and then those two again but with randomized Z coordinate.
3040  * - The same is then done for lambda*p1 and lambda^2*p1.
3041  */
3042  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3043  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3044  secp256k1_fe zf;
3045  secp256k1_fe zfi2, zfi3;
3046 
3047  secp256k1_gej_set_infinity(&gej[0]);
3048  secp256k1_ge_clear(&ge[0]);
3049  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3050  for (i = 0; i < runs; i++) {
3051  int j;
3052  secp256k1_ge g;
3054  if (i >= runs - 2) {
3055  secp256k1_ge_mul_lambda(&g, &ge[1]);
3056  }
3057  if (i >= runs - 1) {
3059  }
3060  ge[1 + 4 * i] = g;
3061  ge[2 + 4 * i] = g;
3062  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3063  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3064  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3065  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3066  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3067  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3068  for (j = 0; j < 4; j++) {
3069  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
3070  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
3071  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
3072  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
3073  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
3074  }
3075  }
3076 
3077  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3078  do {
3080  } while(secp256k1_fe_is_zero(&zf));
3082  secp256k1_fe_inv_var(&zfi3, &zf);
3083  secp256k1_fe_sqr(&zfi2, &zfi3);
3084  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3085 
3086  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3087  int i2;
3088  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3089  /* Compute reference result using gej + gej (var). */
3090  secp256k1_gej refj, resj;
3091  secp256k1_ge ref;
3092  secp256k1_fe zr;
3093  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3094  /* Check Z ratio. */
3095  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3096  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3097  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
3098  }
3099  secp256k1_ge_set_gej_var(&ref, &refj);
3100 
3101  /* Test gej + ge with Z ratio result (var). */
3102  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3103  ge_equals_gej(&ref, &resj);
3104  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3105  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3106  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
3107  }
3108 
3109  /* Test gej + ge (var, with additional Z factor). */
3110  {
3111  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3112  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3113  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3116  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3117  ge_equals_gej(&ref, &resj);
3118  }
3119 
3120  /* Test gej + ge (const). */
3121  if (i2 != 0) {
3122  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3123  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3124  ge_equals_gej(&ref, &resj);
3125  }
3126 
3127  /* Test doubling (var). */
3128  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3129  secp256k1_fe zr2;
3130  /* Normal doubling with Z ratio result. */
3131  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3132  ge_equals_gej(&ref, &resj);
3133  /* Check Z ratio. */
3134  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3135  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
3136  /* Normal doubling. */
3137  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3138  ge_equals_gej(&ref, &resj);
3139  /* Constant-time doubling. */
3140  secp256k1_gej_double(&resj, &gej[i2]);
3141  ge_equals_gej(&ref, &resj);
3142  }
3143 
3144  /* Test adding opposites. */
3145  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3147  }
3148 
3149  /* Test adding infinity. */
3150  if (i1 == 0) {
3151  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3152  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3153  ge_equals_gej(&ref, &gej[i2]);
3154  }
3155  if (i2 == 0) {
3156  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3157  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3158  ge_equals_gej(&ref, &gej[i1]);
3159  }
3160  }
3161  }
3162 
3163  /* Test adding all points together in random order equals infinity. */
3164  {
3166  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3167  for (i = 0; i < 4 * runs + 1; i++) {
3168  gej_shuffled[i] = gej[i];
3169  }
3170  for (i = 0; i < 4 * runs + 1; i++) {
3171  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3172  if (swap != i) {
3173  secp256k1_gej t = gej_shuffled[i];
3174  gej_shuffled[i] = gej_shuffled[swap];
3175  gej_shuffled[swap] = t;
3176  }
3177  }
3178  for (i = 0; i < 4 * runs + 1; i++) {
3179  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3180  }
3182  free(gej_shuffled);
3183  }
3184 
3185  /* Test batch gej -> ge conversion without known z ratios. */
3186  {
3187  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3188  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3189  for (i = 0; i < 4 * runs + 1; i++) {
3190  secp256k1_fe s;
3191  random_fe_non_zero(&s);
3192  secp256k1_gej_rescale(&gej[i], &s);
3193  ge_equals_gej(&ge_set_all[i], &gej[i]);
3194  }
3195  free(ge_set_all);
3196  }
3197 
3198  /* Test batch gej -> ge conversion with many infinities. */
3199  for (i = 0; i < 4 * runs + 1; i++) {
3200  int odd;
3201  random_group_element_test(&ge[i]);
3202  odd = secp256k1_fe_is_odd(&ge[i].x);
3203  CHECK(odd == 0 || odd == 1);
3204  /* randomly set half the points to infinity */
3205  if (odd == i % 2) {
3206  secp256k1_ge_set_infinity(&ge[i]);
3207  }
3208  secp256k1_gej_set_ge(&gej[i], &ge[i]);
3209  }
3210  /* batch convert */
3211  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3212  /* check result */
3213  for (i = 0; i < 4 * runs + 1; i++) {
3214  ge_equals_gej(&ge[i], &gej[i]);
3215  }
3216 
3217  /* Test batch gej -> ge conversion with all infinities. */
3218  for (i = 0; i < 4 * runs + 1; i++) {
3219  secp256k1_gej_set_infinity(&gej[i]);
3220  }
3221  /* batch convert */
3222  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3223  /* check result */
3224  for (i = 0; i < 4 * runs + 1; i++) {
3226  }
3227 
3228  free(ge);
3229  free(gej);
3230 }
3231 
3232 
3234  secp256k1_ge p;
3235  secp256k1_gej pj, npj, infj1, infj2, infj3;
3236  secp256k1_fe zinv;
3237 
3238  /* Test that adding P+(-P) results in a fully initalized infinity*/
3240  secp256k1_gej_set_ge(&pj, &p);
3241  secp256k1_gej_neg(&npj, &pj);
3242 
3243  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3245  CHECK(secp256k1_fe_is_zero(&infj1.x));
3246  CHECK(secp256k1_fe_is_zero(&infj1.y));
3247  CHECK(secp256k1_fe_is_zero(&infj1.z));
3248 
3249  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3251  CHECK(secp256k1_fe_is_zero(&infj2.x));
3252  CHECK(secp256k1_fe_is_zero(&infj2.y));
3253  CHECK(secp256k1_fe_is_zero(&infj2.z));
3254 
3255  secp256k1_fe_set_int(&zinv, 1);
3256  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3258  CHECK(secp256k1_fe_is_zero(&infj3.x));
3259  CHECK(secp256k1_fe_is_zero(&infj3.y));
3260  CHECK(secp256k1_fe_is_zero(&infj3.z));
3261 
3262 
3263 }
3264 
3266  /* The point of this test is to check that we can add two points
3267  * whose y-coordinates are negatives of each other but whose x
3268  * coordinates differ. If the x-coordinates were the same, these
3269  * points would be negatives of each other and their sum is
3270  * infinity. This is cool because it "covers up" any degeneracy
3271  * in the addition algorithm that would cause the xy coordinates
3272  * of the sum to be wrong (since infinity has no xy coordinates).
3273  * HOWEVER, if the x-coordinates are different, infinity is the
3274  * wrong answer, and such degeneracies are exposed. This is the
3275  * root of https://github.com/bitcoin-core/secp256k1/issues/257
3276  * which this test is a regression test for.
3277  *
3278  * These points were generated in sage as
3279  * # secp256k1 params
3280  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3281  * C = EllipticCurve ([F (0), F (7)])
3282  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3283  * N = FiniteField(G.order())
3284  *
3285  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
3286  * x = polygen(N)
3287  * lam = (1 - x^3).roots()[1][0]
3288  *
3289  * # random "bad pair"
3290  * P = C.random_element()
3291  * Q = -int(lam) * P
3292  * print " P: %x %x" % P.xy()
3293  * print " Q: %x %x" % Q.xy()
3294  * print "P + Q: %x %x" % (P + Q).xy()
3295  */
3297  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3298  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3299  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3300  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3301  );
3303  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3304  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3305  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3306  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3307  );
3309  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3310  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3311  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3312  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3313  );
3314  secp256k1_ge b;
3315  secp256k1_gej resj;
3316  secp256k1_ge res;
3317  secp256k1_ge_set_gej(&b, &bj);
3318 
3319  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
3320  secp256k1_ge_set_gej(&res, &resj);
3321  ge_equals_gej(&res, &sumj);
3322 
3323  secp256k1_gej_add_ge(&resj, &aj, &b);
3324  secp256k1_ge_set_gej(&res, &resj);
3325  ge_equals_gej(&res, &sumj);
3326 
3327  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
3328  secp256k1_ge_set_gej(&res, &resj);
3329  ge_equals_gej(&res, &sumj);
3330 }
3331 
3332 void run_ge(void) {
3333  int i;
3334  for (i = 0; i < count * 32; i++) {
3335  test_ge();
3336  }
3339 }
3340 
3341 void test_ec_combine(void) {
3342  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3343  secp256k1_pubkey data[6];
3344  const secp256k1_pubkey* d[6];
3345  secp256k1_pubkey sd;
3346  secp256k1_pubkey sd2;
3347  secp256k1_gej Qj;
3348  secp256k1_ge Q;
3349  int i;
3350  for (i = 1; i <= 6; i++) {
3351  secp256k1_scalar s;
3353  secp256k1_scalar_add(&sum, &sum, &s);
3355  secp256k1_ge_set_gej(&Q, &Qj);
3356  secp256k1_pubkey_save(&data[i - 1], &Q);
3357  d[i - 1] = &data[i - 1];
3359  secp256k1_ge_set_gej(&Q, &Qj);
3360  secp256k1_pubkey_save(&sd, &Q);
3361  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
3362  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
3363  }
3364 }
3365 
3366 void run_ec_combine(void) {
3367  int i;
3368  for (i = 0; i < count * 8; i++) {
3369  test_ec_combine();
3370  }
3371 }
3372 
3374  /* The input itself, normalized. */
3375  secp256k1_fe fex = *x;
3376  /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
3377  secp256k1_ge ge_even, ge_odd;
3378  /* Return values of the above calls. */
3379  int res_even, res_odd;
3380 
3382 
3383  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
3384  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
3385 
3386  CHECK(res_even == res_odd);
3387 
3388  if (res_even) {
3389  secp256k1_fe_normalize_var(&ge_odd.x);
3390  secp256k1_fe_normalize_var(&ge_even.x);
3391  secp256k1_fe_normalize_var(&ge_odd.y);
3392  secp256k1_fe_normalize_var(&ge_even.y);
3393 
3394  /* No infinity allowed. */
3395  CHECK(!ge_even.infinity);
3396  CHECK(!ge_odd.infinity);
3397 
3398  /* Check that the x coordinates check out. */
3399  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
3400  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
3401 
3402  /* Check odd/even Y in ge_odd, ge_even. */
3403  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
3404  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
3405  }
3406 }
3407 
3409  int i;
3410  for (i = 0; i < count * 4; i++) {
3411  secp256k1_fe fe;
3412  random_fe_test(&fe);
3413  test_group_decompress(&fe);
3414  }
3415 }
3416 
3417 /***** ECMULT TESTS *****/
3418 
3419 void run_ecmult_chain(void) {
3420  /* random starting point A (on the curve) */
3422  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
3423  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
3424  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
3425  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
3426  );
3427  /* two random initial factors xn and gn */
3429  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
3430  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
3431  );
3433  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
3434  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
3435  );
3436  /* two small multipliers to be applied to xn and gn in every iteration: */
3437  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
3438  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
3439  /* accumulators with the resulting coefficients to A and G */
3440  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3441  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3442  /* actual points */
3443  secp256k1_gej x;
3444  secp256k1_gej x2;
3445  int i;
3446 
3447  /* the point being computed */
3448  x = a;
3449  for (i = 0; i < 200*count; i++) {
3450  /* in each iteration, compute X = xn*X + gn*G; */
3451  secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
3452  /* also compute ae and ge: the actual accumulated factors for A and G */
3453  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
3454  secp256k1_scalar_mul(&ae, &ae, &xn);
3455  secp256k1_scalar_mul(&ge, &ge, &xn);
3456  secp256k1_scalar_add(&ge, &ge, &gn);
3457  /* modify xn and gn */
3458  secp256k1_scalar_mul(&xn, &xn, &xf);
3459  secp256k1_scalar_mul(&gn, &gn, &gf);
3460 
3461  /* verify */
3462  if (i == 19999) {
3463  /* expected result after 19999 iterations */
3465  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
3466  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
3467  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
3468  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
3469  );
3470 
3471  secp256k1_gej_neg(&rp, &rp);
3472  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
3474  }
3475  }
3476  /* redo the computation, but directly with the resulting ae and ge coefficients: */
3477  secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
3478  secp256k1_gej_neg(&x2, &x2);
3479  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
3481 }
3482 
3484  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
3485  secp256k1_scalar x;
3486  secp256k1_scalar nx;
3487  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3488  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3489  secp256k1_gej res1, res2;
3490  secp256k1_ge res3;
3491  unsigned char pub[65];
3492  size_t psize = 65;
3494  secp256k1_scalar_negate(&nx, &x);
3495  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
3496  secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
3497  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
3499  secp256k1_ge_set_gej(&res3, &res1);
3501  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
3502  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
3503  psize = 65;
3504  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
3505  /* check zero/one edge cases */
3506  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
3507  secp256k1_ge_set_gej(&res3, &res1);
3509  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
3510  secp256k1_ge_set_gej(&res3, &res1);
3511  ge_equals_gej(&res3, point);
3512  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
3513  secp256k1_ge_set_gej(&res3, &res1);
3515 }
3516 
3517 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
3518  *
3519  * They are computed as:
3520  * - For a in [-2, -1, 0, 1, 2]:
3521  * - For b in [-3, -1, 1, 3]:
3522  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
3523  */
3525  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
3526  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
3527  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
3528  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
3529  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
3530  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
3531  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
3532  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
3533  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
3534  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
3535  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
3536  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
3537  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
3538  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
3539  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
3540  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
3541  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
3542  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
3543  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
3544  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
3545 };
3546 
3547 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
3548  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
3549  secp256k1_scalar n1, n2;
3550  secp256k1_ge p;
3551  secp256k1_gej pj, p1j, p2j, ptj;
3552  static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3553 
3554  /* Generate random n1,n2 such that n1+n2 = -target. */
3556  secp256k1_scalar_add(&n2, &n1, target);
3557  secp256k1_scalar_negate(&n2, &n2);
3558 
3559  /* Generate a random input point. */
3560  if (mode != 0) {
3562  secp256k1_gej_set_ge(&pj, &p);
3563  }
3564 
3565  /* EC multiplications */
3566  if (mode == 0) {
3567  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
3568  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
3569  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
3570  } else if (mode == 1) {
3571  secp256k1_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
3572  secp256k1_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
3573  secp256k1_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
3574  } else {
3575  secp256k1_ecmult_const(&p1j, &p, &n1, 256);
3576  secp256k1_ecmult_const(&p2j, &p, &n2, 256);
3577  secp256k1_ecmult_const(&ptj, &p, target, 256);
3578  }
3579 
3580  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
3581  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
3582  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
3584 }
3585 
3587  int i;
3588  unsigned j;
3589  for (i = 0; i < 4*count; ++i) {
3590  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
3594  }
3595  }
3596 }
3597 
3599  int i;
3600  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
3601  static const secp256k1_fe xr = SECP256K1_FE_CONST(
3602  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
3603  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
3604  );
3605  for (i = 0; i < 500; i++) {
3606  secp256k1_ge p;
3607  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
3608  secp256k1_gej j;
3610  secp256k1_gej_set_ge(&j, &p);
3612  }
3613  secp256k1_fe_sqr(&x, &x);
3614  }
3616  CHECK(secp256k1_fe_equal_var(&x, &xr));
3617 }
3618 
3620  /* random starting point A (on the curve) */
3622  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
3623  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
3624  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
3625  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
3626  );
3627  /* random initial factor xn */
3629  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
3630  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
3631  );
3632  /* expected xn * A (from sage) */
3633  secp256k1_ge expected_b = SECP256K1_GE_CONST(
3634  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
3635  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
3636  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
3637  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
3638  );
3639  secp256k1_gej b;
3640  secp256k1_ecmult_const(&b, &a, &xn, 256);
3641 
3643  ge_equals_gej(&expected_b, &b);
3644 }
3645 
3647  secp256k1_scalar a;
3648  secp256k1_scalar b;
3649  secp256k1_gej res1;
3650  secp256k1_gej res2;
3651  secp256k1_ge mid1;
3652  secp256k1_ge mid2;
3655 
3656  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
3657  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
3658  secp256k1_ge_set_gej(&mid1, &res1);
3659  secp256k1_ge_set_gej(&mid2, &res2);
3660  secp256k1_ecmult_const(&res1, &mid1, &b, 256);
3661  secp256k1_ecmult_const(&res2, &mid2, &a, 256);
3662  secp256k1_ge_set_gej(&mid1, &res1);
3663  secp256k1_ge_set_gej(&mid2, &res2);
3664  ge_equals_ge(&mid1, &mid2);
3665 }
3666 
3668  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3669  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3670  secp256k1_scalar negone;
3671  secp256k1_gej res1;
3672  secp256k1_ge res2;
3673  secp256k1_ge point;
3674  secp256k1_scalar_negate(&negone, &one);
3675 
3676  random_group_element_test(&point);
3677  secp256k1_ecmult_const(&res1, &point, &zero, 3);
3678  secp256k1_ge_set_gej(&res2, &res1);
3680  secp256k1_ecmult_const(&res1, &point, &one, 2);
3681  secp256k1_ge_set_gej(&res2, &res1);
3682  ge_equals_ge(&res2, &point);
3683  secp256k1_ecmult_const(&res1, &point, &negone, 256);
3684  secp256k1_gej_neg(&res1, &res1);
3685  secp256k1_ge_set_gej(&res2, &res1);
3686  ge_equals_ge(&res2, &point);
3687 }
3688 
3690  /* Check known result (randomly generated test problem from sage) */
3692  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
3693  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
3694  );
3695  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
3696  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
3697  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
3698  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
3699  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
3700  );
3701  secp256k1_gej point;
3702  secp256k1_ge res;
3703  int i;
3704 
3706  for (i = 0; i < 100; ++i) {
3707  secp256k1_ge tmp;
3708  secp256k1_ge_set_gej(&tmp, &point);
3709  secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
3710  }
3711  secp256k1_ge_set_gej(&res, &point);
3712  ge_equals_gej(&res, &expected_point);
3713 }
3714 
3720 }
3721 
3722 typedef struct {
3726 
3727 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3728  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
3729  *sc = data->sc[idx];
3730  *pt = data->pt[idx];
3731  return 1;
3732 }
3733 
3734 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3735  (void)sc;
3736  (void)pt;
3737  (void)idx;
3738  (void)cbdata;
3739  return 0;
3740 }
3741 
3743  int ncount;
3744  secp256k1_scalar szero;
3745  secp256k1_scalar sc[32];
3746  secp256k1_ge pt[32];
3747  secp256k1_gej r;
3748  secp256k1_gej r2;
3749  ecmult_multi_data data;
3750 
3751  data.sc = sc;
3752  data.pt = pt;
3753  secp256k1_scalar_set_int(&szero, 0);
3754 
3755  /* No points to multiply */
3756  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
3757 
3758  /* Check 1- and 2-point multiplies against ecmult */
3759  for (ncount = 0; ncount < count; ncount++) {
3760  secp256k1_ge ptg;
3761  secp256k1_gej ptgj;
3762  random_scalar_order(&sc[0]);
3763  random_scalar_order(&sc[1]);
3764 
3766  secp256k1_gej_set_ge(&ptgj, &ptg);
3767  pt[0] = ptg;
3768  pt[1] = secp256k1_ge_const_g;
3769 
3770  /* only G scalar */
3771  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
3772  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
3773  secp256k1_gej_neg(&r2, &r2);
3774  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3776 
3777  /* 1-point */
3778  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
3779  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
3780  secp256k1_gej_neg(&r2, &r2);
3781  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3783 
3784  /* Try to multiply 1 point, but callback returns false */
3785  CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
3786 
3787  /* 2-point */
3788  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3789  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
3790  secp256k1_gej_neg(&r2, &r2);
3791  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3793 
3794  /* 2-point with G scalar */
3795  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3796  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
3797  secp256k1_gej_neg(&r2, &r2);
3798  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3800  }
3801 
3802  /* Check infinite outputs of various forms */
3803  for (ncount = 0; ncount < count; ncount++) {
3804  secp256k1_ge ptg;
3805  size_t i, j;
3806  size_t sizes[] = { 2, 10, 32 };
3807 
3808  for (j = 0; j < 3; j++) {
3809  for (i = 0; i < 32; i++) {
3810  random_scalar_order(&sc[i]);
3811  secp256k1_ge_set_infinity(&pt[i]);
3812  }
3813  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3815  }
3816 
3817  for (j = 0; j < 3; j++) {
3818  for (i = 0; i < 32; i++) {
3820  pt[i] = ptg;
3821  secp256k1_scalar_set_int(&sc[i], 0);
3822  }
3823  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3825  }
3826 
3827  for (j = 0; j < 3; j++) {
3829  for (i = 0; i < 16; i++) {
3830  random_scalar_order(&sc[2*i]);
3831  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
3832  pt[2 * i] = ptg;
3833  pt[2 * i + 1] = ptg;
3834  }
3835 
3836  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3838 
3839  random_scalar_order(&sc[0]);
3840  for (i = 0; i < 16; i++) {
3842 
3843  sc[2*i] = sc[0];
3844  sc[2*i+1] = sc[0];
3845  pt[2 * i] = ptg;
3846  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
3847  }
3848 
3849  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3851  }
3852 
3854  secp256k1_scalar_set_int(&sc[0], 0);
3855  pt[0] = ptg;
3856  for (i = 1; i < 32; i++) {
3857  pt[i] = ptg;
3858 
3859  random_scalar_order(&sc[i]);
3860  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
3861  secp256k1_scalar_negate(&sc[i], &sc[i]);
3862  }
3863 
3864  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
3866  }
3867 
3868  /* Check random points, constant scalar */
3869  for (ncount = 0; ncount < count; ncount++) {
3870  size_t i;
3872 
3873  random_scalar_order(&sc[0]);
3874  for (i = 0; i < 20; i++) {
3875  secp256k1_ge ptg;
3876  sc[i] = sc[0];
3878  pt[i] = ptg;
3879  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
3880  }
3881 
3882  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
3883  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3884  secp256k1_gej_neg(&r2, &r2);
3885  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3887  }
3888 
3889  /* Check random scalars, constant point */
3890  for (ncount = 0; ncount < count; ncount++) {
3891  size_t i;
3892  secp256k1_ge ptg;
3893  secp256k1_gej p0j;
3894  secp256k1_scalar rs;
3895  secp256k1_scalar_set_int(&rs, 0);
3896 
3898  for (i = 0; i < 20; i++) {
3899  random_scalar_order(&sc[i]);
3900  pt[i] = ptg;
3901  secp256k1_scalar_add(&rs, &rs, &sc[i]);
3902  }
3903 
3904  secp256k1_gej_set_ge(&p0j, &pt[0]);
3905  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
3906  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3907  secp256k1_gej_neg(&r2, &r2);
3908  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3910  }
3911 
3912  /* Sanity check that zero scalars don't cause problems */
3913  for (ncount = 0; ncount < 20; ncount++) {
3914  random_scalar_order(&sc[ncount]);
3915  random_group_element_test(&pt[ncount]);
3916  }
3917 
3918  secp256k1_scalar_clear(&sc[0]);
3919  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3920  secp256k1_scalar_clear(&sc[1]);
3921  secp256k1_scalar_clear(&sc[2]);
3922  secp256k1_scalar_clear(&sc[3]);
3923  secp256k1_scalar_clear(&sc[4]);
3924  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
3925  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
3927 
3928  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
3929  {
3930  const size_t TOP = 8;
3931  size_t s0i, s1i;
3932  size_t t0i, t1i;
3933  secp256k1_ge ptg;
3934  secp256k1_gej ptgj;
3935 
3937  secp256k1_gej_set_ge(&ptgj, &ptg);
3938 
3939  for(t0i = 0; t0i < TOP; t0i++) {
3940  for(t1i = 0; t1i < TOP; t1i++) {
3941  secp256k1_gej t0p, t1p;
3942  secp256k1_scalar t0, t1;
3943 
3944  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
3945  secp256k1_scalar_cond_negate(&t0, t0i & 1);
3946  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
3947  secp256k1_scalar_cond_negate(&t1, t1i & 1);
3948 
3949  secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
3950  secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
3951 
3952  for(s0i = 0; s0i < TOP; s0i++) {
3953  for(s1i = 0; s1i < TOP; s1i++) {
3954  secp256k1_scalar tmp1, tmp2;
3955  secp256k1_gej expected, actual;
3956 
3957  secp256k1_ge_set_gej(&pt[0], &t0p);
3958  secp256k1_ge_set_gej(&pt[1], &t1p);
3959 
3960  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
3961  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3962  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3963  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3964 
3965  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3966  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3967  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3968 
3969  secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3970  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3971  secp256k1_gej_neg(&expected, &expected);
3972  secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3973  CHECK(secp256k1_gej_is_infinity(&actual));
3974  }
3975  }
3976  }
3977  }
3978  }
3979 }
3980 
3982  secp256k1_scalar szero;
3983  secp256k1_scalar sc;
3984  secp256k1_ge pt;
3985  secp256k1_gej r;
3986  ecmult_multi_data data;
3987  secp256k1_scratch *scratch_empty;
3988 
3990  random_scalar_order(&sc);
3991  data.sc = &sc;
3992  data.pt = &pt;
3993  secp256k1_scalar_set_int(&szero, 0);
3994 
3995  /* Try to multiply 1 point, but scratch space is empty.*/
3996  scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3997  CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3998  secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
3999 }
4000 
4002  int i;
4003 
4005  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
4006  /* Bucket_window of 8 is not used with endo */
4007  if (i == 8) {
4008  continue;
4009  }
4011  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
4013  }
4014  }
4015 }
4016 
4022  size_t scratch_size = secp256k1_testrand_int(256);
4024  secp256k1_scratch *scratch;
4025  size_t n_points_supported;
4026  int bucket_window = 0;
4027 
4028  for(; scratch_size < max_size; scratch_size+=256) {
4029  size_t i;
4030  size_t total_alloc;
4031  size_t checkpoint;
4032  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
4033  CHECK(scratch != NULL);
4034  checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
4035  n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
4036  if (n_points_supported == 0) {
4038  continue;
4039  }
4040  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
4041  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
4042  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
4043  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
4045  total_alloc--;
4046  }
4047  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
4048  secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
4050  }
4051  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
4052 }
4053 
4055  size_t n_batches, n_batch_points, max_n_batch_points, n;
4056 
4057  max_n_batch_points = 0;
4058  n = 1;
4059  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
4060 
4061  max_n_batch_points = 1;
4062  n = 0;
4063  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4064  CHECK(n_batches == 0);
4065  CHECK(n_batch_points == 0);
4066 
4067  max_n_batch_points = 2;
4068  n = 5;
4069  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4070  CHECK(n_batches == 3);
4071  CHECK(n_batch_points == 2);
4072 
4073  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
4075  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4076  CHECK(n_batches == 1);
4077  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
4078 
4079  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
4081  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4082  CHECK(n_batches == 2);
4083  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
4084 
4085  max_n_batch_points = 1;
4086  n = SIZE_MAX;
4087  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4088  CHECK(n_batches == SIZE_MAX);
4089  CHECK(n_batch_points == 1);
4090 
4091  max_n_batch_points = 2;
4092  n = SIZE_MAX;
4093  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4094  CHECK(n_batches == SIZE_MAX/2 + 1);
4095  CHECK(n_batch_points == 2);
4096 }
4097 
4103  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
4104  secp256k1_scalar scG;
4105  secp256k1_scalar szero;
4107  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
4108  secp256k1_gej r;
4109  secp256k1_gej r2;
4110  ecmult_multi_data data;
4111  int i;
4112  secp256k1_scratch *scratch;
4113 
4115  secp256k1_scalar_set_int(&szero, 0);
4116 
4117  /* Get random scalars and group elements and compute result */
4118  random_scalar_order(&scG);
4119  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
4120  for(i = 0; i < n_points; i++) {
4121  secp256k1_ge ptg;
4122  secp256k1_gej ptgj;
4124  secp256k1_gej_set_ge(&ptgj, &ptg);
4125  pt[i] = ptg;
4126  random_scalar_order(&sc[i]);
4127  secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
4128  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
4129  }
4130  data.sc = sc;
4131  data.pt = pt;
4132  secp256k1_gej_neg(&r2, &r2);
4133 
4134  /* Test with empty scratch space. It should compute the correct result using
4135  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
4137  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4138  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4141 
4142  /* Test with space for 1 point in pippenger. That's not enough because
4143  * ecmult_multi selects strauss which requires more memory. It should
4144  * therefore select the simple algorithm. */
4146  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4147  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4150 
4151  for(i = 1; i <= n_points; i++) {
4152  if (i > ECMULT_PIPPENGER_THRESHOLD) {
4153  int bucket_window = secp256k1_pippenger_bucket_window(i);
4154  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
4156  } else {
4157  size_t scratch_size = secp256k1_strauss_scratch_size(i);
4159  }
4160  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4161  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4164  }
4165  free(sc);
4166  free(pt);
4167 }
4168 
4170  secp256k1_scratch *scratch;
4171 
4174  scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
4182 
4183  /* Run test_ecmult_multi with space for exactly one point */
4187 
4190 }
4191 
4192 void test_wnaf(const secp256k1_scalar *number, int w) {
4193  secp256k1_scalar x, two, t;
4194  int wnaf[256];
4195  int zeroes = -1;
4196  int i;
4197  int bits;
4198  secp256k1_scalar_set_int(&x, 0);
4199  secp256k1_scalar_set_int(&two, 2);
4200  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
4201  CHECK(bits <= 256);
4202  for (i = bits-1; i >= 0; i--) {
4203  int v = wnaf[i];
4204  secp256k1_scalar_mul(&x, &x, &two);
4205  if (v) {
4206  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4207  zeroes=0;
4208  CHECK((v & 1) == 1); /* check non-zero elements are odd */
4209  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
4210  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4211  } else {
4212  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4213  zeroes++;
4214  }
4215  if (v >= 0) {
4217  } else {
4220  }
4221  secp256k1_scalar_add(&x, &x, &t);
4222  }
4223  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4224 }
4225 
4227  secp256k1_scalar neg1 = *number;
4228  secp256k1_scalar neg2 = *number;
4229  int sign1 = 1;
4230  int sign2 = 1;
4231 
4232  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
4233  secp256k1_scalar_negate(&neg1, &neg1);
4234  sign1 = -1;
4235  }
4237  CHECK(sign1 == sign2);
4238  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
4239 }
4240 
4241 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
4242  secp256k1_scalar x, shift;
4243  int wnaf[256] = {0};
4244  int i;
4245  int skew;
4246  int bits = 256;
4247  secp256k1_scalar num = *number;
4248  secp256k1_scalar scalar_skew;
4249 
4250  secp256k1_scalar_set_int(&x, 0);
4251  secp256k1_scalar_set_int(&shift, 1 << w);
4252  for (i = 0; i < 16; ++i) {
4253  secp256k1_scalar_shr_int(&num, 8);
4254  }
4255  bits = 128;
4256  skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
4257 
4258  for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
4260  int v = wnaf[i];
4261  CHECK(v != 0); /* check nonzero */
4262  CHECK(v & 1); /* check parity */
4263  CHECK(v > -(1 << w)); /* check range above */
4264  CHECK(v < (1 << w)); /* check range below */
4265 
4266  secp256k1_scalar_mul(&x, &x, &shift);
4267  if (v >= 0) {
4269  } else {
4272  }
4273  secp256k1_scalar_add(&x, &x, &t);
4274  }
4275  /* Skew num because when encoding numbers as odd we use an offset */
4276  secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
4277  secp256k1_scalar_add(&num, &num, &scalar_skew);
4278  CHECK(secp256k1_scalar_eq(&x, &num));
4279 }
4280 
4281 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
4282  secp256k1_scalar x, shift;
4283  int wnaf[256] = {0};
4284  int i;
4285  int skew;
4286  secp256k1_scalar num = *number;
4287 
4288  secp256k1_scalar_set_int(&x, 0);
4289  secp256k1_scalar_set_int(&shift, 1 << w);
4290  for (i = 0; i < 16; ++i) {
4291  secp256k1_scalar_shr_int(&num, 8);
4292  }
4293  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4294 
4295  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4297  int v = wnaf[i];
4298  CHECK(v == 0 || v & 1); /* check parity */
4299  CHECK(v > -(1 << w)); /* check range above */
4300  CHECK(v < (1 << w)); /* check range below */
4301 
4302  secp256k1_scalar_mul(&x, &x, &shift);
4303  if (v >= 0) {
4305  } else {
4308  }
4309  secp256k1_scalar_add(&x, &x, &t);
4310  }
4311  /* If skew is 1 then add 1 to num */
4312  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
4313  CHECK(secp256k1_scalar_eq(&x, &num));
4314 }
4315 
4316 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
4317  * rest is 0.*/
4318 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
4319  int i;
4320  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
4321  CHECK(wnaf[i] == 0);
4322  }
4323  for (i = 7; i >= 0; --i) {
4324  CHECK(wnaf[i] == wnaf_expected[i]);
4325  }
4326 }
4327 
4329  int w = 4;
4330  int wnaf[256] = {0};
4331  int i;
4332  int skew;
4333  secp256k1_scalar num;
4334 
4335  secp256k1_scalar_set_int(&num, 0);
4336  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4337  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4338  int v = wnaf[i];
4339  CHECK(v == 0);
4340  }
4341  CHECK(skew == 0);
4342 
4343  secp256k1_scalar_set_int(&num, 1);
4344  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4345  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
4346  int v = wnaf[i];
4347  CHECK(v == 0);
4348  }
4349  CHECK(wnaf[0] == 1);
4350  CHECK(skew == 0);
4351 
4352  {
4353  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
4354  secp256k1_scalar_set_int(&num, 0xffffffff);
4355  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4356  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4357  CHECK(skew == 0);
4358  }
4359  {
4360  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
4361  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
4362  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4363  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4364  CHECK(skew == 1);
4365  }
4366  {
4367  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
4368  secp256k1_scalar_set_int(&num, 0x01010101);
4369  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4370  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4371  CHECK(skew == 0);
4372  }
4373  {
4374  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
4375  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
4376  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4377  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4378  CHECK(skew == 0);
4379  }
4380 }
4381 
4382 void run_wnaf(void) {
4383  int i;
4384  secp256k1_scalar n = {{0}};
4385 
4386  test_constant_wnaf(&n, 4);
4387  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
4388  * have easier-to-diagnose failure modes */
4389  n.d[0] = 1;
4390  test_constant_wnaf(&n, 4);
4391  n.d[0] = 2;
4392  test_constant_wnaf(&n, 4);
4393  /* Test -1, because it's a special case in wnaf_const */
4395  secp256k1_scalar_negate(&n, &n);
4396  test_constant_wnaf(&n, 4);
4397 
4398  /* Test -2, which may not lead to overflows in wnaf_const */
4400  secp256k1_scalar_negate(&n, &n);
4401  test_constant_wnaf(&n, 4);
4402 
4403  /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
4404  as corner cases of negation handling in wnaf_const */
4405  secp256k1_scalar_inverse(&n, &n);
4406  test_constant_wnaf(&n, 4);
4407 
4409  test_constant_wnaf(&n, 4);
4410 
4411  /* Test 0 for fixed wnaf */
4413  /* Random tests */
4414  for (i = 0; i < count; i++) {
4415  random_scalar_order(&n);
4416  test_wnaf(&n, 4+(i%10));
4418  test_constant_wnaf(&n, 4 + (i % 10));
4419  test_fixed_wnaf(&n, 4 + (i % 10));
4420  }
4421  secp256k1_scalar_set_int(&n, 0);
4422  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
4424  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
4426 }
4427 
4429  /* Test ecmult_gen() for [0..36) and [order-36..0). */
4430  secp256k1_scalar x;
4431  secp256k1_gej r;
4432  secp256k1_ge ng;
4433  int i;
4434  int j;
4436  for (i = 0; i < 36; i++ ) {
4437  secp256k1_scalar_set_int(&x, i);
4439  for (j = 0; j < i; j++) {
4440  if (j == i - 1) {
4442  }
4443  secp256k1_gej_add_ge(&r, &r, &ng);
4444  }
4446  }
4447  for (i = 1; i <= 36; i++ ) {
4448  secp256k1_scalar_set_int(&x, i);
4449  secp256k1_scalar_negate(&x, &x);
4451  for (j = 0; j < i; j++) {
4452  if (j == i - 1) {
4453  ge_equals_gej(&ng, &r);
4454  }
4456  }
4458  }
4459 }
4460 
4463 }
4464 
4466  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
4467  secp256k1_scalar key;
4468  secp256k1_scalar b;
4469  unsigned char seed32[32];
4470  secp256k1_gej pgej;
4471  secp256k1_gej pgej2;
4472  secp256k1_gej i;
4473  secp256k1_ge pge;
4475  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
4476  secp256k1_testrand256(seed32);
4477  b = ctx->ecmult_gen_ctx.blind;
4478  i = ctx->ecmult_gen_ctx.initial;
4481  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
4482  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
4484  secp256k1_ge_set_gej(&pge, &pgej);
4485  ge_equals_gej(&pge, &pgej2);
4486 }
4487 
4489  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
4490  secp256k1_scalar b;
4491  secp256k1_gej initial;
4493  b = ctx->ecmult_gen_ctx.blind;
4494  initial = ctx->ecmult_gen_ctx.initial;
4498 }
4499 
4501  int i;
4503  for (i = 0; i < 10; i++) {
4505  }
4506 }
4507 
4508 /***** ENDOMORPHISH TESTS *****/
4510  secp256k1_scalar s, s1, slam;
4511  const unsigned char zero[32] = {0};
4512  unsigned char tmp[32];
4513 
4514  secp256k1_scalar_split_lambda(&s1, &slam, full);
4515 
4516  /* check slam*lambda + s1 == full */
4518  secp256k1_scalar_add(&s, &s, &s1);
4519  CHECK(secp256k1_scalar_eq(&s, full));
4520 
4521  /* check that both are <= 128 bits in size */
4522  if (secp256k1_scalar_is_high(&s1)) {
4523  secp256k1_scalar_negate(&s1, &s1);
4524  }
4525  if (secp256k1_scalar_is_high(&slam)) {
4526  secp256k1_scalar_negate(&slam, &slam);
4527  }
4528 
4529  secp256k1_scalar_get_b32(tmp, &s1);
4530  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
4531  secp256k1_scalar_get_b32(tmp, &slam);
4532  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
4533 }
4534 
4535 
4537  unsigned i;
4538  static secp256k1_scalar s;
4542  test_scalar_split(&s);
4545  test_scalar_split(&s);
4546 
4547  for (i = 0; i < 100U * count; ++i) {
4548  secp256k1_scalar full;
4549  random_scalar_order_test(&full);
4550  test_scalar_split(&full);
4551  }
4552  for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
4554  }
4555 }
4556 
4557 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
4558  unsigned char pubkeyc[65];
4559  secp256k1_pubkey pubkey;
4560  secp256k1_ge ge;
4561  size_t pubkeyclen;
4562  int32_t ecount;
4563  ecount = 0;
4565  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
4566  /* Smaller sizes are tested exhaustively elsewhere. */
4567  int32_t i;
4568  memcpy(&pubkeyc[1], input, 64);
4569  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
4570  for (i = 0; i < 256; i++) {
4571  /* Try all type bytes. */
4572  int xpass;
4573  int ypass;
4574  int ysign;
4575  pubkeyc[0] = i;
4576  /* What sign does this point have? */
4577  ysign = (input[63] & 1) + 2;
4578  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
4579  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
4580  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
4581  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
4582  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
4583  if (xpass || ypass) {
4584  /* These cases must parse. */
4585  unsigned char pubkeyo[65];
4586  size_t outl;
4587  memset(&pubkey, 0, sizeof(pubkey));
4588  VG_UNDEF(&pubkey, sizeof(pubkey));
4589  ecount = 0;
4590  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4591  VG_CHECK(&pubkey, sizeof(pubkey));
4592  outl = 65;
4593  VG_UNDEF(pubkeyo, 65);
4594  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4595  VG_CHECK(pubkeyo, outl);
4596  CHECK(outl == 33);
4597  CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
4598  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
4599  if (ypass) {
4600  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
4601  CHECK(pubkeyo[0] == ysign);
4602  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4603  memset(&pubkey, 0, sizeof(pubkey));
4604  VG_UNDEF(&pubkey, sizeof(pubkey));
4605  secp256k1_pubkey_save(&pubkey, &ge);
4606  VG_CHECK(&pubkey, sizeof(pubkey));
4607  outl = 65;
4608  VG_UNDEF(pubkeyo, 65);
4609  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4610  VG_CHECK(pubkeyo, outl);
4611  CHECK(outl == 65);
4612  CHECK(pubkeyo[0] == 4);
4613  CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
4614  }
4615  CHECK(ecount == 0);
4616  } else {
4617  /* These cases must fail to parse. */
4618  memset(&pubkey, 0xfe, sizeof(pubkey));
4619  ecount = 0;
4620  VG_UNDEF(&pubkey, sizeof(pubkey));
4621  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
4622  VG_CHECK(&pubkey, sizeof(pubkey));
4623  CHECK(ecount == 0);
4624  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4625  CHECK(ecount == 1);
4626  }
4627  }
4628  }
4630 }
4631 
4633 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
4634  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
4635  {
4636  /* Point with leading and trailing zeros in x and y serialization. */
4637  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
4638  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4639  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
4640  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
4641  },
4642  {
4643  /* Point with x equal to a 3rd root of unity.*/
4644  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
4645  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
4646  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4647  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4648  },
4649  {
4650  /* Point with largest x. (1/2) */
4651  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4652  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
4653  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
4654  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
4655  },
4656  {
4657  /* Point with largest x. (2/2) */
4658  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4659  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
4660  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
4661  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
4662  },
4663  {
4664  /* Point with smallest x. (1/2) */
4665  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4666  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4667  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4668  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4669  },
4670  {
4671  /* Point with smallest x. (2/2) */
4672  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4673  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4674  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4675  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4676  },
4677  {
4678  /* Point with largest y. (1/3) */
4679  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4680  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4681  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4682  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4683  },
4684  {
4685  /* Point with largest y. (2/3) */
4686  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4687  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4688  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4689  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4690  },
4691  {
4692  /* Point with largest y. (3/3) */
4693  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4694  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4695  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4696  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4697  },
4698  {
4699  /* Point with smallest y. (1/3) */
4700  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4701  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4702  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4703  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4704  },
4705  {
4706  /* Point with smallest y. (2/3) */
4707  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4708  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4709  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4710  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4711  },
4712  {
4713  /* Point with smallest y. (3/3) */
4714  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4715  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4716  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4717  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
4718  }
4719  };
4720 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
4721  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
4722  {
4723  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
4724  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4725  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4726  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4727  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4728  },
4729  {
4730  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
4731  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4732  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4733  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4734  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4735  },
4736  {
4737  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
4738  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4739  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4740  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4741  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4742  },
4743  {
4744  /* x on curve, y is from y^2 = x^3 + 8. */
4745  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4746  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4747  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4748  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
4749  }
4750  };
4751 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
4752  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
4753  {
4754  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
4755  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
4756  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
4757  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4758  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4759  },
4760  {
4761  /* Valid if x overflow ignored (x = 1 mod p). */
4762  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4763  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4764  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4765  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4766  },
4767  {
4768  /* Valid if x overflow ignored (x = 1 mod p). */
4769  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4770  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4771  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4772  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4773  },
4774  {
4775  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4776  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4777  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4778  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
4779  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
4780  },
4781  {
4782  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4783  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4784  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4785  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
4786  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
4787  },
4788  {
4789  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4790  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4791  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4792  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
4793  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
4794  },
4795  {
4796  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4797  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4798  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4799  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
4800  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
4801  }
4802  };
4803  const unsigned char pubkeyc[66] = {
4804  /* Serialization of G. */
4805  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
4806  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
4807  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
4808  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
4809  0xB8, 0x00
4810  };
4811  unsigned char sout[65];
4812  unsigned char shortkey[2];
4813  secp256k1_ge ge;
4814  secp256k1_pubkey pubkey;
4815  size_t len;
4816  int32_t i;
4817  int32_t ecount;
4818  int32_t ecount2;
4819  ecount = 0;
4820  /* Nothing should be reading this far into pubkeyc. */
4821  VG_UNDEF(&pubkeyc[65], 1);
4823  /* Zero length claimed, fail, zeroize, no illegal arg error. */
4824  memset(&pubkey, 0xfe, sizeof(pubkey));
4825  ecount = 0;
4826  VG_UNDEF(shortkey, 2);
4827  VG_UNDEF(&pubkey, sizeof(pubkey));
4828  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
4829  VG_CHECK(&pubkey, sizeof(pubkey));
4830  CHECK(ecount == 0);
4831  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4832  CHECK(ecount == 1);
4833  /* Length one claimed, fail, zeroize, no illegal arg error. */
4834  for (i = 0; i < 256 ; i++) {
4835  memset(&pubkey, 0xfe, sizeof(pubkey));
4836  ecount = 0;
4837  shortkey[0] = i;
4838  VG_UNDEF(&shortkey[1], 1);
4839  VG_UNDEF(&pubkey, sizeof(pubkey));
4840  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
4841  VG_CHECK(&pubkey, sizeof(pubkey));
4842  CHECK(ecount == 0);
4843  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4844  CHECK(ecount == 1);
4845  }
4846  /* Length two claimed, fail, zeroize, no illegal arg error. */
4847  for (i = 0; i < 65536 ; i++) {
4848  memset(&pubkey, 0xfe, sizeof(pubkey));
4849  ecount = 0;
4850  shortkey[0] = i & 255;
4851  shortkey[1] = i >> 8;
4852  VG_UNDEF(&pubkey, sizeof(pubkey));
4853  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
4854  VG_CHECK(&pubkey, sizeof(pubkey));
4855  CHECK(ecount == 0);
4856  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4857  CHECK(ecount == 1);
4858  }
4859  memset(&pubkey, 0xfe, sizeof(pubkey));
4860  ecount = 0;
4861  VG_UNDEF(&pubkey, sizeof(pubkey));
4862  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
4863  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
4864  VG_CHECK(&pubkey, sizeof(pubkey));
4865  CHECK(ecount == 0);
4866  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4867  CHECK(ecount == 1);
4868  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
4869  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
4870  CHECK(ecount == 2);
4871  /* NULL input string. Illegal arg and zeroize output. */
4872  memset(&pubkey, 0xfe, sizeof(pubkey));
4873  ecount = 0;
4874  VG_UNDEF(&pubkey, sizeof(pubkey));
4875  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
4876  VG_CHECK(&pubkey, sizeof(pubkey));
4877  CHECK(ecount == 1);
4878  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4879  CHECK(ecount == 2);
4880  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
4881  memset(&pubkey, 0xfe, sizeof(pubkey));
4882  ecount = 0;
4883  VG_UNDEF(&pubkey, sizeof(pubkey));
4884  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
4885  VG_CHECK(&pubkey, sizeof(pubkey));
4886  CHECK(ecount == 0);
4887  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4888  CHECK(ecount == 1);
4889  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
4890  memset(&pubkey, 0xfe, sizeof(pubkey));
4891  ecount = 0;
4892  VG_UNDEF(&pubkey, sizeof(pubkey));
4893  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
4894  VG_CHECK(&pubkey, sizeof(pubkey));
4895  CHECK(ecount == 0);
4896  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4897  CHECK(ecount == 1);
4898  /* Valid parse. */
4899  memset(&pubkey, 0, sizeof(pubkey));
4900  ecount = 0;
4901  VG_UNDEF(&pubkey, sizeof(pubkey));
4902  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
4903  CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
4904  VG_CHECK(&pubkey, sizeof(pubkey));
4905  CHECK(ecount == 0);
4906  VG_UNDEF(&ge, sizeof(ge));
4907  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4908  VG_CHECK(&ge.x, sizeof(ge.x));
4909  VG_CHECK(&ge.y, sizeof(ge.y));
4910  VG_CHECK(&ge.infinity, sizeof(ge.infinity));
4912  CHECK(ecount == 0);
4913  /* secp256k1_ec_pubkey_serialize illegal args. */
4914  ecount = 0;
4915  len = 65;
4917  CHECK(ecount == 1);
4918  CHECK(len == 0);
4920  CHECK(ecount == 2);
4921  len = 65;
4922  VG_UNDEF(sout, 65);
4924  VG_CHECK(sout, 65);
4925  CHECK(ecount == 3);
4926  CHECK(len == 0);
4927  len = 65;
4928  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
4929  CHECK(ecount == 4);
4930  CHECK(len == 0);
4931  len = 65;
4932  VG_UNDEF(sout, 65);
4934  VG_CHECK(sout, 65);
4935  CHECK(ecount == 4);
4936  CHECK(len == 65);
4937  /* Multiple illegal args. Should still set arg error only once. */
4938  ecount = 0;
4939  ecount2 = 11;
4940  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4941  CHECK(ecount == 1);
4942  /* Does the illegal arg callback actually change the behavior? */
4944  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4945  CHECK(ecount == 1);
4946  CHECK(ecount2 == 10);
4948  /* Try a bunch of prefabbed points with all possible encodings. */
4949  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
4950  ec_pubkey_parse_pointtest(valid[i], 1, 1);
4951  }
4952  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
4953  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
4954  }
4955  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
4956  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
4957  }
4958 }
4959 
4961  const unsigned char orderc[32] = {
4962  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4963  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4964  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4965  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
4966  };
4967  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
4968  unsigned char ctmp[33];
4969  unsigned char ctmp2[33];
4970  secp256k1_pubkey pubkey;
4971  secp256k1_pubkey pubkey2;
4972  secp256k1_pubkey pubkey_one;
4973  secp256k1_pubkey pubkey_negone;
4974  const secp256k1_pubkey *pubkeys[3];
4975  size_t len;
4976  int32_t ecount;
4977  /* Group order is too large, reject. */
4978  CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4979  VG_UNDEF(&pubkey, sizeof(pubkey));
4980  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4981  VG_CHECK(&pubkey, sizeof(pubkey));
4982  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4983  /* Maximum value is too large, reject. */
4984  memset(ctmp, 255, 32);
4985  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4986  memset(&pubkey, 1, sizeof(pubkey));
4987  VG_UNDEF(&pubkey, sizeof(pubkey));
4988  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4989  VG_CHECK(&pubkey, sizeof(pubkey));
4990  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4991  /* Zero is too small, reject. */
4992  memset(ctmp, 0, 32);
4993  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4994  memset(&pubkey, 1, sizeof(pubkey));
4995  VG_UNDEF(&pubkey, sizeof(pubkey));
4996  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4997  VG_CHECK(&pubkey, sizeof(pubkey));
4998  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4999  /* One must be accepted. */
5000  ctmp[31] = 0x01;
5001  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5002  memset(&pubkey, 0, sizeof(pubkey));
5003  VG_UNDEF(&pubkey, sizeof(pubkey));
5004  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5005  VG_CHECK(&pubkey, sizeof(pubkey));
5006  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5007  pubkey_one = pubkey;
5008  /* Group order + 1 is too large, reject. */
5009  memcpy(ctmp, orderc, 32);
5010  ctmp[31] = 0x42;
5011  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5012  memset(&pubkey, 1, sizeof(pubkey));
5013  VG_UNDEF(&pubkey, sizeof(pubkey));
5014  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5015  VG_CHECK(&pubkey, sizeof(pubkey));
5016  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5017  /* -1 must be accepted. */
5018  ctmp[31] = 0x40;
5019  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5020  memset(&pubkey, 0, sizeof(pubkey));
5021  VG_UNDEF(&pubkey, sizeof(pubkey));
5022  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5023  VG_CHECK(&pubkey, sizeof(pubkey));
5024  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5025  pubkey_negone = pubkey;
5026  /* Tweak of zero leaves the value unchanged. */
5027  memset(ctmp2, 0, 32);
5028  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
5029  CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
5030  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
5031  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5032  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5033  /* Multiply tweak of zero zeroizes the output. */
5034  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5035  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5036  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
5037  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5038  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5039  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5040  seckey, the seckey is zeroized. */
5041  memcpy(ctmp, orderc, 32);
5042  memset(ctmp2, 0, 32);
5043  ctmp2[31] = 0x01;
5044  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
5045  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5046  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
5047  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5048  memcpy(ctmp, orderc, 32);
5049  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5050  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5051  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5052  tweak, the seckey is zeroized. */
5053  memcpy(ctmp, orderc, 32);
5054  ctmp[31] = 0x40;
5055  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
5056  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5057  memcpy(ctmp, orderc, 32);
5058  ctmp[31] = 0x40;
5059  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
5060  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5061  memcpy(ctmp, orderc, 32);
5062  ctmp[31] = 0x40;
5063  /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
5064  tweak, the pubkey is zeroized. */
5065  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
5066  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5067  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5068  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
5069  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5070  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5071  /* If the resulting key in secp256k1_ec_seckey_tweak_add and
5072  * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
5073  * case the pubkey is zeroized. */
5074  memcpy(ctmp, orderc, 32);
5075  ctmp[31] = 0x40;
5076  memset(ctmp2, 0, 32);
5077  ctmp2[31] = 1;
5078  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
5079  CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
5080  ctmp2[31] = 1;
5081  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5082  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5083  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5084  /* Tweak computation wraps and results in a key of 1. */
5085  ctmp2[31] = 2;
5086  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
5087  CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
5088  ctmp2[31] = 2;
5089  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5090  ctmp2[31] = 1;
5091  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
5092  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5093  /* Tweak mul * 2 = 1+1. */
5094  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5095  ctmp2[31] = 2;
5096  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
5097  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5098  /* Test argument errors. */
5099  ecount = 0;
5101  CHECK(ecount == 0);
5102  /* Zeroize pubkey on parse error. */
5103  memset(&pubkey, 0, 32);
5104  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5105  CHECK(ecount == 1);
5106  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5107  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5108  memset(&pubkey2, 0, 32);
5109  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
5110  CHECK(ecount == 2);
5111  CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
5112  /* Plain argument errors. */
5113  ecount = 0;
5114  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5115  CHECK(ecount == 0);
5116  CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
5117  CHECK(ecount == 1);
5118  ecount = 0;
5119  memset(ctmp2, 0, 32);
5120  ctmp2[31] = 4;
5121  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
5122  CHECK(ecount == 1);
5123  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
5124  CHECK(ecount == 2);
5125  ecount = 0;
5126  memset(ctmp2, 0, 32);
5127  ctmp2[31] = 4;
5128  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
5129  CHECK(ecount == 1);
5130  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
5131  CHECK(ecount == 2);
5132  ecount = 0;
5133  memset(ctmp2, 0, 32);
5134  CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
5135  CHECK(ecount == 1);
5136  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
5137  CHECK(ecount == 2);
5138  ecount = 0;
5139  memset(ctmp2, 0, 32);
5140  ctmp2[31] = 1;
5141  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
5142  CHECK(ecount == 1);
5143  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
5144  CHECK(ecount == 2);
5145  ecount = 0;
5146  CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
5147  CHECK(ecount == 1);
5148  memset(&pubkey, 1, sizeof(pubkey));
5149  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5150  CHECK(ecount == 2);
5151  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5152  /* secp256k1_ec_pubkey_combine tests. */
5153  ecount = 0;
5154  pubkeys[0] = &pubkey_one;
5155  VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
5156  VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
5157  VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
5158  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5159  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5160  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
5161  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5162  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5163  CHECK(ecount == 1);
5164  CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
5165  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5166  CHECK(ecount == 2);
5167  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5168  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5169  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
5170  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5171  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5172  CHECK(ecount == 3);
5173  pubkeys[0] = &pubkey_negone;
5174  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5175  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5176  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
5177  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5178  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5179  CHECK(ecount == 3);
5180  len = 33;
5181  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5182  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
5183  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
5184  /* Result is infinity. */
5185  pubkeys[0] = &pubkey_one;
5186  pubkeys[1] = &pubkey_negone;
5187  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5188  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5189  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
5190  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5191  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5192  CHECK(ecount == 3);
5193  /* Passes through infinity but comes out one. */
5194  pubkeys[2] = &pubkey_one;
5195  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5196  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5197  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
5198  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5199  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5200  CHECK(ecount == 3);
5201  len = 33;
5202  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5203  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
5204  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
5205  /* Adds to two. */
5206  pubkeys[1] = &pubkey_one;
5207  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5208  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5209  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
5210  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5211  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5212  CHECK(ecount == 3);
5214 }
5215 
5217  unsigned char seckey[32];
5218  unsigned char seckey_tmp[32];
5219 
5220  random_scalar_order_b32(seckey);
5221  memcpy(seckey_tmp, seckey, 32);
5222 
5223  /* Verify negation changes the key and changes it back */
5224  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5225  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
5226  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5227  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5228 
5229  /* Check that privkey alias gives same result */
5230  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5231  CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
5232  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5233 
5234  /* Negating all 0s fails */
5235  memset(seckey, 0, 32);
5236  memset(seckey_tmp, 0, 32);
5237  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5238  /* Check that seckey is not modified */
5239  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5240 
5241  /* Negating an overflowing seckey fails and the seckey is zeroed. In this
5242  * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
5243  * doesn't just set seckey to a constant value in case of failure. */
5244  random_scalar_order_b32(seckey);
5245  memset(seckey, 0xFF, 16);
5246  memset(seckey_tmp, 0, 32);
5247  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5248  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5249 }
5250 
5251 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
5253  do {
5255  } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
5256 }
5257 
5259  secp256k1_gej pubj;
5260  secp256k1_ge pub;
5261  secp256k1_scalar one;
5262  secp256k1_scalar msg, key;
5263  secp256k1_scalar sigr, sigs;
5264  int getrec;
5265  /* Initialize recid to suppress a false positive -Wconditional-uninitialized in clang.
5266  VG_UNDEF ensures that valgrind will still treat the variable as uninitialized. */
5267  int recid = -1; VG_UNDEF(&recid, sizeof(recid));
5270  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
5271  secp256k1_ge_set_gej(&pub, &pubj);
5272  getrec = secp256k1_testrand_bits(1);
5273  random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
5274  if (getrec) {
5275  CHECK(recid >= 0 && recid < 4);
5276  }
5277  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5278  secp256k1_scalar_set_int(&one, 1);
5279  secp256k1_scalar_add(&msg, &msg, &one);
5280  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5281 }
5282 
5284  int i;
5285  for (i = 0; i < 10*count; i++) {
5287  }
5288 }
5289 
5291 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char<