Bitcoin Core 29.99.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <time.h>
12
13#ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16#endif
17#if defined(VERIFY) && defined(COVERAGE)
18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19#endif
20#include "secp256k1.c"
21
22#include "../include/secp256k1.h"
23#include "../include/secp256k1_preallocated.h"
24#include "testrand_impl.h"
25#include "checkmem.h"
26#include "testutil.h"
27#include "util.h"
28
29#include "../contrib/lax_der_parsing.c"
30#include "../contrib/lax_der_privatekey_parsing.c"
31
32#include "modinv32_impl.h"
33#ifdef SECP256K1_WIDEMUL_INT128
34#include "modinv64_impl.h"
35#include "int128_impl.h"
36#endif
37
38#define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
39
40static int COUNT = 16;
41static secp256k1_context *CTX = NULL;
43
44static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
45 const unsigned char *p = s;
46 size_t i;
47
48 for (i = 0; i < n; i++) {
49 if (p[i] != value) {
50 return 0;
51 }
52 }
53 return 1;
54}
55
56#define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \
57 int32_t _calls_to_callback = 0; \
58 secp256k1_callback _saved_callback = ctx->callback; \
59 callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \
60 { expr_or_stmt; } \
61 ctx->callback = _saved_callback; \
62 CHECK(_calls_to_callback == 1); \
63} while(0);
64
65/* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once
66 *
67 * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */
68#define CHECK_ERROR_VOID(ctx, expr_or_stmt) \
69 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback)
70#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \
71 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback)
72
73/* CHECK that
74 * - expr calls the illegal callback of ctx exactly once and,
75 * - expr == 0 (or equivalently, expr == NULL)
76 *
77 * Useful for checking functions that return an integer or a pointer. */
78#define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
79#define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0))
80
81static void counting_callback_fn(const char* str, void* data) {
82 /* Dummy callback function that just counts. */
83 int32_t *p;
84 (void)str;
85 p = data;
86 CHECK(*p != INT32_MAX);
87 (*p)++;
88}
89
90static void run_xoshiro256pp_tests(void) {
91 {
92 size_t i;
93 /* Sanity check that we run before the actual seeding. */
94 for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
96 }
97 }
98 {
99 int i;
100 unsigned char buf32[32];
101 unsigned char seed16[16] = {
102 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
103 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
104 };
105 unsigned char buf32_expected[32] = {
106 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
107 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
108 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
109 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
110 };
111 testrand_seed(seed16);
112 for (i = 0; i < 17; i++) {
113 testrand256(buf32);
114 }
115 CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
116 }
117}
118
119static void run_selftest_tests(void) {
120 /* Test public API */
122}
123
125 return a->built == b->built
129}
130
131static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
132 return a->declassify == b->declassify
138}
139
141 /* Check that a context created with any of the flags in the flags array is
142 * identical to the NONE context. */
143 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
147 int i;
148 for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
149 secp256k1_context *tmp_ctx;
151 tmp_ctx = secp256k1_context_create(flags[i]);
152 CHECK(context_eq(none_ctx, tmp_ctx));
154 }
156}
157
159 secp256k1_pubkey pubkey;
160 secp256k1_pubkey zero_pubkey;
162 unsigned char ctmp[32];
163
164 /* Setup */
165 memset(ctmp, 1, 32);
166 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
167
168 /* Verify context-type checking illegal-argument errors. */
170 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
171 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
172 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
173 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL));
174 SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
175 CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
176 SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
177 CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
178 CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
179 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
180 CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
181 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
183 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
186 CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
187}
188
189static void run_static_context_tests(int use_prealloc) {
190 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
192
193 {
194 unsigned char seed[32] = {0x17};
195
196 /* Randomizing secp256k1_context_static is not supported. */
199
200 /* Destroying or cloning secp256k1_context_static is not supported. */
201 if (use_prealloc) {
203 {
204 secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
205 CHECK(my_static_ctx != NULL);
206 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
208 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
209 free(my_static_ctx);
210 }
212 } else {
215 }
216 }
217
218 {
219 /* Verify that setting and resetting illegal callback works */
220 int32_t dummy = 0;
227 }
228}
229
230static void run_proper_context_tests(int use_prealloc) {
231 int32_t dummy = 0;
232 secp256k1_context *my_ctx, *my_ctx_fresh;
233 void *my_ctx_prealloc = NULL;
234 unsigned char seed[32] = {0x17};
235
236 secp256k1_gej pubj;
237 secp256k1_ge pub;
239 secp256k1_scalar sigr, sigs;
240
241 /* Fresh reference context for comparison */
243
244 if (use_prealloc) {
246 CHECK(my_ctx_prealloc != NULL);
248 } else {
250 }
251
252 /* Randomize and reset randomization */
253 CHECK(context_eq(my_ctx, my_ctx_fresh));
254 CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
255 CHECK(!context_eq(my_ctx, my_ctx_fresh));
256 CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
257 CHECK(context_eq(my_ctx, my_ctx_fresh));
258
259 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
263
264 /* check if sizes for cloning are consistent */
266
267 /*** clone and destroy all of them to make sure cloning was complete ***/
268 {
269 secp256k1_context *ctx_tmp;
270
271 if (use_prealloc) {
272 /* clone into a non-preallocated context and then again into a new preallocated one. */
273 ctx_tmp = my_ctx;
274 my_ctx = secp256k1_context_clone(my_ctx);
275 CHECK(context_eq(ctx_tmp, my_ctx));
277
278 free(my_ctx_prealloc);
280 CHECK(my_ctx_prealloc != NULL);
281 ctx_tmp = my_ctx;
282 my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
283 CHECK(context_eq(ctx_tmp, my_ctx));
285 } else {
286 /* clone into a preallocated context and then again into a new non-preallocated one. */
287 void *prealloc_tmp;
288
290 CHECK(prealloc_tmp != NULL);
291 ctx_tmp = my_ctx;
292 my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
293 CHECK(context_eq(ctx_tmp, my_ctx));
295
296 ctx_tmp = my_ctx;
297 my_ctx = secp256k1_context_clone(my_ctx);
298 CHECK(context_eq(ctx_tmp, my_ctx));
300 free(prealloc_tmp);
301 }
302 }
303
304 /* Verify that the error callback makes it across the clone. */
307 /* And that it resets back to default. */
308 secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
310 CHECK(context_eq(my_ctx, my_ctx_fresh));
311
312 /* Verify that setting and resetting illegal callback works */
315 CHECK(my_ctx->illegal_callback.data == &dummy);
316 secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
318 CHECK(my_ctx->illegal_callback.data == NULL);
319 CHECK(context_eq(my_ctx, my_ctx_fresh));
320
321 /*** attempt to use them ***/
324 secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
325 secp256k1_ge_set_gej(&pub, &pubj);
326
327 /* obtain a working nonce */
328 do {
330 } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
331
332 /* try signing */
333 CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
334
335 /* try verifying */
336 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
337
338 /* cleanup */
339 if (use_prealloc) {
341 free(my_ctx_prealloc);
342 } else {
344 }
345 secp256k1_context_destroy(my_ctx_fresh);
346
347 /* Defined as no-op. */
350}
351
352static void run_scratch_tests(void) {
353 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
354
355 size_t checkpoint;
356 size_t checkpoint_2;
358 secp256k1_scratch_space local_scratch;
359
360 /* Test public API */
361 scratch = secp256k1_scratch_space_create(CTX, 1000);
362 CHECK(scratch != NULL);
363
364 /* Test internal API */
366 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
367 CHECK(scratch->alloc_size == 0);
368 CHECK(scratch->alloc_size % ALIGNMENT == 0);
369
370 /* Allocating 500 bytes succeeds */
371 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
372 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
373 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
374 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
375 CHECK(scratch->alloc_size != 0);
376 CHECK(scratch->alloc_size % ALIGNMENT == 0);
377
378 /* Allocating another 501 bytes fails */
379 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
380 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
381 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
382 CHECK(scratch->alloc_size != 0);
383 CHECK(scratch->alloc_size % ALIGNMENT == 0);
384
385 /* ...but it succeeds once we apply the checkpoint to undo it */
387 CHECK(scratch->alloc_size == 0);
389 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
390 CHECK(scratch->alloc_size != 0);
391
392 /* try to apply a bad checkpoint */
393 checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
395 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */
396 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */
397
398 /* try to use badly initialized scratch space */
400 memset(&local_scratch, 0, sizeof(local_scratch));
401 scratch = &local_scratch;
405
406 /* Test that large integers do not wrap around in a bad way */
407 scratch = secp256k1_scratch_space_create(CTX, 1000);
408 /* Try max allocation with a large number of objects. Only makes sense if
409 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
410 * space. */
411 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
412 /* Try allocating SIZE_MAX to test wrap around which only happens if
413 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
414 * space is too small. */
415 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
417
418 /* cleanup */
419 secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
420}
421
422static void run_ctz_tests(void) {
423 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
424 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
425 int shift;
426 unsigned i;
427 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
428 for (shift = 0; shift < 32; ++shift) {
429 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
430 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
431 }
432 }
433 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
434 for (shift = 0; shift < 64; ++shift) {
435 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
436 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
437 }
438 }
439}
440
441/***** HASH TESTS *****/
442
444 static const char *inputs[] = {
445 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
446 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
447 "For this sample, this 63-byte string will be used as input data",
448 "This is exactly 64 bytes long, not counting the terminating byte",
449 "aaaaa",
450 };
451 static const unsigned int repeat[] = {
452 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
453 };
454 static const unsigned char outputs[][32] = {
455 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
456 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
457 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
458 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
459 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
460 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
461 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
462 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
463 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
464 };
465 unsigned int i, ninputs;
466
467 /* Skip last input vector for low iteration counts */
468 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
469 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
470
471 for (i = 0; i < ninputs; i++) {
472 unsigned char out[32];
473 secp256k1_sha256 hasher;
474 unsigned int j;
475 /* 1. Run: simply write the input bytestrings */
476 j = repeat[i];
478 while (j > 0) {
479 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
480 j--;
481 }
483 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
484 /* 2. Run: split the input bytestrings randomly before writing */
485 if (strlen(inputs[i]) > 0) {
486 int split = testrand_int(strlen(inputs[i]));
488 j = repeat[i];
489 while (j > 0) {
490 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
491 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
492 j--;
493 }
495 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
496 }
497 }
498}
499
544static void run_sha256_counter_tests(void) {
545 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
546 static const secp256k1_sha256 midstates[] = {
547 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
548 {0x00}, 0xfffc0},
549 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
550 {0x00}, 0x1fffc0},
551 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
552 {0x00}, 0x3fffc0},
553 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
554 {0x00}, 0x7fffc0},
555 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
556 {0x00}, 0xffffc0},
557 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
558 {0x00}, 0x1ffffc0},
559 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
560 {0x00}, 0x3ffffc0},
561 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
562 {0x00}, 0x7ffffc0},
563 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
564 {0x00}, 0xfffffc0},
565 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
566 {0x00}, 0x1fffffc0},
567 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
568 {0x00}, 0x3fffffc0},
569 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
570 {0x00}, 0x7fffffc0},
571 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
572 {0x00}, 0xffffffc0},
573 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
574 {0x00}, 0x1ffffffc0},
575 };
576 static const unsigned char outputs[][32] = {
577 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
578 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
579 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
580 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
581 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
582 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
583 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
584 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
585 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
586 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
587 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
588 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
589 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
590 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
591 };
592 unsigned int i;
593 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
594 unsigned char out[32];
595 secp256k1_sha256 hasher = midstates[i];
596 secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
598 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
599 }
600}
601
602/* Tests for the equality of two sha256 structs. This function only produces a
603 * correct result if an integer multiple of 64 many bytes have been written
604 * into the hash functions. This function is used by some module tests. */
605static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
606 /* Is buffer fully consumed? */
607 CHECK((sha1->bytes & 0x3F) == 0);
608
609 CHECK(sha1->bytes == sha2->bytes);
610 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
611}
612
613static void run_hmac_sha256_tests(void) {
614 static const char *keys[6] = {
615 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
616 "\x4a\x65\x66\x65",
617 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
618 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
619 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
620 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
621 };
622 static const char *inputs[6] = {
623 "\x48\x69\x20\x54\x68\x65\x72\x65",
624 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
625 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
626 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
627 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
628 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
629 };
630 static const unsigned char outputs[6][32] = {
631 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
632 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
633 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
634 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
635 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
636 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
637 };
638 int i;
639 for (i = 0; i < 6; i++) {
641 unsigned char out[32];
642 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
643 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
645 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
646 if (strlen(inputs[i]) > 0) {
647 int split = testrand_int(strlen(inputs[i]));
648 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
649 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
650 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
652 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
653 }
654 }
655}
656
658 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
659 static const unsigned char out1[3][32] = {
660 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
661 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
662 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
663 };
664
665 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
666 static const unsigned char out2[3][32] = {
667 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
668 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
669 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
670 };
671
673 unsigned char out[32];
674 int i;
675
677 for (i = 0; i < 3; i++) {
679 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
680 }
682
684 for (i = 0; i < 3; i++) {
686 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
687 }
689
691 for (i = 0; i < 3; i++) {
693 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
694 }
696}
697
698static void run_tagged_sha256_tests(void) {
699 unsigned char tag[32] = { 0 };
700 unsigned char msg[32] = { 0 };
701 unsigned char hash32[32];
702 unsigned char hash_expected[32] = {
703 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
704 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
705 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
706 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
707 };
708
709 /* API test */
710 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
711 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)));
712 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)));
713 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0));
714
715 /* Static test vector */
716 memcpy(tag, "tag", 3);
717 memcpy(msg, "msg", 3);
718 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
719 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
720}
721
722/***** MODINV TESTS *****/
723
724/* Compute the modular inverse of (odd) x mod 2^64. */
725static uint64_t modinv2p64(uint64_t x) {
726 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
727 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
728 * why. Start with L=0, for which it is true for every odd x that
729 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
730 int l;
731 uint64_t w = 1;
732 CHECK(x & 1);
733 for (l = 0; l < 6; ++l) w *= (2 - w*x);
734 return w;
735}
736
737
738/* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
739 *
740 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
741 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
742static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
743 uint16_t mul[32];
744 uint64_t c = 0;
745 int i, j;
746 int m_bitlen = 0;
747 int mul_bitlen = 0;
748
749 if (b != NULL) {
750 /* Compute the product of a and b, and put it in mul. */
751 for (i = 0; i < 32; ++i) {
752 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
753 c += (uint64_t)a[j] * b[i - j];
754 }
755 mul[i] = c & 0xFFFF;
756 c >>= 16;
757 }
758 CHECK(c == 0);
759
760 /* compute the highest set bit in mul */
761 for (i = 511; i >= 0; --i) {
762 if ((mul[i >> 4] >> (i & 15)) & 1) {
763 mul_bitlen = i;
764 break;
765 }
766 }
767 } else {
768 /* if b==NULL, set mul=a. */
769 memcpy(mul, a, 32);
770 memset(mul + 16, 0, 32);
771 /* compute the highest set bit in mul */
772 for (i = 255; i >= 0; --i) {
773 if ((mul[i >> 4] >> (i & 15)) & 1) {
774 mul_bitlen = i;
775 break;
776 }
777 }
778 }
779
780 if (m) {
781 /* Compute the highest set bit in m. */
782 for (i = 255; i >= 0; --i) {
783 if ((m[i >> 4] >> (i & 15)) & 1) {
784 m_bitlen = i;
785 break;
786 }
787 }
788
789 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
790 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
791 uint16_t mul2[32];
792 int64_t cs;
793
794 /* Compute mul2 = mul - m<<i. */
795 cs = 0; /* accumulator */
796 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
797 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
798 uint16_t sub = 0;
799 int p;
800 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
801 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
802 if (bitpos >= 0 && bitpos < 256) {
803 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
804 }
805 }
806 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
807 cs += mul[j];
808 cs -= sub;
809 mul2[j] = (cs & 0xFFFF);
810 cs >>= 16;
811 }
812 /* If remainder of subtraction is 0, set mul = mul2. */
813 if (cs == 0) {
814 memcpy(mul, mul2, sizeof(mul));
815 }
816 }
817 /* Sanity check: test that all limbs higher than m's highest are zero */
818 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
819 CHECK(mul[i] == 0);
820 }
821 }
822 memcpy(out, mul, 32);
823}
824
825/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
826static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
827 int i;
828 memset(out->v, 0, sizeof(out->v));
829 for (i = 0; i < 256; ++i) {
830 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
831 }
832}
833
834/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
835static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
836 int i;
837 memset(out, 0, 32);
838 for (i = 0; i < 256; ++i) {
839 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
840 }
841}
842
843/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
845 int i;
846 for (i = 0; i < 16; ++i) {
847 int pos = testrand_bits(3);
848 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
849 x->v[pos] -= 0x40000000;
850 x->v[pos + 1] += 1;
851 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
852 x->v[pos] += 0x40000000;
853 x->v[pos + 1] -= 1;
854 }
855 }
856}
857
858/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
859static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
860 uint16_t tmp[16];
863 int i, vartime, nonzero;
864
865 uint16_to_signed30(&x, in);
866 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
867 uint16_to_signed30(&m.modulus, mod);
868
869 /* compute 1/modulus mod 2^30 */
870 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
871 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
872
873 /* Test secp256k1_jacobi32_maybe_var. */
874 if (nonzero) {
875 int jac;
876 uint16_t sqr[16], negone[16];
877 mulmod256(sqr, in, in, mod);
878 uint16_to_signed30(&x, sqr);
879 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
881 CHECK(jac == 0 || jac == 1);
882 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
883 * jacobi symbols if and only if (mod % 4) == 3. */
884 negone[0] = mod[0] - 1;
885 for (i = 1; i < 16; ++i) negone[i] = mod[i];
886 mulmod256(sqr, sqr, negone, mod);
887 uint16_to_signed30(&x, sqr);
889 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
890 }
891
892 uint16_to_signed30(&x, in);
893 mutate_sign_signed30(&m.modulus);
894 for (vartime = 0; vartime < 2; ++vartime) {
895 /* compute inverse */
896 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
897
898 /* produce output */
900
901 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
902 mulmod256(tmp, out, in, mod);
903 CHECK(tmp[0] == nonzero);
904 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
905
906 /* invert again */
907 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
908
909 /* check if the result is equal to the input */
910 signed30_to_uint16(tmp, &x);
911 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
912 }
913}
914
915#ifdef SECP256K1_WIDEMUL_INT128
916/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
917static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
918 int i;
919 memset(out->v, 0, sizeof(out->v));
920 for (i = 0; i < 256; ++i) {
921 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
922 }
923}
924
925/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
926static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
927 int i;
928 memset(out, 0, 32);
929 for (i = 0; i < 256; ++i) {
930 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
931 }
932}
933
934/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
935static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
936 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
937 int i;
938 for (i = 0; i < 8; ++i) {
939 int pos = testrand_bits(2);
940 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
941 x->v[pos] -= (M62 + 1);
942 x->v[pos + 1] += 1;
943 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
944 x->v[pos] += (M62 + 1);
945 x->v[pos + 1] -= 1;
946 }
947 }
948}
949
950/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
951static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
952 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
953 uint16_t tmp[16];
956 int i, vartime, nonzero;
957
958 uint16_to_signed62(&x, in);
959 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
960 uint16_to_signed62(&m.modulus, mod);
961
962 /* compute 1/modulus mod 2^62 */
963 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
964 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
965
966 /* Test secp256k1_jacobi64_maybe_var. */
967 if (nonzero) {
968 int jac;
969 uint16_t sqr[16], negone[16];
970 mulmod256(sqr, in, in, mod);
971 uint16_to_signed62(&x, sqr);
972 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
973 jac = secp256k1_jacobi64_maybe_var(&x, &m);
974 CHECK(jac == 0 || jac == 1);
975 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
976 * jacobi symbols if and only if (mod % 4) == 3. */
977 negone[0] = mod[0] - 1;
978 for (i = 1; i < 16; ++i) negone[i] = mod[i];
979 mulmod256(sqr, sqr, negone, mod);
980 uint16_to_signed62(&x, sqr);
981 jac = secp256k1_jacobi64_maybe_var(&x, &m);
982 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
983 }
984
985 uint16_to_signed62(&x, in);
986 mutate_sign_signed62(&m.modulus);
987 for (vartime = 0; vartime < 2; ++vartime) {
988 /* compute inverse */
989 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
990
991 /* produce output */
992 signed62_to_uint16(out, &x);
993
994 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
995 mulmod256(tmp, out, in, mod);
996 CHECK(tmp[0] == nonzero);
997 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
998
999 /* invert again */
1000 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1001
1002 /* check if the result is equal to the input */
1003 signed62_to_uint16(tmp, &x);
1004 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1005 }
1006}
1007#endif
1008
1009/* test if a and b are coprime */
1010static int coprime(const uint16_t* a, const uint16_t* b) {
1011 uint16_t x[16], y[16], t[16];
1012 int i;
1013 int iszero;
1014 memcpy(x, a, 32);
1015 memcpy(y, b, 32);
1016
1017 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1018 while (1) {
1019 iszero = 1;
1020 for (i = 0; i < 16; ++i) {
1021 if (x[i] != 0) {
1022 iszero = 0;
1023 break;
1024 }
1025 }
1026 if (iszero) break;
1027 mulmod256(t, y, NULL, x);
1028 memcpy(y, x, 32);
1029 memcpy(x, t, 32);
1030 }
1031
1032 /* return whether y=1 */
1033 if (y[0] != 1) return 0;
1034 for (i = 1; i < 16; ++i) {
1035 if (y[i] != 0) return 0;
1036 }
1037 return 1;
1038}
1039
1040static void run_modinv_tests(void) {
1041 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1042 static const uint16_t CASES[][3][16] = {
1043 /* Test cases triggering edge cases in divsteps */
1044
1045 /* Test case known to need 713 divsteps */
1046 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1047 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1048 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1049 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1050 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1051 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1052 /* Test case known to need 589 divsteps, reaching delta=-140 and
1053 delta=141. */
1054 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1055 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1056 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1057 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1058 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1059 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1060 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1061 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1062 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1063 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1064 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1065 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1066 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1067 /* example needing 713 divsteps; delta=-2..3 */
1068 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1069 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1070 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1071 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1072 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1073 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1074 /* example needing 713 divsteps; delta=-2..3 */
1075 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1076 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1077 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1078 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1079 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1080 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1081 /* example needing 713 divsteps; delta=-2..3 */
1082 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1083 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1084 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1085 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1086 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1087 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1088 /* example reaching delta=-64..65; 661 divsteps */
1089 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1090 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1091 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1092 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1093 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1094 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1095 /* example reaching delta=-64..65; 661 divsteps */
1096 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1097 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1098 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1099 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1100 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1101 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1102 /* example reaching delta=-64..65; 661 divsteps */
1103 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1104 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1105 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1106 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1107 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1108 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1109 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1110 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1111 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1112 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1113 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1114 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1115 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1116 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1117 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1118 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1119 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1120 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1121 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1122 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1123 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1124 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1125 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1126 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1127 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1128 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1129 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1130 /* example doing 446 (f,g/2) steps; 523 divsteps */
1131 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1132 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1133 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1134 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1135 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1136 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1137 /* example doing 446 (f,g/2) steps; 523 divsteps */
1138 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1139 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1140 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1141 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1142 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1143 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1144 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1145 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1146 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1147 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1148 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1149 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1150 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1151 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1152 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1153 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1154 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1155 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1156 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1157 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1158 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1159 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1160 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1161 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1162 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1163 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1164 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1165 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1166 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1167 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1168 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1169 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1170 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1171 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1172
1173 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1174
1175 /* example needing 590 divsteps; delta=-5/2..7/2 */
1176 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1177 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1178 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1179 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1180 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1181 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1182 /* example needing 590 divsteps; delta=-3/2..5/2 */
1183 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1184 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1185 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1186 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1187 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1188 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1189 /* example needing 590 divsteps; delta=-3/2..5/2 */
1190 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1191 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1192 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1193 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1194 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1195 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1196 /* example needing 590 divsteps; delta=-5/2..7/2 */
1197 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1198 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1199 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1200 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1201 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1202 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1203 /* example needing 590 divsteps; delta=-3/2..5/2 */
1204 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1205 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1206 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1207 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1208 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1209 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1210 /* example reaching delta=-127/2..129/2; 571 divsteps */
1211 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1212 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1213 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1214 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1215 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1216 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1217 /* example reaching delta=-127/2..129/2; 571 divsteps */
1218 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1219 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1220 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1221 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1222 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1223 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1224 /* example reaching delta=-127/2..129/2; 571 divsteps */
1225 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1226 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1227 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1228 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1229 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1230 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1231 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1232 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1233 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1234 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1235 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1236 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1237 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1238 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1239 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1240 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1241 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1242 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1243 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1244 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1245 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1246 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1247 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1248 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1249 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1250 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1251 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1252 /* example doing 453 (f,g/2) steps; 514 divsteps */
1253 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1254 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1255 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1256 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1257 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1258 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1259 /* example doing 453 (f,g/2) steps; 514 divsteps */
1260 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1261 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1262 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1263 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1264 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1265 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1266 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1267 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1268 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1269 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1270 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1271 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1272 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1273 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1274 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1275 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1276 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1277 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1278 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1279 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1280 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1281 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1282 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1283 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1284 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1285 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1286 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1287 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1288 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1289 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1290 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1291 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1292 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1293 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1294
1295 /* Test cases with the group order as modulus. */
1296
1297 /* Test case with the group order as modulus, needing 635 divsteps. */
1298 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1299 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1300 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1301 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1302 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1303 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1304 /* example with group size as modulus needing 631 divsteps */
1305 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1306 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1307 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1308 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1309 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1310 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1311 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1312 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1313 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1314 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1315 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1316 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1317 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1318 /* Test case with the group size as modulus, needing 981 divsteps with
1319 broken eta handling. */
1320 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1321 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1322 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1323 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1324 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1325 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1326 /* Test case with the group size as modulus, input = 0. */
1327 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1328 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1329 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1330 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1331 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1332 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1333 /* Test case with the group size as modulus, input = 1. */
1334 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1335 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1336 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1337 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1338 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1339 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1340 /* Test case with the group size as modulus, input = 2. */
1341 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1342 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1343 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1344 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1345 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1346 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1347 /* Test case with the group size as modulus, input = group - 1. */
1348 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1349 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1350 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1351 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1352 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1353 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1354
1355 /* Test cases with the field size as modulus. */
1356
1357 /* Test case with the field size as modulus, needing 637 divsteps. */
1358 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1359 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1360 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1361 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1362 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1363 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1364 /* example with field size as modulus needing 637 divsteps */
1365 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1366 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1367 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1368 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1369 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1370 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1371 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1372 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1373 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1374 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1375 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1376 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1377 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1378 /* Test case with the field size as modulus, needing 935 divsteps with
1379 broken eta handling. */
1380 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1381 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1382 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1383 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1384 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1385 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1386 /* Test case with the field size as modulus, input = 0. */
1387 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1388 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1389 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1390 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1391 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1392 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1393 /* Test case with the field size as modulus, input = 1. */
1394 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1395 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1396 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1397 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1398 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1399 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1400 /* Test case with the field size as modulus, input = 2. */
1401 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1402 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1403 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1404 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1405 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1406 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1407 /* Test case with the field size as modulus, input = field - 1. */
1408 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1409 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1410 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1411 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1412 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1413 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1414
1415 /* Selected from a large number of random inputs to reach small/large
1416 * d/e values in various configurations. */
1417 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1418 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1419 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1420 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1421 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1422 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1423 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1424 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1425 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1426 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1427 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1428 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1429 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1430 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1431 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1432 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1433 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1434 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1435 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1436 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1437 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1438 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1439 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1440 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1441 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1442 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1443 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1444 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1445 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1446 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1447 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1448 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1449 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1450 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1451 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1452 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1453 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1454 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1455 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1456 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1457 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1458 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1459 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1460 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1461 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1462 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1463 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1464 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1465 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1466 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1467 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1468 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1469 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1470 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1471 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1472 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1473 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1474 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1475 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1476 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1477 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1478 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1479 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1480 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1481 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1482 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1483 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1484 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1485 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1486 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1487 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1488 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1489 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1490 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1491 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1492 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1493 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1494 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1495 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1496 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1497 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1498 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1499 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1500 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1501 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1502 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1503 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1504 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1505 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1506 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1507 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1508 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1509 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1510 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1511 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1512 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1513 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1514 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1515 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1516 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1517 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1518 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1519 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1520 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1521 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1522 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1523 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1524 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1525 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1526 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1527 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1528 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1529 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1530 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1531 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1532 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1533 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1534 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1535 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1536 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1537 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1538 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1539 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1540 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1541 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1542 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1543 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1544 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1545 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1546 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1547 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1548 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1549 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1550 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1551 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1552 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1553 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1554 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1555 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1556 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1557 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1558 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1559 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1560 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1561 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1562 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1563 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1564 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1565 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1566 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1567 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1568 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1569 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1570 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1571 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1572 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1573 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1574 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1575 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1576 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1577 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1578 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1579 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1580 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1581 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1582 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1583 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1584 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1585 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1586 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1587 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1588 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1589 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1590 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1591 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1592 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1593 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1594 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1595 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1596 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1597 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1598 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1599 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1600 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1601 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1602 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1603 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1604 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1605 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1606 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1607 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1608 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1609 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1610 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1611 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1612 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1613 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1614 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1615 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1616 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1617 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1618 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1619 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1620 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1621 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1622 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1623 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1624 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1625 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1626 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1627 };
1628
1629 int i, j, ok;
1630
1631 /* Test known inputs/outputs */
1632 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1633 uint16_t out[16];
1634 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1635 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1636#ifdef SECP256K1_WIDEMUL_INT128
1637 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1638 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1639#endif
1640 }
1641
1642 for (i = 0; i < 100 * COUNT; ++i) {
1643 /* 256-bit numbers in 16-uint16_t's notation */
1644 static const uint16_t ZERO[16] = {0};
1645 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1646 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1647 uint16_t id[16]; /* the inverse of xd mod md */
1648
1649 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1650 do {
1651 /* generate random xd and md (with many subsequent 0s and 1s) */
1652 testrand256_test((unsigned char*)xd);
1653 testrand256_test((unsigned char*)md);
1654 md[0] |= 1; /* modulus must be odd */
1655 /* If modulus is 1, find another one. */
1656 ok = md[0] != 1;
1657 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1658 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1659 } while (!(ok && coprime(xd, md)));
1660
1661 test_modinv32_uint16(id, xd, md);
1662#ifdef SECP256K1_WIDEMUL_INT128
1663 test_modinv64_uint16(id, xd, md);
1664#endif
1665
1666 /* In a few cases, also test with input=0 */
1667 if (i < COUNT) {
1668 test_modinv32_uint16(id, ZERO, md);
1669#ifdef SECP256K1_WIDEMUL_INT128
1670 test_modinv64_uint16(id, ZERO, md);
1671#endif
1672 }
1673 }
1674}
1675
1676/***** INT128 TESTS *****/
1677
1678#ifdef SECP256K1_WIDEMUL_INT128
1679/* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1680static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1681 int i;
1682 uint32_t carry = 0;
1683 for (i = 0; i < 16; ++i) {
1684 carry += a[i];
1685 carry += b[i];
1686 out[i] = carry;
1687 carry >>= 16;
1688 }
1689}
1690
1691/* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1692static void neg256(uint16_t* out, const uint16_t* a) {
1693 int i;
1694 uint32_t carry = 1;
1695 for (i = 0; i < 16; ++i) {
1696 carry += (uint16_t)~a[i];
1697 out[i] = carry;
1698 carry >>= 16;
1699 }
1700}
1701
1702/* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1703static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1704 uint16_t sign = sign_extend && (a[15] >> 15);
1705 int i, j;
1706 for (i = 15; i >= 0; --i) {
1707 uint16_t v = 0;
1708 for (j = 0; j < 16; ++j) {
1709 int frompos = i*16 + j + n;
1710 if (frompos >= 256) {
1711 v |= sign << j;
1712 } else {
1713 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1714 }
1715 }
1716 out[i] = v;
1717 }
1718}
1719
1720/* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1721static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1722 int i;
1723 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1724 for (i = 0; i < 4; ++i) {
1725 out[i] = v >> (16 * i);
1726 }
1727 for (i = 4; i < 16; ++i) {
1728 out[i] = sign;
1729 }
1730}
1731
1732/* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1733static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1734 int i;
1735 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1736 for (i = 0; i < 4; ++i) {
1737 out[i] = lo >> (16 * i);
1738 }
1739 for (i = 4; i < 8; ++i) {
1740 out[i] = hi >> (16 * (i - 4));
1741 }
1742 for (i = 8; i < 16; ++i) {
1743 out[i] = sign;
1744 }
1745}
1746
1747/* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1748static int int256is127(const uint16_t* v) {
1749 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1750 int i;
1751 for (i = 8; i < 16; ++i) {
1752 if (v[i] != 0) all_0 = 0;
1753 if (v[i] != 0xffff) all_1 = 0;
1754 }
1755 return all_0 || all_1;
1756}
1757
1758static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1759 uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1760 load256two64(out, hi, lo, 0);
1761}
1762
1763static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1764 uint64_t lo;
1765 int64_t hi;
1766 secp256k1_int128 c = *v;
1767 lo = secp256k1_i128_to_u64(&c);
1768 secp256k1_i128_rshift(&c, 64);
1769 hi = secp256k1_i128_to_i64(&c);
1770 load256two64(out, hi, lo, 1);
1771}
1772
1773static void run_int128_test_case(void) {
1774 unsigned char buf[32];
1775 uint64_t v[4];
1776 secp256k1_int128 swa, swz;
1777 secp256k1_uint128 uwa, uwz;
1778 uint64_t ub, uc;
1779 int64_t sb, sc;
1780 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1781 uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1782 int i;
1783
1784 /* Generate 32-byte random value. */
1785 testrand256_test(buf);
1786 /* Convert into 4 64-bit integers. */
1787 for (i = 0; i < 4; ++i) {
1788 uint64_t vi = 0;
1789 int j;
1790 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1791 v[i] = vi;
1792 }
1793 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1794 secp256k1_u128_load(&uwa, v[1], v[0]);
1795 secp256k1_i128_load(&swa, v[1], v[0]);
1796 ub = v[2];
1797 sb = v[2];
1798 uc = v[3];
1799 sc = v[3];
1800 /* Load those also into 16-bit array representations. */
1801 load256u128(ruwa, &uwa);
1802 load256i128(rswa, &swa);
1803 load256u64(rub, ub, 0);
1804 load256u64(rsb, sb, 1);
1805 load256u64(ruc, uc, 0);
1806 load256u64(rsc, sc, 1);
1807 /* test secp256k1_u128_mul */
1808 mulmod256(ruwr, rub, ruc, NULL);
1809 secp256k1_u128_mul(&uwz, ub, uc);
1810 load256u128(ruwz, &uwz);
1811 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1812 /* test secp256k1_u128_accum_mul */
1813 mulmod256(ruwr, rub, ruc, NULL);
1814 add256(ruwr, ruwr, ruwa);
1815 uwz = uwa;
1816 secp256k1_u128_accum_mul(&uwz, ub, uc);
1817 load256u128(ruwz, &uwz);
1818 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1819 /* test secp256k1_u128_accum_u64 */
1820 add256(ruwr, rub, ruwa);
1821 uwz = uwa;
1822 secp256k1_u128_accum_u64(&uwz, ub);
1823 load256u128(ruwz, &uwz);
1824 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1825 /* test secp256k1_u128_rshift */
1826 rshift256(ruwr, ruwa, uc % 128, 0);
1827 uwz = uwa;
1828 secp256k1_u128_rshift(&uwz, uc % 128);
1829 load256u128(ruwz, &uwz);
1830 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1831 /* test secp256k1_u128_to_u64 */
1832 CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1833 /* test secp256k1_u128_hi_u64 */
1834 CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1835 /* test secp256k1_u128_from_u64 */
1836 secp256k1_u128_from_u64(&uwz, ub);
1837 load256u128(ruwz, &uwz);
1838 CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1839 /* test secp256k1_u128_check_bits */
1840 {
1841 int uwa_bits = 0;
1842 int j;
1843 for (j = 0; j < 128; ++j) {
1844 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
1845 }
1846 for (j = 0; j < 128; ++j) {
1847 CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
1848 }
1849 }
1850 /* test secp256k1_i128_mul */
1851 mulmod256(rswr, rsb, rsc, NULL);
1852 secp256k1_i128_mul(&swz, sb, sc);
1853 load256i128(rswz, &swz);
1854 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1855 /* test secp256k1_i128_accum_mul */
1856 mulmod256(rswr, rsb, rsc, NULL);
1857 add256(rswr, rswr, rswa);
1858 if (int256is127(rswr)) {
1859 swz = swa;
1860 secp256k1_i128_accum_mul(&swz, sb, sc);
1861 load256i128(rswz, &swz);
1862 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1863 }
1864 /* test secp256k1_i128_det */
1865 {
1866 uint16_t rsd[16], rse[16], rst[32];
1867 int64_t sd = v[0], se = v[1];
1868 load256u64(rsd, sd, 1);
1869 load256u64(rse, se, 1);
1870 mulmod256(rst, rsc, rsd, NULL);
1871 neg256(rst, rst);
1872 mulmod256(rswr, rsb, rse, NULL);
1873 add256(rswr, rswr, rst);
1874 secp256k1_i128_det(&swz, sb, sc, sd, se);
1875 load256i128(rswz, &swz);
1876 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1877 }
1878 /* test secp256k1_i128_rshift */
1879 rshift256(rswr, rswa, uc % 127, 1);
1880 swz = swa;
1881 secp256k1_i128_rshift(&swz, uc % 127);
1882 load256i128(rswz, &swz);
1883 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1884 /* test secp256k1_i128_to_u64 */
1885 CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
1886 /* test secp256k1_i128_from_i64 */
1887 secp256k1_i128_from_i64(&swz, sb);
1888 load256i128(rswz, &swz);
1889 CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
1890 /* test secp256k1_i128_to_i64 */
1891 CHECK(secp256k1_i128_to_i64(&swz) == sb);
1892 /* test secp256k1_i128_eq_var */
1893 {
1894 int expect = (uc & 1);
1895 swz = swa;
1896 if (!expect) {
1897 /* Make sure swz != swa */
1898 uint64_t v0c = v[0], v1c = v[1];
1899 if (ub & 64) {
1900 v1c ^= (((uint64_t)1) << (ub & 63));
1901 } else {
1902 v0c ^= (((uint64_t)1) << (ub & 63));
1903 }
1904 secp256k1_i128_load(&swz, v1c, v0c);
1905 }
1906 CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
1907 }
1908 /* test secp256k1_i128_check_pow2 (sign == 1) */
1909 {
1910 int expect = (uc & 1);
1911 int pos = ub % 127;
1912 if (expect) {
1913 /* If expect==1, set swz to exactly 2^pos. */
1914 uint64_t hi = 0;
1915 uint64_t lo = 0;
1916 if (pos >= 64) {
1917 hi = (((uint64_t)1) << (pos & 63));
1918 } else {
1919 lo = (((uint64_t)1) << (pos & 63));
1920 }
1921 secp256k1_i128_load(&swz, hi, lo);
1922 } else {
1923 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
1924 if (pos >= 64) {
1925 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
1926 } else {
1927 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
1928 }
1929 swz = swa;
1930 }
1931 CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
1932 }
1933 /* test secp256k1_i128_check_pow2 (sign == -1) */
1934 {
1935 int expect = (uc & 1);
1936 int pos = ub % 127;
1937 if (expect) {
1938 /* If expect==1, set swz to exactly -2^pos. */
1939 uint64_t hi = ~(uint64_t)0;
1940 uint64_t lo = ~(uint64_t)0;
1941 if (pos >= 64) {
1942 hi <<= (pos & 63);
1943 lo = 0;
1944 } else {
1945 lo <<= (pos & 63);
1946 }
1947 secp256k1_i128_load(&swz, hi, lo);
1948 } else {
1949 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
1950 if (pos >= 64) {
1951 if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
1952 } else {
1953 if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
1954 }
1955 swz = swa;
1956 }
1957 CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
1958 }
1959}
1960
1961static void run_int128_tests(void) {
1962 { /* secp256k1_u128_accum_mul */
1964
1965 /* Check secp256k1_u128_accum_mul overflow */
1966 secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
1967 secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
1968 CHECK(secp256k1_u128_to_u64(&res) == 2);
1969 CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
1970 }
1971 { /* secp256k1_u128_accum_mul */
1972 secp256k1_int128 res;
1973
1974 /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
1975 secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
1976 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
1977 CHECK(secp256k1_i128_to_u64(&res) == 2);
1978 secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
1979 secp256k1_i128_accum_mul(&res, 1, 1);
1980 CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
1981 secp256k1_i128_rshift(&res, 64);
1982 CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
1983
1984 /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
1985 secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
1986 CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
1987 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
1988 CHECK(secp256k1_i128_to_u64(&res) == 0);
1989 secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
1990 CHECK(secp256k1_i128_to_u64(&res) == 0);
1991 secp256k1_i128_rshift(&res, 64);
1992 CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
1993 }
1994 {
1995 /* Randomized tests. */
1996 int i;
1997 for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
1998 }
1999}
2000#endif
2001
2002/***** SCALAR TESTS *****/
2003
2004static void scalar_test(void) {
2008 unsigned char c[32];
2009
2010 /* Set 's' to a random scalar, with value 'snum'. */
2012
2013 /* Set 's1' to a random scalar, with value 's1num'. */
2015
2016 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2019
2020 {
2021 int i;
2022 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2025 for (i = 0; i < 256; i += 4) {
2027 int j;
2029 for (j = 0; j < 4; j++) {
2030 secp256k1_scalar_add(&n, &n, &n);
2031 }
2032 secp256k1_scalar_add(&n, &n, &t);
2033 }
2035 }
2036
2037 {
2038 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2040 int i = 0;
2042 while (i < 256) {
2044 int j;
2045 int now = testrand_int(15) + 1;
2046 if (now + i > 256) {
2047 now = 256 - i;
2048 }
2050 for (j = 0; j < now; j++) {
2051 secp256k1_scalar_add(&n, &n, &n);
2052 }
2053 secp256k1_scalar_add(&n, &n, &t);
2054 i += now;
2055 }
2057 }
2058
2059 {
2060 /* Test commutativity of add. */
2061 secp256k1_scalar r1, r2;
2062 secp256k1_scalar_add(&r1, &s1, &s2);
2063 secp256k1_scalar_add(&r2, &s2, &s1);
2064 CHECK(secp256k1_scalar_eq(&r1, &r2));
2065 }
2066
2067 {
2068 secp256k1_scalar r1, r2;
2070 int i;
2071 /* Test add_bit. */
2072 int bit = testrand_bits(8);
2075 for (i = 0; i < bit; i++) {
2076 secp256k1_scalar_add(&b, &b, &b);
2077 }
2078 r1 = s1;
2079 r2 = s1;
2080 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2081 /* No overflow happened. */
2082 secp256k1_scalar_cadd_bit(&r2, bit, 1);
2083 CHECK(secp256k1_scalar_eq(&r1, &r2));
2084 /* cadd is a noop when flag is zero */
2085 secp256k1_scalar_cadd_bit(&r2, bit, 0);
2086 CHECK(secp256k1_scalar_eq(&r1, &r2));
2087 }
2088 }
2089
2090 {
2091 /* Test commutativity of mul. */
2092 secp256k1_scalar r1, r2;
2093 secp256k1_scalar_mul(&r1, &s1, &s2);
2094 secp256k1_scalar_mul(&r2, &s2, &s1);
2095 CHECK(secp256k1_scalar_eq(&r1, &r2));
2096 }
2097
2098 {
2099 /* Test associativity of add. */
2100 secp256k1_scalar r1, r2;
2101 secp256k1_scalar_add(&r1, &s1, &s2);
2102 secp256k1_scalar_add(&r1, &r1, &s);
2103 secp256k1_scalar_add(&r2, &s2, &s);
2104 secp256k1_scalar_add(&r2, &s1, &r2);
2105 CHECK(secp256k1_scalar_eq(&r1, &r2));
2106 }
2107
2108 {
2109 /* Test associativity of mul. */
2110 secp256k1_scalar r1, r2;
2111 secp256k1_scalar_mul(&r1, &s1, &s2);
2112 secp256k1_scalar_mul(&r1, &r1, &s);
2113 secp256k1_scalar_mul(&r2, &s2, &s);
2114 secp256k1_scalar_mul(&r2, &s1, &r2);
2115 CHECK(secp256k1_scalar_eq(&r1, &r2));
2116 }
2117
2118 {
2119 /* Test distributitivity of mul over add. */
2120 secp256k1_scalar r1, r2, t;
2121 secp256k1_scalar_add(&r1, &s1, &s2);
2122 secp256k1_scalar_mul(&r1, &r1, &s);
2123 secp256k1_scalar_mul(&r2, &s1, &s);
2124 secp256k1_scalar_mul(&t, &s2, &s);
2125 secp256k1_scalar_add(&r2, &r2, &t);
2126 CHECK(secp256k1_scalar_eq(&r1, &r2));
2127 }
2128
2129 {
2130 /* Test multiplicative identity. */
2133 CHECK(secp256k1_scalar_eq(&r1, &s1));
2134 }
2135
2136 {
2137 /* Test additive identity. */
2140 CHECK(secp256k1_scalar_eq(&r1, &s1));
2141 }
2142
2143 {
2144 /* Test zero product property. */
2148 }
2149
2150 {
2151 /* Test halving. */
2153 secp256k1_scalar_add(&r, &s, &s);
2154 secp256k1_scalar_half(&r, &r);
2156 }
2157}
2158
2160 unsigned char b32[32];
2163
2164 /* Usually set_b32 and set_b32_seckey give the same result */
2166 secp256k1_scalar_set_b32(&s1, b32, NULL);
2167 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2168 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2169
2170 memset(b32, 0, sizeof(b32));
2171 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2172 memset(b32, 0xFF, sizeof(b32));
2173 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2174}
2175
2176static void run_scalar_tests(void) {
2177 int i;
2178 for (i = 0; i < 128 * COUNT; i++) {
2179 scalar_test();
2180 }
2181 for (i = 0; i < COUNT; i++) {
2183 }
2184
2185 {
2186 /* Check that the scalar constants secp256k1_scalar_zero and
2187 secp256k1_scalar_one contain the expected values. */
2188 secp256k1_scalar zero, one;
2189
2191 secp256k1_scalar_set_int(&zero, 0);
2193
2195 secp256k1_scalar_set_int(&one, 1);
2197 }
2198
2199 {
2200 /* (-1)+1 should be zero. */
2207 }
2208
2209 {
2210 /* Test that halving and doubling roundtrips on some fixed values. */
2211 static const secp256k1_scalar HALF_TESTS[] = {
2212 /* 0 */
2213 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2214 /* 1 */
2215 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2216 /* -1 */
2217 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul),
2218 /* -2 (largest odd value) */
2219 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful),
2220 /* Half the secp256k1 order */
2221 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul),
2222 /* Half the secp256k1 order + 1 */
2223 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul),
2224 /* 2^255 */
2225 SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0),
2226 /* 2^255 - 1 */
2227 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful),
2228 };
2229 unsigned n;
2230 for (n = 0; n < sizeof(HALF_TESTS) / sizeof(HALF_TESTS[0]); ++n) {
2232 secp256k1_scalar_half(&s, &HALF_TESTS[n]);
2233 secp256k1_scalar_add(&s, &s, &s);
2234 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2235 secp256k1_scalar_add(&s, &s, &s);
2237 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2238 }
2239 }
2240
2241 {
2242 /* Does check_overflow check catch all ones? */
2243 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2244 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2245 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2246 );
2248 }
2249
2250 {
2251 /* Static test vectors.
2252 * These were reduced from ~10^12 random vectors based on comparison-decision
2253 * and edge-case coverage on 32-bit and 64-bit implementations.
2254 * The responses were generated with Sage 5.9.
2255 */
2262 secp256k1_scalar zzv;
2263 int overflow;
2264 unsigned char chal[33][2][32] = {
2265 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2266 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2267 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2268 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2269 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2270 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2271 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2272 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2273 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2274 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2277 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2278 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2279 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2280 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2281 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2282 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2283 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2284 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2285 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2286 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2287 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2288 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2289 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2290 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2291 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2292 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2293 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2294 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2295 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2296 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2297 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2298 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2299 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2300 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2301 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2302 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2303 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2304 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2305 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2306 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2307 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2308 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2309 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2310 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2311 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2312 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2313 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2314 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2315 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2316 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2317 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2318 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2319 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2320 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2321 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2322 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2323 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2324 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2325 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2326 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2327 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2328 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2329 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2330 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2331 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2332 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2333 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2334 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2335 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2336 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2337 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2338 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2339 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2340 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2341 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2342 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2343 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2344 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2345 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2346 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2347 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2348 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2349 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2350 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2351 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2352 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2353 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2354 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2355 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2356 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2357 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2358 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2359 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2361 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2362 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2363 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2364 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2365 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2366 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2367 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2368 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2369 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2370 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2371 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2372 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2373 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2374 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2375 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2376 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2377 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2378 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2379 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2380 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2381 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2382 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2383 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2384 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2385 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2386 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2387 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2388 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2389 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2390 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2391 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2392 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2393 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2394 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2395 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2396 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2397 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2398 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2399 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2400 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2401 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2402 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2403 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2404 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2405 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2406 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2407 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2408 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2409 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2410 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2411 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2412 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2413 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2414 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2415 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2416 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2417 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2418 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2419 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2420 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2421 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2422 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2423 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2424 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2425 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2426 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2428 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2429 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2430 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2431 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2432 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2433 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2434 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2435 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2436 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2437 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2438 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2439 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2440 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2441 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2442 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2443 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2444 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2445 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2446 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2447 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2448 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2449 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2450 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2451 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2452 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2453 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2454 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2455 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2456 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2457 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2458 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2459 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2460 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2461 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2462 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2465 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2466 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2467 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2468 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2469 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2470 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2471 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2472 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2473 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2474 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2475 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2476 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2477 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2478 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2479 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2480 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2481 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2482 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2483 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2484 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2485 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2486 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2487 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2488 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2489 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2490 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2491 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2492 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2493 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2494 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2495 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2496 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2497 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2498 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2499 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2500 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2501 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2502 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2503 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2504 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2505 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2506 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2507 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2508 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2509 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2510 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2511 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2512 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2513 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2514 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2515 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2516 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2517 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2518 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2519 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2520 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2521 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2522 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2523 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2524 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2525 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2526 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2527 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2528 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2529 };
2530 unsigned char res[33][2][32] = {
2531 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2532 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2533 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2534 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2535 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2536 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2537 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2538 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2539 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2540 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2541 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2542 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2543 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2544 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2545 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2546 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2547 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2548 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2549 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2550 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2551 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2552 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2553 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2554 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2555 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2556 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2557 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2558 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2559 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2560 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2561 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2562 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2563 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2564 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2565 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2566 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2567 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2568 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2569 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2570 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2571 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2572 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2573 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2574 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2575 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2576 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2577 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2578 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2579 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2580 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2581 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2582 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2583 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2584 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2585 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2586 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2587 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2588 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2589 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2590 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2591 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2592 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2593 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2594 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2595 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2596 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2597 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2598 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2599 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2600 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2601 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2602 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2603 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2604 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2605 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2606 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2607 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2608 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2609 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2610 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2611 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2612 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2613 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2614 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2615 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2616 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2617 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2618 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2619 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2620 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2621 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2622 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2623 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2624 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2625 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2626 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2627 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2628 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2629 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2630 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2631 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2632 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2633 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2634 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2635 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2636 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2637 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2638 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2639 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2640 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2641 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2642 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2643 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2644 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2645 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2646 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2647 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2648 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2649 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2650 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2651 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2652 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2653 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2654 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2655 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2656 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2657 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2658 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2659 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2660 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2661 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2662 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2663 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2664 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2665 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2666 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2667 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2668 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2669 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2670 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2671 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2672 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2673 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2674 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2675 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2676 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2677 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2678 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2679 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2680 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2681 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2682 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2683 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2684 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2685 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2686 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2687 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2688 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2689 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2690 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2691 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2693 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2694 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2695 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2697 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2699 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2700 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2703 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2704 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2707 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2708 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2709 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2710 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2711 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2712 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2713 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2714 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2715 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2716 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2717 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2718 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2719 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2720 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2721 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2722 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2723 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2724 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2725 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2726 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2727 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2728 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2729 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2730 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2731 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2732 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2733 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2734 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2735 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2737 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2738 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2739 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2740 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2741 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2742 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2743 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2744 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2745 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2746 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2747 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2748 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2749 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2750 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2751 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2752 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2753 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2754 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2755 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2756 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2757 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2758 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2759 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2760 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2761 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2762 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2763 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2764 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2765 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2766 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2767 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2768 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2769 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2770 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2771 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2772 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2773 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2774 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2775 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2776 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2777 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2778 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2779 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2780 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2781 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2782 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2783 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2784 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2785 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2786 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2787 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2788 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2789 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2790 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2791 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2792 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2793 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2794 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2795 };
2796 for (i = 0; i < 33; i++) {
2797 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2798 CHECK(!overflow);
2799 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2800 CHECK(!overflow);
2801 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2802 CHECK(!overflow);
2803 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2804 CHECK(!overflow);
2805 secp256k1_scalar_mul(&z, &x, &y);
2806 CHECK(secp256k1_scalar_eq(&r1, &z));
2807 if (!secp256k1_scalar_is_zero(&y)) {
2808 secp256k1_scalar_inverse(&zz, &y);
2810 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2811 secp256k1_scalar_mul(&z, &z, &zz);
2812 CHECK(secp256k1_scalar_eq(&x, &z));
2813 secp256k1_scalar_mul(&zz, &zz, &y);
2815 }
2816 secp256k1_scalar_mul(&z, &x, &x);
2817 CHECK(secp256k1_scalar_eq(&r2, &z));
2818 }
2819 }
2820}
2821
2822/***** FIELD TESTS *****/
2823
2825 secp256k1_fe r;
2827 if (secp256k1_fe_sqrt(&r, ns)) {
2828 secp256k1_fe_negate(ns, ns, 1);
2829 }
2830}
2831
2832static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2833 secp256k1_fe an = *a;
2834 secp256k1_fe bn = *b;
2836 return secp256k1_fe_equal(&an, &bn);
2837}
2838
2839static void run_field_convert(void) {
2840 static const unsigned char b32[32] = {
2841 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2842 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2843 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2844 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2845 };
2847 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2848 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2849 );
2850 static const secp256k1_fe fe = SECP256K1_FE_CONST(
2851 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2852 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2853 );
2854 secp256k1_fe fe2;
2855 unsigned char b322[32];
2857 /* Check conversions to fe. */
2859 CHECK(secp256k1_fe_equal(&fe, &fe2));
2860 secp256k1_fe_from_storage(&fe2, &fes);
2861 CHECK(secp256k1_fe_equal(&fe, &fe2));
2862 /* Check conversion from fe. */
2863 secp256k1_fe_get_b32(b322, &fe);
2864 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2865 secp256k1_fe_to_storage(&fes2, &fe);
2866 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2867}
2868
2869static void run_field_be32_overflow(void) {
2870 {
2871 static const unsigned char zero_overflow[32] = {
2872 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2873 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2874 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2875 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
2876 };
2877 static const unsigned char zero[32] = { 0x00 };
2878 unsigned char out[32];
2879 secp256k1_fe fe;
2880 CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
2881 secp256k1_fe_set_b32_mod(&fe, zero_overflow);
2884 CHECK(secp256k1_fe_is_zero(&fe) == 1);
2886 CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
2887 }
2888 {
2889 static const unsigned char one_overflow[32] = {
2890 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2891 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2892 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2893 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
2894 };
2895 static const unsigned char one[32] = {
2896 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2897 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2898 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2899 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2900 };
2901 unsigned char out[32];
2902 secp256k1_fe fe;
2903 CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
2904 secp256k1_fe_set_b32_mod(&fe, one_overflow);
2908 CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
2909 }
2910 {
2911 static const unsigned char ff_overflow[32] = {
2912 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2913 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2914 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2915 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2916 };
2917 static const unsigned char ff[32] = {
2918 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2919 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2920 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2921 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
2922 };
2923 unsigned char out[32];
2924 secp256k1_fe fe;
2925 const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
2926 CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
2927 secp256k1_fe_set_b32_mod(&fe, ff_overflow);
2929 CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
2931 CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
2932 }
2933}
2934
2935/* Returns true if two field elements have the same representation. */
2936static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
2937 int ret = 1;
2938 /* Compare the struct member that holds the limbs. */
2939 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
2940 return ret;
2941}
2942
2943static void run_field_half(void) {
2944 secp256k1_fe t, u;
2945 int m;
2946
2947 /* Check magnitude 0 input */
2950#ifdef VERIFY
2951 CHECK(t.magnitude == 1);
2952 CHECK(t.normalized == 0);
2953#endif
2955
2956 /* Check non-zero magnitudes in the supported range */
2957 for (m = 1; m < 32; m++) {
2958 /* Check max-value input */
2960
2961 u = t;
2963#ifdef VERIFY
2964 CHECK(u.magnitude == (m >> 1) + 1);
2965 CHECK(u.normalized == 0);
2966#endif
2968 secp256k1_fe_add(&u, &u);
2969 CHECK(fe_equal(&t, &u));
2970
2971 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
2972 * which will also cause all carries to be 1, since all limbs that can
2973 * generate a carry are initially even and all limbs of P are odd in
2974 * every existing field implementation. */
2976 CHECK(t.n[0] > 0);
2977 CHECK((t.n[0] & 1) == 0);
2978 --t.n[0];
2979
2980 u = t;
2982#ifdef VERIFY
2983 CHECK(u.magnitude == (m >> 1) + 1);
2984 CHECK(u.normalized == 0);
2985#endif
2987 secp256k1_fe_add(&u, &u);
2988 CHECK(fe_equal(&t, &u));
2989 }
2990}
2991
2992static void run_field_misc(void) {
2993 secp256k1_fe x;
2994 secp256k1_fe y;
2995 secp256k1_fe z;
2996 secp256k1_fe q;
2997 int v;
2998 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2999 int i, j;
3000 for (i = 0; i < 1000 * COUNT; i++) {
3001 secp256k1_fe_storage xs, ys, zs;
3002 if (i & 1) {
3004 } else {
3006 }
3008 v = testrand_bits(15);
3009 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3010 secp256k1_fe_set_int(&q, v); /* q = v */
3011 z = x; /* z = x */
3012 secp256k1_fe_add(&z, &q); /* z = x+v */
3013 q = x; /* q = x */
3014 secp256k1_fe_add_int(&q, v); /* q = x+v */
3015 CHECK(fe_equal(&q, &z));
3016 /* Test the fe equality and comparison operations. */
3017 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3018 CHECK(secp256k1_fe_equal(&x, &x));
3019 z = x;
3020 secp256k1_fe_add(&z,&y);
3021 /* Test fe conditional move; z is not normalized here. */
3022 q = x;
3023 secp256k1_fe_cmov(&x, &z, 0);
3024#ifdef VERIFY
3025 CHECK(!x.normalized);
3026 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3027 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3028#endif
3029 x = q;
3030 secp256k1_fe_cmov(&x, &x, 1);
3031 CHECK(!fe_identical(&x, &z));
3032 CHECK(fe_identical(&x, &q));
3033 secp256k1_fe_cmov(&q, &z, 1);
3034#ifdef VERIFY
3035 CHECK(!q.normalized);
3036 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3037 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3038#endif
3039 CHECK(fe_identical(&q, &z));
3040 q = z;
3043 CHECK(!secp256k1_fe_equal(&x, &z));
3045 secp256k1_fe_cmov(&q, &z, (i&1));
3046#ifdef VERIFY
3047 CHECK(q.normalized && q.magnitude == 1);
3048#endif
3049 for (j = 0; j < 6; j++) {
3050 secp256k1_fe_negate_unchecked(&z, &z, j+1);
3052 secp256k1_fe_cmov(&q, &z, (j&1));
3053#ifdef VERIFY
3054 CHECK(!q.normalized && q.magnitude == z.magnitude);
3055#endif
3056 }
3058 /* Test storage conversion and conditional moves. */
3059 secp256k1_fe_to_storage(&xs, &x);
3060 secp256k1_fe_to_storage(&ys, &y);
3061 secp256k1_fe_to_storage(&zs, &z);
3062 secp256k1_fe_storage_cmov(&zs, &xs, 0);
3063 secp256k1_fe_storage_cmov(&zs, &zs, 1);
3064 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3065 secp256k1_fe_storage_cmov(&ys, &xs, 1);
3066 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3070 /* Test that mul_int, mul, and add agree. */
3071 secp256k1_fe_add(&y, &x);
3072 secp256k1_fe_add(&y, &x);
3073 z = x;
3074 secp256k1_fe_mul_int(&z, 3);
3075 CHECK(fe_equal(&y, &z));
3076 secp256k1_fe_add(&y, &x);
3077 secp256k1_fe_add(&z, &x);
3078 CHECK(fe_equal(&z, &y));
3079 z = x;
3080 secp256k1_fe_mul_int(&z, 5);
3081 secp256k1_fe_mul(&q, &x, &fe5);
3082 CHECK(fe_equal(&z, &q));
3083 secp256k1_fe_negate(&x, &x, 1);
3084 secp256k1_fe_add(&z, &x);
3085 secp256k1_fe_add(&q, &x);
3086 CHECK(fe_equal(&y, &z));
3087 CHECK(fe_equal(&q, &y));
3088 /* Check secp256k1_fe_half. */
3089 z = x;
3091 secp256k1_fe_add(&z, &z);
3092 CHECK(fe_equal(&x, &z));
3093 secp256k1_fe_add(&z, &z);
3095 CHECK(fe_equal(&x, &z));
3096 }
3097}
3098
3099static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3100{
3101 secp256k1_fe c, an, bn;
3102 /* Variables in BE 32-byte format. */
3103 unsigned char a32[32], b32[32], c32[32];
3104 /* Variables in LE 16x uint16_t format. */
3105 uint16_t a16[16], b16[16], c16[16];
3106 /* Field modulus in LE 16x uint16_t format. */
3107 static const uint16_t m16[16] = {
3108 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3109 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3110 };
3111 uint16_t t16[32];
3112 int i;
3113
3114 /* Compute C = A * B in fe format. */
3115 c = *a;
3116 if (use_sqr) {
3117 secp256k1_fe_sqr(&c, &c);
3118 } else {
3119 secp256k1_fe_mul(&c, &c, b);
3120 }
3121
3122 /* Convert A, B, C into LE 16x uint16_t format. */
3123 an = *a;
3124 bn = *b;
3128 secp256k1_fe_get_b32(a32, &an);
3129 secp256k1_fe_get_b32(b32, &bn);
3130 secp256k1_fe_get_b32(c32, &c);
3131 for (i = 0; i < 16; ++i) {
3132 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3133 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3134 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3135 }
3136 /* Compute T = A * B in LE 16x uint16_t format. */
3137 mulmod256(t16, a16, b16, m16);
3138 /* Compare */
3139 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3140}
3141
3142static void run_fe_mul(void) {
3143 int i;
3144 for (i = 0; i < 100 * COUNT; ++i) {
3145 secp256k1_fe a, b, c, d;
3154 test_fe_mul(&a, &a, 1);
3155 test_fe_mul(&c, &c, 1);
3156 test_fe_mul(&a, &b, 0);
3157 test_fe_mul(&a, &c, 0);
3158 test_fe_mul(&c, &b, 0);
3159 test_fe_mul(&c, &d, 0);
3160 }
3161}
3162
3163static void run_sqr(void) {
3164 int i;
3165 secp256k1_fe x, y, lhs, rhs, tmp;
3166
3167 secp256k1_fe_set_int(&x, 1);
3168 secp256k1_fe_negate(&x, &x, 1);
3169
3170 for (i = 1; i <= 512; ++i) {
3171 secp256k1_fe_mul_int(&x, 2);
3173
3174 /* Check that (x+y)*(x-y) = x^2 - y*2 for some random values y */
3176
3177 lhs = x;
3178 secp256k1_fe_add(&lhs, &y); /* lhs = x+y */
3179 secp256k1_fe_negate(&tmp, &y, 1); /* tmp = -y */
3180 secp256k1_fe_add(&tmp, &x); /* tmp = x-y */
3181 secp256k1_fe_mul(&lhs, &lhs, &tmp); /* lhs = (x+y)*(x-y) */
3182
3183 secp256k1_fe_sqr(&rhs, &x); /* rhs = x^2 */
3184 secp256k1_fe_sqr(&tmp, &y); /* tmp = y^2 */
3185 secp256k1_fe_negate(&tmp, &tmp, 1); /* tmp = -y^2 */
3186 secp256k1_fe_add(&rhs, &tmp); /* rhs = x^2 - y^2 */
3187
3188 CHECK(fe_equal(&lhs, &rhs));
3189 }
3190}
3191
3192static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3193 secp256k1_fe r1, r2;
3194 int v = secp256k1_fe_sqrt(&r1, a);
3195 CHECK((v == 0) == (k == NULL));
3196
3197 if (k != NULL) {
3198 /* Check that the returned root is +/- the given known answer */
3199 secp256k1_fe_negate(&r2, &r1, 1);
3200 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3203 }
3204}
3205
3206static void run_sqrt(void) {
3207 secp256k1_fe ns, x, s, t;
3208 int i;
3209
3210 /* Check sqrt(0) is 0 */
3211 secp256k1_fe_set_int(&x, 0);
3212 secp256k1_fe_sqr(&s, &x);
3213 test_sqrt(&s, &x);
3214
3215 /* Check sqrt of small squares (and their negatives) */
3216 for (i = 1; i <= 100; i++) {
3217 secp256k1_fe_set_int(&x, i);
3218 secp256k1_fe_sqr(&s, &x);
3219 test_sqrt(&s, &x);
3220 secp256k1_fe_negate(&t, &s, 1);
3221 test_sqrt(&t, NULL);
3222 }
3223
3224 /* Consistency checks for large random values */
3225 for (i = 0; i < 10; i++) {
3226 int j;
3228 for (j = 0; j < COUNT; j++) {
3230 secp256k1_fe_sqr(&s, &x);
3232 test_sqrt(&s, &x);
3233 secp256k1_fe_negate(&t, &s, 1);
3235 test_sqrt(&t, NULL);
3236 secp256k1_fe_mul(&t, &s, &ns);
3237 test_sqrt(&t, NULL);
3238 }
3239 }
3240}
3241
3242/***** FIELD/SCALAR INVERSE TESTS *****/
3243
3245 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3246 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3247);
3248
3250 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3251 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3252);
3253
3254/* These tests test the following identities:
3255 *
3256 * for x==0: 1/x == 0
3257 * for x!=0: x*(1/x) == 1
3258 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3259 */
3260
3262{
3263 secp256k1_scalar l, r, t;
3264
3265 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3266 if (out) *out = l;
3267 if (secp256k1_scalar_is_zero(x)) {
3269 return;
3270 }
3271 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3272 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3273 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3274 if (secp256k1_scalar_is_zero(&r)) return;
3275 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3276 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3277 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3278 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3279 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3280 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3281}
3282
3283static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3284{
3285 secp256k1_fe l, r, t;
3286
3287 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3288 if (out) *out = l;
3289 t = *x; /* t = x */
3292 return;
3293 }
3294 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3295 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3296 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3297 r = *x; /* r = x */
3298 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3300 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3301 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3302 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3303 secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3304 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3306}
3307
3308static void run_inverse_tests(void)
3309{
3310 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3311 static const secp256k1_fe fe_cases[][2] = {
3312 /* 0 */
3313 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3314 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3315 /* 1 */
3316 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3317 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3318 /* -1 */
3319 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3320 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3321 /* 2 */
3322 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3323 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3324 /* 2**128 */
3325 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3326 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3327 /* Input known to need 637 divsteps */
3328 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3329 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3330 /* Input known to need 567 divsteps starting with delta=1/2. */
3331 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3332 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3333 /* Input known to need 566 divsteps starting with delta=1/2. */
3334 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3335 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3336 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3337 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3338 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3339 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3340 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3341 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3342 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3343 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3344 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3345 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3346 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3347 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3348 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3349 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3350 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3351 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3352 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3353 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3354 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3355 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3356 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3357 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3358 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3359 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3360 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3361 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3362 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3363 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3364 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3365 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3366 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3367 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3368 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3369 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3370 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3371 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3372 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3373 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3374 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3375 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3376 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3377 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3378 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3379 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3380 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3381 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3382 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3383 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3384 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3385 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3386 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3387 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3388 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3389 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3390 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3391 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3392 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3393 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3394 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3395 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3396 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3397 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3398 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3399 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3400 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3401 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3402 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3403 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3404 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3405 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3406 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3407 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3408 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3409 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3410 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3411 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3412 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3413 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3414 };
3415 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3416 static const secp256k1_scalar scalar_cases[][2] = {
3417 /* 0 */
3418 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3419 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3420 /* 1 */
3421 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3422 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3423 /* -1 */
3424 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3425 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3426 /* 2 */
3427 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3428 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3429 /* 2**128 */
3430 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3431 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3432 /* Input known to need 635 divsteps */
3433 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3434 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3435 /* Input known to need 566 divsteps starting with delta=1/2. */
3436 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3437 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3438 /* Input known to need 565 divsteps starting with delta=1/2. */
3439 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3440 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3441 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3442 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3443 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3444 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3445 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3446 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3447 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3448 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3449 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3450 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3451 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3452 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3453 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3454 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3455 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3456 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3457 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3458 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3459 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3460 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3461 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3462 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3463 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3464 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3465 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3466 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3467 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3468 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3469 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3470 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3471 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3472 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3473 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3474 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3475 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3476 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3477 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3478 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3479 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3480 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3481 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3482 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3483 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3484 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3485 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3486 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3487 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3488 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3489 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3490 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3491 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3492 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3493 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3494 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3495 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3496 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3497 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3498 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3499 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3500 };
3501 int i, var, testrand;
3502 unsigned char b32[32];
3503 secp256k1_fe x_fe;
3504 secp256k1_scalar x_scalar;
3505 memset(b32, 0, sizeof(b32));
3506 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3507 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3508 for (var = 0; var <= 1; ++var) {
3509 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3510 CHECK(fe_equal(&x_fe, &fe_cases[i][1]));
3511 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3512 CHECK(fe_equal(&x_fe, &fe_cases[i][0]));
3513 }
3514 }
3515 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3516 for (var = 0; var <= 1; ++var) {
3517 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3518 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3519 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3520 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3521 }
3522 }
3523 /* Test inputs 0..999 and their respective negations. */
3524 for (i = 0; i < 1000; ++i) {
3525 b32[31] = i & 0xff;
3526 b32[30] = (i >> 8) & 0xff;
3527 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3528 secp256k1_fe_set_b32_mod(&x_fe, b32);
3529 for (var = 0; var <= 1; ++var) {
3530 test_inverse_scalar(NULL, &x_scalar, var);
3531 test_inverse_field(NULL, &x_fe, var);
3532 }
3533 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3534 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3535 for (var = 0; var <= 1; ++var) {
3536 test_inverse_scalar(NULL, &x_scalar, var);
3537 test_inverse_field(NULL, &x_fe, var);
3538 }
3539 }
3540 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3541 for (testrand = 0; testrand <= 1; ++testrand) {
3542 for (i = 0; i < 64 * COUNT; ++i) {
3543 (testrand ? testrand256_test : testrand256)(b32);
3544 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3545 secp256k1_fe_set_b32_mod(&x_fe, b32);
3546 for (var = 0; var <= 1; ++var) {
3547 test_inverse_scalar(NULL, &x_scalar, var);
3548 test_inverse_field(NULL, &x_fe, var);
3549 }
3550 }
3551 }
3552}
3553
3554/***** HSORT TESTS *****/
3555
3556static void test_heap_swap(void) {
3557 unsigned char a[600];
3558 unsigned char e[sizeof(a)];
3559 memset(a, 21, 200);
3560 memset(a + 200, 99, 200);
3561 memset(a + 400, 42, 200);
3562 memset(e, 42, 200);
3563 memset(e + 200, 99, 200);
3564 memset(e + 400, 21, 200);
3565 secp256k1_heap_swap(a, 0, 2, 200);
3566 CHECK(secp256k1_memcmp_var(a, e, sizeof(a)) == 0);
3567}
3568
3569static void test_hsort_is_sorted(unsigned char *elements, size_t n, size_t len) {
3570 size_t i;
3571 for (i = 1; i < n; i++) {
3572 CHECK(secp256k1_memcmp_var(&elements[(i-1) * len], &elements[i * len], len) <= 0);
3573 }
3574}
3575
3577 size_t counter;
3579};
3580
3581
3582static int test_hsort_cmp(const void *ele1, const void *ele2, void *data) {
3583 struct test_hsort_cmp_data *d = (struct test_hsort_cmp_data *) data;
3584 d->counter += 1;
3585 return secp256k1_memcmp_var((unsigned char *)ele1, (unsigned char *)ele2, d->element_len);
3586}
3587
3588#define NUM 65
3589#define MAX_ELEMENT_LEN 65
3590static void test_hsort(size_t element_len) {
3591 unsigned char elements[NUM * MAX_ELEMENT_LEN] = { 0 };
3593 int i;
3594
3596 data.counter = 0;
3597 data.element_len = element_len;
3598
3600 CHECK(data.counter == 0);
3602 CHECK(data.counter == 0);
3604 CHECK(data.counter >= NUM - 1);
3606
3607 /* Test hsort with array of random length n */
3608 for (i = 0; i < COUNT; i++) {
3609 int n = testrand_int(NUM);
3610 testrand_bytes_test(elements, n*element_len);
3612 test_hsort_is_sorted(elements, n, element_len);
3613 }
3614}
3615#undef NUM
3616#undef MAX_ELEMENT_LEN
3617
3618
3619static void run_hsort_tests(void) {
3621 test_hsort(1);
3622 test_hsort(64);
3623 test_hsort(65);
3624}
3625
3626/***** GROUP TESTS *****/
3627
3628/* This compares jacobian points including their Z, not just their geometric meaning. */
3629static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3630 secp256k1_gej a2;
3631 secp256k1_gej b2;
3632 int ret = 1;
3633 ret &= a->infinity == b->infinity;
3634 if (ret && !a->infinity) {
3635 a2 = *a;
3636 b2 = *b;
3643 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3644 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3645 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3646 }
3647 return ret;
3648}
3649
3650static void test_ge(void) {
3651 int i, i1;
3652 int runs = 6;
3653 /* 25 points are used:
3654 * - infinity
3655 * - for each of four random points p1 p2 p3 p4, we add the point, its
3656 * negation, and then those two again but with randomized Z coordinate.
3657 * - The same is then done for lambda*p1 and lambda^2*p1.
3658 */
3659 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3660 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3661 secp256k1_fe zf, r;
3662 secp256k1_fe zfi2, zfi3;
3663
3666 for (i = 0; i < runs; i++) {
3667 int j, k;
3670 if (i >= runs - 2) {
3671 secp256k1_ge_mul_lambda(&g, &ge[1]);
3672 CHECK(!secp256k1_ge_eq_var(&g, &ge[1]));
3673 }
3674 if (i >= runs - 1) {
3676 }
3677 ge[1 + 4 * i] = g;
3678 ge[2 + 4 * i] = g;
3679 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3680 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3681 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3682 testutil_random_ge_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3683 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3684 testutil_random_ge_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3685 for (j = 0; j < 4; j++) {
3686 testutil_random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3687 testutil_random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3688 testutil_random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3689 testutil_random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3690 testutil_random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3691 }
3692
3693 for (j = 0; j < 4; ++j) {
3694 for (k = 0; k < 4; ++k) {
3695 int expect_equal = (j >> 1) == (k >> 1);
3696 CHECK(secp256k1_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3697 CHECK(secp256k1_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal);
3698 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3699 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal);
3700 }
3701 }
3702 }
3703
3704 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3707 secp256k1_fe_inv_var(&zfi3, &zf);
3708 secp256k1_fe_sqr(&zfi2, &zfi3);
3709 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3710
3711 /* Generate random r */
3713
3714 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3715 int i2;
3716 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3717 /* Compute reference result using gej + gej (var). */
3718 secp256k1_gej refj, resj;
3719 secp256k1_ge ref;
3720 secp256k1_fe zr;
3721 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3722 /* Check Z ratio. */
3723 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3724 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3725 CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3726 }
3727 secp256k1_ge_set_gej_var(&ref, &refj);
3728
3729 /* Test gej + ge with Z ratio result (var). */
3730 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3731 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3732 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3733 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3734 CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3735 }
3736
3737 /* Test gej + ge (var, with additional Z factor). */
3738 {
3739 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3740 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3741 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3744 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3745 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3746 }
3747
3748 /* Test gej + ge (const). */
3749 if (i2 != 0) {
3750 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3751 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3752 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3753 }
3754
3755 /* Test doubling (var). */
3756 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3757 secp256k1_fe zr2;
3758 /* Normal doubling with Z ratio result. */
3759 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3760 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3761 /* Check Z ratio. */
3762 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3763 CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3764 /* Normal doubling. */
3765 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3766 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3767 /* Constant-time doubling. */
3768 secp256k1_gej_double(&resj, &gej[i2]);
3769 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3770 }
3771
3772 /* Test adding opposites. */
3773 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3775 }
3776
3777 /* Test adding infinity. */
3778 if (i1 == 0) {
3781 CHECK(secp256k1_gej_eq_ge_var(&gej[i2], &ref));
3782 }
3783 if (i2 == 0) {
3786 CHECK(secp256k1_gej_eq_ge_var(&gej[i1], &ref));
3787 }
3788 }
3789 }
3790
3791 /* Test adding all points together in random order equals infinity. */
3792 {
3794 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3795 for (i = 0; i < 4 * runs + 1; i++) {
3796 gej_shuffled[i] = gej[i];
3797 }
3798 for (i = 0; i < 4 * runs + 1; i++) {
3799 int swap = i + testrand_int(4 * runs + 1 - i);
3800 if (swap != i) {
3801 secp256k1_gej t = gej_shuffled[i];
3802 gej_shuffled[i] = gej_shuffled[swap];
3803 gej_shuffled[swap] = t;
3804 }
3805 }
3806 for (i = 0; i < 4 * runs + 1; i++) {
3807 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3808 }
3810 free(gej_shuffled);
3811 }
3812
3813 /* Test batch gej -> ge conversion without known z ratios. */
3814 {
3815 secp256k1_ge *ge_set_all_var = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3816 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3817 secp256k1_ge_set_all_gej_var(&ge_set_all_var[0], &gej[0], 4 * runs + 1);
3818 for (i = 0; i < 4 * runs + 1; i++) {
3821 secp256k1_gej_rescale(&gej[i], &s);
3822 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all_var[i]));
3823 }
3824
3825 /* Skip infinity at &gej[0]. */
3826 secp256k1_ge_set_all_gej(&ge_set_all[1], &gej[1], 4 * runs);
3827 for (i = 1; i < 4 * runs + 1; i++) {
3830 secp256k1_gej_rescale(&gej[i], &s);
3831 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all[i]));
3832 CHECK(secp256k1_ge_eq_var(&ge_set_all_var[i], &ge_set_all[i]));
3833 }
3834
3835 /* Test with an array of length 1. */
3836 secp256k1_ge_set_all_gej_var(ge_set_all_var, &gej[1], 1);
3837 secp256k1_ge_set_all_gej(ge_set_all, &gej[1], 1);
3838 CHECK(secp256k1_gej_eq_ge_var(&gej[1], &ge_set_all_var[1]));
3839 CHECK(secp256k1_gej_eq_ge_var(&gej[1], &ge_set_all[1]));
3840 CHECK(secp256k1_ge_eq_var(&ge_set_all_var[1], &ge_set_all[1]));
3841
3842 /* Test with an array of length 0. */
3843 secp256k1_ge_set_all_gej_var(NULL, NULL, 0);
3844 secp256k1_ge_set_all_gej(NULL, NULL, 0);
3845
3846 free(ge_set_all_var);
3847 free(ge_set_all);
3848 }
3849
3850 /* Test that all elements have X coordinates on the curve. */
3851 for (i = 1; i < 4 * runs + 1; i++) {
3852 secp256k1_fe n;
3854 /* And the same holds after random rescaling. */
3855 secp256k1_fe_mul(&n, &zf, &ge[i].x);
3857 }
3858
3859 /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
3860 {
3861 secp256k1_fe n;
3862 secp256k1_ge q;
3863 int ret_on_curve, ret_frac_on_curve, ret_set_xo;
3864 secp256k1_fe_mul(&n, &zf, &r);
3865 ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
3866 ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
3867 ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
3868 CHECK(ret_on_curve == ret_frac_on_curve);
3869 CHECK(ret_on_curve == ret_set_xo);
3870 if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
3871 }
3872
3873 /* Test batch gej -> ge conversion with many infinities. */
3874 for (i = 0; i < 4 * runs + 1; i++) {
3875 int odd;
3877 odd = secp256k1_fe_is_odd(&ge[i].x);
3878 CHECK(odd == 0 || odd == 1);
3879 /* randomly set half the points to infinity */
3880 if (odd == i % 2) {
3882 }
3883 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3884 }
3885 /* batch convert */
3886 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3887 /* check result */
3888 for (i = 0; i < 4 * runs + 1; i++) {
3889 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge[i]));
3890 }
3891
3892 /* Test batch gej -> ge conversion with all infinities. */
3893 for (i = 0; i < 4 * runs + 1; i++) {
3895 }
3896 /* batch convert */
3897 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3898 /* check result */
3899 for (i = 0; i < 4 * runs + 1; i++) {
3901 }
3902
3903 free(ge);
3904 free(gej);
3905}
3906
3907static void test_intialized_inf(void) {
3908 secp256k1_ge p;
3909 secp256k1_gej pj, npj, infj1, infj2, infj3;
3910 secp256k1_fe zinv;
3911
3912 /* Test that adding P+(-P) results in a fully initialized infinity*/
3914 secp256k1_gej_set_ge(&pj, &p);
3915 secp256k1_gej_neg(&npj, &pj);
3916
3917 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3919 CHECK(secp256k1_fe_is_zero(&infj1.x));
3920 CHECK(secp256k1_fe_is_zero(&infj1.y));
3921 CHECK(secp256k1_fe_is_zero(&infj1.z));
3922
3923 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3925 CHECK(secp256k1_fe_is_zero(&infj2.x));
3926 CHECK(secp256k1_fe_is_zero(&infj2.y));
3927 CHECK(secp256k1_fe_is_zero(&infj2.z));
3928
3929 secp256k1_fe_set_int(&zinv, 1);
3930 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3932 CHECK(secp256k1_fe_is_zero(&infj3.x));
3933 CHECK(secp256k1_fe_is_zero(&infj3.y));
3934 CHECK(secp256k1_fe_is_zero(&infj3.z));
3935
3936
3937}
3938
3939static void test_add_neg_y_diff_x(void) {
3940 /* The point of this test is to check that we can add two points
3941 * whose y-coordinates are negatives of each other but whose x
3942 * coordinates differ. If the x-coordinates were the same, these
3943 * points would be negatives of each other and their sum is
3944 * infinity. This is cool because it "covers up" any degeneracy
3945 * in the addition algorithm that would cause the xy coordinates
3946 * of the sum to be wrong (since infinity has no xy coordinates).
3947 * HOWEVER, if the x-coordinates are different, infinity is the
3948 * wrong answer, and such degeneracies are exposed. This is the
3949 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3950 * which this test is a regression test for.
3951 *
3952 * These points were generated in sage as
3953 *
3954 * load("secp256k1_params.sage")
3955 *
3956 * # random "bad pair"
3957 * P = C.random_element()
3958 * Q = -int(LAMBDA) * P
3959 * print(" P: %x %x" % P.xy())
3960 * print(" Q: %x %x" % Q.xy())
3961 * print("P + Q: %x %x" % (P + Q).xy())
3962 */
3964 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3965 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3966 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3967 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3968 );
3970 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3971 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3972 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3973 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3974 );
3976 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3977 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3978 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3979 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3980 );
3981 secp256k1_ge b;
3982 secp256k1_gej resj;
3983 secp256k1_ge res;
3984 secp256k1_ge_set_gej(&b, &bj);
3985
3986 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
3987 secp256k1_ge_set_gej(&res, &resj);
3988 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
3989
3990 secp256k1_gej_add_ge(&resj, &aj, &b);
3991 secp256k1_ge_set_gej(&res, &resj);
3992 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
3993
3994 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
3995 secp256k1_ge_set_gej(&res, &resj);
3996 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
3997}
3998
3999static void test_ge_bytes(void) {
4000 int i;
4001
4002 for (i = 0; i < COUNT + 1; i++) {
4003 unsigned char buf[64];
4004 secp256k1_ge p, q;
4005
4006 if (i == 0) {
4008 } else {
4010 }
4011
4012 if (!secp256k1_ge_is_infinity(&p)) {
4013 secp256k1_ge_to_bytes(buf, &p);
4014
4015 secp256k1_ge_from_bytes(&q, buf);
4016 CHECK(secp256k1_ge_eq_var(&p, &q));
4017
4019 CHECK(secp256k1_ge_eq_var(&p, &q));
4020 }
4023 CHECK(secp256k1_ge_eq_var(&p, &q));
4024 }
4025}
4026
4027static void run_ge(void) {
4028 int i;
4029 for (i = 0; i < COUNT * 32; i++) {
4030 test_ge();
4031 }
4034 test_ge_bytes();
4035}
4036
4037static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4038 secp256k1_gej t = *a;
4039 secp256k1_gej_cmov(&t, b, 0);
4041 secp256k1_gej_cmov(&t, b, 1);
4043}
4044
4045static void run_gej(void) {
4046 int i;
4047 secp256k1_gej a, b;
4048
4049 /* Tests for secp256k1_gej_cmov */
4050 for (i = 0; i < COUNT; i++) {
4053 test_gej_cmov(&a, &b);
4054
4056 test_gej_cmov(&a, &b);
4057 test_gej_cmov(&b, &a);
4058
4059 b = a;
4060 test_gej_cmov(&a, &b);
4061
4063 test_gej_cmov(&a, &b);
4064 test_gej_cmov(&b, &a);
4065 }
4066
4067 /* Tests for secp256k1_gej_eq_var */
4068 for (i = 0; i < COUNT; i++) {
4069 secp256k1_fe fe;
4072 CHECK(!secp256k1_gej_eq_var(&a, &b));
4073
4074 b = a;
4076 secp256k1_gej_rescale(&a, &fe);
4077 CHECK(secp256k1_gej_eq_var(&a, &b));
4078 }
4079}
4080
4081static void test_ec_combine(void) {
4084 const secp256k1_pubkey* d[6];
4086 secp256k1_pubkey sd2;
4087 secp256k1_gej Qj;
4088 secp256k1_ge Q;
4089 int i;
4090 for (i = 1; i <= 6; i++) {
4095 secp256k1_ge_set_gej(&Q, &Qj);
4096 secp256k1_pubkey_save(&data[i - 1], &Q);
4097 d[i - 1] = &data[i - 1];
4099 secp256k1_ge_set_gej(&Q, &Qj);
4100 secp256k1_pubkey_save(&sd, &Q);
4101 CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4102 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4103 }
4104}
4105
4106static void run_ec_combine(void) {
4107 int i;
4108 for (i = 0; i < COUNT * 8; i++) {
4110 }
4111}
4112
4114 /* The input itself, normalized. */
4115 secp256k1_fe fex = *x;
4116 /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
4117 secp256k1_ge ge_even, ge_odd;
4118 /* Return values of the above calls. */
4119 int res_even, res_odd;
4120
4122
4123 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4124 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4125
4126 CHECK(res_even == res_odd);
4127
4128 if (res_even) {
4130 secp256k1_fe_normalize_var(&ge_even.x);
4132 secp256k1_fe_normalize_var(&ge_even.y);
4133
4134 /* No infinity allowed. */
4135 CHECK(!ge_even.infinity);
4136 CHECK(!ge_odd.infinity);
4137
4138 /* Check that the x coordinates check out. */
4139 CHECK(secp256k1_fe_equal(&ge_even.x, x));
4140 CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4141
4142 /* Check odd/even Y in ge_odd, ge_even. */
4143 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4144 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4145 }
4146}
4147
4148static void run_group_decompress(void) {
4149 int i;
4150 for (i = 0; i < COUNT * 4; i++) {
4151 secp256k1_fe fe;
4154 }
4155}
4156
4157/***** ECMULT TESTS *****/
4158
4159static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4160 /* Tests the pre_g / pre_g_128 tables for consistency.
4161 * For independent verification we take a "geometric" approach to verification.
4162 * We check that every entry is on-curve.
4163 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4164 * (1) p, gg, and -q are colinear.
4165 * (2) p, gg, and -q are all distinct.
4166 * where gg is twice the generator, where the generator is the first table entry.
4167 *
4168 * Checking the table's generators are correct is done in run_ecmult_pre_g.
4169 */
4170 secp256k1_gej g2;
4171 secp256k1_ge p, q, gg;
4172 secp256k1_fe dpx, dpy, dqx, dqy;
4173 size_t i;
4174
4175 CHECK(0 < n);
4176
4177 secp256k1_ge_from_storage(&p, &pre_g[0]);
4179
4180 secp256k1_gej_set_ge(&g2, &p);
4181 secp256k1_gej_double_var(&g2, &g2, NULL);
4182 secp256k1_ge_set_gej_var(&gg, &g2);
4183 for (i = 1; i < n; ++i) {
4184 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4185 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4186 /* Check that p is not equal to gg */
4188
4189 secp256k1_ge_from_storage(&q, &pre_g[i]);
4191
4192 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4193 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4194 /* Check that -q is not equal to gg */
4196
4197 /* Check that -q is not equal to p */
4198 CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4199
4200 /* Check that p, -q and gg are colinear */
4201 secp256k1_fe_mul(&dpx, &dpx, &dqy);
4202 secp256k1_fe_mul(&dpy, &dpy, &dqx);
4203 CHECK(secp256k1_fe_equal(&dpx, &dpy));
4204
4205 p = q;
4206 }
4207}
4208
4209static void run_ecmult_pre_g(void) {
4211 secp256k1_gej gj;
4213 size_t i;
4214
4215 /* Check that the pre_g and pre_g_128 tables are consistent. */
4218
4219 /* Check the first entry from the pre_g table. */
4221 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4222
4223 /* Check the first entry from the pre_g_128 table. */
4225 for (i = 0; i < 128; ++i) {
4226 secp256k1_gej_double_var(&gj, &gj, NULL);
4227 }
4228 secp256k1_ge_set_gej(&g, &gj);
4230 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4231}
4232
4233static void run_ecmult_chain(void) {
4234 /* random starting point A (on the curve) */
4236 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4237 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4238 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4239 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4240 );
4241 /* two random initial factors xn and gn */
4243 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4244 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4245 );
4247 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4248 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4249 );
4250 /* two small multipliers to be applied to xn and gn in every iteration: */
4251 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4252 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4253 /* accumulators with the resulting coefficients to A and G */
4256 /* actual points */
4257 secp256k1_gej x;
4258 secp256k1_gej x2;
4259 int i;
4260
4261 /* the point being computed */
4262 x = a;
4263 for (i = 0; i < 200*COUNT; i++) {
4264 /* in each iteration, compute X = xn*X + gn*G; */
4265 secp256k1_ecmult(&x, &x, &xn, &gn);
4266 /* also compute ae and ge: the actual accumulated factors for A and G */
4267 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4268 secp256k1_scalar_mul(&ae, &ae, &xn);
4269 secp256k1_scalar_mul(&ge, &ge, &xn);
4270 secp256k1_scalar_add(&ge, &ge, &gn);
4271 /* modify xn and gn */
4272 secp256k1_scalar_mul(&xn, &xn, &xf);
4273 secp256k1_scalar_mul(&gn, &gn, &gf);
4274
4275 /* verify */
4276 if (i == 19999) {
4277 /* expected result after 19999 iterations */
4279 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4280 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4281 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4282 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4283 );
4284 CHECK(secp256k1_gej_eq_var(&rp, &x));
4285 }
4286 }
4287 /* redo the computation, but directly with the resulting ae and ge coefficients: */
4288 secp256k1_ecmult(&x2, &a, &ae, &ge);
4289 CHECK(secp256k1_gej_eq_var(&x, &x2));
4290}
4291
4292static void test_point_times_order(const secp256k1_gej *point) {
4293 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4296 secp256k1_gej res1, res2;
4297 secp256k1_ge res3;
4298 unsigned char pub[65];
4299 size_t psize = 65;
4301 secp256k1_scalar_negate(&nx, &x);
4302 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4303 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4304 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4306 secp256k1_ge_set_gej(&res3, &res1);
4308 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4309 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4310 psize = 65;
4311 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4312 /* check zero/one edge cases */
4314 secp256k1_ge_set_gej(&res3, &res1);
4317 secp256k1_ge_set_gej(&res3, &res1);
4318 CHECK(secp256k1_gej_eq_ge_var(point, &res3));
4320 secp256k1_ge_set_gej(&res3, &res1);
4322}
4323
4324/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4325 *
4326 * They are computed as:
4327 * - For a in [-2, -1, 0, 1, 2]:
4328 * - For b in [-3, -1, 1, 3]:
4329 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4330 */
4332 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4333 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4334 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4335 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4336 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4337 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4338 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4339 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4340 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4341 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4342 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4343 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4344 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4345 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4346 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4347 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4348 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4349 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4350 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4351 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4352};
4353
4354static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4355 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4356 secp256k1_scalar n1, n2;
4357 secp256k1_ge p;
4358 secp256k1_gej pj, p1j, p2j, ptj;
4359
4360 /* Generate random n1,n2 such that n1+n2 = -target. */
4362 secp256k1_scalar_add(&n2, &n1, target);
4363 secp256k1_scalar_negate(&n2, &n2);
4364
4365 /* Generate a random input point. */
4366 if (mode != 0) {
4368 secp256k1_gej_set_ge(&pj, &p);
4369 }
4370
4371 /* EC multiplications */
4372 if (mode == 0) {
4375 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4376 } else if (mode == 1) {
4377 secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4378 secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4379 secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4380 } else {
4381 secp256k1_ecmult_const(&p1j, &p, &n1);
4382 secp256k1_ecmult_const(&p2j, &p, &n2);
4383 secp256k1_ecmult_const(&ptj, &p, target);
4384 }
4385
4386 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4387 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4388 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4390}
4391
4393 int i;
4394 unsigned j;
4395 for (i = 0; i < 4*COUNT; ++i) {
4396 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4400 }
4401 }
4402}
4403
4404static void run_point_times_order(void) {
4405 int i;
4406 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4407 static const secp256k1_fe xr = SECP256K1_FE_CONST(
4408 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4409 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4410 );
4411 for (i = 0; i < 500; i++) {
4412 secp256k1_ge p;
4413 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4414 secp256k1_gej j;
4416 secp256k1_gej_set_ge(&j, &p);
4418 }
4419 secp256k1_fe_sqr(&x, &x);
4420 }
4422 CHECK(secp256k1_fe_equal(&x, &xr));
4423}
4424
4425static void ecmult_const_random_mult(void) {
4426 /* random starting point A (on the curve) */
4428 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4429 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4430 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4431 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4432 );
4433 /* random initial factor xn */
4435 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4436 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4437 );
4438 /* expected xn * A (from sage) */
4439 secp256k1_ge expected_b = SECP256K1_GE_CONST(
4440 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4441 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4442 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4443 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4444 );
4445 secp256k1_gej b;
4446 secp256k1_ecmult_const(&b, &a, &xn);
4447
4449 CHECK(secp256k1_gej_eq_ge_var(&b, &expected_b));
4450}
4451
4455 secp256k1_gej res1;
4456 secp256k1_gej res2;
4457 secp256k1_ge mid1;
4458 secp256k1_ge mid2;
4461
4464 secp256k1_ge_set_gej(&mid1, &res1);
4465 secp256k1_ge_set_gej(&mid2, &res2);
4466 secp256k1_ecmult_const(&res1, &mid1, &b);
4467 secp256k1_ecmult_const(&res2, &mid2, &a);
4468 secp256k1_ge_set_gej(&mid1, &res1);
4469 secp256k1_ge_set_gej(&mid2, &res2);
4470 CHECK(secp256k1_ge_eq_var(&mid1, &mid2));
4471}
4472
4475 secp256k1_scalar negone;
4476 secp256k1_gej res1;
4477 secp256k1_ge res2;
4478 secp256k1_ge point;
4479 secp256k1_ge inf;
4480
4485
4486 /* 0*point */
4489
4490 /* s*inf */
4491 secp256k1_ecmult_const(&res1, &inf, &s);
4493
4494 /* 1*point */
4496 secp256k1_ge_set_gej(&res2, &res1);
4497 CHECK(secp256k1_ge_eq_var(&res2, &point));
4498
4499 /* -1*point */
4500 secp256k1_ecmult_const(&res1, &point, &negone);
4501 secp256k1_gej_neg(&res1, &res1);
4502 secp256k1_ge_set_gej(&res2, &res1);
4503 CHECK(secp256k1_ge_eq_var(&res2, &point));
4504}
4505
4506static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) {
4507 secp256k1_gej pointj, res2j;
4508 secp256k1_ge res2;
4509 secp256k1_gej_set_ge(&pointj, A);
4510 secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero);
4511 secp256k1_ge_set_gej(&res2, &res2j);
4512 CHECK(secp256k1_gej_eq_ge_var(res, &res2));
4513}
4514
4515static void ecmult_const_edges(void) {
4517 secp256k1_ge point;
4518 secp256k1_gej res;
4519 size_t i;
4520 size_t cases = 1 + sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]);
4521
4522 /* We are trying to reach the following edge cases (variables are defined as
4523 * in ecmult_const_impl.h):
4524 * 1. i = 0: s = 0 <=> q = -K
4525 * 2. i > 0: v1, v2 large values
4526 * <=> s1, s2 large values
4527 * <=> s = scalars_near_split_bounds[i]
4528 * <=> q = 2*scalars_near_split_bounds[i] - K
4529 */
4530 for (i = 0; i < cases; ++i) {
4532 if (i > 0) {
4535 }
4537 secp256k1_ecmult_const(&res, &point, &q);
4538 ecmult_const_check_result(&point, &q, &res);
4539 }
4540}
4541
4542static void ecmult_const_mult_xonly(void) {
4543 int i;
4544
4545 /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4546 for (i = 0; i < 2*COUNT; ++i) {
4547 secp256k1_ge base;
4548 secp256k1_gej basej, resj;
4549 secp256k1_fe n, d, resx, v;
4551 int res;
4552 /* Random base point. */
4554 /* Random scalar to multiply it with. */
4556 /* If i is odd, n=d*base.x for random non-zero d */
4557 if (i & 1) {
4559 secp256k1_fe_mul(&n, &base.x, &d);
4560 } else {
4561 n = base.x;
4562 }
4563 /* Perform x-only multiplication. */
4564 res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4565 CHECK(res);
4566 /* Perform normal multiplication. */
4567 secp256k1_gej_set_ge(&basej, &base);
4568 secp256k1_ecmult(&resj, &basej, &q, NULL);
4569 /* Check that resj's X coordinate corresponds with resx. */
4570 secp256k1_fe_sqr(&v, &resj.z);
4571 secp256k1_fe_mul(&v, &v, &resx);
4572 CHECK(fe_equal(&v, &resj.x));
4573 }
4574
4575 /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4576 for (i = 0; i < 2*COUNT; ++i) {
4577 secp256k1_fe x, n, d, r;
4578 int res;
4581 /* Generate random X coordinate not on the curve. */
4582 do {
4584 } while (secp256k1_ge_x_on_curve_var(&x));
4585 /* If i is odd, n=d*x for random non-zero d. */
4586 if (i & 1) {
4588 secp256k1_fe_mul(&n, &x, &d);
4589 } else {
4590 n = x;
4591 }
4592 res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4593 CHECK(res == 0);
4594 }
4595}
4596
4598 /* Check known result (randomly generated test problem from sage) */
4600 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4601 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4602 );
4603 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4604 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4605 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4606 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4607 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4608 );
4609 secp256k1_gej point;
4610 secp256k1_ge res;
4611 int i;
4612
4614 for (i = 0; i < 100; ++i) {
4615 secp256k1_ge tmp;
4616 secp256k1_ge_set_gej(&tmp, &point);
4617 secp256k1_ecmult_const(&point, &tmp, &scalar);
4618 }
4619 secp256k1_ge_set_gej(&res, &point);
4620 CHECK(secp256k1_gej_eq_ge_var(&expected_point, &res));
4621}
4622
4623static void run_ecmult_const_tests(void) {
4630}
4631
4632typedef struct {
4636
4637static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4639 *sc = data->sc[idx];
4640 *pt = data->pt[idx];
4641 return 1;
4642}
4643
4644static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4645 (void)sc;
4646 (void)pt;
4647 (void)idx;
4648 (void)cbdata;
4649 return 0;
4650}
4651
4653 int ncount;
4654 secp256k1_scalar sc[32];
4655 secp256k1_ge pt[32];
4656 secp256k1_gej r;
4657 secp256k1_gej r2;
4659
4660 data.sc = sc;
4661 data.pt = pt;
4662
4663 /* No points to multiply */
4664 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4665
4666 /* Check 1- and 2-point multiplies against ecmult */
4667 for (ncount = 0; ncount < COUNT; ncount++) {
4668 secp256k1_ge ptg;
4669 secp256k1_gej ptgj;
4672
4674 secp256k1_gej_set_ge(&ptgj, &ptg);
4675 pt[0] = ptg;
4676 pt[1] = secp256k1_ge_const_g;
4677
4678 /* only G scalar */
4679 secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4680 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4681 CHECK(secp256k1_gej_eq_var(&r, &r2));
4682
4683 /* 1-point */
4684 secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4685 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4686 CHECK(secp256k1_gej_eq_var(&r, &r2));
4687
4688 /* Try to multiply 1 point, but callback returns false */
4689 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4690
4691 /* 2-point */
4692 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4693 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4694 CHECK(secp256k1_gej_eq_var(&r, &r2));
4695
4696 /* 2-point with G scalar */
4697 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4698 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4699 CHECK(secp256k1_gej_eq_var(&r, &r2));
4700 }
4701
4702 /* Check infinite outputs of various forms */
4703 for (ncount = 0; ncount < COUNT; ncount++) {
4704 secp256k1_ge ptg;
4705 size_t i, j;
4706 size_t sizes[] = { 2, 10, 32 };
4707
4708 for (j = 0; j < 3; j++) {
4709 for (i = 0; i < 32; i++) {
4712 }
4713 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4715 }
4716
4717 for (j = 0; j < 3; j++) {
4718 for (i = 0; i < 32; i++) {
4720 pt[i] = ptg;
4721 secp256k1_scalar_set_int(&sc[i], 0);
4722 }
4723 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4725 }
4726
4727 for (j = 0; j < 3; j++) {
4729 for (i = 0; i < 16; i++) {
4731 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4732 pt[2 * i] = ptg;
4733 pt[2 * i + 1] = ptg;
4734 }
4735
4736 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4738
4740 for (i = 0; i < 16; i++) {
4742
4743 sc[2*i] = sc[0];
4744 sc[2*i+1] = sc[0];
4745 pt[2 * i] = ptg;
4746 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4747 }
4748
4749 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4751 }
4752
4754 secp256k1_scalar_set_int(&sc[0], 0);
4755 pt[0] = ptg;
4756 for (i = 1; i < 32; i++) {
4757 pt[i] = ptg;
4758
4760 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4761 secp256k1_scalar_negate(&sc[i], &sc[i]);
4762 }
4763
4764 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4766 }
4767
4768 /* Check random points, constant scalar */
4769 for (ncount = 0; ncount < COUNT; ncount++) {
4770 size_t i;
4772
4774 for (i = 0; i < 20; i++) {
4775 secp256k1_ge ptg;
4776 sc[i] = sc[0];
4778 pt[i] = ptg;
4779 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4780 }
4781
4782 secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4783 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4784 CHECK(secp256k1_gej_eq_var(&r, &r2));
4785 }
4786
4787 /* Check random scalars, constant point */
4788 for (ncount = 0; ncount < COUNT; ncount++) {
4789 size_t i;
4790 secp256k1_ge ptg;
4791 secp256k1_gej p0j;
4794
4796 for (i = 0; i < 20; i++) {
4798 pt[i] = ptg;
4799 secp256k1_scalar_add(&rs, &rs, &sc[i]);
4800 }
4801
4802 secp256k1_gej_set_ge(&p0j, &pt[0]);
4803 secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4804 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4805 CHECK(secp256k1_gej_eq_var(&r, &r2));
4806 }
4807
4808 /* Sanity check that zero scalars don't cause problems */
4809 for (ncount = 0; ncount < 20; ncount++) {
4810 testutil_random_scalar_order(&sc[ncount]);
4811 testutil_random_ge_test(&pt[ncount]);
4812 }
4813
4814 secp256k1_scalar_set_int(&sc[0], 0);
4815 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4816 secp256k1_scalar_set_int(&sc[1], 0);
4817 secp256k1_scalar_set_int(&sc[2], 0);
4818 secp256k1_scalar_set_int(&sc[3], 0);
4819 secp256k1_scalar_set_int(&sc[4], 0);
4820 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4821 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4823
4824 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4825 {
4826 const size_t TOP = 8;
4827 size_t s0i, s1i;
4828 size_t t0i, t1i;
4829 secp256k1_ge ptg;
4830 secp256k1_gej ptgj;
4831
4833 secp256k1_gej_set_ge(&ptgj, &ptg);
4834
4835 for(t0i = 0; t0i < TOP; t0i++) {
4836 for(t1i = 0; t1i < TOP; t1i++) {
4837 secp256k1_gej t0p, t1p;
4838 secp256k1_scalar t0, t1;
4839
4840 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4841 secp256k1_scalar_cond_negate(&t0, t0i & 1);
4842 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4843 secp256k1_scalar_cond_negate(&t1, t1i & 1);
4844
4845 secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4846 secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4847
4848 for(s0i = 0; s0i < TOP; s0i++) {
4849 for(s1i = 0; s1i < TOP; s1i++) {
4850 secp256k1_scalar tmp1, tmp2;
4851 secp256k1_gej expected, actual;
4852
4853 secp256k1_ge_set_gej(&pt[0], &t0p);
4854 secp256k1_ge_set_gej(&pt[1], &t1p);
4855
4856 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4857 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4858 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4859 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4860
4861 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4862 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4863 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4864
4865 secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4866 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4867 CHECK(secp256k1_gej_eq_var(&actual, &expected));
4868 }
4869 }
4870 }
4871 }
4872 }
4873}
4874
4876 /* Large random test for ecmult_multi_* functions which exercises:
4877 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4878 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4879 * - Including or excluding an nonzero a*G term (or such a term at all).
4880 * - Final expected result equal to infinity or not (roughly 50%).
4881 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4882 */
4883
4884 /* These 4 variables define the eventual input to the ecmult_multi function.
4885 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4886 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4887 * which form its normal inputs. */
4888 int filled = 0;
4890 secp256k1_scalar scalars[128];
4891 secp256k1_gej gejs[128];
4892 /* The expected result, and the computed result. */
4893 secp256k1_gej expected, computed;
4894 /* Temporaries. */
4895 secp256k1_scalar sc_tmp;
4896 secp256k1_ge ge_tmp;
4897 /* Variables needed for the actual input to ecmult_multi. */
4898 secp256k1_ge ges[128];
4900
4901 int i;
4902 /* Which multiplication function to use */
4903 int fn = testrand_int(3);
4907 /* Simulate exponentially distributed num. */
4908 int num_bits = 2 + testrand_int(6);
4909 /* Number of (scalar, point) inputs (excluding g). */
4910 int num = testrand_int((1 << num_bits) + 1);
4911 /* Number of those which are nonzero. */
4912 int num_nonzero = testrand_int(num + 1);
4913 /* Whether we're aiming to create an input with nonzero expected result. */
4914 int nonzero_result = testrand_bits(1);
4915 /* Whether we will provide nonzero g multiplicand. In some cases our hand
4916 * is forced here based on num_nonzero and nonzero_result. */
4917 int g_nonzero = num_nonzero == 0 ? nonzero_result :
4918 num_nonzero == 1 && !nonzero_result ? 1 :
4919 (int)testrand_bits(1);
4920 /* Which g_scalar pointer to pass into ecmult_multi(). */
4921 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || testrand_bits(1)) ? &g_scalar : NULL;
4922 /* How many EC multiplications were performed in this function. */
4923 int mults = 0;
4924 /* How many randomization steps to apply to the input list. */
4925 int rands = (int)testrand_bits(3);
4926 if (rands > num_nonzero) rands = num_nonzero;
4927
4928 secp256k1_gej_set_infinity(&expected);
4930 secp256k1_scalar_set_int(&scalars[0], 0);
4931
4932 if (g_nonzero) {
4933 /* If g_nonzero, set g_scalar to nonzero value r. */
4935 if (!nonzero_result) {
4936 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4937 CHECK(num_nonzero > filled);
4939 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4940 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4941 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4942 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4943 ++filled;
4944 ++mults;
4945 }
4946 }
4947
4948 if (nonzero_result && filled < num_nonzero) {
4949 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4950 testutil_random_scalar_order_test(&scalars[filled]);
4951 testutil_random_ge_test(&ge_tmp);
4952 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4953 ++filled;
4954 }
4955
4956 if (nonzero_result) {
4957 /* Compute the expected result using normal ecmult. */
4958 CHECK(filled <= 1);
4959 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4960 mults += filled + g_nonzero;
4961 }
4962
4963 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4964 CHECK(filled <= 1 + !nonzero_result);
4965 CHECK(filled <= num_nonzero);
4966
4967 /* Add entries to scalars,gejs so that there are num of them. All the added entries
4968 * either have scalar=0 or point=infinity, so these do not change the expected result. */
4969 while (filled < num) {
4970 if (testrand_bits(1)) {
4971 secp256k1_gej_set_infinity(&gejs[filled]);
4972 testutil_random_scalar_order_test(&scalars[filled]);
4973 } else {
4974 secp256k1_scalar_set_int(&scalars[filled], 0);
4975 testutil_random_ge_test(&ge_tmp);
4976 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4977 }
4978 ++filled;
4979 }
4980
4981 /* Now perform cheapish transformations on gejs and scalars, for indices
4982 * 0..num_nonzero-1, which do not change the expected result, but may
4983 * convert some of them to be both non-0-scalar and non-infinity-point. */
4984 for (i = 0; i < rands; ++i) {
4985 int j;
4986 secp256k1_scalar v, iv;
4987 /* Shuffle the entries. */
4988 for (j = 0; j < num_nonzero; ++j) {
4989 int k = testrand_int(num_nonzero - j);
4990 if (k != 0) {
4991 secp256k1_gej gej = gejs[j];
4992 secp256k1_scalar sc = scalars[j];
4993 gejs[j] = gejs[j + k];
4994 scalars[j] = scalars[j + k];
4995 gejs[j + k] = gej;
4996 scalars[j + k] = sc;
4997 }
4998 }
4999 /* Perturb all consecutive pairs of inputs:
5000 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
5001 for (j = 0; j + 1 < num_nonzero; j += 2) {
5002 secp256k1_gej gej;
5003 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
5004 secp256k1_gej_neg(&gej, &gejs[j]);
5005 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
5006 }
5007 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
5008 CHECK(num_nonzero >= 1);
5010 secp256k1_scalar_inverse(&iv, &v);
5011 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5012 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5013 ++mults;
5014 }
5015
5016 /* Shuffle all entries (0..num-1). */
5017 for (i = 0; i < num; ++i) {
5018 int j = testrand_int(num - i);
5019 if (j != 0) {
5020 secp256k1_gej gej = gejs[i];
5021 secp256k1_scalar sc = scalars[i];
5022 gejs[i] = gejs[i + j];
5023 scalars[i] = scalars[i + j];
5024 gejs[i + j] = gej;
5025 scalars[i + j] = sc;
5026 }
5027 }
5028
5029 /* Compute affine versions of all inputs. */
5030 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5031 /* Invoke ecmult_multi code. */
5032 data.sc = scalars;
5033 data.pt = ges;
5034 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5035 mults += num_nonzero + g_nonzero;
5036 /* Compare with expected result. */
5037 CHECK(secp256k1_gej_eq_var(&computed, &expected));
5038 return mults;
5039}
5040
5043 secp256k1_ge pt;
5044 secp256k1_gej r;
5046 secp256k1_scratch *scratch_empty;
5047
5050 data.sc = &sc;
5051 data.pt = &pt;
5052
5053 /* Try to multiply 1 point, but scratch space is empty.*/
5054 scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5055 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5057}
5058
5060 int i;
5061
5063 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5064 /* Bucket_window of 8 is not used with endo */
5065 if (i == 8) {
5066 continue;
5067 }
5069 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5071 }
5072 }
5073}
5074
5080 size_t scratch_size = testrand_bits(8);
5082 secp256k1_scratch *scratch;
5083 size_t n_points_supported;
5084 int bucket_window = 0;
5085
5086 for(; scratch_size < max_size; scratch_size+=256) {
5087 size_t i;
5088 size_t total_alloc;
5089 size_t checkpoint;
5090 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5091 CHECK(scratch != NULL);
5092 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5093 n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5094 if (n_points_supported == 0) {
5096 continue;
5097 }
5098 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5099 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5100 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5101 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5103 total_alloc--;
5104 }
5105 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5108 }
5109 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5110}
5111
5113 size_t n_batches, n_batch_points, max_n_batch_points, n;
5114
5115 max_n_batch_points = 0;
5116 n = 1;
5117 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5118
5119 max_n_batch_points = 1;
5120 n = 0;
5121 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5122 CHECK(n_batches == 0);
5123 CHECK(n_batch_points == 0);
5124
5125 max_n_batch_points = 2;
5126 n = 5;
5127 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5128 CHECK(n_batches == 3);
5129 CHECK(n_batch_points == 2);
5130
5131 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5133 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5134 CHECK(n_batches == 1);
5135 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5136
5137 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5139 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5140 CHECK(n_batches == 2);
5141 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5142
5143 max_n_batch_points = 1;
5144 n = SIZE_MAX;
5145 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5146 CHECK(n_batches == SIZE_MAX);
5147 CHECK(n_batch_points == 1);
5148
5149 max_n_batch_points = 2;
5150 n = SIZE_MAX;
5151 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5152 CHECK(n_batches == SIZE_MAX/2 + 1);
5153 CHECK(n_batch_points == 2);
5154}
5155
5161 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5162 secp256k1_scalar scG;
5165 secp256k1_gej r;
5166 secp256k1_gej r2;
5168 int i;
5169 secp256k1_scratch *scratch;
5170
5172
5173 /* Get random scalars and group elements and compute result */
5175 secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5176 for(i = 0; i < n_points; i++) {
5177 secp256k1_ge ptg;
5178 secp256k1_gej ptgj;
5180 secp256k1_gej_set_ge(&ptgj, &ptg);
5181 pt[i] = ptg;
5183 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5184 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5185 }
5186 data.sc = sc;
5187 data.pt = pt;
5188 secp256k1_gej_neg(&r2, &r2);
5189
5190 /* Test with empty scratch space. It should compute the correct result using
5191 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5194 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5197
5198 /* Test with space for 1 point in pippenger. That's not enough because
5199 * ecmult_multi selects strauss which requires more memory. It should
5200 * therefore select the simple algorithm. */
5203 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5206
5207 for(i = 1; i <= n_points; i++) {
5209 int bucket_window = secp256k1_pippenger_bucket_window(i);
5210 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5212 } else {
5213 size_t scratch_size = secp256k1_strauss_scratch_size(i);
5215 }
5217 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5220 }
5221 free(sc);
5222 free(pt);
5223}
5224
5225static void run_ecmult_multi_tests(void) {
5226 secp256k1_scratch *scratch;
5227 int64_t todo = (int64_t)320 * COUNT;
5228
5231 scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5238 while (todo > 0) {
5239 todo -= test_ecmult_multi_random(scratch);
5240 }
5242
5243 /* Run test_ecmult_multi with space for exactly one point */
5247
5250}
5251
5252static void test_wnaf(const secp256k1_scalar *number, int w) {
5253 secp256k1_scalar x, two, t;
5254 int wnaf[256];
5255 int zeroes = -1;
5256 int i;
5257 int bits;
5259 secp256k1_scalar_set_int(&two, 2);
5260 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5261 CHECK(bits <= 256);
5262 for (i = bits-1; i >= 0; i--) {
5263 int v = wnaf[i];
5264 secp256k1_scalar_mul(&x, &x, &two);
5265 if (v) {
5266 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5267 zeroes=0;
5268 CHECK((v & 1) == 1); /* check non-zero elements are odd */
5269 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5270 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5271 } else {
5272 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5273 zeroes++;
5274 }
5275 if (v >= 0) {
5277 } else {
5280 }
5281 secp256k1_scalar_add(&x, &x, &t);
5282 }
5283 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5284}
5285
5286static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5287 secp256k1_scalar x, shift;
5288 int wnaf[256] = {0};
5289 int i;
5290 int skew;
5291 secp256k1_scalar num, unused;
5292
5294 secp256k1_scalar_set_int(&shift, 1 << w);
5295 /* Make num a 128-bit scalar. */
5296 secp256k1_scalar_split_128(&num, &unused, number);
5297 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5298
5299 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5301 int v = wnaf[i];
5302 CHECK(v == 0 || v & 1); /* check parity */
5303 CHECK(v > -(1 << w)); /* check range above */
5304 CHECK(v < (1 << w)); /* check range below */
5305
5306 secp256k1_scalar_mul(&x, &x, &shift);
5307 if (v >= 0) {
5309 } else {
5312 }
5313 secp256k1_scalar_add(&x, &x, &t);
5314 }
5315 /* If skew is 1 then add 1 to num */
5316 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5317 CHECK(secp256k1_scalar_eq(&x, &num));
5318}
5319
5320/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5321 * rest is 0.*/
5322static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5323 int i;
5324 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5325 CHECK(wnaf[i] == 0);
5326 }
5327 for (i = 7; i >= 0; --i) {
5328 CHECK(wnaf[i] == wnaf_expected[i]);
5329 }
5330}
5331
5332static void test_fixed_wnaf_small(void) {
5333 int w = 4;
5334 int wnaf[256] = {0};
5335 int i;
5336 int skew;
5337 secp256k1_scalar num;
5338
5339 secp256k1_scalar_set_int(&num, 0);
5340 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5341 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5342 int v = wnaf[i];
5343 CHECK(v == 0);
5344 }
5345 CHECK(skew == 0);
5346
5347 secp256k1_scalar_set_int(&num, 1);
5348 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5349 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5350 int v = wnaf[i];
5351 CHECK(v == 0);
5352 }
5353 CHECK(wnaf[0] == 1);
5354 CHECK(skew == 0);
5355
5356 {
5357 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5358 secp256k1_scalar_set_int(&num, 0xffffffff);
5359 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5360 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5361 CHECK(skew == 0);
5362 }
5363 {
5364 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5365 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5366 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5367 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5368 CHECK(skew == 1);
5369 }
5370 {
5371 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5372 secp256k1_scalar_set_int(&num, 0x01010101);
5373 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5374 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5375 CHECK(skew == 0);
5376 }
5377 {
5378 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5379 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5380 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5381 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5382 CHECK(skew == 0);
5383 }
5384}
5385
5386static void run_wnaf(void) {
5387 int i;
5389
5390 /* Test 0 for fixed wnaf */
5392 /* Random tests */
5393 for (i = 0; i < COUNT; i++) {
5395 test_wnaf(&n, 4+(i%10));
5396 test_fixed_wnaf(&n, 4 + (i % 10));
5397 }
5399 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5403}
5404
5405static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5406 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5407 *sc = *indata;
5409 CHECK(idx == 0);
5410 return 1;
5411}
5412
5414 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5415 secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5416 secp256k1_ge r;
5417 unsigned char bytes[65];
5418 size_t size = 65;
5423 secp256k1_ecmult(&rj3, &infj, &secp256k1_scalar_zero, x);
5424 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &rj4, x, NULL, NULL, 0));
5427 secp256k1_ge_set_gej_var(&r, &rj1);
5428 CHECK(secp256k1_gej_eq_ge_var(&rj2, &r));
5429 CHECK(secp256k1_gej_eq_ge_var(&rj3, &r));
5430 CHECK(secp256k1_gej_eq_ge_var(&rj4, &r));
5431 CHECK(secp256k1_gej_eq_ge_var(&rj5, &r));
5432 CHECK(secp256k1_gej_eq_ge_var(&rj6, &r));
5433 if (secp256k1_ge_is_infinity(&r)) {
5434 /* Store infinity as 0x00 */
5435 const unsigned char zerobyte[1] = {0};
5436 secp256k1_sha256_write(acc, zerobyte, 1);
5437 } else {
5438 /* Store other points using their uncompressed serialization. */
5439 secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5440 CHECK(size == 65);
5441 secp256k1_sha256_write(acc, bytes, size);
5442 }
5443}
5444
5446 /* Using test_ecmult_accumulate, test ecmult for:
5447 * - For i in 0..36:
5448 * - Key i
5449 * - Key -i
5450 * - For i in 0..255:
5451 * - For j in 1..255 (only odd values):
5452 * - Key (j*2^i) mod order
5453 */
5455 secp256k1_sha256 acc;
5456 unsigned char b32[32];
5457 int i, j;
5459
5460 /* Expected hash of all the computed points; created with an independent
5461 * implementation. */
5462 static const unsigned char expected32[32] = {
5463 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5464 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5465 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5466 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5467 };
5469 for (i = 0; i <= 36; ++i) {
5471 test_ecmult_accumulate(&acc, &x, scratch);
5473 test_ecmult_accumulate(&acc, &x, scratch);
5474 };
5475 for (i = 0; i < 256; ++i) {
5476 for (j = 1; j < 256; j += 2) {
5477 int k;
5479 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5480 test_ecmult_accumulate(&acc, &x, scratch);
5481 }
5482 }
5483 secp256k1_sha256_finalize(&acc, b32);
5484 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5485
5487}
5488
5489static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5490 /* Using test_ecmult_accumulate, test ecmult for:
5491 * - Key 0
5492 * - Key 1
5493 * - Key -1
5494 * - For i in range(iter):
5495 * - Key SHA256(LE32(prefix) || LE16(i))
5496 */
5498 secp256k1_sha256 acc;
5499 unsigned char b32[32];
5500 unsigned char inp[6];
5501 size_t i;
5503
5504 inp[0] = prefix & 0xFF;
5505 inp[1] = (prefix >> 8) & 0xFF;
5506 inp[2] = (prefix >> 16) & 0xFF;
5507 inp[3] = (prefix >> 24) & 0xFF;
5510 test_ecmult_accumulate(&acc, &x, scratch);
5512 test_ecmult_accumulate(&acc, &x, scratch);
5514 test_ecmult_accumulate(&acc, &x, scratch);
5515
5516 for (i = 0; i < iter; ++i) {
5517 secp256k1_sha256 gen;
5518 inp[4] = i & 0xff;
5519 inp[5] = (i >> 8) & 0xff;
5521 secp256k1_sha256_write(&gen, inp, sizeof(inp));
5522 secp256k1_sha256_finalize(&gen, b32);
5523 secp256k1_scalar_set_b32(&x, b32, NULL);
5524 test_ecmult_accumulate(&acc, &x, scratch);
5525 }
5526 secp256k1_sha256_finalize(&acc, b32);
5527 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5528
5530}
5531
5532static void run_ecmult_constants(void) {
5533 /* Expected hashes of all points in the tests below. Computed using an
5534 * independent implementation. */
5535 static const unsigned char expected32_6bit20[32] = {
5536 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5537 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5538 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5539 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5540 };
5541 static const unsigned char expected32_8bit8[32] = {
5542 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5543 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5544 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5545 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5546 };
5547 /* For every combination of 6 bit positions out of 256, restricted to
5548 * 20-bit windows (i.e., the first and last bit position are no more than
5549 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5550 * this test. */
5551 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5552 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5553 }
5554
5555 /* For every combination of 8 consecutive bit positions, all 256 bit
5556 * patterns occur in the input scalars used in this test. */
5557 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5558 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5559 }
5560
5561 CONDITIONAL_TEST(16, "test_ecmult_constants_2bit") {
5563 }
5564}
5565
5566static void test_ecmult_gen_blind(void) {
5567 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5568 secp256k1_scalar key;
5570 unsigned char seed32[32];
5571 secp256k1_gej pgej;
5572 secp256k1_gej pgej2;
5573 secp256k1_ge p;
5574 secp256k1_ge pge;
5576 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key);
5577 testrand256(seed32);
5582 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key);
5583 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5585 secp256k1_ge_set_gej(&pge, &pgej);
5586 CHECK(secp256k1_gej_eq_ge_var(&pgej2, &pge));
5587}
5588
5590 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5592 secp256k1_ge p1, p2;
5599 CHECK(secp256k1_ge_eq_var(&p1, &p2));
5600}
5601
5602/* Verify that ecmult_gen for scalars gn for which gn + scalar_offset = {-1,0,1}. */
5604 int i;
5605 secp256k1_gej res1, res2, res3;
5606 secp256k1_scalar gn = secp256k1_scalar_one; /* gn = 1 */
5607 secp256k1_scalar_add(&gn, &gn, &CTX->ecmult_gen_ctx.scalar_offset); /* gn = 1 + scalar_offset */
5608 secp256k1_scalar_negate(&gn, &gn); /* gn = -1 - scalar_offset */
5609
5610 for (i = -1; i < 2; ++i) {
5611 /* Run test with gn = i - scalar_offset (so that the ecmult_gen recoded value represents i). */
5613 secp256k1_ecmult(&res2, NULL, &secp256k1_scalar_zero, &gn);
5615 CHECK(secp256k1_gej_eq_var(&res1, &res2));
5616 CHECK(secp256k1_gej_eq_var(&res1, &res3));
5618 }
5619}
5620
5621static void run_ecmult_gen_blind(void) {
5622 int i;
5625 for (i = 0; i < 10; i++) {
5627 }
5628}
5629
5630/***** ENDOMORPHISH TESTS *****/
5631static void test_scalar_split(const secp256k1_scalar* full) {
5632 secp256k1_scalar s, s1, slam;
5633 const unsigned char zero[32] = {0};
5634 unsigned char tmp[32];
5635
5636 secp256k1_scalar_split_lambda(&s1, &slam, full);
5637
5638 /* check slam*lambda + s1 == full */
5640 secp256k1_scalar_add(&s, &s, &s1);
5641 CHECK(secp256k1_scalar_eq(&s, full));
5642
5643 /* check that both are <= 128 bits in size */
5644 if (secp256k1_scalar_is_high(&s1)) {
5645 secp256k1_scalar_negate(&s1, &s1);
5646 }
5647 if (secp256k1_scalar_is_high(&slam)) {
5648 secp256k1_scalar_negate(&slam, &slam);
5649 }
5650
5651 secp256k1_scalar_get_b32(tmp, &s1);
5652 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5653 secp256k1_scalar_get_b32(tmp, &slam);
5654 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5655}
5656
5657
5658static void run_endomorphism_tests(void) {
5659 unsigned i;
5660 static secp256k1_scalar s;
5668
5669 for (i = 0; i < 100U * COUNT; ++i) {
5670 secp256k1_scalar full;
5672 test_scalar_split(&full);
5673 }
5674 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5676 }
5677}
5678
5679static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5680 unsigned char pubkeyc[65];
5681 secp256k1_pubkey pubkey;
5682 secp256k1_ge ge;
5683 size_t pubkeyclen;
5684
5685 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5686 /* Smaller sizes are tested exhaustively elsewhere. */
5687 int32_t i;
5688 memcpy(&pubkeyc[1], input, 64);
5689 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5690 for (i = 0; i < 256; i++) {
5691 /* Try all type bytes. */
5692 int xpass;
5693 int ypass;
5694 int ysign;
5695 pubkeyc[0] = i;
5696 /* What sign does this point have? */
5697 ysign = (input[63] & 1) + 2;
5698 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5699 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5700 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5701 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5702 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5703 if (xpass || ypass) {
5704 /* These cases must parse. */
5705 unsigned char pubkeyo[65];
5706 size_t outl;
5707 memset(&pubkey, 0, sizeof(pubkey));
5708 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5709 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
5710 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5711 outl = 65;
5712 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5713 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5714 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5715 CHECK(outl == 33);
5716 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5717 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5718 if (ypass) {
5719 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5720 CHECK(pubkeyo[0] == ysign);
5721 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5722 memset(&pubkey, 0, sizeof(pubkey));
5723 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5724 secp256k1_pubkey_save(&pubkey, &ge);
5725 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5726 outl = 65;
5727 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5728 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5729 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5730 CHECK(outl == 65);
5731 CHECK(pubkeyo[0] == 4);
5732 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5733 }
5734 } else {
5735 /* These cases must fail to parse. */
5736 memset(&pubkey, 0xfe, sizeof(pubkey));
5737 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5738 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5739 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5740 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5741 }
5742 }
5743 }
5744}
5745
5746static void run_ec_pubkey_parse_test(void) {
5747#define SECP256K1_EC_PARSE_TEST_NVALID (12)
5748 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5749 {
5750 /* Point with leading and trailing zeros in x and y serialization. */
5751 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5753 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5754 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5755 },
5756 {
5757 /* Point with x equal to a 3rd root of unity.*/
5758 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5759 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5760 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5761 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5762 },
5763 {
5764 /* Point with largest x. (1/2) */
5765 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5766 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5767 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5768 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5769 },
5770 {
5771 /* Point with largest x. (2/2) */
5772 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5773 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5774 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5775 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5776 },
5777 {
5778 /* Point with smallest x. (1/2) */
5779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5780 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5781 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5782 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5783 },
5784 {
5785 /* Point with smallest x. (2/2) */
5786 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5787 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5788 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5789 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5790 },
5791 {
5792 /* Point with largest y. (1/3) */
5793 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5794 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5795 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5796 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5797 },
5798 {
5799 /* Point with largest y. (2/3) */
5800 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5801 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5802 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5803 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5804 },
5805 {
5806 /* Point with largest y. (3/3) */
5807 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5808 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5809 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5810 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5811 },
5812 {
5813 /* Point with smallest y. (1/3) */
5814 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5815 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5817 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5818 },
5819 {
5820 /* Point with smallest y. (2/3) */
5821 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5822 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5823 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5824 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5825 },
5826 {
5827 /* Point with smallest y. (3/3) */
5828 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5829 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5830 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5831 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5832 }
5833 };
5834#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5835 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5836 {
5837 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5838 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5839 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5840 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5841 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5842 },
5843 {
5844 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5845 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5846 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5847 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5848 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5849 },
5850 {
5851 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5852 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5853 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5854 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5855 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5856 },
5857 {
5858 /* x on curve, y is from y^2 = x^3 + 8. */
5859 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5860 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5861 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5862 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5863 }
5864 };
5865#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5866 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5867 {
5868 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5869 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5870 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5871 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5872 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5873 },
5874 {
5875 /* Valid if x overflow ignored (x = 1 mod p). */
5876 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5877 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5878 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5879 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5880 },
5881 {
5882 /* Valid if x overflow ignored (x = 1 mod p). */
5883 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5884 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5885 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5886 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5887 },
5888 {
5889 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5890 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5891 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5892 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5893 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5894 },
5895 {
5896 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5897 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5898 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5899 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5900 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5901 },
5902 {
5903 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5904 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5905 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5906 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5907 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5908 },
5909 {
5910 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5911 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5913 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5914 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5915 }
5916 };
5917 const unsigned char pubkeyc[66] = {
5918 /* Serialization of G. */
5919 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5920 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5921 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5922 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5923 0xB8, 0x00
5924 };
5925 unsigned char sout[65];
5926 unsigned char shortkey[2] = { 0 };
5927 secp256k1_ge ge;
5928 secp256k1_pubkey pubkey;
5929 size_t len;
5930 int32_t i;
5931
5932 /* Nothing should be reading this far into pubkeyc. */
5933 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
5934 /* Zero length claimed, fail, zeroize, no illegal arg error. */
5935 memset(&pubkey, 0xfe, sizeof(pubkey));
5936 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
5937 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5938 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
5939 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5940 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5941 /* Length one claimed, fail, zeroize, no illegal arg error. */
5942 for (i = 0; i < 256 ; i++) {
5943 memset(&pubkey, 0xfe, sizeof(pubkey));
5944 shortkey[0] = i;
5945 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
5946 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5947 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
5948 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5949 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5950 }
5951 /* Length two claimed, fail, zeroize, no illegal arg error. */
5952 for (i = 0; i < 65536 ; i++) {
5953 memset(&pubkey, 0xfe, sizeof(pubkey));
5954 shortkey[0] = i & 255;
5955 shortkey[1] = i >> 8;
5956 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5957 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
5958 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5959 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5960 }
5961 memset(&pubkey, 0xfe, sizeof(pubkey));
5962 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5963 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5964 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
5965 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5966 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5967 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5968 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65));
5969 /* NULL input string. Illegal arg and zeroize output. */
5970 memset(&pubkey, 0xfe, sizeof(pubkey));
5971 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5972 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65));
5973 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5974 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5975 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5976 memset(&pubkey, 0xfe, sizeof(pubkey));
5977 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5978 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
5979 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5980 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5981 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
5982 memset(&pubkey, 0xfe, sizeof(pubkey));
5983 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5984 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
5985 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5986 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5987 /* Valid parse. */
5988 memset(&pubkey, 0, sizeof(pubkey));
5989 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5990 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
5991 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
5992 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5993 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
5994 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5995 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
5996 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
5999 /* secp256k1_ec_pubkey_serialize illegal args. */
6000 len = 65;
6002 CHECK(len == 0);
6004 len = 65;
6007 SECP256K1_CHECKMEM_CHECK(sout, 65);
6008 CHECK(len == 0);
6009 len = 65;
6010 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0));
6011 CHECK(len == 0);
6012 len = 65;
6015 SECP256K1_CHECKMEM_CHECK(sout, 65);
6016 CHECK(len == 65);
6017 /* Multiple illegal args. Should still set arg error only once. */
6019 /* Try a bunch of prefabbed points with all possible encodings. */
6020 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
6021 ec_pubkey_parse_pointtest(valid[i], 1, 1);
6022 }
6023 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
6024 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
6025 }
6026 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
6027 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
6028 }
6029}
6030
6031static void run_eckey_edge_case_test(void) {
6032 const unsigned char orderc[32] = {
6033 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6034 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6035 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6036 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
6037 };
6038 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6039 unsigned char ctmp[33];
6040 unsigned char ctmp2[33];
6041 secp256k1_pubkey pubkey;
6042 secp256k1_pubkey pubkey2;
6043 secp256k1_pubkey pubkey_one;
6044 secp256k1_pubkey pubkey_negone;
6045 const secp256k1_pubkey *pubkeys[3];
6046 size_t len;
6047 /* Group order is too large, reject. */
6048 CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6049 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6050 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6051 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6052 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6053 /* Maximum value is too large, reject. */
6054 memset(ctmp, 255, 32);
6056 memset(&pubkey, 1, sizeof(pubkey));
6057 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6058 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6059 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6060 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6061 /* Zero is too small, reject. */
6062 memset(ctmp, 0, 32);
6064 memset(&pubkey, 1, sizeof(pubkey));
6065 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6066 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6067 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6068 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6069 /* One must be accepted. */
6070 ctmp[31] = 0x01;
6072 memset(&pubkey, 0, sizeof(pubkey));
6073 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6074 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6075 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6076 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6077 pubkey_one = pubkey;
6078 /* Group order + 1 is too large, reject. */
6079 memcpy(ctmp, orderc, 32);
6080 ctmp[31] = 0x42;
6082 memset(&pubkey, 1, sizeof(pubkey));
6083 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6084 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6085 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6086 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6087 /* -1 must be accepted. */
6088 ctmp[31] = 0x40;
6090 memset(&pubkey, 0, sizeof(pubkey));
6091 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6092 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6093 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6094 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6095 pubkey_negone = pubkey;
6096 /* Tweak of zero leaves the value unchanged. */
6097 memset(ctmp2, 0, 32);
6098 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6099 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6100 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6101 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6102 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6103 /* Multiply tweak of zero zeroizes the output. */
6104 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6105 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6106 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6107 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6108 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6109 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6110 seckey, the seckey is zeroized. */
6111 memcpy(ctmp, orderc, 32);
6112 memset(ctmp2, 0, 32);
6113 ctmp2[31] = 0x01;
6114 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6116 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6117 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6118 memcpy(ctmp, orderc, 32);
6119 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6120 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6121 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6122 tweak, the seckey is zeroized. */
6123 memcpy(ctmp, orderc, 32);
6124 ctmp[31] = 0x40;
6125 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6126 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6127 memcpy(ctmp, orderc, 32);
6128 ctmp[31] = 0x40;
6129 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6130 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6131 memcpy(ctmp, orderc, 32);
6132 ctmp[31] = 0x40;
6133 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6134 tweak, the pubkey is zeroized. */
6135 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6136 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6137 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6138 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6139 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6140 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6141 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6142 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6143 * case the pubkey is zeroized. */
6144 memcpy(ctmp, orderc, 32);
6145 ctmp[31] = 0x40;
6146 memset(ctmp2, 0, 32);
6147 ctmp2[31] = 1;
6148 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6149 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6150 ctmp2[31] = 1;
6151 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6152 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6153 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6154 /* Tweak computation wraps and results in a key of 1. */
6155 ctmp2[31] = 2;
6156 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6157 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6158 ctmp2[31] = 2;
6159 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6160 ctmp2[31] = 1;
6161 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6162 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6163 /* Tweak mul * 2 = 1+1. */
6164 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6165 ctmp2[31] = 2;
6166 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6167 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6168 /* Zeroize pubkey on parse error. */
6169 memset(&pubkey, 0, 32);
6171 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6172 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6173 memset(&pubkey2, 0, 32);
6175 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6176 /* Plain argument errors. */
6179 memset(ctmp2, 0, 32);
6180 ctmp2[31] = 4;
6183 memset(ctmp2, 0, 32);
6184 ctmp2[31] = 4;
6187 memset(ctmp2, 0, 32);
6190 memset(ctmp2, 0, 32);
6191 ctmp2[31] = 1;
6195 memset(&pubkey, 1, sizeof(pubkey));
6197 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6198 /* secp256k1_ec_pubkey_combine tests. */
6199 pubkeys[0] = &pubkey_one;
6200 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6201 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6202 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6203 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6205 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0));
6207 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6208 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1));
6209 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6210 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6212 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1));
6214 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6215 pubkeys[0] = &pubkey_negone;
6216 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6218 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6220 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6221 len = 33;
6223 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6224 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6225 /* Result is infinity. */
6226 pubkeys[0] = &pubkey_one;
6227 pubkeys[1] = &pubkey_negone;
6228 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6230 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6232 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6233 /* Passes through infinity but comes out one. */
6234 pubkeys[2] = &pubkey_one;
6235 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6237 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6239 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6240 len = 33;
6242 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6243 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6244 /* Adds to two. */
6245 pubkeys[1] = &pubkey_one;
6246 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6248 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6250 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6251}
6252
6253static void run_eckey_negate_test(void) {
6254 unsigned char seckey[32];
6255 unsigned char seckey_tmp[32];
6256
6258 memcpy(seckey_tmp, seckey, 32);
6259
6260 /* Verify negation changes the key and changes it back */
6261 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6262 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6263 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6264 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6265
6266 /* Negating all 0s fails */
6267 memset(seckey, 0, 32);
6268 memset(seckey_tmp, 0, 32);
6269 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6270 /* Check that seckey is not modified */
6271 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6272
6273 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6274 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6275 * doesn't just set seckey to a constant value in case of failure. */
6277 memset(seckey, 0xFF, 16);
6278 memset(seckey_tmp, 0, 32);
6279 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6280 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6281}
6282
6283static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6285 do {
6287 } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6288}
6289
6290static void test_ecdsa_sign_verify(void) {
6291 secp256k1_gej pubj;
6292 secp256k1_ge pub;
6293 secp256k1_scalar one;
6294 secp256k1_scalar msg, key;
6295 secp256k1_scalar sigr, sigs;
6296 int getrec;
6297 int recid;
6300 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key);
6301 secp256k1_ge_set_gej(&pub, &pubj);
6302 getrec = testrand_bits(1);
6303 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6304 See the commit messages of the commit that introduced this comment for details. */
6305 if (getrec) {
6306 random_sign(&sigr, &sigs, &key, &msg, &recid);
6307 CHECK(recid >= 0 && recid < 4);
6308 } else {
6309 random_sign(&sigr, &sigs, &key, &msg, NULL);
6310 }
6311 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6312 secp256k1_scalar_set_int(&one, 1);
6313 secp256k1_scalar_add(&msg, &msg, &one);
6314 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6315}
6316
6317static void run_ecdsa_sign_verify(void) {
6318 int i;
6319 for (i = 0; i < 10*COUNT; i++) {
6321 }
6322}
6323
6325static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6326 (void)msg32;
6327 (void)key32;
6328 (void)algo16;
6329 memcpy(nonce32, data, 32);
6330 return (counter == 0);
6331}
6332
6333static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6334 /* Dummy nonce generator that has a fatal error on the first counter value. */
6335 if (counter == 0) {
6336 return 0;
6337 }
6338 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6339}
6340
6341static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6342 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6343 if (counter < 3) {
6344 memset(nonce32, counter==0 ? 0 : 255, 32);
6345 if (counter == 2) {
6346 nonce32[31]--;
6347 }
6348 return 1;
6349 }
6350 if (counter < 5) {
6351 static const unsigned char order[] = {
6352 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6353 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6354 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6355 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
6356 };
6357 memcpy(nonce32, order, 32);
6358 if (counter == 4) {
6359 nonce32[31]++;
6360 }
6361 return 1;
6362 }
6363 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6364 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6365 if (counter > 5) {
6366 return 0;
6367 }
6368 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6369}
6370
6372 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6373 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6374}
6375
6376static void test_ecdsa_end_to_end(void) {
6377 unsigned char extra[32] = {0x00};
6378 unsigned char privkey[32];
6379 unsigned char message[32];
6380 unsigned char privkey2[32];
6381 secp256k1_ecdsa_signature signature[6];
6383 unsigned char sig[74];
6384 size_t siglen = 74;
6385 unsigned char pubkeyc[65];
6386 size_t pubkeyclen = 65;
6387 secp256k1_pubkey pubkey;
6388 secp256k1_pubkey pubkey_tmp;
6389 unsigned char seckey[300];
6390 size_t seckeylen = 300;
6391
6392 /* Generate a random key and message. */
6393 {
6394 secp256k1_scalar msg, key;
6397 secp256k1_scalar_get_b32(privkey, &key);
6398 secp256k1_scalar_get_b32(message, &msg);
6399 }
6400
6401 /* Construct and verify corresponding public key. */
6402 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
6403 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
6404
6405 /* Verify exporting and importing public key. */
6407 memset(&pubkey, 0, sizeof(pubkey));
6408 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
6409
6410 /* Verify negation changes the key and changes it back */
6411 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6412 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6413 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6414 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6415 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6416
6417 /* Verify private key import and export. */
6418 CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, testrand_bits(1) == 1));
6419 CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
6420 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6421
6422 /* Optionally tweak the keys using addition. */
6423 if (testrand_int(3) == 0) {
6424 int ret1;
6425 int ret2;
6426 unsigned char rnd[32];
6427 secp256k1_pubkey pubkey2;
6428 testrand256_test(rnd);
6429 ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
6430 ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
6431 CHECK(ret1 == ret2);
6432 if (ret1 == 0) {
6433 return;
6434 }
6435 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6436 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6437 }
6438
6439 /* Optionally tweak the keys using multiplication. */
6440 if (testrand_int(3) == 0) {
6441 int ret1;
6442 int ret2;
6443 unsigned char rnd[32];
6444 secp256k1_pubkey pubkey2;
6445 testrand256_test(rnd);
6446 ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
6447 ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
6448 CHECK(ret1 == ret2);
6449 if (ret1 == 0) {
6450 return;
6451 }
6452 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6453 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6454 }
6455
6456 /* Sign. */
6457 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
6458 CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
6459 CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
6460 extra[31] = 1;
6461 CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
6462 extra[31] = 0;
6463 extra[0] = 1;
6464 CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
6465 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6466 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6467 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6468 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6469 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6470 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6471 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6472 /* Verify. */
6473 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6474 CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
6475 CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
6476 CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
6477 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6478 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
6479 secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
6481 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6482 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
6483 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6484 CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6485 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6486 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6487 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6489 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6490 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6491 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6492 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6493
6494 /* Serialize/parse DER and verify again */
6495 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6496 memset(&signature[0], 0, sizeof(signature[0]));
6497 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
6498 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6499 /* Serialize/destroy/parse DER and verify again. */
6500 siglen = 74;
6501 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6502 sig[testrand_int(siglen)] += 1 + testrand_int(255);
6503 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
6504 secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
6505}
6506
6507static void test_random_pubkeys(void) {
6508 secp256k1_ge elem;
6509 secp256k1_ge elem2;
6510 unsigned char in[65];
6511 /* Generate some randomly sized pubkeys. */
6512 size_t len = testrand_bits(2) == 0 ? 65 : 33;
6513 if (testrand_bits(2) == 0) {
6514 len = testrand_bits(6);
6515 }
6516 if (len == 65) {
6517 in[0] = testrand_bits(1) ? 4 : (testrand_bits(1) ? 6 : 7);
6518 } else {
6519 in[0] = testrand_bits(1) ? 2 : 3;
6520 }
6521 if (testrand_bits(3) == 0) {
6522 in[0] = testrand_bits(8);
6523 }
6524 if (len > 1) {
6525 testrand256(&in[1]);
6526 }
6527 if (len > 33) {
6528 testrand256(&in[33]);
6529 }
6530 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6531 unsigned char out[65];
6532 unsigned char firstb;
6533 int res;
6534 size_t size = len;
6535 firstb = in[0];
6536 /* If the pubkey can be parsed, it should round-trip... */
6537 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6538 CHECK(size == len);
6539 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6540 /* ... except for the type of hybrid inputs. */
6541 if ((in[0] != 6) && (in[0] != 7)) {
6542 CHECK(in[0] == out[0]);
6543 }
6544 size = 65;
6545 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6546 CHECK(size == 65);
6547 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6548 CHECK(secp256k1_ge_eq_var(&elem2, &elem));
6549 /* Check that the X9.62 hybrid type is checked. */
6550 in[0] = testrand_bits(1) ? 6 : 7;
6551 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6552 if (firstb == 2 || firstb == 3) {
6553 if (in[0] == firstb + 4) {
6554 CHECK(res);
6555 } else {
6556 CHECK(!res);
6557 }
6558 }
6559 if (res) {
6560 CHECK(secp256k1_ge_eq_var(&elem, &elem2));
6561 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6562 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6563 }
6564 }
6565}
6566
6567static void run_pubkey_comparison(void) {
6568 unsigned char pk1_ser[33] = {
6569 0x02,
6570 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6571 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6572 };
6573 const unsigned char pk2_ser[33] = {
6574 0x02,
6575 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6576 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6577 };
6578 secp256k1_pubkey pk1;
6579 secp256k1_pubkey pk2;
6580
6581 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6582 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6583
6586 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6587 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6588 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
6589 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
6590 {
6591 secp256k1_pubkey pk_tmp;
6592 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6594 {
6595 int32_t ecount = 0;
6597 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
6598 CHECK(ecount == 2);
6600 }
6602 }
6603
6604 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6605 * an uncompressed encoding, these would have the opposite ordering */
6606 pk1_ser[0] = 3;
6607 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6608 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6609 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6610}
6611
6612static void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk) {
6613 size_t i;
6614 const secp256k1_pubkey *pk_test[5];
6615
6616 for (i = 0; i < n_pk; i++) {
6617 pk_test[i] = &pk[pk_order[i]];
6618 }
6619 secp256k1_ec_pubkey_sort(CTX, pk_test, n_pk);
6620 for (i = 0; i < n_pk; i++) {
6621 CHECK(secp256k1_memcmp_var(pk_test[i], &pk[i], sizeof(*pk_test[i])) == 0);
6622 }
6623}
6624
6625static void permute(size_t *arr, size_t n) {
6626 size_t i;
6627 for (i = n - 1; i >= 1; i--) {
6628 size_t tmp, j;
6629 j = testrand_int(i + 1);
6630 tmp = arr[i];
6631 arr[i] = arr[j];
6632 arr[j] = tmp;
6633 }
6634}
6635
6636static void test_sort_api(void) {
6637 secp256k1_pubkey pks[2];
6638 const secp256k1_pubkey *pks_ptr[2];
6639
6640 pks_ptr[0] = &pks[0];
6641 pks_ptr[1] = &pks[1];
6642
6645
6646 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1);
6648 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 0) == 1);
6649 /* Test illegal public keys */
6650 memset(&pks[0], 0, sizeof(pks[0]));
6652 memset(&pks[1], 0, sizeof(pks[1]));
6653 {
6654 int32_t ecount = 0;
6656 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1);
6657 CHECK(ecount == 2);
6659 }
6660}
6661
6662static void test_sort(void) {
6664 unsigned char pk_ser[5][33] = {
6665 { 0x02, 0x08 },
6666 { 0x02, 0x0b },
6667 { 0x02, 0x0c },
6668 { 0x03, 0x05 },
6669 { 0x03, 0x0a },
6670 };
6671 int i;
6672 size_t pk_order[5] = { 0, 1, 2, 3, 4 };
6673
6674 for (i = 0; i < 5; i++) {
6675 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk[i], pk_ser[i], sizeof(pk_ser[i])));
6676 }
6677
6678 permute(pk_order, 1);
6679 test_sort_helper(pk, pk_order, 1);
6680 permute(pk_order, 2);
6681 test_sort_helper(pk, pk_order, 2);
6682 permute(pk_order, 3);
6683 test_sort_helper(pk, pk_order, 3);
6684 for (i = 0; i < COUNT; i++) {
6685 permute(pk_order, 4);
6686 test_sort_helper(pk, pk_order, 4);
6687 }
6688 for (i = 0; i < COUNT; i++) {
6689 permute(pk_order, 5);
6690 test_sort_helper(pk, pk_order, 5);
6691 }
6692 /* Check that sorting also works for random pubkeys */
6693 for (i = 0; i < COUNT; i++) {
6694 int j;
6695 const secp256k1_pubkey *pk_ptr[5];
6696 for (j = 0; j < 5; j++) {
6698 pk_ptr[j] = &pk[j];
6699 }
6700 secp256k1_ec_pubkey_sort(CTX, pk_ptr, 5);
6701 for (j = 1; j < 5; j++) {
6702 CHECK(secp256k1_ec_pubkey_sort_cmp(&pk_ptr[j - 1], &pk_ptr[j], CTX) <= 0);
6703 }
6704 }
6705}
6706
6707/* Test vectors from BIP-MuSig2 */
6708static void test_sort_vectors(void) {
6709 enum { N_PUBKEYS = 6 };
6710 unsigned char pk_ser[N_PUBKEYS][33] = {
6711 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6712 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6713 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 },
6714 { 0x02, 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10, 0x49, 0x34,
6715 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29, 0xB5, 0x31, 0xC8, 0x45, 0x83,
6716 0x6F, 0x99, 0xB0, 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9 },
6717 { 0x03, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 0x36, 0x18,
6718 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2,
6719 0xDE, 0xCE, 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 },
6720 { 0x02, 0x35, 0x90, 0xA9, 0x4E, 0x76, 0x8F, 0x8E, 0x18, 0x15, 0xC2,
6721 0xF2, 0x4B, 0x4D, 0x80, 0xA8, 0xE3, 0x14, 0x93, 0x16, 0xC3, 0x51,
6722 0x8C, 0xE7, 0xB7, 0xAD, 0x33, 0x83, 0x68, 0xD0, 0x38, 0xCA, 0x66 },
6723 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6724 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6725 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xFF },
6726 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6727 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6728 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 }
6729 };
6730 secp256k1_pubkey pubkeys[N_PUBKEYS];
6731 secp256k1_pubkey *sorted[N_PUBKEYS];
6732 const secp256k1_pubkey *pks_ptr[N_PUBKEYS];
6733 int i;
6734
6735 sorted[0] = &pubkeys[3];
6736 sorted[1] = &pubkeys[0];
6737 sorted[2] = &pubkeys[0];
6738 sorted[3] = &pubkeys[4];
6739 sorted[4] = &pubkeys[1];
6740 sorted[5] = &pubkeys[2];
6741
6742 for (i = 0; i < N_PUBKEYS; i++) {
6743 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pk_ser[i], sizeof(pk_ser[i])));
6744 pks_ptr[i] = &pubkeys[i];
6745 }
6747 for (i = 0; i < N_PUBKEYS; i++) {
6748 CHECK(secp256k1_memcmp_var(pks_ptr[i], sorted[i], sizeof(secp256k1_pubkey)) == 0);
6749 }
6750}
6751
6752static void run_pubkey_sort(void) {
6753 test_sort_api();
6754 test_sort();
6756}
6757
6758
6759static void run_random_pubkeys(void) {
6760 int i;
6761 for (i = 0; i < 10*COUNT; i++) {
6763 }
6764}
6765
6766static void run_ecdsa_end_to_end(void) {
6767 int i;
6768 for (i = 0; i < 64*COUNT; i++) {
6770 }
6771}
6772
6773static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6774 static const unsigned char zeroes[32] = {0};
6775
6776 int ret = 0;
6777
6779 unsigned char roundtrip_der[2048];
6780 unsigned char compact_der[64];
6781 size_t len_der = 2048;
6782 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6783
6784 secp256k1_ecdsa_signature sig_der_lax;
6785 unsigned char roundtrip_der_lax[2048];
6786 unsigned char compact_der_lax[64];
6787 size_t len_der_lax = 2048;
6788 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6789
6790 parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
6791 if (parsed_der) {
6792 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
6793 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6794 }
6795 if (valid_der) {
6796 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
6797 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6798 }
6799
6800 parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
6801 if (parsed_der_lax) {
6802 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
6803 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6804 }
6805 if (valid_der_lax) {
6806 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6807 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6808 }
6809
6810 if (certainly_der) {
6811 ret |= (!parsed_der) << 2;
6812 }
6813 if (certainly_not_der) {
6814 ret |= (parsed_der) << 17;
6815 }
6816 if (valid_der) {
6817 ret |= (!roundtrips_der) << 3;
6818 }
6819
6820 if (valid_der) {
6821 ret |= (!roundtrips_der_lax) << 12;
6822 ret |= (len_der != len_der_lax) << 13;
6823 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6824 }
6825 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6826 if (parsed_der) {
6827 ret |= (!parsed_der_lax) << 16;
6828 }
6829
6830 return ret;
6831}
6832
6833static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6834 size_t i;
6835 for (i = 0; i < ptrlen; i++) {
6836 int shift = ptrlen - 1 - i;
6837 if (shift >= 4) {
6838 ptr[i] = 0;
6839 } else {
6840 ptr[i] = (val >> shift) & 0xFF;
6841 }
6842 }
6843}
6844
6845static void damage_array(unsigned char *sig, size_t *len) {
6846 int pos;
6847 int action = testrand_bits(3);
6848 if (action < 1 && *len > 3) {
6849 /* Delete a byte. */
6850 pos = testrand_int(*len);
6851 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6852 (*len)--;
6853 return;
6854 } else if (action < 2 && *len < 2048) {
6855 /* Insert a byte. */
6856 pos = testrand_int(1 + *len);
6857 memmove(sig + pos + 1, sig + pos, *len - pos);
6858 sig[pos] = testrand_bits(8);
6859 (*len)++;
6860 return;
6861 } else if (action < 4) {
6862 /* Modify a byte. */
6863 sig[testrand_int(*len)] += 1 + testrand_int(255);
6864 return;
6865 } else { /* action < 8 */
6866 /* Modify a bit. */
6867 sig[testrand_int(*len)] ^= 1 << testrand_bits(3);
6868 return;
6869 }
6870}
6871
6872static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6873 int der;
6874 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6875 size_t tlen, elen, glen;
6876 int indet;
6877 int n;
6878
6879 *len = 0;
6880 der = testrand_bits(2) == 0;
6881 *certainly_der = der;
6882 *certainly_not_der = 0;
6883 indet = der ? 0 : testrand_int(10) == 0;
6884
6885 for (n = 0; n < 2; n++) {
6886 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6887 nlow[n] = der ? 1 : (testrand_bits(3) != 0);
6888 /* The length of the number in bytes (the first byte of which will always be nonzero) */
6889 nlen[n] = nlow[n] ? testrand_int(33) : 32 + testrand_int(200) * testrand_bits(3) / 8;
6890 CHECK(nlen[n] <= 232);
6891 /* The top bit of the number. */
6892 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : testrand_bits(1));
6893 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6894 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + testrand_bits(7) : 1 + testrand_int(127));
6895 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6896 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? testrand_int(3) : testrand_int(300 - nlen[n]) * testrand_bits(3) / 8);
6897 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6898 *certainly_not_der = 1;
6899 }
6900 CHECK(nlen[n] + nzlen[n] <= 300);
6901 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6902 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6903 if (!der) {
6904 /* nlenlen[n] max 127 bytes */
6905 int add = testrand_int(127 - nlenlen[n]) * testrand_bits(4) * testrand_bits(4) / 256;
6906 nlenlen[n] += add;
6907 if (add != 0) {
6908 *certainly_not_der = 1;
6909 }
6910 }
6911 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6912 }
6913
6914 /* The total length of the data to go, so far */
6915 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6916 CHECK(tlen <= 856);
6917
6918 /* The length of the garbage inside the tuple. */
6919 elen = (der || indet) ? 0 : testrand_int(980 - tlen) * testrand_bits(3) / 8;
6920 if (elen != 0) {
6921 *certainly_not_der = 1;
6922 }
6923 tlen += elen;
6924 CHECK(tlen <= 980);
6925
6926 /* The length of the garbage after the end of the tuple. */
6927 glen = der ? 0 : testrand_int(990 - tlen) * testrand_bits(3) / 8;
6928 if (glen != 0) {
6929 *certainly_not_der = 1;
6930 }
6931 CHECK(tlen + glen <= 990);
6932
6933 /* Write the tuple header. */
6934 sig[(*len)++] = 0x30;
6935 if (indet) {
6936 /* Indeterminate length */
6937 sig[(*len)++] = 0x80;
6938 *certainly_not_der = 1;
6939 } else {
6940 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6941 if (!der) {
6942 int add = testrand_int(127 - tlenlen) * testrand_bits(4) * testrand_bits(4) / 256;
6943 tlenlen += add;
6944 if (add != 0) {
6945 *certainly_not_der = 1;
6946 }
6947 }
6948 if (tlenlen == 0) {
6949 /* Short length notation */
6950 sig[(*len)++] = tlen;
6951 } else {
6952 /* Long length notation */
6953 sig[(*len)++] = 128 + tlenlen;
6954 assign_big_endian(sig + *len, tlenlen, tlen);
6955 *len += tlenlen;
6956 }
6957 tlen += tlenlen;
6958 }
6959 tlen += 2;
6960 CHECK(tlen + glen <= 1119);
6961
6962 for (n = 0; n < 2; n++) {
6963 /* Write the integer header. */
6964 sig[(*len)++] = 0x02;
6965 if (nlenlen[n] == 0) {
6966 /* Short length notation */
6967 sig[(*len)++] = nlen[n] + nzlen[n];
6968 } else {
6969 /* Long length notation. */
6970 sig[(*len)++] = 128 + nlenlen[n];
6971 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6972 *len += nlenlen[n];
6973 }
6974 /* Write zero padding */
6975 while (nzlen[n] > 0) {
6976 sig[(*len)++] = 0x00;
6977 nzlen[n]--;
6978 }
6979 if (nlen[n] == 32 && !nlow[n]) {
6980 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6981 int i;
6982 for (i = 0; i < 16; i++) {
6983 sig[(*len)++] = 0xFF;
6984 }
6985 nlen[n] -= 16;
6986 }
6987 /* Write first byte of number */
6988 if (nlen[n] > 0) {
6989 sig[(*len)++] = nhbyte[n];
6990 nlen[n]--;
6991 }
6992 /* Generate remaining random bytes of number */
6993 testrand_bytes_test(sig + *len, nlen[n]);
6994 *len += nlen[n];
6995 nlen[n] = 0;
6996 }
6997
6998 /* Generate random garbage inside tuple. */
6999 testrand_bytes_test(sig + *len, elen);
7000 *len += elen;
7001
7002 /* Generate end-of-contents bytes. */
7003 if (indet) {
7004 sig[(*len)++] = 0;
7005 sig[(*len)++] = 0;
7006 tlen += 2;
7007 }
7008 CHECK(tlen + glen <= 1121);
7009
7010 /* Generate random garbage outside tuple. */
7011 testrand_bytes_test(sig + *len, glen);
7012 *len += glen;
7013 tlen += glen;
7014 CHECK(tlen <= 1121);
7015 CHECK(tlen == *len);
7016}
7017
7018static void run_ecdsa_der_parse(void) {
7019 int i,j;
7020 for (i = 0; i < 200 * COUNT; i++) {
7021 unsigned char buffer[2048];
7022 size_t buflen = 0;
7023 int certainly_der = 0;
7024 int certainly_not_der = 0;
7025 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
7026 CHECK(buflen <= 2048);
7027 for (j = 0; j < 16; j++) {
7028 int ret = 0;
7029 if (j > 0) {
7030 damage_array(buffer, &buflen);
7031 /* We don't know anything anymore about the DERness of the result */
7032 certainly_der = 0;
7033 certainly_not_der = 0;
7034 }
7035 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
7036 if (ret != 0) {
7037 size_t k;
7038 fprintf(stderr, "Failure %x on ", ret);
7039 for (k = 0; k < buflen; k++) {
7040 fprintf(stderr, "%02x ", buffer[k]);
7041 }
7042 fprintf(stderr, "\n");
7043 }
7044 CHECK(ret == 0);
7045 }
7046 }
7047}
7048
7049/* Tests several edge cases. */
7050static void test_ecdsa_edge_cases(void) {
7051 int t;
7053
7054 /* Test the case where ECDSA recomputes a point that is infinity. */
7055 {
7056 secp256k1_gej keyj;
7057 secp256k1_ge key;
7059 secp256k1_scalar sr, ss;
7061 secp256k1_scalar_negate(&ss, &ss);
7062 secp256k1_scalar_inverse(&ss, &ss);
7065 secp256k1_ge_set_gej(&key, &keyj);
7066 msg = ss;
7067 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7068 }
7069
7070 /* Verify signature with r of zero fails. */
7071 {
7072 const unsigned char pubkey_mods_zero[33] = {
7073 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7074 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7075 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7076 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7077 0x41
7078 };
7079 secp256k1_ge key;
7081 secp256k1_scalar sr, ss;
7085 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
7086 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
7087 }
7088
7089 /* Verify signature with s of zero fails. */
7090 {
7091 const unsigned char pubkey[33] = {
7092 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7093 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7094 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7095 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7096 0x01
7097 };
7098 secp256k1_ge key;
7100 secp256k1_scalar sr, ss;
7104 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7105 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7106 }
7107
7108 /* Verify signature with message 0 passes. */
7109 {
7110 const unsigned char pubkey[33] = {
7111 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7112 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7114 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7115 0x02
7116 };
7117 const unsigned char pubkey2[33] = {
7118 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7119 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7120 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7121 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7122 0x43
7123 };
7124 secp256k1_ge key;
7125 secp256k1_ge key2;
7127 secp256k1_scalar sr, ss;
7131 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7132 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7133 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7134 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7135 secp256k1_scalar_negate(&ss, &ss);
7136 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7137 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7139 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7140 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7141 }
7142
7143 /* Verify signature with message 1 passes. */
7144 {
7145 const unsigned char pubkey[33] = {
7146 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
7147 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
7148 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
7149 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
7150 0x25
7151 };
7152 const unsigned char pubkey2[33] = {
7153 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
7154 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
7155 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
7156 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
7157 0x62
7158 };
7159 const unsigned char csr[32] = {
7160 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7161 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7162 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7163 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
7164 };
7165 secp256k1_ge key;
7166 secp256k1_ge key2;
7168 secp256k1_scalar sr, ss;
7171 secp256k1_scalar_set_b32(&sr, csr, NULL);
7172 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7173 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7174 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7175 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7176 secp256k1_scalar_negate(&ss, &ss);
7177 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7178 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7181 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7182 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7183 }
7184
7185 /* Verify signature with message -1 passes. */
7186 {
7187 const unsigned char pubkey[33] = {
7188 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
7189 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
7190 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
7191 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
7192 0xf1
7193 };
7194 const unsigned char csr[32] = {
7195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7196 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7197 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7198 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
7199 };
7200 secp256k1_ge key;
7202 secp256k1_scalar sr, ss;
7206 secp256k1_scalar_set_b32(&sr, csr, NULL);
7207 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7208 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7209 secp256k1_scalar_negate(&ss, &ss);
7210 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7213 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7214 }
7215
7216 /* Signature where s would be zero. */
7217 {
7218 secp256k1_pubkey pubkey;
7219 size_t siglen;
7220 unsigned char signature[72];
7221 static const unsigned char nonce[32] = {
7222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7224 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7226 };
7227 static const unsigned char nonce2[32] = {
7228 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
7229 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
7230 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
7231 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
7232 };
7233 const unsigned char key[32] = {
7234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7236 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7237 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7238 };
7239 unsigned char msg[32] = {
7240 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
7241 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
7242 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
7243 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
7244 };
7246 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
7247 msg[31] = 0xaa;
7252 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
7253 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
7254 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey));
7255 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey));
7257 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
7259 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7260 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey));
7261 siglen = 72;
7264 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL));
7265 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
7266 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen));
7268 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
7269 siglen = 10;
7270 /* Too little room for a signature does not fail via ARGCHECK. */
7271 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
7278 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1);
7279 memset(signature, 255, 64);
7280 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0);
7281 }
7282
7283 /* Nonce function corner cases. */
7284 for (t = 0; t < 2; t++) {
7285 static const unsigned char zero[32] = {0x00};
7286 int i;
7287 unsigned char key[32];
7288 unsigned char msg[32];
7290 secp256k1_scalar sr[512], ss;
7291 const unsigned char *extra;
7292 extra = t == 0 ? NULL : zero;
7293 memset(msg, 0, 32);
7294 msg[31] = 1;
7295 /* High key results in signature failure. */
7296 memset(key, 0xFF, 32);
7297 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7299 /* Zero key results in signature failure. */
7300 memset(key, 0, 32);
7301 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7303 /* Nonce function failure results in signature failure. */
7304 key[31] = 1;
7305 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7307 /* The retry loop successfully makes its way to the first good value. */
7308 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7309 CHECK(!is_empty_signature(&sig));
7310 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7311 CHECK(!is_empty_signature(&sig2));
7312 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7313 /* The default nonce function is deterministic. */
7314 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7315 CHECK(!is_empty_signature(&sig2));
7316 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7317 /* The default nonce function changes output with different messages. */
7318 for(i = 0; i < 256; i++) {
7319 int j;
7320 msg[0] = i;
7321 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7322 CHECK(!is_empty_signature(&sig2));
7323 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7324 for (j = 0; j < i; j++) {
7325 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7326 }
7327 }
7328 msg[0] = 0;
7329 msg[31] = 2;
7330 /* The default nonce function changes output with different keys. */
7331 for(i = 256; i < 512; i++) {
7332 int j;
7333 key[0] = i - 256;
7334 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7335 CHECK(!is_empty_signature(&sig2));
7336 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7337 for (j = 0; j < i; j++) {
7338 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7339 }
7340 }
7341 key[0] = 0;
7342 }
7343
7344 {
7345 /* Check that optional nonce arguments do not have equivalent effect. */
7346 const unsigned char zeros[32] = {0};
7347 unsigned char nonce[32];
7348 unsigned char nonce2[32];
7349 unsigned char nonce3[32];
7350 unsigned char nonce4[32];
7352 SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
7353 SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
7354 SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
7355 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7357 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7358 SECP256K1_CHECKMEM_CHECK(nonce2,32);
7359 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7360 SECP256K1_CHECKMEM_CHECK(nonce3,32);
7361 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7362 SECP256K1_CHECKMEM_CHECK(nonce4,32);
7363 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7364 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7365 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7366 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7367 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7368 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7369 }
7370
7371
7372 /* Privkey export where pubkey is the point at infinity. */
7373 {
7374 unsigned char privkey[300];
7375 unsigned char seckey[32] = {
7376 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7377 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
7378 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
7379 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
7380 };
7381 size_t outlen = 300;
7382 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
7383 outlen = 300;
7384 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
7385 }
7386}
7387
7388static void run_ecdsa_edge_cases(void) {
7390}
7391
7396static void test_ecdsa_wycheproof(void) {
7398
7399 int t;
7401 secp256k1_ecdsa_signature signature;
7402 secp256k1_sha256 hasher;
7403 secp256k1_pubkey pubkey;
7404 const unsigned char *msg, *sig, *pk;
7405 unsigned char out[32] = {0};
7406 int actual_verify = 0;
7407
7408 memset(&pubkey, 0, sizeof(pubkey));
7410 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);
7411
7414 secp256k1_sha256_write(&hasher, msg, testvectors[t].msg_len);
7416
7417 sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset];
7418 if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
7419 actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
7420 }
7421 CHECK(testvectors[t].expected_verify == actual_verify);
7422 }
7423}
7424
7425/* Tests cases from Wycheproof test suite. */
7426static void run_ecdsa_wycheproof(void) {
7428}
7429
7430#ifdef ENABLE_MODULE_ECDH
7431# include "modules/ecdh/tests_impl.h"
7432#endif
7433
7434#ifdef ENABLE_MODULE_RECOVERY
7436#endif
7437
7438#ifdef ENABLE_MODULE_EXTRAKEYS
7440#endif
7441
7442#ifdef ENABLE_MODULE_SCHNORRSIG
7444#endif
7445
7446#ifdef ENABLE_MODULE_MUSIG
7448#endif
7449
7450#ifdef ENABLE_MODULE_ELLSWIFT
7452#endif
7453
7455 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7456 unsigned char buf2[sizeof(buf1)];
7457
7458 /* secp256k1_memczero(..., ..., 0) is a noop. */
7459 memcpy(buf2, buf1, sizeof(buf1));
7460 secp256k1_memczero(buf1, sizeof(buf1), 0);
7461 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7462
7463 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7464 memset(buf2, 0, sizeof(buf2));
7465 secp256k1_memczero(buf1, sizeof(buf1) , 1);
7466 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7467}
7468
7469
7471 unsigned char buf1[3] = {0, 1};
7472 unsigned char buf2[3] = {1, 0};
7473
7474 CHECK(secp256k1_is_zero_array(buf1, 0) == 1);
7475 CHECK(secp256k1_is_zero_array(buf1, 1) == 1);
7476 CHECK(secp256k1_is_zero_array(buf1, 2) == 0);
7477 CHECK(secp256k1_is_zero_array(buf2, 1) == 0);
7478 CHECK(secp256k1_is_zero_array(buf2, 2) == 0);
7479}
7480
7482 {
7483 const uint32_t x = 0xFF03AB45;
7484 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7485 unsigned char buf[4];
7486 uint32_t x_;
7487
7488 secp256k1_write_be32(buf, x);
7489 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7490
7491 x_ = secp256k1_read_be32(buf);
7492 CHECK(x == x_);
7493 }
7494
7495 {
7496 const uint64_t x = 0xCAFE0123BEEF4567;
7497 const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67};
7498 unsigned char buf[8];
7499 uint64_t x_;
7500
7501 secp256k1_write_be64(buf, x);
7502 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7503
7504 x_ = secp256k1_read_be64(buf);
7505 CHECK(x == x_);
7506 }
7507}
7508
7509static void int_cmov_test(void) {
7510 int r = INT_MAX;
7511 int a = 0;
7512
7513 secp256k1_int_cmov(&r, &a, 0);
7514 CHECK(r == INT_MAX);
7515
7516 r = 0; a = INT_MAX;
7517 secp256k1_int_cmov(&r, &a, 1);
7518 CHECK(r == INT_MAX);
7519
7520 a = 0;
7521 secp256k1_int_cmov(&r, &a, 1);
7522 CHECK(r == 0);
7523
7524 a = 1;
7525 secp256k1_int_cmov(&r, &a, 1);
7526 CHECK(r == 1);
7527
7528 r = 1; a = 0;
7529 secp256k1_int_cmov(&r, &a, 0);
7530 CHECK(r == 1);
7531
7532}
7533
7534static void fe_cmov_test(void) {
7535 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7536 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7537 static const secp256k1_fe max = SECP256K1_FE_CONST(
7538 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7539 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7540 );
7541 secp256k1_fe r = max;
7542 secp256k1_fe a = zero;
7543
7544 secp256k1_fe_cmov(&r, &a, 0);
7545 CHECK(fe_identical(&r, &max));
7546
7547 r = zero; a = max;
7548 secp256k1_fe_cmov(&r, &a, 1);
7549 CHECK(fe_identical(&r, &max));
7550
7551 a = zero;
7552 secp256k1_fe_cmov(&r, &a, 1);
7553 CHECK(fe_identical(&r, &zero));
7554
7555 a = one;
7556 secp256k1_fe_cmov(&r, &a, 1);
7557 CHECK(fe_identical(&r, &one));
7558
7559 r = one; a = zero;
7560 secp256k1_fe_cmov(&r, &a, 0);
7561 CHECK(fe_identical(&r, &one));
7562}
7563
7564static void fe_storage_cmov_test(void) {
7565 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7566 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7568 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7569 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7570 );
7571 secp256k1_fe_storage r = max;
7572 secp256k1_fe_storage a = zero;
7573
7574 secp256k1_fe_storage_cmov(&r, &a, 0);
7575 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7576
7577 r = zero; a = max;
7578 secp256k1_fe_storage_cmov(&r, &a, 1);
7579 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7580
7581 a = zero;
7582 secp256k1_fe_storage_cmov(&r, &a, 1);
7583 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7584
7585 a = one;
7586 secp256k1_fe_storage_cmov(&r, &a, 1);
7587 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7588
7589 r = one; a = zero;
7590 secp256k1_fe_storage_cmov(&r, &a, 0);
7591 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7592}
7593
7594static void scalar_cmov_test(void) {
7595 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7596 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
7597 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
7598 );
7599 secp256k1_scalar r = max;
7601
7602 secp256k1_scalar_cmov(&r, &a, 0);
7603 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7604
7605 r = secp256k1_scalar_zero; a = max;
7606 secp256k1_scalar_cmov(&r, &a, 1);
7607 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7608
7610 secp256k1_scalar_cmov(&r, &a, 1);
7611 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0);
7612
7614 secp256k1_scalar_cmov(&r, &a, 1);
7615 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7616
7618 secp256k1_scalar_cmov(&r, &a, 0);
7619 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7620}
7621
7622static void ge_storage_cmov_test(void) {
7623 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7624 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7626 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7627 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7628 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7629 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7630 );
7631 secp256k1_ge_storage r = max;
7632 secp256k1_ge_storage a = zero;
7633
7634 secp256k1_ge_storage_cmov(&r, &a, 0);
7635 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7636
7637 r = zero; a = max;
7638 secp256k1_ge_storage_cmov(&r, &a, 1);
7639 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7640
7641 a = zero;
7642 secp256k1_ge_storage_cmov(&r, &a, 1);
7643 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7644
7645 a = one;
7646 secp256k1_ge_storage_cmov(&r, &a, 1);
7647 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7648
7649 r = one; a = zero;
7650 secp256k1_ge_storage_cmov(&r, &a, 0);
7651 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7652}
7653
7654static void run_cmov_tests(void) {
7655 int_cmov_test();
7656 fe_cmov_test();
7660}
7661
7662int main(int argc, char **argv) {
7663 /* Disable buffering for stdout to improve reliability of getting
7664 * diagnostic information. Happens right at the start of main because
7665 * setbuf must be used before any other operation on the stream. */
7666 setbuf(stdout, NULL);
7667 /* Also disable buffering for stderr because it's not guaranteed that it's
7668 * unbuffered on all systems. */
7669 setbuf(stderr, NULL);
7670
7671 /* find iteration count */
7672 if (argc > 1) {
7673 COUNT = strtol(argv[1], NULL, 0);
7674 } else {
7675 const char* env = getenv("SECP256K1_TEST_ITERS");
7676 if (env && strlen(env) > 0) {
7677 COUNT = strtol(env, NULL, 0);
7678 }
7679 }
7680 if (COUNT <= 0) {
7681 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7682 return EXIT_FAILURE;
7683 }
7684 printf("test count = %i\n", COUNT);
7685
7686 /* run test RNG tests (must run before we really initialize the test RNG) */
7688
7689 /* find random seed */
7690 testrand_init(argc > 2 ? argv[2] : NULL);
7691
7692 /*** Setup test environment ***/
7693
7694 /* Create a global context available to all tests */
7696 /* Randomize the context only with probability 15/16
7697 to make sure we test without context randomization from time to time.
7698 TODO Reconsider this when recalibrating the tests. */
7699 if (testrand_bits(4)) {
7700 unsigned char rand32[32];
7701 testrand256(rand32);
7703 }
7704 /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
7705 that write to the context. The API does not support cloning the static context, so we use
7706 memcpy instead. The user is not supposed to copy a context but we should still ensure that
7707 the API functions handle copies of the static context gracefully. */
7708 STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
7709 CHECK(STATIC_CTX != NULL);
7712
7713 /*** Run actual tests ***/
7714
7715 /* selftest tests */
7717
7718 /* context tests */
7722
7723 /* scratch tests */
7725
7726 /* integer arithmetic tests */
7727#ifdef SECP256K1_WIDEMUL_INT128
7728 run_int128_tests();
7729#endif
7730 run_ctz_tests();
7733
7734 /* sorting tests */
7736
7737 /* hash tests */
7743
7744 /* scalar tests */
7746
7747 /* field tests */
7752 run_fe_mul();
7753 run_sqr();
7754 run_sqrt();
7755
7756 /* group tests */
7757 run_ge();
7758 run_gej();
7760
7761 /* ecmult tests */
7763 run_wnaf();
7772
7773 /* endomorphism tests */
7775
7776 /* EC point parser test */
7778
7779 /* EC key edge cases */
7781
7782 /* EC key arithmetic test */
7784
7785#ifdef ENABLE_MODULE_ECDH
7786 /* ecdh tests */
7788#endif
7789
7790 /* ecdsa tests */
7800
7801#ifdef ENABLE_MODULE_RECOVERY
7802 /* ECDSA pubkey recovery tests */
7804#endif
7805
7806#ifdef ENABLE_MODULE_EXTRAKEYS
7808#endif
7809
7810#ifdef ENABLE_MODULE_SCHNORRSIG
7812#endif
7813
7814#ifdef ENABLE_MODULE_MUSIG
7816#endif
7817
7818#ifdef ENABLE_MODULE_ELLSWIFT
7820#endif
7821
7822 /* util tests */
7826
7828
7829 /*** Tear down test environment ***/
7830 free(STATIC_CTX);
7832
7834
7835 printf("no problems found\n");
7836 return EXIT_SUCCESS;
7837}
int ret
int flags
Definition: bitcoin-tx.cpp:529
return EXIT_SUCCESS
#define SECP256K1_CHECKMEM_UNDEFINE(p, len)
Definition: checkmem.h:90
#define SECP256K1_CHECKMEM_CHECK(p, len)
Definition: checkmem.h:92
static void run_ecdh_tests(void)
Definition: tests_impl.h:185
static const wycheproof_ecdh_testvector testvectors[SECP256K1_ECDH_WYCHEPROOF_NUMBER_TESTVECTORS]
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
static const unsigned char wycheproof_ecdsa_signatures[]
static const unsigned char wycheproof_ecdsa_public_keys[]
static const unsigned char wycheproof_ecdsa_messages[]
#define SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
static const secp256k1_scalar secp256k1_ecmult_const_K
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:610
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:727
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:406
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:421
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:162
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:361
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:581
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:718
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:788
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:648
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:806
void run_ellswift_tests(void)
Definition: tests_impl.h:179
volatile double sum
Definition: examples.cpp:10
static void run_extrakeys_tests(void)
Definition: tests_impl.h:470
#define N_PUBKEYS
Definition: tests_impl.h:251
#define secp256k1_fe_cmov
Definition: field.h:95
#define secp256k1_fe_negate(r, a, m)
Negate a field element.
Definition: field.h:211
#define secp256k1_fe_mul_int(r, a)
Multiply a field element with a small integer.
Definition: field.h:233
#define secp256k1_fe_normalizes_to_zero_var
Definition: field.h:82
#define secp256k1_fe_cmp_var
Definition: field.h:86
#define secp256k1_fe_normalize_weak
Definition: field.h:79
#define secp256k1_fe_is_odd
Definition: field.h:85
#define secp256k1_fe_mul
Definition: field.h:93
static const secp256k1_fe secp256k1_fe_one
Definition: field.h:68
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
#define secp256k1_fe_add
Definition: field.h:92
#define secp256k1_fe_normalize_var
Definition: field.h:80
#define secp256k1_fe_half
Definition: field.h:101
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p.
Definition: field.h:66
#define secp256k1_fe_to_storage
Definition: field.h:96
#define secp256k1_fe_inv_var
Definition: field.h:99
#define secp256k1_fe_is_zero
Definition: field.h:84
#define secp256k1_fe_set_b32_limit
Definition: field.h:88
#define secp256k1_fe_is_square_var
Definition: field.h:103
#define secp256k1_fe_get_bounds
Definition: field.h:100
#define secp256k1_fe_from_storage
Definition: field.h:97
#define secp256k1_fe_set_b32_mod
Definition: field.h:87
#define secp256k1_fe_negate_unchecked
Definition: field.h:90
#define secp256k1_fe_get_b32
Definition: field.h:89
#define secp256k1_fe_normalizes_to_zero
Definition: field.h:81
#define secp256k1_fe_inv
Definition: field.h:98
#define secp256k1_fe_sqr
Definition: field.h:94
#define secp256k1_fe_normalize
Definition: field.h:78
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
#define secp256k1_fe_add_int
Definition: field.h:102
#define secp256k1_fe_set_int
Definition: field.h:83
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:54
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
static int secp256k1_ge_eq_var(const secp256k1_ge *a, const secp256k1_ge *b)
Check two group elements (affine) for equality in variable time.
static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x)
Determine whether x is a valid X coordinate on the curve.
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
static void secp256k1_ge_to_bytes_ext(unsigned char *data, const secp256k1_ge *ge)
Convert a group element (that is allowed to be infinity) to a 64-byte array.
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static int secp256k1_gej_eq_ge_var(const secp256k1_gej *a, const secp256k1_ge *b)
Check two group elements (jacobian and affine) for equality in variable time.
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
static void secp256k1_ge_from_bytes_ext(secp256k1_ge *ge, const unsigned char *data)
Convert a 64-byte array into a group element.
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd)
Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static void secp256k1_ge_set_all_gej(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set group elements r[0:len] (affine) equal to group elements a[0:len] (jacobian).
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set group elements r[0:len] (affine) equal to group elements a[0:len] (jacobian).
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
static void secp256k1_ge_to_bytes(unsigned char *buf, const secp256k1_ge *a)
Convert a group element that is not infinity to a 64-byte array.
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static void secp256k1_ge_from_bytes(secp256k1_ge *r, const unsigned char *buf)
Convert a 64-byte array into group element.
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:72
static void secp256k1_hsort(void *ptr, size_t count, size_t size, int(*cmp)(const void *, const void *, void *), void *cmp_data)
static SECP256K1_INLINE void secp256k1_heap_swap(unsigned char *arr, size_t i, size_t j, size_t stride)
Definition: hsort_impl.h:34
int128_t secp256k1_int128
Definition: int128_native.h:17
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
static void pool cs
unsigned int nonce
Definition: miner_tests.cpp:74
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static void run_musig_tests(void)
Definition: tests_impl.h:1119
static int sign(const secp256k1_context *ctx, struct signer_secrets *signer_secrets, struct signer *signer, const secp256k1_musig_keyagg_cache *cache, const unsigned char *msg32, unsigned char *sig64)
Definition: musig.c:106
static const auto ZERO
A stack consisting of a single zero-length element (interpreted as 0 by the script interpreter in num...
Definition: miniscript.h:331
Internal SHA-1 implementation.
Definition: sha1.cpp:16
static std::vector< std::string > split(const std::string &str, const std::string &delims=" \t")
Definition: subprocess.h:317
void printf(FormatStringCheck< sizeof...(Args)> fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1096
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
#define WINDOW_G
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:45
static void run_recovery_tests(void)
Definition: tests_impl.h:327
const char * prefix
Definition: rest.cpp:1009
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a)
Multiply a scalar with the multiplicative inverse of 2.
static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*2^128 = k.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits (1 < count <= 32) from a scalar.
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
static uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits (1 < count <= 32) from a scalar.
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:83
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:968
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:382
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:255
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:285
#define ALIGNMENT
Definition: util.h:176
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:102
static SECP256K1_INLINE int secp256k1_is_zero_array(const unsigned char *s, size_t len)
Definition: util.h:270
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:400
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:364
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:408
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char *p, uint64_t x)
Definition: util.h:428
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:97
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:353
#define VERIFY_CHECK(cond)
Definition: util.h:159
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:341
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char *p)
Definition: util.h:416
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:162
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:208
const secp256k1_context *const secp256k1_context_no_precomp
Definition: secp256k1.c:75
static void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Definition: secp256k1.c:228
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:82
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:359
static secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Definition: secp256k1.c:223
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:240
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:246
static int secp256k1_ec_pubkey_sort_cmp(const void *pk1, const void *pk2, void *ctx)
Definition: secp256k1.c:317
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:471
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:345
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:187
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:704
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:206
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:747
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:757
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:622
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:385
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:268
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:211
SECP256K1_API int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:637
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:291
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an elliptic curve secret key.
Definition: secp256k1.c:580
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:141
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:199
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:566
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:250
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:202
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:369
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:86
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:604
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:212
struct secp256k1_pubkey secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:450
SECP256K1_API int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:783
SECP256K1_API const secp256k1_context *const secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:233
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:431
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:163
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:687
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:213
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:406
struct secp256k1_ecdsa_signature secp256k1_ecdsa_signature
Opaque data structure that holds a parsed ECDSA signature.
SECP256K1_API int secp256k1_ec_pubkey_sort(const secp256k1_context *ctx, const secp256k1_pubkey **pubkeys, size_t n_pubkeys) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Sort public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:323
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:205
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:664
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:724
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:418
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:112
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:176
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:118
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:92
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:152
secp256k1_scalar * sc
Definition: tests.c:4633
secp256k1_ge * pt
Definition: tests.c:4634
void(* fn)(const char *text, void *data)
Definition: util.h:88
const void * data
Definition: util.h:89
secp256k1_callback illegal_callback
Definition: secp256k1.c:63
secp256k1_callback error_callback
Definition: secp256k1.c:64
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:62
Opaque data structure that holds a parsed ECDSA signature.
Definition: secp256k1.h:74
secp256k1_scalar scalar_offset
Definition: ecmult_gen.h:127
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
uint32_t n[10]
Definition: field_10x26.h:22
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
int infinity
Definition: group.h:19
secp256k1_fe x
Definition: group.h:17
secp256k1_fe y
Definition: group.h:18
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_fe y
Definition: group.h:30
secp256k1_fe x
Definition: group.h:29
int infinity
Definition: group.h:32
secp256k1_fe z
Definition: group.h:31
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
uint64_t bytes
Definition: hash.h:16
uint32_t s[8]
Definition: hash.h:14
size_t element_len
Definition: tests.c:3578
static void testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
static uint32_t testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
static SECP256K1_INLINE void testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
static void testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
static void testrand_finish(void)
Print final test information.
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
static void run_random_pubkeys(void)
Definition: tests.c:6759
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:70
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5252
static void run_inverse_tests(void)
Definition: tests.c:3308
static void counting_callback_fn(const char *str, void *data)
Definition: tests.c:81
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:844
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5679
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6290
static void test_ge(void)
Definition: tests.c:3650
#define CHECK_ERROR_VOID(ctx, expr_or_stmt)
Definition: tests.c:68
static void run_pubkey_comparison(void)
Definition: tests.c:6567
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6317
static void run_field_misc(void)
Definition: tests.c:2992
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5589
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5746
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:189
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6283
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6333
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6341
#define SECP256K1_EC_PARSE_TEST_NINVALID
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4875
static int COUNT
Definition: tests.c:40
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:742
static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar *q, const secp256k1_gej *res)
Definition: tests.c:4506
static void test_sort(void)
Definition: tests.c:6662
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:78
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3629
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:124
static void run_tagged_sha256_tests(void)
Definition: tests.c:698
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:544
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5322
static int test_hsort_cmp(const void *ele1, const void *ele2, void *data)
Definition: tests.c:3582
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:44
static void test_intialized_inf(void)
Definition: tests.c:3907
static void test_fixed_wnaf_small(void)
Definition: tests.c:5332
int main(int argc, char **argv)
Definition: tests.c:7662
static void run_ecmult_const_tests(void)
Definition: tests.c:4623
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2936
#define SECP256K1_EC_PARSE_TEST_NVALID
static void run_eckey_edge_case_test(void)
Definition: tests.c:6031
static void run_pubkey_sort(void)
Definition: tests.c:6752
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2824
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7481
static void run_ecmult_constants(void)
Definition: tests.c:5532
static void run_field_be32_overflow(void)
Definition: tests.c:2869
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:859
static void run_ecmult_chain(void)
Definition: tests.c:4233
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3283
static void run_ec_combine(void)
Definition: tests.c:4106
static void run_deprecated_context_flags_test(void)
Definition: tests.c:140
static secp256k1_context * CTX
Definition: tests.c:41
static void run_point_times_order(void)
Definition: tests.c:4404
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6872
static void test_sort_vectors(void)
Definition: tests.c:6708
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:38
static void ecmult_const_commutativity(void)
Definition: tests.c:4452
static void int_cmov_test(void)
Definition: tests.c:7509
static void test_ge_bytes(void)
Definition: tests.c:3999
static void test_add_neg_y_diff_x(void)
Definition: tests.c:3939
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5413
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4292
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6833
static void run_hmac_sha256_tests(void)
Definition: tests.c:613
static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2832
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5041
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:835
static void run_secp256k1_is_zero_array_test(void)
Definition: tests.c:7470
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6371
static void run_field_half(void)
Definition: tests.c:2943
static void run_eckey_negate_test(void)
Definition: tests.c:6253
static void scalar_test(void)
Definition: tests.c:2004
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2159
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4652
static void run_hsort_tests(void)
Definition: tests.c:3619
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6325
static void test_hsort_is_sorted(unsigned char *elements, size_t n, size_t len)
Definition: tests.c:3569
static void run_gej(void)
Definition: tests.c:4045
static void run_ge(void)
Definition: tests.c:4027
#define MAX_ELEMENT_LEN
Definition: tests.c:3589
static void ge_storage_cmov_test(void)
Definition: tests.c:7622
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3244
static void fe_storage_cmov_test(void)
Definition: tests.c:7564
static void test_ec_combine(void)
Definition: tests.c:4081
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5059
static void test_ecmult_gen_edge_cases(void)
Definition: tests.c:5603
static void run_ctz_tests(void)
Definition: tests.c:422
static void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk)
Definition: tests.c:6612
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5079
static void run_scalar_tests(void)
Definition: tests.c:2176
static void test_random_pubkeys(void)
Definition: tests.c:6507
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4037
static void test_heap_swap(void)
Definition: tests.c:3556
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3192
static void scalar_cmov_test(void)
Definition: tests.c:7594
static void run_ecmult_gen_blind(void)
Definition: tests.c:5621
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6376
static void run_sha256_known_output_tests(void)
Definition: tests.c:443
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4354
#define NUM
Definition: tests.c:3588
#define CHECK_ERROR(ctx, expr)
Definition: tests.c:79
static void run_ecdsa_end_to_end(void)
Definition: tests.c:6766
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4637
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4542
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:230
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3099
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4113
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5445
static void run_cmov_tests(void)
Definition: tests.c:7654
static void permute(size_t *arr, size_t n)
Definition: tests.c:6625
static void run_ecdsa_der_parse(void)
Definition: tests.c:7018
static void ecmult_const_random_mult(void)
Definition: tests.c:4425
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5631
static void run_field_convert(void)
Definition: tests.c:2839
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6773
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:158
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7426
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5489
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5160
static void run_sqrt(void)
Definition: tests.c:3206
static void run_modinv_tests(void)
Definition: tests.c:1040
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4331
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:826
static void run_xoshiro256pp_tests(void)
Definition: tests.c:90
static void run_wnaf(void)
Definition: tests.c:5386
static void run_ecmult_multi_tests(void)
Definition: tests.c:5225
static void run_selftest_tests(void)
Definition: tests.c:119
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1010
static void run_sqr(void)
Definition: tests.c:3163
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:131
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5112
static void run_endomorphism_tests(void)
Definition: tests.c:5658
static void run_scratch_tests(void)
Definition: tests.c:352
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7396
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4392
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7388
static void fe_cmov_test(void)
Definition: tests.c:7534
static void run_group_decompress(void)
Definition: tests.c:4148
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4473
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5405
static void ecmult_const_edges(void)
Definition: tests.c:4515
static void test_ecdsa_edge_cases(void)
Definition: tests.c:7050
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4597
static void run_ecmult_pre_g(void)
Definition: tests.c:4209
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4644
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:605
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4159
static void test_hsort(size_t element_len)
Definition: tests.c:3590
static void test_sort_api(void)
Definition: tests.c:6636
static secp256k1_context * STATIC_CTX
Definition: tests.c:42
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5286
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3261
static void test_ecmult_gen_blind(void)
Definition: tests.c:5566
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7454
static void run_fe_mul(void)
Definition: tests.c:3142
#define SECP256K1_EC_PARSE_TEST_NXVALID
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6845
static const secp256k1_fe fe_minus_one
Definition: tests.c:3249
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:657
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:725
static void testutil_random_fe_test(secp256k1_fe *x)
Definition: testutil.h:46
static void testutil_random_pubkey_test(secp256k1_pubkey *pk)
Definition: testutil.h:110
static void testutil_random_gej_y_magnitude(secp256k1_gej *gej)
Definition: testutil.h:74
static void testutil_random_fe_non_zero(secp256k1_fe *nz)
Definition: testutil.h:24
static void testutil_random_scalar_order(secp256k1_scalar *num)
Definition: testutil.h:129
static void testutil_random_gej_test(secp256k1_gej *gej)
Definition: testutil.h:104
static void testutil_random_scalar_order_test(secp256k1_scalar *num)
Definition: testutil.h:116
static void testutil_random_scalar_order_b32(unsigned char *b32)
Definition: testutil.h:142
static void testutil_random_fe(secp256k1_fe *x)
Definition: testutil.h:14
static void testutil_random_fe_non_zero_test(secp256k1_fe *fe)
Definition: testutil.h:56
static void testutil_random_gej_x_magnitude(secp256k1_gej *gej)
Definition: testutil.h:70
static void testutil_random_fe_magnitude(secp256k1_fe *fe, int m)
Definition: testutil.h:30
static void testutil_random_ge_x_magnitude(secp256k1_ge *ge)
Definition: testutil.h:62
static void testutil_random_gej_z_magnitude(secp256k1_gej *gej)
Definition: testutil.h:78
static void testutil_random_ge_test(secp256k1_ge *ge)
Definition: testutil.h:82
static void testutil_random_ge_y_magnitude(secp256k1_ge *ge)
Definition: testutil.h:66
static void testutil_random_ge_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: testutil.h:94
#define expect(bit)