Bitcoin Core 30.99.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <time.h>
12
13#ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16#endif
17#if defined(VERIFY) && defined(COVERAGE)
18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19#endif
20#include "secp256k1.c"
21
22#include "../include/secp256k1.h"
23#include "../include/secp256k1_preallocated.h"
24#include "testrand_impl.h"
25#include "checkmem.h"
26#include "testutil.h"
27#include "util.h"
28#include "unit_test.h"
29#include "unit_test.c"
30
31#include "../contrib/lax_der_parsing.c"
32#include "../contrib/lax_der_privatekey_parsing.c"
33
34#include "modinv32_impl.h"
35#ifdef SECP256K1_WIDEMUL_INT128
36#include "modinv64_impl.h"
37#include "int128_impl.h"
38#endif
39
40#define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
41
42static secp256k1_context *CTX = NULL;
44
45static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
46 const unsigned char *p = s;
47 size_t i;
48
49 for (i = 0; i < n; i++) {
50 if (p[i] != value) {
51 return 0;
52 }
53 }
54 return 1;
55}
56
57#define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \
58 int32_t _calls_to_callback = 0; \
59 secp256k1_callback _saved_callback = ctx->callback; \
60 callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \
61 { expr_or_stmt; } \
62 ctx->callback = _saved_callback; \
63 CHECK(_calls_to_callback == 1); \
64} while(0);
65
66/* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once
67 *
68 * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */
69#define CHECK_ERROR_VOID(ctx, expr_or_stmt) \
70 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback)
71#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \
72 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback)
73
74/* CHECK that
75 * - expr calls the illegal callback of ctx exactly once and,
76 * - expr == 0 (or equivalently, expr == NULL)
77 *
78 * Useful for checking functions that return an integer or a pointer. */
79#define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
80#define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0))
81
82static void counting_callback_fn(const char* str, void* data) {
83 /* Dummy callback function that just counts. */
84 int32_t *p;
85 (void)str;
86 p = data;
87 CHECK(*p != INT32_MAX);
88 (*p)++;
89}
90
91static void run_xoshiro256pp_tests(void) {
92 {
93 size_t i;
94 /* Sanity check that we run before the actual seeding. */
95 for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
97 }
98 }
99 {
100 int i;
101 unsigned char buf32[32];
102 unsigned char seed16[16] = {
103 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
104 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
105 };
106 unsigned char buf32_expected[32] = {
107 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
108 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
109 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
110 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
111 };
112 testrand_seed(seed16);
113 for (i = 0; i < 17; i++) {
114 testrand256(buf32);
115 }
116 CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
117 }
118}
119
120static void run_selftest_tests(void) {
121 /* Test public API */
123}
124
126 return a->built == b->built
130}
131
132static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
133 return a->declassify == b->declassify
139}
140
142 /* Check that a context created with any of the flags in the flags array is
143 * identical to the NONE context. */
144 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
148 int i;
149 for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
150 secp256k1_context *tmp_ctx;
152 tmp_ctx = secp256k1_context_create(flags[i]);
153 CHECK(context_eq(none_ctx, tmp_ctx));
155 }
157}
158
160 secp256k1_pubkey pubkey;
161 secp256k1_pubkey zero_pubkey;
163 unsigned char ctmp[32];
164
165 /* Setup */
166 memset(ctmp, 1, 32);
167 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
168
169 /* Verify context-type checking illegal-argument errors. */
171 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
172 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
173 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
174 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL));
175 SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
176 CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
177 SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
178 CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
179 CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
180 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
181 CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
182 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
184 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
187 CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
188}
189
190static void run_static_context_tests(int use_prealloc) {
191 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
193
194 {
195 unsigned char seed[32] = {0x17};
196
197 /* Randomizing secp256k1_context_static is not supported. */
200
201 /* Destroying or cloning secp256k1_context_static is not supported. */
202 if (use_prealloc) {
204 {
205 secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
206 CHECK(my_static_ctx != NULL);
207 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
209 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
210 free(my_static_ctx);
211 }
213 } else {
216 }
217 }
218
219 {
220 /* Verify that setting and resetting illegal callback works */
221 int32_t dummy = 0;
228 }
229}
230
232{
235}
236
237static void run_proper_context_tests(int use_prealloc) {
238 int32_t dummy = 0;
239 secp256k1_context *my_ctx, *my_ctx_fresh;
240 void *my_ctx_prealloc = NULL;
241 unsigned char seed[32] = {0x17};
242
243 secp256k1_gej pubj;
244 secp256k1_ge pub;
246 secp256k1_scalar sigr, sigs;
247
248 /* Fresh reference context for comparison */
250
251 if (use_prealloc) {
253 CHECK(my_ctx_prealloc != NULL);
255 } else {
257 }
258
259 /* Randomize and reset randomization */
260 CHECK(context_eq(my_ctx, my_ctx_fresh));
261 CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
262 CHECK(!context_eq(my_ctx, my_ctx_fresh));
263 CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
264 CHECK(context_eq(my_ctx, my_ctx_fresh));
265
266 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
270
271 /* check if sizes for cloning are consistent */
273
274 /*** clone and destroy all of them to make sure cloning was complete ***/
275 {
276 secp256k1_context *ctx_tmp;
277
278 if (use_prealloc) {
279 /* clone into a non-preallocated context and then again into a new preallocated one. */
280 ctx_tmp = my_ctx;
281 my_ctx = secp256k1_context_clone(my_ctx);
282 CHECK(context_eq(ctx_tmp, my_ctx));
284
285 free(my_ctx_prealloc);
287 CHECK(my_ctx_prealloc != NULL);
288 ctx_tmp = my_ctx;
289 my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
290 CHECK(context_eq(ctx_tmp, my_ctx));
292 } else {
293 /* clone into a preallocated context and then again into a new non-preallocated one. */
294 void *prealloc_tmp;
295
297 CHECK(prealloc_tmp != NULL);
298 ctx_tmp = my_ctx;
299 my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
300 CHECK(context_eq(ctx_tmp, my_ctx));
302
303 ctx_tmp = my_ctx;
304 my_ctx = secp256k1_context_clone(my_ctx);
305 CHECK(context_eq(ctx_tmp, my_ctx));
307 free(prealloc_tmp);
308 }
309 }
310
311 /* Verify that the error callback makes it across the clone. */
314 /* And that it resets back to default. */
315 secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
317 CHECK(context_eq(my_ctx, my_ctx_fresh));
318
319 /* Verify that setting and resetting illegal callback works */
322 CHECK(my_ctx->illegal_callback.data == &dummy);
323 secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
325 CHECK(my_ctx->illegal_callback.data == NULL);
326 CHECK(context_eq(my_ctx, my_ctx_fresh));
327
328 /*** attempt to use them ***/
331 secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
332 secp256k1_ge_set_gej(&pub, &pubj);
333
334 /* obtain a working nonce */
335 do {
337 } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
338
339 /* try signing */
340 CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
341
342 /* try verifying */
343 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
344
345 /* cleanup */
346 if (use_prealloc) {
348 free(my_ctx_prealloc);
349 } else {
351 }
352 secp256k1_context_destroy(my_ctx_fresh);
353
354 /* Defined as no-op. */
357}
358
360{
363}
364
365static void run_scratch_tests(void) {
366 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
367
368 size_t checkpoint;
369 size_t checkpoint_2;
371 secp256k1_scratch_space local_scratch;
372
373 /* Test public API */
374 scratch = secp256k1_scratch_space_create(CTX, 1000);
375 CHECK(scratch != NULL);
376
377 /* Test internal API */
379 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
380 CHECK(scratch->alloc_size == 0);
381 CHECK(scratch->alloc_size % ALIGNMENT == 0);
382
383 /* Allocating 500 bytes succeeds */
384 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
385 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
386 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
387 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
388 CHECK(scratch->alloc_size != 0);
389 CHECK(scratch->alloc_size % ALIGNMENT == 0);
390
391 /* Allocating another 501 bytes fails */
392 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
393 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
394 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
395 CHECK(scratch->alloc_size != 0);
396 CHECK(scratch->alloc_size % ALIGNMENT == 0);
397
398 /* ...but it succeeds once we apply the checkpoint to undo it */
400 CHECK(scratch->alloc_size == 0);
402 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
403 CHECK(scratch->alloc_size != 0);
404
405 /* try to apply a bad checkpoint */
406 checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
408 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */
409 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */
410
411 /* try to use badly initialized scratch space */
413 memset(&local_scratch, 0, sizeof(local_scratch));
414 scratch = &local_scratch;
418
419 /* Test that large integers do not wrap around in a bad way */
420 scratch = secp256k1_scratch_space_create(CTX, 1000);
421 /* Try max allocation with a large number of objects. Only makes sense if
422 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
423 * space. */
424 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
425 /* Try allocating SIZE_MAX to test wrap around which only happens if
426 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
427 * space is too small. */
428 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
430
431 /* cleanup */
432 secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
433}
434
435static void run_ctz_tests(void) {
436 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
437 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
438 int shift;
439 unsigned i;
440 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
441 for (shift = 0; shift < 32; ++shift) {
442 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
443 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
444 }
445 }
446 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
447 for (shift = 0; shift < 64; ++shift) {
448 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
449 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
450 }
451 }
452}
453
454/***** HASH TESTS *****/
455
457 static const char *inputs[] = {
458 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
459 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
460 "For this sample, this 63-byte string will be used as input data",
461 "This is exactly 64 bytes long, not counting the terminating byte",
462 "aaaaa",
463 };
464 static const unsigned int repeat[] = {
465 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
466 };
467 static const unsigned char outputs[][32] = {
468 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
469 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
470 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
471 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
472 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
473 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
474 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
475 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
476 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
477 };
478 unsigned int i, ninputs;
479
480 /* Skip last input vector for low iteration counts */
481 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
482 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
483
484 for (i = 0; i < ninputs; i++) {
485 unsigned char out[32];
486 secp256k1_sha256 hasher;
487 unsigned int j;
488 /* 1. Run: simply write the input bytestrings */
489 j = repeat[i];
491 while (j > 0) {
492 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
493 j--;
494 }
496 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
497 /* 2. Run: split the input bytestrings randomly before writing */
498 if (strlen(inputs[i]) > 0) {
499 int split = testrand_int(strlen(inputs[i]));
501 j = repeat[i];
502 while (j > 0) {
503 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
504 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
505 j--;
506 }
508 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
509 }
510 }
511}
512
557static void run_sha256_counter_tests(void) {
558 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
559 static const secp256k1_sha256 midstates[] = {
560 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
561 {0x00}, 0xfffc0},
562 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
563 {0x00}, 0x1fffc0},
564 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
565 {0x00}, 0x3fffc0},
566 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
567 {0x00}, 0x7fffc0},
568 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
569 {0x00}, 0xffffc0},
570 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
571 {0x00}, 0x1ffffc0},
572 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
573 {0x00}, 0x3ffffc0},
574 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
575 {0x00}, 0x7ffffc0},
576 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
577 {0x00}, 0xfffffc0},
578 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
579 {0x00}, 0x1fffffc0},
580 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
581 {0x00}, 0x3fffffc0},
582 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
583 {0x00}, 0x7fffffc0},
584 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
585 {0x00}, 0xffffffc0},
586 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
587 {0x00}, 0x1ffffffc0},
588 };
589 static const unsigned char outputs[][32] = {
590 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
591 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
592 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
593 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
594 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
595 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
596 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
597 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
598 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
599 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
600 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
601 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
602 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
603 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
604 };
605 unsigned int i;
606 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
607 unsigned char out[32];
608 secp256k1_sha256 hasher = midstates[i];
609 secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
611 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
612 }
613}
614
615/* Tests for the equality of two sha256 structs. This function only produces a
616 * correct result if an integer multiple of 64 many bytes have been written
617 * into the hash functions. This function is used by some module tests. */
618static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
619 /* Is buffer fully consumed? */
620 CHECK((sha1->bytes & 0x3F) == 0);
621
622 CHECK(sha1->bytes == sha2->bytes);
623 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
624}
625/* Convenience function for using test_sha256_eq to verify the correctness of a
626 * tagged hash midstate. This function is used by some module tests. */
627static void test_sha256_tag_midstate(secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen) {
629 secp256k1_sha256_initialize_tagged(&sha, tag, taglen);
630 test_sha256_eq(&sha, sha_tagged);
631}
632
633static void run_hmac_sha256_tests(void) {
634 static const char *keys[6] = {
635 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
636 "\x4a\x65\x66\x65",
637 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
638 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
639 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
640 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
641 };
642 static const char *inputs[6] = {
643 "\x48\x69\x20\x54\x68\x65\x72\x65",
644 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
645 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
646 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
647 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
648 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
649 };
650 static const unsigned char outputs[6][32] = {
651 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
652 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
653 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
654 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
655 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
656 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
657 };
658 int i;
659 for (i = 0; i < 6; i++) {
661 unsigned char out[32];
662 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
663 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
665 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
666 if (strlen(inputs[i]) > 0) {
667 int split = testrand_int(strlen(inputs[i]));
668 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
669 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
670 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
672 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
673 }
674 }
675}
676
678 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
679 static const unsigned char out1[3][32] = {
680 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
681 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
682 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
683 };
684
685 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
686 static const unsigned char out2[3][32] = {
687 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
688 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
689 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
690 };
691
693 unsigned char out[32];
694 int i;
695
697 for (i = 0; i < 3; i++) {
699 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
700 }
702
704 for (i = 0; i < 3; i++) {
706 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
707 }
709
711 for (i = 0; i < 3; i++) {
713 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
714 }
716}
717
718static void run_tagged_sha256_tests(void) {
719 unsigned char tag[32] = { 0 };
720 unsigned char msg[32] = { 0 };
721 unsigned char hash32[32];
722 unsigned char hash_expected[32] = {
723 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
724 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
725 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
726 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
727 };
728
729 /* API test */
730 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
731 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)));
732 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)));
733 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0));
734
735 /* Static test vector */
736 memcpy(tag, "tag", 3);
737 memcpy(msg, "msg", 3);
738 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
739 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
740}
741
742/***** MODINV TESTS *****/
743
744/* Compute the modular inverse of (odd) x mod 2^64. */
745static uint64_t modinv2p64(uint64_t x) {
746 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
747 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
748 * why. Start with L=0, for which it is true for every odd x that
749 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
750 int l;
751 uint64_t w = 1;
752 CHECK(x & 1);
753 for (l = 0; l < 6; ++l) w *= (2 - w*x);
754 return w;
755}
756
757
758/* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
759 *
760 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
761 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
762static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
763 uint16_t mul[32];
764 uint64_t c = 0;
765 int i, j;
766 int m_bitlen = 0;
767 int mul_bitlen = 0;
768
769 if (b != NULL) {
770 /* Compute the product of a and b, and put it in mul. */
771 for (i = 0; i < 32; ++i) {
772 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
773 c += (uint64_t)a[j] * b[i - j];
774 }
775 mul[i] = c & 0xFFFF;
776 c >>= 16;
777 }
778 CHECK(c == 0);
779
780 /* compute the highest set bit in mul */
781 for (i = 511; i >= 0; --i) {
782 if ((mul[i >> 4] >> (i & 15)) & 1) {
783 mul_bitlen = i;
784 break;
785 }
786 }
787 } else {
788 /* if b==NULL, set mul=a. */
789 memcpy(mul, a, 32);
790 memset(mul + 16, 0, 32);
791 /* compute the highest set bit in mul */
792 for (i = 255; i >= 0; --i) {
793 if ((mul[i >> 4] >> (i & 15)) & 1) {
794 mul_bitlen = i;
795 break;
796 }
797 }
798 }
799
800 if (m) {
801 /* Compute the highest set bit in m. */
802 for (i = 255; i >= 0; --i) {
803 if ((m[i >> 4] >> (i & 15)) & 1) {
804 m_bitlen = i;
805 break;
806 }
807 }
808
809 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
810 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
811 uint16_t mul2[32];
812 int64_t cs;
813
814 /* Compute mul2 = mul - m<<i. */
815 cs = 0; /* accumulator */
816 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
817 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
818 uint16_t sub = 0;
819 int p;
820 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
821 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
822 if (bitpos >= 0 && bitpos < 256) {
823 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
824 }
825 }
826 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
827 cs += mul[j];
828 cs -= sub;
829 mul2[j] = (cs & 0xFFFF);
830 cs >>= 16;
831 }
832 /* If remainder of subtraction is 0, set mul = mul2. */
833 if (cs == 0) {
834 memcpy(mul, mul2, sizeof(mul));
835 }
836 }
837 /* Sanity check: test that all limbs higher than m's highest are zero */
838 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
839 CHECK(mul[i] == 0);
840 }
841 }
842 memcpy(out, mul, 32);
843}
844
845/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
846static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
847 int i;
848 memset(out->v, 0, sizeof(out->v));
849 for (i = 0; i < 256; ++i) {
850 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
851 }
852}
853
854/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
855static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
856 int i;
857 memset(out, 0, 32);
858 for (i = 0; i < 256; ++i) {
859 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
860 }
861}
862
863/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
865 int i;
866 for (i = 0; i < 16; ++i) {
867 int pos = testrand_bits(3);
868 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
869 x->v[pos] -= 0x40000000;
870 x->v[pos + 1] += 1;
871 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
872 x->v[pos] += 0x40000000;
873 x->v[pos + 1] -= 1;
874 }
875 }
876}
877
878/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
879static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
880 uint16_t tmp[16];
883 int i, vartime, nonzero;
884
885 uint16_to_signed30(&x, in);
886 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
887 uint16_to_signed30(&m.modulus, mod);
888
889 /* compute 1/modulus mod 2^30 */
890 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
891 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
892
893 /* Test secp256k1_jacobi32_maybe_var. */
894 if (nonzero) {
895 int jac;
896 uint16_t sqr[16], negone[16];
897 mulmod256(sqr, in, in, mod);
898 uint16_to_signed30(&x, sqr);
899 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
901 CHECK(jac == 0 || jac == 1);
902 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
903 * jacobi symbols if and only if (mod % 4) == 3. */
904 negone[0] = mod[0] - 1;
905 for (i = 1; i < 16; ++i) negone[i] = mod[i];
906 mulmod256(sqr, sqr, negone, mod);
907 uint16_to_signed30(&x, sqr);
909 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
910 }
911
912 uint16_to_signed30(&x, in);
913 mutate_sign_signed30(&m.modulus);
914 for (vartime = 0; vartime < 2; ++vartime) {
915 /* compute inverse */
916 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
917
918 /* produce output */
920
921 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
922 mulmod256(tmp, out, in, mod);
923 CHECK(tmp[0] == nonzero);
924 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
925
926 /* invert again */
927 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
928
929 /* check if the result is equal to the input */
930 signed30_to_uint16(tmp, &x);
931 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
932 }
933}
934
935#ifdef SECP256K1_WIDEMUL_INT128
936/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
937static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
938 int i;
939 memset(out->v, 0, sizeof(out->v));
940 for (i = 0; i < 256; ++i) {
941 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
942 }
943}
944
945/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
946static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
947 int i;
948 memset(out, 0, 32);
949 for (i = 0; i < 256; ++i) {
950 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
951 }
952}
953
954/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
955static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
956 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
957 int i;
958 for (i = 0; i < 8; ++i) {
959 int pos = testrand_bits(2);
960 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
961 x->v[pos] -= (M62 + 1);
962 x->v[pos + 1] += 1;
963 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
964 x->v[pos] += (M62 + 1);
965 x->v[pos + 1] -= 1;
966 }
967 }
968}
969
970/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
971static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
972 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
973 uint16_t tmp[16];
976 int i, vartime, nonzero;
977
978 uint16_to_signed62(&x, in);
979 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
980 uint16_to_signed62(&m.modulus, mod);
981
982 /* compute 1/modulus mod 2^62 */
983 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
984 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
985
986 /* Test secp256k1_jacobi64_maybe_var. */
987 if (nonzero) {
988 int jac;
989 uint16_t sqr[16], negone[16];
990 mulmod256(sqr, in, in, mod);
991 uint16_to_signed62(&x, sqr);
992 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
993 jac = secp256k1_jacobi64_maybe_var(&x, &m);
994 CHECK(jac == 0 || jac == 1);
995 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
996 * jacobi symbols if and only if (mod % 4) == 3. */
997 negone[0] = mod[0] - 1;
998 for (i = 1; i < 16; ++i) negone[i] = mod[i];
999 mulmod256(sqr, sqr, negone, mod);
1000 uint16_to_signed62(&x, sqr);
1001 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1002 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1003 }
1004
1005 uint16_to_signed62(&x, in);
1006 mutate_sign_signed62(&m.modulus);
1007 for (vartime = 0; vartime < 2; ++vartime) {
1008 /* compute inverse */
1009 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1010
1011 /* produce output */
1012 signed62_to_uint16(out, &x);
1013
1014 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1015 mulmod256(tmp, out, in, mod);
1016 CHECK(tmp[0] == nonzero);
1017 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1018
1019 /* invert again */
1020 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1021
1022 /* check if the result is equal to the input */
1023 signed62_to_uint16(tmp, &x);
1024 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1025 }
1026}
1027#endif
1028
1029/* test if a and b are coprime */
1030static int coprime(const uint16_t* a, const uint16_t* b) {
1031 uint16_t x[16], y[16], t[16];
1032 int i;
1033 int iszero;
1034 memcpy(x, a, 32);
1035 memcpy(y, b, 32);
1036
1037 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1038 while (1) {
1039 iszero = 1;
1040 for (i = 0; i < 16; ++i) {
1041 if (x[i] != 0) {
1042 iszero = 0;
1043 break;
1044 }
1045 }
1046 if (iszero) break;
1047 mulmod256(t, y, NULL, x);
1048 memcpy(y, x, 32);
1049 memcpy(x, t, 32);
1050 }
1051
1052 /* return whether y=1 */
1053 if (y[0] != 1) return 0;
1054 for (i = 1; i < 16; ++i) {
1055 if (y[i] != 0) return 0;
1056 }
1057 return 1;
1058}
1059
1060static void run_modinv_tests(void) {
1061 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1062 static const uint16_t CASES[][3][16] = {
1063 /* Test cases triggering edge cases in divsteps */
1064
1065 /* Test case known to need 713 divsteps */
1066 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1067 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1068 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1069 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1070 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1071 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1072 /* Test case known to need 589 divsteps, reaching delta=-140 and
1073 delta=141. */
1074 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1075 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1076 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1077 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1078 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1079 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1080 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1081 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1082 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1083 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1084 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1085 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1086 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1087 /* example needing 713 divsteps; delta=-2..3 */
1088 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1089 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1090 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1091 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1092 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1093 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1094 /* example needing 713 divsteps; delta=-2..3 */
1095 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1096 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1097 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1098 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1099 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1100 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1101 /* example needing 713 divsteps; delta=-2..3 */
1102 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1103 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1104 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1105 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1106 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1107 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1108 /* example reaching delta=-64..65; 661 divsteps */
1109 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1110 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1111 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1112 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1113 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1114 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1115 /* example reaching delta=-64..65; 661 divsteps */
1116 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1117 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1118 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1119 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1120 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1121 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1122 /* example reaching delta=-64..65; 661 divsteps */
1123 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1124 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1125 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1126 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1127 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1128 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1129 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1130 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1131 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1132 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1133 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1134 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1135 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1136 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1137 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1138 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1139 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1140 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1141 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1142 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1143 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1144 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1145 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1146 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1147 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1148 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1149 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1150 /* example doing 446 (f,g/2) steps; 523 divsteps */
1151 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1152 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1153 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1154 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1155 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1156 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1157 /* example doing 446 (f,g/2) steps; 523 divsteps */
1158 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1159 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1160 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1161 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1162 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1163 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1164 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1165 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1166 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1167 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1168 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1169 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1170 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1171 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1172 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1173 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1174 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1175 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1176 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1177 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1178 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1179 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1180 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1181 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1182 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1183 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1184 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1185 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1186 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1187 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1188 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1189 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1190 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1191 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1192
1193 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1194
1195 /* example needing 590 divsteps; delta=-5/2..7/2 */
1196 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1197 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1198 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1199 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1200 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1201 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1202 /* example needing 590 divsteps; delta=-3/2..5/2 */
1203 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1204 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1205 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1206 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1207 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1208 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1209 /* example needing 590 divsteps; delta=-3/2..5/2 */
1210 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1211 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1212 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1213 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1214 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1215 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1216 /* example needing 590 divsteps; delta=-5/2..7/2 */
1217 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1218 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1219 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1220 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1221 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1222 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1223 /* example needing 590 divsteps; delta=-3/2..5/2 */
1224 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1225 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1226 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1227 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1228 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1229 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1230 /* example reaching delta=-127/2..129/2; 571 divsteps */
1231 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1232 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1233 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1234 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1235 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1236 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1237 /* example reaching delta=-127/2..129/2; 571 divsteps */
1238 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1239 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1240 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1241 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1242 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1243 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1244 /* example reaching delta=-127/2..129/2; 571 divsteps */
1245 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1246 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1247 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1248 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1249 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1250 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1251 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1252 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1253 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1254 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1255 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1256 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1257 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1258 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1259 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1260 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1261 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1262 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1263 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1264 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1265 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1266 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1267 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1268 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1269 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1270 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1271 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1272 /* example doing 453 (f,g/2) steps; 514 divsteps */
1273 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1274 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1275 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1276 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1277 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1278 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1279 /* example doing 453 (f,g/2) steps; 514 divsteps */
1280 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1281 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1282 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1283 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1284 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1285 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1286 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1287 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1288 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1289 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1290 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1291 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1292 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1293 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1294 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1295 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1296 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1297 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1298 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1299 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1300 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1301 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1302 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1303 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1304 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1305 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1306 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1307 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1308 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1309 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1310 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1311 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1312 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1313 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1314
1315 /* Test cases with the group order as modulus. */
1316
1317 /* Test case with the group order as modulus, needing 635 divsteps. */
1318 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1319 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1320 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1321 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1322 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1323 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1324 /* example with group size as modulus needing 631 divsteps */
1325 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1326 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1327 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1328 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1329 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1330 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1331 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1332 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1333 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1334 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1335 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1336 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1337 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1338 /* Test case with the group size as modulus, needing 981 divsteps with
1339 broken eta handling. */
1340 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1341 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1342 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1343 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1344 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1345 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1346 /* Test case with the group size as modulus, input = 0. */
1347 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1348 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1349 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1350 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1351 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1352 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1353 /* Test case with the group size as modulus, input = 1. */
1354 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1355 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1356 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1357 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1358 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1359 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1360 /* Test case with the group size as modulus, input = 2. */
1361 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1362 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1363 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1364 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1365 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1366 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1367 /* Test case with the group size as modulus, input = group - 1. */
1368 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1369 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1370 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1371 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1372 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1373 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1374
1375 /* Test cases with the field size as modulus. */
1376
1377 /* Test case with the field size as modulus, needing 637 divsteps. */
1378 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1379 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1380 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1381 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1382 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1383 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1384 /* example with field size as modulus needing 637 divsteps */
1385 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1386 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1387 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1388 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1389 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1390 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1391 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1392 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1393 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1394 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1395 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1396 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1397 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1398 /* Test case with the field size as modulus, needing 935 divsteps with
1399 broken eta handling. */
1400 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1401 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1402 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1403 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1404 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1405 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1406 /* Test case with the field size as modulus, input = 0. */
1407 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1408 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1409 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1410 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1411 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1412 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1413 /* Test case with the field size as modulus, input = 1. */
1414 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1415 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1416 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1417 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1418 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1419 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1420 /* Test case with the field size as modulus, input = 2. */
1421 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1422 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1423 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1424 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1425 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1426 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1427 /* Test case with the field size as modulus, input = field - 1. */
1428 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1429 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1430 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1431 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1432 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1433 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1434
1435 /* Selected from a large number of random inputs to reach small/large
1436 * d/e values in various configurations. */
1437 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1438 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1439 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1440 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1441 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1442 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1443 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1444 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1445 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1446 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1447 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1448 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1449 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1450 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1451 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1452 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1453 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1454 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1455 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1456 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1457 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1458 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1459 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1460 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1461 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1462 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1463 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1464 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1465 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1466 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1467 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1468 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1469 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1470 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1471 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1472 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1473 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1474 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1475 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1476 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1477 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1478 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1479 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1480 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1481 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1482 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1483 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1484 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1485 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1486 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1487 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1488 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1489 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1490 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1491 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1492 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1493 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1494 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1495 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1496 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1497 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1498 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1499 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1500 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1501 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1502 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1503 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1504 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1505 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1506 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1507 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1508 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1509 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1510 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1511 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1512 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1513 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1514 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1515 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1516 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1517 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1518 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1519 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1520 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1521 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1522 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1523 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1524 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1525 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1526 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1527 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1528 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1529 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1530 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1531 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1532 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1533 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1534 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1535 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1536 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1537 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1538 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1539 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1540 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1541 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1542 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1543 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1544 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1545 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1546 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1547 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1548 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1549 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1550 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1551 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1552 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1553 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1554 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1555 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1556 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1557 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1558 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1559 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1560 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1561 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1562 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1563 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1564 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1565 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1566 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1567 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1568 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1569 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1570 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1571 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1572 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1573 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1574 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1575 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1576 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1577 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1578 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1579 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1580 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1581 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1582 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1583 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1584 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1585 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1586 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1587 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1588 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1589 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1590 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1591 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1592 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1593 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1594 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1595 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1596 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1597 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1598 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1599 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1600 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1601 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1602 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1603 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1604 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1605 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1606 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1607 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1608 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1609 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1610 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1611 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1612 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1613 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1614 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1615 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1616 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1617 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1618 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1619 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1620 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1621 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1622 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1623 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1624 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1625 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1626 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1627 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1628 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1629 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1630 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1631 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1632 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1633 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1634 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1635 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1636 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1637 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1638 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1639 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1640 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1641 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1642 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1643 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1644 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1645 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1646 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1647 };
1648
1649 int i, j, ok;
1650
1651 /* Test known inputs/outputs */
1652 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1653 uint16_t out[16];
1654 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1655 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1656#ifdef SECP256K1_WIDEMUL_INT128
1657 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1658 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1659#endif
1660 }
1661
1662 for (i = 0; i < 100 * COUNT; ++i) {
1663 /* 256-bit numbers in 16-uint16_t's notation */
1664 static const uint16_t ZERO[16] = {0};
1665 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1666 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1667 uint16_t id[16]; /* the inverse of xd mod md */
1668
1669 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1670 do {
1671 /* generate random xd and md (with many subsequent 0s and 1s) */
1672 testrand256_test((unsigned char*)xd);
1673 testrand256_test((unsigned char*)md);
1674 md[0] |= 1; /* modulus must be odd */
1675 /* If modulus is 1, find another one. */
1676 ok = md[0] != 1;
1677 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1678 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1679 } while (!(ok && coprime(xd, md)));
1680
1681 test_modinv32_uint16(id, xd, md);
1682#ifdef SECP256K1_WIDEMUL_INT128
1683 test_modinv64_uint16(id, xd, md);
1684#endif
1685
1686 /* In a few cases, also test with input=0 */
1687 if (i < COUNT) {
1688 test_modinv32_uint16(id, ZERO, md);
1689#ifdef SECP256K1_WIDEMUL_INT128
1690 test_modinv64_uint16(id, ZERO, md);
1691#endif
1692 }
1693 }
1694}
1695
1696/***** INT128 TESTS *****/
1697
1698#ifdef SECP256K1_WIDEMUL_INT128
1699/* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1700static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1701 int i;
1702 uint32_t carry = 0;
1703 for (i = 0; i < 16; ++i) {
1704 carry += a[i];
1705 carry += b[i];
1706 out[i] = carry;
1707 carry >>= 16;
1708 }
1709}
1710
1711/* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1712static void neg256(uint16_t* out, const uint16_t* a) {
1713 int i;
1714 uint32_t carry = 1;
1715 for (i = 0; i < 16; ++i) {
1716 carry += (uint16_t)~a[i];
1717 out[i] = carry;
1718 carry >>= 16;
1719 }
1720}
1721
1722/* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1723static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1724 uint16_t sign = sign_extend && (a[15] >> 15);
1725 int i, j;
1726 for (i = 15; i >= 0; --i) {
1727 uint16_t v = 0;
1728 for (j = 0; j < 16; ++j) {
1729 int frompos = i*16 + j + n;
1730 if (frompos >= 256) {
1731 v |= sign << j;
1732 } else {
1733 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1734 }
1735 }
1736 out[i] = v;
1737 }
1738}
1739
1740/* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1741static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1742 int i;
1743 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1744 for (i = 0; i < 4; ++i) {
1745 out[i] = v >> (16 * i);
1746 }
1747 for (i = 4; i < 16; ++i) {
1748 out[i] = sign;
1749 }
1750}
1751
1752/* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1753static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1754 int i;
1755 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1756 for (i = 0; i < 4; ++i) {
1757 out[i] = lo >> (16 * i);
1758 }
1759 for (i = 4; i < 8; ++i) {
1760 out[i] = hi >> (16 * (i - 4));
1761 }
1762 for (i = 8; i < 16; ++i) {
1763 out[i] = sign;
1764 }
1765}
1766
1767/* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1768static int int256is127(const uint16_t* v) {
1769 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1770 int i;
1771 for (i = 8; i < 16; ++i) {
1772 if (v[i] != 0) all_0 = 0;
1773 if (v[i] != 0xffff) all_1 = 0;
1774 }
1775 return all_0 || all_1;
1776}
1777
1778static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1779 uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1780 load256two64(out, hi, lo, 0);
1781}
1782
1783static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1784 uint64_t lo;
1785 int64_t hi;
1786 secp256k1_int128 c = *v;
1787 lo = secp256k1_i128_to_u64(&c);
1788 secp256k1_i128_rshift(&c, 64);
1789 hi = secp256k1_i128_to_i64(&c);
1790 load256two64(out, hi, lo, 1);
1791}
1792
1793static void run_int128_test_case(void) {
1794 unsigned char buf[32];
1795 uint64_t v[4];
1796 secp256k1_int128 swa, swz;
1797 secp256k1_uint128 uwa, uwz;
1798 uint64_t ub, uc;
1799 int64_t sb, sc;
1800 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1801 uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1802 int i;
1803
1804 /* Generate 32-byte random value. */
1805 testrand256_test(buf);
1806 /* Convert into 4 64-bit integers. */
1807 for (i = 0; i < 4; ++i) {
1808 uint64_t vi = 0;
1809 int j;
1810 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1811 v[i] = vi;
1812 }
1813 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1814 secp256k1_u128_load(&uwa, v[1], v[0]);
1815 secp256k1_i128_load(&swa, v[1], v[0]);
1816 ub = v[2];
1817 sb = v[2];
1818 uc = v[3];
1819 sc = v[3];
1820 /* Load those also into 16-bit array representations. */
1821 load256u128(ruwa, &uwa);
1822 load256i128(rswa, &swa);
1823 load256u64(rub, ub, 0);
1824 load256u64(rsb, sb, 1);
1825 load256u64(ruc, uc, 0);
1826 load256u64(rsc, sc, 1);
1827 /* test secp256k1_u128_mul */
1828 mulmod256(ruwr, rub, ruc, NULL);
1829 secp256k1_u128_mul(&uwz, ub, uc);
1830 load256u128(ruwz, &uwz);
1831 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1832 /* test secp256k1_u128_accum_mul */
1833 mulmod256(ruwr, rub, ruc, NULL);
1834 add256(ruwr, ruwr, ruwa);
1835 uwz = uwa;
1836 secp256k1_u128_accum_mul(&uwz, ub, uc);
1837 load256u128(ruwz, &uwz);
1838 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1839 /* test secp256k1_u128_accum_u64 */
1840 add256(ruwr, rub, ruwa);
1841 uwz = uwa;
1842 secp256k1_u128_accum_u64(&uwz, ub);
1843 load256u128(ruwz, &uwz);
1844 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1845 /* test secp256k1_u128_rshift */
1846 rshift256(ruwr, ruwa, uc % 128, 0);
1847 uwz = uwa;
1848 secp256k1_u128_rshift(&uwz, uc % 128);
1849 load256u128(ruwz, &uwz);
1850 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1851 /* test secp256k1_u128_to_u64 */
1852 CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1853 /* test secp256k1_u128_hi_u64 */
1854 CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1855 /* test secp256k1_u128_from_u64 */
1856 secp256k1_u128_from_u64(&uwz, ub);
1857 load256u128(ruwz, &uwz);
1858 CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1859 /* test secp256k1_u128_check_bits */
1860 {
1861 int uwa_bits = 0;
1862 int j;
1863 for (j = 0; j < 128; ++j) {
1864 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
1865 }
1866 for (j = 0; j < 128; ++j) {
1867 CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
1868 }
1869 }
1870 /* test secp256k1_i128_mul */
1871 mulmod256(rswr, rsb, rsc, NULL);
1872 secp256k1_i128_mul(&swz, sb, sc);
1873 load256i128(rswz, &swz);
1874 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1875 /* test secp256k1_i128_accum_mul */
1876 mulmod256(rswr, rsb, rsc, NULL);
1877 add256(rswr, rswr, rswa);
1878 if (int256is127(rswr)) {
1879 swz = swa;
1880 secp256k1_i128_accum_mul(&swz, sb, sc);
1881 load256i128(rswz, &swz);
1882 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1883 }
1884 /* test secp256k1_i128_det */
1885 {
1886 uint16_t rsd[16], rse[16], rst[32];
1887 int64_t sd = v[0], se = v[1];
1888 load256u64(rsd, sd, 1);
1889 load256u64(rse, se, 1);
1890 mulmod256(rst, rsc, rsd, NULL);
1891 neg256(rst, rst);
1892 mulmod256(rswr, rsb, rse, NULL);
1893 add256(rswr, rswr, rst);
1894 secp256k1_i128_det(&swz, sb, sc, sd, se);
1895 load256i128(rswz, &swz);
1896 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1897 }
1898 /* test secp256k1_i128_rshift */
1899 rshift256(rswr, rswa, uc % 127, 1);
1900 swz = swa;
1901 secp256k1_i128_rshift(&swz, uc % 127);
1902 load256i128(rswz, &swz);
1903 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1904 /* test secp256k1_i128_to_u64 */
1905 CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
1906 /* test secp256k1_i128_from_i64 */
1907 secp256k1_i128_from_i64(&swz, sb);
1908 load256i128(rswz, &swz);
1909 CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
1910 /* test secp256k1_i128_to_i64 */
1911 CHECK(secp256k1_i128_to_i64(&swz) == sb);
1912 /* test secp256k1_i128_eq_var */
1913 {
1914 int expect = (uc & 1);
1915 swz = swa;
1916 if (!expect) {
1917 /* Make sure swz != swa */
1918 uint64_t v0c = v[0], v1c = v[1];
1919 if (ub & 64) {
1920 v1c ^= (((uint64_t)1) << (ub & 63));
1921 } else {
1922 v0c ^= (((uint64_t)1) << (ub & 63));
1923 }
1924 secp256k1_i128_load(&swz, v1c, v0c);
1925 }
1926 CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
1927 }
1928 /* test secp256k1_i128_check_pow2 (sign == 1) */
1929 {
1930 int expect = (uc & 1);
1931 int pos = ub % 127;
1932 if (expect) {
1933 /* If expect==1, set swz to exactly 2^pos. */
1934 uint64_t hi = 0;
1935 uint64_t lo = 0;
1936 if (pos >= 64) {
1937 hi = (((uint64_t)1) << (pos & 63));
1938 } else {
1939 lo = (((uint64_t)1) << (pos & 63));
1940 }
1941 secp256k1_i128_load(&swz, hi, lo);
1942 } else {
1943 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
1944 if (pos >= 64) {
1945 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
1946 } else {
1947 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
1948 }
1949 swz = swa;
1950 }
1951 CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
1952 }
1953 /* test secp256k1_i128_check_pow2 (sign == -1) */
1954 {
1955 int expect = (uc & 1);
1956 int pos = ub % 127;
1957 if (expect) {
1958 /* If expect==1, set swz to exactly -2^pos. */
1959 uint64_t hi = ~(uint64_t)0;
1960 uint64_t lo = ~(uint64_t)0;
1961 if (pos >= 64) {
1962 hi <<= (pos & 63);
1963 lo = 0;
1964 } else {
1965 lo <<= (pos & 63);
1966 }
1967 secp256k1_i128_load(&swz, hi, lo);
1968 } else {
1969 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
1970 if (pos >= 64) {
1971 if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
1972 } else {
1973 if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
1974 }
1975 swz = swa;
1976 }
1977 CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
1978 }
1979}
1980
1981static void run_int128_tests(void) {
1982 { /* secp256k1_u128_accum_mul */
1984
1985 /* Check secp256k1_u128_accum_mul overflow */
1986 secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
1987 secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
1988 CHECK(secp256k1_u128_to_u64(&res) == 2);
1989 CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
1990 }
1991 { /* secp256k1_u128_accum_mul */
1992 secp256k1_int128 res;
1993
1994 /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
1995 secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
1996 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
1997 CHECK(secp256k1_i128_to_u64(&res) == 2);
1998 secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
1999 secp256k1_i128_accum_mul(&res, 1, 1);
2000 CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2001 secp256k1_i128_rshift(&res, 64);
2002 CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2003
2004 /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2005 secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2006 CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2007 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2008 CHECK(secp256k1_i128_to_u64(&res) == 0);
2009 secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2010 CHECK(secp256k1_i128_to_u64(&res) == 0);
2011 secp256k1_i128_rshift(&res, 64);
2012 CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2013 }
2014 {
2015 /* Randomized tests. */
2016 int i;
2017 for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2018 }
2019}
2020#endif
2021
2022/***** SCALAR TESTS *****/
2023
2024static void scalar_test(void) {
2028 unsigned char c[32];
2029
2030 /* Set 's' to a random scalar, with value 'snum'. */
2032
2033 /* Set 's1' to a random scalar, with value 's1num'. */
2035
2036 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2039
2040 {
2041 int i;
2042 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2045 for (i = 0; i < 256; i += 4) {
2047 int j;
2049 for (j = 0; j < 4; j++) {
2050 secp256k1_scalar_add(&n, &n, &n);
2051 }
2052 secp256k1_scalar_add(&n, &n, &t);
2053 }
2055 }
2056
2057 {
2058 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2060 int i = 0;
2062 while (i < 256) {
2064 int j;
2065 int now = testrand_int(15) + 1;
2066 if (now + i > 256) {
2067 now = 256 - i;
2068 }
2070 for (j = 0; j < now; j++) {
2071 secp256k1_scalar_add(&n, &n, &n);
2072 }
2073 secp256k1_scalar_add(&n, &n, &t);
2074 i += now;
2075 }
2077 }
2078
2079 {
2080 /* Test commutativity of add. */
2081 secp256k1_scalar r1, r2;
2082 secp256k1_scalar_add(&r1, &s1, &s2);
2083 secp256k1_scalar_add(&r2, &s2, &s1);
2084 CHECK(secp256k1_scalar_eq(&r1, &r2));
2085 }
2086
2087 {
2088 secp256k1_scalar r1, r2;
2090 int i;
2091 /* Test add_bit. */
2092 int bit = testrand_bits(8);
2095 for (i = 0; i < bit; i++) {
2096 secp256k1_scalar_add(&b, &b, &b);
2097 }
2098 r1 = s1;
2099 r2 = s1;
2100 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2101 /* No overflow happened. */
2102 secp256k1_scalar_cadd_bit(&r2, bit, 1);
2103 CHECK(secp256k1_scalar_eq(&r1, &r2));
2104 /* cadd is a noop when flag is zero */
2105 secp256k1_scalar_cadd_bit(&r2, bit, 0);
2106 CHECK(secp256k1_scalar_eq(&r1, &r2));
2107 }
2108 }
2109
2110 {
2111 /* Test commutativity of mul. */
2112 secp256k1_scalar r1, r2;
2113 secp256k1_scalar_mul(&r1, &s1, &s2);
2114 secp256k1_scalar_mul(&r2, &s2, &s1);
2115 CHECK(secp256k1_scalar_eq(&r1, &r2));
2116 }
2117
2118 {
2119 /* Test associativity of add. */
2120 secp256k1_scalar r1, r2;
2121 secp256k1_scalar_add(&r1, &s1, &s2);
2122 secp256k1_scalar_add(&r1, &r1, &s);
2123 secp256k1_scalar_add(&r2, &s2, &s);
2124 secp256k1_scalar_add(&r2, &s1, &r2);
2125 CHECK(secp256k1_scalar_eq(&r1, &r2));
2126 }
2127
2128 {
2129 /* Test associativity of mul. */
2130 secp256k1_scalar r1, r2;
2131 secp256k1_scalar_mul(&r1, &s1, &s2);
2132 secp256k1_scalar_mul(&r1, &r1, &s);
2133 secp256k1_scalar_mul(&r2, &s2, &s);
2134 secp256k1_scalar_mul(&r2, &s1, &r2);
2135 CHECK(secp256k1_scalar_eq(&r1, &r2));
2136 }
2137
2138 {
2139 /* Test distributitivity of mul over add. */
2140 secp256k1_scalar r1, r2, t;
2141 secp256k1_scalar_add(&r1, &s1, &s2);
2142 secp256k1_scalar_mul(&r1, &r1, &s);
2143 secp256k1_scalar_mul(&r2, &s1, &s);
2144 secp256k1_scalar_mul(&t, &s2, &s);
2145 secp256k1_scalar_add(&r2, &r2, &t);
2146 CHECK(secp256k1_scalar_eq(&r1, &r2));
2147 }
2148
2149 {
2150 /* Test multiplicative identity. */
2153 CHECK(secp256k1_scalar_eq(&r1, &s1));
2154 }
2155
2156 {
2157 /* Test additive identity. */
2160 CHECK(secp256k1_scalar_eq(&r1, &s1));
2161 }
2162
2163 {
2164 /* Test zero product property. */
2168 }
2169
2170 {
2171 /* Test halving. */
2173 secp256k1_scalar_add(&r, &s, &s);
2174 secp256k1_scalar_half(&r, &r);
2176 }
2177}
2178
2180 unsigned char b32[32];
2183
2184 /* Usually set_b32 and set_b32_seckey give the same result */
2186 secp256k1_scalar_set_b32(&s1, b32, NULL);
2187 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2188 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2189
2190 memset(b32, 0, sizeof(b32));
2191 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2192 memset(b32, 0xFF, sizeof(b32));
2193 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2194}
2195
2196static void run_scalar_tests(void) {
2197 int i;
2198 for (i = 0; i < 128 * COUNT; i++) {
2199 scalar_test();
2200 }
2201 for (i = 0; i < COUNT; i++) {
2203 }
2204
2205 {
2206 /* Check that the scalar constants secp256k1_scalar_zero and
2207 secp256k1_scalar_one contain the expected values. */
2208 secp256k1_scalar zero, one;
2209
2211 secp256k1_scalar_set_int(&zero, 0);
2213
2215 secp256k1_scalar_set_int(&one, 1);
2217 }
2218
2219 {
2220 /* (-1)+1 should be zero. */
2227 }
2228
2229 {
2230 /* Test that halving and doubling roundtrips on some fixed values. */
2231 static const secp256k1_scalar HALF_TESTS[] = {
2232 /* 0 */
2233 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2234 /* 1 */
2235 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2236 /* -1 */
2237 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul),
2238 /* -2 (largest odd value) */
2239 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful),
2240 /* Half the secp256k1 order */
2241 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul),
2242 /* Half the secp256k1 order + 1 */
2243 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul),
2244 /* 2^255 */
2245 SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0),
2246 /* 2^255 - 1 */
2247 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful),
2248 };
2249 unsigned n;
2250 for (n = 0; n < sizeof(HALF_TESTS) / sizeof(HALF_TESTS[0]); ++n) {
2252 secp256k1_scalar_half(&s, &HALF_TESTS[n]);
2253 secp256k1_scalar_add(&s, &s, &s);
2254 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2255 secp256k1_scalar_add(&s, &s, &s);
2257 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2258 }
2259 }
2260
2261 {
2262 /* Does check_overflow check catch all ones? */
2263 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2264 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2265 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2266 );
2268 }
2269
2270 {
2271 /* Static test vectors.
2272 * These were reduced from ~10^12 random vectors based on comparison-decision
2273 * and edge-case coverage on 32-bit and 64-bit implementations.
2274 * The responses were generated with Sage 5.9.
2275 */
2282 secp256k1_scalar zzv;
2283 int overflow;
2284 unsigned char chal[33][2][32] = {
2285 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2286 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2287 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2288 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2289 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2290 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2291 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2292 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2293 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2294 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2295 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2296 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2297 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2298 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2299 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2300 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2301 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2302 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2303 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2304 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2305 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2306 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2307 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2308 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2309 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2310 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2311 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2312 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2313 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2314 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2315 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2316 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2317 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2318 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2319 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2320 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2321 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2322 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2323 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2324 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2325 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2326 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2327 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2328 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2329 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2330 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2331 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2332 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2333 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2334 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2335 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2336 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2337 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2338 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2339 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2340 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2341 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2342 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2343 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2344 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2345 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2346 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2347 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2348 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2349 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2350 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2351 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2352 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2353 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2354 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2355 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2356 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2357 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2358 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2359 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2360 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2361 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2362 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2363 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2364 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2365 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2366 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2367 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2368 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2369 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2370 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2372 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2373 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2374 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2375 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2376 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2377 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2378 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2379 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2380 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2381 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2382 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2384 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2385 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2386 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2387 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2388 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2389 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2390 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2391 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2392 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2393 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2394 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2395 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2396 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2397 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2398 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2399 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2400 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2401 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2402 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2403 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2404 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2405 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2406 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2407 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2408 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2409 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2410 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2411 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2412 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2413 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2414 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2415 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2416 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2417 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2418 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2419 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2420 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2421 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2422 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2423 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2424 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2425 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2426 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2427 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2428 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2429 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2430 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2431 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2432 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2433 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2434 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2435 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2436 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2437 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2438 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2439 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2440 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2441 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2442 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2443 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2444 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2445 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2446 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2447 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2448 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2449 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2450 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2451 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2452 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2453 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2454 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2457 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2458 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2461 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2462 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2463 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2464 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2465 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2466 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2467 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2468 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2469 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2470 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2471 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2472 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2473 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2474 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2475 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2476 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2477 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2478 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2479 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2480 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2481 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2482 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2483 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2484 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2485 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2486 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2487 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2488 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2489 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2490 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2491 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2492 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2493 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2494 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2495 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2496 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2497 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2498 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2499 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2500 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2501 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2502 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2503 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2504 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2505 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2506 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2507 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2508 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2509 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2510 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2511 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2512 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2513 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2514 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2515 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2516 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2517 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2518 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2519 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2520 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2521 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2522 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2523 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2524 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2525 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2526 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2527 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2528 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2529 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2530 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2531 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2532 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2533 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2534 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2535 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2536 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2537 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2538 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2539 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2540 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2541 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2542 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2543 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2544 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2545 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2546 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2547 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2548 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2549 };
2550 unsigned char res[33][2][32] = {
2551 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2552 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2553 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2554 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2555 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2556 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2557 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2558 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2559 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2560 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2561 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2562 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2563 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2564 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2565 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2566 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2567 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2568 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2569 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2570 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2571 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2572 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2573 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2574 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2575 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2576 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2577 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2578 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2579 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2580 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2581 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2582 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2583 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2584 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2585 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2586 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2587 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2588 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2589 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2590 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2591 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2592 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2593 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2594 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2595 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2596 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2597 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2598 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2599 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2600 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2601 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2602 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2603 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2604 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2605 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2606 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2607 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2608 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2609 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2610 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2611 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2612 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2613 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2614 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2615 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2616 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2617 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2618 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2619 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2620 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2621 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2622 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2623 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2624 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2625 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2626 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2627 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2628 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2629 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2630 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2631 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2632 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2633 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2634 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2635 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2636 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2637 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2638 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2639 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2640 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2641 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2642 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2643 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2644 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2645 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2646 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2647 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2648 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2649 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2650 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2651 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2652 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2653 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2654 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2655 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2656 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2657 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2658 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2659 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2660 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2661 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2662 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2663 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2664 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2665 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2666 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2667 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2668 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2669 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2670 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2671 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2672 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2673 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2674 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2675 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2676 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2677 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2678 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2679 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2680 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2681 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2682 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2683 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2684 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2685 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2686 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2687 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2688 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2689 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2690 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2691 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2692 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2693 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2694 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2695 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2696 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2697 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2698 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2699 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2700 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2701 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2702 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2703 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2704 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2705 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2706 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2707 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2708 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2709 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2710 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2711 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2713 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2714 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2715 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2716 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2717 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2718 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2719 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2720 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2721 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2722 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2723 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2724 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2725 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2726 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2727 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2728 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2729 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2730 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2731 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2732 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2733 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2734 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2735 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2736 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2737 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2738 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2739 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2740 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2741 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2742 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2743 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2745 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2746 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2747 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2748 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2749 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2750 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2751 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2752 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2753 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2754 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2755 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2756 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2757 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2758 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2759 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2760 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2761 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2762 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2763 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2764 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2765 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2766 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2767 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2768 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2769 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2770 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2771 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2772 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2773 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2774 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2775 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2776 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2777 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2778 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2779 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2780 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2781 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2782 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2783 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2784 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2785 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2786 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2787 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2788 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2789 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2790 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2791 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2792 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2793 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2794 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2795 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2796 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2797 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2798 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2799 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2800 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2801 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2802 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2803 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2804 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2805 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2806 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2807 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2808 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2809 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2810 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2811 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2812 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2813 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2814 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2815 };
2816 for (i = 0; i < 33; i++) {
2817 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2818 CHECK(!overflow);
2819 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2820 CHECK(!overflow);
2821 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2822 CHECK(!overflow);
2823 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2824 CHECK(!overflow);
2825 secp256k1_scalar_mul(&z, &x, &y);
2826 CHECK(secp256k1_scalar_eq(&r1, &z));
2827 if (!secp256k1_scalar_is_zero(&y)) {
2828 secp256k1_scalar_inverse(&zz, &y);
2830 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2831 secp256k1_scalar_mul(&z, &z, &zz);
2832 CHECK(secp256k1_scalar_eq(&x, &z));
2833 secp256k1_scalar_mul(&zz, &zz, &y);
2835 }
2836 secp256k1_scalar_mul(&z, &x, &x);
2837 CHECK(secp256k1_scalar_eq(&r2, &z));
2838 }
2839 }
2840}
2841
2842/***** FIELD TESTS *****/
2843
2845 secp256k1_fe r;
2847 if (secp256k1_fe_sqrt(&r, ns)) {
2848 secp256k1_fe_negate(ns, ns, 1);
2849 }
2850}
2851
2852static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2853 secp256k1_fe an = *a;
2854 secp256k1_fe bn = *b;
2856 return secp256k1_fe_equal(&an, &bn);
2857}
2858
2859static void run_field_convert(void) {
2860 static const unsigned char b32[32] = {
2861 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2862 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2863 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2864 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2865 };
2867 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2868 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2869 );
2870 static const secp256k1_fe fe = SECP256K1_FE_CONST(
2871 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2872 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2873 );
2874 secp256k1_fe fe2;
2875 unsigned char b322[32];
2877 /* Check conversions to fe. */
2879 CHECK(secp256k1_fe_equal(&fe, &fe2));
2880 secp256k1_fe_from_storage(&fe2, &fes);
2881 CHECK(secp256k1_fe_equal(&fe, &fe2));
2882 /* Check conversion from fe. */
2883 secp256k1_fe_get_b32(b322, &fe);
2884 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2885 secp256k1_fe_to_storage(&fes2, &fe);
2886 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2887}
2888
2889static void run_field_be32_overflow(void) {
2890 {
2891 static const unsigned char zero_overflow[32] = {
2892 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2893 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2894 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2895 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
2896 };
2897 static const unsigned char zero[32] = { 0x00 };
2898 unsigned char out[32];
2899 secp256k1_fe fe;
2900 CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
2901 secp256k1_fe_set_b32_mod(&fe, zero_overflow);
2904 CHECK(secp256k1_fe_is_zero(&fe) == 1);
2906 CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
2907 }
2908 {
2909 static const unsigned char one_overflow[32] = {
2910 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2911 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2912 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2913 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
2914 };
2915 static const unsigned char one[32] = {
2916 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2917 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2918 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2919 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2920 };
2921 unsigned char out[32];
2922 secp256k1_fe fe;
2923 CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
2924 secp256k1_fe_set_b32_mod(&fe, one_overflow);
2928 CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
2929 }
2930 {
2931 static const unsigned char ff_overflow[32] = {
2932 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2933 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2934 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2935 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2936 };
2937 static const unsigned char ff[32] = {
2938 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2939 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2940 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2941 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
2942 };
2943 unsigned char out[32];
2944 secp256k1_fe fe;
2945 const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
2946 CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
2947 secp256k1_fe_set_b32_mod(&fe, ff_overflow);
2949 CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
2951 CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
2952 }
2953}
2954
2955/* Returns true if two field elements have the same representation. */
2956static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
2957 int ret = 1;
2958 /* Compare the struct member that holds the limbs. */
2959 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
2960 return ret;
2961}
2962
2963static void run_field_half(void) {
2964 secp256k1_fe t, u;
2965 int m;
2966
2967 /* Check magnitude 0 input */
2970#ifdef VERIFY
2971 CHECK(t.magnitude == 1);
2972 CHECK(t.normalized == 0);
2973#endif
2975
2976 /* Check non-zero magnitudes in the supported range */
2977 for (m = 1; m < 32; m++) {
2978 /* Check max-value input */
2980
2981 u = t;
2983#ifdef VERIFY
2984 CHECK(u.magnitude == (m >> 1) + 1);
2985 CHECK(u.normalized == 0);
2986#endif
2988 secp256k1_fe_add(&u, &u);
2989 CHECK(fe_equal(&t, &u));
2990
2991 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
2992 * which will also cause all carries to be 1, since all limbs that can
2993 * generate a carry are initially even and all limbs of P are odd in
2994 * every existing field implementation. */
2996 CHECK(t.n[0] > 0);
2997 CHECK((t.n[0] & 1) == 0);
2998 --t.n[0];
2999
3000 u = t;
3002#ifdef VERIFY
3003 CHECK(u.magnitude == (m >> 1) + 1);
3004 CHECK(u.normalized == 0);
3005#endif
3007 secp256k1_fe_add(&u, &u);
3008 CHECK(fe_equal(&t, &u));
3009 }
3010}
3011
3012static void run_field_misc(void) {
3013 secp256k1_fe x;
3014 secp256k1_fe y;
3015 secp256k1_fe z;
3016 secp256k1_fe q;
3017 int v;
3018 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3019 int i, j;
3020 for (i = 0; i < 1000 * COUNT; i++) {
3021 secp256k1_fe_storage xs, ys, zs;
3022 if (i & 1) {
3024 } else {
3026 }
3028 v = testrand_bits(15);
3029 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3030 secp256k1_fe_set_int(&q, v); /* q = v */
3031 z = x; /* z = x */
3032 secp256k1_fe_add(&z, &q); /* z = x+v */
3033 q = x; /* q = x */
3034 secp256k1_fe_add_int(&q, v); /* q = x+v */
3035 CHECK(fe_equal(&q, &z));
3036 /* Test the fe equality and comparison operations. */
3037 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3038 CHECK(secp256k1_fe_equal(&x, &x));
3039 z = x;
3040 secp256k1_fe_add(&z,&y);
3041 /* Test fe conditional move; z is not normalized here. */
3042 q = x;
3043 secp256k1_fe_cmov(&x, &z, 0);
3044#ifdef VERIFY
3045 CHECK(!x.normalized);
3046 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3047 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3048#endif
3049 x = q;
3050 secp256k1_fe_cmov(&x, &x, 1);
3051 CHECK(!fe_identical(&x, &z));
3052 CHECK(fe_identical(&x, &q));
3053 secp256k1_fe_cmov(&q, &z, 1);
3054#ifdef VERIFY
3055 CHECK(!q.normalized);
3056 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3057 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3058#endif
3059 CHECK(fe_identical(&q, &z));
3060 q = z;
3063 CHECK(!secp256k1_fe_equal(&x, &z));
3065 secp256k1_fe_cmov(&q, &z, (i&1));
3066#ifdef VERIFY
3067 CHECK(q.normalized && q.magnitude == 1);
3068#endif
3069 for (j = 0; j < 6; j++) {
3070 secp256k1_fe_negate_unchecked(&z, &z, j+1);
3072 secp256k1_fe_cmov(&q, &z, (j&1));
3073#ifdef VERIFY
3074 CHECK(!q.normalized && q.magnitude == z.magnitude);
3075#endif
3076 }
3078 /* Test storage conversion and conditional moves. */
3079 secp256k1_fe_to_storage(&xs, &x);
3080 secp256k1_fe_to_storage(&ys, &y);
3081 secp256k1_fe_to_storage(&zs, &z);
3082 secp256k1_fe_storage_cmov(&zs, &xs, 0);
3083 secp256k1_fe_storage_cmov(&zs, &zs, 1);
3084 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3085 secp256k1_fe_storage_cmov(&ys, &xs, 1);
3086 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3090 /* Test that mul_int, mul, and add agree. */
3091 secp256k1_fe_add(&y, &x);
3092 secp256k1_fe_add(&y, &x);
3093 z = x;
3094 secp256k1_fe_mul_int(&z, 3);
3095 CHECK(fe_equal(&y, &z));
3096 secp256k1_fe_add(&y, &x);
3097 secp256k1_fe_add(&z, &x);
3098 CHECK(fe_equal(&z, &y));
3099 z = x;
3100 secp256k1_fe_mul_int(&z, 5);
3101 secp256k1_fe_mul(&q, &x, &fe5);
3102 CHECK(fe_equal(&z, &q));
3103 secp256k1_fe_negate(&x, &x, 1);
3104 secp256k1_fe_add(&z, &x);
3105 secp256k1_fe_add(&q, &x);
3106 CHECK(fe_equal(&y, &z));
3107 CHECK(fe_equal(&q, &y));
3108 /* Check secp256k1_fe_half. */
3109 z = x;
3111 secp256k1_fe_add(&z, &z);
3112 CHECK(fe_equal(&x, &z));
3113 secp256k1_fe_add(&z, &z);
3115 CHECK(fe_equal(&x, &z));
3116 }
3117}
3118
3119static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3120{
3121 secp256k1_fe c, an, bn;
3122 /* Variables in BE 32-byte format. */
3123 unsigned char a32[32], b32[32], c32[32];
3124 /* Variables in LE 16x uint16_t format. */
3125 uint16_t a16[16], b16[16], c16[16];
3126 /* Field modulus in LE 16x uint16_t format. */
3127 static const uint16_t m16[16] = {
3128 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3129 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3130 };
3131 uint16_t t16[32];
3132 int i;
3133
3134 /* Compute C = A * B in fe format. */
3135 c = *a;
3136 if (use_sqr) {
3137 secp256k1_fe_sqr(&c, &c);
3138 } else {
3139 secp256k1_fe_mul(&c, &c, b);
3140 }
3141
3142 /* Convert A, B, C into LE 16x uint16_t format. */
3143 an = *a;
3144 bn = *b;
3148 secp256k1_fe_get_b32(a32, &an);
3149 secp256k1_fe_get_b32(b32, &bn);
3150 secp256k1_fe_get_b32(c32, &c);
3151 for (i = 0; i < 16; ++i) {
3152 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3153 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3154 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3155 }
3156 /* Compute T = A * B in LE 16x uint16_t format. */
3157 mulmod256(t16, a16, b16, m16);
3158 /* Compare */
3159 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3160}
3161
3162static void run_fe_mul(void) {
3163 int i;
3164 for (i = 0; i < 100 * COUNT; ++i) {
3165 secp256k1_fe a, b, c, d;
3174 test_fe_mul(&a, &a, 1);
3175 test_fe_mul(&c, &c, 1);
3176 test_fe_mul(&a, &b, 0);
3177 test_fe_mul(&a, &c, 0);
3178 test_fe_mul(&c, &b, 0);
3179 test_fe_mul(&c, &d, 0);
3180 }
3181}
3182
3183static void run_sqr(void) {
3184 int i;
3185 secp256k1_fe x, y, lhs, rhs, tmp;
3186
3187 secp256k1_fe_set_int(&x, 1);
3188 secp256k1_fe_negate(&x, &x, 1);
3189
3190 for (i = 1; i <= 512; ++i) {
3191 secp256k1_fe_mul_int(&x, 2);
3193
3194 /* Check that (x+y)*(x-y) = x^2 - y*2 for some random values y */
3196
3197 lhs = x;
3198 secp256k1_fe_add(&lhs, &y); /* lhs = x+y */
3199 secp256k1_fe_negate(&tmp, &y, 1); /* tmp = -y */
3200 secp256k1_fe_add(&tmp, &x); /* tmp = x-y */
3201 secp256k1_fe_mul(&lhs, &lhs, &tmp); /* lhs = (x+y)*(x-y) */
3202
3203 secp256k1_fe_sqr(&rhs, &x); /* rhs = x^2 */
3204 secp256k1_fe_sqr(&tmp, &y); /* tmp = y^2 */
3205 secp256k1_fe_negate(&tmp, &tmp, 1); /* tmp = -y^2 */
3206 secp256k1_fe_add(&rhs, &tmp); /* rhs = x^2 - y^2 */
3207
3208 CHECK(fe_equal(&lhs, &rhs));
3209 }
3210}
3211
3212static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3213 secp256k1_fe r1, r2;
3214 int v = secp256k1_fe_sqrt(&r1, a);
3215 CHECK((v == 0) == (k == NULL));
3216
3217 if (k != NULL) {
3218 /* Check that the returned root is +/- the given known answer */
3219 secp256k1_fe_negate(&r2, &r1, 1);
3220 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3223 }
3224}
3225
3226static void run_sqrt(void) {
3227 secp256k1_fe ns, x, s, t;
3228 int i;
3229
3230 /* Check sqrt(0) is 0 */
3231 secp256k1_fe_set_int(&x, 0);
3232 secp256k1_fe_sqr(&s, &x);
3233 test_sqrt(&s, &x);
3234
3235 /* Check sqrt of small squares (and their negatives) */
3236 for (i = 1; i <= 100; i++) {
3237 secp256k1_fe_set_int(&x, i);
3238 secp256k1_fe_sqr(&s, &x);
3239 test_sqrt(&s, &x);
3240 secp256k1_fe_negate(&t, &s, 1);
3241 test_sqrt(&t, NULL);
3242 }
3243
3244 /* Consistency checks for large random values */
3245 for (i = 0; i < 10; i++) {
3246 int j;
3248 for (j = 0; j < COUNT; j++) {
3250 secp256k1_fe_sqr(&s, &x);
3252 test_sqrt(&s, &x);
3253 secp256k1_fe_negate(&t, &s, 1);
3255 test_sqrt(&t, NULL);
3256 secp256k1_fe_mul(&t, &s, &ns);
3257 test_sqrt(&t, NULL);
3258 }
3259 }
3260}
3261
3262/***** FIELD/SCALAR INVERSE TESTS *****/
3263
3265 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3266 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3267);
3268
3270 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3271 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3272);
3273
3274/* These tests test the following identities:
3275 *
3276 * for x==0: 1/x == 0
3277 * for x!=0: x*(1/x) == 1
3278 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3279 */
3280
3282{
3283 secp256k1_scalar l, r, t;
3284
3285 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3286 if (out) *out = l;
3287 if (secp256k1_scalar_is_zero(x)) {
3289 return;
3290 }
3291 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3292 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3293 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3294 if (secp256k1_scalar_is_zero(&r)) return;
3295 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3296 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3297 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3298 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3299 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3300 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3301}
3302
3303static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3304{
3305 secp256k1_fe l, r, t;
3306
3307 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3308 if (out) *out = l;
3309 t = *x; /* t = x */
3312 return;
3313 }
3314 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3315 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3316 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3317 r = *x; /* r = x */
3318 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3320 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3321 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3322 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3323 secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3324 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3326}
3327
3328static void run_inverse_tests(void)
3329{
3330 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3331 static const secp256k1_fe fe_cases[][2] = {
3332 /* 0 */
3333 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3334 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3335 /* 1 */
3336 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3337 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3338 /* -1 */
3339 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3340 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3341 /* 2 */
3342 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3343 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3344 /* 2**128 */
3345 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3346 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3347 /* Input known to need 637 divsteps */
3348 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3349 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3350 /* Input known to need 567 divsteps starting with delta=1/2. */
3351 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3352 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3353 /* Input known to need 566 divsteps starting with delta=1/2. */
3354 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3355 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3356 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3357 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3358 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3359 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3360 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3361 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3362 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3363 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3364 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3365 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3366 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3367 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3368 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3369 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3370 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3371 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3372 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3373 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3374 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3375 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3376 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3377 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3378 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3379 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3380 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3381 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3382 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3383 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3384 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3385 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3386 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3387 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3388 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3389 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3390 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3391 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3392 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3393 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3394 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3395 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3396 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3397 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3398 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3399 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3400 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3401 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3402 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3403 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3404 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3405 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3406 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3407 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3408 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3409 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3410 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3411 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3412 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3413 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3414 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3415 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3416 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3417 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3418 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3419 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3420 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3421 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3422 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3423 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3424 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3425 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3426 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3427 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3428 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3429 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3430 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3431 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3432 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3433 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3434 };
3435 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3436 static const secp256k1_scalar scalar_cases[][2] = {
3437 /* 0 */
3438 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3439 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3440 /* 1 */
3441 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3442 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3443 /* -1 */
3444 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3445 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3446 /* 2 */
3447 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3448 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3449 /* 2**128 */
3450 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3451 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3452 /* Input known to need 635 divsteps */
3453 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3454 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3455 /* Input known to need 566 divsteps starting with delta=1/2. */
3456 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3457 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3458 /* Input known to need 565 divsteps starting with delta=1/2. */
3459 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3460 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3461 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3462 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3463 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3464 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3465 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3466 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3467 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3468 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3469 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3470 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3471 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3472 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3473 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3474 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3475 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3476 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3477 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3478 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3479 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3480 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3481 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3482 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3483 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3484 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3485 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3486 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3487 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3488 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3489 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3490 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3491 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3492 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3493 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3494 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3495 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3496 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3497 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3498 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3499 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3500 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3501 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3502 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3503 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3504 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3505 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3506 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3507 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3508 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3509 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3510 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3511 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3512 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3513 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3514 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3515 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3516 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3517 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3518 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3519 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3520 };
3521 int i, var, testrand;
3522 unsigned char b32[32];
3523 secp256k1_fe x_fe;
3524 secp256k1_scalar x_scalar;
3525 memset(b32, 0, sizeof(b32));
3526 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3527 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3528 for (var = 0; var <= 1; ++var) {
3529 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3530 CHECK(fe_equal(&x_fe, &fe_cases[i][1]));
3531 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3532 CHECK(fe_equal(&x_fe, &fe_cases[i][0]));
3533 }
3534 }
3535 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3536 for (var = 0; var <= 1; ++var) {
3537 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3538 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3539 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3540 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3541 }
3542 }
3543 /* Test inputs 0..999 and their respective negations. */
3544 for (i = 0; i < 1000; ++i) {
3545 b32[31] = i & 0xff;
3546 b32[30] = (i >> 8) & 0xff;
3547 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3548 secp256k1_fe_set_b32_mod(&x_fe, b32);
3549 for (var = 0; var <= 1; ++var) {
3550 test_inverse_scalar(NULL, &x_scalar, var);
3551 test_inverse_field(NULL, &x_fe, var);
3552 }
3553 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3554 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3555 for (var = 0; var <= 1; ++var) {
3556 test_inverse_scalar(NULL, &x_scalar, var);
3557 test_inverse_field(NULL, &x_fe, var);
3558 }
3559 }
3560 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3561 for (testrand = 0; testrand <= 1; ++testrand) {
3562 for (i = 0; i < 64 * COUNT; ++i) {
3563 (testrand ? testrand256_test : testrand256)(b32);
3564 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3565 secp256k1_fe_set_b32_mod(&x_fe, b32);
3566 for (var = 0; var <= 1; ++var) {
3567 test_inverse_scalar(NULL, &x_scalar, var);
3568 test_inverse_field(NULL, &x_fe, var);
3569 }
3570 }
3571 }
3572}
3573
3574/***** HSORT TESTS *****/
3575
3576static void test_heap_swap(void) {
3577 unsigned char a[600];
3578 unsigned char e[sizeof(a)];
3579 memset(a, 21, 200);
3580 memset(a + 200, 99, 200);
3581 memset(a + 400, 42, 200);
3582 memset(e, 42, 200);
3583 memset(e + 200, 99, 200);
3584 memset(e + 400, 21, 200);
3585 secp256k1_heap_swap(a, 0, 2, 200);
3586 CHECK(secp256k1_memcmp_var(a, e, sizeof(a)) == 0);
3587}
3588
3589static void test_hsort_is_sorted(unsigned char *elements, size_t n, size_t len) {
3590 size_t i;
3591 for (i = 1; i < n; i++) {
3592 CHECK(secp256k1_memcmp_var(&elements[(i-1) * len], &elements[i * len], len) <= 0);
3593 }
3594}
3595
3597 size_t counter;
3599};
3600
3601
3602static int test_hsort_cmp(const void *ele1, const void *ele2, void *data) {
3603 struct test_hsort_cmp_data *d = (struct test_hsort_cmp_data *) data;
3604 d->counter += 1;
3605 return secp256k1_memcmp_var((unsigned char *)ele1, (unsigned char *)ele2, d->element_len);
3606}
3607
3608#define NUM 65
3609#define MAX_ELEMENT_LEN 65
3610static void test_hsort(size_t element_len) {
3611 unsigned char elements[NUM * MAX_ELEMENT_LEN] = { 0 };
3613 int i;
3614
3616 data.counter = 0;
3617 data.element_len = element_len;
3618
3620 CHECK(data.counter == 0);
3622 CHECK(data.counter == 0);
3624 CHECK(data.counter >= NUM - 1);
3626
3627 /* Test hsort with array of random length n */
3628 for (i = 0; i < COUNT; i++) {
3629 int n = testrand_int(NUM);
3630 testrand_bytes_test(elements, n*element_len);
3632 test_hsort_is_sorted(elements, n, element_len);
3633 }
3634}
3635#undef NUM
3636#undef MAX_ELEMENT_LEN
3637
3638
3639static void run_hsort_tests(void) {
3641 test_hsort(1);
3642 test_hsort(64);
3643 test_hsort(65);
3644}
3645
3646/***** GROUP TESTS *****/
3647
3648/* This compares jacobian points including their Z, not just their geometric meaning. */
3649static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3650 secp256k1_gej a2;
3651 secp256k1_gej b2;
3652 int ret = 1;
3653 ret &= a->infinity == b->infinity;
3654 if (ret && !a->infinity) {
3655 a2 = *a;
3656 b2 = *b;
3663 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3664 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3665 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3666 }
3667 return ret;
3668}
3669
3670static void test_ge(void) {
3671 int i, i1;
3672 int runs = 6;
3673 /* 25 points are used:
3674 * - infinity
3675 * - for each of four random points p1 p2 p3 p4, we add the point, its
3676 * negation, and then those two again but with randomized Z coordinate.
3677 * - The same is then done for lambda*p1 and lambda^2*p1.
3678 */
3679 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3680 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3681 secp256k1_fe zf, r;
3682 secp256k1_fe zfi2, zfi3;
3683
3686 for (i = 0; i < runs; i++) {
3687 int j, k;
3690 if (i >= runs - 2) {
3691 secp256k1_ge_mul_lambda(&g, &ge[1]);
3692 CHECK(!secp256k1_ge_eq_var(&g, &ge[1]));
3693 }
3694 if (i >= runs - 1) {
3696 }
3697 ge[1 + 4 * i] = g;
3698 ge[2 + 4 * i] = g;
3699 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3700 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3701 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3702 testutil_random_ge_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3703 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3704 testutil_random_ge_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3705 for (j = 0; j < 4; j++) {
3706 testutil_random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3707 testutil_random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3708 testutil_random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3709 testutil_random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3710 testutil_random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3711 }
3712
3713 for (j = 0; j < 4; ++j) {
3714 for (k = 0; k < 4; ++k) {
3715 int expect_equal = (j >> 1) == (k >> 1);
3716 CHECK(secp256k1_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3717 CHECK(secp256k1_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal);
3718 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3719 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal);
3720 }
3721 }
3722 }
3723
3724 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3727 secp256k1_fe_inv_var(&zfi3, &zf);
3728 secp256k1_fe_sqr(&zfi2, &zfi3);
3729 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3730
3731 /* Generate random r */
3733
3734 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3735 int i2;
3736 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3737 /* Compute reference result using gej + gej (var). */
3738 secp256k1_gej refj, resj;
3739 secp256k1_ge ref;
3740 secp256k1_fe zr;
3741 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3742 /* Check Z ratio. */
3743 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3744 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3745 CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3746 }
3747 secp256k1_ge_set_gej_var(&ref, &refj);
3748
3749 /* Test gej + ge with Z ratio result (var). */
3750 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3751 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3752 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3753 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3754 CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3755 }
3756
3757 /* Test gej + ge (var, with additional Z factor). */
3758 {
3759 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3760 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3761 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3764 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3765 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3766 }
3767
3768 /* Test gej + ge (const). */
3769 if (i2 != 0) {
3770 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3771 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3772 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3773 }
3774
3775 /* Test doubling (var). */
3776 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3777 secp256k1_fe zr2;
3778 /* Normal doubling with Z ratio result. */
3779 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3780 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3781 /* Check Z ratio. */
3782 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3783 CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3784 /* Normal doubling. */
3785 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3786 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3787 /* Constant-time doubling. */
3788 secp256k1_gej_double(&resj, &gej[i2]);
3789 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3790 }
3791
3792 /* Test adding opposites. */
3793 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3795 }
3796
3797 /* Test adding infinity. */
3798 if (i1 == 0) {
3801 CHECK(secp256k1_gej_eq_ge_var(&gej[i2], &ref));
3802 }
3803 if (i2 == 0) {
3806 CHECK(secp256k1_gej_eq_ge_var(&gej[i1], &ref));
3807 }
3808 }
3809 }
3810
3811 /* Test adding all points together in random order equals infinity. */
3812 {
3814 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3815 for (i = 0; i < 4 * runs + 1; i++) {
3816 gej_shuffled[i] = gej[i];
3817 }
3818 for (i = 0; i < 4 * runs + 1; i++) {
3819 int swap = i + testrand_int(4 * runs + 1 - i);
3820 if (swap != i) {
3821 secp256k1_gej t = gej_shuffled[i];
3822 gej_shuffled[i] = gej_shuffled[swap];
3823 gej_shuffled[swap] = t;
3824 }
3825 }
3826 for (i = 0; i < 4 * runs + 1; i++) {
3827 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3828 }
3830 free(gej_shuffled);
3831 }
3832
3833 /* Test batch gej -> ge conversion without known z ratios. */
3834 {
3835 secp256k1_ge *ge_set_all_var = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3836 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3837 secp256k1_ge_set_all_gej_var(&ge_set_all_var[0], &gej[0], 4 * runs + 1);
3838 for (i = 0; i < 4 * runs + 1; i++) {
3841 secp256k1_gej_rescale(&gej[i], &s);
3842 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all_var[i]));
3843 }
3844
3845 /* Skip infinity at &gej[0]. */
3846 secp256k1_ge_set_all_gej(&ge_set_all[1], &gej[1], 4 * runs);
3847 for (i = 1; i < 4 * runs + 1; i++) {
3850 secp256k1_gej_rescale(&gej[i], &s);
3851 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all[i]));
3852 CHECK(secp256k1_ge_eq_var(&ge_set_all_var[i], &ge_set_all[i]));
3853 }
3854
3855 /* Test with an array of length 1. */
3856 secp256k1_ge_set_all_gej_var(ge_set_all_var, &gej[1], 1);
3857 secp256k1_ge_set_all_gej(ge_set_all, &gej[1], 1);
3858 CHECK(secp256k1_gej_eq_ge_var(&gej[1], &ge_set_all_var[1]));
3859 CHECK(secp256k1_gej_eq_ge_var(&gej[1], &ge_set_all[1]));
3860 CHECK(secp256k1_ge_eq_var(&ge_set_all_var[1], &ge_set_all[1]));
3861
3862 /* Test with an array of length 0. */
3863 secp256k1_ge_set_all_gej_var(NULL, NULL, 0);
3864 secp256k1_ge_set_all_gej(NULL, NULL, 0);
3865
3866 free(ge_set_all_var);
3867 free(ge_set_all);
3868 }
3869
3870 /* Test that all elements have X coordinates on the curve. */
3871 for (i = 1; i < 4 * runs + 1; i++) {
3872 secp256k1_fe n;
3874 /* And the same holds after random rescaling. */
3875 secp256k1_fe_mul(&n, &zf, &ge[i].x);
3877 }
3878
3879 /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
3880 {
3881 secp256k1_fe n;
3882 secp256k1_ge q;
3883 int ret_on_curve, ret_frac_on_curve, ret_set_xo;
3884 secp256k1_fe_mul(&n, &zf, &r);
3885 ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
3886 ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
3887 ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
3888 CHECK(ret_on_curve == ret_frac_on_curve);
3889 CHECK(ret_on_curve == ret_set_xo);
3890 if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
3891 }
3892
3893 /* Test batch gej -> ge conversion with many infinities. */
3894 for (i = 0; i < 4 * runs + 1; i++) {
3895 int odd;
3897 odd = secp256k1_fe_is_odd(&ge[i].x);
3898 CHECK(odd == 0 || odd == 1);
3899 /* randomly set half the points to infinity */
3900 if (odd == i % 2) {
3902 }
3903 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3904 }
3905 /* batch convert */
3906 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3907 /* check result */
3908 for (i = 0; i < 4 * runs + 1; i++) {
3909 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge[i]));
3910 }
3911
3912 /* Test batch gej -> ge conversion with all infinities. */
3913 for (i = 0; i < 4 * runs + 1; i++) {
3915 }
3916 /* batch convert */
3917 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3918 /* check result */
3919 for (i = 0; i < 4 * runs + 1; i++) {
3921 }
3922
3923 free(ge);
3924 free(gej);
3925}
3926
3927static void test_initialized_inf(void) {
3928 secp256k1_ge p;
3929 secp256k1_gej pj, npj, infj1, infj2, infj3;
3930 secp256k1_fe zinv;
3931
3932 /* Test that adding P+(-P) results in a fully initialized infinity*/
3934 secp256k1_gej_set_ge(&pj, &p);
3935 secp256k1_gej_neg(&npj, &pj);
3936
3937 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3939 CHECK(secp256k1_fe_is_zero(&infj1.x));
3940 CHECK(secp256k1_fe_is_zero(&infj1.y));
3941 CHECK(secp256k1_fe_is_zero(&infj1.z));
3942
3943 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3945 CHECK(secp256k1_fe_is_zero(&infj2.x));
3946 CHECK(secp256k1_fe_is_zero(&infj2.y));
3947 CHECK(secp256k1_fe_is_zero(&infj2.z));
3948
3949 secp256k1_fe_set_int(&zinv, 1);
3950 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3952 CHECK(secp256k1_fe_is_zero(&infj3.x));
3953 CHECK(secp256k1_fe_is_zero(&infj3.y));
3954 CHECK(secp256k1_fe_is_zero(&infj3.z));
3955
3956
3957}
3958
3959static void test_add_neg_y_diff_x(void) {
3960 /* The point of this test is to check that we can add two points
3961 * whose y-coordinates are negatives of each other but whose x
3962 * coordinates differ. If the x-coordinates were the same, these
3963 * points would be negatives of each other and their sum is
3964 * infinity. This is cool because it "covers up" any degeneracy
3965 * in the addition algorithm that would cause the xy coordinates
3966 * of the sum to be wrong (since infinity has no xy coordinates).
3967 * HOWEVER, if the x-coordinates are different, infinity is the
3968 * wrong answer, and such degeneracies are exposed. This is the
3969 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3970 * which this test is a regression test for.
3971 *
3972 * These points were generated in sage as
3973 *
3974 * load("secp256k1_params.sage")
3975 *
3976 * # random "bad pair"
3977 * P = C.random_element()
3978 * Q = -int(LAMBDA) * P
3979 * print(" P: %x %x" % P.xy())
3980 * print(" Q: %x %x" % Q.xy())
3981 * print("P + Q: %x %x" % (P + Q).xy())
3982 */
3984 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3985 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3986 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3987 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3988 );
3990 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3991 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3992 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3993 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3994 );
3996 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3997 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3998 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3999 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
4000 );
4001 secp256k1_ge b;
4002 secp256k1_gej resj;
4003 secp256k1_ge res;
4004 secp256k1_ge_set_gej(&b, &bj);
4005
4006 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4007 secp256k1_ge_set_gej(&res, &resj);
4008 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4009
4010 secp256k1_gej_add_ge(&resj, &aj, &b);
4011 secp256k1_ge_set_gej(&res, &resj);
4012 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4013
4014 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4015 secp256k1_ge_set_gej(&res, &resj);
4016 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4017}
4018
4019static void test_ge_bytes(void) {
4020 int i;
4021
4022 for (i = 0; i < COUNT + 1; i++) {
4023 unsigned char buf[64];
4024 secp256k1_ge p, q;
4025
4026 if (i == 0) {
4028 } else {
4030 }
4031
4032 if (!secp256k1_ge_is_infinity(&p)) {
4033 secp256k1_ge_to_bytes(buf, &p);
4034
4035 secp256k1_ge_from_bytes(&q, buf);
4036 CHECK(secp256k1_ge_eq_var(&p, &q));
4037
4039 CHECK(secp256k1_ge_eq_var(&p, &q));
4040 }
4043 CHECK(secp256k1_ge_eq_var(&p, &q));
4044 }
4045}
4046
4047static void run_ge(void) {
4048 int i;
4049 for (i = 0; i < COUNT * 32; i++) {
4050 test_ge();
4051 }
4054 test_ge_bytes();
4055}
4056
4057static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4058 secp256k1_gej t = *a;
4059 secp256k1_gej_cmov(&t, b, 0);
4061 secp256k1_gej_cmov(&t, b, 1);
4063}
4064
4065static void run_gej(void) {
4066 int i;
4067 secp256k1_gej a, b;
4068
4069 /* Tests for secp256k1_gej_cmov */
4070 for (i = 0; i < COUNT; i++) {
4073 test_gej_cmov(&a, &b);
4074
4076 test_gej_cmov(&a, &b);
4077 test_gej_cmov(&b, &a);
4078
4079 b = a;
4080 test_gej_cmov(&a, &b);
4081
4083 test_gej_cmov(&a, &b);
4084 test_gej_cmov(&b, &a);
4085 }
4086
4087 /* Tests for secp256k1_gej_eq_var */
4088 for (i = 0; i < COUNT; i++) {
4089 secp256k1_fe fe;
4092 CHECK(!secp256k1_gej_eq_var(&a, &b));
4093
4094 b = a;
4096 secp256k1_gej_rescale(&a, &fe);
4097 CHECK(secp256k1_gej_eq_var(&a, &b));
4098 }
4099}
4100
4101static void test_ec_combine(void) {
4104 const secp256k1_pubkey* d[6];
4106 secp256k1_pubkey sd2;
4107 secp256k1_gej Qj;
4108 secp256k1_ge Q;
4109 int i;
4110 for (i = 1; i <= 6; i++) {
4115 secp256k1_ge_set_gej(&Q, &Qj);
4116 secp256k1_pubkey_save(&data[i - 1], &Q);
4117 d[i - 1] = &data[i - 1];
4119 secp256k1_ge_set_gej(&Q, &Qj);
4120 secp256k1_pubkey_save(&sd, &Q);
4121 CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4122 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4123 }
4124}
4125
4126static void run_ec_combine(void) {
4127 int i;
4128 for (i = 0; i < COUNT * 8; i++) {
4130 }
4131}
4132
4134 /* The input itself, normalized. */
4135 secp256k1_fe fex = *x;
4136 /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
4137 secp256k1_ge ge_even, ge_odd;
4138 /* Return values of the above calls. */
4139 int res_even, res_odd;
4140
4142
4143 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4144 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4145
4146 CHECK(res_even == res_odd);
4147
4148 if (res_even) {
4150 secp256k1_fe_normalize_var(&ge_even.x);
4152 secp256k1_fe_normalize_var(&ge_even.y);
4153
4154 /* No infinity allowed. */
4155 CHECK(!ge_even.infinity);
4156 CHECK(!ge_odd.infinity);
4157
4158 /* Check that the x coordinates check out. */
4159 CHECK(secp256k1_fe_equal(&ge_even.x, x));
4160 CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4161
4162 /* Check odd/even Y in ge_odd, ge_even. */
4163 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4164 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4165 }
4166}
4167
4168static void run_group_decompress(void) {
4169 int i;
4170 for (i = 0; i < COUNT * 4; i++) {
4171 secp256k1_fe fe;
4174 }
4175}
4176
4177/***** ECMULT TESTS *****/
4178
4179static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4180 /* Tests the pre_g / pre_g_128 tables for consistency.
4181 * For independent verification we take a "geometric" approach to verification.
4182 * We check that every entry is on-curve.
4183 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4184 * (1) p, gg, and -q are colinear.
4185 * (2) p, gg, and -q are all distinct.
4186 * where gg is twice the generator, where the generator is the first table entry.
4187 *
4188 * Checking the table's generators are correct is done in run_ecmult_pre_g.
4189 */
4190 secp256k1_gej g2;
4191 secp256k1_ge p, q, gg;
4192 secp256k1_fe dpx, dpy, dqx, dqy;
4193 size_t i;
4194
4195 CHECK(0 < n);
4196
4197 secp256k1_ge_from_storage(&p, &pre_g[0]);
4199
4200 secp256k1_gej_set_ge(&g2, &p);
4201 secp256k1_gej_double_var(&g2, &g2, NULL);
4202 secp256k1_ge_set_gej_var(&gg, &g2);
4203 for (i = 1; i < n; ++i) {
4204 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4205 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4206 /* Check that p is not equal to gg */
4208
4209 secp256k1_ge_from_storage(&q, &pre_g[i]);
4211
4212 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4213 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4214 /* Check that -q is not equal to gg */
4216
4217 /* Check that -q is not equal to p */
4218 CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4219
4220 /* Check that p, -q and gg are colinear */
4221 secp256k1_fe_mul(&dpx, &dpx, &dqy);
4222 secp256k1_fe_mul(&dpy, &dpy, &dqx);
4223 CHECK(secp256k1_fe_equal(&dpx, &dpy));
4224
4225 p = q;
4226 }
4227}
4228
4229static void run_ecmult_pre_g(void) {
4231 secp256k1_gej gj;
4233 size_t i;
4234
4235 /* Check that the pre_g and pre_g_128 tables are consistent. */
4238
4239 /* Check the first entry from the pre_g table. */
4241 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4242
4243 /* Check the first entry from the pre_g_128 table. */
4245 for (i = 0; i < 128; ++i) {
4246 secp256k1_gej_double_var(&gj, &gj, NULL);
4247 }
4248 secp256k1_ge_set_gej(&g, &gj);
4250 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4251}
4252
4253static void run_ecmult_chain(void) {
4254 /* random starting point A (on the curve) */
4256 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4257 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4258 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4259 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4260 );
4261 /* two random initial factors xn and gn */
4263 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4264 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4265 );
4267 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4268 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4269 );
4270 /* two small multipliers to be applied to xn and gn in every iteration: */
4271 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4272 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4273 /* accumulators with the resulting coefficients to A and G */
4276 /* actual points */
4277 secp256k1_gej x;
4278 secp256k1_gej x2;
4279 int i;
4280
4281 /* the point being computed */
4282 x = a;
4283 for (i = 0; i < 200*COUNT; i++) {
4284 /* in each iteration, compute X = xn*X + gn*G; */
4285 secp256k1_ecmult(&x, &x, &xn, &gn);
4286 /* also compute ae and ge: the actual accumulated factors for A and G */
4287 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4288 secp256k1_scalar_mul(&ae, &ae, &xn);
4289 secp256k1_scalar_mul(&ge, &ge, &xn);
4290 secp256k1_scalar_add(&ge, &ge, &gn);
4291 /* modify xn and gn */
4292 secp256k1_scalar_mul(&xn, &xn, &xf);
4293 secp256k1_scalar_mul(&gn, &gn, &gf);
4294
4295 /* verify */
4296 if (i == 19999) {
4297 /* expected result after 19999 iterations */
4299 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4300 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4301 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4302 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4303 );
4304 CHECK(secp256k1_gej_eq_var(&rp, &x));
4305 }
4306 }
4307 /* redo the computation, but directly with the resulting ae and ge coefficients: */
4308 secp256k1_ecmult(&x2, &a, &ae, &ge);
4309 CHECK(secp256k1_gej_eq_var(&x, &x2));
4310}
4311
4312static void test_point_times_order(const secp256k1_gej *point) {
4313 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4316 secp256k1_gej res1, res2;
4317 secp256k1_ge res3;
4318 unsigned char pub[65];
4319 size_t psize = 65;
4321 secp256k1_scalar_negate(&nx, &x);
4322 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4323 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4324 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4326 secp256k1_ge_set_gej(&res3, &res1);
4328 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4329 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4330 psize = 65;
4331 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4332 /* check zero/one edge cases */
4334 secp256k1_ge_set_gej(&res3, &res1);
4337 secp256k1_ge_set_gej(&res3, &res1);
4338 CHECK(secp256k1_gej_eq_ge_var(point, &res3));
4340 secp256k1_ge_set_gej(&res3, &res1);
4342}
4343
4344/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4345 *
4346 * They are computed as:
4347 * - For a in [-2, -1, 0, 1, 2]:
4348 * - For b in [-3, -1, 1, 3]:
4349 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4350 */
4352 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4353 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4354 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4355 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4356 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4357 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4358 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4359 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4360 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4361 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4362 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4363 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4364 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4365 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4366 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4367 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4368 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4369 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4370 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4371 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4372};
4373
4374static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4375 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4376 secp256k1_scalar n1, n2;
4377 secp256k1_ge p;
4378 secp256k1_gej pj, p1j, p2j, ptj;
4379
4380 /* Generate random n1,n2 such that n1+n2 = -target. */
4382 secp256k1_scalar_add(&n2, &n1, target);
4383 secp256k1_scalar_negate(&n2, &n2);
4384
4385 /* Generate a random input point. */
4386 if (mode != 0) {
4388 secp256k1_gej_set_ge(&pj, &p);
4389 }
4390
4391 /* EC multiplications */
4392 if (mode == 0) {
4395 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4396 } else if (mode == 1) {
4397 secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4398 secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4399 secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4400 } else {
4401 secp256k1_ecmult_const(&p1j, &p, &n1);
4402 secp256k1_ecmult_const(&p2j, &p, &n2);
4403 secp256k1_ecmult_const(&ptj, &p, target);
4404 }
4405
4406 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4407 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4408 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4410}
4411
4413 int i;
4414 unsigned j;
4415 for (i = 0; i < 4*COUNT; ++i) {
4416 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4420 }
4421 }
4422}
4423
4424static void run_point_times_order(void) {
4425 int i;
4426 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4427 static const secp256k1_fe xr = SECP256K1_FE_CONST(
4428 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4429 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4430 );
4431 for (i = 0; i < 500; i++) {
4432 secp256k1_ge p;
4433 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4434 secp256k1_gej j;
4436 secp256k1_gej_set_ge(&j, &p);
4438 }
4439 secp256k1_fe_sqr(&x, &x);
4440 }
4442 CHECK(secp256k1_fe_equal(&x, &xr));
4443}
4444
4445static void ecmult_const_random_mult(void) {
4446 /* random starting point A (on the curve) */
4448 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4449 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4450 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4451 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4452 );
4453 /* random initial factor xn */
4455 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4456 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4457 );
4458 /* expected xn * A (from sage) */
4459 secp256k1_ge expected_b = SECP256K1_GE_CONST(
4460 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4461 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4462 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4463 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4464 );
4465 secp256k1_gej b;
4466 secp256k1_ecmult_const(&b, &a, &xn);
4467
4469 CHECK(secp256k1_gej_eq_ge_var(&b, &expected_b));
4470}
4471
4475 secp256k1_gej res1;
4476 secp256k1_gej res2;
4477 secp256k1_ge mid1;
4478 secp256k1_ge mid2;
4481
4484 secp256k1_ge_set_gej(&mid1, &res1);
4485 secp256k1_ge_set_gej(&mid2, &res2);
4486 secp256k1_ecmult_const(&res1, &mid1, &b);
4487 secp256k1_ecmult_const(&res2, &mid2, &a);
4488 secp256k1_ge_set_gej(&mid1, &res1);
4489 secp256k1_ge_set_gej(&mid2, &res2);
4490 CHECK(secp256k1_ge_eq_var(&mid1, &mid2));
4491}
4492
4495 secp256k1_scalar negone;
4496 secp256k1_gej res1;
4497 secp256k1_ge res2;
4498 secp256k1_ge point;
4499 secp256k1_ge inf;
4500
4505
4506 /* 0*point */
4509
4510 /* s*inf */
4511 secp256k1_ecmult_const(&res1, &inf, &s);
4513
4514 /* 1*point */
4516 secp256k1_ge_set_gej(&res2, &res1);
4517 CHECK(secp256k1_ge_eq_var(&res2, &point));
4518
4519 /* -1*point */
4520 secp256k1_ecmult_const(&res1, &point, &negone);
4521 secp256k1_gej_neg(&res1, &res1);
4522 secp256k1_ge_set_gej(&res2, &res1);
4523 CHECK(secp256k1_ge_eq_var(&res2, &point));
4524}
4525
4526static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) {
4527 secp256k1_gej pointj, res2j;
4528 secp256k1_ge res2;
4529 secp256k1_gej_set_ge(&pointj, A);
4530 secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero);
4531 secp256k1_ge_set_gej(&res2, &res2j);
4532 CHECK(secp256k1_gej_eq_ge_var(res, &res2));
4533}
4534
4535static void ecmult_const_edges(void) {
4537 secp256k1_ge point;
4538 secp256k1_gej res;
4539 size_t i;
4540 size_t cases = 1 + sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]);
4541
4542 /* We are trying to reach the following edge cases (variables are defined as
4543 * in ecmult_const_impl.h):
4544 * 1. i = 0: s = 0 <=> q = -K
4545 * 2. i > 0: v1, v2 large values
4546 * <=> s1, s2 large values
4547 * <=> s = scalars_near_split_bounds[i]
4548 * <=> q = 2*scalars_near_split_bounds[i] - K
4549 */
4550 for (i = 0; i < cases; ++i) {
4552 if (i > 0) {
4555 }
4557 secp256k1_ecmult_const(&res, &point, &q);
4558 ecmult_const_check_result(&point, &q, &res);
4559 }
4560}
4561
4562static void ecmult_const_mult_xonly(void) {
4563 int i;
4564
4565 /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4566 for (i = 0; i < 2*COUNT; ++i) {
4567 secp256k1_ge base;
4568 secp256k1_gej basej, resj;
4569 secp256k1_fe n, d, resx, v;
4571 int res;
4572 /* Random base point. */
4574 /* Random scalar to multiply it with. */
4576 /* If i is odd, n=d*base.x for random non-zero d */
4577 if (i & 1) {
4579 secp256k1_fe_mul(&n, &base.x, &d);
4580 } else {
4581 n = base.x;
4582 }
4583 /* Perform x-only multiplication. */
4584 res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4585 CHECK(res);
4586 /* Perform normal multiplication. */
4587 secp256k1_gej_set_ge(&basej, &base);
4588 secp256k1_ecmult(&resj, &basej, &q, NULL);
4589 /* Check that resj's X coordinate corresponds with resx. */
4590 secp256k1_fe_sqr(&v, &resj.z);
4591 secp256k1_fe_mul(&v, &v, &resx);
4592 CHECK(fe_equal(&v, &resj.x));
4593 }
4594
4595 /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4596 for (i = 0; i < 2*COUNT; ++i) {
4597 secp256k1_fe x, n, d, r;
4598 int res;
4601 /* Generate random X coordinate not on the curve. */
4602 do {
4604 } while (secp256k1_ge_x_on_curve_var(&x));
4605 /* If i is odd, n=d*x for random non-zero d. */
4606 if (i & 1) {
4608 secp256k1_fe_mul(&n, &x, &d);
4609 } else {
4610 n = x;
4611 }
4612 res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4613 CHECK(res == 0);
4614 }
4615}
4616
4618 /* Check known result (randomly generated test problem from sage) */
4620 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4621 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4622 );
4623 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4624 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4625 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4626 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4627 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4628 );
4629 secp256k1_gej point;
4630 secp256k1_ge res;
4631 int i;
4632
4634 for (i = 0; i < 100; ++i) {
4635 secp256k1_ge tmp;
4636 secp256k1_ge_set_gej(&tmp, &point);
4637 secp256k1_ecmult_const(&point, &tmp, &scalar);
4638 }
4639 secp256k1_ge_set_gej(&res, &point);
4640 CHECK(secp256k1_gej_eq_ge_var(&expected_point, &res));
4641}
4642
4643static void run_ecmult_const_tests(void) {
4650}
4651
4652typedef struct {
4656
4657static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4659 *sc = data->sc[idx];
4660 *pt = data->pt[idx];
4661 return 1;
4662}
4663
4664static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4665 (void)sc;
4666 (void)pt;
4667 (void)idx;
4668 (void)cbdata;
4669 return 0;
4670}
4671
4673 int ncount;
4674 secp256k1_scalar sc[32];
4675 secp256k1_ge pt[32];
4676 secp256k1_gej r;
4677 secp256k1_gej r2;
4679
4680 data.sc = sc;
4681 data.pt = pt;
4682
4683 /* No points to multiply */
4684 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4685
4686 /* Check 1- and 2-point multiplies against ecmult */
4687 for (ncount = 0; ncount < COUNT; ncount++) {
4688 secp256k1_ge ptg;
4689 secp256k1_gej ptgj;
4692
4694 secp256k1_gej_set_ge(&ptgj, &ptg);
4695 pt[0] = ptg;
4696 pt[1] = secp256k1_ge_const_g;
4697
4698 /* only G scalar */
4699 secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4700 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4701 CHECK(secp256k1_gej_eq_var(&r, &r2));
4702
4703 /* 1-point */
4704 secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4705 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4706 CHECK(secp256k1_gej_eq_var(&r, &r2));
4707
4708 /* Try to multiply 1 point, but callback returns false */
4709 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4710
4711 /* 2-point */
4712 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4713 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4714 CHECK(secp256k1_gej_eq_var(&r, &r2));
4715
4716 /* 2-point with G scalar */
4717 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4718 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4719 CHECK(secp256k1_gej_eq_var(&r, &r2));
4720 }
4721
4722 /* Check infinite outputs of various forms */
4723 for (ncount = 0; ncount < COUNT; ncount++) {
4724 secp256k1_ge ptg;
4725 size_t i, j;
4726 size_t sizes[] = { 2, 10, 32 };
4727
4728 for (j = 0; j < 3; j++) {
4729 for (i = 0; i < 32; i++) {
4732 }
4733 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4735 }
4736
4737 for (j = 0; j < 3; j++) {
4738 for (i = 0; i < 32; i++) {
4740 pt[i] = ptg;
4741 secp256k1_scalar_set_int(&sc[i], 0);
4742 }
4743 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4745 }
4746
4747 for (j = 0; j < 3; j++) {
4749 for (i = 0; i < 16; i++) {
4751 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4752 pt[2 * i] = ptg;
4753 pt[2 * i + 1] = ptg;
4754 }
4755
4756 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4758
4760 for (i = 0; i < 16; i++) {
4762
4763 sc[2*i] = sc[0];
4764 sc[2*i+1] = sc[0];
4765 pt[2 * i] = ptg;
4766 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4767 }
4768
4769 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4771 }
4772
4774 secp256k1_scalar_set_int(&sc[0], 0);
4775 pt[0] = ptg;
4776 for (i = 1; i < 32; i++) {
4777 pt[i] = ptg;
4778
4780 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4781 secp256k1_scalar_negate(&sc[i], &sc[i]);
4782 }
4783
4784 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4786 }
4787
4788 /* Check random points, constant scalar */
4789 for (ncount = 0; ncount < COUNT; ncount++) {
4790 size_t i;
4792
4794 for (i = 0; i < 20; i++) {
4795 secp256k1_ge ptg;
4796 sc[i] = sc[0];
4798 pt[i] = ptg;
4799 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4800 }
4801
4802 secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4803 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4804 CHECK(secp256k1_gej_eq_var(&r, &r2));
4805 }
4806
4807 /* Check random scalars, constant point */
4808 for (ncount = 0; ncount < COUNT; ncount++) {
4809 size_t i;
4810 secp256k1_ge ptg;
4811 secp256k1_gej p0j;
4814
4816 for (i = 0; i < 20; i++) {
4818 pt[i] = ptg;
4819 secp256k1_scalar_add(&rs, &rs, &sc[i]);
4820 }
4821
4822 secp256k1_gej_set_ge(&p0j, &pt[0]);
4823 secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4824 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4825 CHECK(secp256k1_gej_eq_var(&r, &r2));
4826 }
4827
4828 /* Sanity check that zero scalars don't cause problems */
4829 for (ncount = 0; ncount < 20; ncount++) {
4830 testutil_random_scalar_order(&sc[ncount]);
4831 testutil_random_ge_test(&pt[ncount]);
4832 }
4833
4834 secp256k1_scalar_set_int(&sc[0], 0);
4835 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4836 secp256k1_scalar_set_int(&sc[1], 0);
4837 secp256k1_scalar_set_int(&sc[2], 0);
4838 secp256k1_scalar_set_int(&sc[3], 0);
4839 secp256k1_scalar_set_int(&sc[4], 0);
4840 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4841 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4843
4844 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4845 {
4846 const size_t TOP = 8;
4847 size_t s0i, s1i;
4848 size_t t0i, t1i;
4849 secp256k1_ge ptg;
4850 secp256k1_gej ptgj;
4851
4853 secp256k1_gej_set_ge(&ptgj, &ptg);
4854
4855 for(t0i = 0; t0i < TOP; t0i++) {
4856 for(t1i = 0; t1i < TOP; t1i++) {
4857 secp256k1_gej t0p, t1p;
4858 secp256k1_scalar t0, t1;
4859
4860 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4861 secp256k1_scalar_cond_negate(&t0, t0i & 1);
4862 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4863 secp256k1_scalar_cond_negate(&t1, t1i & 1);
4864
4865 secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4866 secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4867
4868 for(s0i = 0; s0i < TOP; s0i++) {
4869 for(s1i = 0; s1i < TOP; s1i++) {
4870 secp256k1_scalar tmp1, tmp2;
4871 secp256k1_gej expected, actual;
4872
4873 secp256k1_ge_set_gej(&pt[0], &t0p);
4874 secp256k1_ge_set_gej(&pt[1], &t1p);
4875
4876 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4877 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4878 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4879 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4880
4881 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4882 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4883 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4884
4885 secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4886 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4887 CHECK(secp256k1_gej_eq_var(&actual, &expected));
4888 }
4889 }
4890 }
4891 }
4892 }
4893}
4894
4896 /* Large random test for ecmult_multi_* functions which exercises:
4897 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4898 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4899 * - Including or excluding an nonzero a*G term (or such a term at all).
4900 * - Final expected result equal to infinity or not (roughly 50%).
4901 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4902 */
4903
4904 /* These 4 variables define the eventual input to the ecmult_multi function.
4905 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4906 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4907 * which form its normal inputs. */
4908 int filled = 0;
4910 secp256k1_scalar scalars[128];
4911 secp256k1_gej gejs[128];
4912 /* The expected result, and the computed result. */
4913 secp256k1_gej expected, computed;
4914 /* Temporaries. */
4915 secp256k1_scalar sc_tmp;
4916 secp256k1_ge ge_tmp;
4917 /* Variables needed for the actual input to ecmult_multi. */
4918 secp256k1_ge ges[128];
4920
4921 int i;
4922 /* Which multiplication function to use */
4923 int fn = testrand_int(3);
4927 /* Simulate exponentially distributed num. */
4928 int num_bits = 2 + testrand_int(6);
4929 /* Number of (scalar, point) inputs (excluding g). */
4930 int num = testrand_int((1 << num_bits) + 1);
4931 /* Number of those which are nonzero. */
4932 int num_nonzero = testrand_int(num + 1);
4933 /* Whether we're aiming to create an input with nonzero expected result. */
4934 int nonzero_result = testrand_bits(1);
4935 /* Whether we will provide nonzero g multiplicand. In some cases our hand
4936 * is forced here based on num_nonzero and nonzero_result. */
4937 int g_nonzero = num_nonzero == 0 ? nonzero_result :
4938 num_nonzero == 1 && !nonzero_result ? 1 :
4939 (int)testrand_bits(1);
4940 /* Which g_scalar pointer to pass into ecmult_multi(). */
4941 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || testrand_bits(1)) ? &g_scalar : NULL;
4942 /* How many EC multiplications were performed in this function. */
4943 int mults = 0;
4944 /* How many randomization steps to apply to the input list. */
4945 int rands = (int)testrand_bits(3);
4946 if (rands > num_nonzero) rands = num_nonzero;
4947
4948 secp256k1_gej_set_infinity(&expected);
4950 secp256k1_scalar_set_int(&scalars[0], 0);
4951
4952 if (g_nonzero) {
4953 /* If g_nonzero, set g_scalar to nonzero value r. */
4955 if (!nonzero_result) {
4956 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4957 CHECK(num_nonzero > filled);
4959 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4960 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4961 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4962 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4963 ++filled;
4964 ++mults;
4965 }
4966 }
4967
4968 if (nonzero_result && filled < num_nonzero) {
4969 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4970 testutil_random_scalar_order_test(&scalars[filled]);
4971 testutil_random_ge_test(&ge_tmp);
4972 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4973 ++filled;
4974 }
4975
4976 if (nonzero_result) {
4977 /* Compute the expected result using normal ecmult. */
4978 CHECK(filled <= 1);
4979 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4980 mults += filled + g_nonzero;
4981 }
4982
4983 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4984 CHECK(filled <= 1 + !nonzero_result);
4985 CHECK(filled <= num_nonzero);
4986
4987 /* Add entries to scalars,gejs so that there are num of them. All the added entries
4988 * either have scalar=0 or point=infinity, so these do not change the expected result. */
4989 while (filled < num) {
4990 if (testrand_bits(1)) {
4991 secp256k1_gej_set_infinity(&gejs[filled]);
4992 testutil_random_scalar_order_test(&scalars[filled]);
4993 } else {
4994 secp256k1_scalar_set_int(&scalars[filled], 0);
4995 testutil_random_ge_test(&ge_tmp);
4996 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4997 }
4998 ++filled;
4999 }
5000
5001 /* Now perform cheapish transformations on gejs and scalars, for indices
5002 * 0..num_nonzero-1, which do not change the expected result, but may
5003 * convert some of them to be both non-0-scalar and non-infinity-point. */
5004 for (i = 0; i < rands; ++i) {
5005 int j;
5006 secp256k1_scalar v, iv;
5007 /* Shuffle the entries. */
5008 for (j = 0; j < num_nonzero; ++j) {
5009 int k = testrand_int(num_nonzero - j);
5010 if (k != 0) {
5011 secp256k1_gej gej = gejs[j];
5012 secp256k1_scalar sc = scalars[j];
5013 gejs[j] = gejs[j + k];
5014 scalars[j] = scalars[j + k];
5015 gejs[j + k] = gej;
5016 scalars[j + k] = sc;
5017 }
5018 }
5019 /* Perturb all consecutive pairs of inputs:
5020 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
5021 for (j = 0; j + 1 < num_nonzero; j += 2) {
5022 secp256k1_gej gej;
5023 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
5024 secp256k1_gej_neg(&gej, &gejs[j]);
5025 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
5026 }
5027 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
5028 CHECK(num_nonzero >= 1);
5030 secp256k1_scalar_inverse(&iv, &v);
5031 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5032 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5033 ++mults;
5034 }
5035
5036 /* Shuffle all entries (0..num-1). */
5037 for (i = 0; i < num; ++i) {
5038 int j = testrand_int(num - i);
5039 if (j != 0) {
5040 secp256k1_gej gej = gejs[i];
5041 secp256k1_scalar sc = scalars[i];
5042 gejs[i] = gejs[i + j];
5043 scalars[i] = scalars[i + j];
5044 gejs[i + j] = gej;
5045 scalars[i + j] = sc;
5046 }
5047 }
5048
5049 /* Compute affine versions of all inputs. */
5050 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5051 /* Invoke ecmult_multi code. */
5052 data.sc = scalars;
5053 data.pt = ges;
5054 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5055 mults += num_nonzero + g_nonzero;
5056 /* Compare with expected result. */
5057 CHECK(secp256k1_gej_eq_var(&computed, &expected));
5058 return mults;
5059}
5060
5063 secp256k1_ge pt;
5064 secp256k1_gej r;
5066 secp256k1_scratch *scratch_empty;
5067
5070 data.sc = &sc;
5071 data.pt = &pt;
5072
5073 /* Try to multiply 1 point, but scratch space is empty.*/
5074 scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5075 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5077}
5078
5080 int i;
5081
5083 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5084 /* Bucket_window of 8 is not used with endo */
5085 if (i == 8) {
5086 continue;
5087 }
5089 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5091 }
5092 }
5093}
5094
5100 size_t scratch_size = testrand_bits(8);
5102 secp256k1_scratch *scratch;
5103 size_t n_points_supported;
5104 int bucket_window = 0;
5105
5106 for(; scratch_size < max_size; scratch_size+=256) {
5107 size_t i;
5108 size_t total_alloc;
5109 size_t checkpoint;
5110 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5111 CHECK(scratch != NULL);
5112 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5113 n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5114 if (n_points_supported == 0) {
5116 continue;
5117 }
5118 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5119 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5120 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5121 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5123 total_alloc--;
5124 }
5125 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5128 }
5129 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5130}
5131
5133 size_t n_batches, n_batch_points, max_n_batch_points, n;
5134
5135 max_n_batch_points = 0;
5136 n = 1;
5137 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5138
5139 max_n_batch_points = 1;
5140 n = 0;
5141 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5142 CHECK(n_batches == 0);
5143 CHECK(n_batch_points == 0);
5144
5145 max_n_batch_points = 2;
5146 n = 5;
5147 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5148 CHECK(n_batches == 3);
5149 CHECK(n_batch_points == 2);
5150
5151 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5153 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5154 CHECK(n_batches == 1);
5155 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5156
5157 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5159 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5160 CHECK(n_batches == 2);
5161 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5162
5163 max_n_batch_points = 1;
5164 n = SIZE_MAX;
5165 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5166 CHECK(n_batches == SIZE_MAX);
5167 CHECK(n_batch_points == 1);
5168
5169 max_n_batch_points = 2;
5170 n = SIZE_MAX;
5171 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5172 CHECK(n_batches == SIZE_MAX/2 + 1);
5173 CHECK(n_batch_points == 2);
5174}
5175
5181 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5182 secp256k1_scalar scG;
5185 secp256k1_gej r;
5186 secp256k1_gej r2;
5188 int i;
5189 secp256k1_scratch *scratch;
5190
5192
5193 /* Get random scalars and group elements and compute result */
5195 secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5196 for(i = 0; i < n_points; i++) {
5197 secp256k1_ge ptg;
5198 secp256k1_gej ptgj;
5200 secp256k1_gej_set_ge(&ptgj, &ptg);
5201 pt[i] = ptg;
5203 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5204 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5205 }
5206 data.sc = sc;
5207 data.pt = pt;
5208 secp256k1_gej_neg(&r2, &r2);
5209
5210 /* Test with empty scratch space. It should compute the correct result using
5211 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5214 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5217
5218 /* Test with space for 1 point in pippenger. That's not enough because
5219 * ecmult_multi selects strauss which requires more memory. It should
5220 * therefore select the simple algorithm. */
5223 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5226
5227 for(i = 1; i <= n_points; i++) {
5229 int bucket_window = secp256k1_pippenger_bucket_window(i);
5230 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5232 } else {
5233 size_t scratch_size = secp256k1_strauss_scratch_size(i);
5235 }
5237 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5240 }
5241 free(sc);
5242 free(pt);
5243}
5244
5245static void run_ecmult_multi_tests(void) {
5246 secp256k1_scratch *scratch;
5247 int64_t todo = (int64_t)320 * COUNT;
5248
5251 scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5258 while (todo > 0) {
5259 todo -= test_ecmult_multi_random(scratch);
5260 }
5262
5263 /* Run test_ecmult_multi with space for exactly one point */
5267
5270}
5271
5272static void test_wnaf(const secp256k1_scalar *number, int w) {
5273 secp256k1_scalar x, two, t;
5274 int wnaf[256];
5275 int zeroes = -1;
5276 int i;
5277 int bits;
5279 secp256k1_scalar_set_int(&two, 2);
5280 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5281 CHECK(bits <= 256);
5282 for (i = bits-1; i >= 0; i--) {
5283 int v = wnaf[i];
5284 secp256k1_scalar_mul(&x, &x, &two);
5285 if (v) {
5286 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5287 zeroes=0;
5288 CHECK((v & 1) == 1); /* check non-zero elements are odd */
5289 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5290 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5291 } else {
5292 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5293 zeroes++;
5294 }
5295 if (v >= 0) {
5297 } else {
5300 }
5301 secp256k1_scalar_add(&x, &x, &t);
5302 }
5303 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5304}
5305
5306static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5307 secp256k1_scalar x, shift;
5308 int wnaf[256] = {0};
5309 int i;
5310 int skew;
5311 secp256k1_scalar num, unused;
5312
5314 secp256k1_scalar_set_int(&shift, 1 << w);
5315 /* Make num a 128-bit scalar. */
5316 secp256k1_scalar_split_128(&num, &unused, number);
5317 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5318
5319 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5321 int v = wnaf[i];
5322 CHECK(v == 0 || v & 1); /* check parity */
5323 CHECK(v > -(1 << w)); /* check range above */
5324 CHECK(v < (1 << w)); /* check range below */
5325
5326 secp256k1_scalar_mul(&x, &x, &shift);
5327 if (v >= 0) {
5329 } else {
5332 }
5333 secp256k1_scalar_add(&x, &x, &t);
5334 }
5335 /* If skew is 1 then add 1 to num */
5336 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5337 CHECK(secp256k1_scalar_eq(&x, &num));
5338}
5339
5340/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5341 * rest is 0.*/
5342static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5343 int i;
5344 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5345 CHECK(wnaf[i] == 0);
5346 }
5347 for (i = 7; i >= 0; --i) {
5348 CHECK(wnaf[i] == wnaf_expected[i]);
5349 }
5350}
5351
5352static void test_fixed_wnaf_small(void) {
5353 int w = 4;
5354 int wnaf[256] = {0};
5355 int i;
5356 int skew;
5357 secp256k1_scalar num;
5358
5359 secp256k1_scalar_set_int(&num, 0);
5360 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5361 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5362 int v = wnaf[i];
5363 CHECK(v == 0);
5364 }
5365 CHECK(skew == 0);
5366
5367 secp256k1_scalar_set_int(&num, 1);
5368 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5369 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5370 int v = wnaf[i];
5371 CHECK(v == 0);
5372 }
5373 CHECK(wnaf[0] == 1);
5374 CHECK(skew == 0);
5375
5376 {
5377 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5378 secp256k1_scalar_set_int(&num, 0xffffffff);
5379 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5380 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5381 CHECK(skew == 0);
5382 }
5383 {
5384 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5385 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5386 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5387 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5388 CHECK(skew == 1);
5389 }
5390 {
5391 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5392 secp256k1_scalar_set_int(&num, 0x01010101);
5393 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5394 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5395 CHECK(skew == 0);
5396 }
5397 {
5398 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5399 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5400 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5401 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5402 CHECK(skew == 0);
5403 }
5404}
5405
5406static void run_wnaf(void) {
5407 int i;
5409
5410 /* Test 0 for fixed wnaf */
5412 /* Random tests */
5413 for (i = 0; i < COUNT; i++) {
5415 test_wnaf(&n, 4+(i%10));
5416 test_fixed_wnaf(&n, 4 + (i % 10));
5417 }
5419 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5423}
5424
5425static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5426 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5427 *sc = *indata;
5429 CHECK(idx == 0);
5430 return 1;
5431}
5432
5434 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5435 secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5436 secp256k1_ge r;
5437 unsigned char bytes[65];
5438 size_t size = 65;
5443 secp256k1_ecmult(&rj3, &infj, &secp256k1_scalar_zero, x);
5444 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &rj4, x, NULL, NULL, 0));
5447 secp256k1_ge_set_gej_var(&r, &rj1);
5448 CHECK(secp256k1_gej_eq_ge_var(&rj2, &r));
5449 CHECK(secp256k1_gej_eq_ge_var(&rj3, &r));
5450 CHECK(secp256k1_gej_eq_ge_var(&rj4, &r));
5451 CHECK(secp256k1_gej_eq_ge_var(&rj5, &r));
5452 CHECK(secp256k1_gej_eq_ge_var(&rj6, &r));
5453 if (secp256k1_ge_is_infinity(&r)) {
5454 /* Store infinity as 0x00 */
5455 const unsigned char zerobyte[1] = {0};
5456 secp256k1_sha256_write(acc, zerobyte, 1);
5457 } else {
5458 /* Store other points using their uncompressed serialization. */
5459 secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5460 CHECK(size == 65);
5461 secp256k1_sha256_write(acc, bytes, size);
5462 }
5463}
5464
5466 /* Using test_ecmult_accumulate, test ecmult for:
5467 * - For i in 0..36:
5468 * - Key i
5469 * - Key -i
5470 * - For i in 0..255:
5471 * - For j in 1..255 (only odd values):
5472 * - Key (j*2^i) mod order
5473 */
5475 secp256k1_sha256 acc;
5476 unsigned char b32[32];
5477 int i, j;
5479
5480 /* Expected hash of all the computed points; created with an independent
5481 * implementation. */
5482 static const unsigned char expected32[32] = {
5483 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5484 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5485 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5486 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5487 };
5489 for (i = 0; i <= 36; ++i) {
5491 test_ecmult_accumulate(&acc, &x, scratch);
5493 test_ecmult_accumulate(&acc, &x, scratch);
5494 };
5495 for (i = 0; i < 256; ++i) {
5496 for (j = 1; j < 256; j += 2) {
5497 int k;
5499 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5500 test_ecmult_accumulate(&acc, &x, scratch);
5501 }
5502 }
5503 secp256k1_sha256_finalize(&acc, b32);
5504 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5505
5507}
5508
5509static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5510 /* Using test_ecmult_accumulate, test ecmult for:
5511 * - Key 0
5512 * - Key 1
5513 * - Key -1
5514 * - For i in range(iter):
5515 * - Key SHA256(LE32(prefix) || LE16(i))
5516 */
5518 secp256k1_sha256 acc;
5519 unsigned char b32[32];
5520 unsigned char inp[6];
5521 size_t i;
5523
5524 inp[0] = prefix & 0xFF;
5525 inp[1] = (prefix >> 8) & 0xFF;
5526 inp[2] = (prefix >> 16) & 0xFF;
5527 inp[3] = (prefix >> 24) & 0xFF;
5530 test_ecmult_accumulate(&acc, &x, scratch);
5532 test_ecmult_accumulate(&acc, &x, scratch);
5534 test_ecmult_accumulate(&acc, &x, scratch);
5535
5536 for (i = 0; i < iter; ++i) {
5537 secp256k1_sha256 gen;
5538 inp[4] = i & 0xff;
5539 inp[5] = (i >> 8) & 0xff;
5541 secp256k1_sha256_write(&gen, inp, sizeof(inp));
5542 secp256k1_sha256_finalize(&gen, b32);
5543 secp256k1_scalar_set_b32(&x, b32, NULL);
5544 test_ecmult_accumulate(&acc, &x, scratch);
5545 }
5546 secp256k1_sha256_finalize(&acc, b32);
5547 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5548
5550}
5551
5552static void run_ecmult_constants(void) {
5553 /* Expected hashes of all points in the tests below. Computed using an
5554 * independent implementation. */
5555 static const unsigned char expected32_6bit20[32] = {
5556 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5557 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5558 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5559 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5560 };
5561 static const unsigned char expected32_8bit8[32] = {
5562 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5563 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5564 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5565 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5566 };
5567 /* For every combination of 6 bit positions out of 256, restricted to
5568 * 20-bit windows (i.e., the first and last bit position are no more than
5569 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5570 * this test. */
5571 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5572 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5573 }
5574
5575 /* For every combination of 8 consecutive bit positions, all 256 bit
5576 * patterns occur in the input scalars used in this test. */
5577 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5578 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5579 }
5580
5581 CONDITIONAL_TEST(16, "test_ecmult_constants_2bit") {
5583 }
5584}
5585
5586static void test_ecmult_gen_blind(void) {
5587 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5588 secp256k1_scalar key;
5590 unsigned char seed32[32];
5591 secp256k1_gej pgej;
5592 secp256k1_gej pgej2;
5593 secp256k1_ge p;
5594 secp256k1_ge pge;
5596 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key);
5597 testrand256(seed32);
5602 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key);
5603 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5605 secp256k1_ge_set_gej(&pge, &pgej);
5606 CHECK(secp256k1_gej_eq_ge_var(&pgej2, &pge));
5607}
5608
5610 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5612 secp256k1_ge p1, p2;
5619 CHECK(secp256k1_ge_eq_var(&p1, &p2));
5620}
5621
5622/* Verify that ecmult_gen for scalars gn for which gn + scalar_offset = {-1,0,1}. */
5624 int i;
5625 secp256k1_gej res1, res2, res3;
5626 secp256k1_scalar gn = secp256k1_scalar_one; /* gn = 1 */
5627 secp256k1_scalar_add(&gn, &gn, &CTX->ecmult_gen_ctx.scalar_offset); /* gn = 1 + scalar_offset */
5628 secp256k1_scalar_negate(&gn, &gn); /* gn = -1 - scalar_offset */
5629
5630 for (i = -1; i < 2; ++i) {
5631 /* Run test with gn = i - scalar_offset (so that the ecmult_gen recoded value represents i). */
5633 secp256k1_ecmult(&res2, NULL, &secp256k1_scalar_zero, &gn);
5635 CHECK(secp256k1_gej_eq_var(&res1, &res2));
5636 CHECK(secp256k1_gej_eq_var(&res1, &res3));
5638 }
5639}
5640
5641static void run_ecmult_gen_blind(void) {
5642 int i;
5645 for (i = 0; i < 10; i++) {
5647 }
5648}
5649
5650/***** ENDOMORPHISH TESTS *****/
5651static void test_scalar_split(const secp256k1_scalar* full) {
5652 secp256k1_scalar s, s1, slam;
5653 const unsigned char zero[32] = {0};
5654 unsigned char tmp[32];
5655
5656 secp256k1_scalar_split_lambda(&s1, &slam, full);
5657
5658 /* check slam*lambda + s1 == full */
5660 secp256k1_scalar_add(&s, &s, &s1);
5661 CHECK(secp256k1_scalar_eq(&s, full));
5662
5663 /* check that both are <= 128 bits in size */
5664 if (secp256k1_scalar_is_high(&s1)) {
5665 secp256k1_scalar_negate(&s1, &s1);
5666 }
5667 if (secp256k1_scalar_is_high(&slam)) {
5668 secp256k1_scalar_negate(&slam, &slam);
5669 }
5670
5671 secp256k1_scalar_get_b32(tmp, &s1);
5672 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5673 secp256k1_scalar_get_b32(tmp, &slam);
5674 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5675}
5676
5677
5678static void run_endomorphism_tests(void) {
5679 unsigned i;
5680 static secp256k1_scalar s;
5688
5689 for (i = 0; i < 100U * COUNT; ++i) {
5690 secp256k1_scalar full;
5692 test_scalar_split(&full);
5693 }
5694 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5696 }
5697}
5698
5699static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5700 unsigned char pubkeyc[65];
5701 secp256k1_pubkey pubkey;
5702 secp256k1_ge ge;
5703 size_t pubkeyclen;
5704
5705 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5706 /* Smaller sizes are tested exhaustively elsewhere. */
5707 int32_t i;
5708 memcpy(&pubkeyc[1], input, 64);
5709 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5710 for (i = 0; i < 256; i++) {
5711 /* Try all type bytes. */
5712 int xpass;
5713 int ypass;
5714 int ysign;
5715 pubkeyc[0] = i;
5716 /* What sign does this point have? */
5717 ysign = (input[63] & 1) + 2;
5718 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5719 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5720 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5721 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5722 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5723 if (xpass || ypass) {
5724 /* These cases must parse. */
5725 unsigned char pubkeyo[65];
5726 size_t outl;
5727 memset(&pubkey, 0, sizeof(pubkey));
5728 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5729 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
5730 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5731 outl = 65;
5732 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5733 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5734 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5735 CHECK(outl == 33);
5736 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5737 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5738 if (ypass) {
5739 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5740 CHECK(pubkeyo[0] == ysign);
5741 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5742 memset(&pubkey, 0, sizeof(pubkey));
5743 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5744 secp256k1_pubkey_save(&pubkey, &ge);
5745 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5746 outl = 65;
5747 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5748 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5749 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5750 CHECK(outl == 65);
5751 CHECK(pubkeyo[0] == 4);
5752 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5753 }
5754 } else {
5755 /* These cases must fail to parse. */
5756 memset(&pubkey, 0xfe, sizeof(pubkey));
5757 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5758 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5759 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5760 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5761 }
5762 }
5763 }
5764}
5765
5766static void run_ec_pubkey_parse_test(void) {
5767#define SECP256K1_EC_PARSE_TEST_NVALID (12)
5768 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5769 {
5770 /* Point with leading and trailing zeros in x and y serialization. */
5771 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5773 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5774 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5775 },
5776 {
5777 /* Point with x equal to a 3rd root of unity.*/
5778 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5779 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5780 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5781 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5782 },
5783 {
5784 /* Point with largest x. (1/2) */
5785 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5786 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5787 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5788 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5789 },
5790 {
5791 /* Point with largest x. (2/2) */
5792 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5793 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5794 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5795 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5796 },
5797 {
5798 /* Point with smallest x. (1/2) */
5799 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5800 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5801 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5802 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5803 },
5804 {
5805 /* Point with smallest x. (2/2) */
5806 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5807 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5808 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5809 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5810 },
5811 {
5812 /* Point with largest y. (1/3) */
5813 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5814 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5815 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5816 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5817 },
5818 {
5819 /* Point with largest y. (2/3) */
5820 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5821 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5822 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5823 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5824 },
5825 {
5826 /* Point with largest y. (3/3) */
5827 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5828 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5829 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5830 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5831 },
5832 {
5833 /* Point with smallest y. (1/3) */
5834 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5835 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5836 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5837 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5838 },
5839 {
5840 /* Point with smallest y. (2/3) */
5841 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5842 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5843 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5844 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5845 },
5846 {
5847 /* Point with smallest y. (3/3) */
5848 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5849 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5850 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5851 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5852 }
5853 };
5854#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5855 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5856 {
5857 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5858 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5859 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5860 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5861 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5862 },
5863 {
5864 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5865 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5866 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5867 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5868 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5869 },
5870 {
5871 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5872 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5873 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5874 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5875 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5876 },
5877 {
5878 /* x on curve, y is from y^2 = x^3 + 8. */
5879 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5880 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5881 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5882 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5883 }
5884 };
5885#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5886 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5887 {
5888 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5889 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5890 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5891 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5892 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5893 },
5894 {
5895 /* Valid if x overflow ignored (x = 1 mod p). */
5896 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5897 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5898 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5899 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5900 },
5901 {
5902 /* Valid if x overflow ignored (x = 1 mod p). */
5903 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5904 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5905 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5906 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5907 },
5908 {
5909 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5910 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5911 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5912 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5913 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5914 },
5915 {
5916 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5917 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5918 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5919 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5920 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5921 },
5922 {
5923 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5924 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5925 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5926 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5927 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5928 },
5929 {
5930 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5931 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5932 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5933 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5934 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5935 }
5936 };
5937 const unsigned char pubkeyc[66] = {
5938 /* Serialization of G. */
5939 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5940 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5941 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5942 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5943 0xB8, 0x00
5944 };
5945 unsigned char sout[65];
5946 unsigned char shortkey[2] = { 0 };
5947 secp256k1_ge ge;
5948 secp256k1_pubkey pubkey;
5949 size_t len;
5950 int32_t i;
5951
5952 /* Nothing should be reading this far into pubkeyc. */
5953 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
5954 /* Zero length claimed, fail, zeroize, no illegal arg error. */
5955 memset(&pubkey, 0xfe, sizeof(pubkey));
5956 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
5957 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5958 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
5959 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5960 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5961 /* Length one claimed, fail, zeroize, no illegal arg error. */
5962 for (i = 0; i < 256 ; i++) {
5963 memset(&pubkey, 0xfe, sizeof(pubkey));
5964 shortkey[0] = i;
5965 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
5966 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5967 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
5968 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5969 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5970 }
5971 /* Length two claimed, fail, zeroize, no illegal arg error. */
5972 for (i = 0; i < 65536 ; i++) {
5973 memset(&pubkey, 0xfe, sizeof(pubkey));
5974 shortkey[0] = i & 255;
5975 shortkey[1] = i >> 8;
5976 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5977 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
5978 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5979 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5980 }
5981 memset(&pubkey, 0xfe, sizeof(pubkey));
5982 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5983 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5984 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
5985 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5986 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5987 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5988 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65));
5989 /* NULL input string. Illegal arg and zeroize output. */
5990 memset(&pubkey, 0xfe, sizeof(pubkey));
5991 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5992 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65));
5993 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5994 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5995 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5996 memset(&pubkey, 0xfe, sizeof(pubkey));
5997 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5998 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
5999 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6000 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6001 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
6002 memset(&pubkey, 0xfe, sizeof(pubkey));
6003 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6004 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
6005 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6006 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6007 /* Valid parse. */
6008 memset(&pubkey, 0, sizeof(pubkey));
6009 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6010 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
6011 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
6012 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6013 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
6014 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
6015 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
6016 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
6019 /* secp256k1_ec_pubkey_serialize illegal args. */
6020 len = 65;
6022 CHECK(len == 0);
6024 len = 65;
6027 SECP256K1_CHECKMEM_CHECK(sout, 65);
6028 CHECK(len == 0);
6029 len = 65;
6030 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0));
6031 CHECK(len == 0);
6032 len = 65;
6035 SECP256K1_CHECKMEM_CHECK(sout, 65);
6036 CHECK(len == 65);
6037 /* Multiple illegal args. Should still set arg error only once. */
6039 /* Try a bunch of prefabbed points with all possible encodings. */
6040 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
6041 ec_pubkey_parse_pointtest(valid[i], 1, 1);
6042 }
6043 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
6044 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
6045 }
6046 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
6047 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
6048 }
6049}
6050
6051static void run_eckey_edge_case_test(void) {
6052 const unsigned char *orderc = secp256k1_group_order_bytes;
6053 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6054 unsigned char ctmp[33];
6055 unsigned char ctmp2[33];
6056 secp256k1_pubkey pubkey;
6057 secp256k1_pubkey pubkey2;
6058 secp256k1_pubkey pubkey_one;
6059 secp256k1_pubkey pubkey_negone;
6060 const secp256k1_pubkey *pubkeys[3];
6061 size_t len;
6062 /* Group order is too large, reject. */
6063 CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6064 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6065 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6066 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6067 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6068 /* Maximum value is too large, reject. */
6069 memset(ctmp, 255, 32);
6071 memset(&pubkey, 1, sizeof(pubkey));
6072 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6073 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6074 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6075 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6076 /* Zero is too small, reject. */
6077 memset(ctmp, 0, 32);
6079 memset(&pubkey, 1, sizeof(pubkey));
6080 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6081 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6082 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6083 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6084 /* One must be accepted. */
6085 ctmp[31] = 0x01;
6087 memset(&pubkey, 0, sizeof(pubkey));
6088 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6089 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6090 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6091 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6092 pubkey_one = pubkey;
6093 /* Group order + 1 is too large, reject. */
6094 memcpy(ctmp, orderc, 32);
6095 ctmp[31] = 0x42;
6097 memset(&pubkey, 1, sizeof(pubkey));
6098 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6099 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6100 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6101 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6102 /* -1 must be accepted. */
6103 ctmp[31] = 0x40;
6105 memset(&pubkey, 0, sizeof(pubkey));
6106 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6107 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6108 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6109 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6110 pubkey_negone = pubkey;
6111 /* Tweak of zero leaves the value unchanged. */
6112 memset(ctmp2, 0, 32);
6113 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6114 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6115 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6116 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6117 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6118 /* Multiply tweak of zero zeroizes the output. */
6119 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6120 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6121 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6122 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6123 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6124 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6125 seckey, the seckey is zeroized. */
6126 memcpy(ctmp, orderc, 32);
6127 memset(ctmp2, 0, 32);
6128 ctmp2[31] = 0x01;
6129 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6131 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6132 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6133 memcpy(ctmp, orderc, 32);
6134 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6135 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6136 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6137 tweak, the seckey is zeroized. */
6138 memcpy(ctmp, orderc, 32);
6139 ctmp[31] = 0x40;
6140 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6141 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6142 memcpy(ctmp, orderc, 32);
6143 ctmp[31] = 0x40;
6144 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6145 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6146 memcpy(ctmp, orderc, 32);
6147 ctmp[31] = 0x40;
6148 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6149 tweak, the pubkey is zeroized. */
6150 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6151 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6152 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6153 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6154 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6155 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6156 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6157 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6158 * case the pubkey is zeroized. */
6159 memcpy(ctmp, orderc, 32);
6160 ctmp[31] = 0x40;
6161 memset(ctmp2, 0, 32);
6162 ctmp2[31] = 1;
6163 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6164 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6165 ctmp2[31] = 1;
6166 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6167 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6168 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6169 /* Tweak computation wraps and results in a key of 1. */
6170 ctmp2[31] = 2;
6171 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6172 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6173 ctmp2[31] = 2;
6174 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6175 ctmp2[31] = 1;
6176 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6177 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6178 /* Tweak mul * 2 = 1+1. */
6179 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6180 ctmp2[31] = 2;
6181 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6182 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6183 /* Zeroize pubkey on parse error. */
6184 memset(&pubkey, 0, 32);
6186 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6187 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6188 memset(&pubkey2, 0, 32);
6190 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6191 /* Plain argument errors. */
6194 memset(ctmp2, 0, 32);
6195 ctmp2[31] = 4;
6198 memset(ctmp2, 0, 32);
6199 ctmp2[31] = 4;
6202 memset(ctmp2, 0, 32);
6205 memset(ctmp2, 0, 32);
6206 ctmp2[31] = 1;
6210 memset(&pubkey, 1, sizeof(pubkey));
6212 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6213 /* secp256k1_ec_pubkey_combine tests. */
6214 pubkeys[0] = &pubkey_one;
6215 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6216 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6217 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6218 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6220 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0));
6222 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6223 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1));
6224 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6225 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6227 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1));
6229 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6230 pubkeys[0] = &pubkey_negone;
6231 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6233 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6235 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6236 len = 33;
6238 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6239 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6240 /* Result is infinity. */
6241 pubkeys[0] = &pubkey_one;
6242 pubkeys[1] = &pubkey_negone;
6243 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6245 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6247 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6248 /* Passes through infinity but comes out one. */
6249 pubkeys[2] = &pubkey_one;
6250 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6252 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6254 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6255 len = 33;
6257 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6258 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6259 /* Adds to two. */
6260 pubkeys[1] = &pubkey_one;
6261 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6263 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6265 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6266}
6267
6268static void run_eckey_negate_test(void) {
6269 unsigned char seckey[32];
6270 unsigned char seckey_tmp[32];
6271
6273 memcpy(seckey_tmp, seckey, 32);
6274
6275 /* Verify negation changes the key and changes it back */
6276 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6277 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6278 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6279 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6280
6281 /* Negating all 0s fails */
6282 memset(seckey, 0, 32);
6283 memset(seckey_tmp, 0, 32);
6284 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6285 /* Check that seckey is not modified */
6286 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6287
6288 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6289 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6290 * doesn't just set seckey to a constant value in case of failure. */
6292 memset(seckey, 0xFF, 16);
6293 memset(seckey_tmp, 0, 32);
6294 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6295 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6296}
6297
6298static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6300 do {
6302 } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6303}
6304
6305static void test_ecdsa_sign_verify(void) {
6306 secp256k1_gej pubj;
6307 secp256k1_ge pub;
6308 secp256k1_scalar one;
6309 secp256k1_scalar msg, key;
6310 secp256k1_scalar sigr, sigs;
6311 int getrec;
6312 int recid;
6315 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key);
6316 secp256k1_ge_set_gej(&pub, &pubj);
6317 getrec = testrand_bits(1);
6318 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6319 See the commit messages of the commit that introduced this comment for details. */
6320 if (getrec) {
6321 random_sign(&sigr, &sigs, &key, &msg, &recid);
6322 CHECK(recid >= 0 && recid < 4);
6323 } else {
6324 random_sign(&sigr, &sigs, &key, &msg, NULL);
6325 }
6326 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6327 secp256k1_scalar_set_int(&one, 1);
6328 secp256k1_scalar_add(&msg, &msg, &one);
6329 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6330}
6331
6332static void run_ecdsa_sign_verify(void) {
6333 int i;
6334 for (i = 0; i < 10*COUNT; i++) {
6336 }
6337}
6338
6340static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6341 (void)msg32;
6342 (void)key32;
6343 (void)algo16;
6344 memcpy(nonce32, data, 32);
6345 return (counter == 0);
6346}
6347
6348static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6349 /* Dummy nonce generator that has a fatal error on the first counter value. */
6350 if (counter == 0) {
6351 return 0;
6352 }
6353 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6354}
6355
6356static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6357 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6358 if (counter < 3) {
6359 memset(nonce32, counter==0 ? 0 : 255, 32);
6360 if (counter == 2) {
6361 nonce32[31]--;
6362 }
6363 return 1;
6364 }
6365 if (counter < 5) {
6366 memcpy(nonce32, secp256k1_group_order_bytes, 32);
6367 if (counter == 4) {
6368 nonce32[31]++;
6369 }
6370 return 1;
6371 }
6372 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6373 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6374 if (counter > 5) {
6375 return 0;
6376 }
6377 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6378}
6379
6381 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6382 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6383}
6384
6385static void test_ecdsa_end_to_end(void) {
6386 unsigned char extra[32] = {0x00};
6387 unsigned char privkey[32];
6388 unsigned char message[32];
6389 unsigned char privkey2[32];
6390 secp256k1_ecdsa_signature signature[6];
6392 unsigned char sig[74];
6393 size_t siglen = 74;
6394 unsigned char pubkeyc[65];
6395 size_t pubkeyclen = 65;
6396 secp256k1_pubkey pubkey;
6397 secp256k1_pubkey pubkey_tmp;
6398 unsigned char seckey[300];
6399 size_t seckeylen = 300;
6400
6401 /* Generate a random key and message. */
6402 {
6403 secp256k1_scalar msg, key;
6406 secp256k1_scalar_get_b32(privkey, &key);
6407 secp256k1_scalar_get_b32(message, &msg);
6408 }
6409
6410 /* Construct and verify corresponding public key. */
6411 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
6412 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
6413
6414 /* Verify exporting and importing public key. */
6416 memset(&pubkey, 0, sizeof(pubkey));
6417 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
6418
6419 /* Verify negation changes the key and changes it back */
6420 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6421 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6422 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6423 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6424 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6425
6426 /* Verify private key import and export. */
6427 CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, testrand_bits(1) == 1));
6428 CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
6429 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6430
6431 /* Optionally tweak the keys using addition. */
6432 if (testrand_int(3) == 0) {
6433 int ret1;
6434 int ret2;
6435 unsigned char rnd[32];
6436 secp256k1_pubkey pubkey2;
6437 testrand256_test(rnd);
6438 ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
6439 ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
6440 CHECK(ret1 == ret2);
6441 if (ret1 == 0) {
6442 return;
6443 }
6444 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6445 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6446 }
6447
6448 /* Optionally tweak the keys using multiplication. */
6449 if (testrand_int(3) == 0) {
6450 int ret1;
6451 int ret2;
6452 unsigned char rnd[32];
6453 secp256k1_pubkey pubkey2;
6454 testrand256_test(rnd);
6455 ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
6456 ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
6457 CHECK(ret1 == ret2);
6458 if (ret1 == 0) {
6459 return;
6460 }
6461 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6462 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6463 }
6464
6465 /* Sign. */
6466 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
6467 CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
6468 CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
6469 extra[31] = 1;
6470 CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
6471 extra[31] = 0;
6472 extra[0] = 1;
6473 CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
6474 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6475 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6476 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6477 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6478 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6479 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6480 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6481 /* Verify. */
6482 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6483 CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
6484 CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
6485 CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
6486 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6487 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
6488 secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
6490 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6491 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
6492 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6493 CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6494 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6495 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6496 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6498 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6499 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6500 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6501 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6502
6503 /* Serialize/parse DER and verify again */
6504 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6505 memset(&signature[0], 0, sizeof(signature[0]));
6506 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
6507 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6508 /* Serialize/destroy/parse DER and verify again. */
6509 siglen = 74;
6510 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6511 sig[testrand_int(siglen)] += 1 + testrand_int(255);
6512 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
6513 secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
6514}
6515
6516static void test_random_pubkeys(void) {
6517 secp256k1_ge elem;
6518 secp256k1_ge elem2;
6519 unsigned char in[65];
6520 /* Generate some randomly sized pubkeys. */
6521 size_t len = testrand_bits(2) == 0 ? 65 : 33;
6522 if (testrand_bits(2) == 0) {
6523 len = testrand_bits(6);
6524 }
6525 if (len == 65) {
6526 in[0] = testrand_bits(1) ? 4 : (testrand_bits(1) ? 6 : 7);
6527 } else {
6528 in[0] = testrand_bits(1) ? 2 : 3;
6529 }
6530 if (testrand_bits(3) == 0) {
6531 in[0] = testrand_bits(8);
6532 }
6533 if (len > 1) {
6534 testrand256(&in[1]);
6535 }
6536 if (len > 33) {
6537 testrand256(&in[33]);
6538 }
6539 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6540 unsigned char out[65];
6541 unsigned char firstb;
6542 int res;
6543 size_t size = len;
6544 firstb = in[0];
6545 /* If the pubkey can be parsed, it should round-trip... */
6546 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6547 CHECK(size == len);
6548 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6549 /* ... except for the type of hybrid inputs. */
6550 if ((in[0] != 6) && (in[0] != 7)) {
6551 CHECK(in[0] == out[0]);
6552 }
6553 size = 65;
6554 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6555 CHECK(size == 65);
6556 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6557 CHECK(secp256k1_ge_eq_var(&elem2, &elem));
6558 /* Check that the X9.62 hybrid type is checked. */
6559 in[0] = testrand_bits(1) ? 6 : 7;
6560 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6561 if (firstb == 2 || firstb == 3) {
6562 if (in[0] == firstb + 4) {
6563 CHECK(res);
6564 } else {
6565 CHECK(!res);
6566 }
6567 }
6568 if (res) {
6569 CHECK(secp256k1_ge_eq_var(&elem, &elem2));
6570 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6571 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6572 }
6573 }
6574}
6575
6576static void run_pubkey_comparison(void) {
6577 unsigned char pk1_ser[33] = {
6578 0x02,
6579 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6580 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6581 };
6582 const unsigned char pk2_ser[33] = {
6583 0x02,
6584 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6585 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6586 };
6587 secp256k1_pubkey pk1;
6588 secp256k1_pubkey pk2;
6589
6590 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6591 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6592
6595 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6596 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6597 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
6598 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
6599 {
6600 secp256k1_pubkey pk_tmp;
6601 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6603 {
6604 int32_t ecount = 0;
6606 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
6607 CHECK(ecount == 2);
6609 }
6611 }
6612
6613 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6614 * an uncompressed encoding, these would have the opposite ordering */
6615 pk1_ser[0] = 3;
6616 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6617 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6618 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6619}
6620
6621static void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk) {
6622 size_t i;
6623 const secp256k1_pubkey *pk_test[5];
6624
6625 for (i = 0; i < n_pk; i++) {
6626 pk_test[i] = &pk[pk_order[i]];
6627 }
6628 secp256k1_ec_pubkey_sort(CTX, pk_test, n_pk);
6629 for (i = 0; i < n_pk; i++) {
6630 CHECK(secp256k1_memcmp_var(pk_test[i], &pk[i], sizeof(*pk_test[i])) == 0);
6631 }
6632}
6633
6634static void permute(size_t *arr, size_t n) {
6635 size_t i;
6636 for (i = n - 1; i >= 1; i--) {
6637 size_t tmp, j;
6638 j = testrand_int(i + 1);
6639 tmp = arr[i];
6640 arr[i] = arr[j];
6641 arr[j] = tmp;
6642 }
6643}
6644
6645static void test_sort_api(void) {
6646 secp256k1_pubkey pks[2];
6647 const secp256k1_pubkey *pks_ptr[2];
6648
6649 pks_ptr[0] = &pks[0];
6650 pks_ptr[1] = &pks[1];
6651
6654
6655 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1);
6657 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 0) == 1);
6658 /* Test illegal public keys */
6659 memset(&pks[0], 0, sizeof(pks[0]));
6661 memset(&pks[1], 0, sizeof(pks[1]));
6662 {
6663 int32_t ecount = 0;
6665 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1);
6666 CHECK(ecount == 2);
6668 }
6669}
6670
6671static void test_sort(void) {
6673 unsigned char pk_ser[5][33] = {
6674 { 0x02, 0x08 },
6675 { 0x02, 0x0b },
6676 { 0x02, 0x0c },
6677 { 0x03, 0x05 },
6678 { 0x03, 0x0a },
6679 };
6680 int i;
6681 size_t pk_order[5] = { 0, 1, 2, 3, 4 };
6682
6683 for (i = 0; i < 5; i++) {
6684 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk[i], pk_ser[i], sizeof(pk_ser[i])));
6685 }
6686
6687 permute(pk_order, 1);
6688 test_sort_helper(pk, pk_order, 1);
6689 permute(pk_order, 2);
6690 test_sort_helper(pk, pk_order, 2);
6691 permute(pk_order, 3);
6692 test_sort_helper(pk, pk_order, 3);
6693 for (i = 0; i < COUNT; i++) {
6694 permute(pk_order, 4);
6695 test_sort_helper(pk, pk_order, 4);
6696 }
6697 for (i = 0; i < COUNT; i++) {
6698 permute(pk_order, 5);
6699 test_sort_helper(pk, pk_order, 5);
6700 }
6701 /* Check that sorting also works for random pubkeys */
6702 for (i = 0; i < COUNT; i++) {
6703 int j;
6704 const secp256k1_pubkey *pk_ptr[5];
6705 for (j = 0; j < 5; j++) {
6707 pk_ptr[j] = &pk[j];
6708 }
6709 secp256k1_ec_pubkey_sort(CTX, pk_ptr, 5);
6710 for (j = 1; j < 5; j++) {
6711 CHECK(secp256k1_ec_pubkey_sort_cmp(&pk_ptr[j - 1], &pk_ptr[j], CTX) <= 0);
6712 }
6713 }
6714}
6715
6716/* Test vectors from BIP-MuSig2 */
6717static void test_sort_vectors(void) {
6718 enum { N_PUBKEYS = 6 };
6719 unsigned char pk_ser[N_PUBKEYS][33] = {
6720 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6721 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6722 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 },
6723 { 0x02, 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10, 0x49, 0x34,
6724 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29, 0xB5, 0x31, 0xC8, 0x45, 0x83,
6725 0x6F, 0x99, 0xB0, 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9 },
6726 { 0x03, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 0x36, 0x18,
6727 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2,
6728 0xDE, 0xCE, 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 },
6729 { 0x02, 0x35, 0x90, 0xA9, 0x4E, 0x76, 0x8F, 0x8E, 0x18, 0x15, 0xC2,
6730 0xF2, 0x4B, 0x4D, 0x80, 0xA8, 0xE3, 0x14, 0x93, 0x16, 0xC3, 0x51,
6731 0x8C, 0xE7, 0xB7, 0xAD, 0x33, 0x83, 0x68, 0xD0, 0x38, 0xCA, 0x66 },
6732 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6733 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6734 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xFF },
6735 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6736 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6737 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 }
6738 };
6739 secp256k1_pubkey pubkeys[N_PUBKEYS];
6740 secp256k1_pubkey *sorted[N_PUBKEYS];
6741 const secp256k1_pubkey *pks_ptr[N_PUBKEYS];
6742 int i;
6743
6744 sorted[0] = &pubkeys[3];
6745 sorted[1] = &pubkeys[0];
6746 sorted[2] = &pubkeys[0];
6747 sorted[3] = &pubkeys[4];
6748 sorted[4] = &pubkeys[1];
6749 sorted[5] = &pubkeys[2];
6750
6751 for (i = 0; i < N_PUBKEYS; i++) {
6752 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pk_ser[i], sizeof(pk_ser[i])));
6753 pks_ptr[i] = &pubkeys[i];
6754 }
6756 for (i = 0; i < N_PUBKEYS; i++) {
6757 CHECK(secp256k1_memcmp_var(pks_ptr[i], sorted[i], sizeof(secp256k1_pubkey)) == 0);
6758 }
6759}
6760
6761static void run_pubkey_sort(void) {
6762 test_sort_api();
6763 test_sort();
6765}
6766
6767
6768static void run_random_pubkeys(void) {
6769 int i;
6770 for (i = 0; i < 10*COUNT; i++) {
6772 }
6773}
6774
6775static void run_ecdsa_end_to_end(void) {
6776 int i;
6777 for (i = 0; i < 64*COUNT; i++) {
6779 }
6780}
6781
6782static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6783 static const unsigned char zeroes[32] = {0};
6784
6785 int ret = 0;
6786
6788 unsigned char roundtrip_der[2048];
6789 unsigned char compact_der[64];
6790 size_t len_der = 2048;
6791 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6792
6793 secp256k1_ecdsa_signature sig_der_lax;
6794 unsigned char roundtrip_der_lax[2048];
6795 unsigned char compact_der_lax[64];
6796 size_t len_der_lax = 2048;
6797 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6798
6799 parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
6800 if (parsed_der) {
6801 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
6802 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6803 }
6804 if (valid_der) {
6805 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
6806 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6807 }
6808
6809 parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
6810 if (parsed_der_lax) {
6811 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
6812 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6813 }
6814 if (valid_der_lax) {
6815 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6816 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6817 }
6818
6819 if (certainly_der) {
6820 ret |= (!parsed_der) << 2;
6821 }
6822 if (certainly_not_der) {
6823 ret |= (parsed_der) << 17;
6824 }
6825 if (valid_der) {
6826 ret |= (!roundtrips_der) << 3;
6827 }
6828
6829 if (valid_der) {
6830 ret |= (!roundtrips_der_lax) << 12;
6831 ret |= (len_der != len_der_lax) << 13;
6832 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6833 }
6834 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6835 if (parsed_der) {
6836 ret |= (!parsed_der_lax) << 16;
6837 }
6838
6839 return ret;
6840}
6841
6842static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6843 size_t i;
6844 for (i = 0; i < ptrlen; i++) {
6845 int shift = ptrlen - 1 - i;
6846 if (shift >= 4) {
6847 ptr[i] = 0;
6848 } else {
6849 ptr[i] = (val >> shift) & 0xFF;
6850 }
6851 }
6852}
6853
6854static void damage_array(unsigned char *sig, size_t *len) {
6855 int pos;
6856 int action = testrand_bits(3);
6857 if (action < 1 && *len > 3) {
6858 /* Delete a byte. */
6859 pos = testrand_int(*len);
6860 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6861 (*len)--;
6862 return;
6863 } else if (action < 2 && *len < 2048) {
6864 /* Insert a byte. */
6865 pos = testrand_int(1 + *len);
6866 memmove(sig + pos + 1, sig + pos, *len - pos);
6867 sig[pos] = testrand_bits(8);
6868 (*len)++;
6869 return;
6870 } else if (action < 4) {
6871 /* Modify a byte. */
6872 sig[testrand_int(*len)] += 1 + testrand_int(255);
6873 return;
6874 } else { /* action < 8 */
6875 /* Modify a bit. */
6876 sig[testrand_int(*len)] ^= 1 << testrand_bits(3);
6877 return;
6878 }
6879}
6880
6881static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6882 int der;
6883 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6884 size_t tlen, elen, glen;
6885 int indet;
6886 int n;
6887
6888 *len = 0;
6889 der = testrand_bits(2) == 0;
6890 *certainly_der = der;
6891 *certainly_not_der = 0;
6892 indet = der ? 0 : testrand_int(10) == 0;
6893
6894 for (n = 0; n < 2; n++) {
6895 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6896 nlow[n] = der ? 1 : (testrand_bits(3) != 0);
6897 /* The length of the number in bytes (the first byte of which will always be nonzero) */
6898 nlen[n] = nlow[n] ? testrand_int(33) : 32 + testrand_int(200) * testrand_bits(3) / 8;
6899 CHECK(nlen[n] <= 232);
6900 /* The top bit of the number. */
6901 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : testrand_bits(1));
6902 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6903 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + testrand_bits(7) : 1 + testrand_int(127));
6904 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6905 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? testrand_int(3) : testrand_int(300 - nlen[n]) * testrand_bits(3) / 8);
6906 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6907 *certainly_not_der = 1;
6908 }
6909 CHECK(nlen[n] + nzlen[n] <= 300);
6910 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6911 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6912 if (!der) {
6913 /* nlenlen[n] max 127 bytes */
6914 int add = testrand_int(127 - nlenlen[n]) * testrand_bits(4) * testrand_bits(4) / 256;
6915 nlenlen[n] += add;
6916 if (add != 0) {
6917 *certainly_not_der = 1;
6918 }
6919 }
6920 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6921 }
6922
6923 /* The total length of the data to go, so far */
6924 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6925 CHECK(tlen <= 856);
6926
6927 /* The length of the garbage inside the tuple. */
6928 elen = (der || indet) ? 0 : testrand_int(980 - tlen) * testrand_bits(3) / 8;
6929 if (elen != 0) {
6930 *certainly_not_der = 1;
6931 }
6932 tlen += elen;
6933 CHECK(tlen <= 980);
6934
6935 /* The length of the garbage after the end of the tuple. */
6936 glen = der ? 0 : testrand_int(990 - tlen) * testrand_bits(3) / 8;
6937 if (glen != 0) {
6938 *certainly_not_der = 1;
6939 }
6940 CHECK(tlen + glen <= 990);
6941
6942 /* Write the tuple header. */
6943 sig[(*len)++] = 0x30;
6944 if (indet) {
6945 /* Indeterminate length */
6946 sig[(*len)++] = 0x80;
6947 *certainly_not_der = 1;
6948 } else {
6949 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6950 if (!der) {
6951 int add = testrand_int(127 - tlenlen) * testrand_bits(4) * testrand_bits(4) / 256;
6952 tlenlen += add;
6953 if (add != 0) {
6954 *certainly_not_der = 1;
6955 }
6956 }
6957 if (tlenlen == 0) {
6958 /* Short length notation */
6959 sig[(*len)++] = tlen;
6960 } else {
6961 /* Long length notation */
6962 sig[(*len)++] = 128 + tlenlen;
6963 assign_big_endian(sig + *len, tlenlen, tlen);
6964 *len += tlenlen;
6965 }
6966 tlen += tlenlen;
6967 }
6968 tlen += 2;
6969 CHECK(tlen + glen <= 1119);
6970
6971 for (n = 0; n < 2; n++) {
6972 /* Write the integer header. */
6973 sig[(*len)++] = 0x02;
6974 if (nlenlen[n] == 0) {
6975 /* Short length notation */
6976 sig[(*len)++] = nlen[n] + nzlen[n];
6977 } else {
6978 /* Long length notation. */
6979 sig[(*len)++] = 128 + nlenlen[n];
6980 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6981 *len += nlenlen[n];
6982 }
6983 /* Write zero padding */
6984 while (nzlen[n] > 0) {
6985 sig[(*len)++] = 0x00;
6986 nzlen[n]--;
6987 }
6988 if (nlen[n] == 32 && !nlow[n]) {
6989 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6990 int i;
6991 for (i = 0; i < 16; i++) {
6992 sig[(*len)++] = 0xFF;
6993 }
6994 nlen[n] -= 16;
6995 }
6996 /* Write first byte of number */
6997 if (nlen[n] > 0) {
6998 sig[(*len)++] = nhbyte[n];
6999 nlen[n]--;
7000 }
7001 /* Generate remaining random bytes of number */
7002 testrand_bytes_test(sig + *len, nlen[n]);
7003 *len += nlen[n];
7004 nlen[n] = 0;
7005 }
7006
7007 /* Generate random garbage inside tuple. */
7008 testrand_bytes_test(sig + *len, elen);
7009 *len += elen;
7010
7011 /* Generate end-of-contents bytes. */
7012 if (indet) {
7013 sig[(*len)++] = 0;
7014 sig[(*len)++] = 0;
7015 tlen += 2;
7016 }
7017 CHECK(tlen + glen <= 1121);
7018
7019 /* Generate random garbage outside tuple. */
7020 testrand_bytes_test(sig + *len, glen);
7021 *len += glen;
7022 tlen += glen;
7023 CHECK(tlen <= 1121);
7024 CHECK(tlen == *len);
7025}
7026
7027static void run_ecdsa_der_parse(void) {
7028 int i,j;
7029 for (i = 0; i < 200 * COUNT; i++) {
7030 unsigned char buffer[2048];
7031 size_t buflen = 0;
7032 int certainly_der = 0;
7033 int certainly_not_der = 0;
7034 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
7035 CHECK(buflen <= 2048);
7036 for (j = 0; j < 16; j++) {
7037 int ret = 0;
7038 if (j > 0) {
7039 damage_array(buffer, &buflen);
7040 /* We don't know anything anymore about the DERness of the result */
7041 certainly_der = 0;
7042 certainly_not_der = 0;
7043 }
7044 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
7045 if (ret != 0) {
7046 size_t k;
7047 fprintf(stderr, "Failure %x on ", ret);
7048 for (k = 0; k < buflen; k++) {
7049 fprintf(stderr, "%02x ", buffer[k]);
7050 }
7051 fprintf(stderr, "\n");
7052 }
7053 CHECK(ret == 0);
7054 }
7055 }
7056}
7057
7058/* Tests several edge cases. */
7059static void test_ecdsa_edge_cases(void) {
7060 int t;
7062
7063 /* Test the case where ECDSA recomputes a point that is infinity. */
7064 {
7065 secp256k1_gej keyj;
7066 secp256k1_ge key;
7068 secp256k1_scalar sr, ss;
7070 secp256k1_scalar_negate(&ss, &ss);
7071 secp256k1_scalar_inverse(&ss, &ss);
7074 secp256k1_ge_set_gej(&key, &keyj);
7075 msg = ss;
7076 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7077 }
7078
7079 /* Verify signature with r of zero fails. */
7080 {
7081 const unsigned char pubkey_mods_zero[33] = {
7082 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7083 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7084 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7085 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7086 0x41
7087 };
7088 secp256k1_ge key;
7090 secp256k1_scalar sr, ss;
7094 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
7095 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
7096 }
7097
7098 /* Verify signature with s of zero fails. */
7099 {
7100 const unsigned char pubkey[33] = {
7101 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7102 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7103 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7104 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7105 0x01
7106 };
7107 secp256k1_ge key;
7109 secp256k1_scalar sr, ss;
7113 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7114 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7115 }
7116
7117 /* Verify signature with message 0 passes. */
7118 {
7119 const unsigned char pubkey[33] = {
7120 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7121 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7123 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7124 0x02
7125 };
7126 const unsigned char pubkey2[33] = {
7127 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7128 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7129 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7130 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7131 0x43
7132 };
7133 secp256k1_ge key;
7134 secp256k1_ge key2;
7136 secp256k1_scalar sr, ss;
7140 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7141 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7142 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7143 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7144 secp256k1_scalar_negate(&ss, &ss);
7145 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7146 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7148 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7149 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7150 }
7151
7152 /* Verify signature with message 1 passes. */
7153 {
7154 const unsigned char pubkey[33] = {
7155 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
7156 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
7157 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
7158 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
7159 0x25
7160 };
7161 const unsigned char pubkey2[33] = {
7162 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
7163 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
7164 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
7165 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
7166 0x62
7167 };
7168 const unsigned char csr[32] = {
7169 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7170 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7171 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7172 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
7173 };
7174 secp256k1_ge key;
7175 secp256k1_ge key2;
7177 secp256k1_scalar sr, ss;
7180 secp256k1_scalar_set_b32(&sr, csr, NULL);
7181 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7182 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7183 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7184 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7185 secp256k1_scalar_negate(&ss, &ss);
7186 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7187 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7190 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7191 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7192 }
7193
7194 /* Verify signature with message -1 passes. */
7195 {
7196 const unsigned char pubkey[33] = {
7197 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
7198 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
7199 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
7200 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
7201 0xf1
7202 };
7203 const unsigned char csr[32] = {
7204 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7205 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7206 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7207 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
7208 };
7209 secp256k1_ge key;
7211 secp256k1_scalar sr, ss;
7215 secp256k1_scalar_set_b32(&sr, csr, NULL);
7216 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7217 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7218 secp256k1_scalar_negate(&ss, &ss);
7219 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7222 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7223 }
7224
7225 /* Signature where s would be zero. */
7226 {
7227 secp256k1_pubkey pubkey;
7228 size_t siglen;
7229 unsigned char signature[72];
7230 static const unsigned char nonce[32] = {
7231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7232 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7233 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7235 };
7236 static const unsigned char nonce2[32] = {
7237 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
7238 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
7239 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
7240 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
7241 };
7242 const unsigned char key[32] = {
7243 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7244 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7245 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7246 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7247 };
7248 unsigned char msg[32] = {
7249 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
7250 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
7251 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
7252 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
7253 };
7255 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
7256 msg[31] = 0xaa;
7261 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
7262 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
7263 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey));
7264 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey));
7266 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
7268 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7269 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey));
7270 siglen = 72;
7273 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL));
7274 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
7275 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen));
7277 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
7278 siglen = 10;
7279 /* Too little room for a signature does not fail via ARGCHECK. */
7280 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
7287 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1);
7288 memset(signature, 255, 64);
7289 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0);
7290 }
7291
7292 /* Nonce function corner cases. */
7293 for (t = 0; t < 2; t++) {
7294 static const unsigned char zero[32] = {0x00};
7295 int i;
7296 unsigned char key[32];
7297 unsigned char msg[32];
7299 secp256k1_scalar sr[512], ss;
7300 const unsigned char *extra;
7301 extra = t == 0 ? NULL : zero;
7302 memset(msg, 0, 32);
7303 msg[31] = 1;
7304 /* High key results in signature failure. */
7305 memset(key, 0xFF, 32);
7306 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7308 /* Zero key results in signature failure. */
7309 memset(key, 0, 32);
7310 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7312 /* Nonce function failure results in signature failure. */
7313 key[31] = 1;
7314 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7316 /* The retry loop successfully makes its way to the first good value. */
7317 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7318 CHECK(!is_empty_signature(&sig));
7319 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7320 CHECK(!is_empty_signature(&sig2));
7321 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7322 /* The default nonce function is deterministic. */
7323 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7324 CHECK(!is_empty_signature(&sig2));
7325 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7326 /* The default nonce function changes output with different messages. */
7327 for(i = 0; i < 256; i++) {
7328 int j;
7329 msg[0] = i;
7330 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7331 CHECK(!is_empty_signature(&sig2));
7332 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7333 for (j = 0; j < i; j++) {
7334 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7335 }
7336 }
7337 msg[0] = 0;
7338 msg[31] = 2;
7339 /* The default nonce function changes output with different keys. */
7340 for(i = 256; i < 512; i++) {
7341 int j;
7342 key[0] = i - 256;
7343 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7344 CHECK(!is_empty_signature(&sig2));
7345 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7346 for (j = 0; j < i; j++) {
7347 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7348 }
7349 }
7350 key[0] = 0;
7351 }
7352
7353 {
7354 /* Check that optional nonce arguments do not have equivalent effect. */
7355 const unsigned char zeros[32] = {0};
7356 unsigned char nonce[32];
7357 unsigned char nonce2[32];
7358 unsigned char nonce3[32];
7359 unsigned char nonce4[32];
7361 SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
7362 SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
7363 SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
7364 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7366 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7367 SECP256K1_CHECKMEM_CHECK(nonce2,32);
7368 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7369 SECP256K1_CHECKMEM_CHECK(nonce3,32);
7370 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7371 SECP256K1_CHECKMEM_CHECK(nonce4,32);
7372 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7373 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7374 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7375 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7376 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7377 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7378 }
7379
7380
7381 /* Privkey export where pubkey is the point at infinity. */
7382 {
7383 unsigned char privkey[300];
7384 const unsigned char *seckey = secp256k1_group_order_bytes;
7385 size_t outlen = 300;
7386 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
7387 outlen = 300;
7388 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
7389 }
7390}
7391
7392static void run_ecdsa_edge_cases(void) {
7394}
7395
7400static void test_ecdsa_wycheproof(void) {
7402
7403 int t;
7405 secp256k1_ecdsa_signature signature;
7406 secp256k1_sha256 hasher;
7407 secp256k1_pubkey pubkey;
7408 const unsigned char *msg, *sig, *pk;
7409 unsigned char out[32] = {0};
7410 int actual_verify = 0;
7411
7412 memset(&pubkey, 0, sizeof(pubkey));
7414 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);
7415
7418 secp256k1_sha256_write(&hasher, msg, testvectors[t].msg_len);
7420
7421 sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset];
7422 if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
7423 actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
7424 }
7425 CHECK(testvectors[t].expected_verify == actual_verify);
7426 }
7427}
7428
7429/* Tests cases from Wycheproof test suite. */
7430static void run_ecdsa_wycheproof(void) {
7432}
7433
7434#ifdef ENABLE_MODULE_ECDH
7435# include "modules/ecdh/tests_impl.h"
7436#endif
7437
7438#ifdef ENABLE_MODULE_RECOVERY
7440#endif
7441
7442#ifdef ENABLE_MODULE_EXTRAKEYS
7444#endif
7445
7446#ifdef ENABLE_MODULE_SCHNORRSIG
7448#endif
7449
7450#ifdef ENABLE_MODULE_MUSIG
7452#endif
7453
7454#ifdef ENABLE_MODULE_ELLSWIFT
7456#endif
7457
7459 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7460 unsigned char buf2[sizeof(buf1)];
7461
7462 /* secp256k1_memczero(..., ..., 0) is a noop. */
7463 memcpy(buf2, buf1, sizeof(buf1));
7464 secp256k1_memczero(buf1, sizeof(buf1), 0);
7465 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7466
7467 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7468 memset(buf2, 0, sizeof(buf2));
7469 secp256k1_memczero(buf1, sizeof(buf1) , 1);
7470 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7471}
7472
7473
7475 unsigned char buf1[3] = {0, 1};
7476 unsigned char buf2[3] = {1, 0};
7477
7478 CHECK(secp256k1_is_zero_array(buf1, 0) == 1);
7479 CHECK(secp256k1_is_zero_array(buf1, 1) == 1);
7480 CHECK(secp256k1_is_zero_array(buf1, 2) == 0);
7481 CHECK(secp256k1_is_zero_array(buf2, 1) == 0);
7482 CHECK(secp256k1_is_zero_array(buf2, 2) == 0);
7483}
7484
7486 {
7487 const uint32_t x = 0xFF03AB45;
7488 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7489 unsigned char buf[4];
7490 uint32_t x_;
7491
7492 secp256k1_write_be32(buf, x);
7493 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7494
7495 x_ = secp256k1_read_be32(buf);
7496 CHECK(x == x_);
7497 }
7498
7499 {
7500 const uint64_t x = 0xCAFE0123BEEF4567;
7501 const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67};
7502 unsigned char buf[8];
7503 uint64_t x_;
7504
7505 secp256k1_write_be64(buf, x);
7506 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7507
7508 x_ = secp256k1_read_be64(buf);
7509 CHECK(x == x_);
7510 }
7511}
7512
7513static void int_cmov_test(void) {
7514 int r = INT_MAX;
7515 int a = 0;
7516
7517 secp256k1_int_cmov(&r, &a, 0);
7518 CHECK(r == INT_MAX);
7519
7520 r = 0; a = INT_MAX;
7521 secp256k1_int_cmov(&r, &a, 1);
7522 CHECK(r == INT_MAX);
7523
7524 a = 0;
7525 secp256k1_int_cmov(&r, &a, 1);
7526 CHECK(r == 0);
7527
7528 a = 1;
7529 secp256k1_int_cmov(&r, &a, 1);
7530 CHECK(r == 1);
7531
7532 r = 1; a = 0;
7533 secp256k1_int_cmov(&r, &a, 0);
7534 CHECK(r == 1);
7535
7536}
7537
7538static void fe_cmov_test(void) {
7539 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7540 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7541 static const secp256k1_fe max = SECP256K1_FE_CONST(
7542 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7543 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7544 );
7545 secp256k1_fe r = max;
7546 secp256k1_fe a = zero;
7547
7548 secp256k1_fe_cmov(&r, &a, 0);
7549 CHECK(fe_identical(&r, &max));
7550
7551 r = zero; a = max;
7552 secp256k1_fe_cmov(&r, &a, 1);
7553 CHECK(fe_identical(&r, &max));
7554
7555 a = zero;
7556 secp256k1_fe_cmov(&r, &a, 1);
7557 CHECK(fe_identical(&r, &zero));
7558
7559 a = one;
7560 secp256k1_fe_cmov(&r, &a, 1);
7561 CHECK(fe_identical(&r, &one));
7562
7563 r = one; a = zero;
7564 secp256k1_fe_cmov(&r, &a, 0);
7565 CHECK(fe_identical(&r, &one));
7566}
7567
7568static void fe_storage_cmov_test(void) {
7569 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7570 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7572 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7573 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7574 );
7575 secp256k1_fe_storage r = max;
7576 secp256k1_fe_storage a = zero;
7577
7578 secp256k1_fe_storage_cmov(&r, &a, 0);
7579 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7580
7581 r = zero; a = max;
7582 secp256k1_fe_storage_cmov(&r, &a, 1);
7583 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7584
7585 a = zero;
7586 secp256k1_fe_storage_cmov(&r, &a, 1);
7587 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7588
7589 a = one;
7590 secp256k1_fe_storage_cmov(&r, &a, 1);
7591 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7592
7593 r = one; a = zero;
7594 secp256k1_fe_storage_cmov(&r, &a, 0);
7595 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7596}
7597
7598static void scalar_cmov_test(void) {
7599 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7600 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
7601 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
7602 );
7603 secp256k1_scalar r = max;
7605
7606 secp256k1_scalar_cmov(&r, &a, 0);
7607 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7608
7609 r = secp256k1_scalar_zero; a = max;
7610 secp256k1_scalar_cmov(&r, &a, 1);
7611 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7612
7614 secp256k1_scalar_cmov(&r, &a, 1);
7615 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0);
7616
7618 secp256k1_scalar_cmov(&r, &a, 1);
7619 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7620
7622 secp256k1_scalar_cmov(&r, &a, 0);
7623 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7624}
7625
7626static void ge_storage_cmov_test(void) {
7627 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7628 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7630 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7631 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7632 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7633 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7634 );
7635 secp256k1_ge_storage r = max;
7636 secp256k1_ge_storage a = zero;
7637
7638 secp256k1_ge_storage_cmov(&r, &a, 0);
7639 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7640
7641 r = zero; a = max;
7642 secp256k1_ge_storage_cmov(&r, &a, 1);
7643 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7644
7645 a = zero;
7646 secp256k1_ge_storage_cmov(&r, &a, 1);
7647 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7648
7649 a = one;
7650 secp256k1_ge_storage_cmov(&r, &a, 1);
7651 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7652
7653 r = one; a = zero;
7654 secp256k1_ge_storage_cmov(&r, &a, 0);
7655 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7656}
7657
7658static void run_cmov_tests(void) {
7659 int_cmov_test();
7660 fe_cmov_test();
7664}
7665
7666/* --------------------------------------------------------- */
7667/* Test Registry */
7668/* --------------------------------------------------------- */
7669
7670/* --- Special test cases that must run before RNG initialization --- */
7671static const struct tf_test_entry tests_no_rng[] = {
7672 CASE(xoshiro256pp_tests),
7673};
7675
7676/* --- Standard test cases start here --- */
7677static const struct tf_test_entry tests_general[] = {
7678 CASE(selftest_tests),
7679 CASE(all_proper_context_tests),
7680 CASE(all_static_context_tests),
7681 CASE(deprecated_context_flags_test),
7682 CASE(scratch_tests),
7683};
7684
7685static const struct tf_test_entry tests_integer[] = {
7686#ifdef SECP256K1_WIDEMUL_INT128
7687 CASE(int128_tests),
7688#endif
7689 CASE(ctz_tests),
7690 CASE(modinv_tests),
7691 CASE(inverse_tests),
7692};
7693
7694static const struct tf_test_entry tests_hash[] = {
7695 CASE(sha256_known_output_tests),
7696 CASE(sha256_counter_tests),
7697 CASE(hmac_sha256_tests),
7698 CASE(rfc6979_hmac_sha256_tests),
7699 CASE(tagged_sha256_tests),
7700};
7701
7702static const struct tf_test_entry tests_scalar[] = {
7703 CASE(scalar_tests),
7704};
7705
7706static const struct tf_test_entry tests_field[] = {
7707 CASE(field_half),
7708 CASE(field_misc),
7709 CASE(field_convert),
7710 CASE(field_be32_overflow),
7711 CASE(fe_mul),
7712 CASE(sqr),
7713 CASE(sqrt),
7714};
7715
7716static const struct tf_test_entry tests_group[] = {
7717 CASE(ge),
7718 CASE(gej),
7719 CASE(group_decompress),
7720};
7721
7722static const struct tf_test_entry tests_ecmult[] = {
7723 CASE(ecmult_pre_g),
7724 CASE(wnaf),
7725 CASE(point_times_order),
7726 CASE(ecmult_near_split_bound),
7727 CASE(ecmult_chain),
7728 CASE(ecmult_constants),
7729 CASE(ecmult_gen_blind),
7730 CASE(ecmult_const_tests),
7731 CASE(ecmult_multi_tests),
7732 CASE(ec_combine),
7733};
7734
7735static const struct tf_test_entry tests_ec[] = {
7736 CASE(endomorphism_tests),
7737 CASE(ec_pubkey_parse_test),
7738 CASE(eckey_edge_case_test),
7739 CASE(eckey_negate_test),
7740};
7741
7742static const struct tf_test_entry tests_ecdsa[] = {
7743 CASE(ec_illegal_argument_tests),
7744 CASE(pubkey_comparison),
7745 CASE(pubkey_sort),
7746 CASE(random_pubkeys),
7747 CASE(ecdsa_der_parse),
7748 CASE(ecdsa_sign_verify),
7749 CASE(ecdsa_end_to_end),
7750 CASE(ecdsa_edge_cases),
7751 CASE(ecdsa_wycheproof),
7752};
7753
7754static const struct tf_test_entry tests_utils[] = {
7755 CASE(hsort_tests),
7756 CASE(secp256k1_memczero_test),
7757 CASE(secp256k1_is_zero_array_test),
7758 CASE(secp256k1_byteorder_tests),
7759 CASE(cmov_tests),
7760};
7761
7762/* Register test modules */
7763static const struct tf_test_module registry_modules[] = {
7764 MAKE_TEST_MODULE(general),
7765 MAKE_TEST_MODULE(integer),
7766 MAKE_TEST_MODULE(hash),
7767 MAKE_TEST_MODULE(scalar),
7768 MAKE_TEST_MODULE(field),
7770 MAKE_TEST_MODULE(ecmult),
7771 MAKE_TEST_MODULE(ec),
7772#ifdef ENABLE_MODULE_ECDH
7773 MAKE_TEST_MODULE(ecdh),
7774#endif
7775 MAKE_TEST_MODULE(ecdsa),
7776#ifdef ENABLE_MODULE_RECOVERY
7777 /* ECDSA pubkey recovery tests */
7778 MAKE_TEST_MODULE(recovery),
7779#endif
7780#ifdef ENABLE_MODULE_EXTRAKEYS
7781 MAKE_TEST_MODULE(extrakeys),
7782#endif
7783#ifdef ENABLE_MODULE_SCHNORRSIG
7784 MAKE_TEST_MODULE(schnorrsig),
7785#endif
7786#ifdef ENABLE_MODULE_MUSIG
7787 MAKE_TEST_MODULE(musig),
7788#endif
7789#ifdef ENABLE_MODULE_ELLSWIFT
7790 MAKE_TEST_MODULE(ellswift),
7791#endif
7792 MAKE_TEST_MODULE(utils),
7793};
7794
7795/* Setup test environment */
7796static int setup(void) {
7797 /* Create a global context available to all tests */
7799 /* Randomize the context only with probability 15/16
7800 to make sure we test without context randomization from time to time.
7801 TODO Reconsider this when recalibrating the tests. */
7802 if (testrand_bits(4)) {
7803 unsigned char rand32[32];
7804 testrand256(rand32);
7806 }
7807 /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
7808 that write to the context. The API does not support cloning the static context, so we use
7809 memcpy instead. The user is not supposed to copy a context but we should still ensure that
7810 the API functions handle copies of the static context gracefully. */
7811 STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
7812 CHECK(STATIC_CTX != NULL);
7815 return 0;
7816}
7817
7818/* Shutdown test environment */
7819static int teardown(void) {
7820 free(STATIC_CTX);
7822 return 0;
7823}
7824
7825int main(int argc, char **argv) {
7826 struct tf_framework tf = {0};
7828 tf.num_modules = sizeof(registry_modules) / sizeof(registry_modules[0]);
7830
7831 /* Add context creation/destruction functions */
7832 tf.fn_setup = setup;
7833 tf.fn_teardown = teardown;
7834
7835 /* Init and run framework */
7836 if (tf_init(&tf, argc, argv) != 0) return EXIT_FAILURE;
7837 return tf_run(&tf);
7838}
7839
static void pool cs
int ret
int flags
Definition: bitcoin-tx.cpp:529
#define SECP256K1_CHECKMEM_UNDEFINE(p, len)
Definition: checkmem.h:100
#define SECP256K1_CHECKMEM_CHECK(p, len)
Definition: checkmem.h:102
static const wycheproof_ecdh_testvector testvectors[SECP256K1_ECDH_WYCHEPROOF_NUMBER_TESTVECTORS]
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
static const unsigned char wycheproof_ecdsa_signatures[]
static const unsigned char wycheproof_ecdsa_public_keys[]
static const unsigned char wycheproof_ecdsa_messages[]
#define SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
static const secp256k1_scalar secp256k1_ecmult_const_K
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:610
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:727
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:406
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:421
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:162
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:361
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:581
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:718
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:788
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:648
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:806
volatile double sum
Definition: examples.cpp:10
#define N_PUBKEYS
Definition: tests_impl.h:252
#define secp256k1_fe_cmov
Definition: field.h:95
#define secp256k1_fe_negate(r, a, m)
Negate a field element.
Definition: field.h:211
#define secp256k1_fe_mul_int(r, a)
Multiply a field element with a small integer.
Definition: field.h:233
#define secp256k1_fe_normalizes_to_zero_var
Definition: field.h:82
#define secp256k1_fe_cmp_var
Definition: field.h:86
#define secp256k1_fe_normalize_weak
Definition: field.h:79
#define secp256k1_fe_is_odd
Definition: field.h:85
#define secp256k1_fe_mul
Definition: field.h:93
static const secp256k1_fe secp256k1_fe_one
Definition: field.h:68
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
#define secp256k1_fe_add
Definition: field.h:92
#define secp256k1_fe_normalize_var
Definition: field.h:80
#define secp256k1_fe_half
Definition: field.h:101
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p.
Definition: field.h:66
#define secp256k1_fe_to_storage
Definition: field.h:96
#define secp256k1_fe_inv_var
Definition: field.h:99
#define secp256k1_fe_is_zero
Definition: field.h:84
#define secp256k1_fe_set_b32_limit
Definition: field.h:88
#define secp256k1_fe_is_square_var
Definition: field.h:103
#define secp256k1_fe_get_bounds
Definition: field.h:100
#define secp256k1_fe_from_storage
Definition: field.h:97
#define secp256k1_fe_set_b32_mod
Definition: field.h:87
#define secp256k1_fe_negate_unchecked
Definition: field.h:90
#define secp256k1_fe_get_b32
Definition: field.h:89
#define secp256k1_fe_normalizes_to_zero
Definition: field.h:81
#define secp256k1_fe_inv
Definition: field.h:98
#define secp256k1_fe_sqr
Definition: field.h:94
#define secp256k1_fe_normalize
Definition: field.h:78
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
#define secp256k1_fe_add_int
Definition: field.h:102
#define secp256k1_fe_set_int
Definition: field.h:83
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:54
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
static int secp256k1_ge_eq_var(const secp256k1_ge *a, const secp256k1_ge *b)
Check two group elements (affine) for equality in variable time.
static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x)
Determine whether x is a valid X coordinate on the curve.
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
static void secp256k1_ge_to_bytes_ext(unsigned char *data, const secp256k1_ge *ge)
Convert a group element (that is allowed to be infinity) to a 64-byte array.
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static int secp256k1_gej_eq_ge_var(const secp256k1_gej *a, const secp256k1_ge *b)
Check two group elements (jacobian and affine) for equality in variable time.
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
static void secp256k1_ge_from_bytes_ext(secp256k1_ge *ge, const unsigned char *data)
Convert a 64-byte array into a group element.
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd)
Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static void secp256k1_ge_set_all_gej(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set group elements r[0:len] (affine) equal to group elements a[0:len] (jacobian).
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set group elements r[0:len] (affine) equal to group elements a[0:len] (jacobian).
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
static void secp256k1_ge_to_bytes(unsigned char *buf, const secp256k1_ge *a)
Convert a group element that is not infinity to a 64-byte array.
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static void secp256k1_ge_from_bytes(secp256k1_ge *r, const unsigned char *buf)
Convert a 64-byte array into group element.
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:72
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
static void secp256k1_hsort(void *ptr, size_t count, size_t size, int(*cmp)(const void *, const void *, void *), void *cmp_data)
static SECP256K1_INLINE void secp256k1_heap_swap(unsigned char *arr, size_t i, size_t j, size_t stride)
Definition: hsort_impl.h:34
int128_t secp256k1_int128
Definition: int128_native.h:17
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
unsigned int nonce
Definition: miner_tests.cpp:76
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static int sign(const secp256k1_context *ctx, struct signer_secrets *signer_secrets, struct signer *signer, const secp256k1_musig_keyagg_cache *cache, const unsigned char *msg32, unsigned char *sig64)
Definition: musig.c:106
static const auto ZERO
A stack consisting of a single zero-length element (interpreted as 0 by the script interpreter in num...
Definition: miniscript.h:331
Internal SHA-1 implementation.
Definition: sha1.cpp:16
static std::vector< std::string > split(const std::string &str, const std::string &delims=" \t")
Definition: subprocess.h:315
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
#define WINDOW_G
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:45
const char * prefix
Definition: rest.cpp:1117
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a)
Multiply a scalar with the multiplicative inverse of 2.
static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*2^128 = k.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits (1 < count <= 32) from a scalar.
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
static uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits (1 < count <= 32) from a scalar.
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:83
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:395
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:268
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:298
#define ALIGNMENT
Definition: util.h:176
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:102
static SECP256K1_INLINE int secp256k1_is_zero_array(const unsigned char *s, size_t len)
Definition: util.h:283
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:413
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:377
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:421
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char *p, uint64_t x)
Definition: util.h:441
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:97
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:366
#define VERIFY_CHECK(cond)
Definition: util.h:159
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:354
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char *p)
Definition: util.h:429
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:162
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:208
const secp256k1_context *const secp256k1_context_no_precomp
Definition: secp256k1.c:75
static void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Definition: secp256k1.c:228
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:82
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:359
static secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Definition: secp256k1.c:223
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:240
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:246
static int secp256k1_ec_pubkey_sort_cmp(const void *pk1, const void *pk2, void *ctx)
Definition: secp256k1.c:317
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:471
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:345
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:187
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:704
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:218
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:747
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:757
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:622
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:385
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:268
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:211
SECP256K1_API int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:637
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:291
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an elliptic curve secret key.
Definition: secp256k1.c:580
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:141
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:199
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:566
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:250
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:214
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:369
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:86
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:604
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:224
struct secp256k1_pubkey secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:450
SECP256K1_API int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:783
SECP256K1_API const secp256k1_context *const secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:245
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:431
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:163
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:687
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:225
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:406
struct secp256k1_ecdsa_signature secp256k1_ecdsa_signature
Opaque data structure that holds a parsed ECDSA signature.
SECP256K1_API int secp256k1_ec_pubkey_sort(const secp256k1_context *ctx, const secp256k1_pubkey **pubkeys, size_t n_pubkeys) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Sort public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:323
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:217
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:664
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:724
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:418
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:112
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:176
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:118
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:92
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:152
secp256k1_scalar * sc
Definition: tests.c:4653
secp256k1_ge * pt
Definition: tests.c:4654
void(* fn)(const char *text, void *data)
Definition: util.h:88
const void * data
Definition: util.h:89
secp256k1_callback illegal_callback
Definition: secp256k1.c:63
secp256k1_callback error_callback
Definition: secp256k1.c:64
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:62
Opaque data structure that holds a parsed ECDSA signature.
Definition: secp256k1.h:74
secp256k1_scalar scalar_offset
Definition: ecmult_gen.h:127
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
uint32_t n[10]
Definition: field_10x26.h:22
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
int infinity
Definition: group.h:19
secp256k1_fe x
Definition: group.h:17
secp256k1_fe y
Definition: group.h:18
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_fe y
Definition: group.h:30
secp256k1_fe x
Definition: group.h:29
int infinity
Definition: group.h:32
secp256k1_fe z
Definition: group.h:31
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
uint64_t bytes
Definition: hash.h:16
uint32_t s[8]
Definition: hash.h:14
size_t element_len
Definition: tests.c:3598
teardown_fn fn_teardown
Definition: unit_test.h:104
setup_ctx_fn fn_setup
Definition: unit_test.h:103
const struct tf_test_module * registry_no_rng
Definition: unit_test.h:101
const struct tf_test_module * registry_modules
Definition: unit_test.h:97
int num_modules
Definition: unit_test.h:99
Definition: unit_test.h:51
static void testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
static uint32_t testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
static SECP256K1_INLINE void testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
static void run_random_pubkeys(void)
Definition: tests.c:6768
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:71
static void run_all_proper_context_tests(void)
Definition: tests.c:359
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5272
static void run_inverse_tests(void)
Definition: tests.c:3328
static void counting_callback_fn(const char *str, void *data)
Definition: tests.c:82
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:864
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5699
static const struct tf_test_module registry_modules_no_rng
Definition: tests.c:7674
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6305
static void test_ge(void)
Definition: tests.c:3670
#define CHECK_ERROR_VOID(ctx, expr_or_stmt)
Definition: tests.c:69
static const struct tf_test_entry tests_field[]
Definition: tests.c:7706
static void run_pubkey_comparison(void)
Definition: tests.c:6576
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6332
static void run_field_misc(void)
Definition: tests.c:3012
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5609
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5766
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:190
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6298
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6348
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6356
#define SECP256K1_EC_PARSE_TEST_NINVALID
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4895
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:762
static const struct tf_test_entry tests_group[]
Definition: tests.c:7716
static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar *q, const secp256k1_gej *res)
Definition: tests.c:4526
static void test_sort(void)
Definition: tests.c:6671
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:79
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3649
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:125
static void run_tagged_sha256_tests(void)
Definition: tests.c:718
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:557
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5342
static int test_hsort_cmp(const void *ele1, const void *ele2, void *data)
Definition: tests.c:3602
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:45
static void test_fixed_wnaf_small(void)
Definition: tests.c:5352
int main(int argc, char **argv)
Definition: tests.c:7825
static void run_ecmult_const_tests(void)
Definition: tests.c:4643
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2956
#define SECP256K1_EC_PARSE_TEST_NVALID
static void run_eckey_edge_case_test(void)
Definition: tests.c:6051
static int teardown(void)
Definition: tests.c:7819
static void run_pubkey_sort(void)
Definition: tests.c:6761
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2844
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7485
static void run_ecmult_constants(void)
Definition: tests.c:5552
static void run_field_be32_overflow(void)
Definition: tests.c:2889
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:879
static void run_ecmult_chain(void)
Definition: tests.c:4253
static const struct tf_test_entry tests_utils[]
Definition: tests.c:7754
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3303
static void run_ec_combine(void)
Definition: tests.c:4126
static const struct tf_test_module registry_modules[]
Definition: tests.c:7763
static void run_deprecated_context_flags_test(void)
Definition: tests.c:141
static secp256k1_context * CTX
Definition: tests.c:42
static void run_point_times_order(void)
Definition: tests.c:4424
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6881
static void test_sort_vectors(void)
Definition: tests.c:6717
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:40
static void ecmult_const_commutativity(void)
Definition: tests.c:4472
static void int_cmov_test(void)
Definition: tests.c:7513
static const struct tf_test_entry tests_ecdsa[]
Definition: tests.c:7742
static void test_ge_bytes(void)
Definition: tests.c:4019
static void test_add_neg_y_diff_x(void)
Definition: tests.c:3959
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5433
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4312
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6842
static const struct tf_test_entry tests_ec[]
Definition: tests.c:7735
static void run_hmac_sha256_tests(void)
Definition: tests.c:633
static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2852
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5061
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:855
static void run_secp256k1_is_zero_array_test(void)
Definition: tests.c:7474
static const struct tf_test_entry tests_no_rng[]
Definition: tests.c:7671
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6380
static void run_field_half(void)
Definition: tests.c:2963
static void run_eckey_negate_test(void)
Definition: tests.c:6268
static void scalar_test(void)
Definition: tests.c:2024
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2179
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4672
static void run_hsort_tests(void)
Definition: tests.c:3639
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6340
static void test_hsort_is_sorted(unsigned char *elements, size_t n, size_t len)
Definition: tests.c:3589
static void run_gej(void)
Definition: tests.c:4065
static const struct tf_test_entry tests_integer[]
Definition: tests.c:7685
static void run_ge(void)
Definition: tests.c:4047
#define MAX_ELEMENT_LEN
Definition: tests.c:3609
static void ge_storage_cmov_test(void)
Definition: tests.c:7626
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3264
static void fe_storage_cmov_test(void)
Definition: tests.c:7568
static void test_ec_combine(void)
Definition: tests.c:4101
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5079
static void test_ecmult_gen_edge_cases(void)
Definition: tests.c:5623
static void test_sha256_tag_midstate(secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen)
Definition: tests.c:627
static void run_ctz_tests(void)
Definition: tests.c:435
static void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk)
Definition: tests.c:6621
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5099
static void run_scalar_tests(void)
Definition: tests.c:2196
static void test_random_pubkeys(void)
Definition: tests.c:6516
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4057
static void test_heap_swap(void)
Definition: tests.c:3576
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3212
static void scalar_cmov_test(void)
Definition: tests.c:7598
static const struct tf_test_entry tests_hash[]
Definition: tests.c:7694
static void run_ecmult_gen_blind(void)
Definition: tests.c:5641
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6385
static const struct tf_test_entry tests_ecmult[]
Definition: tests.c:7722
static void run_sha256_known_output_tests(void)
Definition: tests.c:456
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4374
#define NUM
Definition: tests.c:3608
#define CHECK_ERROR(ctx, expr)
Definition: tests.c:80
static void run_ecdsa_end_to_end(void)
Definition: tests.c:6775
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4657
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4562
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:237
static const struct tf_test_entry tests_general[]
Definition: tests.c:7677
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3119
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4133
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5465
static void run_cmov_tests(void)
Definition: tests.c:7658
static void permute(size_t *arr, size_t n)
Definition: tests.c:6634
static const struct tf_test_entry tests_scalar[]
Definition: tests.c:7702
static void test_initialized_inf(void)
Definition: tests.c:3927
static void run_ecdsa_der_parse(void)
Definition: tests.c:7027
static void ecmult_const_random_mult(void)
Definition: tests.c:4445
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5651
static void run_field_convert(void)
Definition: tests.c:2859
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6782
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:159
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7430
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5509
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5180
static void run_all_static_context_tests(void)
Definition: tests.c:231
static void run_sqrt(void)
Definition: tests.c:3226
static void run_modinv_tests(void)
Definition: tests.c:1060
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4351
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:846
static void run_xoshiro256pp_tests(void)
Definition: tests.c:91
static void run_wnaf(void)
Definition: tests.c:5406
static void run_ecmult_multi_tests(void)
Definition: tests.c:5245
static void run_selftest_tests(void)
Definition: tests.c:120
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1030
static void run_sqr(void)
Definition: tests.c:3183
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:132
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5132
static void run_endomorphism_tests(void)
Definition: tests.c:5678
static void run_scratch_tests(void)
Definition: tests.c:365
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7400
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4412
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7392
static void fe_cmov_test(void)
Definition: tests.c:7538
static void run_group_decompress(void)
Definition: tests.c:4168
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4493
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5425
static void ecmult_const_edges(void)
Definition: tests.c:4535
static void test_ecdsa_edge_cases(void)
Definition: tests.c:7059
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4617
static void run_ecmult_pre_g(void)
Definition: tests.c:4229
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4664
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:618
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4179
static void test_hsort(size_t element_len)
Definition: tests.c:3610
static void test_sort_api(void)
Definition: tests.c:6645
static int setup(void)
Definition: tests.c:7796
static secp256k1_context * STATIC_CTX
Definition: tests.c:43
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5306
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3281
static void test_ecmult_gen_blind(void)
Definition: tests.c:5586
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7458
static void run_fe_mul(void)
Definition: tests.c:3162
#define SECP256K1_EC_PARSE_TEST_NXVALID
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6854
static const secp256k1_fe fe_minus_one
Definition: tests.c:3269
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:677
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:745
static void testutil_random_fe_test(secp256k1_fe *x)
Definition: testutil.h:54
static void testutil_random_pubkey_test(secp256k1_pubkey *pk)
Definition: testutil.h:118
static void testutil_random_gej_y_magnitude(secp256k1_gej *gej)
Definition: testutil.h:82
static const unsigned char secp256k1_group_order_bytes[32]
Definition: testutil.h:15
static void testutil_random_fe_non_zero(secp256k1_fe *nz)
Definition: testutil.h:32
static void testutil_random_scalar_order(secp256k1_scalar *num)
Definition: testutil.h:137
static void testutil_random_gej_test(secp256k1_gej *gej)
Definition: testutil.h:112
static void testutil_random_scalar_order_test(secp256k1_scalar *num)
Definition: testutil.h:124
static void testutil_random_scalar_order_b32(unsigned char *b32)
Definition: testutil.h:150
static void testutil_random_fe(secp256k1_fe *x)
Definition: testutil.h:22
static void testutil_random_fe_non_zero_test(secp256k1_fe *fe)
Definition: testutil.h:64
static void testutil_random_gej_x_magnitude(secp256k1_gej *gej)
Definition: testutil.h:78
static void testutil_random_fe_magnitude(secp256k1_fe *fe, int m)
Definition: testutil.h:38
static void testutil_random_ge_x_magnitude(secp256k1_ge *ge)
Definition: testutil.h:70
static void testutil_random_gej_z_magnitude(secp256k1_gej *gej)
Definition: testutil.h:86
static void testutil_random_ge_test(secp256k1_ge *ge)
Definition: testutil.h:90
static void testutil_random_ge_y_magnitude(secp256k1_ge *ge)
Definition: testutil.h:74
static void testutil_random_ge_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: testutil.h:102
int COUNT
Definition: unit_test.c:23
static int tf_init(struct tf_framework *tf, int argc, char **argv)
Definition: unit_test.c:349
static int tf_run(struct tf_framework *tf)
Definition: unit_test.c:411
#define CASE(name)
Definition: unit_test.h:24
#define MAKE_TEST_MODULE(name)
Definition: unit_test.h:27
#define expect(bit)