Bitcoin Core  24.99.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <time.h>
16 
17 #include "secp256k1.c"
18 #include "../include/secp256k1.h"
19 #include "../include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
21 #include "util.h"
22 
23 #include "../contrib/lax_der_parsing.c"
24 #include "../contrib/lax_der_privatekey_parsing.c"
25 
26 #include "modinv32_impl.h"
27 #ifdef SECP256K1_WIDEMUL_INT128
28 #include "modinv64_impl.h"
29 #endif
30 
31 #define CONDITIONAL_TEST(cnt, nam) if (count < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
32 
33 static int count = 64;
34 static secp256k1_context *ctx = NULL;
35 
36 static void counting_illegal_callback_fn(const char* str, void* data) {
37  /* Dummy callback function that just counts. */
38  int32_t *p;
39  (void)str;
40  p = data;
41  (*p)++;
42 }
43 
44 static void uncounting_illegal_callback_fn(const char* str, void* data) {
45  /* Dummy callback function that just counts (backwards). */
46  int32_t *p;
47  (void)str;
48  p = data;
49  (*p)--;
50 }
51 
53  do {
54  unsigned char b32[32];
56  if (secp256k1_fe_set_b32(fe, b32)) {
57  break;
58  }
59  } while(1);
60 }
61 
63  secp256k1_fe zero;
64  int n = secp256k1_testrand_int(9);
66  if (n == 0) {
67  return;
68  }
69  secp256k1_fe_clear(&zero);
70  secp256k1_fe_negate(&zero, &zero, 0);
71  secp256k1_fe_mul_int(&zero, n - 1);
72  secp256k1_fe_add(fe, &zero);
73 #ifdef VERIFY
74  CHECK(fe->magnitude == n);
75 #endif
76 }
77 
79  secp256k1_fe fe;
80  do {
84  break;
85  }
86  } while(1);
87  ge->infinity = 0;
88 }
89 
91  secp256k1_fe z2, z3;
92  do {
94  if (!secp256k1_fe_is_zero(&gej->z)) {
95  break;
96  }
97  } while(1);
98  secp256k1_fe_sqr(&z2, &gej->z);
99  secp256k1_fe_mul(&z3, &z2, &gej->z);
100  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
101  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
102  gej->infinity = ge->infinity;
103 }
104 
106  secp256k1_ge ge;
109 }
110 
112  do {
113  unsigned char b32[32];
114  int overflow = 0;
116  secp256k1_scalar_set_b32(num, b32, &overflow);
117  if (overflow || secp256k1_scalar_is_zero(num)) {
118  continue;
119  }
120  break;
121  } while(1);
122 }
123 
125  do {
126  unsigned char b32[32];
127  int overflow = 0;
129  secp256k1_scalar_set_b32(num, b32, &overflow);
130  if (overflow || secp256k1_scalar_is_zero(num)) {
131  continue;
132  }
133  break;
134  } while(1);
135 }
136 
137 void random_scalar_order_b32(unsigned char *b32) {
138  secp256k1_scalar num;
139  random_scalar_order(&num);
140  secp256k1_scalar_get_b32(b32, &num);
141 }
142 
143 void run_context_tests(int use_prealloc) {
144  secp256k1_pubkey pubkey;
145  secp256k1_pubkey zero_pubkey;
147  unsigned char ctmp[32];
148  int32_t ecount;
149  int32_t ecount2;
150  secp256k1_context *none;
151  secp256k1_context *sign;
152  secp256k1_context *vrfy;
153  secp256k1_context *both;
154  secp256k1_context *sttc;
155  void *none_prealloc = NULL;
156  void *sign_prealloc = NULL;
157  void *vrfy_prealloc = NULL;
158  void *both_prealloc = NULL;
159  void *sttc_prealloc = NULL;
160 
161  secp256k1_gej pubj;
162  secp256k1_ge pub;
163  secp256k1_scalar msg, key, nonce;
164  secp256k1_scalar sigr, sigs;
165 
166  if (use_prealloc) {
172  CHECK(none_prealloc != NULL);
173  CHECK(sign_prealloc != NULL);
174  CHECK(vrfy_prealloc != NULL);
175  CHECK(both_prealloc != NULL);
176  CHECK(sttc_prealloc != NULL);
182  } else {
188  }
189 
190  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
191 
192  ecount = 0;
193  ecount2 = 10;
196  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
198  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
200 
201  /* check if sizes for cloning are consistent */
207 
208  /*** clone and destroy all of them to make sure cloning was complete ***/
209  {
210  secp256k1_context *ctx_tmp;
211 
212  if (use_prealloc) {
213  /* clone into a non-preallocated context and then again into a new preallocated one. */
214  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
215  free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
216  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
217 
218  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
219  free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
220  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
221 
222  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
223  free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
224  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
225 
226  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
227  free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
228  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
229  } else {
230  /* clone into a preallocated context and then again into a new non-preallocated one. */
231  void *prealloc_tmp;
232 
233  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
234  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
235  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
236  free(prealloc_tmp);
237 
238  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
239  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
240  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
241  free(prealloc_tmp);
242 
243  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
244  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
245  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
246  free(prealloc_tmp);
247 
248  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
249  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
250  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
251  free(prealloc_tmp);
252  }
253  }
254 
255  /* Verify that the error callback makes it across the clone. */
256  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
258  /* And that it resets back to default. */
259  secp256k1_context_set_error_callback(sign, NULL, NULL);
260  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
261 
262  /*** attempt to use them ***/
265  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
266  secp256k1_ge_set_gej(&pub, &pubj);
267 
268  /* Verify context-type checking illegal-argument errors. */
269  memset(ctmp, 1, 32);
270  CHECK(secp256k1_ec_pubkey_create(sttc, &pubkey, ctmp) == 0);
271  CHECK(ecount == 1);
272  VG_UNDEF(&pubkey, sizeof(pubkey));
273  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
274  VG_CHECK(&pubkey, sizeof(pubkey));
275  CHECK(secp256k1_ecdsa_sign(sttc, &sig, ctmp, ctmp, NULL, NULL) == 0);
276  CHECK(ecount == 2);
277  VG_UNDEF(&sig, sizeof(sig));
278  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
279  VG_CHECK(&sig, sizeof(sig));
280  CHECK(ecount2 == 10);
281  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 1);
282  CHECK(ecount2 == 10);
283  CHECK(secp256k1_ecdsa_verify(sttc, &sig, ctmp, &pubkey) == 1);
284  CHECK(ecount == 2);
285  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 1);
286  CHECK(ecount2 == 10);
287  CHECK(secp256k1_ec_pubkey_tweak_add(sttc, &pubkey, ctmp) == 1);
288  CHECK(ecount == 2);
289  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 1);
290  CHECK(ecount2 == 10);
291  CHECK(secp256k1_ec_pubkey_negate(sttc, &pubkey) == 1);
292  CHECK(ecount == 2);
293  CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
294  CHECK(ecount == 2);
295  CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
296  CHECK(ecount2 == 11);
297  CHECK(secp256k1_ec_pubkey_negate(sttc, &zero_pubkey) == 0);
298  CHECK(ecount == 3);
299  CHECK(secp256k1_ec_pubkey_tweak_mul(sttc, &pubkey, ctmp) == 1);
300  CHECK(ecount == 3);
301  CHECK(secp256k1_context_randomize(sttc, ctmp) == 1);
302  CHECK(ecount == 3);
303  CHECK(secp256k1_context_randomize(sttc, NULL) == 1);
304  CHECK(ecount == 3);
305  CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
306  CHECK(ecount2 == 11);
307  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
308  CHECK(ecount2 == 11);
309  secp256k1_context_set_illegal_callback(sttc, NULL, NULL);
310  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
311 
312  /* obtain a working nonce */
313  do {
315  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
316 
317  /* try signing */
318  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
319  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
320 
321  /* try verifying */
322  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
323  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
324 
325  /* cleanup */
326  if (use_prealloc) {
332  free(none_prealloc);
333  free(sign_prealloc);
334  free(vrfy_prealloc);
335  free(both_prealloc);
336  free(sttc_prealloc);
337  } else {
343  }
344  /* Defined as no-op. */
347 
348 }
349 
350 void run_scratch_tests(void) {
351  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
352 
353  int32_t ecount = 0;
354  size_t checkpoint;
355  size_t checkpoint_2;
357  secp256k1_scratch_space *scratch;
358  secp256k1_scratch_space local_scratch;
359 
360  /* Test public API */
363 
364  scratch = secp256k1_scratch_space_create(none, 1000);
365  CHECK(scratch != NULL);
366  CHECK(ecount == 0);
367 
368  /* Test internal API */
369  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
370  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
371  CHECK(scratch->alloc_size == 0);
372  CHECK(scratch->alloc_size % ALIGNMENT == 0);
373 
374  /* Allocating 500 bytes succeeds */
375  checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
376  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
377  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
378  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
379  CHECK(scratch->alloc_size != 0);
380  CHECK(scratch->alloc_size % ALIGNMENT == 0);
381 
382  /* Allocating another 501 bytes fails */
383  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
384  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
385  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
386  CHECK(scratch->alloc_size != 0);
387  CHECK(scratch->alloc_size % ALIGNMENT == 0);
388 
389  /* ...but it succeeds once we apply the checkpoint to undo it */
390  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
391  CHECK(scratch->alloc_size == 0);
392  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
393  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
394  CHECK(scratch->alloc_size != 0);
395 
396  /* try to apply a bad checkpoint */
397  checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
398  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
399  CHECK(ecount == 0);
400  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
401  CHECK(ecount == 1);
402  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
403  CHECK(ecount == 2);
404 
405  /* try to use badly initialized scratch space */
406  secp256k1_scratch_space_destroy(none, scratch);
407  memset(&local_scratch, 0, sizeof(local_scratch));
408  scratch = &local_scratch;
410  CHECK(ecount == 3);
411  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
412  CHECK(ecount == 4);
413  secp256k1_scratch_space_destroy(none, scratch);
414  CHECK(ecount == 5);
415 
416  /* Test that large integers do not wrap around in a bad way */
417  scratch = secp256k1_scratch_space_create(none, 1000);
418  /* Try max allocation with a large number of objects. Only makes sense if
419  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
420  * space. */
421  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
422  /* Try allocating SIZE_MAX to test wrap around which only happens if
423  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
424  * space is too small. */
425  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
426  secp256k1_scratch_space_destroy(none, scratch);
427 
428  /* cleanup */
429  secp256k1_scratch_space_destroy(none, NULL); /* no-op */
431 }
432 
433 void run_ctz_tests(void) {
434  static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
435  static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
436  int shift;
437  unsigned i;
438  for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
439  for (shift = 0; shift < 32; ++shift) {
440  CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
441  CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
442  }
443  }
444  for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
445  for (shift = 0; shift < 64; ++shift) {
446  CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
447  CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
448  }
449  }
450 }
451 
452 /***** HASH TESTS *****/
453 
455  static const char *inputs[] = {
456  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
457  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
458  "For this sample, this 63-byte string will be used as input data",
459  "This is exactly 64 bytes long, not counting the terminating byte",
460  "aaaaa",
461  };
462  static const unsigned int repeat[] = {
463  1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
464  };
465  static const unsigned char outputs[][32] = {
466  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
467  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
468  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
469  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
470  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
471  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
472  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
473  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
474  {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
475  };
476  unsigned int i, ninputs;
477 
478  /* Skip last input vector for low iteration counts */
479  ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
480  CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
481 
482  for (i = 0; i < ninputs; i++) {
483  unsigned char out[32];
484  secp256k1_sha256 hasher;
485  unsigned int j;
486  /* 1. Run: simply write the input bytestrings */
487  j = repeat[i];
489  while (j > 0) {
490  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
491  j--;
492  }
493  secp256k1_sha256_finalize(&hasher, out);
494  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
495  /* 2. Run: split the input bytestrings randomly before writing */
496  if (strlen(inputs[i]) > 0) {
497  int split = secp256k1_testrand_int(strlen(inputs[i]));
499  j = repeat[i];
500  while (j > 0) {
501  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
502  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
503  j--;
504  }
505  secp256k1_sha256_finalize(&hasher, out);
506  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
507  }
508  }
509 }
510 
556  static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
557  static const secp256k1_sha256 midstates[] = {
558  {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
559  {0x00}, 0xfffc0},
560  {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
561  {0x00}, 0x1fffc0},
562  {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
563  {0x00}, 0x3fffc0},
564  {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
565  {0x00}, 0x7fffc0},
566  {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
567  {0x00}, 0xffffc0},
568  {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
569  {0x00}, 0x1ffffc0},
570  {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
571  {0x00}, 0x3ffffc0},
572  {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
573  {0x00}, 0x7ffffc0},
574  {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
575  {0x00}, 0xfffffc0},
576  {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
577  {0x00}, 0x1fffffc0},
578  {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
579  {0x00}, 0x3fffffc0},
580  {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
581  {0x00}, 0x7fffffc0},
582  {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
583  {0x00}, 0xffffffc0},
584  {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
585  {0x00}, 0x1ffffffc0},
586  };
587  static const unsigned char outputs[][32] = {
588  {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
589  {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
590  {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
591  {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
592  {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
593  {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
594  {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
595  {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
596  {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
597  {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
598  {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
599  {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
600  {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
601  {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
602  };
603  unsigned int i;
604  for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
605  unsigned char out[32];
606  secp256k1_sha256 hasher = midstates[i];
607  secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
608  secp256k1_sha256_finalize(&hasher, out);
609  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
610  }
611 }
612 
614  static const char *keys[6] = {
615  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
616  "\x4a\x65\x66\x65",
617  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
618  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
619  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
620  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
621  };
622  static const char *inputs[6] = {
623  "\x48\x69\x20\x54\x68\x65\x72\x65",
624  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
625  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
626  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
627  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
628  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
629  };
630  static const unsigned char outputs[6][32] = {
631  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
632  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
633  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
634  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
635  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
636  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
637  };
638  int i;
639  for (i = 0; i < 6; i++) {
640  secp256k1_hmac_sha256 hasher;
641  unsigned char out[32];
642  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
643  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
644  secp256k1_hmac_sha256_finalize(&hasher, out);
645  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
646  if (strlen(inputs[i]) > 0) {
647  int split = secp256k1_testrand_int(strlen(inputs[i]));
648  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
649  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
650  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
651  secp256k1_hmac_sha256_finalize(&hasher, out);
652  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
653  }
654  }
655 }
656 
658  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
659  static const unsigned char out1[3][32] = {
660  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
661  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
662  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
663  };
664 
665  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
666  static const unsigned char out2[3][32] = {
667  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
668  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
669  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
670  };
671 
673  unsigned char out[32];
674  int i;
675 
677  for (i = 0; i < 3; i++) {
679  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
680  }
682 
684  for (i = 0; i < 3; i++) {
686  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
687  }
689 
691  for (i = 0; i < 3; i++) {
693  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
694  }
696 }
697 
699  int ecount = 0;
701  unsigned char tag[32] = { 0 };
702  unsigned char msg[32] = { 0 };
703  unsigned char hash32[32];
704  unsigned char hash_expected[32] = {
705  0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
706  0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
707  0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
708  0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
709  };
710 
712 
713  /* API test */
714  CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
715  CHECK(secp256k1_tagged_sha256(none, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
716  CHECK(ecount == 1);
717  CHECK(secp256k1_tagged_sha256(none, hash32, NULL, 0, msg, sizeof(msg)) == 0);
718  CHECK(ecount == 2);
719  CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), NULL, 0) == 0);
720  CHECK(ecount == 3);
721 
722  /* Static test vector */
723  memcpy(tag, "tag", 3);
724  memcpy(msg, "msg", 3);
725  CHECK(secp256k1_tagged_sha256(none, hash32, tag, 3, msg, 3) == 1);
726  CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
728 }
729 
730 /***** RANDOM TESTS *****/
731 
732 void test_rand_bits(int rand32, int bits) {
733  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
734  * get a false negative chance below once in a billion */
735  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
736  /* We try multiplying the results with various odd numbers, which shouldn't
737  * influence the uniform distribution modulo a power of 2. */
738  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
739  /* We only select up to 6 bits from the output to analyse */
740  unsigned int usebits = bits > 6 ? 6 : bits;
741  unsigned int maxshift = bits - usebits;
742  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
743  number, track all observed outcomes, one per bit in a uint64_t. */
744  uint64_t x[6][27] = {{0}};
745  unsigned int i, shift, m;
746  /* Multiply the output of all rand calls with the odd number m, which
747  should not change the uniformity of its distribution. */
748  for (i = 0; i < rounds[usebits]; i++) {
749  uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
750  CHECK((((uint64_t)r) >> bits) == 0);
751  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
752  uint32_t rm = r * mults[m];
753  for (shift = 0; shift <= maxshift; shift++) {
754  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
755  }
756  }
757  }
758  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
759  for (shift = 0; shift <= maxshift; shift++) {
760  /* Test that the lower usebits bits of x[shift] are 1 */
761  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
762  }
763  }
764 }
765 
766 /* Subrange must be a whole divisor of range, and at most 64 */
767 void test_rand_int(uint32_t range, uint32_t subrange) {
768  /* (1-1/subrange)^rounds < 1/10^9 */
769  int rounds = (subrange * 2073) / 100;
770  int i;
771  uint64_t x = 0;
772  CHECK((range % subrange) == 0);
773  for (i = 0; i < rounds; i++) {
774  uint32_t r = secp256k1_testrand_int(range);
775  CHECK(r < range);
776  r = r % subrange;
777  x |= (((uint64_t)1) << r);
778  }
779  /* Test that the lower subrange bits of x are 1. */
780  CHECK(((~x) << (64 - subrange)) == 0);
781 }
782 
783 void run_rand_bits(void) {
784  size_t b;
785  test_rand_bits(1, 32);
786  for (b = 1; b <= 32; b++) {
787  test_rand_bits(0, b);
788  }
789 }
790 
791 void run_rand_int(void) {
792  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
793  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
794  unsigned int m, s;
795  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
796  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
797  test_rand_int(ms[m] * ss[s], ss[s]);
798  }
799  }
800 }
801 
802 /***** MODINV TESTS *****/
803 
804 /* Compute the modular inverse of (odd) x mod 2^64. */
805 uint64_t modinv2p64(uint64_t x) {
806  /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
807  * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
808  * why. Start with L=0, for which it is true for every odd x that
809  * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
810  int l;
811  uint64_t w = 1;
812  CHECK(x & 1);
813  for (l = 0; l < 6; ++l) w *= (2 - w*x);
814  return w;
815 }
816 
817 /* compute out = (a*b) mod m; if b=NULL, treat b=1.
818  *
819  * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
820  * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
821 void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
822  uint16_t mul[32];
823  uint64_t c = 0;
824  int i, j;
825  int m_bitlen = 0;
826  int mul_bitlen = 0;
827 
828  if (b != NULL) {
829  /* Compute the product of a and b, and put it in mul. */
830  for (i = 0; i < 32; ++i) {
831  for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
832  c += (uint64_t)a[j] * b[i - j];
833  }
834  mul[i] = c & 0xFFFF;
835  c >>= 16;
836  }
837  CHECK(c == 0);
838 
839  /* compute the highest set bit in mul */
840  for (i = 511; i >= 0; --i) {
841  if ((mul[i >> 4] >> (i & 15)) & 1) {
842  mul_bitlen = i;
843  break;
844  }
845  }
846  } else {
847  /* if b==NULL, set mul=a. */
848  memcpy(mul, a, 32);
849  memset(mul + 16, 0, 32);
850  /* compute the highest set bit in mul */
851  for (i = 255; i >= 0; --i) {
852  if ((mul[i >> 4] >> (i & 15)) & 1) {
853  mul_bitlen = i;
854  break;
855  }
856  }
857  }
858 
859  /* Compute the highest set bit in m. */
860  for (i = 255; i >= 0; --i) {
861  if ((m[i >> 4] >> (i & 15)) & 1) {
862  m_bitlen = i;
863  break;
864  }
865  }
866 
867  /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
868  for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
869  uint16_t mul2[32];
870  int64_t cs;
871 
872  /* Compute mul2 = mul - m<<i. */
873  cs = 0; /* accumulator */
874  for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
875  /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
876  uint16_t sub = 0;
877  int p;
878  for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
879  int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
880  if (bitpos >= 0 && bitpos < 256) {
881  sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
882  }
883  }
884  /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
885  cs += mul[j];
886  cs -= sub;
887  mul2[j] = (cs & 0xFFFF);
888  cs >>= 16;
889  }
890  /* If remainder of subtraction is 0, set mul = mul2. */
891  if (cs == 0) {
892  memcpy(mul, mul2, sizeof(mul));
893  }
894  }
895  /* Sanity check: test that all limbs higher than m's highest are zero */
896  for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
897  CHECK(mul[i] == 0);
898  }
899  memcpy(out, mul, 32);
900 }
901 
902 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
903 void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
904  int i;
905  memset(out->v, 0, sizeof(out->v));
906  for (i = 0; i < 256; ++i) {
907  out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
908  }
909 }
910 
911 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
912 void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
913  int i;
914  memset(out, 0, 32);
915  for (i = 0; i < 256; ++i) {
916  out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
917  }
918 }
919 
920 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
922  int i;
923  for (i = 0; i < 16; ++i) {
924  int pos = secp256k1_testrand_bits(3);
925  if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
926  x->v[pos] -= 0x40000000;
927  x->v[pos + 1] += 1;
928  } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
929  x->v[pos] += 0x40000000;
930  x->v[pos + 1] -= 1;
931  }
932  }
933 }
934 
935 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
936 void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
937  uint16_t tmp[16];
940  int i, vartime, nonzero;
941 
942  uint16_to_signed30(&x, in);
943  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
944  uint16_to_signed30(&m.modulus, mod);
945  mutate_sign_signed30(&m.modulus);
946 
947  /* compute 1/modulus mod 2^30 */
948  m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
949  CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
950 
951  for (vartime = 0; vartime < 2; ++vartime) {
952  /* compute inverse */
953  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
954 
955  /* produce output */
956  signed30_to_uint16(out, &x);
957 
958  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
959  mulmod256(tmp, out, in, mod);
960  CHECK(tmp[0] == nonzero);
961  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
962 
963  /* invert again */
964  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
965 
966  /* check if the result is equal to the input */
967  signed30_to_uint16(tmp, &x);
968  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
969  }
970 }
971 
972 #ifdef SECP256K1_WIDEMUL_INT128
973 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
974 void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
975  int i;
976  memset(out->v, 0, sizeof(out->v));
977  for (i = 0; i < 256; ++i) {
978  out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
979  }
980 }
981 
982 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
983 void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
984  int i;
985  memset(out, 0, 32);
986  for (i = 0; i < 256; ++i) {
987  out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
988  }
989 }
990 
991 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
992 void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
993  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
994  int i;
995  for (i = 0; i < 8; ++i) {
996  int pos = secp256k1_testrand_bits(2);
997  if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
998  x->v[pos] -= (M62 + 1);
999  x->v[pos + 1] += 1;
1000  } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1001  x->v[pos] += (M62 + 1);
1002  x->v[pos + 1] -= 1;
1003  }
1004  }
1005 }
1006 
1007 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1008 void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1009  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1010  uint16_t tmp[16];
1013  int i, vartime, nonzero;
1014 
1015  uint16_to_signed62(&x, in);
1016  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1017  uint16_to_signed62(&m.modulus, mod);
1018  mutate_sign_signed62(&m.modulus);
1019 
1020  /* compute 1/modulus mod 2^62 */
1021  m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1022  CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1023 
1024  for (vartime = 0; vartime < 2; ++vartime) {
1025  /* compute inverse */
1026  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1027 
1028  /* produce output */
1029  signed62_to_uint16(out, &x);
1030 
1031  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1032  mulmod256(tmp, out, in, mod);
1033  CHECK(tmp[0] == nonzero);
1034  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1035 
1036  /* invert again */
1037  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1038 
1039  /* check if the result is equal to the input */
1040  signed62_to_uint16(tmp, &x);
1041  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1042  }
1043 }
1044 #endif
1045 
1046 /* test if a and b are coprime */
1047 int coprime(const uint16_t* a, const uint16_t* b) {
1048  uint16_t x[16], y[16], t[16];
1049  int i;
1050  int iszero;
1051  memcpy(x, a, 32);
1052  memcpy(y, b, 32);
1053 
1054  /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1055  while (1) {
1056  iszero = 1;
1057  for (i = 0; i < 16; ++i) {
1058  if (x[i] != 0) {
1059  iszero = 0;
1060  break;
1061  }
1062  }
1063  if (iszero) break;
1064  mulmod256(t, y, NULL, x);
1065  memcpy(y, x, 32);
1066  memcpy(x, t, 32);
1067  }
1068 
1069  /* return whether y=1 */
1070  if (y[0] != 1) return 0;
1071  for (i = 1; i < 16; ++i) {
1072  if (y[i] != 0) return 0;
1073  }
1074  return 1;
1075 }
1076 
1077 void run_modinv_tests(void) {
1078  /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1079  static const uint16_t CASES[][3][16] = {
1080  /* Test cases triggering edge cases in divsteps */
1081 
1082  /* Test case known to need 713 divsteps */
1083  {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1084  0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1085  {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1086  0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1087  {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1088  0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1089  /* Test case known to need 589 divsteps, reaching delta=-140 and
1090  delta=141. */
1091  {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1092  0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1093  {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1094  0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1095  {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1096  0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1097  /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1098  {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1099  0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1100  {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1101  0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1102  {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1103  0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1104  /* example needing 713 divsteps; delta=-2..3 */
1105  {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1106  0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1107  {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1108  0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1109  {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1110  0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1111  /* example needing 713 divsteps; delta=-2..3 */
1112  {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1113  0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1114  {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1115  0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1116  {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1117  0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1118  /* example needing 713 divsteps; delta=-2..3 */
1119  {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1120  0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1121  {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1122  0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1123  {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1124  0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1125  /* example reaching delta=-64..65; 661 divsteps */
1126  {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1127  0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1128  {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1129  0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1130  {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1131  0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1132  /* example reaching delta=-64..65; 661 divsteps */
1133  {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1134  0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1135  {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1136  0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1137  {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1138  0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1139  /* example reaching delta=-64..65; 661 divsteps */
1140  {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1141  0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1142  {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1143  0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1144  {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1145  0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1146  /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1147  {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1148  0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1149  {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1150  0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1151  {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1152  0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1153  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1154  {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1155  0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1156  {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1157  0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1158  {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1159  0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1160  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1161  {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1162  0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1163  {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1164  0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1165  {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1166  0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1167  /* example doing 446 (f,g/2) steps; 523 divsteps */
1168  {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1169  0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1170  {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1171  0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1172  {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1173  0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1174  /* example doing 446 (f,g/2) steps; 523 divsteps */
1175  {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1176  0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1177  {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1178  0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1179  {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1180  0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1181  /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1182  {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1183  0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1184  {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1185  0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1186  {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1187  0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1188  /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1189  {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1190  0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1191  {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1192  0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1193  {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1194  0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1195  /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1196  {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1197  0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1198  {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1199  0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1200  {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1201  0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1202  /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1203  {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1204  0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1205  {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1206  0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1207  {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1208  0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1209 
1210  /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1211 
1212  /* example needing 590 divsteps; delta=-5/2..7/2 */
1213  {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1214  0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1215  {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1216  0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1217  {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1218  0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1219  /* example needing 590 divsteps; delta=-3/2..5/2 */
1220  {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1221  0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1222  {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1223  0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1224  {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1225  0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1226  /* example needing 590 divsteps; delta=-3/2..5/2 */
1227  {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1228  0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1229  {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1230  0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1231  {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1232  0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1233  /* example needing 590 divsteps; delta=-5/2..7/2 */
1234  {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1235  0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1236  {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1237  0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1238  {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1239  0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1240  /* example needing 590 divsteps; delta=-3/2..5/2 */
1241  {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1242  0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1243  {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1244  0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1245  {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1246  0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1247  /* example reaching delta=-127/2..129/2; 571 divsteps */
1248  {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1249  0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1250  {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1251  0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1252  {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1253  0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1254  /* example reaching delta=-127/2..129/2; 571 divsteps */
1255  {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1256  0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1257  {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1258  0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1259  {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1260  0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1261  /* example reaching delta=-127/2..129/2; 571 divsteps */
1262  {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1263  0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1264  {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1265  0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1266  {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1267  0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1268  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1269  {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1270  0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1271  {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1272  0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1273  {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1274  0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1275  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1276  {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1277  0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1278  {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1279  0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1280  {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1281  0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1282  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1283  {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1284  0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1285  {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1286  0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1287  {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1288  0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1289  /* example doing 453 (f,g/2) steps; 514 divsteps */
1290  {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1291  0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1292  {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1293  0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1294  {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1295  0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1296  /* example doing 453 (f,g/2) steps; 514 divsteps */
1297  {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1298  0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1299  {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1300  0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1301  {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1302  0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1303  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1304  {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1305  0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1306  {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1307  0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1308  {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1309  0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1310  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1311  {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1312  0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1313  {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1314  0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1315  {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1316  0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1317  /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1318  {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1319  0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1320  {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1321  0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1322  {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1323  0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1324  /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1325  {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1326  0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1327  {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1328  0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1329  {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1330  0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1331 
1332  /* Test cases with the group order as modulus. */
1333 
1334  /* Test case with the group order as modulus, needing 635 divsteps. */
1335  {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1336  0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1337  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1338  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1339  {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1340  0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1341  /* example with group size as modulus needing 631 divsteps */
1342  {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1343  0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1344  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1345  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1346  {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1347  0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1348  /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1349  {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1350  0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1351  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1352  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1353  {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1354  0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1355  /* Test case with the group size as modulus, needing 981 divsteps with
1356  broken eta handling. */
1357  {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1358  0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1359  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1360  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1361  {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1362  0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1363  /* Test case with the group size as modulus, input = 0. */
1364  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1365  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1366  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1367  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1368  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1369  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1370  /* Test case with the group size as modulus, input = 1. */
1371  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1372  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1373  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1374  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1375  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1376  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1377  /* Test case with the group size as modulus, input = 2. */
1378  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1379  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1380  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1381  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1382  {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1383  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1384  /* Test case with the group size as modulus, input = group - 1. */
1385  {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1386  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1387  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1388  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1389  {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1390  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1391 
1392  /* Test cases with the field size as modulus. */
1393 
1394  /* Test case with the field size as modulus, needing 637 divsteps. */
1395  {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1396  0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1397  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1398  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1399  {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1400  0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1401  /* example with field size as modulus needing 637 divsteps */
1402  {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1403  0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1404  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1405  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1406  {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1407  0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1408  /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1409  {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1410  0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1411  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1412  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1413  {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1414  0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1415  /* Test case with the field size as modulus, needing 935 divsteps with
1416  broken eta handling. */
1417  {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1418  0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1419  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1420  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1421  {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1422  0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1423  /* Test case with the field size as modulus, input = 0. */
1424  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1425  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1426  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1427  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1428  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1429  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1430  /* Test case with the field size as modulus, input = 1. */
1431  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1432  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1433  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1434  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1435  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1436  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1437  /* Test case with the field size as modulus, input = 2. */
1438  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1439  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1440  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1441  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1442  {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1443  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1444  /* Test case with the field size as modulus, input = field - 1. */
1445  {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1446  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1447  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1448  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1449  {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1450  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1451 
1452  /* Selected from a large number of random inputs to reach small/large
1453  * d/e values in various configurations. */
1454  {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1455  0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1456  {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1457  0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1458  {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1459  0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1460  {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1461  0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1462  {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1463  0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1464  {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1465  0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1466  {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1467  0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1468  {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1469  0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1470  {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1471  0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1472  {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1473  0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1474  {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1475  0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1476  {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1477  0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1478  {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1479  0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1480  {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1481  0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1482  {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1483  0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1484  {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1485  0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1486  {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1487  0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1488  {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1489  0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1490  {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1491  0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1492  {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1493  0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1494  {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1495  0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1496  {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1497  0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1498  {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1499  0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1500  {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1501  0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1502  {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1503  0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1504  {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1505  0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1506  {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1507  0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1508  {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1509  0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1510  {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1511  0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1512  {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1513  0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1514  {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1515  0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1516  {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1517  0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1518  {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1519  0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1520  {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1521  0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1522  {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1523  0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1524  {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1525  0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1526  {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1527  0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1528  {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1529  0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1530  {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1531  0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1532  {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1533  0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1534  {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1535  0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1536  {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1537  0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1538  {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1539  0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1540  {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1541  0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1542  {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1543  0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1544  {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1545  0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1546  {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1547  0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1548  {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1549  0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1550  {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1551  0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1552  {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1553  0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1554  {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1555  0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1556  {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1557  0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1558  {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1559  0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1560  {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1561  0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1562  {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1563  0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1564  {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1565  0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1566  {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1567  0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1568  {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1569  0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1570  {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1571  0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1572  {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1573  0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1574  {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1575  0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1576  {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1577  0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1578  {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1579  0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1580  {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1581  0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1582  {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1583  0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1584  {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1585  0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1586  {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1587  0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1588  {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1589  0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1590  {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1591  0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1592  {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1593  0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1594  {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1595  0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1596  {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1597  0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1598  {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1599  0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1600  {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1601  0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1602  {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1603  0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1604  {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1605  0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1606  {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1607  0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1608  {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1609  0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1610  {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1611  0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1612  {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1613  0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1614  {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1615  0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1616  {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1617  0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1618  {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1619  0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1620  {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1621  0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1622  {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1623  0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1624  {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1625  0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1626  {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1627  0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1628  {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1629  0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1630  {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1631  0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1632  {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1633  0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1634  {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1635  0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1636  {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1637  0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1638  {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1639  0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1640  {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1641  0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1642  {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1643  0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1644  {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1645  0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1646  {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1647  0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1648  {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1649  0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1650  {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1651  0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1652  {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1653  0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1654  {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1655  0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1656  {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1657  0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1658  {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1659  0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1660  {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1661  0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1662  {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1663  0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1664  };
1665 
1666  int i, j, ok;
1667 
1668  /* Test known inputs/outputs */
1669  for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1670  uint16_t out[16];
1671  test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1672  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1673 #ifdef SECP256K1_WIDEMUL_INT128
1674  test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1675  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1676 #endif
1677  }
1678 
1679  for (i = 0; i < 100 * count; ++i) {
1680  /* 256-bit numbers in 16-uint16_t's notation */
1681  static const uint16_t ZERO[16] = {0};
1682  uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1683  uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1684  uint16_t id[16]; /* the inverse of xd mod md */
1685 
1686  /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1687  do {
1688  /* generate random xd and md (with many subsequent 0s and 1s) */
1689  secp256k1_testrand256_test((unsigned char*)xd);
1690  secp256k1_testrand256_test((unsigned char*)md);
1691  md[0] |= 1; /* modulus must be odd */
1692  /* If modulus is 1, find another one. */
1693  ok = md[0] != 1;
1694  for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1695  mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1696  } while (!(ok && coprime(xd, md)));
1697 
1698  test_modinv32_uint16(id, xd, md);
1699 #ifdef SECP256K1_WIDEMUL_INT128
1700  test_modinv64_uint16(id, xd, md);
1701 #endif
1702 
1703  /* In a few cases, also test with input=0 */
1704  if (i < count) {
1705  test_modinv32_uint16(id, ZERO, md);
1706 #ifdef SECP256K1_WIDEMUL_INT128
1707  test_modinv64_uint16(id, ZERO, md);
1708 #endif
1709  }
1710  }
1711 }
1712 
1713 /***** SCALAR TESTS *****/
1714 
1715 
1716 void scalar_test(void) {
1717  secp256k1_scalar s;
1718  secp256k1_scalar s1;
1719  secp256k1_scalar s2;
1720  unsigned char c[32];
1721 
1722  /* Set 's' to a random scalar, with value 'snum'. */
1724 
1725  /* Set 's1' to a random scalar, with value 's1num'. */
1727 
1728  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1730  secp256k1_scalar_get_b32(c, &s2);
1731 
1732  {
1733  int i;
1734  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1735  secp256k1_scalar n;
1736  secp256k1_scalar_set_int(&n, 0);
1737  for (i = 0; i < 256; i += 4) {
1739  int j;
1740  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1741  for (j = 0; j < 4; j++) {
1742  secp256k1_scalar_add(&n, &n, &n);
1743  }
1744  secp256k1_scalar_add(&n, &n, &t);
1745  }
1746  CHECK(secp256k1_scalar_eq(&n, &s));
1747  }
1748 
1749  {
1750  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1751  secp256k1_scalar n;
1752  int i = 0;
1753  secp256k1_scalar_set_int(&n, 0);
1754  while (i < 256) {
1756  int j;
1757  int now = secp256k1_testrand_int(15) + 1;
1758  if (now + i > 256) {
1759  now = 256 - i;
1760  }
1761  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1762  for (j = 0; j < now; j++) {
1763  secp256k1_scalar_add(&n, &n, &n);
1764  }
1765  secp256k1_scalar_add(&n, &n, &t);
1766  i += now;
1767  }
1768  CHECK(secp256k1_scalar_eq(&n, &s));
1769  }
1770 
1771  {
1772  /* test secp256k1_scalar_shr_int */
1773  secp256k1_scalar r;
1774  int i;
1776  for (i = 0; i < 100; ++i) {
1777  int low;
1778  int shift = 1 + secp256k1_testrand_int(15);
1779  int expected = r.d[0] % (1 << shift);
1780  low = secp256k1_scalar_shr_int(&r, shift);
1781  CHECK(expected == low);
1782  }
1783  }
1784 
1785  {
1786  /* Test commutativity of add. */
1787  secp256k1_scalar r1, r2;
1788  secp256k1_scalar_add(&r1, &s1, &s2);
1789  secp256k1_scalar_add(&r2, &s2, &s1);
1790  CHECK(secp256k1_scalar_eq(&r1, &r2));
1791  }
1792 
1793  {
1794  secp256k1_scalar r1, r2;
1795  secp256k1_scalar b;
1796  int i;
1797  /* Test add_bit. */
1798  int bit = secp256k1_testrand_bits(8);
1799  secp256k1_scalar_set_int(&b, 1);
1801  for (i = 0; i < bit; i++) {
1802  secp256k1_scalar_add(&b, &b, &b);
1803  }
1804  r1 = s1;
1805  r2 = s1;
1806  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1807  /* No overflow happened. */
1808  secp256k1_scalar_cadd_bit(&r2, bit, 1);
1809  CHECK(secp256k1_scalar_eq(&r1, &r2));
1810  /* cadd is a noop when flag is zero */
1811  secp256k1_scalar_cadd_bit(&r2, bit, 0);
1812  CHECK(secp256k1_scalar_eq(&r1, &r2));
1813  }
1814  }
1815 
1816  {
1817  /* Test commutativity of mul. */
1818  secp256k1_scalar r1, r2;
1819  secp256k1_scalar_mul(&r1, &s1, &s2);
1820  secp256k1_scalar_mul(&r2, &s2, &s1);
1821  CHECK(secp256k1_scalar_eq(&r1, &r2));
1822  }
1823 
1824  {
1825  /* Test associativity of add. */
1826  secp256k1_scalar r1, r2;
1827  secp256k1_scalar_add(&r1, &s1, &s2);
1828  secp256k1_scalar_add(&r1, &r1, &s);
1829  secp256k1_scalar_add(&r2, &s2, &s);
1830  secp256k1_scalar_add(&r2, &s1, &r2);
1831  CHECK(secp256k1_scalar_eq(&r1, &r2));
1832  }
1833 
1834  {
1835  /* Test associativity of mul. */
1836  secp256k1_scalar r1, r2;
1837  secp256k1_scalar_mul(&r1, &s1, &s2);
1838  secp256k1_scalar_mul(&r1, &r1, &s);
1839  secp256k1_scalar_mul(&r2, &s2, &s);
1840  secp256k1_scalar_mul(&r2, &s1, &r2);
1841  CHECK(secp256k1_scalar_eq(&r1, &r2));
1842  }
1843 
1844  {
1845  /* Test distributitivity of mul over add. */
1846  secp256k1_scalar r1, r2, t;
1847  secp256k1_scalar_add(&r1, &s1, &s2);
1848  secp256k1_scalar_mul(&r1, &r1, &s);
1849  secp256k1_scalar_mul(&r2, &s1, &s);
1850  secp256k1_scalar_mul(&t, &s2, &s);
1851  secp256k1_scalar_add(&r2, &r2, &t);
1852  CHECK(secp256k1_scalar_eq(&r1, &r2));
1853  }
1854 
1855  {
1856  /* Test multiplicative identity. */
1857  secp256k1_scalar r1, v1;
1858  secp256k1_scalar_set_int(&v1,1);
1859  secp256k1_scalar_mul(&r1, &s1, &v1);
1860  CHECK(secp256k1_scalar_eq(&r1, &s1));
1861  }
1862 
1863  {
1864  /* Test additive identity. */
1865  secp256k1_scalar r1, v0;
1866  secp256k1_scalar_set_int(&v0,0);
1867  secp256k1_scalar_add(&r1, &s1, &v0);
1868  CHECK(secp256k1_scalar_eq(&r1, &s1));
1869  }
1870 
1871  {
1872  /* Test zero product property. */
1873  secp256k1_scalar r1, v0;
1874  secp256k1_scalar_set_int(&v0,0);
1875  secp256k1_scalar_mul(&r1, &s1, &v0);
1876  CHECK(secp256k1_scalar_eq(&r1, &v0));
1877  }
1878 
1879 }
1880 
1882  unsigned char b32[32];
1883  secp256k1_scalar s1;
1884  secp256k1_scalar s2;
1885 
1886  /* Usually set_b32 and set_b32_seckey give the same result */
1888  secp256k1_scalar_set_b32(&s1, b32, NULL);
1889  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1890  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1891 
1892  memset(b32, 0, sizeof(b32));
1893  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1894  memset(b32, 0xFF, sizeof(b32));
1895  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1896 }
1897 
1898 void run_scalar_tests(void) {
1899  int i;
1900  for (i = 0; i < 128 * count; i++) {
1901  scalar_test();
1902  }
1903  for (i = 0; i < count; i++) {
1905  }
1906 
1907  {
1908  /* (-1)+1 should be zero. */
1909  secp256k1_scalar s, o;
1910  secp256k1_scalar_set_int(&s, 1);
1912  secp256k1_scalar_negate(&o, &s);
1913  secp256k1_scalar_add(&o, &o, &s);
1915  secp256k1_scalar_negate(&o, &o);
1917  }
1918 
1919  {
1920  /* Does check_overflow check catch all ones? */
1921  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1922  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1923  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1924  );
1925  CHECK(secp256k1_scalar_check_overflow(&overflowed));
1926  }
1927 
1928  {
1929  /* Static test vectors.
1930  * These were reduced from ~10^12 random vectors based on comparison-decision
1931  * and edge-case coverage on 32-bit and 64-bit implementations.
1932  * The responses were generated with Sage 5.9.
1933  */
1934  secp256k1_scalar x;
1935  secp256k1_scalar y;
1936  secp256k1_scalar z;
1937  secp256k1_scalar zz;
1938  secp256k1_scalar one;
1939  secp256k1_scalar r1;
1940  secp256k1_scalar r2;
1941  secp256k1_scalar zzv;
1942  int overflow;
1943  unsigned char chal[33][2][32] = {
1944  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1945  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1946  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1947  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1948  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1949  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1950  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1951  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1952  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1953  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1954  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1955  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1956  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1957  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1958  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1959  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1960  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1961  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1962  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1963  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1964  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1965  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1966  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1967  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1968  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1969  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1970  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1971  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1972  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1973  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1974  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1975  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1976  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1977  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1978  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1979  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1980  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1981  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1982  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1983  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1984  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1985  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1986  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1987  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1988  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1989  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1990  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1991  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1992  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1993  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1994  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1995  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1996  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1997  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1998  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1999  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2000  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2001  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2002  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2003  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2004  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2005  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2006  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2007  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2008  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2009  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2010  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2011  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2012  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2013  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2014  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2015  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2016  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2017  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2018  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2019  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2020  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2021  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2022  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2023  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2024  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2025  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2026  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2027  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2028  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2029  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2030  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2031  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2032  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2033  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2034  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2035  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2036  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2037  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2038  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2039  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2040  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2041  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2042  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2043  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2044  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2045  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2046  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2047  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2048  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2049  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2050  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2051  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2052  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2053  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2054  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2055  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2056  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2057  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2058  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2059  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2060  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2061  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2062  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2063  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2064  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2065  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2066  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2067  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2068  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2069  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2070  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2071  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2072  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2073  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2074  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2075  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2076  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2077  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2078  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2079  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2080  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2081  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2082  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2083  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2084  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2085  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2086  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2087  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2088  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2089  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2090  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2091  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2092  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2093  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2094  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2095  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2096  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2097  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2098  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2099  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2100  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2101  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2102  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2103  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2104  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2105  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2106  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2107  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2108  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2109  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2110  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2111  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2112  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2113  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2114  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2115  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2116  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2117  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2118  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2119  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2120  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2121  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2122  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2123  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2124  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2125  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2126  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2127  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2128  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2129  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2130  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2131  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2132  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2133  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2134  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2135  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2136  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2137  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2138  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2139  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2140  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2141  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2142  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2143  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2144  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2145  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2146  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2147  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2148  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2149  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2150  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2151  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2152  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2153  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2154  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2155  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2156  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2157  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2158  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2159  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2160  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2161  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2162  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2163  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2164  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2165  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2166  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2167  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2168  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2169  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2170  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2171  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2172  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2173  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2174  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2175  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2176  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2177  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2178  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2179  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2180  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2181  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2182  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2183  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2184  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2185  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2186  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2187  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2188  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2189  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2190  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2191  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2192  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2193  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2194  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2195  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2196  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2197  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2198  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2199  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2200  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2201  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2202  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2203  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2204  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2205  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2206  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2207  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2208  };
2209  unsigned char res[33][2][32] = {
2210  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2211  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2212  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2213  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2214  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2215  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2216  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2217  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2218  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2219  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2220  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2221  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2222  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2223  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2224  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2225  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2226  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2227  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2228  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2229  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2230  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2231  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2232  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2233  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2234  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2235  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2236  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2237  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2238  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2239  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2240  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2241  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2242  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2243  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2244  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2245  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2246  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2247  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2248  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2249  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2250  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2251  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2252  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2253  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2254  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2255  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2256  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2257  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2258  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2259  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2260  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2261  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2262  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2263  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2264  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2265  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2266  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2267  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2268  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2269  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2270  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2271  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2272  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2273  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2274  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2275  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2276  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2277  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2278  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2279  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2280  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2281  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2282  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2283  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2284  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2285  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2286  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2287  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2288  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2289  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2290  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2291  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2292  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2293  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2294  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2295  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2296  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2297  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2298  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2299  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2300  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2301  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2302  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2303  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2304  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2305  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2306  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2307  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2308  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2309  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2310  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2311  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2312  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2313  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2314  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2315  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2316  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2317  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2318  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2319  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2320  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2321  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2322  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2323  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2324  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2325  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2326  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2327  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2328  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2329  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2330  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2331  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2332  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2333  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2334  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2335  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2336  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2337  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2338  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2339  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2340  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2341  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2342  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2343  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2344  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2345  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2346  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2347  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2348  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2349  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2350  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2351  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2352  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2353  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2354  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2355  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2356  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2357  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2358  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2359  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2360  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2361  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2362  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2363  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2364  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2365  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2366  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2367  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2368  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2369  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2370  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2371  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2372  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2373  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2374  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2375  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2376  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2377  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2378  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2379  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2380  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2381  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2382  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2383  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2384  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2385  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2386  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2387  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2388  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2389  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2390  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2391  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2392  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2393  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2394  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2395  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2396  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2397  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2398  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2399  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2400  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2401  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2402  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2403  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2404  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2405  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2406  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2407  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2408  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2409  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2410  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2411  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2412  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2413  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2414  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2415  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2416  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2417  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2418  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2419  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2420  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2421  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2422  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2423  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2424  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2425  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2426  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2427  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2428  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2429  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2430  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2431  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2432  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2433  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2434  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2435  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2436  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2437  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2438  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2439  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2440  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2441  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2442  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2443  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2444  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2445  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2446  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2447  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2448  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2449  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2450  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2451  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2452  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2453  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2454  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2455  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2456  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2457  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2458  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2459  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2460  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2461  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2462  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2463  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2464  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2465  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2466  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2467  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2468  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2469  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2470  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2471  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2472  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2473  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2474  };
2475  secp256k1_scalar_set_int(&one, 1);
2476  for (i = 0; i < 33; i++) {
2477  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2478  CHECK(!overflow);
2479  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2480  CHECK(!overflow);
2481  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2482  CHECK(!overflow);
2483  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2484  CHECK(!overflow);
2485  secp256k1_scalar_mul(&z, &x, &y);
2487  CHECK(secp256k1_scalar_eq(&r1, &z));
2488  if (!secp256k1_scalar_is_zero(&y)) {
2489  secp256k1_scalar_inverse(&zz, &y);
2491  secp256k1_scalar_inverse_var(&zzv, &y);
2492  CHECK(secp256k1_scalar_eq(&zzv, &zz));
2493  secp256k1_scalar_mul(&z, &z, &zz);
2495  CHECK(secp256k1_scalar_eq(&x, &z));
2496  secp256k1_scalar_mul(&zz, &zz, &y);
2498  CHECK(secp256k1_scalar_eq(&one, &zz));
2499  }
2500  }
2501  }
2502 }
2503 
2504 /***** FIELD TESTS *****/
2505 
2507  unsigned char bin[32];
2508  do {
2509  secp256k1_testrand256(bin);
2510  if (secp256k1_fe_set_b32(x, bin)) {
2511  return;
2512  }
2513  } while(1);
2514 }
2515 
2517  unsigned char bin[32];
2518  do {
2520  if (secp256k1_fe_set_b32(x, bin)) {
2521  return;
2522  }
2523  } while(1);
2524 }
2525 
2527  int tries = 10;
2528  while (--tries >= 0) {
2529  random_fe(nz);
2531  if (!secp256k1_fe_is_zero(nz)) {
2532  break;
2533  }
2534  }
2535  /* Infinitesimal probability of spurious failure here */
2536  CHECK(tries >= 0);
2537 }
2538 
2540  secp256k1_fe r;
2541  random_fe_non_zero(ns);
2542  if (secp256k1_fe_sqrt(&r, ns)) {
2543  secp256k1_fe_negate(ns, ns, 1);
2544  }
2545 }
2546 
2547 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2548  secp256k1_fe an = *a;
2549  secp256k1_fe bn = *b;
2552  return secp256k1_fe_equal_var(&an, &bn);
2553 }
2554 
2555 void run_field_convert(void) {
2556  static const unsigned char b32[32] = {
2557  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2558  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2559  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2560  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2561  };
2563  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2564  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2565  );
2566  static const secp256k1_fe fe = SECP256K1_FE_CONST(
2567  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2568  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2569  );
2570  secp256k1_fe fe2;
2571  unsigned char b322[32];
2572  secp256k1_fe_storage fes2;
2573  /* Check conversions to fe. */
2574  CHECK(secp256k1_fe_set_b32(&fe2, b32));
2575  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2576  secp256k1_fe_from_storage(&fe2, &fes);
2577  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2578  /* Check conversion from fe. */
2579  secp256k1_fe_get_b32(b322, &fe);
2580  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2581  secp256k1_fe_to_storage(&fes2, &fe);
2582  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2583 }
2584 
2585 /* Returns true if two field elements have the same representation. */
2586 int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
2587  int ret = 1;
2588 #ifdef VERIFY
2589  ret &= (a->magnitude == b->magnitude);
2590  ret &= (a->normalized == b->normalized);
2591 #endif
2592  /* Compare the struct member that holds the limbs. */
2593  ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
2594  return ret;
2595 }
2596 
2597 void run_field_half(void) {
2598  secp256k1_fe t, u;
2599  int m;
2600 
2601  /* Check magnitude 0 input */
2603  secp256k1_fe_half(&t);
2604 #ifdef VERIFY
2605  CHECK(t.magnitude == 1);
2606  CHECK(t.normalized == 0);
2607 #endif
2609 
2610  /* Check non-zero magnitudes in the supported range */
2611  for (m = 1; m < 32; m++) {
2612  /* Check max-value input */
2614 
2615  u = t;
2616  secp256k1_fe_half(&u);
2617 #ifdef VERIFY
2618  CHECK(u.magnitude == (m >> 1) + 1);
2619  CHECK(u.normalized == 0);
2620 #endif
2622  secp256k1_fe_add(&u, &u);
2623  CHECK(check_fe_equal(&t, &u));
2624 
2625  /* Check worst-case input: ensure the LSB is 1 so that P will be added,
2626  * which will also cause all carries to be 1, since all limbs that can
2627  * generate a carry are initially even and all limbs of P are odd in
2628  * every existing field implementation. */
2630  CHECK(t.n[0] > 0);
2631  CHECK((t.n[0] & 1) == 0);
2632  --t.n[0];
2633 
2634  u = t;
2635  secp256k1_fe_half(&u);
2636 #ifdef VERIFY
2637  CHECK(u.magnitude == (m >> 1) + 1);
2638  CHECK(u.normalized == 0);
2639 #endif
2641  secp256k1_fe_add(&u, &u);
2642  CHECK(check_fe_equal(&t, &u));
2643  }
2644 }
2645 
2646 void run_field_misc(void) {
2647  secp256k1_fe x;
2648  secp256k1_fe y;
2649  secp256k1_fe z;
2650  secp256k1_fe q;
2651  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2652  int i, j;
2653  for (i = 0; i < 1000 * count; i++) {
2654  secp256k1_fe_storage xs, ys, zs;
2655  if (i & 1) {
2656  random_fe(&x);
2657  } else {
2658  random_fe_test(&x);
2659  }
2660  random_fe_non_zero(&y);
2661  /* Test the fe equality and comparison operations. */
2662  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
2663  CHECK(secp256k1_fe_equal_var(&x, &x));
2664  z = x;
2665  secp256k1_fe_add(&z,&y);
2666  /* Test fe conditional move; z is not normalized here. */
2667  q = x;
2668  secp256k1_fe_cmov(&x, &z, 0);
2669 #ifdef VERIFY
2670  CHECK(x.normalized && x.magnitude == 1);
2671 #endif
2672  secp256k1_fe_cmov(&x, &x, 1);
2673  CHECK(!fe_identical(&x, &z));
2674  CHECK(fe_identical(&x, &q));
2675  secp256k1_fe_cmov(&q, &z, 1);
2676 #ifdef VERIFY
2677  CHECK(!q.normalized && q.magnitude == z.magnitude);
2678 #endif
2679  CHECK(fe_identical(&q, &z));
2682  CHECK(!secp256k1_fe_equal_var(&x, &z));
2684  secp256k1_fe_cmov(&q, &z, (i&1));
2685 #ifdef VERIFY
2686  CHECK(q.normalized && q.magnitude == 1);
2687 #endif
2688  for (j = 0; j < 6; j++) {
2689  secp256k1_fe_negate(&z, &z, j+1);
2691  secp256k1_fe_cmov(&q, &z, (j&1));
2692 #ifdef VERIFY
2693  CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2694 #endif
2695  }
2697  /* Test storage conversion and conditional moves. */
2698  secp256k1_fe_to_storage(&xs, &x);
2699  secp256k1_fe_to_storage(&ys, &y);
2700  secp256k1_fe_to_storage(&zs, &z);
2701  secp256k1_fe_storage_cmov(&zs, &xs, 0);
2702  secp256k1_fe_storage_cmov(&zs, &zs, 1);
2703  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2704  secp256k1_fe_storage_cmov(&ys, &xs, 1);
2705  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2706  secp256k1_fe_from_storage(&x, &xs);
2707  secp256k1_fe_from_storage(&y, &ys);
2708  secp256k1_fe_from_storage(&z, &zs);
2709  /* Test that mul_int, mul, and add agree. */
2710  secp256k1_fe_add(&y, &x);
2711  secp256k1_fe_add(&y, &x);
2712  z = x;
2713  secp256k1_fe_mul_int(&z, 3);
2714  CHECK(check_fe_equal(&y, &z));
2715  secp256k1_fe_add(&y, &x);
2716  secp256k1_fe_add(&z, &x);
2717  CHECK(check_fe_equal(&z, &y));
2718  z = x;
2719  secp256k1_fe_mul_int(&z, 5);
2720  secp256k1_fe_mul(&q, &x, &fe5);
2721  CHECK(check_fe_equal(&z, &q));
2722  secp256k1_fe_negate(&x, &x, 1);
2723  secp256k1_fe_add(&z, &x);
2724  secp256k1_fe_add(&q, &x);
2725  CHECK(check_fe_equal(&y, &z));
2726  CHECK(check_fe_equal(&q, &y));
2727  /* Check secp256k1_fe_half. */
2728  z = x;
2729  secp256k1_fe_half(&z);
2730  secp256k1_fe_add(&z, &z);
2731  CHECK(check_fe_equal(&x, &z));
2732  secp256k1_fe_add(&z, &z);
2733  secp256k1_fe_half(&z);
2734  CHECK(check_fe_equal(&x, &z));
2735  }
2736 }
2737 
2738 void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
2739 {
2740  secp256k1_fe c, an, bn;
2741  /* Variables in BE 32-byte format. */
2742  unsigned char a32[32], b32[32], c32[32];
2743  /* Variables in LE 16x uint16_t format. */
2744  uint16_t a16[16], b16[16], c16[16];
2745  /* Field modulus in LE 16x uint16_t format. */
2746  static const uint16_t m16[16] = {
2747  0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2748  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2749  };
2750  uint16_t t16[32];
2751  int i;
2752 
2753  /* Compute C = A * B in fe format. */
2754  c = *a;
2755  if (use_sqr) {
2756  secp256k1_fe_sqr(&c, &c);
2757  } else {
2758  secp256k1_fe_mul(&c, &c, b);
2759  }
2760 
2761  /* Convert A, B, C into LE 16x uint16_t format. */
2762  an = *a;
2763  bn = *b;
2767  secp256k1_fe_get_b32(a32, &an);
2768  secp256k1_fe_get_b32(b32, &bn);
2769  secp256k1_fe_get_b32(c32, &c);
2770  for (i = 0; i < 16; ++i) {
2771  a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
2772  b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
2773  c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
2774  }
2775  /* Compute T = A * B in LE 16x uint16_t format. */
2776  mulmod256(t16, a16, b16, m16);
2777  /* Compare */
2778  CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
2779 }
2780 
2781 void run_fe_mul(void) {
2782  int i;
2783  for (i = 0; i < 100 * count; ++i) {
2784  secp256k1_fe a, b, c, d;
2785  random_fe(&a);
2787  random_fe(&b);
2789  random_fe_test(&c);
2791  random_fe_test(&d);
2793  test_fe_mul(&a, &a, 1);
2794  test_fe_mul(&c, &c, 1);
2795  test_fe_mul(&a, &b, 0);
2796  test_fe_mul(&a, &c, 0);
2797  test_fe_mul(&c, &b, 0);
2798  test_fe_mul(&c, &d, 0);
2799  }
2800 }
2801 
2802 void run_sqr(void) {
2803  secp256k1_fe x, s;
2804 
2805  {
2806  int i;
2807  secp256k1_fe_set_int(&x, 1);
2808  secp256k1_fe_negate(&x, &x, 1);
2809 
2810  for (i = 1; i <= 512; ++i) {
2811  secp256k1_fe_mul_int(&x, 2);
2813  secp256k1_fe_sqr(&s, &x);
2814  }
2815  }
2816 }
2817 
2818 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2819  secp256k1_fe r1, r2;
2820  int v = secp256k1_fe_sqrt(&r1, a);
2821  CHECK((v == 0) == (k == NULL));
2822 
2823  if (k != NULL) {
2824  /* Check that the returned root is +/- the given known answer */
2825  secp256k1_fe_negate(&r2, &r1, 1);
2826  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2829  }
2830 }
2831 
2832 void run_sqrt(void) {
2833  secp256k1_fe ns, x, s, t;
2834  int i;
2835 
2836  /* Check sqrt(0) is 0 */
2837  secp256k1_fe_set_int(&x, 0);
2838  secp256k1_fe_sqr(&s, &x);
2839  test_sqrt(&s, &x);
2840 
2841  /* Check sqrt of small squares (and their negatives) */
2842  for (i = 1; i <= 100; i++) {
2843  secp256k1_fe_set_int(&x, i);
2844  secp256k1_fe_sqr(&s, &x);
2845  test_sqrt(&s, &x);
2846  secp256k1_fe_negate(&t, &s, 1);
2847  test_sqrt(&t, NULL);
2848  }
2849 
2850  /* Consistency checks for large random values */
2851  for (i = 0; i < 10; i++) {
2852  int j;
2853  random_fe_non_square(&ns);
2854  for (j = 0; j < count; j++) {
2855  random_fe(&x);
2856  secp256k1_fe_sqr(&s, &x);
2857  test_sqrt(&s, &x);
2858  secp256k1_fe_negate(&t, &s, 1);
2859  test_sqrt(&t, NULL);
2860  secp256k1_fe_mul(&t, &s, &ns);
2861  test_sqrt(&t, NULL);
2862  }
2863  }
2864 }
2865 
2866 /***** FIELD/SCALAR INVERSE TESTS *****/
2867 
2869  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2870  0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2871 );
2872 
2874  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2875  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2876 );
2877 
2878 /* These tests test the following identities:
2879  *
2880  * for x==0: 1/x == 0
2881  * for x!=0: x*(1/x) == 1
2882  * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2883  */
2884 
2886 {
2887  secp256k1_scalar l, r, t;
2888 
2889  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
2890  if (out) *out = l;
2891  if (secp256k1_scalar_is_zero(x)) {
2893  return;
2894  }
2895  secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
2896  CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
2897  secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2898  if (secp256k1_scalar_is_zero(&r)) return;
2899  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
2900  secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2901  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
2902  secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
2903  secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2904  CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
2905 }
2906 
2907 void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
2908 {
2909  secp256k1_fe l, r, t;
2910 
2911  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
2912  if (out) *out = l;
2913  t = *x; /* t = x */
2916  return;
2917  }
2918  secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
2919  secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
2920  CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
2921  r = *x; /* r = x */
2922  secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
2923  if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
2924  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
2925  secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
2926  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
2927  secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
2928  secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2929  CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
2930 }
2931 
2933 {
2934  /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
2935  static const secp256k1_fe fe_cases[][2] = {
2936  /* 0 */
2937  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2938  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2939  /* 1 */
2940  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2941  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2942  /* -1 */
2943  {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
2944  SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
2945  /* 2 */
2946  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2947  SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
2948  /* 2**128 */
2949  {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2950  SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
2951  /* Input known to need 637 divsteps */
2952  {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
2953  SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
2954  /* Input known to need 567 divsteps starting with delta=1/2. */
2955  {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
2956  SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
2957  /* Input known to need 566 divsteps starting with delta=1/2. */
2958  {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
2959  SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
2960  /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
2961  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
2962  SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
2963  {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
2964  SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
2965  {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
2966  SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
2967  {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
2968  SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
2969  {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
2970  SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
2971  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
2972  SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
2973  {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
2974  SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
2975  {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
2976  SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
2977  {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
2978  SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
2979  {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
2980  SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
2981  /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
2982  {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
2983  SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
2984  {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
2985  SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
2986  {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
2987  SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
2988  {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
2989  SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
2990  {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
2991  SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
2992  {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
2993  SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
2994  {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
2995  SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
2996  {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
2997  SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
2998  {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
2999  SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3000  {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3001  SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3002  {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3003  SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3004  {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3005  SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3006  {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3007  SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3008  {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3009  SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3010  {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3011  SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3012  {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3013  SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3014  {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3015  SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3016  {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3017  SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3018  {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3019  SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3020  {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3021  SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3022  {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3023  SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3024  {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3025  SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3026  {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3027  SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3028  {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3029  SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3030  {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3031  SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3032  {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3033  SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3034  {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3035  SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3036  {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3037  SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3038  };
3039  /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3040  static const secp256k1_scalar scalar_cases[][2] = {
3041  /* 0 */
3042  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3043  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3044  /* 1 */
3045  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3046  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3047  /* -1 */
3048  {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3049  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3050  /* 2 */
3051  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3052  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3053  /* 2**128 */
3054  {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3055  SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3056  /* Input known to need 635 divsteps */
3057  {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3058  SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3059  /* Input known to need 566 divsteps starting with delta=1/2. */
3060  {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3061  SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3062  /* Input known to need 565 divsteps starting with delta=1/2. */
3063  {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3064  SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3065  /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3066  {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3067  SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3068  {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3069  SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3070  {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3071  SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3072  {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3073  SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3074  {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3075  SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3076  {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3077  SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3078  {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3079  SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3080  {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3081  SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3082  {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3083  SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3084  {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3085  SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3086  {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3087  SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3088  {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3089  SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3090  {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3091  SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3092  {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3093  SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3094  {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3095  SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3096  {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3097  SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3098  {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3099  SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3100  {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3101  SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3102  {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3103  SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3104  {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3105  SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3106  {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3107  SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3108  {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3109  SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3110  {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3111  SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3112  {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3113  SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3114  {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3115  SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3116  {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3117  SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3118  {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3119  SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3120  {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3121  SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3122  {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3123  SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3124  };
3125  int i, var, testrand;
3126  unsigned char b32[32];
3127  secp256k1_fe x_fe;
3128  secp256k1_scalar x_scalar;
3129  memset(b32, 0, sizeof(b32));
3130  /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3131  for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3132  for (var = 0; var <= 1; ++var) {
3133  test_inverse_field(&x_fe, &fe_cases[i][0], var);
3134  check_fe_equal(&x_fe, &fe_cases[i][1]);
3135  test_inverse_field(&x_fe, &fe_cases[i][1], var);
3136  check_fe_equal(&x_fe, &fe_cases[i][0]);
3137  }
3138  }
3139  for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3140  for (var = 0; var <= 1; ++var) {
3141  test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3142  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3143  test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3144  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3145  }
3146  }
3147  /* Test inputs 0..999 and their respective negations. */
3148  for (i = 0; i < 1000; ++i) {
3149  b32[31] = i & 0xff;
3150  b32[30] = (i >> 8) & 0xff;
3151  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3152  secp256k1_fe_set_b32(&x_fe, b32);
3153  for (var = 0; var <= 1; ++var) {
3154  test_inverse_scalar(NULL, &x_scalar, var);
3155  test_inverse_field(NULL, &x_fe, var);
3156  }
3157  secp256k1_scalar_negate(&x_scalar, &x_scalar);
3158  secp256k1_fe_negate(&x_fe, &x_fe, 1);
3159  for (var = 0; var <= 1; ++var) {
3160  test_inverse_scalar(NULL, &x_scalar, var);
3161  test_inverse_field(NULL, &x_fe, var);
3162  }
3163  }
3164  /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3165  for (testrand = 0; testrand <= 1; ++testrand) {
3166  for (i = 0; i < 64 * count; ++i) {
3168  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3169  secp256k1_fe_set_b32(&x_fe, b32);
3170  for (var = 0; var <= 1; ++var) {
3171  test_inverse_scalar(NULL, &x_scalar, var);
3172  test_inverse_field(NULL, &x_fe, var);
3173  }
3174  }
3175  }
3176 }
3177 
3178 /***** GROUP TESTS *****/
3179 
3180 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
3181  CHECK(a->infinity == b->infinity);
3182  if (a->infinity) {
3183  return;
3184  }
3185  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
3186  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
3187 }
3188 
3189 /* This compares jacobian points including their Z, not just their geometric meaning. */
3191  secp256k1_gej a2;
3192  secp256k1_gej b2;
3193  int ret = 1;
3194  ret &= a->infinity == b->infinity;
3195  if (ret && !a->infinity) {
3196  a2 = *a;
3197  b2 = *b;
3204  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3205  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3206  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3207  }
3208  return ret;
3209 }
3210 
3211 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
3212  secp256k1_fe z2s;
3213  secp256k1_fe u1, u2, s1, s2;
3214  CHECK(a->infinity == b->infinity);
3215  if (a->infinity) {
3216  return;
3217  }
3218  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
3219  secp256k1_fe_sqr(&z2s, &b->z);
3220  secp256k1_fe_mul(&u1, &a->x, &z2s);
3221  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
3222  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
3223  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
3224  CHECK(secp256k1_fe_equal_var(&u1, &u2));
3225  CHECK(secp256k1_fe_equal_var(&s1, &s2));
3226 }
3227 
3228 void test_ge(void) {
3229  int i, i1;
3230  int runs = 6;
3231  /* 25 points are used:
3232  * - infinity
3233  * - for each of four random points p1 p2 p3 p4, we add the point, its
3234  * negation, and then those two again but with randomized Z coordinate.
3235  * - The same is then done for lambda*p1 and lambda^2*p1.
3236  */
3237  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3238  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3239  secp256k1_fe zf;
3240  secp256k1_fe zfi2, zfi3;
3241 
3242  secp256k1_gej_set_infinity(&gej[0]);
3243  secp256k1_ge_clear(&ge[0]);
3244  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3245  for (i = 0; i < runs; i++) {
3246  int j;
3247  secp256k1_ge g;
3249  if (i >= runs - 2) {
3250  secp256k1_ge_mul_lambda(&g, &ge[1]);
3251  }
3252  if (i >= runs - 1) {
3254  }
3255  ge[1 + 4 * i] = g;
3256  ge[2 + 4 * i] = g;
3257  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3258  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3259  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3260  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3261  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3262  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3263  for (j = 0; j < 4; j++) {
3264  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
3265  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
3266  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
3267  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
3268  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
3269  }
3270  }
3271 
3272  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3273  do {
3275  } while(secp256k1_fe_is_zero(&zf));
3277  secp256k1_fe_inv_var(&zfi3, &zf);
3278  secp256k1_fe_sqr(&zfi2, &zfi3);
3279  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3280 
3281  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3282  int i2;
3283  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3284  /* Compute reference result using gej + gej (var). */
3285  secp256k1_gej refj, resj;
3286  secp256k1_ge ref;
3287  secp256k1_fe zr;
3288  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3289  /* Check Z ratio. */
3290  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3291  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3292  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
3293  }
3294  secp256k1_ge_set_gej_var(&ref, &refj);
3295 
3296  /* Test gej + ge with Z ratio result (var). */
3297  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3298  ge_equals_gej(&ref, &resj);
3299  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3300  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3301  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
3302  }
3303 
3304  /* Test gej + ge (var, with additional Z factor). */
3305  {
3306  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3307  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3308  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3311  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3312  ge_equals_gej(&ref, &resj);
3313  }
3314 
3315  /* Test gej + ge (const). */
3316  if (i2 != 0) {
3317  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3318  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3319  ge_equals_gej(&ref, &resj);
3320  }
3321 
3322  /* Test doubling (var). */
3323  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3324  secp256k1_fe zr2;
3325  /* Normal doubling with Z ratio result. */
3326  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3327  ge_equals_gej(&ref, &resj);
3328  /* Check Z ratio. */
3329  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3330  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
3331  /* Normal doubling. */
3332  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3333  ge_equals_gej(&ref, &resj);
3334  /* Constant-time doubling. */
3335  secp256k1_gej_double(&resj, &gej[i2]);
3336  ge_equals_gej(&ref, &resj);
3337  }
3338 
3339  /* Test adding opposites. */
3340  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3342  }
3343 
3344  /* Test adding infinity. */
3345  if (i1 == 0) {
3346  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3347  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3348  ge_equals_gej(&ref, &gej[i2]);
3349  }
3350  if (i2 == 0) {
3351  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3352  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3353  ge_equals_gej(&ref, &gej[i1]);
3354  }
3355  }
3356  }
3357 
3358  /* Test adding all points together in random order equals infinity. */
3359  {
3361  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3362  for (i = 0; i < 4 * runs + 1; i++) {
3363  gej_shuffled[i] = gej[i];
3364  }
3365  for (i = 0; i < 4 * runs + 1; i++) {
3366  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3367  if (swap != i) {
3368  secp256k1_gej t = gej_shuffled[i];
3369  gej_shuffled[i] = gej_shuffled[swap];
3370  gej_shuffled[swap] = t;
3371  }
3372  }
3373  for (i = 0; i < 4 * runs + 1; i++) {
3374  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3375  }
3377  free(gej_shuffled);
3378  }
3379 
3380  /* Test batch gej -> ge conversion without known z ratios. */
3381  {
3382  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3383  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3384  for (i = 0; i < 4 * runs + 1; i++) {
3385  secp256k1_fe s;
3386  random_fe_non_zero(&s);
3387  secp256k1_gej_rescale(&gej[i], &s);
3388  ge_equals_gej(&ge_set_all[i], &gej[i]);
3389  }
3390  free(ge_set_all);
3391  }
3392 
3393  /* Test batch gej -> ge conversion with many infinities. */
3394  for (i = 0; i < 4 * runs + 1; i++) {
3395  int odd;
3396  random_group_element_test(&ge[i]);
3397  odd = secp256k1_fe_is_odd(&ge[i].x);
3398  CHECK(odd == 0 || odd == 1);
3399  /* randomly set half the points to infinity */
3400  if (odd == i % 2) {
3401  secp256k1_ge_set_infinity(&ge[i]);
3402  }
3403  secp256k1_gej_set_ge(&gej[i], &ge[i]);
3404  }
3405  /* batch convert */
3406  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3407  /* check result */
3408  for (i = 0; i < 4 * runs + 1; i++) {
3409  ge_equals_gej(&ge[i], &gej[i]);
3410  }
3411 
3412  /* Test batch gej -> ge conversion with all infinities. */
3413  for (i = 0; i < 4 * runs + 1; i++) {
3414  secp256k1_gej_set_infinity(&gej[i]);
3415  }
3416  /* batch convert */
3417  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3418  /* check result */
3419  for (i = 0; i < 4 * runs + 1; i++) {
3421  }
3422 
3423  free(ge);
3424  free(gej);
3425 }
3426 
3427 
3429  secp256k1_ge p;
3430  secp256k1_gej pj, npj, infj1, infj2, infj3;
3431  secp256k1_fe zinv;
3432 
3433  /* Test that adding P+(-P) results in a fully initialized infinity*/
3435  secp256k1_gej_set_ge(&pj, &p);
3436  secp256k1_gej_neg(&npj, &pj);
3437 
3438  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3440  CHECK(secp256k1_fe_is_zero(&infj1.x));
3441  CHECK(secp256k1_fe_is_zero(&infj1.y));
3442  CHECK(secp256k1_fe_is_zero(&infj1.z));
3443 
3444  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3446  CHECK(secp256k1_fe_is_zero(&infj2.x));
3447  CHECK(secp256k1_fe_is_zero(&infj2.y));
3448  CHECK(secp256k1_fe_is_zero(&infj2.z));
3449 
3450  secp256k1_fe_set_int(&zinv, 1);
3451  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3453  CHECK(secp256k1_fe_is_zero(&infj3.x));
3454  CHECK(secp256k1_fe_is_zero(&infj3.y));
3455  CHECK(secp256k1_fe_is_zero(&infj3.z));
3456 
3457 
3458 }
3459 
3461  /* The point of this test is to check that we can add two points
3462  * whose y-coordinates are negatives of each other but whose x
3463  * coordinates differ. If the x-coordinates were the same, these
3464  * points would be negatives of each other and their sum is
3465  * infinity. This is cool because it "covers up" any degeneracy
3466  * in the addition algorithm that would cause the xy coordinates
3467  * of the sum to be wrong (since infinity has no xy coordinates).
3468  * HOWEVER, if the x-coordinates are different, infinity is the
3469  * wrong answer, and such degeneracies are exposed. This is the
3470  * root of https://github.com/bitcoin-core/secp256k1/issues/257
3471  * which this test is a regression test for.
3472  *
3473  * These points were generated in sage as
3474  * # secp256k1 params
3475  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3476  * C = EllipticCurve ([F (0), F (7)])
3477  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3478  * N = FiniteField(G.order())
3479  *
3480  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
3481  * x = polygen(N)
3482  * lam = (1 - x^3).roots()[1][0]
3483  *
3484  * # random "bad pair"
3485  * P = C.random_element()
3486  * Q = -int(lam) * P
3487  * print " P: %x %x" % P.xy()
3488  * print " Q: %x %x" % Q.xy()
3489  * print "P + Q: %x %x" % (P + Q).xy()
3490  */
3492  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3493  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3494  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3495  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3496  );
3498  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3499  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3500  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3501  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3502  );
3504  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3505  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3506  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3507  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3508  );
3509  secp256k1_ge b;
3510  secp256k1_gej resj;
3511  secp256k1_ge res;
3512  secp256k1_ge_set_gej(&b, &bj);
3513 
3514  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
3515  secp256k1_ge_set_gej(&res, &resj);
3516  ge_equals_gej(&res, &sumj);
3517 
3518  secp256k1_gej_add_ge(&resj, &aj, &b);
3519  secp256k1_ge_set_gej(&res, &resj);
3520  ge_equals_gej(&res, &sumj);
3521 
3522  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
3523  secp256k1_ge_set_gej(&res, &resj);
3524  ge_equals_gej(&res, &sumj);
3525 }
3526 
3527 void run_ge(void) {
3528  int i;
3529  for (i = 0; i < count * 32; i++) {
3530  test_ge();
3531  }
3534 }
3535 
3536 void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
3537  secp256k1_gej t = *a;
3538  secp256k1_gej_cmov(&t, b, 0);
3539  CHECK(gej_xyz_equals_gej(&t, a));
3540  secp256k1_gej_cmov(&t, b, 1);
3541  CHECK(gej_xyz_equals_gej(&t, b));
3542 }
3543 
3544 void run_gej(void) {
3545  int i;
3546  secp256k1_gej a, b;
3547 
3548  /* Tests for secp256k1_gej_cmov */
3549  for (i = 0; i < count; i++) {
3552  test_gej_cmov(&a, &b);
3553 
3554  random_gej_test(&a);
3555  test_gej_cmov(&a, &b);
3556  test_gej_cmov(&b, &a);
3557 
3558  b = a;
3559  test_gej_cmov(&a, &b);
3560 
3561  random_gej_test(&b);
3562  test_gej_cmov(&a, &b);
3563  test_gej_cmov(&b, &a);
3564  }
3565 }
3566 
3567 void test_ec_combine(void) {
3568  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3569  secp256k1_pubkey data[6];
3570  const secp256k1_pubkey* d[6];
3571  secp256k1_pubkey sd;
3572  secp256k1_pubkey sd2;
3573  secp256k1_gej Qj;
3574  secp256k1_ge Q;
3575  int i;
3576  for (i = 1; i <= 6; i++) {
3577  secp256k1_scalar s;
3579  secp256k1_scalar_add(&sum, &sum, &s);
3581  secp256k1_ge_set_gej(&Q, &Qj);
3582  secp256k1_pubkey_save(&data[i - 1], &Q);
3583  d[i - 1] = &data[i - 1];
3585  secp256k1_ge_set_gej(&Q, &Qj);
3586  secp256k1_pubkey_save(&sd, &Q);
3587  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
3588  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
3589  }
3590 }
3591 
3592 void run_ec_combine(void) {
3593  int i;
3594  for (i = 0; i < count * 8; i++) {
3595  test_ec_combine();
3596  }
3597 }
3598 
3600  /* The input itself, normalized. */
3601  secp256k1_fe fex = *x;
3602  /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
3603  secp256k1_ge ge_even, ge_odd;
3604  /* Return values of the above calls. */
3605  int res_even, res_odd;
3606 
3608 
3609  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
3610  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
3611 
3612  CHECK(res_even == res_odd);
3613 
3614  if (res_even) {
3615  secp256k1_fe_normalize_var(&ge_odd.x);
3616  secp256k1_fe_normalize_var(&ge_even.x);
3617  secp256k1_fe_normalize_var(&ge_odd.y);
3618  secp256k1_fe_normalize_var(&ge_even.y);
3619 
3620  /* No infinity allowed. */
3621  CHECK(!ge_even.infinity);
3622  CHECK(!ge_odd.infinity);
3623 
3624  /* Check that the x coordinates check out. */
3625  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
3626  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
3627 
3628  /* Check odd/even Y in ge_odd, ge_even. */
3629  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
3630  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
3631  }
3632 }
3633 
3635  int i;
3636  for (i = 0; i < count * 4; i++) {
3637  secp256k1_fe fe;
3638  random_fe_test(&fe);
3639  test_group_decompress(&fe);
3640  }
3641 }
3642 
3643 /***** ECMULT TESTS *****/
3644 
3645 void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
3646  /* Tests the pre_g / pre_g_128 tables for consistency.
3647  * For independent verification we take a "geometric" approach to verification.
3648  * We check that every entry is on-curve.
3649  * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
3650  * (1) p, gg, and -q are colinear.
3651  * (2) p, gg, and -q are all distinct.
3652  * where gg is twice the generator, where the generator is the first table entry.
3653  *
3654  * Checking the table's generators are correct is done in run_ecmult_pre_g.
3655  */
3656  secp256k1_gej g2;
3657  secp256k1_ge p, q, gg;
3658  secp256k1_fe dpx, dpy, dqx, dqy;
3659  size_t i;
3660 
3661  CHECK(0 < n);
3662 
3663  secp256k1_ge_from_storage(&p, &pre_g[0]);
3665 
3666  secp256k1_gej_set_ge(&g2, &p);
3667  secp256k1_gej_double_var(&g2, &g2, NULL);
3668  secp256k1_ge_set_gej_var(&gg, &g2);
3669  for (i = 1; i < n; ++i) {
3670  secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
3671  secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
3672  /* Check that p is not equal to gg */
3674 
3675  secp256k1_ge_from_storage(&q, &pre_g[i]);
3677 
3678  secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x); secp256k1_fe_normalize_weak(&dqx);
3679  dqy = q.y; secp256k1_fe_add(&dqy, &gg.y); secp256k1_fe_normalize_weak(&dqy);
3680  /* Check that -q is not equal to gg */
3682 
3683  /* Check that -q is not equal to p */
3684  CHECK(!secp256k1_fe_equal_var(&dpx, &dqx) || !secp256k1_fe_equal_var(&dpy, &dqy));
3685 
3686  /* Check that p, -q and gg are colinear */
3687  secp256k1_fe_mul(&dpx, &dpx, &dqy);
3688  secp256k1_fe_mul(&dpy, &dpy, &dqx);
3689  CHECK(secp256k1_fe_equal_var(&dpx, &dpy));
3690 
3691  p = q;
3692  }
3693 }
3694 
3695 void run_ecmult_pre_g(void) {
3697  secp256k1_gej gj;
3698  secp256k1_ge g;
3699  size_t i;
3700 
3701  /* Check that the pre_g and pre_g_128 tables are consistent. */
3704 
3705  /* Check the first entry from the pre_g table. */
3707  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
3708 
3709  /* Check the first entry from the pre_g_128 table. */
3711  for (i = 0; i < 128; ++i) {
3712  secp256k1_gej_double_var(&gj, &gj, NULL);
3713  }
3714  secp256k1_ge_set_gej(&g, &gj);
3715  secp256k1_ge_to_storage(&gs, &g);
3716  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
3717 }
3718 
3719 void run_ecmult_chain(void) {
3720  /* random starting point A (on the curve) */
3722  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
3723  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
3724  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
3725  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
3726  );
3727  /* two random initial factors xn and gn */
3729  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
3730  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
3731  );
3733  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
3734  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
3735  );
3736  /* two small multipliers to be applied to xn and gn in every iteration: */
3737  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
3738  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
3739  /* accumulators with the resulting coefficients to A and G */
3740  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3741  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3742  /* actual points */
3743  secp256k1_gej x;
3744  secp256k1_gej x2;
3745  int i;
3746 
3747  /* the point being computed */
3748  x = a;
3749  for (i = 0; i < 200*count; i++) {
3750  /* in each iteration, compute X = xn*X + gn*G; */
3751  secp256k1_ecmult(&x, &x, &xn, &gn);
3752  /* also compute ae and ge: the actual accumulated factors for A and G */
3753  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
3754  secp256k1_scalar_mul(&ae, &ae, &xn);
3755  secp256k1_scalar_mul(&ge, &ge, &xn);
3756  secp256k1_scalar_add(&ge, &ge, &gn);
3757  /* modify xn and gn */
3758  secp256k1_scalar_mul(&xn, &xn, &xf);
3759  secp256k1_scalar_mul(&gn, &gn, &gf);
3760 
3761  /* verify */
3762  if (i == 19999) {
3763  /* expected result after 19999 iterations */
3765  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
3766  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
3767  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
3768  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
3769  );
3770 
3771  secp256k1_gej_neg(&rp, &rp);
3772  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
3774  }
3775  }
3776  /* redo the computation, but directly with the resulting ae and ge coefficients: */
3777  secp256k1_ecmult(&x2, &a, &ae, &ge);
3778  secp256k1_gej_neg(&x2, &x2);
3779  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
3781 }
3782 
3784  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
3785  secp256k1_scalar x;
3786  secp256k1_scalar nx;
3787  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3788  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3789  secp256k1_gej res1, res2;
3790  secp256k1_ge res3;
3791  unsigned char pub[65];
3792  size_t psize = 65;
3794  secp256k1_scalar_negate(&nx, &x);
3795  secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
3796  secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
3797  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
3799  secp256k1_ge_set_gej(&res3, &res1);
3801  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
3802  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
3803  psize = 65;
3804  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
3805  /* check zero/one edge cases */
3806  secp256k1_ecmult(&res1, point, &zero, &zero);
3807  secp256k1_ge_set_gej(&res3, &res1);
3809  secp256k1_ecmult(&res1, point, &one, &zero);
3810  secp256k1_ge_set_gej(&res3, &res1);
3811  ge_equals_gej(&res3, point);
3812  secp256k1_ecmult(&res1, point, &zero, &one);
3813  secp256k1_ge_set_gej(&res3, &res1);
3815 }
3816 
3817 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
3818  *
3819  * They are computed as:
3820  * - For a in [-2, -1, 0, 1, 2]:
3821  * - For b in [-3, -1, 1, 3]:
3822  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
3823  */
3825  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
3826  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
3827  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
3828  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
3829  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
3830  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
3831  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
3832  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
3833  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
3834  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
3835  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
3836  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
3837  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
3838  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
3839  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
3840  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
3841  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
3842  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
3843  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
3844  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
3845 };
3846 
3847 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
3848  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
3849  secp256k1_scalar n1, n2;
3850  secp256k1_ge p;
3851  secp256k1_gej pj, p1j, p2j, ptj;
3852  static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3853 
3854  /* Generate random n1,n2 such that n1+n2 = -target. */
3856  secp256k1_scalar_add(&n2, &n1, target);
3857  secp256k1_scalar_negate(&n2, &n2);
3858 
3859  /* Generate a random input point. */
3860  if (mode != 0) {
3862  secp256k1_gej_set_ge(&pj, &p);
3863  }
3864 
3865  /* EC multiplications */
3866  if (mode == 0) {
3867  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
3868  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
3869  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
3870  } else if (mode == 1) {
3871  secp256k1_ecmult(&p1j, &pj, &n1, &zero);
3872  secp256k1_ecmult(&p2j, &pj, &n2, &zero);
3873  secp256k1_ecmult(&ptj, &pj, target, &zero);
3874  } else {
3875  secp256k1_ecmult_const(&p1j, &p, &n1, 256);
3876  secp256k1_ecmult_const(&p2j, &p, &n2, 256);
3877  secp256k1_ecmult_const(&ptj, &p, target, 256);
3878  }
3879 
3880  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
3881  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
3882  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
3884 }
3885 
3887  int i;
3888  unsigned j;
3889  for (i = 0; i < 4*count; ++i) {
3890  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
3894  }
3895  }
3896 }
3897 
3899  int i;
3900  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
3901  static const secp256k1_fe xr = SECP256K1_FE_CONST(
3902  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
3903  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
3904  );
3905  for (i = 0; i < 500; i++) {
3906  secp256k1_ge p;
3907  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
3908  secp256k1_gej j;
3910  secp256k1_gej_set_ge(&j, &p);
3912  }
3913  secp256k1_fe_sqr(&x, &x);
3914  }
3916  CHECK(secp256k1_fe_equal_var(&x, &xr));
3917 }
3918 
3920  /* random starting point A (on the curve) */
3922  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
3923  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
3924  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
3925  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
3926  );
3927  /* random initial factor xn */
3929  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
3930  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
3931  );
3932  /* expected xn * A (from sage) */
3933  secp256k1_ge expected_b = SECP256K1_GE_CONST(
3934  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
3935  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
3936  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
3937  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
3938  );
3939  secp256k1_gej b;
3940  secp256k1_ecmult_const(&b, &a, &xn, 256);
3941 
3943  ge_equals_gej(&expected_b, &b);
3944 }
3945 
3947  secp256k1_scalar a;
3948  secp256k1_scalar b;
3949  secp256k1_gej res1;
3950  secp256k1_gej res2;
3951  secp256k1_ge mid1;
3952  secp256k1_ge mid2;
3955 
3956  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
3957  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
3958  secp256k1_ge_set_gej(&mid1, &res1);
3959  secp256k1_ge_set_gej(&mid2, &res2);
3960  secp256k1_ecmult_const(&res1, &mid1, &b, 256);
3961  secp256k1_ecmult_const(&res2, &mid2, &a, 256);
3962  secp256k1_ge_set_gej(&mid1, &res1);
3963  secp256k1_ge_set_gej(&mid2, &res2);
3964  ge_equals_ge(&mid1, &mid2);
3965 }
3966 
3968  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3969  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3970  secp256k1_scalar negone;
3971  secp256k1_gej res1;
3972  secp256k1_ge res2;
3973  secp256k1_ge point;
3974  secp256k1_scalar_negate(&negone, &one);
3975 
3976  random_group_element_test(&point);
3977  secp256k1_ecmult_const(&res1, &point, &zero, 3);
3978  secp256k1_ge_set_gej(&res2, &res1);
3980  secp256k1_ecmult_const(&res1, &point, &one, 2);
3981  secp256k1_ge_set_gej(&res2, &res1);
3982  ge_equals_ge(&res2, &point);
3983  secp256k1_ecmult_const(&res1, &point, &negone, 256);
3984  secp256k1_gej_neg(&res1, &res1);
3985  secp256k1_ge_set_gej(&res2, &res1);
3986  ge_equals_ge(&res2, &point);
3987 }
3988 
3990  /* Check known result (randomly generated test problem from sage) */
3992  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
3993  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
3994  );
3995  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
3996  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
3997  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
3998  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
3999  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4000  );
4001  secp256k1_gej point;
4002  secp256k1_ge res;
4003  int i;
4004 
4006  for (i = 0; i < 100; ++i) {
4007  secp256k1_ge tmp;
4008  secp256k1_ge_set_gej(&tmp, &point);
4009  secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
4010  }
4011  secp256k1_ge_set_gej(&res, &point);
4012  ge_equals_gej(&res, &expected_point);
4013 }
4014 
4020 }
4021 
4022 typedef struct {
4026 
4027 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4028  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4029  *sc = data->sc[idx];
4030  *pt = data->pt[idx];
4031  return 1;
4032 }
4033 
4034 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4035  (void)sc;
4036  (void)pt;
4037  (void)idx;
4038  (void)cbdata;
4039  return 0;
4040 }
4041 
4043  int ncount;
4044  secp256k1_scalar szero;
4045  secp256k1_scalar sc[32];
4046  secp256k1_ge pt[32];
4047  secp256k1_gej r;
4048  secp256k1_gej r2;
4049  ecmult_multi_data data;
4050 
4051  data.sc = sc;
4052  data.pt = pt;
4053  secp256k1_scalar_set_int(&szero, 0);
4054 
4055  /* No points to multiply */
4056  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4057 
4058  /* Check 1- and 2-point multiplies against ecmult */
4059  for (ncount = 0; ncount < count; ncount++) {
4060  secp256k1_ge ptg;
4061  secp256k1_gej ptgj;
4062  random_scalar_order(&sc[0]);
4063  random_scalar_order(&sc[1]);
4064 
4066  secp256k1_gej_set_ge(&ptgj, &ptg);
4067  pt[0] = ptg;
4068  pt[1] = secp256k1_ge_const_g;
4069 
4070  /* only G scalar */
4071  secp256k1_ecmult(&r2, &ptgj, &szero, &sc[0]);
4072  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4073  secp256k1_gej_neg(&r2, &r2);
4074  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4076 
4077  /* 1-point */
4078  secp256k1_ecmult(&r2, &ptgj, &sc[0], &szero);
4079  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
4080  secp256k1_gej_neg(&r2, &r2);
4081  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4083 
4084  /* Try to multiply 1 point, but callback returns false */
4085  CHECK(!ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
4086 
4087  /* 2-point */
4088  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4089  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
4090  secp256k1_gej_neg(&r2, &r2);
4091  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4093 
4094  /* 2-point with G scalar */
4095  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4096  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4097  secp256k1_gej_neg(&r2, &r2);
4098  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4100  }
4101 
4102  /* Check infinite outputs of various forms */
4103  for (ncount = 0; ncount < count; ncount++) {
4104  secp256k1_ge ptg;
4105  size_t i, j;
4106  size_t sizes[] = { 2, 10, 32 };
4107 
4108  for (j = 0; j < 3; j++) {
4109  for (i = 0; i < 32; i++) {
4110  random_scalar_order(&sc[i]);
4111  secp256k1_ge_set_infinity(&pt[i]);
4112  }
4113  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4115  }
4116 
4117  for (j = 0; j < 3; j++) {
4118  for (i = 0; i < 32; i++) {
4120  pt[i] = ptg;
4121  secp256k1_scalar_set_int(&sc[i], 0);
4122  }
4123  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4125  }
4126 
4127  for (j = 0; j < 3; j++) {
4129  for (i = 0; i < 16; i++) {
4130  random_scalar_order(&sc[2*i]);
4131  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4132  pt[2 * i] = ptg;
4133  pt[2 * i + 1] = ptg;
4134  }
4135 
4136  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4138 
4139  random_scalar_order(&sc[0]);
4140  for (i = 0; i < 16; i++) {
4142 
4143  sc[2*i] = sc[0];
4144  sc[2*i+1] = sc[0];
4145  pt[2 * i] = ptg;
4146  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4147  }
4148 
4149  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4151  }
4152 
4154  secp256k1_scalar_set_int(&sc[0], 0);
4155  pt[0] = ptg;
4156  for (i = 1; i < 32; i++) {
4157  pt[i] = ptg;
4158 
4159  random_scalar_order(&sc[i]);
4160  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4161  secp256k1_scalar_negate(&sc[i], &sc[i]);
4162  }
4163 
4164  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
4166  }
4167 
4168  /* Check random points, constant scalar */
4169  for (ncount = 0; ncount < count; ncount++) {
4170  size_t i;
4172 
4173  random_scalar_order(&sc[0]);
4174  for (i = 0; i < 20; i++) {
4175  secp256k1_ge ptg;
4176  sc[i] = sc[0];
4178  pt[i] = ptg;
4179  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4180  }
4181 
4182  secp256k1_ecmult(&r2, &r, &sc[0], &szero);
4183  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4184  secp256k1_gej_neg(&r2, &r2);
4185  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4187  }
4188 
4189  /* Check random scalars, constant point */
4190  for (ncount = 0; ncount < count; ncount++) {
4191  size_t i;
4192  secp256k1_ge ptg;
4193  secp256k1_gej p0j;
4194  secp256k1_scalar rs;
4195  secp256k1_scalar_set_int(&rs, 0);
4196 
4198  for (i = 0; i < 20; i++) {
4199  random_scalar_order(&sc[i]);
4200  pt[i] = ptg;
4201  secp256k1_scalar_add(&rs, &rs, &sc[i]);
4202  }
4203 
4204  secp256k1_gej_set_ge(&p0j, &pt[0]);
4205  secp256k1_ecmult(&r2, &p0j, &rs, &szero);
4206  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4207  secp256k1_gej_neg(&r2, &r2);
4208  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4210  }
4211 
4212  /* Sanity check that zero scalars don't cause problems */
4213  for (ncount = 0; ncount < 20; ncount++) {
4214  random_scalar_order(&sc[ncount]);
4215  random_group_element_test(&pt[ncount]);
4216  }
4217 
4218  secp256k1_scalar_clear(&sc[0]);
4219  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4220  secp256k1_scalar_clear(&sc[1]);
4221  secp256k1_scalar_clear(&sc[2]);
4222  secp256k1_scalar_clear(&sc[3]);
4223  secp256k1_scalar_clear(&sc[4]);
4224  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
4225  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
4227 
4228  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4229  {
4230  const size_t TOP = 8;
4231  size_t s0i, s1i;
4232  size_t t0i, t1i;
4233  secp256k1_ge ptg;
4234  secp256k1_gej ptgj;
4235 
4237  secp256k1_gej_set_ge(&ptgj, &ptg);
4238 
4239  for(t0i = 0; t0i < TOP; t0i++) {
4240  for(t1i = 0; t1i < TOP; t1i++) {
4241  secp256k1_gej t0p, t1p;
4242  secp256k1_scalar t0, t1;
4243 
4244  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4245  secp256k1_scalar_cond_negate(&t0, t0i & 1);
4246  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4247  secp256k1_scalar_cond_negate(&t1, t1i & 1);
4248 
4249  secp256k1_ecmult(&t0p, &ptgj, &t0, &szero);
4250  secp256k1_ecmult(&t1p, &ptgj, &t1, &szero);
4251 
4252  for(s0i = 0; s0i < TOP; s0i++) {
4253  for(s1i = 0; s1i < TOP; s1i++) {
4254  secp256k1_scalar tmp1, tmp2;
4255  secp256k1_gej expected, actual;
4256 
4257  secp256k1_ge_set_gej(&pt[0], &t0p);
4258  secp256k1_ge_set_gej(&pt[1], &t1p);
4259 
4260  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4261  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4262  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4263  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4264 
4265  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4266  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4267  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4268 
4269  secp256k1_ecmult(&expected, &ptgj, &tmp1, &szero);
4270  CHECK(ecmult_multi(&ctx->error_callback, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
4271  secp256k1_gej_neg(&expected, &expected);
4272  secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
4273  CHECK(secp256k1_gej_is_infinity(&actual));
4274  }
4275  }
4276  }
4277  }
4278  }
4279 }
4280 
4282  /* Large random test for ecmult_multi_* functions which exercises:
4283  * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4284  * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4285  * - Including or excluding an nonzero a*G term (or such a term at all).
4286  * - Final expected result equal to infinity or not (roughly 50%).
4287  * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4288  */
4289 
4290  /* These 4 variables define the eventual input to the ecmult_multi function.
4291  * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4292  * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4293  * which form its normal inputs. */
4294  int filled = 0;
4295  secp256k1_scalar g_scalar = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4296  secp256k1_scalar scalars[128];
4297  secp256k1_gej gejs[128];
4298  /* The expected result, and the computed result. */
4299  secp256k1_gej expected, computed;
4300  /* Temporaries. */
4301  secp256k1_scalar sc_tmp;
4302  secp256k1_ge ge_tmp;
4303  /* Variables needed for the actual input to ecmult_multi. */
4304  secp256k1_ge ges[128];
4305  ecmult_multi_data data;
4306 
4307  int i;
4308  /* Which multiplication function to use */
4309  int fn = secp256k1_testrand_int(3);
4310  secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4313  /* Simulate exponentially distributed num. */
4314  int num_bits = 2 + secp256k1_testrand_int(6);
4315  /* Number of (scalar, point) inputs (excluding g). */
4316  int num = secp256k1_testrand_int((1 << num_bits) + 1);
4317  /* Number of those which are nonzero. */
4318  int num_nonzero = secp256k1_testrand_int(num + 1);
4319  /* Whether we're aiming to create an input with nonzero expected result. */
4320  int nonzero_result = secp256k1_testrand_bits(1);
4321  /* Whether we will provide nonzero g multiplicand. In some cases our hand
4322  * is forced here based on num_nonzero and nonzero_result. */
4323  int g_nonzero = num_nonzero == 0 ? nonzero_result :
4324  num_nonzero == 1 && !nonzero_result ? 1 :
4325  (int)secp256k1_testrand_bits(1);
4326  /* Which g_scalar pointer to pass into ecmult_multi(). */
4327  const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4328  /* How many EC multiplications were performed in this function. */
4329  int mults = 0;
4330  /* How many randomization steps to apply to the input list. */
4331  int rands = (int)secp256k1_testrand_bits(3);
4332  if (rands > num_nonzero) rands = num_nonzero;
4333 
4334  secp256k1_gej_set_infinity(&expected);
4335  secp256k1_gej_set_infinity(&gejs[0]);
4336  secp256k1_scalar_set_int(&scalars[0], 0);
4337 
4338  if (g_nonzero) {
4339  /* If g_nonzero, set g_scalar to nonzero value r. */
4340  random_scalar_order_test(&g_scalar);
4341  if (!nonzero_result) {
4342  /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4343  CHECK(num_nonzero > filled);
4344  random_scalar_order_test(&sc_tmp);
4345  secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4346  secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4347  secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4348  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4349  ++filled;
4350  ++mults;
4351  }
4352  }
4353 
4354  if (nonzero_result && filled < num_nonzero) {
4355  /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4356  random_scalar_order_test(&scalars[filled]);
4357  random_group_element_test(&ge_tmp);
4358  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4359  ++filled;
4360  }
4361 
4362  if (nonzero_result) {
4363  /* Compute the expected result using normal ecmult. */
4364  CHECK(filled <= 1);
4365  secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4366  mults += filled + g_nonzero;
4367  }
4368 
4369  /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4370  CHECK(filled <= 1 + !nonzero_result);
4371  CHECK(filled <= num_nonzero);
4372 
4373  /* Add entries to scalars,gejs so that there are num of them. All the added entries
4374  * either have scalar=0 or point=infinity, so these do not change the expected result. */
4375  while (filled < num) {
4376  if (secp256k1_testrand_bits(1)) {
4377  secp256k1_gej_set_infinity(&gejs[filled]);
4378  random_scalar_order_test(&scalars[filled]);
4379  } else {
4380  secp256k1_scalar_set_int(&scalars[filled], 0);
4381  random_group_element_test(&ge_tmp);
4382  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4383  }
4384  ++filled;
4385  }
4386 
4387  /* Now perform cheapish transformations on gejs and scalars, for indices
4388  * 0..num_nonzero-1, which do not change the expected result, but may
4389  * convert some of them to be both non-0-scalar and non-infinity-point. */
4390  for (i = 0; i < rands; ++i) {
4391  int j;
4392  secp256k1_scalar v, iv;
4393  /* Shuffle the entries. */
4394  for (j = 0; j < num_nonzero; ++j) {
4395  int k = secp256k1_testrand_int(num_nonzero - j);
4396  if (k != 0) {
4397  secp256k1_gej gej = gejs[j];
4398  secp256k1_scalar sc = scalars[j];
4399  gejs[j] = gejs[j + k];
4400  scalars[j] = scalars[j + k];
4401  gejs[j + k] = gej;
4402  scalars[j + k] = sc;
4403  }
4404  }
4405  /* Perturb all consecutive pairs of inputs:
4406  * a*P + b*Q -> (a+b)*P + b*(Q-P). */
4407  for (j = 0; j + 1 < num_nonzero; j += 2) {
4408  secp256k1_gej gej;
4409  secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
4410  secp256k1_gej_neg(&gej, &gejs[j]);
4411  secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
4412  }
4413  /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
4414  CHECK(num_nonzero >= 1);
4416  secp256k1_scalar_inverse(&iv, &v);
4417  secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
4418  secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
4419  ++mults;
4420  }
4421 
4422  /* Shuffle all entries (0..num-1). */
4423  for (i = 0; i < num; ++i) {
4424  int j = secp256k1_testrand_int(num - i);
4425  if (j != 0) {
4426  secp256k1_gej gej = gejs[i];
4427  secp256k1_scalar sc = scalars[i];
4428  gejs[i] = gejs[i + j];
4429  scalars[i] = scalars[i + j];
4430  gejs[i + j] = gej;
4431  scalars[i + j] = sc;
4432  }
4433  }
4434 
4435  /* Compute affine versions of all inputs. */
4436  secp256k1_ge_set_all_gej_var(ges, gejs, filled);
4437  /* Invoke ecmult_multi code. */
4438  data.sc = scalars;
4439  data.pt = ges;
4440  CHECK(ecmult_multi(&ctx->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
4441  mults += num_nonzero + g_nonzero;
4442  /* Compare with expected result. */
4443  secp256k1_gej_neg(&computed, &computed);
4444  secp256k1_gej_add_var(&computed, &computed, &expected, NULL);
4445  CHECK(secp256k1_gej_is_infinity(&computed));
4446  return mults;
4447 }
4448 
4450  secp256k1_scalar szero;
4451  secp256k1_scalar sc;
4452  secp256k1_ge pt;
4453  secp256k1_gej r;
4454  ecmult_multi_data data;
4455  secp256k1_scratch *scratch_empty;
4456 
4458  random_scalar_order(&sc);
4459  data.sc = &sc;
4460  data.pt = &pt;
4461  secp256k1_scalar_set_int(&szero, 0);
4462 
4463  /* Try to multiply 1 point, but scratch space is empty.*/
4464  scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
4465  CHECK(!ecmult_multi(&ctx->error_callback, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
4466  secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
4467 }
4468 
4470  int i;
4471 
4473  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
4474  /* Bucket_window of 8 is not used with endo */
4475  if (i == 8) {
4476  continue;
4477  }
4479  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
4481  }
4482  }
4483 }
4484 
4490  size_t scratch_size = secp256k1_testrand_bits(8);
4492  secp256k1_scratch *scratch;
4493  size_t n_points_supported;
4494  int bucket_window = 0;
4495 
4496  for(; scratch_size < max_size; scratch_size+=256) {
4497  size_t i;
4498  size_t total_alloc;
4499  size_t checkpoint;
4500  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
4501  CHECK(scratch != NULL);
4502  checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
4503  n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
4504  if (n_points_supported == 0) {
4506  continue;
4507  }
4508  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
4509  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
4510  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
4511  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
4513  total_alloc--;
4514  }
4515  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
4516  secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
4518  }
4519  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
4520 }
4521 
4523  size_t n_batches, n_batch_points, max_n_batch_points, n;
4524 
4525  max_n_batch_points = 0;
4526  n = 1;
4527  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
4528 
4529  max_n_batch_points = 1;
4530  n = 0;
4531  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4532  CHECK(n_batches == 0);
4533  CHECK(n_batch_points == 0);
4534 
4535  max_n_batch_points = 2;
4536  n = 5;
4537  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4538  CHECK(n_batches == 3);
4539  CHECK(n_batch_points == 2);
4540 
4541  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
4543  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4544  CHECK(n_batches == 1);
4545  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
4546 
4547  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
4549  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4550  CHECK(n_batches == 2);
4551  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
4552 
4553  max_n_batch_points = 1;
4554  n = SIZE_MAX;
4555  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4556  CHECK(n_batches == SIZE_MAX);
4557  CHECK(n_batch_points == 1);
4558 
4559  max_n_batch_points = 2;
4560  n = SIZE_MAX;
4561  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4562  CHECK(n_batches == SIZE_MAX/2 + 1);
4563  CHECK(n_batch_points == 2);
4564 }
4565 
4571  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
4572  secp256k1_scalar scG;
4573  secp256k1_scalar szero;
4575  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
4576  secp256k1_gej r;
4577  secp256k1_gej r2;
4578  ecmult_multi_data data;
4579  int i;
4580  secp256k1_scratch *scratch;
4581 
4583  secp256k1_scalar_set_int(&szero, 0);
4584 
4585  /* Get random scalars and group elements and compute result */
4586  random_scalar_order(&scG);
4587  secp256k1_ecmult(&r2, &r2, &szero, &scG);
4588  for(i = 0; i < n_points; i++) {
4589  secp256k1_ge ptg;
4590  secp256k1_gej ptgj;
4592  secp256k1_gej_set_ge(&ptgj, &ptg);
4593  pt[i] = ptg;
4594  random_scalar_order(&sc[i]);
4595  secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
4596  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
4597  }
4598  data.sc = sc;
4599  data.pt = pt;
4600  secp256k1_gej_neg(&r2, &r2);
4601 
4602  /* Test with empty scratch space. It should compute the correct result using
4603  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
4605  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4606  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4609 
4610  /* Test with space for 1 point in pippenger. That's not enough because
4611  * ecmult_multi selects strauss which requires more memory. It should
4612  * therefore select the simple algorithm. */
4614  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4615  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4618 
4619  for(i = 1; i <= n_points; i++) {
4620  if (i > ECMULT_PIPPENGER_THRESHOLD) {
4621  int bucket_window = secp256k1_pippenger_bucket_window(i);
4622  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
4624  } else {
4625  size_t scratch_size = secp256k1_strauss_scratch_size(i);
4627  }
4628  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4629  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4632  }
4633  free(sc);
4634  free(pt);
4635 }
4636 
4638  secp256k1_scratch *scratch;
4639  int64_t todo = (int64_t)320 * count;
4640 
4643  scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
4650  while (todo > 0) {
4651  todo -= test_ecmult_multi_random(scratch);
4652  }
4654 
4655  /* Run test_ecmult_multi with space for exactly one point */
4659 
4662 }
4663 
4664 void test_wnaf(const secp256k1_scalar *number, int w) {
4665  secp256k1_scalar x, two, t;
4666  int wnaf[256];
4667  int zeroes = -1;
4668  int i;
4669  int bits;
4670  secp256k1_scalar_set_int(&x, 0);
4671  secp256k1_scalar_set_int(&two, 2);
4672  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
4673  CHECK(bits <= 256);
4674  for (i = bits-1; i >= 0; i--) {
4675  int v = wnaf[i];
4676  secp256k1_scalar_mul(&x, &x, &two);
4677  if (v) {
4678  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4679  zeroes=0;
4680  CHECK((v & 1) == 1); /* check non-zero elements are odd */
4681  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
4682  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4683  } else {
4684  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4685  zeroes++;
4686  }
4687  if (v >= 0) {
4689  } else {
4692  }
4693  secp256k1_scalar_add(&x, &x, &t);
4694  }
4695  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4696 }
4697 
4699  secp256k1_scalar neg1 = *number;
4700  secp256k1_scalar neg2 = *number;
4701  int sign1 = 1;
4702  int sign2 = 1;
4703 
4704  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
4705  secp256k1_scalar_negate(&neg1, &neg1);
4706  sign1 = -1;
4707  }
4709  CHECK(sign1 == sign2);
4710  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
4711 }
4712 
4713 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
4714  secp256k1_scalar x, shift;
4715  int wnaf[256] = {0};
4716  int i;
4717  int skew;
4718  int bits = 256;
4719  secp256k1_scalar num = *number;
4720  secp256k1_scalar scalar_skew;
4721 
4722  secp256k1_scalar_set_int(&x, 0);
4723  secp256k1_scalar_set_int(&shift, 1 << w);
4724  for (i = 0; i < 16; ++i) {
4725  secp256k1_scalar_shr_int(&num, 8);
4726  }
4727  bits = 128;
4728  skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
4729 
4730  for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
4732  int v = wnaf[i];
4733  CHECK(v != 0); /* check nonzero */
4734  CHECK(v & 1); /* check parity */
4735  CHECK(v > -(1 << w)); /* check range above */
4736  CHECK(v < (1 << w)); /* check range below */
4737 
4738  secp256k1_scalar_mul(&x, &x, &shift);
4739  if (v >= 0) {
4741  } else {
4744  }
4745  secp256k1_scalar_add(&x, &x, &t);
4746  }
4747  /* Skew num because when encoding numbers as odd we use an offset */
4748  secp256k1_scalar_set_int(&scalar_skew, skew);
4749  secp256k1_scalar_add(&num, &num, &scalar_skew);
4750  CHECK(secp256k1_scalar_eq(&x, &num));
4751 }
4752 
4753 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
4754  secp256k1_scalar x, shift;
4755  int wnaf[256] = {0};
4756  int i;
4757  int skew;
4758  secp256k1_scalar num = *number;
4759 
4760  secp256k1_scalar_set_int(&x, 0);
4761  secp256k1_scalar_set_int(&shift, 1 << w);
4762  for (i = 0; i < 16; ++i) {
4763  secp256k1_scalar_shr_int(&num, 8);
4764  }
4765  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4766 
4767  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4769  int v = wnaf[i];
4770  CHECK(v == 0 || v & 1); /* check parity */
4771  CHECK(v > -(1 << w)); /* check range above */
4772  CHECK(v < (1 << w)); /* check range below */
4773 
4774  secp256k1_scalar_mul(&x, &x, &shift);
4775  if (v >= 0) {
4777  } else {
4780  }
4781  secp256k1_scalar_add(&x, &x, &t);
4782  }
4783  /* If skew is 1 then add 1 to num */
4784  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
4785  CHECK(secp256k1_scalar_eq(&x, &num));
4786 }
4787 
4788 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
4789  * rest is 0.*/
4790 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
4791  int i;
4792  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
4793  CHECK(wnaf[i] == 0);
4794  }
4795  for (i = 7; i >= 0; --i) {
4796  CHECK(wnaf[i] == wnaf_expected[i]);
4797  }
4798 }
4799 
4801  int w = 4;
4802  int wnaf[256] = {0};
4803  int i;
4804  int skew;
4805  secp256k1_scalar num;
4806 
4807  secp256k1_scalar_set_int(&num, 0);
4808  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4809  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4810  int v = wnaf[i];
4811  CHECK(v == 0);
4812  }
4813  CHECK(skew == 0);
4814 
4815  secp256k1_scalar_set_int(&num, 1);
4816  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4817  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
4818  int v = wnaf[i];
4819  CHECK(v == 0);
4820  }
4821  CHECK(wnaf[0] == 1);
4822  CHECK(skew == 0);
4823 
4824  {
4825  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
4826  secp256k1_scalar_set_int(&num, 0xffffffff);
4827  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4828  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4829  CHECK(skew == 0);
4830  }
4831  {
4832  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
4833  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
4834  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4835  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4836  CHECK(skew == 1);
4837  }
4838  {
4839  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
4840  secp256k1_scalar_set_int(&num, 0x01010101);
4841  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4842  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4843  CHECK(skew == 0);
4844  }
4845  {
4846  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
4847  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
4848  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4849  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4850  CHECK(skew == 0);
4851  }
4852 }
4853 
4854 void run_wnaf(void) {
4855  int i;
4856  secp256k1_scalar n = {{0}};
4857 
4858  test_constant_wnaf(&n, 4);
4859  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
4860  * have easier-to-diagnose failure modes */
4861  n.d[0] = 1;
4862  test_constant_wnaf(&n, 4);
4863  n.d[0] = 2;
4864  test_constant_wnaf(&n, 4);
4865  /* Test -1, because it's a special case in wnaf_const */
4867  secp256k1_scalar_negate(&n, &n);
4868  test_constant_wnaf(&n, 4);
4869 
4870  /* Test -2, which may not lead to overflows in wnaf_const */
4872  secp256k1_scalar_negate(&n, &n);
4873  test_constant_wnaf(&n, 4);
4874 
4875  /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
4876  as corner cases of negation handling in wnaf_const */
4877  secp256k1_scalar_inverse(&n, &n);
4878  test_constant_wnaf(&n, 4);
4879 
4881  test_constant_wnaf(&n, 4);
4882 
4883  /* Test 0 for fixed wnaf */
4885  /* Random tests */
4886  for (i = 0; i < count; i++) {
4887  random_scalar_order(&n);
4888  test_wnaf(&n, 4+(i%10));
4890  test_constant_wnaf(&n, 4 + (i % 10));
4891  test_fixed_wnaf(&n, 4 + (i % 10));
4892  }
4893  secp256k1_scalar_set_int(&n, 0);
4894  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
4896  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
4898 }
4899 
4900 static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
4901  const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
4902  *sc = *indata;
4903  *pt = secp256k1_ge_const_g;
4904  CHECK(idx == 0);
4905  return 1;
4906 }
4907 
4909  /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
4910  secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
4911  secp256k1_ge r;
4912  const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4913  unsigned char bytes[65];
4914  size_t size = 65;
4918  secp256k1_ecmult(&rj2, &gj, x, &zero);
4919  secp256k1_ecmult(&rj3, &infj, &zero, x);
4920  secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
4921  secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &zero, test_ecmult_accumulate_cb, (void*)x, 1);
4923  secp256k1_ge_set_gej_var(&r, &rj1);
4924  ge_equals_gej(&r, &rj2);
4925  ge_equals_gej(&r, &rj3);
4926  ge_equals_gej(&r, &rj4);
4927  ge_equals_gej(&r, &rj5);
4928  ge_equals_gej(&r, &rj6);
4929  if (secp256k1_ge_is_infinity(&r)) {
4930  /* Store infinity as 0x00 */
4931  const unsigned char zerobyte[1] = {0};
4932  secp256k1_sha256_write(acc, zerobyte, 1);
4933  } else {
4934  /* Store other points using their uncompressed serialization. */
4935  secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
4936  CHECK(size == 65);
4937  secp256k1_sha256_write(acc, bytes, size);
4938  }
4939 }
4940 
4942  /* Using test_ecmult_accumulate, test ecmult for:
4943  * - For i in 0..36:
4944  * - Key i
4945  * - Key -i
4946  * - For i in 0..255:
4947  * - For j in 1..255 (only odd values):
4948  * - Key (j*2^i) mod order
4949  */
4950  secp256k1_scalar x;
4951  secp256k1_sha256 acc;
4952  unsigned char b32[32];
4953  int i, j;
4955 
4956  /* Expected hash of all the computed points; created with an independent
4957  * implementation. */
4958  static const unsigned char expected32[32] = {
4959  0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
4960  0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
4961  0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
4962  0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
4963  };
4965  for (i = 0; i <= 36; ++i) {
4966  secp256k1_scalar_set_int(&x, i);
4967  test_ecmult_accumulate(&acc, &x, scratch);
4968  secp256k1_scalar_negate(&x, &x);
4969  test_ecmult_accumulate(&acc, &x, scratch);
4970  };
4971  for (i = 0; i < 256; ++i) {
4972  for (j = 1; j < 256; j += 2) {
4973  int k;
4974  secp256k1_scalar_set_int(&x, j);
4975  for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
4976  test_ecmult_accumulate(&acc, &x, scratch);
4977  }
4978  }
4979  secp256k1_sha256_finalize(&acc, b32);
4980  CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
4981 
4983 }
4984 
4985 void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
4986  /* Using test_ecmult_accumulate, test ecmult for:
4987  * - Key 0
4988  * - Key 1
4989  * - Key -1
4990  * - For i in range(iter):
4991  * - Key SHA256(LE32(prefix) || LE16(i))
4992  */
4993  secp256k1_scalar x;
4994  secp256k1_sha256 acc;
4995  unsigned char b32[32];
4996  unsigned char inp[6];
4997  size_t i;
4999 
5000  inp[0] = prefix & 0xFF;
5001  inp[1] = (prefix >> 8) & 0xFF;
5002  inp[2] = (prefix >> 16) & 0xFF;
5003  inp[3] = (prefix >> 24) & 0xFF;
5005  secp256k1_scalar_set_int(&x, 0);
5006  test_ecmult_accumulate(&acc, &x, scratch);
5007  secp256k1_scalar_set_int(&x, 1);
5008  test_ecmult_accumulate(&acc, &x, scratch);
5009  secp256k1_scalar_negate(&x, &x);
5010  test_ecmult_accumulate(&acc, &x, scratch);
5011 
5012  for (i = 0; i < iter; ++i) {
5013  secp256k1_sha256 gen;
5014  inp[4] = i & 0xff;
5015  inp[5] = (i >> 8) & 0xff;
5017  secp256k1_sha256_write(&gen, inp, sizeof(inp));
5018  secp256k1_sha256_finalize(&gen, b32);
5019  secp256k1_scalar_set_b32(&x, b32, NULL);
5020  test_ecmult_accumulate(&acc, &x, scratch);
5021  }
5022  secp256k1_sha256_finalize(&acc, b32);
5023  CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5024 
5026 }
5027 
5029  /* Expected hashes of all points in the tests below. Computed using an
5030  * independent implementation. */
5031  static const unsigned char expected32_6bit20[32] = {
5032  0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5033  0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5034  0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5035  0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5036  };
5037  static const unsigned char expected32_8bit8[32] = {
5038  0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5039  0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5040  0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5041  0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5042  };
5043  /* For every combination of 6 bit positions out of 256, restricted to
5044  * 20-bit windows (i.e., the first and last bit position are no more than
5045  * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5046  * this test. */
5047  CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5048  test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5049  }
5050 
5051  /* For every combination of 8 consecutive bit positions, all 256 bit
5052  * patterns occur in the input scalars used in this test. */
5053  CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5054  test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5055  }
5056 
5057  CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5059  }
5060 }
5061 
5063  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5064  secp256k1_scalar key;
5065  secp256k1_scalar b;
5066  unsigned char seed32[32];
5067  secp256k1_gej pgej;
5068  secp256k1_gej pgej2;
5069  secp256k1_gej i;
5070  secp256k1_ge pge;
5072  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
5073  secp256k1_testrand256(seed32);
5074  b = ctx->ecmult_gen_ctx.blind;
5075  i = ctx->ecmult_gen_ctx.initial;
5078  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
5079  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5081  secp256k1_ge_set_gej(&pge, &pgej);
5082  ge_equals_gej(&pge, &pgej2);
5083 }
5084 
5086  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5087  secp256k1_scalar b;
5088  secp256k1_gej initial;
5090  b = ctx->ecmult_gen_ctx.blind;
5091  initial = ctx->ecmult_gen_ctx.initial;
5095 }
5096 
5098  int i;
5100  for (i = 0; i < 10; i++) {
5102  }
5103 }
5104 
5105 /***** ENDOMORPHISH TESTS *****/
5107  secp256k1_scalar s, s1, slam;
5108  const unsigned char zero[32] = {0};
5109  unsigned char tmp[32];
5110 
5111  secp256k1_scalar_split_lambda(&s1, &slam, full);
5112 
5113  /* check slam*lambda + s1 == full */
5115  secp256k1_scalar_add(&s, &s, &s1);
5116  CHECK(secp256k1_scalar_eq(&s, full));
5117 
5118  /* check that both are <= 128 bits in size */
5119  if (secp256k1_scalar_is_high(&s1)) {
5120  secp256k1_scalar_negate(&s1, &s1);
5121  }
5122  if (secp256k1_scalar_is_high(&slam)) {
5123  secp256k1_scalar_negate(&slam, &slam);
5124  }
5125 
5126  secp256k1_scalar_get_b32(tmp, &s1);
5127  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5128  secp256k1_scalar_get_b32(tmp, &slam);
5129  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5130 }
5131 
5132 
5134  unsigned i;
5135  static secp256k1_scalar s;
5139  test_scalar_split(&s);
5142  test_scalar_split(&s);
5143 
5144  for (i = 0; i < 100U * count; ++i) {
5145  secp256k1_scalar full;
5146  random_scalar_order_test(&full);
5147  test_scalar_split(&full);
5148  }
5149  for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5151  }
5152 }
5153 
5154 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5155  unsigned char pubkeyc[65];
5156  secp256k1_pubkey pubkey;
5157  secp256k1_ge ge;
5158  size_t pubkeyclen;
5159  int32_t ecount;
5160  ecount = 0;
5162  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5163  /* Smaller sizes are tested exhaustively elsewhere. */
5164  int32_t i;
5165  memcpy(&pubkeyc[1], input, 64);
5166  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5167  for (i = 0; i < 256; i++) {
5168  /* Try all type bytes. */
5169  int xpass;
5170  int ypass;
5171  int ysign;
5172  pubkeyc[0] = i;
5173  /* What sign does this point have? */
5174  ysign = (input[63] & 1) + 2;
5175  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5176  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5177  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5178  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5179  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5180  if (xpass || ypass) {
5181  /* These cases must parse. */
5182  unsigned char pubkeyo[65];
5183  size_t outl;
5184  memset(&pubkey, 0, sizeof(pubkey));
5185  VG_UNDEF(&pubkey, sizeof(pubkey));
5186  ecount = 0;
5187  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
5188  VG_CHECK(&pubkey, sizeof(pubkey));
5189  outl = 65;
5190  VG_UNDEF(pubkeyo, 65);
5191  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5192  VG_CHECK(pubkeyo, outl);
5193  CHECK(outl == 33);
5194  CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5195  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5196  if (ypass) {
5197  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5198  CHECK(pubkeyo[0] == ysign);
5199  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
5200  memset(&pubkey, 0, sizeof(pubkey));
5201  VG_UNDEF(&pubkey, sizeof(pubkey));
5202  secp256k1_pubkey_save(&pubkey, &ge);
5203  VG_CHECK(&pubkey, sizeof(pubkey));
5204  outl = 65;
5205  VG_UNDEF(pubkeyo, 65);
5206  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5207  VG_CHECK(pubkeyo, outl);
5208  CHECK(outl == 65);
5209  CHECK(pubkeyo[0] == 4);
5210  CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5211  }
5212  CHECK(ecount == 0);
5213  } else {
5214  /* These cases must fail to parse. */
5215  memset(&pubkey, 0xfe, sizeof(pubkey));
5216  ecount = 0;
5217  VG_UNDEF(&pubkey, sizeof(pubkey));
5218  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
5219  VG_CHECK(&pubkey, sizeof(pubkey));
5220  CHECK(ecount == 0);
5221  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5222  CHECK(ecount == 1);
5223  }
5224  }
5225  }
5227 }
5228 
5230 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
5231  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5232  {
5233  /* Point with leading and trailing zeros in x and y serialization. */
5234  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5235  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5236  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5237  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5238  },
5239  {
5240  /* Point with x equal to a 3rd root of unity.*/
5241  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5242  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5243  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5244  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5245  },
5246  {
5247  /* Point with largest x. (1/2) */
5248  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5249  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5250  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5251  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5252  },
5253  {
5254  /* Point with largest x. (2/2) */
5255  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5256  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5257  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5258  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5259  },
5260  {
5261  /* Point with smallest x. (1/2) */
5262  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5263  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5264  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5265  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5266  },
5267  {
5268  /* Point with smallest x. (2/2) */
5269  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5270  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5271  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5272  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5273  },
5274  {
5275  /* Point with largest y. (1/3) */
5276  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5277  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5278  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5279  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5280  },
5281  {
5282  /* Point with largest y. (2/3) */
5283  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5284  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5285  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5286  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5287  },
5288  {
5289  /* Point with largest y. (3/3) */
5290  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5291  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5292  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5293  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5294  },
5295  {
5296  /* Point with smallest y. (1/3) */
5297  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5298  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5299  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5300  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5301  },
5302  {
5303  /* Point with smallest y. (2/3) */
5304  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5305  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5306  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5307  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5308  },
5309  {
5310  /* Point with smallest y. (3/3) */
5311  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5312  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5313  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5314  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5315  }
5316  };
5317 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5318  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5319  {
5320  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5321  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5322  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5323  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5324  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5325  },
5326  {
5327  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5328  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5329  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5330  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5331  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5332  },
5333  {
5334  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5335  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5336  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5337  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5338  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5339  },
5340  {
5341  /* x on curve, y is from y^2 = x^3 + 8. */
5342  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5343  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5344  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5345  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5346  }
5347  };
5348 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5349  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5350  {
5351  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5352  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5353  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5354  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5355  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5356  },
5357  {
5358  /* Valid if x overflow ignored (x = 1 mod p). */
5359  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5360  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5361  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5362  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5363  },
5364  {
5365  /* Valid if x overflow ignored (x = 1 mod p). */
5366  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5367  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5368  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5369  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5370  },
5371  {
5372  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5373  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5374  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5375  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5376  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5377  },
5378  {
5379  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5380  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5381  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5382  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5383  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5384  },
5385  {
5386  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5387  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5388  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5389  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5390  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5391  },
5392  {
5393  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5394  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5395  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5396  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5397  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5398  }
5399  };
5400  const unsigned char pubkeyc[66] = {
5401  /* Serialization of G. */
5402  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5403  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5404  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5405  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5406  0xB8, 0x00
5407  };
5408  unsigned char sout[65];
5409  unsigned char shortkey[2];
5410  secp256k1_ge ge;
5411  secp256k1_pubkey pubkey;
5412  size_t len;
5413  int32_t i;
5414  int32_t ecount;
5415  int32_t ecount2;
5416  ecount = 0;
5417  /* Nothing should be reading this far into pubkeyc. */
5418  VG_UNDEF(&pubkeyc[65], 1);
5420  /* Zero length claimed, fail, zeroize, no illegal arg error. */
5421  memset(&pubkey, 0xfe, sizeof(pubkey));
5422  ecount = 0;
5423  VG_UNDEF(shortkey, 2);
5424  VG_UNDEF(&pubkey, sizeof(pubkey));
5425  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
5426  VG_CHECK(&pubkey, sizeof(pubkey));
5427  CHECK(ecount == 0);
5428  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5429  CHECK(ecount == 1);
5430  /* Length one claimed, fail, zeroize, no illegal arg error. */
5431  for (i = 0; i < 256 ; i++) {
5432  memset(&pubkey, 0xfe, sizeof(pubkey));
5433  ecount = 0;
5434  shortkey[0] = i;
5435  VG_UNDEF(&shortkey[1], 1);
5436  VG_UNDEF(&pubkey, sizeof(pubkey));
5437  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
5438  VG_CHECK(&pubkey, sizeof(pubkey));
5439  CHECK(ecount == 0);
5440  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5441  CHECK(ecount == 1);
5442  }
5443  /* Length two claimed, fail, zeroize, no illegal arg error. */
5444  for (i = 0; i < 65536 ; i++) {
5445  memset(&pubkey, 0xfe, sizeof(pubkey));
5446  ecount = 0;
5447  shortkey[0] = i & 255;
5448  shortkey[1] = i >> 8;
5449  VG_UNDEF(&pubkey, sizeof(pubkey));
5450  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
5451  VG_CHECK(&pubkey, sizeof(pubkey));
5452  CHECK(ecount == 0);
5453  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5454  CHECK(ecount == 1);
5455  }
5456  memset(&pubkey, 0xfe, sizeof(pubkey));
5457  ecount = 0;
5458  VG_UNDEF(&pubkey, sizeof(pubkey));
5459  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5460  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
5461  VG_CHECK(&pubkey, sizeof(pubkey));
5462  CHECK(ecount == 0);
5463  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5464  CHECK(ecount == 1);
5465  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5466  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
5467  CHECK(ecount == 2);
5468  /* NULL input string. Illegal arg and zeroize output. */
5469  memset(&pubkey, 0xfe, sizeof(pubkey));
5470  ecount = 0;
5471  VG_UNDEF(&pubkey, sizeof(pubkey));
5472  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
5473  VG_CHECK(&pubkey, sizeof(pubkey));
5474  CHECK(ecount == 1);
5475  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5476