Bitcoin Core  27.99.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #include <stdio.h>
8 #include <stdlib.h>
9 #include <string.h>
10 
11 #include <time.h>
12 
13 #ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14  #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15  #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16 #endif
17 #if defined(VERIFY) && defined(COVERAGE)
18  #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19 #endif
20 #include "secp256k1.c"
21 
22 #include "../include/secp256k1.h"
23 #include "../include/secp256k1_preallocated.h"
24 #include "testrand_impl.h"
25 #include "checkmem.h"
26 #include "testutil.h"
27 #include "util.h"
28 
29 #include "../contrib/lax_der_parsing.c"
30 #include "../contrib/lax_der_privatekey_parsing.c"
31 
32 #include "modinv32_impl.h"
33 #ifdef SECP256K1_WIDEMUL_INT128
34 #include "modinv64_impl.h"
35 #include "int128_impl.h"
36 #endif
37 
38 #define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
39 
40 static int COUNT = 64;
41 static secp256k1_context *CTX = NULL;
43 
44 static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
45  const unsigned char *p = s;
46  size_t i;
47 
48  for (i = 0; i < n; i++) {
49  if (p[i] != value) {
50  return 0;
51  }
52  }
53  return 1;
54 }
55 
56 #define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \
57  int32_t _calls_to_callback = 0; \
58  secp256k1_callback _saved_callback = ctx->callback; \
59  callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \
60  { expr_or_stmt; } \
61  ctx->callback = _saved_callback; \
62  CHECK(_calls_to_callback == 1); \
63 } while(0);
64 
65 /* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once
66  *
67  * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */
68 #define CHECK_ERROR_VOID(ctx, expr_or_stmt) \
69  CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback)
70 #define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \
71  CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback)
72 
73 /* CHECK that
74  * - expr calls the illegal callback of ctx exactly once and,
75  * - expr == 0 (or equivalently, expr == NULL)
76  *
77  * Useful for checking functions that return an integer or a pointer. */
78 #define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
79 #define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0))
80 
81 static void counting_callback_fn(const char* str, void* data) {
82  /* Dummy callback function that just counts. */
83  int32_t *p;
84  (void)str;
85  p = data;
86  CHECK(*p != INT32_MAX);
87  (*p)++;
88 }
89 
90 static void uncounting_illegal_callback_fn(const char* str, void* data) {
91  /* Dummy callback function that just counts (backwards). */
92  int32_t *p;
93  (void)str;
94  p = data;
95  CHECK(*p != INT32_MIN);
96  (*p)--;
97 }
98 
100  secp256k1_fe zero;
101  int n = secp256k1_testrand_int(m + 1);
103  if (n == 0) {
104  return;
105  }
106  secp256k1_fe_clear(&zero);
107  secp256k1_fe_negate(&zero, &zero, 0);
108  secp256k1_fe_mul_int_unchecked(&zero, n - 1);
109  secp256k1_fe_add(fe, &zero);
110 #ifdef VERIFY
111  CHECK(fe->magnitude == n);
112 #endif
113 }
114 
115 static void random_fe_test(secp256k1_fe *x) {
116  unsigned char bin[32];
117  do {
119  if (secp256k1_fe_set_b32_limit(x, bin)) {
120  return;
121  }
122  } while(1);
123 }
124 
126  do {
127  random_fe_test(fe);
128  } while(secp256k1_fe_is_zero(fe));
129 }
130 
133 }
134 
137 }
138 
141 }
142 
145 }
146 
149 }
150 
153 }
154 
156  secp256k1_fe fe;
157  do {
158  random_fe_test(&fe);
161  break;
162  }
163  } while(1);
164  ge->infinity = 0;
165 }
166 
168  secp256k1_fe z2, z3;
169  random_fe_non_zero_test(&gej->z);
170  secp256k1_fe_sqr(&z2, &gej->z);
171  secp256k1_fe_mul(&z3, &z2, &gej->z);
172  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
173  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
174  gej->infinity = ge->infinity;
175 }
176 
177 static void random_gej_test(secp256k1_gej *gej) {
178  secp256k1_ge ge;
181 }
182 
184  do {
185  unsigned char b32[32];
186  int overflow = 0;
188  secp256k1_scalar_set_b32(num, b32, &overflow);
189  if (overflow || secp256k1_scalar_is_zero(num)) {
190  continue;
191  }
192  break;
193  } while(1);
194 }
195 
197  do {
198  unsigned char b32[32];
199  int overflow = 0;
201  secp256k1_scalar_set_b32(num, b32, &overflow);
202  if (overflow || secp256k1_scalar_is_zero(num)) {
203  continue;
204  }
205  break;
206  } while(1);
207 }
208 
209 static void random_scalar_order_b32(unsigned char *b32) {
210  secp256k1_scalar num;
211  random_scalar_order(&num);
212  secp256k1_scalar_get_b32(b32, &num);
213 }
214 
215 static void run_xoshiro256pp_tests(void) {
216  {
217  size_t i;
218  /* Sanity check that we run before the actual seeding. */
219  for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
220  CHECK(secp256k1_test_state[i] == 0);
221  }
222  }
223  {
224  int i;
225  unsigned char buf32[32];
226  unsigned char seed16[16] = {
227  'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
228  'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
229  };
230  unsigned char buf32_expected[32] = {
231  0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
232  0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
233  0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
234  0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
235  };
236  secp256k1_testrand_seed(seed16);
237  for (i = 0; i < 17; i++) {
238  secp256k1_testrand256(buf32);
239  }
240  CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
241  }
242 }
243 
244 static void run_selftest_tests(void) {
245  /* Test public API */
247 }
248 
250  return a->built == b->built
251  && secp256k1_scalar_eq(&a->blind, &b->blind)
252  && secp256k1_gej_eq_var(&a->initial, &b->initial);
253 }
254 
255 static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
256  return a->declassify == b->declassify
260  && a->error_callback.fn == b->error_callback.fn
262 }
263 
265  /* Check that a context created with any of the flags in the flags array is
266  * identical to the NONE context. */
267  unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
271  int i;
272  for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
273  secp256k1_context *tmp_ctx;
275  tmp_ctx = secp256k1_context_create(flags[i]);
276  CHECK(context_eq(none_ctx, tmp_ctx));
277  secp256k1_context_destroy(tmp_ctx);
278  }
279  secp256k1_context_destroy(none_ctx);
280 }
281 
282 static void run_ec_illegal_argument_tests(void) {
283  secp256k1_pubkey pubkey;
284  secp256k1_pubkey zero_pubkey;
286  unsigned char ctmp[32];
287 
288  /* Setup */
289  memset(ctmp, 1, 32);
290  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
291 
292  /* Verify context-type checking illegal-argument errors. */
294  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
295  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
296  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
297  CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL));
298  SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
299  CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
300  SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
301  CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
302  CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
303  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
304  CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
305  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
307  CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
310  CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
311 }
312 
313 static void run_static_context_tests(int use_prealloc) {
314  /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
316 
317  {
318  unsigned char seed[32] = {0x17};
319 
320  /* Randomizing secp256k1_context_static is not supported. */
323 
324  /* Destroying or cloning secp256k1_context_static is not supported. */
325  if (use_prealloc) {
327  {
328  secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
329  CHECK(my_static_ctx != NULL);
330  memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
332  CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
333  free(my_static_ctx);
334  }
336  } else {
339  }
340  }
341 
342  {
343  /* Verify that setting and resetting illegal callback works */
344  int32_t dummy = 0;
351  }
352 }
353 
354 static void run_proper_context_tests(int use_prealloc) {
355  int32_t dummy = 0;
356  secp256k1_context *my_ctx, *my_ctx_fresh;
357  void *my_ctx_prealloc = NULL;
358  unsigned char seed[32] = {0x17};
359 
360  secp256k1_gej pubj;
361  secp256k1_ge pub;
362  secp256k1_scalar msg, key, nonce;
363  secp256k1_scalar sigr, sigs;
364 
365  /* Fresh reference context for comparison */
367 
368  if (use_prealloc) {
370  CHECK(my_ctx_prealloc != NULL);
372  } else {
374  }
375 
376  /* Randomize and reset randomization */
377  CHECK(context_eq(my_ctx, my_ctx_fresh));
378  CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
379  CHECK(!context_eq(my_ctx, my_ctx_fresh));
380  CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
381  CHECK(context_eq(my_ctx, my_ctx_fresh));
382 
383  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
387 
388  /* check if sizes for cloning are consistent */
390 
391  /*** clone and destroy all of them to make sure cloning was complete ***/
392  {
393  secp256k1_context *ctx_tmp;
394 
395  if (use_prealloc) {
396  /* clone into a non-preallocated context and then again into a new preallocated one. */
397  ctx_tmp = my_ctx;
398  my_ctx = secp256k1_context_clone(my_ctx);
399  CHECK(context_eq(ctx_tmp, my_ctx));
401 
402  free(my_ctx_prealloc);
404  CHECK(my_ctx_prealloc != NULL);
405  ctx_tmp = my_ctx;
406  my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
407  CHECK(context_eq(ctx_tmp, my_ctx));
408  secp256k1_context_destroy(ctx_tmp);
409  } else {
410  /* clone into a preallocated context and then again into a new non-preallocated one. */
411  void *prealloc_tmp;
412 
414  CHECK(prealloc_tmp != NULL);
415  ctx_tmp = my_ctx;
416  my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
417  CHECK(context_eq(ctx_tmp, my_ctx));
418  secp256k1_context_destroy(ctx_tmp);
419 
420  ctx_tmp = my_ctx;
421  my_ctx = secp256k1_context_clone(my_ctx);
422  CHECK(context_eq(ctx_tmp, my_ctx));
424  free(prealloc_tmp);
425  }
426  }
427 
428  /* Verify that the error callback makes it across the clone. */
431  /* And that it resets back to default. */
432  secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
434  CHECK(context_eq(my_ctx, my_ctx_fresh));
435 
436  /* Verify that setting and resetting illegal callback works */
439  CHECK(my_ctx->illegal_callback.data == &dummy);
440  secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
442  CHECK(my_ctx->illegal_callback.data == NULL);
443  CHECK(context_eq(my_ctx, my_ctx_fresh));
444 
445  /*** attempt to use them ***/
448  secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
449  secp256k1_ge_set_gej(&pub, &pubj);
450 
451  /* obtain a working nonce */
452  do {
454  } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
455 
456  /* try signing */
457  CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
458 
459  /* try verifying */
460  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
461 
462  /* cleanup */
463  if (use_prealloc) {
465  free(my_ctx_prealloc);
466  } else {
468  }
469  secp256k1_context_destroy(my_ctx_fresh);
470 
471  /* Defined as no-op. */
474 }
475 
476 static void run_scratch_tests(void) {
477  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
478 
479  size_t checkpoint;
480  size_t checkpoint_2;
481  secp256k1_scratch_space *scratch;
482  secp256k1_scratch_space local_scratch;
483 
484  /* Test public API */
485  scratch = secp256k1_scratch_space_create(CTX, 1000);
486  CHECK(scratch != NULL);
487 
488  /* Test internal API */
490  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
491  CHECK(scratch->alloc_size == 0);
492  CHECK(scratch->alloc_size % ALIGNMENT == 0);
493 
494  /* Allocating 500 bytes succeeds */
495  checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
496  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
497  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
498  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
499  CHECK(scratch->alloc_size != 0);
500  CHECK(scratch->alloc_size % ALIGNMENT == 0);
501 
502  /* Allocating another 501 bytes fails */
503  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
504  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
505  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
506  CHECK(scratch->alloc_size != 0);
507  CHECK(scratch->alloc_size % ALIGNMENT == 0);
508 
509  /* ...but it succeeds once we apply the checkpoint to undo it */
510  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
511  CHECK(scratch->alloc_size == 0);
513  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
514  CHECK(scratch->alloc_size != 0);
515 
516  /* try to apply a bad checkpoint */
517  checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
518  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
519  CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */
520  CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */
521 
522  /* try to use badly initialized scratch space */
524  memset(&local_scratch, 0, sizeof(local_scratch));
525  scratch = &local_scratch;
529 
530  /* Test that large integers do not wrap around in a bad way */
531  scratch = secp256k1_scratch_space_create(CTX, 1000);
532  /* Try max allocation with a large number of objects. Only makes sense if
533  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
534  * space. */
535  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
536  /* Try allocating SIZE_MAX to test wrap around which only happens if
537  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
538  * space is too small. */
539  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
541 
542  /* cleanup */
543  secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
544 }
545 
546 static void run_ctz_tests(void) {
547  static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
548  static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
549  int shift;
550  unsigned i;
551  for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
552  for (shift = 0; shift < 32; ++shift) {
553  CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
554  CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
555  }
556  }
557  for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
558  for (shift = 0; shift < 64; ++shift) {
559  CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
560  CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
561  }
562  }
563 }
564 
565 /***** HASH TESTS *****/
566 
567 static void run_sha256_known_output_tests(void) {
568  static const char *inputs[] = {
569  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
570  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
571  "For this sample, this 63-byte string will be used as input data",
572  "This is exactly 64 bytes long, not counting the terminating byte",
573  "aaaaa",
574  };
575  static const unsigned int repeat[] = {
576  1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
577  };
578  static const unsigned char outputs[][32] = {
579  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
580  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
581  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
582  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
583  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
584  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
585  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
586  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
587  {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
588  };
589  unsigned int i, ninputs;
590 
591  /* Skip last input vector for low iteration counts */
592  ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
593  CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
594 
595  for (i = 0; i < ninputs; i++) {
596  unsigned char out[32];
597  secp256k1_sha256 hasher;
598  unsigned int j;
599  /* 1. Run: simply write the input bytestrings */
600  j = repeat[i];
602  while (j > 0) {
603  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
604  j--;
605  }
606  secp256k1_sha256_finalize(&hasher, out);
607  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
608  /* 2. Run: split the input bytestrings randomly before writing */
609  if (strlen(inputs[i]) > 0) {
610  int split = secp256k1_testrand_int(strlen(inputs[i]));
612  j = repeat[i];
613  while (j > 0) {
614  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
615  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
616  j--;
617  }
618  secp256k1_sha256_finalize(&hasher, out);
619  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
620  }
621  }
622 }
623 
668 static void run_sha256_counter_tests(void) {
669  static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
670  static const secp256k1_sha256 midstates[] = {
671  {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
672  {0x00}, 0xfffc0},
673  {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
674  {0x00}, 0x1fffc0},
675  {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
676  {0x00}, 0x3fffc0},
677  {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
678  {0x00}, 0x7fffc0},
679  {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
680  {0x00}, 0xffffc0},
681  {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
682  {0x00}, 0x1ffffc0},
683  {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
684  {0x00}, 0x3ffffc0},
685  {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
686  {0x00}, 0x7ffffc0},
687  {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
688  {0x00}, 0xfffffc0},
689  {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
690  {0x00}, 0x1fffffc0},
691  {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
692  {0x00}, 0x3fffffc0},
693  {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
694  {0x00}, 0x7fffffc0},
695  {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
696  {0x00}, 0xffffffc0},
697  {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
698  {0x00}, 0x1ffffffc0},
699  };
700  static const unsigned char outputs[][32] = {
701  {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
702  {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
703  {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
704  {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
705  {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
706  {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
707  {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
708  {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
709  {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
710  {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
711  {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
712  {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
713  {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
714  {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
715  };
716  unsigned int i;
717  for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
718  unsigned char out[32];
719  secp256k1_sha256 hasher = midstates[i];
720  secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
721  secp256k1_sha256_finalize(&hasher, out);
722  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
723  }
724 }
725 
726 /* Tests for the equality of two sha256 structs. This function only produces a
727  * correct result if an integer multiple of 64 many bytes have been written
728  * into the hash functions. This function is used by some module tests. */
729 static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
730  /* Is buffer fully consumed? */
731  CHECK((sha1->bytes & 0x3F) == 0);
732 
733  CHECK(sha1->bytes == sha2->bytes);
734  CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
735 }
736 
737 static void run_hmac_sha256_tests(void) {
738  static const char *keys[6] = {
739  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
740  "\x4a\x65\x66\x65",
741  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
742  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
743  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
744  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
745  };
746  static const char *inputs[6] = {
747  "\x48\x69\x20\x54\x68\x65\x72\x65",
748  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
749  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
750  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
751  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
752  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
753  };
754  static const unsigned char outputs[6][32] = {
755  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
756  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
757  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
758  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
759  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
760  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
761  };
762  int i;
763  for (i = 0; i < 6; i++) {
764  secp256k1_hmac_sha256 hasher;
765  unsigned char out[32];
766  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
767  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
769  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
770  if (strlen(inputs[i]) > 0) {
771  int split = secp256k1_testrand_int(strlen(inputs[i]));
772  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
773  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
774  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
776  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
777  }
778  }
779 }
780 
781 static void run_rfc6979_hmac_sha256_tests(void) {
782  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
783  static const unsigned char out1[3][32] = {
784  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
785  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
786  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
787  };
788 
789  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
790  static const unsigned char out2[3][32] = {
791  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
792  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
793  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
794  };
795 
797  unsigned char out[32];
798  int i;
799 
801  for (i = 0; i < 3; i++) {
803  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
804  }
806 
808  for (i = 0; i < 3; i++) {
810  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
811  }
813 
815  for (i = 0; i < 3; i++) {
817  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
818  }
820 }
821 
822 static void run_tagged_sha256_tests(void) {
823  unsigned char tag[32] = { 0 };
824  unsigned char msg[32] = { 0 };
825  unsigned char hash32[32];
826  unsigned char hash_expected[32] = {
827  0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
828  0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
829  0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
830  0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
831  };
832 
833  /* API test */
834  CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
835  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)));
836  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)));
837  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0));
838 
839  /* Static test vector */
840  memcpy(tag, "tag", 3);
841  memcpy(msg, "msg", 3);
842  CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
843  CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
844 }
845 
846 /***** MODINV TESTS *****/
847 
848 /* Compute the modular inverse of (odd) x mod 2^64. */
849 static uint64_t modinv2p64(uint64_t x) {
850  /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
851  * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
852  * why. Start with L=0, for which it is true for every odd x that
853  * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
854  int l;
855  uint64_t w = 1;
856  CHECK(x & 1);
857  for (l = 0; l < 6; ++l) w *= (2 - w*x);
858  return w;
859 }
860 
861 
862 /* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
863  *
864  * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
865  * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
866 static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
867  uint16_t mul[32];
868  uint64_t c = 0;
869  int i, j;
870  int m_bitlen = 0;
871  int mul_bitlen = 0;
872 
873  if (b != NULL) {
874  /* Compute the product of a and b, and put it in mul. */
875  for (i = 0; i < 32; ++i) {
876  for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
877  c += (uint64_t)a[j] * b[i - j];
878  }
879  mul[i] = c & 0xFFFF;
880  c >>= 16;
881  }
882  CHECK(c == 0);
883 
884  /* compute the highest set bit in mul */
885  for (i = 511; i >= 0; --i) {
886  if ((mul[i >> 4] >> (i & 15)) & 1) {
887  mul_bitlen = i;
888  break;
889  }
890  }
891  } else {
892  /* if b==NULL, set mul=a. */
893  memcpy(mul, a, 32);
894  memset(mul + 16, 0, 32);
895  /* compute the highest set bit in mul */
896  for (i = 255; i >= 0; --i) {
897  if ((mul[i >> 4] >> (i & 15)) & 1) {
898  mul_bitlen = i;
899  break;
900  }
901  }
902  }
903 
904  if (m) {
905  /* Compute the highest set bit in m. */
906  for (i = 255; i >= 0; --i) {
907  if ((m[i >> 4] >> (i & 15)) & 1) {
908  m_bitlen = i;
909  break;
910  }
911  }
912 
913  /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
914  for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
915  uint16_t mul2[32];
916  int64_t cs;
917 
918  /* Compute mul2 = mul - m<<i. */
919  cs = 0; /* accumulator */
920  for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
921  /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
922  uint16_t sub = 0;
923  int p;
924  for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
925  int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
926  if (bitpos >= 0 && bitpos < 256) {
927  sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
928  }
929  }
930  /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
931  cs += mul[j];
932  cs -= sub;
933  mul2[j] = (cs & 0xFFFF);
934  cs >>= 16;
935  }
936  /* If remainder of subtraction is 0, set mul = mul2. */
937  if (cs == 0) {
938  memcpy(mul, mul2, sizeof(mul));
939  }
940  }
941  /* Sanity check: test that all limbs higher than m's highest are zero */
942  for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
943  CHECK(mul[i] == 0);
944  }
945  }
946  memcpy(out, mul, 32);
947 }
948 
949 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
950 static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
951  int i;
952  memset(out->v, 0, sizeof(out->v));
953  for (i = 0; i < 256; ++i) {
954  out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
955  }
956 }
957 
958 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
959 static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
960  int i;
961  memset(out, 0, 32);
962  for (i = 0; i < 256; ++i) {
963  out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
964  }
965 }
966 
967 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
969  int i;
970  for (i = 0; i < 16; ++i) {
971  int pos = secp256k1_testrand_bits(3);
972  if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
973  x->v[pos] -= 0x40000000;
974  x->v[pos + 1] += 1;
975  } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
976  x->v[pos] += 0x40000000;
977  x->v[pos + 1] -= 1;
978  }
979  }
980 }
981 
982 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
983 static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
984  uint16_t tmp[16];
987  int i, vartime, nonzero;
988 
989  uint16_to_signed30(&x, in);
990  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
991  uint16_to_signed30(&m.modulus, mod);
992 
993  /* compute 1/modulus mod 2^30 */
994  m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
995  CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
996 
997  /* Test secp256k1_jacobi32_maybe_var. */
998  if (nonzero) {
999  int jac;
1000  uint16_t sqr[16], negone[16];
1001  mulmod256(sqr, in, in, mod);
1002  uint16_to_signed30(&x, sqr);
1003  /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1004  jac = secp256k1_jacobi32_maybe_var(&x, &m);
1005  CHECK(jac == 0 || jac == 1);
1006  /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1007  * jacobi symbols if and only if (mod % 4) == 3. */
1008  negone[0] = mod[0] - 1;
1009  for (i = 1; i < 16; ++i) negone[i] = mod[i];
1010  mulmod256(sqr, sqr, negone, mod);
1011  uint16_to_signed30(&x, sqr);
1012  jac = secp256k1_jacobi32_maybe_var(&x, &m);
1013  CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1014  }
1015 
1016  uint16_to_signed30(&x, in);
1017  mutate_sign_signed30(&m.modulus);
1018  for (vartime = 0; vartime < 2; ++vartime) {
1019  /* compute inverse */
1020  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1021 
1022  /* produce output */
1023  signed30_to_uint16(out, &x);
1024 
1025  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1026  mulmod256(tmp, out, in, mod);
1027  CHECK(tmp[0] == nonzero);
1028  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1029 
1030  /* invert again */
1031  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1032 
1033  /* check if the result is equal to the input */
1034  signed30_to_uint16(tmp, &x);
1035  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1036  }
1037 }
1038 
1039 #ifdef SECP256K1_WIDEMUL_INT128
1040 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1041 static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1042  int i;
1043  memset(out->v, 0, sizeof(out->v));
1044  for (i = 0; i < 256; ++i) {
1045  out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1046  }
1047 }
1048 
1049 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1050 static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1051  int i;
1052  memset(out, 0, 32);
1053  for (i = 0; i < 256; ++i) {
1054  out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1055  }
1056 }
1057 
1058 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1059 static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1060  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1061  int i;
1062  for (i = 0; i < 8; ++i) {
1063  int pos = secp256k1_testrand_bits(2);
1064  if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1065  x->v[pos] -= (M62 + 1);
1066  x->v[pos + 1] += 1;
1067  } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1068  x->v[pos] += (M62 + 1);
1069  x->v[pos + 1] -= 1;
1070  }
1071  }
1072 }
1073 
1074 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1075 static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1076  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1077  uint16_t tmp[16];
1080  int i, vartime, nonzero;
1081 
1082  uint16_to_signed62(&x, in);
1083  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1084  uint16_to_signed62(&m.modulus, mod);
1085 
1086  /* compute 1/modulus mod 2^62 */
1087  m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1088  CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1089 
1090  /* Test secp256k1_jacobi64_maybe_var. */
1091  if (nonzero) {
1092  int jac;
1093  uint16_t sqr[16], negone[16];
1094  mulmod256(sqr, in, in, mod);
1095  uint16_to_signed62(&x, sqr);
1096  /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1097  jac = secp256k1_jacobi64_maybe_var(&x, &m);
1098  CHECK(jac == 0 || jac == 1);
1099  /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1100  * jacobi symbols if and only if (mod % 4) == 3. */
1101  negone[0] = mod[0] - 1;
1102  for (i = 1; i < 16; ++i) negone[i] = mod[i];
1103  mulmod256(sqr, sqr, negone, mod);
1104  uint16_to_signed62(&x, sqr);
1105  jac = secp256k1_jacobi64_maybe_var(&x, &m);
1106  CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1107  }
1108 
1109  uint16_to_signed62(&x, in);
1110  mutate_sign_signed62(&m.modulus);
1111  for (vartime = 0; vartime < 2; ++vartime) {
1112  /* compute inverse */
1113  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1114 
1115  /* produce output */
1116  signed62_to_uint16(out, &x);
1117 
1118  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1119  mulmod256(tmp, out, in, mod);
1120  CHECK(tmp[0] == nonzero);
1121  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1122 
1123  /* invert again */
1124  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1125 
1126  /* check if the result is equal to the input */
1127  signed62_to_uint16(tmp, &x);
1128  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1129  }
1130 }
1131 #endif
1132 
1133 /* test if a and b are coprime */
1134 static int coprime(const uint16_t* a, const uint16_t* b) {
1135  uint16_t x[16], y[16], t[16];
1136  int i;
1137  int iszero;
1138  memcpy(x, a, 32);
1139  memcpy(y, b, 32);
1140 
1141  /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1142  while (1) {
1143  iszero = 1;
1144  for (i = 0; i < 16; ++i) {
1145  if (x[i] != 0) {
1146  iszero = 0;
1147  break;
1148  }
1149  }
1150  if (iszero) break;
1151  mulmod256(t, y, NULL, x);
1152  memcpy(y, x, 32);
1153  memcpy(x, t, 32);
1154  }
1155 
1156  /* return whether y=1 */
1157  if (y[0] != 1) return 0;
1158  for (i = 1; i < 16; ++i) {
1159  if (y[i] != 0) return 0;
1160  }
1161  return 1;
1162 }
1163 
1164 static void run_modinv_tests(void) {
1165  /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1166  static const uint16_t CASES[][3][16] = {
1167  /* Test cases triggering edge cases in divsteps */
1168 
1169  /* Test case known to need 713 divsteps */
1170  {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1171  0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1172  {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1173  0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1174  {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1175  0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1176  /* Test case known to need 589 divsteps, reaching delta=-140 and
1177  delta=141. */
1178  {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1179  0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1180  {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1181  0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1182  {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1183  0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1184  /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1185  {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1186  0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1187  {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1188  0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1189  {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1190  0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1191  /* example needing 713 divsteps; delta=-2..3 */
1192  {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1193  0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1194  {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1195  0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1196  {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1197  0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1198  /* example needing 713 divsteps; delta=-2..3 */
1199  {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1200  0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1201  {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1202  0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1203  {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1204  0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1205  /* example needing 713 divsteps; delta=-2..3 */
1206  {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1207  0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1208  {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1209  0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1210  {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1211  0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1212  /* example reaching delta=-64..65; 661 divsteps */
1213  {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1214  0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1215  {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1216  0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1217  {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1218  0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1219  /* example reaching delta=-64..65; 661 divsteps */
1220  {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1221  0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1222  {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1223  0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1224  {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1225  0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1226  /* example reaching delta=-64..65; 661 divsteps */
1227  {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1228  0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1229  {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1230  0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1231  {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1232  0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1233  /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1234  {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1235  0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1236  {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1237  0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1238  {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1239  0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1240  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1241  {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1242  0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1243  {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1244  0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1245  {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1246  0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1247  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1248  {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1249  0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1250  {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1251  0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1252  {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1253  0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1254  /* example doing 446 (f,g/2) steps; 523 divsteps */
1255  {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1256  0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1257  {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1258  0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1259  {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1260  0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1261  /* example doing 446 (f,g/2) steps; 523 divsteps */
1262  {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1263  0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1264  {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1265  0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1266  {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1267  0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1268  /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1269  {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1270  0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1271  {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1272  0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1273  {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1274  0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1275  /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1276  {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1277  0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1278  {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1279  0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1280  {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1281  0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1282  /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1283  {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1284  0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1285  {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1286  0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1287  {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1288  0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1289  /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1290  {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1291  0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1292  {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1293  0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1294  {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1295  0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1296 
1297  /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1298 
1299  /* example needing 590 divsteps; delta=-5/2..7/2 */
1300  {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1301  0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1302  {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1303  0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1304  {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1305  0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1306  /* example needing 590 divsteps; delta=-3/2..5/2 */
1307  {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1308  0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1309  {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1310  0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1311  {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1312  0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1313  /* example needing 590 divsteps; delta=-3/2..5/2 */
1314  {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1315  0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1316  {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1317  0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1318  {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1319  0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1320  /* example needing 590 divsteps; delta=-5/2..7/2 */
1321  {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1322  0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1323  {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1324  0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1325  {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1326  0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1327  /* example needing 590 divsteps; delta=-3/2..5/2 */
1328  {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1329  0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1330  {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1331  0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1332  {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1333  0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1334  /* example reaching delta=-127/2..129/2; 571 divsteps */
1335  {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1336  0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1337  {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1338  0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1339  {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1340  0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1341  /* example reaching delta=-127/2..129/2; 571 divsteps */
1342  {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1343  0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1344  {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1345  0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1346  {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1347  0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1348  /* example reaching delta=-127/2..129/2; 571 divsteps */
1349  {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1350  0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1351  {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1352  0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1353  {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1354  0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1355  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1356  {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1357  0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1358  {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1359  0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1360  {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1361  0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1362  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1363  {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1364  0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1365  {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1366  0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1367  {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1368  0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1369  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1370  {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1371  0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1372  {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1373  0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1374  {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1375  0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1376  /* example doing 453 (f,g/2) steps; 514 divsteps */
1377  {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1378  0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1379  {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1380  0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1381  {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1382  0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1383  /* example doing 453 (f,g/2) steps; 514 divsteps */
1384  {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1385  0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1386  {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1387  0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1388  {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1389  0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1390  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1391  {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1392  0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1393  {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1394  0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1395  {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1396  0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1397  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1398  {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1399  0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1400  {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1401  0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1402  {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1403  0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1404  /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1405  {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1406  0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1407  {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1408  0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1409  {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1410  0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1411  /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1412  {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1413  0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1414  {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1415  0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1416  {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1417  0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1418 
1419  /* Test cases with the group order as modulus. */
1420 
1421  /* Test case with the group order as modulus, needing 635 divsteps. */
1422  {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1423  0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1424  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1425  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1426  {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1427  0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1428  /* example with group size as modulus needing 631 divsteps */
1429  {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1430  0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1431  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1432  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1433  {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1434  0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1435  /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1436  {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1437  0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1438  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1439  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1440  {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1441  0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1442  /* Test case with the group size as modulus, needing 981 divsteps with
1443  broken eta handling. */
1444  {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1445  0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1446  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1447  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1448  {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1449  0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1450  /* Test case with the group size as modulus, input = 0. */
1451  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1452  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1453  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1454  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1455  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1456  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1457  /* Test case with the group size as modulus, input = 1. */
1458  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1459  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1460  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1461  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1462  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1463  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1464  /* Test case with the group size as modulus, input = 2. */
1465  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1466  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1467  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1468  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1469  {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1470  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1471  /* Test case with the group size as modulus, input = group - 1. */
1472  {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1473  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1474  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1475  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1476  {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1477  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1478 
1479  /* Test cases with the field size as modulus. */
1480 
1481  /* Test case with the field size as modulus, needing 637 divsteps. */
1482  {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1483  0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1484  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1485  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1486  {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1487  0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1488  /* example with field size as modulus needing 637 divsteps */
1489  {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1490  0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1491  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1492  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1493  {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1494  0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1495  /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1496  {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1497  0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1498  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1499  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1500  {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1501  0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1502  /* Test case with the field size as modulus, needing 935 divsteps with
1503  broken eta handling. */
1504  {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1505  0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1506  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1507  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1508  {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1509  0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1510  /* Test case with the field size as modulus, input = 0. */
1511  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1512  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1513  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1514  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1515  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1516  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1517  /* Test case with the field size as modulus, input = 1. */
1518  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1519  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1520  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1521  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1522  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1523  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1524  /* Test case with the field size as modulus, input = 2. */
1525  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1526  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1527  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1528  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1529  {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1530  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1531  /* Test case with the field size as modulus, input = field - 1. */
1532  {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1533  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1534  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1535  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1536  {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1537  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1538 
1539  /* Selected from a large number of random inputs to reach small/large
1540  * d/e values in various configurations. */
1541  {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1542  0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1543  {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1544  0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1545  {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1546  0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1547  {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1548  0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1549  {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1550  0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1551  {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1552  0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1553  {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1554  0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1555  {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1556  0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1557  {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1558  0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1559  {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1560  0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1561  {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1562  0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1563  {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1564  0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1565  {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1566  0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1567  {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1568  0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1569  {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1570  0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1571  {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1572  0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1573  {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1574  0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1575  {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1576  0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1577  {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1578  0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1579  {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1580  0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1581  {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1582  0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1583  {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1584  0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1585  {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1586  0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1587  {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1588  0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1589  {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1590  0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1591  {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1592  0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1593  {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1594  0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1595  {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1596  0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1597  {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1598  0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1599  {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1600  0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1601  {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1602  0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1603  {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1604  0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1605  {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1606  0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1607  {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1608  0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1609  {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1610  0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1611  {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1612  0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1613  {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1614  0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1615  {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1616  0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1617  {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1618  0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1619  {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1620  0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1621  {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1622  0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1623  {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1624  0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1625  {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1626  0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1627  {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1628  0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1629  {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1630  0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1631  {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1632  0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1633  {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1634  0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1635  {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1636  0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1637  {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1638  0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1639  {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1640  0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1641  {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1642  0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1643  {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1644  0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1645  {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1646  0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1647  {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1648  0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1649  {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1650  0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1651  {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1652  0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1653  {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1654  0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1655  {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1656  0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1657  {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1658  0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1659  {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1660  0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1661  {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1662  0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1663  {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1664  0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1665  {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1666  0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1667  {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1668  0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1669  {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1670  0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1671  {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1672  0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1673  {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1674  0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1675  {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1676  0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1677  {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1678  0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1679  {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1680  0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1681  {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1682  0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1683  {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1684  0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1685  {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1686  0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1687  {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1688  0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1689  {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1690  0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1691  {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1692  0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1693  {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1694  0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1695  {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1696  0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1697  {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1698  0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1699  {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1700  0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1701  {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1702  0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1703  {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1704  0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1705  {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1706  0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1707  {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1708  0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1709  {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1710  0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1711  {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1712  0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1713  {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1714  0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1715  {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1716  0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1717  {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1718  0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1719  {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1720  0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1721  {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1722  0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1723  {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1724  0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1725  {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1726  0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1727  {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1728  0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1729  {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1730  0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1731  {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1732  0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1733  {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1734  0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1735  {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1736  0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1737  {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1738  0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1739  {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1740  0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1741  {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1742  0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1743  {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1744  0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1745  {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1746  0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1747  {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1748  0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1749  {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1750  0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1751  };
1752 
1753  int i, j, ok;
1754 
1755  /* Test known inputs/outputs */
1756  for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1757  uint16_t out[16];
1758  test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1759  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1760 #ifdef SECP256K1_WIDEMUL_INT128
1761  test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1762  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1763 #endif
1764  }
1765 
1766  for (i = 0; i < 100 * COUNT; ++i) {
1767  /* 256-bit numbers in 16-uint16_t's notation */
1768  static const uint16_t ZERO[16] = {0};
1769  uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1770  uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1771  uint16_t id[16]; /* the inverse of xd mod md */
1772 
1773  /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1774  do {
1775  /* generate random xd and md (with many subsequent 0s and 1s) */
1776  secp256k1_testrand256_test((unsigned char*)xd);
1777  secp256k1_testrand256_test((unsigned char*)md);
1778  md[0] |= 1; /* modulus must be odd */
1779  /* If modulus is 1, find another one. */
1780  ok = md[0] != 1;
1781  for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1782  mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1783  } while (!(ok && coprime(xd, md)));
1784 
1785  test_modinv32_uint16(id, xd, md);
1786 #ifdef SECP256K1_WIDEMUL_INT128
1787  test_modinv64_uint16(id, xd, md);
1788 #endif
1789 
1790  /* In a few cases, also test with input=0 */
1791  if (i < COUNT) {
1792  test_modinv32_uint16(id, ZERO, md);
1793 #ifdef SECP256K1_WIDEMUL_INT128
1794  test_modinv64_uint16(id, ZERO, md);
1795 #endif
1796  }
1797  }
1798 }
1799 
1800 /***** INT128 TESTS *****/
1801 
1802 #ifdef SECP256K1_WIDEMUL_INT128
1803 /* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1804 static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1805  int i;
1806  uint32_t carry = 0;
1807  for (i = 0; i < 16; ++i) {
1808  carry += a[i];
1809  carry += b[i];
1810  out[i] = carry;
1811  carry >>= 16;
1812  }
1813 }
1814 
1815 /* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1816 static void neg256(uint16_t* out, const uint16_t* a) {
1817  int i;
1818  uint32_t carry = 1;
1819  for (i = 0; i < 16; ++i) {
1820  carry += (uint16_t)~a[i];
1821  out[i] = carry;
1822  carry >>= 16;
1823  }
1824 }
1825 
1826 /* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1827 static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1828  uint16_t sign = sign_extend && (a[15] >> 15);
1829  int i, j;
1830  for (i = 15; i >= 0; --i) {
1831  uint16_t v = 0;
1832  for (j = 0; j < 16; ++j) {
1833  int frompos = i*16 + j + n;
1834  if (frompos >= 256) {
1835  v |= sign << j;
1836  } else {
1837  v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1838  }
1839  }
1840  out[i] = v;
1841  }
1842 }
1843 
1844 /* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1845 static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1846  int i;
1847  uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1848  for (i = 0; i < 4; ++i) {
1849  out[i] = v >> (16 * i);
1850  }
1851  for (i = 4; i < 16; ++i) {
1852  out[i] = sign;
1853  }
1854 }
1855 
1856 /* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1857 static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1858  int i;
1859  uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1860  for (i = 0; i < 4; ++i) {
1861  out[i] = lo >> (16 * i);
1862  }
1863  for (i = 4; i < 8; ++i) {
1864  out[i] = hi >> (16 * (i - 4));
1865  }
1866  for (i = 8; i < 16; ++i) {
1867  out[i] = sign;
1868  }
1869 }
1870 
1871 /* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1872 static int int256is127(const uint16_t* v) {
1873  int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1874  int i;
1875  for (i = 8; i < 16; ++i) {
1876  if (v[i] != 0) all_0 = 0;
1877  if (v[i] != 0xffff) all_1 = 0;
1878  }
1879  return all_0 || all_1;
1880 }
1881 
1882 static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1883  uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1884  load256two64(out, hi, lo, 0);
1885 }
1886 
1887 static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1888  uint64_t lo;
1889  int64_t hi;
1890  secp256k1_int128 c = *v;
1891  lo = secp256k1_i128_to_u64(&c);
1892  secp256k1_i128_rshift(&c, 64);
1893  hi = secp256k1_i128_to_i64(&c);
1894  load256two64(out, hi, lo, 1);
1895 }
1896 
1897 static void run_int128_test_case(void) {
1898  unsigned char buf[32];
1899  uint64_t v[4];
1900  secp256k1_int128 swa, swz;
1901  secp256k1_uint128 uwa, uwz;
1902  uint64_t ub, uc;
1903  int64_t sb, sc;
1904  uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1905  uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1906  int i;
1907 
1908  /* Generate 32-byte random value. */
1910  /* Convert into 4 64-bit integers. */
1911  for (i = 0; i < 4; ++i) {
1912  uint64_t vi = 0;
1913  int j;
1914  for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1915  v[i] = vi;
1916  }
1917  /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1918  secp256k1_u128_load(&uwa, v[1], v[0]);
1919  secp256k1_i128_load(&swa, v[1], v[0]);
1920  ub = v[2];
1921  sb = v[2];
1922  uc = v[3];
1923  sc = v[3];
1924  /* Load those also into 16-bit array representations. */
1925  load256u128(ruwa, &uwa);
1926  load256i128(rswa, &swa);
1927  load256u64(rub, ub, 0);
1928  load256u64(rsb, sb, 1);
1929  load256u64(ruc, uc, 0);
1930  load256u64(rsc, sc, 1);
1931  /* test secp256k1_u128_mul */
1932  mulmod256(ruwr, rub, ruc, NULL);
1933  secp256k1_u128_mul(&uwz, ub, uc);
1934  load256u128(ruwz, &uwz);
1935  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1936  /* test secp256k1_u128_accum_mul */
1937  mulmod256(ruwr, rub, ruc, NULL);
1938  add256(ruwr, ruwr, ruwa);
1939  uwz = uwa;
1940  secp256k1_u128_accum_mul(&uwz, ub, uc);
1941  load256u128(ruwz, &uwz);
1942  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1943  /* test secp256k1_u128_accum_u64 */
1944  add256(ruwr, rub, ruwa);
1945  uwz = uwa;
1946  secp256k1_u128_accum_u64(&uwz, ub);
1947  load256u128(ruwz, &uwz);
1948  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1949  /* test secp256k1_u128_rshift */
1950  rshift256(ruwr, ruwa, uc % 128, 0);
1951  uwz = uwa;
1952  secp256k1_u128_rshift(&uwz, uc % 128);
1953  load256u128(ruwz, &uwz);
1954  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1955  /* test secp256k1_u128_to_u64 */
1956  CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1957  /* test secp256k1_u128_hi_u64 */
1958  CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1959  /* test secp256k1_u128_from_u64 */
1960  secp256k1_u128_from_u64(&uwz, ub);
1961  load256u128(ruwz, &uwz);
1962  CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1963  /* test secp256k1_u128_check_bits */
1964  {
1965  int uwa_bits = 0;
1966  int j;
1967  for (j = 0; j < 128; ++j) {
1968  if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
1969  }
1970  for (j = 0; j < 128; ++j) {
1971  CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
1972  }
1973  }
1974  /* test secp256k1_i128_mul */
1975  mulmod256(rswr, rsb, rsc, NULL);
1976  secp256k1_i128_mul(&swz, sb, sc);
1977  load256i128(rswz, &swz);
1978  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1979  /* test secp256k1_i128_accum_mul */
1980  mulmod256(rswr, rsb, rsc, NULL);
1981  add256(rswr, rswr, rswa);
1982  if (int256is127(rswr)) {
1983  swz = swa;
1984  secp256k1_i128_accum_mul(&swz, sb, sc);
1985  load256i128(rswz, &swz);
1986  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1987  }
1988  /* test secp256k1_i128_det */
1989  {
1990  uint16_t rsd[16], rse[16], rst[32];
1991  int64_t sd = v[0], se = v[1];
1992  load256u64(rsd, sd, 1);
1993  load256u64(rse, se, 1);
1994  mulmod256(rst, rsc, rsd, NULL);
1995  neg256(rst, rst);
1996  mulmod256(rswr, rsb, rse, NULL);
1997  add256(rswr, rswr, rst);
1998  secp256k1_i128_det(&swz, sb, sc, sd, se);
1999  load256i128(rswz, &swz);
2000  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2001  }
2002  /* test secp256k1_i128_rshift */
2003  rshift256(rswr, rswa, uc % 127, 1);
2004  swz = swa;
2005  secp256k1_i128_rshift(&swz, uc % 127);
2006  load256i128(rswz, &swz);
2007  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2008  /* test secp256k1_i128_to_u64 */
2009  CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
2010  /* test secp256k1_i128_from_i64 */
2011  secp256k1_i128_from_i64(&swz, sb);
2012  load256i128(rswz, &swz);
2013  CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
2014  /* test secp256k1_i128_to_i64 */
2015  CHECK(secp256k1_i128_to_i64(&swz) == sb);
2016  /* test secp256k1_i128_eq_var */
2017  {
2018  int expect = (uc & 1);
2019  swz = swa;
2020  if (!expect) {
2021  /* Make sure swz != swa */
2022  uint64_t v0c = v[0], v1c = v[1];
2023  if (ub & 64) {
2024  v1c ^= (((uint64_t)1) << (ub & 63));
2025  } else {
2026  v0c ^= (((uint64_t)1) << (ub & 63));
2027  }
2028  secp256k1_i128_load(&swz, v1c, v0c);
2029  }
2030  CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
2031  }
2032  /* test secp256k1_i128_check_pow2 (sign == 1) */
2033  {
2034  int expect = (uc & 1);
2035  int pos = ub % 127;
2036  if (expect) {
2037  /* If expect==1, set swz to exactly 2^pos. */
2038  uint64_t hi = 0;
2039  uint64_t lo = 0;
2040  if (pos >= 64) {
2041  hi = (((uint64_t)1) << (pos & 63));
2042  } else {
2043  lo = (((uint64_t)1) << (pos & 63));
2044  }
2045  secp256k1_i128_load(&swz, hi, lo);
2046  } else {
2047  /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
2048  if (pos >= 64) {
2049  if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
2050  } else {
2051  if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
2052  }
2053  swz = swa;
2054  }
2055  CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
2056  }
2057  /* test secp256k1_i128_check_pow2 (sign == -1) */
2058  {
2059  int expect = (uc & 1);
2060  int pos = ub % 127;
2061  if (expect) {
2062  /* If expect==1, set swz to exactly -2^pos. */
2063  uint64_t hi = ~(uint64_t)0;
2064  uint64_t lo = ~(uint64_t)0;
2065  if (pos >= 64) {
2066  hi <<= (pos & 63);
2067  lo = 0;
2068  } else {
2069  lo <<= (pos & 63);
2070  }
2071  secp256k1_i128_load(&swz, hi, lo);
2072  } else {
2073  /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
2074  if (pos >= 64) {
2075  if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
2076  } else {
2077  if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
2078  }
2079  swz = swa;
2080  }
2081  CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
2082  }
2083 }
2084 
2085 static void run_int128_tests(void) {
2086  { /* secp256k1_u128_accum_mul */
2087  secp256k1_uint128 res;
2088 
2089  /* Check secp256k1_u128_accum_mul overflow */
2090  secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
2091  secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
2092  CHECK(secp256k1_u128_to_u64(&res) == 2);
2093  CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
2094  }
2095  { /* secp256k1_u128_accum_mul */
2096  secp256k1_int128 res;
2097 
2098  /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
2099  secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
2100  secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
2101  CHECK(secp256k1_i128_to_u64(&res) == 2);
2102  secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
2103  secp256k1_i128_accum_mul(&res, 1, 1);
2104  CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2105  secp256k1_i128_rshift(&res, 64);
2106  CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2107 
2108  /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2109  secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2110  CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2111  secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2112  CHECK(secp256k1_i128_to_u64(&res) == 0);
2113  secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2114  CHECK(secp256k1_i128_to_u64(&res) == 0);
2115  secp256k1_i128_rshift(&res, 64);
2116  CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2117  }
2118  {
2119  /* Randomized tests. */
2120  int i;
2121  for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2122  }
2123 }
2124 #endif
2125 
2126 /***** SCALAR TESTS *****/
2127 
2128 static void scalar_test(void) {
2129  secp256k1_scalar s;
2130  secp256k1_scalar s1;
2131  secp256k1_scalar s2;
2132  unsigned char c[32];
2133 
2134  /* Set 's' to a random scalar, with value 'snum'. */
2136 
2137  /* Set 's1' to a random scalar, with value 's1num'. */
2139 
2140  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2142  secp256k1_scalar_get_b32(c, &s2);
2143 
2144  {
2145  int i;
2146  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2147  secp256k1_scalar n;
2148  secp256k1_scalar_set_int(&n, 0);
2149  for (i = 0; i < 256; i += 4) {
2151  int j;
2152  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
2153  for (j = 0; j < 4; j++) {
2154  secp256k1_scalar_add(&n, &n, &n);
2155  }
2156  secp256k1_scalar_add(&n, &n, &t);
2157  }
2158  CHECK(secp256k1_scalar_eq(&n, &s));
2159  }
2160 
2161  {
2162  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2163  secp256k1_scalar n;
2164  int i = 0;
2165  secp256k1_scalar_set_int(&n, 0);
2166  while (i < 256) {
2168  int j;
2169  int now = secp256k1_testrand_int(15) + 1;
2170  if (now + i > 256) {
2171  now = 256 - i;
2172  }
2173  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
2174  for (j = 0; j < now; j++) {
2175  secp256k1_scalar_add(&n, &n, &n);
2176  }
2177  secp256k1_scalar_add(&n, &n, &t);
2178  i += now;
2179  }
2180  CHECK(secp256k1_scalar_eq(&n, &s));
2181  }
2182 
2183  {
2184  /* Test commutativity of add. */
2185  secp256k1_scalar r1, r2;
2186  secp256k1_scalar_add(&r1, &s1, &s2);
2187  secp256k1_scalar_add(&r2, &s2, &s1);
2188  CHECK(secp256k1_scalar_eq(&r1, &r2));
2189  }
2190 
2191  {
2192  secp256k1_scalar r1, r2;
2193  secp256k1_scalar b;
2194  int i;
2195  /* Test add_bit. */
2196  int bit = secp256k1_testrand_bits(8);
2197  secp256k1_scalar_set_int(&b, 1);
2199  for (i = 0; i < bit; i++) {
2200  secp256k1_scalar_add(&b, &b, &b);
2201  }
2202  r1 = s1;
2203  r2 = s1;
2204  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2205  /* No overflow happened. */
2206  secp256k1_scalar_cadd_bit(&r2, bit, 1);
2207  CHECK(secp256k1_scalar_eq(&r1, &r2));
2208  /* cadd is a noop when flag is zero */
2209  secp256k1_scalar_cadd_bit(&r2, bit, 0);
2210  CHECK(secp256k1_scalar_eq(&r1, &r2));
2211  }
2212  }
2213 
2214  {
2215  /* Test commutativity of mul. */
2216  secp256k1_scalar r1, r2;
2217  secp256k1_scalar_mul(&r1, &s1, &s2);
2218  secp256k1_scalar_mul(&r2, &s2, &s1);
2219  CHECK(secp256k1_scalar_eq(&r1, &r2));
2220  }
2221 
2222  {
2223  /* Test associativity of add. */
2224  secp256k1_scalar r1, r2;
2225  secp256k1_scalar_add(&r1, &s1, &s2);
2226  secp256k1_scalar_add(&r1, &r1, &s);
2227  secp256k1_scalar_add(&r2, &s2, &s);
2228  secp256k1_scalar_add(&r2, &s1, &r2);
2229  CHECK(secp256k1_scalar_eq(&r1, &r2));
2230  }
2231 
2232  {
2233  /* Test associativity of mul. */
2234  secp256k1_scalar r1, r2;
2235  secp256k1_scalar_mul(&r1, &s1, &s2);
2236  secp256k1_scalar_mul(&r1, &r1, &s);
2237  secp256k1_scalar_mul(&r2, &s2, &s);
2238  secp256k1_scalar_mul(&r2, &s1, &r2);
2239  CHECK(secp256k1_scalar_eq(&r1, &r2));
2240  }
2241 
2242  {
2243  /* Test distributitivity of mul over add. */
2244  secp256k1_scalar r1, r2, t;
2245  secp256k1_scalar_add(&r1, &s1, &s2);
2246  secp256k1_scalar_mul(&r1, &r1, &s);
2247  secp256k1_scalar_mul(&r2, &s1, &s);
2248  secp256k1_scalar_mul(&t, &s2, &s);
2249  secp256k1_scalar_add(&r2, &r2, &t);
2250  CHECK(secp256k1_scalar_eq(&r1, &r2));
2251  }
2252 
2253  {
2254  /* Test multiplicative identity. */
2255  secp256k1_scalar r1;
2257  CHECK(secp256k1_scalar_eq(&r1, &s1));
2258  }
2259 
2260  {
2261  /* Test additive identity. */
2262  secp256k1_scalar r1;
2264  CHECK(secp256k1_scalar_eq(&r1, &s1));
2265  }
2266 
2267  {
2268  /* Test zero product property. */
2269  secp256k1_scalar r1;
2272  }
2273 
2274  {
2275  /* Test halving. */
2276  secp256k1_scalar r;
2277  secp256k1_scalar_add(&r, &s, &s);
2278  secp256k1_scalar_half(&r, &r);
2279  CHECK(secp256k1_scalar_eq(&r, &s));
2280  }
2281 }
2282 
2284  unsigned char b32[32];
2285  secp256k1_scalar s1;
2286  secp256k1_scalar s2;
2287 
2288  /* Usually set_b32 and set_b32_seckey give the same result */
2290  secp256k1_scalar_set_b32(&s1, b32, NULL);
2291  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2292  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2293 
2294  memset(b32, 0, sizeof(b32));
2295  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2296  memset(b32, 0xFF, sizeof(b32));
2297  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2298 }
2299 
2300 static void run_scalar_tests(void) {
2301  int i;
2302  for (i = 0; i < 128 * COUNT; i++) {
2303  scalar_test();
2304  }
2305  for (i = 0; i < COUNT; i++) {
2307  }
2308 
2309  {
2310  /* Check that the scalar constants secp256k1_scalar_zero and
2311  secp256k1_scalar_one contain the expected values. */
2312  secp256k1_scalar zero, one;
2313 
2315  secp256k1_scalar_set_int(&zero, 0);
2317 
2319  secp256k1_scalar_set_int(&one, 1);
2321  }
2322 
2323  {
2324  /* (-1)+1 should be zero. */
2325  secp256k1_scalar o;
2329  secp256k1_scalar_negate(&o, &o);
2331  }
2332 
2333  {
2334  /* Test that halving and doubling roundtrips on some fixed values. */
2335  static const secp256k1_scalar HALF_TESTS[] = {
2336  /* 0 */
2337  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2338  /* 1 */
2339  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2340  /* -1 */
2341  SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul),
2342  /* -2 (largest odd value) */
2343  SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful),
2344  /* Half the secp256k1 order */
2345  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul),
2346  /* Half the secp256k1 order + 1 */
2347  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul),
2348  /* 2^255 */
2349  SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0),
2350  /* 2^255 - 1 */
2351  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful),
2352  };
2353  unsigned n;
2354  for (n = 0; n < sizeof(HALF_TESTS) / sizeof(HALF_TESTS[0]); ++n) {
2355  secp256k1_scalar s;
2356  secp256k1_scalar_half(&s, &HALF_TESTS[n]);
2357  secp256k1_scalar_add(&s, &s, &s);
2358  CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2359  secp256k1_scalar_add(&s, &s, &s);
2360  secp256k1_scalar_half(&s, &s);
2361  CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2362  }
2363  }
2364 
2365  {
2366  /* Does check_overflow check catch all ones? */
2367  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2368  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2369  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2370  );
2371  CHECK(secp256k1_scalar_check_overflow(&overflowed));
2372  }
2373 
2374  {
2375  /* Static test vectors.
2376  * These were reduced from ~10^12 random vectors based on comparison-decision
2377  * and edge-case coverage on 32-bit and 64-bit implementations.
2378  * The responses were generated with Sage 5.9.
2379  */
2380  secp256k1_scalar x;
2381  secp256k1_scalar y;
2382  secp256k1_scalar z;
2383  secp256k1_scalar zz;
2384  secp256k1_scalar r1;
2385  secp256k1_scalar r2;
2386  secp256k1_scalar zzv;
2387  int overflow;
2388  unsigned char chal[33][2][32] = {
2389  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2390  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2391  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2392  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2393  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2394  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2395  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2396  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2397  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2398  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2399  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2400  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2401  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2402  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2403  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2404  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2405  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2406  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2407  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2408  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2409  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2410  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2411  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2412  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2413  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2414  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2415  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2416  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2417  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2418  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2419  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2420  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2421  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2422  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2423  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2424  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2425  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2426  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2427  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2428  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2429  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2430  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2431  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2432  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2433  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2434  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2435  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2436  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2437  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2438  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2439  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2440  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2441  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2442  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2443  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2444  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2445  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2446  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2447  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2448  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2449  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2450  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2451  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2452  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2453  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2454  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2455  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2456  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2457  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2458  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2459  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2460  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2461  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2462  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2463  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2464  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2465  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2466  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2467  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2468  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2469  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2470  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2471  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2472  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2473  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2474  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2475  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2476  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2477  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2478  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2479  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2480  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2481  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2482  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2483  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2484  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2485  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2486  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2487  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2488  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2489  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2490  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2491  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2492  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2493  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2494  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2495  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2496  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2497  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2498  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2499  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2500  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2501  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2502  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2503  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2504  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2505  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2506  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2507  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2508  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2509  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2510  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2511  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2512  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2513  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2514  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2515  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2516  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2517  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2518  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2519  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2520  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2521  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2522  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2523  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2524  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2525  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2526  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2527  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2528  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2529  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2530  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2531  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2532  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2533  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2534  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2535  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2536  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2537  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2538  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2539  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2540  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2541  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2542  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2543  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2544  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2545  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2546  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2547  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2548  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2549  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2550  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2551  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2552  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2553  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2554  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2555  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2556  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2557  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2558  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2559  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2560  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2561  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2562  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2563  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2564  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2565  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2566  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2567  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2568  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2569  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2570  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2571  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2572  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2573  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2574  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2575  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2576  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2577  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2578  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2579  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2580  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2581  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2582  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2583  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2584  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2585  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2586  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2587  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2588  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2589  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2590  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2591  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2592  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2593  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2594  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2595  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2596  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2597  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2598  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2599  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2600  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2601  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2602  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2603  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2604  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2605  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2606  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2607  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2608  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2609  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2610  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2611  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2612  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2613  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2614  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2615  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2616  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2617  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2618  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2619  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2620  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2621  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2622  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2623  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2624  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2625  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2626  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2627  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2628  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2629  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2630  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2631  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2632  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2633  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2634  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2635  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2636  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2637  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2638  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2639  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2640  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2641  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2642  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2643  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2644  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2645  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2646  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2647  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2648  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2649  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2650  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2651  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2652  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2653  };
2654  unsigned char res[33][2][32] = {
2655  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2656  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2657  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2658  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2659  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2660  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2661  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2662  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2663  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2664  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2665  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2666  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2667  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2668  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2669  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2670  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2671  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2672  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2673  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2674  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2675  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2676  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2677  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2678  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2679  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2680  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2681  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2682  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2683  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2684  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2685  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2686  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2687  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2688  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2689  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2690  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2691  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2692  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2693  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2694  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2695  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2696  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2697  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2698  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2699  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2700  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2701  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2702  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2703  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2704  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2705  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2706  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2707  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2708  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2709  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2710  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2711  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2712  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2713  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2714  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2715  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2716  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2717  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2718  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2719  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2720  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2721  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2722  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2723  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2724  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2725  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2726  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2727  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2728  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2729  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2730  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2731  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2732  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2733  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2734  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2735  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2736  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2737  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2738  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2739  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2740  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2741  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2742  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2743  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2744  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2745  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2746  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2747  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2748  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2749  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2750  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2751  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2752  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2753  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2754  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2755  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2756  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2757  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2758  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2759  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2760  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2761  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2762  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2763  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2764  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2765  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2766  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2767  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2768  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2769  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2770  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2771  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2772  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2773  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2774  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2775  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2776  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2777  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2778  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2779  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2780  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2781  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2782  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2783  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2784  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2785  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2786  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2787  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2788  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2789  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2790  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2791  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2792  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2793  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2794  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2795  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2796  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2797  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2798  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2799  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2800  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2801  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2802  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2803  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2804  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2805  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2806  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2807  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2808  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2809  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2810  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2811  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2812  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2813  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2814  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2815  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2816  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2817  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2818  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2819  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2820  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2821  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2822  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2823  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2824  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2825  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2826  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2827  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2828  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2829  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2830  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2831  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2832  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2833  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2834  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2835  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2836  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2837  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2838  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2839  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2840  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2841  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2842  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2843  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2844  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2845  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2846  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2847  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2848  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2849  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2850  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2851  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2852  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2853  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2854  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2855  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2856  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2857  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2858  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2859  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2860  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2861  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2862  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2863  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2864  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2865  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2866  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2867  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2868  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2869  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2870  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2871  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2872  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2873  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2874  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2875  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2876  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2877  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2878  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2879  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2880  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2881  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2882  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2883  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2884  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2885  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2886  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2887  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2888  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2889  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2890  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2891  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2892  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2893  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2894  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2895  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2896  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2897  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2898  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2899  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2900  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2901  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2902  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2903  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2904  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2905  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2906  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2907  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2908  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2909  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2910  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2911  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2912  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2913  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2914  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2915  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2916  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2917  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2918  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2919  };
2920  for (i = 0; i < 33; i++) {
2921  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2922  CHECK(!overflow);
2923  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2924  CHECK(!overflow);
2925  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2926  CHECK(!overflow);
2927  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2928  CHECK(!overflow);
2929  secp256k1_scalar_mul(&z, &x, &y);
2930  CHECK(secp256k1_scalar_eq(&r1, &z));
2931  if (!secp256k1_scalar_is_zero(&y)) {
2932  secp256k1_scalar_inverse(&zz, &y);
2933  secp256k1_scalar_inverse_var(&zzv, &y);
2934  CHECK(secp256k1_scalar_eq(&zzv, &zz));
2935  secp256k1_scalar_mul(&z, &z, &zz);
2936  CHECK(secp256k1_scalar_eq(&x, &z));
2937  secp256k1_scalar_mul(&zz, &zz, &y);
2939  }
2940  secp256k1_scalar_mul(&z, &x, &x);
2941  CHECK(secp256k1_scalar_eq(&r2, &z));
2942  }
2943  }
2944 }
2945 
2946 /***** FIELD TESTS *****/
2947 
2949  secp256k1_fe r;
2950  random_fe_non_zero(ns);
2951  if (secp256k1_fe_sqrt(&r, ns)) {
2952  secp256k1_fe_negate(ns, ns, 1);
2953  }
2954 }
2955 
2956 static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2957  secp256k1_fe an = *a;
2958  secp256k1_fe bn = *b;
2960  return secp256k1_fe_equal(&an, &bn);
2961 }
2962 
2963 static void run_field_convert(void) {
2964  static const unsigned char b32[32] = {
2965  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2966  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2967  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2968  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2969  };
2971  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2972  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2973  );
2974  static const secp256k1_fe fe = SECP256K1_FE_CONST(
2975  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2976  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2977  );
2978  secp256k1_fe fe2;
2979  unsigned char b322[32];
2980  secp256k1_fe_storage fes2;
2981  /* Check conversions to fe. */
2982  CHECK(secp256k1_fe_set_b32_limit(&fe2, b32));
2983  CHECK(secp256k1_fe_equal(&fe, &fe2));
2984  secp256k1_fe_from_storage(&fe2, &fes);
2985  CHECK(secp256k1_fe_equal(&fe, &fe2));
2986  /* Check conversion from fe. */
2987  secp256k1_fe_get_b32(b322, &fe);
2988  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2989  secp256k1_fe_to_storage(&fes2, &fe);
2990  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2991 }
2992 
2993 static void run_field_be32_overflow(void) {
2994  {
2995  static const unsigned char zero_overflow[32] = {
2996  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2997  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2998  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2999  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
3000  };
3001  static const unsigned char zero[32] = { 0x00 };
3002  unsigned char out[32];
3003  secp256k1_fe fe;
3004  CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
3005  secp256k1_fe_set_b32_mod(&fe, zero_overflow);
3008  CHECK(secp256k1_fe_is_zero(&fe) == 1);
3009  secp256k1_fe_get_b32(out, &fe);
3010  CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
3011  }
3012  {
3013  static const unsigned char one_overflow[32] = {
3014  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3015  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3016  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3017  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
3018  };
3019  static const unsigned char one[32] = {
3020  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3021  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3022  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3023  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3024  };
3025  unsigned char out[32];
3026  secp256k1_fe fe;
3027  CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
3028  secp256k1_fe_set_b32_mod(&fe, one_overflow);
3031  secp256k1_fe_get_b32(out, &fe);
3032  CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
3033  }
3034  {
3035  static const unsigned char ff_overflow[32] = {
3036  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3037  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3038  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3039  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3040  };
3041  static const unsigned char ff[32] = {
3042  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3043  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3044  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3045  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
3046  };
3047  unsigned char out[32];
3048  secp256k1_fe fe;
3049  const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
3050  CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
3051  secp256k1_fe_set_b32_mod(&fe, ff_overflow);
3053  CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
3054  secp256k1_fe_get_b32(out, &fe);
3055  CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
3056  }
3057 }
3058 
3059 /* Returns true if two field elements have the same representation. */
3060 static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
3061  int ret = 1;
3062  /* Compare the struct member that holds the limbs. */
3063  ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
3064  return ret;
3065 }
3066 
3067 static void run_field_half(void) {
3068  secp256k1_fe t, u;
3069  int m;
3070 
3071  /* Check magnitude 0 input */
3073  secp256k1_fe_half(&t);
3074 #ifdef VERIFY
3075  CHECK(t.magnitude == 1);
3076  CHECK(t.normalized == 0);
3077 #endif
3079 
3080  /* Check non-zero magnitudes in the supported range */
3081  for (m = 1; m < 32; m++) {
3082  /* Check max-value input */
3084 
3085  u = t;
3086  secp256k1_fe_half(&u);
3087 #ifdef VERIFY
3088  CHECK(u.magnitude == (m >> 1) + 1);
3089  CHECK(u.normalized == 0);
3090 #endif
3092  secp256k1_fe_add(&u, &u);
3093  CHECK(fe_equal(&t, &u));
3094 
3095  /* Check worst-case input: ensure the LSB is 1 so that P will be added,
3096  * which will also cause all carries to be 1, since all limbs that can
3097  * generate a carry are initially even and all limbs of P are odd in
3098  * every existing field implementation. */
3100  CHECK(t.n[0] > 0);
3101  CHECK((t.n[0] & 1) == 0);
3102  --t.n[0];
3103 
3104  u = t;
3105  secp256k1_fe_half(&u);
3106 #ifdef VERIFY
3107  CHECK(u.magnitude == (m >> 1) + 1);
3108  CHECK(u.normalized == 0);
3109 #endif
3111  secp256k1_fe_add(&u, &u);
3112  CHECK(fe_equal(&t, &u));
3113  }
3114 }
3115 
3116 static void run_field_misc(void) {
3117  secp256k1_fe x;
3118  secp256k1_fe y;
3119  secp256k1_fe z;
3120  secp256k1_fe q;
3121  int v;
3122  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3123  int i, j;
3124  for (i = 0; i < 1000 * COUNT; i++) {
3125  secp256k1_fe_storage xs, ys, zs;
3126  if (i & 1) {
3127  random_fe(&x);
3128  } else {
3129  random_fe_test(&x);
3130  }
3131  random_fe_non_zero(&y);
3132  v = secp256k1_testrand_bits(15);
3133  /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3134  secp256k1_fe_set_int(&q, v); /* q = v */
3135  z = x; /* z = x */
3136  secp256k1_fe_add(&z, &q); /* z = x+v */
3137  q = x; /* q = x */
3138  secp256k1_fe_add_int(&q, v); /* q = x+v */
3139  CHECK(fe_equal(&q, &z));
3140  /* Test the fe equality and comparison operations. */
3141  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3142  CHECK(secp256k1_fe_equal(&x, &x));
3143  z = x;
3144  secp256k1_fe_add(&z,&y);
3145  /* Test fe conditional move; z is not normalized here. */
3146  q = x;
3147  secp256k1_fe_cmov(&x, &z, 0);
3148 #ifdef VERIFY
3149  CHECK(!x.normalized);
3150  CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3151  CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3152 #endif
3153  x = q;
3154  secp256k1_fe_cmov(&x, &x, 1);
3155  CHECK(!fe_identical(&x, &z));
3156  CHECK(fe_identical(&x, &q));
3157  secp256k1_fe_cmov(&q, &z, 1);
3158 #ifdef VERIFY
3159  CHECK(!q.normalized);
3160  CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3161  CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3162 #endif
3163  CHECK(fe_identical(&q, &z));
3164  q = z;
3167  CHECK(!secp256k1_fe_equal(&x, &z));
3169  secp256k1_fe_cmov(&q, &z, (i&1));
3170 #ifdef VERIFY
3171  CHECK(q.normalized && q.magnitude == 1);
3172 #endif
3173  for (j = 0; j < 6; j++) {
3174  secp256k1_fe_negate_unchecked(&z, &z, j+1);
3176  secp256k1_fe_cmov(&q, &z, (j&1));
3177 #ifdef VERIFY
3178  CHECK(!q.normalized && q.magnitude == z.magnitude);
3179 #endif
3180  }
3182  /* Test storage conversion and conditional moves. */
3183  secp256k1_fe_to_storage(&xs, &x);
3184  secp256k1_fe_to_storage(&ys, &y);
3185  secp256k1_fe_to_storage(&zs, &z);
3186  secp256k1_fe_storage_cmov(&zs, &xs, 0);
3187  secp256k1_fe_storage_cmov(&zs, &zs, 1);
3188  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3189  secp256k1_fe_storage_cmov(&ys, &xs, 1);
3190  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3191  secp256k1_fe_from_storage(&x, &xs);
3192  secp256k1_fe_from_storage(&y, &ys);
3193  secp256k1_fe_from_storage(&z, &zs);
3194  /* Test that mul_int, mul, and add agree. */
3195  secp256k1_fe_add(&y, &x);
3196  secp256k1_fe_add(&y, &x);
3197  z = x;
3198  secp256k1_fe_mul_int(&z, 3);
3199  CHECK(fe_equal(&y, &z));
3200  secp256k1_fe_add(&y, &x);
3201  secp256k1_fe_add(&z, &x);
3202  CHECK(fe_equal(&z, &y));
3203  z = x;
3204  secp256k1_fe_mul_int(&z, 5);
3205  secp256k1_fe_mul(&q, &x, &fe5);
3206  CHECK(fe_equal(&z, &q));
3207  secp256k1_fe_negate(&x, &x, 1);
3208  secp256k1_fe_add(&z, &x);
3209  secp256k1_fe_add(&q, &x);
3210  CHECK(fe_equal(&y, &z));
3211  CHECK(fe_equal(&q, &y));
3212  /* Check secp256k1_fe_half. */
3213  z = x;
3214  secp256k1_fe_half(&z);
3215  secp256k1_fe_add(&z, &z);
3216  CHECK(fe_equal(&x, &z));
3217  secp256k1_fe_add(&z, &z);
3218  secp256k1_fe_half(&z);
3219  CHECK(fe_equal(&x, &z));
3220  }
3221 }
3222 
3223 static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3224 {
3225  secp256k1_fe c, an, bn;
3226  /* Variables in BE 32-byte format. */
3227  unsigned char a32[32], b32[32], c32[32];
3228  /* Variables in LE 16x uint16_t format. */
3229  uint16_t a16[16], b16[16], c16[16];
3230  /* Field modulus in LE 16x uint16_t format. */
3231  static const uint16_t m16[16] = {
3232  0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3233  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3234  };
3235  uint16_t t16[32];
3236  int i;
3237 
3238  /* Compute C = A * B in fe format. */
3239  c = *a;
3240  if (use_sqr) {
3241  secp256k1_fe_sqr(&c, &c);
3242  } else {
3243  secp256k1_fe_mul(&c, &c, b);
3244  }
3245 
3246  /* Convert A, B, C into LE 16x uint16_t format. */
3247  an = *a;
3248  bn = *b;
3252  secp256k1_fe_get_b32(a32, &an);
3253  secp256k1_fe_get_b32(b32, &bn);
3254  secp256k1_fe_get_b32(c32, &c);
3255  for (i = 0; i < 16; ++i) {
3256  a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3257  b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3258  c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3259  }
3260  /* Compute T = A * B in LE 16x uint16_t format. */
3261  mulmod256(t16, a16, b16, m16);
3262  /* Compare */
3263  CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3264 }
3265 
3266 static void run_fe_mul(void) {
3267  int i;
3268  for (i = 0; i < 100 * COUNT; ++i) {
3269  secp256k1_fe a, b, c, d;
3270  random_fe(&a);
3271  random_fe_magnitude(&a);
3272  random_fe(&b);
3273  random_fe_magnitude(&b);
3274  random_fe_test(&c);
3275  random_fe_magnitude(&c);
3276  random_fe_test(&d);
3277  random_fe_magnitude(&d);
3278  test_fe_mul(&a, &a, 1);
3279  test_fe_mul(&c, &c, 1);
3280  test_fe_mul(&a, &b, 0);
3281  test_fe_mul(&a, &c, 0);
3282  test_fe_mul(&c, &b, 0);
3283  test_fe_mul(&c, &d, 0);
3284  }
3285 }
3286 
3287 static void run_sqr(void) {
3288  int i;
3289  secp256k1_fe x, y, lhs, rhs, tmp;
3290 
3291  secp256k1_fe_set_int(&x, 1);
3292  secp256k1_fe_negate(&x, &x, 1);
3293 
3294  for (i = 1; i <= 512; ++i) {
3295  secp256k1_fe_mul_int(&x, 2);
3297 
3298  /* Check that (x+y)*(x-y) = x^2 - y*2 for some random values y */
3299  random_fe_test(&y);
3300 
3301  lhs = x;
3302  secp256k1_fe_add(&lhs, &y); /* lhs = x+y */
3303  secp256k1_fe_negate(&tmp, &y, 1); /* tmp = -y */
3304  secp256k1_fe_add(&tmp, &x); /* tmp = x-y */
3305  secp256k1_fe_mul(&lhs, &lhs, &tmp); /* lhs = (x+y)*(x-y) */
3306 
3307  secp256k1_fe_sqr(&rhs, &x); /* rhs = x^2 */
3308  secp256k1_fe_sqr(&tmp, &y); /* tmp = y^2 */
3309  secp256k1_fe_negate(&tmp, &tmp, 1); /* tmp = -y^2 */
3310  secp256k1_fe_add(&rhs, &tmp); /* rhs = x^2 - y^2 */
3311 
3312  CHECK(fe_equal(&lhs, &rhs));
3313  }
3314 }
3315 
3316 static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3317  secp256k1_fe r1, r2;
3318  int v = secp256k1_fe_sqrt(&r1, a);
3319  CHECK((v == 0) == (k == NULL));
3320 
3321  if (k != NULL) {
3322  /* Check that the returned root is +/- the given known answer */
3323  secp256k1_fe_negate(&r2, &r1, 1);
3324  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3327  }
3328 }
3329 
3330 static void run_sqrt(void) {
3331  secp256k1_fe ns, x, s, t;
3332  int i;
3333 
3334  /* Check sqrt(0) is 0 */
3335  secp256k1_fe_set_int(&x, 0);
3336  secp256k1_fe_sqr(&s, &x);
3337  test_sqrt(&s, &x);
3338 
3339  /* Check sqrt of small squares (and their negatives) */
3340  for (i = 1; i <= 100; i++) {
3341  secp256k1_fe_set_int(&x, i);
3342  secp256k1_fe_sqr(&s, &x);
3343  test_sqrt(&s, &x);
3344  secp256k1_fe_negate(&t, &s, 1);
3345  test_sqrt(&t, NULL);
3346  }
3347 
3348  /* Consistency checks for large random values */
3349  for (i = 0; i < 10; i++) {
3350  int j;
3351  random_fe_non_square(&ns);
3352  for (j = 0; j < COUNT; j++) {
3353  random_fe(&x);
3354  secp256k1_fe_sqr(&s, &x);
3356  test_sqrt(&s, &x);
3357  secp256k1_fe_negate(&t, &s, 1);
3359  test_sqrt(&t, NULL);
3360  secp256k1_fe_mul(&t, &s, &ns);
3361  test_sqrt(&t, NULL);
3362  }
3363  }
3364 }
3365 
3366 /***** FIELD/SCALAR INVERSE TESTS *****/
3367 
3369  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3370  0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3371 );
3372 
3374  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3375  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3376 );
3377 
3378 /* These tests test the following identities:
3379  *
3380  * for x==0: 1/x == 0
3381  * for x!=0: x*(1/x) == 1
3382  * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3383  */
3384 
3386 {
3387  secp256k1_scalar l, r, t;
3388 
3389  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3390  if (out) *out = l;
3391  if (secp256k1_scalar_is_zero(x)) {
3393  return;
3394  }
3395  secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3396  CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3397  secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3398  if (secp256k1_scalar_is_zero(&r)) return;
3399  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3400  secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3401  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3402  secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3403  secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3404  CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3405 }
3406 
3407 static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3408 {
3409  secp256k1_fe l, r, t;
3410 
3411  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3412  if (out) *out = l;
3413  t = *x; /* t = x */
3416  return;
3417  }
3418  secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3419  secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3420  CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3421  r = *x; /* r = x */
3422  secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3423  if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
3424  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3425  secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3426  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3427  secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3428  secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3429  CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
3430 }
3431 
3432 static void run_inverse_tests(void)
3433 {
3434  /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3435  static const secp256k1_fe fe_cases[][2] = {
3436  /* 0 */
3437  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3438  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3439  /* 1 */
3440  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3441  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3442  /* -1 */
3443  {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3444  SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3445  /* 2 */
3446  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3447  SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3448  /* 2**128 */
3449  {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3450  SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3451  /* Input known to need 637 divsteps */
3452  {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3453  SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3454  /* Input known to need 567 divsteps starting with delta=1/2. */
3455  {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3456  SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3457  /* Input known to need 566 divsteps starting with delta=1/2. */
3458  {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3459  SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3460  /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3461  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3462  SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3463  {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3464  SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3465  {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3466  SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3467  {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3468  SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3469  {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3470  SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3471  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3472  SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3473  {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3474  SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3475  {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3476  SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3477  {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3478  SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3479  {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3480  SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3481  /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3482  {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3483  SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3484  {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3485  SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3486  {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3487  SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3488  {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3489  SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3490  {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3491  SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3492  {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3493  SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3494  {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3495  SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3496  {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3497  SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3498  {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3499  SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3500  {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3501  SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3502  {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3503  SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3504  {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3505  SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3506  {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3507  SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3508  {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3509  SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3510  {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3511  SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3512  {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3513  SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3514  {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3515  SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3516  {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3517  SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3518  {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3519  SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3520  {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3521  SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3522  {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3523  SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3524  {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3525  SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3526  {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3527  SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3528  {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3529  SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3530  {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3531  SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3532  {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3533  SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3534  {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3535  SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3536  {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3537  SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3538  };
3539  /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3540  static const secp256k1_scalar scalar_cases[][2] = {
3541  /* 0 */
3542  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3543  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3544  /* 1 */
3545  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3546  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3547  /* -1 */
3548  {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3549  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3550  /* 2 */
3551  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3552  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3553  /* 2**128 */
3554  {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3555  SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3556  /* Input known to need 635 divsteps */
3557  {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3558  SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3559  /* Input known to need 566 divsteps starting with delta=1/2. */
3560  {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3561  SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3562  /* Input known to need 565 divsteps starting with delta=1/2. */
3563  {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3564  SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3565  /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3566  {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3567  SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3568  {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3569  SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3570  {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3571  SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3572  {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3573  SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3574  {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3575  SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3576  {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3577  SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3578  {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3579  SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3580  {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3581  SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3582  {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3583  SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3584  {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3585  SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3586  {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3587  SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3588  {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3589  SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3590  {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3591  SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3592  {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3593  SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3594  {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3595  SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3596  {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3597  SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3598  {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3599  SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3600  {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3601  SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3602  {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3603  SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3604  {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3605  SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3606  {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3607  SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3608  {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3609  SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3610  {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3611  SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3612  {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3613  SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3614  {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3615  SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3616  {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3617  SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3618  {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3619  SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3620  {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3621  SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3622  {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3623  SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3624  };
3625  int i, var, testrand;
3626  unsigned char b32[32];
3627  secp256k1_fe x_fe;
3628  secp256k1_scalar x_scalar;
3629  memset(b32, 0, sizeof(b32));
3630  /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3631  for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3632  for (var = 0; var <= 1; ++var) {
3633  test_inverse_field(&x_fe, &fe_cases[i][0], var);
3634  CHECK(fe_equal(&x_fe, &fe_cases[i][1]));
3635  test_inverse_field(&x_fe, &fe_cases[i][1], var);
3636  CHECK(fe_equal(&x_fe, &fe_cases[i][0]));
3637  }
3638  }
3639  for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3640  for (var = 0; var <= 1; ++var) {
3641  test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3642  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3643  test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3644  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3645  }
3646  }
3647  /* Test inputs 0..999 and their respective negations. */
3648  for (i = 0; i < 1000; ++i) {
3649  b32[31] = i & 0xff;
3650  b32[30] = (i >> 8) & 0xff;
3651  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3652  secp256k1_fe_set_b32_mod(&x_fe, b32);
3653  for (var = 0; var <= 1; ++var) {
3654  test_inverse_scalar(NULL, &x_scalar, var);
3655  test_inverse_field(NULL, &x_fe, var);
3656  }
3657  secp256k1_scalar_negate(&x_scalar, &x_scalar);
3658  secp256k1_fe_negate(&x_fe, &x_fe, 1);
3659  for (var = 0; var <= 1; ++var) {
3660  test_inverse_scalar(NULL, &x_scalar, var);
3661  test_inverse_field(NULL, &x_fe, var);
3662  }
3663  }
3664  /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3665  for (testrand = 0; testrand <= 1; ++testrand) {
3666  for (i = 0; i < 64 * COUNT; ++i) {
3668  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3669  secp256k1_fe_set_b32_mod(&x_fe, b32);
3670  for (var = 0; var <= 1; ++var) {
3671  test_inverse_scalar(NULL, &x_scalar, var);
3672  test_inverse_field(NULL, &x_fe, var);
3673  }
3674  }
3675  }
3676 }
3677 
3678 /***** GROUP TESTS *****/
3679 
3680 /* This compares jacobian points including their Z, not just their geometric meaning. */
3681 static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3682  secp256k1_gej a2;
3683  secp256k1_gej b2;
3684  int ret = 1;
3685  ret &= a->infinity == b->infinity;
3686  if (ret && !a->infinity) {
3687  a2 = *a;
3688  b2 = *b;
3695  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3696  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3697  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3698  }
3699  return ret;
3700 }
3701 
3702 static void test_ge(void) {
3703  int i, i1;
3704  int runs = 6;
3705  /* 25 points are used:
3706  * - infinity
3707  * - for each of four random points p1 p2 p3 p4, we add the point, its
3708  * negation, and then those two again but with randomized Z coordinate.
3709  * - The same is then done for lambda*p1 and lambda^2*p1.
3710  */
3711  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3712  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3713  secp256k1_fe zf, r;
3714  secp256k1_fe zfi2, zfi3;
3715 
3716  secp256k1_gej_set_infinity(&gej[0]);
3717  secp256k1_ge_clear(&ge[0]);
3718  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3719  for (i = 0; i < runs; i++) {
3720  int j, k;
3721  secp256k1_ge g;
3723  if (i >= runs - 2) {
3724  secp256k1_ge_mul_lambda(&g, &ge[1]);
3725  CHECK(!secp256k1_ge_eq_var(&g, &ge[1]));
3726  }
3727  if (i >= runs - 1) {
3729  }
3730  ge[1 + 4 * i] = g;
3731  ge[2 + 4 * i] = g;
3732  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3733  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3734  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3735  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3736  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3737  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3738  for (j = 0; j < 4; j++) {
3739  random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3740  random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3741  random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3742  random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3743  random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3744  }
3745 
3746  for (j = 0; j < 4; ++j) {
3747  for (k = 0; k < 4; ++k) {
3748  int expect_equal = (j >> 1) == (k >> 1);
3749  CHECK(secp256k1_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3750  CHECK(secp256k1_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal);
3751  CHECK(secp256k1_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3752  CHECK(secp256k1_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal);
3753  }
3754  }
3755  }
3756 
3757  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3759  random_fe_magnitude(&zf);
3760  secp256k1_fe_inv_var(&zfi3, &zf);
3761  secp256k1_fe_sqr(&zfi2, &zfi3);
3762  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3763 
3764  /* Generate random r */
3766 
3767  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3768  int i2;
3769  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3770  /* Compute reference result using gej + gej (var). */
3771  secp256k1_gej refj, resj;
3772  secp256k1_ge ref;
3773  secp256k1_fe zr;
3774  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3775  /* Check Z ratio. */
3776  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3777  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3778  CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3779  }
3780  secp256k1_ge_set_gej_var(&ref, &refj);
3781 
3782  /* Test gej + ge with Z ratio result (var). */
3783  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3784  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3785  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3786  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3787  CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3788  }
3789 
3790  /* Test gej + ge (var, with additional Z factor). */
3791  {
3792  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3793  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3794  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3795  random_ge_x_magnitude(&ge2_zfi);
3796  random_ge_y_magnitude(&ge2_zfi);
3797  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3798  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3799  }
3800 
3801  /* Test gej + ge (const). */
3802  if (i2 != 0) {
3803  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3804  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3805  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3806  }
3807 
3808  /* Test doubling (var). */
3809  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3810  secp256k1_fe zr2;
3811  /* Normal doubling with Z ratio result. */
3812  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3813  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3814  /* Check Z ratio. */
3815  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3816  CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3817  /* Normal doubling. */
3818  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3819  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3820  /* Constant-time doubling. */
3821  secp256k1_gej_double(&resj, &gej[i2]);
3822  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3823  }
3824 
3825  /* Test adding opposites. */
3826  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3828  }
3829 
3830  /* Test adding infinity. */
3831  if (i1 == 0) {
3832  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3833  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3834  CHECK(secp256k1_gej_eq_ge_var(&gej[i2], &ref));
3835  }
3836  if (i2 == 0) {
3837  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3838  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3839  CHECK(secp256k1_gej_eq_ge_var(&gej[i1], &ref));
3840  }
3841  }
3842  }
3843 
3844  /* Test adding all points together in random order equals infinity. */
3845  {
3847  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3848  for (i = 0; i < 4 * runs + 1; i++) {
3849  gej_shuffled[i] = gej[i];
3850  }
3851  for (i = 0; i < 4 * runs + 1; i++) {
3852  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3853  if (swap != i) {
3854  secp256k1_gej t = gej_shuffled[i];
3855  gej_shuffled[i] = gej_shuffled[swap];
3856  gej_shuffled[swap] = t;
3857  }
3858  }
3859  for (i = 0; i < 4 * runs + 1; i++) {
3860  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3861  }
3863  free(gej_shuffled);
3864  }
3865 
3866  /* Test batch gej -> ge conversion without known z ratios. */
3867  {
3868  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3869  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3870  for (i = 0; i < 4 * runs + 1; i++) {
3871  secp256k1_fe s;
3872  random_fe_non_zero(&s);
3873  secp256k1_gej_rescale(&gej[i], &s);
3874  CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all[i]));
3875  }
3876  free(ge_set_all);
3877  }
3878 
3879  /* Test that all elements have X coordinates on the curve. */
3880  for (i = 1; i < 4 * runs + 1; i++) {
3881  secp256k1_fe n;
3883  /* And the same holds after random rescaling. */
3884  secp256k1_fe_mul(&n, &zf, &ge[i].x);
3886  }
3887 
3888  /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
3889  {
3890  secp256k1_fe n;
3891  secp256k1_ge q;
3892  int ret_on_curve, ret_frac_on_curve, ret_set_xo;
3893  secp256k1_fe_mul(&n, &zf, &r);
3894  ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
3895  ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
3896  ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
3897  CHECK(ret_on_curve == ret_frac_on_curve);
3898  CHECK(ret_on_curve == ret_set_xo);
3899  if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
3900  }
3901 
3902  /* Test batch gej -> ge conversion with many infinities. */
3903  for (i = 0; i < 4 * runs + 1; i++) {
3904  int odd;
3905  random_group_element_test(&ge[i]);
3906  odd = secp256k1_fe_is_odd(&ge[i].x);
3907  CHECK(odd == 0 || odd == 1);
3908  /* randomly set half the points to infinity */
3909  if (odd == i % 2) {
3910  secp256k1_ge_set_infinity(&ge[i]);
3911  }
3912  secp256k1_gej_set_ge(&gej[i], &ge[i]);
3913  }
3914  /* batch convert */
3915  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3916  /* check result */
3917  for (i = 0; i < 4 * runs + 1; i++) {
3918  CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge[i]));
3919  }
3920 
3921  /* Test batch gej -> ge conversion with all infinities. */
3922  for (i = 0; i < 4 * runs + 1; i++) {
3923  secp256k1_gej_set_infinity(&gej[i]);
3924  }
3925  /* batch convert */
3926  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3927  /* check result */
3928  for (i = 0; i < 4 * runs + 1; i++) {
3930  }
3931 
3932  free(ge);
3933  free(gej);
3934 }
3935 
3936 static void test_intialized_inf(void) {
3937  secp256k1_ge p;
3938  secp256k1_gej pj, npj, infj1, infj2, infj3;
3939  secp256k1_fe zinv;
3940 
3941  /* Test that adding P+(-P) results in a fully initialized infinity*/
3943  secp256k1_gej_set_ge(&pj, &p);
3944  secp256k1_gej_neg(&npj, &pj);
3945 
3946  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3948  CHECK(secp256k1_fe_is_zero(&infj1.x));
3949  CHECK(secp256k1_fe_is_zero(&infj1.y));
3950  CHECK(secp256k1_fe_is_zero(&infj1.z));
3951 
3952  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3954  CHECK(secp256k1_fe_is_zero(&infj2.x));
3955  CHECK(secp256k1_fe_is_zero(&infj2.y));
3956  CHECK(secp256k1_fe_is_zero(&infj2.z));
3957 
3958  secp256k1_fe_set_int(&zinv, 1);
3959  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3961  CHECK(secp256k1_fe_is_zero(&infj3.x));
3962  CHECK(secp256k1_fe_is_zero(&infj3.y));
3963  CHECK(secp256k1_fe_is_zero(&infj3.z));
3964 
3965 
3966 }
3967 
3968 static void test_add_neg_y_diff_x(void) {
3969  /* The point of this test is to check that we can add two points
3970  * whose y-coordinates are negatives of each other but whose x
3971  * coordinates differ. If the x-coordinates were the same, these
3972  * points would be negatives of each other and their sum is
3973  * infinity. This is cool because it "covers up" any degeneracy
3974  * in the addition algorithm that would cause the xy coordinates
3975  * of the sum to be wrong (since infinity has no xy coordinates).
3976  * HOWEVER, if the x-coordinates are different, infinity is the
3977  * wrong answer, and such degeneracies are exposed. This is the
3978  * root of https://github.com/bitcoin-core/secp256k1/issues/257
3979  * which this test is a regression test for.
3980  *
3981  * These points were generated in sage as
3982  *
3983  * load("secp256k1_params.sage")
3984  *
3985  * # random "bad pair"
3986  * P = C.random_element()
3987  * Q = -int(LAMBDA) * P
3988  * print(" P: %x %x" % P.xy())
3989  * print(" Q: %x %x" % Q.xy())
3990  * print("P + Q: %x %x" % (P + Q).xy())
3991  */
3993  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3994  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3995  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3996  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3997  );
3999  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
4000  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
4001  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
4002  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
4003  );
4005  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
4006  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
4007  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
4008  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
4009  );
4010  secp256k1_ge b;
4011  secp256k1_gej resj;
4012  secp256k1_ge res;
4013  secp256k1_ge_set_gej(&b, &bj);
4014 
4015  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4016  secp256k1_ge_set_gej(&res, &resj);
4017  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4018 
4019  secp256k1_gej_add_ge(&resj, &aj, &b);
4020  secp256k1_ge_set_gej(&res, &resj);
4021  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4022 
4023  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4024  secp256k1_ge_set_gej(&res, &resj);
4025  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4026 }
4027 
4028 static void run_ge(void) {
4029  int i;
4030  for (i = 0; i < COUNT * 32; i++) {
4031  test_ge();
4032  }
4035 }
4036 
4037 static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4038  secp256k1_gej t = *a;
4039  secp256k1_gej_cmov(&t, b, 0);
4040  CHECK(gej_xyz_equals_gej(&t, a));
4041  secp256k1_gej_cmov(&t, b, 1);
4042  CHECK(gej_xyz_equals_gej(&t, b));
4043 }
4044 
4045 static void run_gej(void) {
4046  int i;
4047  secp256k1_gej a, b;
4048 
4049  /* Tests for secp256k1_gej_cmov */
4050  for (i = 0; i < COUNT; i++) {
4053  test_gej_cmov(&a, &b);
4054 
4055  random_gej_test(&a);
4056  test_gej_cmov(&a, &b);
4057  test_gej_cmov(&b, &a);
4058 
4059  b = a;
4060  test_gej_cmov(&a, &b);
4061 
4062  random_gej_test(&b);
4063  test_gej_cmov(&a, &b);
4064  test_gej_cmov(&b, &a);
4065  }
4066 
4067  /* Tests for secp256k1_gej_eq_var */
4068  for (i = 0; i < COUNT; i++) {
4069  secp256k1_fe fe;
4070  random_gej_test(&a);
4071  random_gej_test(&b);
4072  CHECK(!secp256k1_gej_eq_var(&a, &b));
4073 
4074  b = a;
4076  secp256k1_gej_rescale(&a, &fe);
4077  CHECK(secp256k1_gej_eq_var(&a, &b));
4078  }
4079 }
4080 
4081 static void test_ec_combine(void) {
4083  secp256k1_pubkey data[6];
4084  const secp256k1_pubkey* d[6];
4085  secp256k1_pubkey sd;
4086  secp256k1_pubkey sd2;
4087  secp256k1_gej Qj;
4088  secp256k1_ge Q;
4089  int i;
4090  for (i = 1; i <= 6; i++) {
4091  secp256k1_scalar s;
4093  secp256k1_scalar_add(&sum, &sum, &s);
4095  secp256k1_ge_set_gej(&Q, &Qj);
4096  secp256k1_pubkey_save(&data[i - 1], &Q);
4097  d[i - 1] = &data[i - 1];
4099  secp256k1_ge_set_gej(&Q, &Qj);
4100  secp256k1_pubkey_save(&sd, &Q);
4101  CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4102  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4103  }
4104 }
4105 
4106 static void run_ec_combine(void) {
4107  int i;
4108  for (i = 0; i < COUNT * 8; i++) {
4109  test_ec_combine();
4110  }
4111 }
4112 
4113 static void test_group_decompress(const secp256k1_fe* x) {
4114  /* The input itself, normalized. */
4115  secp256k1_fe fex = *x;
4116  /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
4117  secp256k1_ge ge_even, ge_odd;
4118  /* Return values of the above calls. */
4119  int res_even, res_odd;
4120 
4122 
4123  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4124  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4125 
4126  CHECK(res_even == res_odd);
4127 
4128  if (res_even) {
4129  secp256k1_fe_normalize_var(&ge_odd.x);
4130  secp256k1_fe_normalize_var(&ge_even.x);
4131  secp256k1_fe_normalize_var(&ge_odd.y);
4132  secp256k1_fe_normalize_var(&ge_even.y);
4133 
4134  /* No infinity allowed. */
4135  CHECK(!ge_even.infinity);
4136  CHECK(!ge_odd.infinity);
4137 
4138  /* Check that the x coordinates check out. */
4139  CHECK(secp256k1_fe_equal(&ge_even.x, x));
4140  CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4141 
4142  /* Check odd/even Y in ge_odd, ge_even. */
4143  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4144  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4145  }
4146 }
4147 
4148 static void run_group_decompress(void) {
4149  int i;
4150  for (i = 0; i < COUNT * 4; i++) {
4151  secp256k1_fe fe;
4152  random_fe_test(&fe);
4153  test_group_decompress(&fe);
4154  }
4155 }
4156 
4157 /***** ECMULT TESTS *****/
4158 
4159 static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4160  /* Tests the pre_g / pre_g_128 tables for consistency.
4161  * For independent verification we take a "geometric" approach to verification.
4162  * We check that every entry is on-curve.
4163  * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4164  * (1) p, gg, and -q are colinear.
4165  * (2) p, gg, and -q are all distinct.
4166  * where gg is twice the generator, where the generator is the first table entry.
4167  *
4168  * Checking the table's generators are correct is done in run_ecmult_pre_g.
4169  */
4170  secp256k1_gej g2;
4171  secp256k1_ge p, q, gg;
4172  secp256k1_fe dpx, dpy, dqx, dqy;
4173  size_t i;
4174 
4175  CHECK(0 < n);
4176 
4177  secp256k1_ge_from_storage(&p, &pre_g[0]);
4179 
4180  secp256k1_gej_set_ge(&g2, &p);
4181  secp256k1_gej_double_var(&g2, &g2, NULL);
4182  secp256k1_ge_set_gej_var(&gg, &g2);
4183  for (i = 1; i < n; ++i) {
4184  secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4185  secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4186  /* Check that p is not equal to gg */
4188 
4189  secp256k1_ge_from_storage(&q, &pre_g[i]);
4191 
4192  secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4193  dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4194  /* Check that -q is not equal to gg */
4196 
4197  /* Check that -q is not equal to p */
4198  CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4199 
4200  /* Check that p, -q and gg are colinear */
4201  secp256k1_fe_mul(&dpx, &dpx, &dqy);
4202  secp256k1_fe_mul(&dpy, &dpy, &dqx);
4203  CHECK(secp256k1_fe_equal(&dpx, &dpy));
4204 
4205  p = q;
4206  }
4207 }
4208 
4209 static void run_ecmult_pre_g(void) {
4211  secp256k1_gej gj;
4212  secp256k1_ge g;
4213  size_t i;
4214 
4215  /* Check that the pre_g and pre_g_128 tables are consistent. */
4218 
4219  /* Check the first entry from the pre_g table. */
4221  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4222 
4223  /* Check the first entry from the pre_g_128 table. */
4225  for (i = 0; i < 128; ++i) {
4226  secp256k1_gej_double_var(&gj, &gj, NULL);
4227  }
4228  secp256k1_ge_set_gej(&g, &gj);
4229  secp256k1_ge_to_storage(&gs, &g);
4230  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4231 }
4232 
4233 static void run_ecmult_chain(void) {
4234  /* random starting point A (on the curve) */
4236  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4237  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4238  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4239  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4240  );
4241  /* two random initial factors xn and gn */
4243  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4244  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4245  );
4247  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4248  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4249  );
4250  /* two small multipliers to be applied to xn and gn in every iteration: */
4251  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4252  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4253  /* accumulators with the resulting coefficients to A and G */
4256  /* actual points */
4257  secp256k1_gej x;
4258  secp256k1_gej x2;
4259  int i;
4260 
4261  /* the point being computed */
4262  x = a;
4263  for (i = 0; i < 200*COUNT; i++) {
4264  /* in each iteration, compute X = xn*X + gn*G; */
4265  secp256k1_ecmult(&x, &x, &xn, &gn);
4266  /* also compute ae and ge: the actual accumulated factors for A and G */
4267  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4268  secp256k1_scalar_mul(&ae, &ae, &xn);
4269  secp256k1_scalar_mul(&ge, &ge, &xn);
4270  secp256k1_scalar_add(&ge, &ge, &gn);
4271  /* modify xn and gn */
4272  secp256k1_scalar_mul(&xn, &xn, &xf);
4273  secp256k1_scalar_mul(&gn, &gn, &gf);
4274 
4275  /* verify */
4276  if (i == 19999) {
4277  /* expected result after 19999 iterations */
4279  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4280  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4281  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4282  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4283  );
4284  CHECK(secp256k1_gej_eq_var(&rp, &x));
4285  }
4286  }
4287  /* redo the computation, but directly with the resulting ae and ge coefficients: */
4288  secp256k1_ecmult(&x2, &a, &ae, &ge);
4289  CHECK(secp256k1_gej_eq_var(&x, &x2));
4290 }
4291 
4292 static void test_point_times_order(const secp256k1_gej *point) {
4293  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4294  secp256k1_scalar x;
4295  secp256k1_scalar nx;
4296  secp256k1_gej res1, res2;
4297  secp256k1_ge res3;
4298  unsigned char pub[65];
4299  size_t psize = 65;
4301  secp256k1_scalar_negate(&nx, &x);
4302  secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4303  secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4304  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4306  secp256k1_ge_set_gej(&res3, &res1);
4308  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4309  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4310  psize = 65;
4311  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4312  /* check zero/one edge cases */
4314  secp256k1_ge_set_gej(&res3, &res1);
4317  secp256k1_ge_set_gej(&res3, &res1);
4318  CHECK(secp256k1_gej_eq_ge_var(point, &res3));
4320  secp256k1_ge_set_gej(&res3, &res1);
4322 }
4323 
4324 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4325  *
4326  * They are computed as:
4327  * - For a in [-2, -1, 0, 1, 2]:
4328  * - For b in [-3, -1, 1, 3]:
4329  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4330  */
4332  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4333  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4334  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4335  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4336  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4337  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4338  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4339  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4340  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4341  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4342  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4343  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4344  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4345  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4346  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4347  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4348  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4349  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4350  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4351  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4352 };
4353 
4354 static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4355  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4356  secp256k1_scalar n1, n2;
4357  secp256k1_ge p;
4358  secp256k1_gej pj, p1j, p2j, ptj;
4359 
4360  /* Generate random n1,n2 such that n1+n2 = -target. */
4362  secp256k1_scalar_add(&n2, &n1, target);
4363  secp256k1_scalar_negate(&n2, &n2);
4364 
4365  /* Generate a random input point. */
4366  if (mode != 0) {
4368  secp256k1_gej_set_ge(&pj, &p);
4369  }
4370 
4371  /* EC multiplications */
4372  if (mode == 0) {
4373  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1);
4374  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2);
4375  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4376  } else if (mode == 1) {
4377  secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4378  secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4379  secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4380  } else {
4381  secp256k1_ecmult_const(&p1j, &p, &n1);
4382  secp256k1_ecmult_const(&p2j, &p, &n2);
4383  secp256k1_ecmult_const(&ptj, &p, target);
4384  }
4385 
4386  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4387  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4388  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4390 }
4391 
4392 static void run_ecmult_near_split_bound(void) {
4393  int i;
4394  unsigned j;
4395  for (i = 0; i < 4*COUNT; ++i) {
4396  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4400  }
4401  }
4402 }
4403 
4404 static void run_point_times_order(void) {
4405  int i;
4406  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4407  static const secp256k1_fe xr = SECP256K1_FE_CONST(
4408  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4409  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4410  );
4411  for (i = 0; i < 500; i++) {
4412  secp256k1_ge p;
4413  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4414  secp256k1_gej j;
4416  secp256k1_gej_set_ge(&j, &p);
4418  }
4419  secp256k1_fe_sqr(&x, &x);
4420  }
4422  CHECK(secp256k1_fe_equal(&x, &xr));
4423 }
4424 
4425 static void ecmult_const_random_mult(void) {
4426  /* random starting point A (on the curve) */
4428  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4429  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4430  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4431  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4432  );
4433  /* random initial factor xn */
4435  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4436  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4437  );
4438  /* expected xn * A (from sage) */
4439  secp256k1_ge expected_b = SECP256K1_GE_CONST(
4440  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4441  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4442  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4443  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4444  );
4445  secp256k1_gej b;
4446  secp256k1_ecmult_const(&b, &a, &xn);
4447 
4449  CHECK(secp256k1_gej_eq_ge_var(&b, &expected_b));
4450 }
4451 
4452 static void ecmult_const_commutativity(void) {
4453  secp256k1_scalar a;
4454  secp256k1_scalar b;
4455  secp256k1_gej res1;
4456  secp256k1_gej res2;
4457  secp256k1_ge mid1;
4458  secp256k1_ge mid2;
4461 
4464  secp256k1_ge_set_gej(&mid1, &res1);
4465  secp256k1_ge_set_gej(&mid2, &res2);
4466  secp256k1_ecmult_const(&res1, &mid1, &b);
4467  secp256k1_ecmult_const(&res2, &mid2, &a);
4468  secp256k1_ge_set_gej(&mid1, &res1);
4469  secp256k1_ge_set_gej(&mid2, &res2);
4470  CHECK(secp256k1_ge_eq_var(&mid1, &mid2));
4471 }
4472 
4473 static void ecmult_const_mult_zero_one(void) {
4474  secp256k1_scalar s;
4475  secp256k1_scalar negone;
4476  secp256k1_gej res1;
4477  secp256k1_ge res2;
4478  secp256k1_ge point;
4479  secp256k1_ge inf;
4480 
4483  random_group_element_test(&point);
4485 
4486  /* 0*point */
4489 
4490  /* s*inf */
4491  secp256k1_ecmult_const(&res1, &inf, &s);
4493 
4494  /* 1*point */
4496  secp256k1_ge_set_gej(&res2, &res1);
4497  CHECK(secp256k1_ge_eq_var(&res2, &point));
4498 
4499  /* -1*point */
4500  secp256k1_ecmult_const(&res1, &point, &negone);
4501  secp256k1_gej_neg(&res1, &res1);
4502  secp256k1_ge_set_gej(&res2, &res1);
4503  CHECK(secp256k1_ge_eq_var(&res2, &point));
4504 }
4505 
4506 static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) {
4507  secp256k1_gej pointj, res2j;
4508  secp256k1_ge res2;
4509  secp256k1_gej_set_ge(&pointj, A);
4510  secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero);
4511  secp256k1_ge_set_gej(&res2, &res2j);
4512  CHECK(secp256k1_gej_eq_ge_var(res, &res2));
4513 }
4514 
4515 static void ecmult_const_edges(void) {
4516  secp256k1_scalar q;
4517  secp256k1_ge point;
4518  secp256k1_gej res;
4519  size_t i;
4520  size_t cases = 1 + sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]);
4521 
4522  /* We are trying to reach the following edge cases (variables are defined as
4523  * in ecmult_const_impl.h):
4524  * 1. i = 0: s = 0 <=> q = -K
4525  * 2. i > 0: v1, v2 large values
4526  * <=> s1, s2 large values
4527  * <=> s = scalars_near_split_bounds[i]
4528  * <=> q = 2*scalars_near_split_bounds[i] - K
4529  */
4530  for (i = 0; i < cases; ++i) {
4532  if (i > 0) {
4535  }
4536  random_group_element_test(&point);
4537  secp256k1_ecmult_const(&res, &point, &q);
4538  ecmult_const_check_result(&point, &q, &res);
4539  }
4540 }
4541 
4542 static void ecmult_const_mult_xonly(void) {
4543  int i;
4544 
4545  /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4546  for (i = 0; i < 2*COUNT; ++i) {
4547  secp256k1_ge base;
4548  secp256k1_gej basej, resj;
4549  secp256k1_fe n, d, resx, v;
4550  secp256k1_scalar q;
4551  int res;
4552  /* Random base point. */
4554  /* Random scalar to multiply it with. */
4556  /* If i is odd, n=d*base.x for random non-zero d */
4557  if (i & 1) {
4559  secp256k1_fe_mul(&n, &base.x, &d);
4560  } else {
4561  n = base.x;
4562  }
4563  /* Perform x-only multiplication. */
4564  res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4565  CHECK(res);
4566  /* Perform normal multiplication. */
4567  secp256k1_gej_set_ge(&basej, &base);
4568  secp256k1_ecmult(&resj, &basej, &q, NULL);
4569  /* Check that resj's X coordinate corresponds with resx. */
4570  secp256k1_fe_sqr(&v, &resj.z);
4571  secp256k1_fe_mul(&v, &v, &resx);
4572  CHECK(fe_equal(&v, &resj.x));
4573  }
4574 
4575  /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4576  for (i = 0; i < 2*COUNT; ++i) {
4577  secp256k1_fe x, n, d, r;
4578  int res;
4579  secp256k1_scalar q;
4581  /* Generate random X coordinate not on the curve. */
4582  do {
4583  random_fe_test(&x);
4584  } while (secp256k1_ge_x_on_curve_var(&x));
4585  /* If i is odd, n=d*x for random non-zero d. */
4586  if (i & 1) {
4588  secp256k1_fe_mul(&n, &x, &d);
4589  } else {
4590  n = x;
4591  }
4592  res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4593  CHECK(res == 0);
4594  }
4595 }
4596 
4597 static void ecmult_const_chain_multiply(void) {
4598  /* Check known result (randomly generated test problem from sage) */
4600  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4601  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4602  );
4603  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4604  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4605  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4606  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4607  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4608  );
4609  secp256k1_gej point;
4610  secp256k1_ge res;
4611  int i;
4612 
4614  for (i = 0; i < 100; ++i) {
4615  secp256k1_ge tmp;
4616  secp256k1_ge_set_gej(&tmp, &point);
4617  secp256k1_ecmult_const(&point, &tmp, &scalar);
4618  }
4619  secp256k1_ge_set_gej(&res, &point);
4620  CHECK(secp256k1_gej_eq_ge_var(&expected_point, &res));
4621 }
4622 
4623 static void run_ecmult_const_tests(void) {
4630 }
4631 
4632 typedef struct {
4636 
4637 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4638  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4639  *sc = data->sc[idx];
4640  *pt = data->pt[idx];
4641  return 1;
4642 }
4643 
4644 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4645  (void)sc;
4646  (void)pt;
4647  (void)idx;
4648  (void)cbdata;
4649  return 0;
4650 }
4651 
4653  int ncount;
4654  secp256k1_scalar sc[32];
4655  secp256k1_ge pt[32];
4656  secp256k1_gej r;
4657  secp256k1_gej r2;
4658  ecmult_multi_data data;
4659 
4660  data.sc = sc;
4661  data.pt = pt;
4662 
4663  /* No points to multiply */
4664  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4665 
4666  /* Check 1- and 2-point multiplies against ecmult */
4667  for (ncount = 0; ncount < COUNT; ncount++) {
4668  secp256k1_ge ptg;
4669  secp256k1_gej ptgj;
4670  random_scalar_order(&sc[0]);
4671  random_scalar_order(&sc[1]);
4672 
4674  secp256k1_gej_set_ge(&ptgj, &ptg);
4675  pt[0] = ptg;
4676  pt[1] = secp256k1_ge_const_g;
4677 
4678  /* only G scalar */
4679  secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4680  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4681  CHECK(secp256k1_gej_eq_var(&r, &r2));
4682 
4683  /* 1-point */
4684  secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4685  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4686  CHECK(secp256k1_gej_eq_var(&r, &r2));
4687 
4688  /* Try to multiply 1 point, but callback returns false */
4689  CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4690 
4691  /* 2-point */
4692  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4693  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4694  CHECK(secp256k1_gej_eq_var(&r, &r2));
4695 
4696  /* 2-point with G scalar */
4697  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4698  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4699  CHECK(secp256k1_gej_eq_var(&r, &r2));
4700  }
4701 
4702  /* Check infinite outputs of various forms */
4703  for (ncount = 0; ncount < COUNT; ncount++) {
4704  secp256k1_ge ptg;
4705  size_t i, j;
4706  size_t sizes[] = { 2, 10, 32 };
4707 
4708  for (j = 0; j < 3; j++) {
4709  for (i = 0; i < 32; i++) {
4710  random_scalar_order(&sc[i]);
4711  secp256k1_ge_set_infinity(&pt[i]);
4712  }
4713  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4715  }
4716 
4717  for (j = 0; j < 3; j++) {
4718  for (i = 0; i < 32; i++) {
4720  pt[i] = ptg;
4721  secp256k1_scalar_set_int(&sc[i], 0);
4722  }
4723  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4725  }
4726 
4727  for (j = 0; j < 3; j++) {
4729  for (i = 0; i < 16; i++) {
4730  random_scalar_order(&sc[2*i]);
4731  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4732  pt[2 * i] = ptg;
4733  pt[2 * i + 1] = ptg;
4734  }
4735 
4736  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4738 
4739  random_scalar_order(&sc[0]);
4740  for (i = 0; i < 16; i++) {
4742 
4743  sc[2*i] = sc[0];
4744  sc[2*i+1] = sc[0];
4745  pt[2 * i] = ptg;
4746  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4747  }
4748 
4749  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4751  }
4752 
4754  secp256k1_scalar_set_int(&sc[0], 0);
4755  pt[0] = ptg;
4756  for (i = 1; i < 32; i++) {
4757  pt[i] = ptg;
4758 
4759  random_scalar_order(&sc[i]);
4760  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4761  secp256k1_scalar_negate(&sc[i], &sc[i]);
4762  }
4763 
4764  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4766  }
4767 
4768  /* Check random points, constant scalar */
4769  for (ncount = 0; ncount < COUNT; ncount++) {
4770  size_t i;
4772 
4773  random_scalar_order(&sc[0]);
4774  for (i = 0; i < 20; i++) {
4775  secp256k1_ge ptg;
4776  sc[i] = sc[0];
4778  pt[i] = ptg;
4779  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4780  }
4781 
4782  secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4783  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4784  CHECK(secp256k1_gej_eq_var(&r, &r2));
4785  }
4786 
4787  /* Check random scalars, constant point */
4788  for (ncount = 0; ncount < COUNT; ncount++) {
4789  size_t i;
4790  secp256k1_ge ptg;
4791  secp256k1_gej p0j;
4792  secp256k1_scalar rs;
4793  secp256k1_scalar_set_int(&rs, 0);
4794 
4796  for (i = 0; i < 20; i++) {
4797  random_scalar_order(&sc[i]);
4798  pt[i] = ptg;
4799  secp256k1_scalar_add(&rs, &rs, &sc[i]);
4800  }
4801 
4802  secp256k1_gej_set_ge(&p0j, &pt[0]);
4803  secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4804  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4805  CHECK(secp256k1_gej_eq_var(&r, &r2));
4806  }
4807 
4808  /* Sanity check that zero scalars don't cause problems */
4809  for (ncount = 0; ncount < 20; ncount++) {
4810  random_scalar_order(&sc[ncount]);
4811  random_group_element_test(&pt[ncount]);
4812  }
4813 
4814  secp256k1_scalar_clear(&sc[0]);
4815  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4816  secp256k1_scalar_clear(&sc[1]);
4817  secp256k1_scalar_clear(&sc[2]);
4818  secp256k1_scalar_clear(&sc[3]);
4819  secp256k1_scalar_clear(&sc[4]);
4820  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4821  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4823 
4824  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4825  {
4826  const size_t TOP = 8;
4827  size_t s0i, s1i;
4828  size_t t0i, t1i;
4829  secp256k1_ge ptg;
4830  secp256k1_gej ptgj;
4831 
4833  secp256k1_gej_set_ge(&ptgj, &ptg);
4834 
4835  for(t0i = 0; t0i < TOP; t0i++) {
4836  for(t1i = 0; t1i < TOP; t1i++) {
4837  secp256k1_gej t0p, t1p;
4838  secp256k1_scalar t0, t1;
4839 
4840  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4841  secp256k1_scalar_cond_negate(&t0, t0i & 1);
4842  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4843  secp256k1_scalar_cond_negate(&t1, t1i & 1);
4844 
4845  secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4846  secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4847 
4848  for(s0i = 0; s0i < TOP; s0i++) {
4849  for(s1i = 0; s1i < TOP; s1i++) {
4850  secp256k1_scalar tmp1, tmp2;
4851  secp256k1_gej expected, actual;
4852 
4853  secp256k1_ge_set_gej(&pt[0], &t0p);
4854  secp256k1_ge_set_gej(&pt[1], &t1p);
4855 
4856  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4857  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4858  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4859  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4860 
4861  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4862  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4863  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4864 
4865  secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4866  CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4867  CHECK(secp256k1_gej_eq_var(&actual, &expected));
4868  }
4869  }
4870  }
4871  }
4872  }
4873 }
4874 
4876  /* Large random test for ecmult_multi_* functions which exercises:
4877  * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4878  * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4879  * - Including or excluding an nonzero a*G term (or such a term at all).
4880  * - Final expected result equal to infinity or not (roughly 50%).
4881  * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4882  */
4883 
4884  /* These 4 variables define the eventual input to the ecmult_multi function.
4885  * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4886  * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4887  * which form its normal inputs. */
4888  int filled = 0;
4890  secp256k1_scalar scalars[128];
4891  secp256k1_gej gejs[128];
4892  /* The expected result, and the computed result. */
4893  secp256k1_gej expected, computed;
4894  /* Temporaries. */
4895  secp256k1_scalar sc_tmp;
4896  secp256k1_ge ge_tmp;
4897  /* Variables needed for the actual input to ecmult_multi. */
4898  secp256k1_ge ges[128];
4899  ecmult_multi_data data;
4900 
4901  int i;
4902  /* Which multiplication function to use */
4903  int fn = secp256k1_testrand_int(3);
4904  secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4907  /* Simulate exponentially distributed num. */
4908  int num_bits = 2 + secp256k1_testrand_int(6);
4909  /* Number of (scalar, point) inputs (excluding g). */
4910  int num = secp256k1_testrand_int((1 << num_bits) + 1);
4911  /* Number of those which are nonzero. */
4912  int num_nonzero = secp256k1_testrand_int(num + 1);
4913  /* Whether we're aiming to create an input with nonzero expected result. */
4914  int nonzero_result = secp256k1_testrand_bits(1);
4915  /* Whether we will provide nonzero g multiplicand. In some cases our hand
4916  * is forced here based on num_nonzero and nonzero_result. */
4917  int g_nonzero = num_nonzero == 0 ? nonzero_result :
4918  num_nonzero == 1 && !nonzero_result ? 1 :
4919  (int)secp256k1_testrand_bits(1);
4920  /* Which g_scalar pointer to pass into ecmult_multi(). */
4921  const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4922  /* How many EC multiplications were performed in this function. */
4923  int mults = 0;
4924  /* How many randomization steps to apply to the input list. */
4925  int rands = (int)secp256k1_testrand_bits(3);
4926  if (rands > num_nonzero) rands = num_nonzero;
4927 
4928  secp256k1_gej_set_infinity(&expected);
4929  secp256k1_gej_set_infinity(&gejs[0]);
4930  secp256k1_scalar_set_int(&scalars[0], 0);
4931 
4932  if (g_nonzero) {
4933  /* If g_nonzero, set g_scalar to nonzero value r. */
4934  random_scalar_order_test(&g_scalar);
4935  if (!nonzero_result) {
4936  /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4937  CHECK(num_nonzero > filled);
4938  random_scalar_order_test(&sc_tmp);
4939  secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4940  secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4941  secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4942  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4943  ++filled;
4944  ++mults;
4945  }
4946  }
4947 
4948  if (nonzero_result && filled < num_nonzero) {
4949  /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4950  random_scalar_order_test(&scalars[filled]);
4951  random_group_element_test(&ge_tmp);
4952  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4953  ++filled;
4954  }
4955 
4956  if (nonzero_result) {
4957  /* Compute the expected result using normal ecmult. */
4958  CHECK(filled <= 1);
4959  secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4960  mults += filled + g_nonzero;
4961  }
4962 
4963  /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4964  CHECK(filled <= 1 + !nonzero_result);
4965  CHECK(filled <= num_nonzero);
4966 
4967  /* Add entries to scalars,gejs so that there are num of them. All the added entries
4968  * either have scalar=0 or point=infinity, so these do not change the expected result. */
4969  while (filled < num) {
4970  if (secp256k1_testrand_bits(1)) {
4971  secp256k1_gej_set_infinity(&gejs[filled]);
4972  random_scalar_order_test(&scalars[filled]);
4973  } else {
4974  secp256k1_scalar_set_int(&scalars[filled], 0);
4975  random_group_element_test(&ge_tmp);
4976  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4977  }
4978  ++filled;
4979  }
4980 
4981  /* Now perform cheapish transformations on gejs and scalars, for indices
4982  * 0..num_nonzero-1, which do not change the expected result, but may
4983  * convert some of them to be both non-0-scalar and non-infinity-point. */
4984  for (i = 0; i < rands; ++i) {
4985  int j;
4986  secp256k1_scalar v, iv;
4987  /* Shuffle the entries. */
4988  for (j = 0; j < num_nonzero; ++j) {
4989  int k = secp256k1_testrand_int(num_nonzero - j);
4990  if (k != 0) {
4991  secp256k1_gej gej = gejs[j];
4992  secp256k1_scalar sc = scalars[j];
4993  gejs[j] = gejs[j + k];
4994  scalars[j] = scalars[j + k];
4995  gejs[j + k] = gej;
4996  scalars[j + k] = sc;
4997  }
4998  }
4999  /* Perturb all consecutive pairs of inputs:
5000  * a*P + b*Q -> (a+b)*P + b*(Q-P). */
5001  for (j = 0; j + 1 < num_nonzero; j += 2) {
5002  secp256k1_gej gej;
5003  secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
5004  secp256k1_gej_neg(&gej, &gejs[j]);
5005  secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
5006  }
5007  /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
5008  CHECK(num_nonzero >= 1);
5010  secp256k1_scalar_inverse(&iv, &v);
5011  secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5012  secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5013  ++mults;
5014  }
5015 
5016  /* Shuffle all entries (0..num-1). */
5017  for (i = 0; i < num; ++i) {
5018  int j = secp256k1_testrand_int(num - i);
5019  if (j != 0) {
5020  secp256k1_gej gej = gejs[i];
5021  secp256k1_scalar sc = scalars[i];
5022  gejs[i] = gejs[i + j];
5023  scalars[i] = scalars[i + j];
5024  gejs[i + j] = gej;
5025  scalars[i + j] = sc;
5026  }
5027  }
5028 
5029  /* Compute affine versions of all inputs. */
5030  secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5031  /* Invoke ecmult_multi code. */
5032  data.sc = scalars;
5033  data.pt = ges;
5034  CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5035  mults += num_nonzero + g_nonzero;
5036  /* Compare with expected result. */
5037  CHECK(secp256k1_gej_eq_var(&computed, &expected));
5038  return mults;
5039 }
5040 
5042  secp256k1_scalar sc;
5043  secp256k1_ge pt;
5044  secp256k1_gej r;
5045  ecmult_multi_data data;
5046  secp256k1_scratch *scratch_empty;
5047 
5049  random_scalar_order(&sc);
5050  data.sc = &sc;
5051  data.pt = &pt;
5052 
5053  /* Try to multiply 1 point, but scratch space is empty.*/
5054  scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5055  CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5056  secp256k1_scratch_destroy(&CTX->error_callback, scratch_empty);
5057 }
5058 
5060  int i;
5061 
5063  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5064  /* Bucket_window of 8 is not used with endo */
5065  if (i == 8) {
5066  continue;
5067  }
5069  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5071  }
5072  }
5073 }
5074 
5080  size_t scratch_size = secp256k1_testrand_bits(8);
5082  secp256k1_scratch *scratch;
5083  size_t n_points_supported;
5084  int bucket_window = 0;
5085 
5086  for(; scratch_size < max_size; scratch_size+=256) {
5087  size_t i;
5088  size_t total_alloc;
5089  size_t checkpoint;
5090  scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5091  CHECK(scratch != NULL);
5092  checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5093  n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5094  if (n_points_supported == 0) {
5096  continue;
5097  }
5098  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5099  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5100  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5101  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5103  total_alloc--;
5104  }
5105  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5106  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
5108  }
5109  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5110 }
5111 
5113  size_t n_batches, n_batch_points, max_n_batch_points, n;
5114 
5115  max_n_batch_points = 0;
5116  n = 1;
5117  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5118 
5119  max_n_batch_points = 1;
5120  n = 0;
5121  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5122  CHECK(n_batches == 0);
5123  CHECK(n_batch_points == 0);
5124 
5125  max_n_batch_points = 2;
5126  n = 5;
5127  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5128  CHECK(n_batches == 3);
5129  CHECK(n_batch_points == 2);
5130 
5131  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5133  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5134  CHECK(n_batches == 1);
5135  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5136 
5137  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5139  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5140  CHECK(n_batches == 2);
5141  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5142 
5143  max_n_batch_points = 1;
5144  n = SIZE_MAX;
5145  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5146  CHECK(n_batches == SIZE_MAX);
5147  CHECK(n_batch_points == 1);
5148 
5149  max_n_batch_points = 2;
5150  n = SIZE_MAX;
5151  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5152  CHECK(n_batches == SIZE_MAX/2 + 1);
5153  CHECK(n_batch_points == 2);
5154 }
5155 
5160 static void test_ecmult_multi_batching(void) {
5161  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5162  secp256k1_scalar scG;
5164  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points);
5165  secp256k1_gej r;
5166  secp256k1_gej r2;
5167  ecmult_multi_data data;
5168  int i;
5169  secp256k1_scratch *scratch;
5170 
5172 
5173  /* Get random scalars and group elements and compute result */
5174  random_scalar_order(&scG);
5175  secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5176  for(i = 0; i < n_points; i++) {
5177  secp256k1_ge ptg;
5178  secp256k1_gej ptgj;
5180  secp256k1_gej_set_ge(&ptgj, &ptg);
5181  pt[i] = ptg;
5182  random_scalar_order(&sc[i]);
5183  secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5184  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5185  }
5186  data.sc = sc;
5187  data.pt = pt;
5188  secp256k1_gej_neg(&r2, &r2);
5189 
5190  /* Test with empty scratch space. It should compute the correct result using
5191  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5193  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5194  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5197 
5198  /* Test with space for 1 point in pippenger. That's not enough because
5199  * ecmult_multi selects strauss which requires more memory. It should
5200  * therefore select the simple algorithm. */
5202  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5203  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5206 
5207  for(i = 1; i <= n_points; i++) {
5208  if (i > ECMULT_PIPPENGER_THRESHOLD) {
5209  int bucket_window = secp256k1_pippenger_bucket_window(i);
5210  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5212  } else {
5213  size_t scratch_size = secp256k1_strauss_scratch_size(i);
5215  }
5216  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5217  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5220  }
5221  free(sc);
5222  free(pt);
5223 }
5224 
5225 static void run_ecmult_multi_tests(void) {
5226  secp256k1_scratch *scratch;
5227  int64_t todo = (int64_t)320 * COUNT;
5228 
5231  scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5238  while (todo > 0) {
5239  todo -= test_ecmult_multi_random(scratch);
5240  }
5242 
5243  /* Run test_ecmult_multi with space for exactly one point */
5247 
5250 }
5251 
5252 static void test_wnaf(const secp256k1_scalar *number, int w) {
5253  secp256k1_scalar x, two, t;
5254  int wnaf[256];
5255  int zeroes = -1;
5256  int i;
5257  int bits;
5258  secp256k1_scalar_set_int(&x, 0);
5259  secp256k1_scalar_set_int(&two, 2);
5260  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5261  CHECK(bits <= 256);
5262  for (i = bits-1; i >= 0; i--) {
5263  int v = wnaf[i];
5264  secp256k1_scalar_mul(&x, &x, &two);
5265  if (v) {
5266  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5267  zeroes=0;
5268  CHECK((v & 1) == 1); /* check non-zero elements are odd */
5269  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5270  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5271  } else {
5272  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5273  zeroes++;
5274  }
5275  if (v >= 0) {
5277  } else {
5280  }
5281  secp256k1_scalar_add(&x, &x, &t);
5282  }
5283  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5284 }
5285 
5286 static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5287  secp256k1_scalar x, shift;
5288  int wnaf[256] = {0};
5289  int i;
5290  int skew;
5291  secp256k1_scalar num, unused;
5292 
5293  secp256k1_scalar_set_int(&x, 0);
5294  secp256k1_scalar_set_int(&shift, 1 << w);
5295  /* Make num a 128-bit scalar. */
5296  secp256k1_scalar_split_128(&num, &unused, number);
5297  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5298 
5299  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5301  int v = wnaf[i];
5302  CHECK(v == 0 || v & 1); /* check parity */
5303  CHECK(v > -(1 << w)); /* check range above */
5304  CHECK(v < (1 << w)); /* check range below */
5305 
5306  secp256k1_scalar_mul(&x, &x, &shift);
5307  if (v >= 0) {
5309  } else {
5312  }
5313  secp256k1_scalar_add(&x, &x, &t);
5314  }
5315  /* If skew is 1 then add 1 to num */
5316  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5317  CHECK(secp256k1_scalar_eq(&x, &num));
5318 }
5319 
5320 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5321  * rest is 0.*/
5322 static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5323  int i;
5324  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5325  CHECK(wnaf[i] == 0);
5326  }
5327  for (i = 7; i >= 0; --i) {
5328  CHECK(wnaf[i] == wnaf_expected[i]);
5329  }
5330 }
5331 
5332 static void test_fixed_wnaf_small(void) {
5333  int w = 4;
5334  int wnaf[256] = {0};
5335  int i;
5336  int skew;
5337  secp256k1_scalar num;
5338 
5339  secp256k1_scalar_set_int(&num, 0);
5340  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5341  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5342  int v = wnaf[i];
5343  CHECK(v == 0);
5344  }
5345  CHECK(skew == 0);
5346 
5347  secp256k1_scalar_set_int(&num, 1);
5348  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5349  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5350  int v = wnaf[i];
5351  CHECK(v == 0);
5352  }
5353  CHECK(wnaf[0] == 1);
5354  CHECK(skew == 0);
5355 
5356  {
5357  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5358  secp256k1_scalar_set_int(&num, 0xffffffff);
5359  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5360  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5361  CHECK(skew == 0);
5362  }
5363  {
5364  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5365  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5366  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5367  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5368  CHECK(skew == 1);
5369  }
5370  {
5371  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5372  secp256k1_scalar_set_int(&num, 0x01010101);
5373  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5374  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5375  CHECK(skew == 0);
5376  }
5377  {
5378  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5379  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5380  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5381  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5382  CHECK(skew == 0);
5383  }
5384 }
5385 
5386 static void run_wnaf(void) {
5387  int i;
5388  secp256k1_scalar n;
5389 
5390  /* Test 0 for fixed wnaf */
5392  /* Random tests */
5393  for (i = 0; i < COUNT; i++) {
5394  random_scalar_order(&n);
5395  test_wnaf(&n, 4+(i%10));
5396  test_fixed_wnaf(&n, 4 + (i % 10));
5397  }
5398  secp256k1_scalar_set_int(&n, 0);
5399  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5401  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
5403 }
5404 
5405 static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5406  const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5407  *sc = *indata;
5408  *pt = secp256k1_ge_const_g;
5409  CHECK(idx == 0);
5410  return 1;
5411 }
5412 
5414  /* Compute x*G in 6 different ways, serialize it uncompress