Bitcoin Core  27.99.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #include <stdio.h>
8 #include <stdlib.h>
9 #include <string.h>
10 
11 #include <time.h>
12 
13 #ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14  #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15  #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16 #endif
17 #if defined(VERIFY) && defined(COVERAGE)
18  #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19 #endif
20 #include "secp256k1.c"
21 
22 #include "../include/secp256k1.h"
23 #include "../include/secp256k1_preallocated.h"
24 #include "testrand_impl.h"
25 #include "checkmem.h"
26 #include "testutil.h"
27 #include "util.h"
28 
29 #include "../contrib/lax_der_parsing.c"
30 #include "../contrib/lax_der_privatekey_parsing.c"
31 
32 #include "modinv32_impl.h"
33 #ifdef SECP256K1_WIDEMUL_INT128
34 #include "modinv64_impl.h"
35 #include "int128_impl.h"
36 #endif
37 
38 #define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
39 
40 static int COUNT = 64;
41 static secp256k1_context *CTX = NULL;
42 static secp256k1_context *STATIC_CTX = NULL;
43 
44 static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
45  const unsigned char *p = s;
46  size_t i;
47 
48  for (i = 0; i < n; i++) {
49  if (p[i] != value) {
50  return 0;
51  }
52  }
53  return 1;
54 }
55 
56 #define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \
57  int32_t _calls_to_callback = 0; \
58  secp256k1_callback _saved_callback = ctx->callback; \
59  callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \
60  { expr_or_stmt; } \
61  ctx->callback = _saved_callback; \
62  CHECK(_calls_to_callback == 1); \
63 } while(0);
64 
65 /* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once
66  *
67  * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */
68 #define CHECK_ERROR_VOID(ctx, expr_or_stmt) \
69  CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback)
70 #define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \
71  CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback)
72 
73 /* CHECK that
74  * - expr calls the illegal callback of ctx exactly once and,
75  * - expr == 0 (or equivalently, expr == NULL)
76  *
77  * Useful for checking functions that return an integer or a pointer. */
78 #define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
79 #define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0))
80 
81 static void counting_callback_fn(const char* str, void* data) {
82  /* Dummy callback function that just counts. */
83  int32_t *p;
84  (void)str;
85  p = data;
86  CHECK(*p != INT32_MAX);
87  (*p)++;
88 }
89 
90 static void uncounting_illegal_callback_fn(const char* str, void* data) {
91  /* Dummy callback function that just counts (backwards). */
92  int32_t *p;
93  (void)str;
94  p = data;
95  CHECK(*p != INT32_MIN);
96  (*p)--;
97 }
98 
99 static void random_field_element_magnitude(secp256k1_fe *fe, int m) {
100  secp256k1_fe zero;
101  int n = secp256k1_testrand_int(m + 1);
102  secp256k1_fe_normalize(fe);
103  if (n == 0) {
104  return;
105  }
106  secp256k1_fe_clear(&zero);
107  secp256k1_fe_negate(&zero, &zero, 0);
108  secp256k1_fe_mul_int_unchecked(&zero, n - 1);
109  secp256k1_fe_add(fe, &zero);
110 #ifdef VERIFY
111  CHECK(fe->magnitude == n);
112 #endif
113 }
114 
115 static void random_fe_test(secp256k1_fe *x) {
116  unsigned char bin[32];
117  do {
118  secp256k1_testrand256_test(bin);
119  if (secp256k1_fe_set_b32_limit(x, bin)) {
120  return;
121  }
122  } while(1);
123 }
124 
125 static void random_fe_non_zero_test(secp256k1_fe *fe) {
126  do {
127  random_fe_test(fe);
128  } while(secp256k1_fe_is_zero(fe));
129 }
130 
131 static void random_fe_magnitude(secp256k1_fe *fe) {
132  random_field_element_magnitude(fe, 8);
133 }
134 
135 static void random_ge_x_magnitude(secp256k1_ge *ge) {
136  random_field_element_magnitude(&ge->x, SECP256K1_GE_X_MAGNITUDE_MAX);
137 }
138 
139 static void random_ge_y_magnitude(secp256k1_ge *ge) {
140  random_field_element_magnitude(&ge->y, SECP256K1_GE_Y_MAGNITUDE_MAX);
141 }
142 
143 static void random_gej_x_magnitude(secp256k1_gej *gej) {
144  random_field_element_magnitude(&gej->x, SECP256K1_GEJ_X_MAGNITUDE_MAX);
145 }
146 
147 static void random_gej_y_magnitude(secp256k1_gej *gej) {
148  random_field_element_magnitude(&gej->y, SECP256K1_GEJ_Y_MAGNITUDE_MAX);
149 }
150 
151 static void random_gej_z_magnitude(secp256k1_gej *gej) {
152  random_field_element_magnitude(&gej->z, SECP256K1_GEJ_Z_MAGNITUDE_MAX);
153 }
154 
155 static void random_group_element_test(secp256k1_ge *ge) {
156  secp256k1_fe fe;
157  do {
158  random_fe_test(&fe);
159  if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
160  secp256k1_fe_normalize(&ge->y);
161  break;
162  }
163  } while(1);
164  ge->infinity = 0;
165 }
166 
167 static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
168  secp256k1_fe z2, z3;
169  random_fe_non_zero_test(&gej->z);
170  secp256k1_fe_sqr(&z2, &gej->z);
171  secp256k1_fe_mul(&z3, &z2, &gej->z);
172  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
173  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
174  gej->infinity = ge->infinity;
175 }
176 
177 static void random_gej_test(secp256k1_gej *gej) {
178  secp256k1_ge ge;
179  random_group_element_test(&ge);
180  random_group_element_jacobian_test(gej, &ge);
181 }
182 
183 static void random_scalar_order_test(secp256k1_scalar *num) {
184  do {
185  unsigned char b32[32];
186  int overflow = 0;
187  secp256k1_testrand256_test(b32);
188  secp256k1_scalar_set_b32(num, b32, &overflow);
189  if (overflow || secp256k1_scalar_is_zero(num)) {
190  continue;
191  }
192  break;
193  } while(1);
194 }
195 
196 static void random_scalar_order(secp256k1_scalar *num) {
197  do {
198  unsigned char b32[32];
199  int overflow = 0;
200  secp256k1_testrand256(b32);
201  secp256k1_scalar_set_b32(num, b32, &overflow);
202  if (overflow || secp256k1_scalar_is_zero(num)) {
203  continue;
204  }
205  break;
206  } while(1);
207 }
208 
209 static void random_scalar_order_b32(unsigned char *b32) {
210  secp256k1_scalar num;
211  random_scalar_order(&num);
212  secp256k1_scalar_get_b32(b32, &num);
213 }
214 
215 static void run_xoshiro256pp_tests(void) {
216  {
217  size_t i;
218  /* Sanity check that we run before the actual seeding. */
219  for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
220  CHECK(secp256k1_test_state[i] == 0);
221  }
222  }
223  {
224  int i;
225  unsigned char buf32[32];
226  unsigned char seed16[16] = {
227  'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
228  'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
229  };
230  unsigned char buf32_expected[32] = {
231  0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
232  0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
233  0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
234  0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
235  };
236  secp256k1_testrand_seed(seed16);
237  for (i = 0; i < 17; i++) {
238  secp256k1_testrand256(buf32);
239  }
240  CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
241  }
242 }
243 
244 static void run_selftest_tests(void) {
245  /* Test public API */
246  secp256k1_selftest();
247 }
248 
249 static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) {
250  return a->built == b->built
251  && secp256k1_scalar_eq(&a->blind, &b->blind)
252  && secp256k1_gej_eq_var(&a->initial, &b->initial);
253 }
254 
255 static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
256  return a->declassify == b->declassify
257  && ecmult_gen_context_eq(&a->ecmult_gen_ctx, &b->ecmult_gen_ctx)
258  && a->illegal_callback.fn == b->illegal_callback.fn
259  && a->illegal_callback.data == b->illegal_callback.data
260  && a->error_callback.fn == b->error_callback.fn
261  && a->error_callback.data == b->error_callback.data;
262 }
263 
264 static void run_deprecated_context_flags_test(void) {
265  /* Check that a context created with any of the flags in the flags array is
266  * identical to the NONE context. */
267  unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
268  SECP256K1_CONTEXT_VERIFY,
269  SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY };
270  secp256k1_context *none_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
271  int i;
272  for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
273  secp256k1_context *tmp_ctx;
274  CHECK(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE) == secp256k1_context_preallocated_size(flags[i]));
275  tmp_ctx = secp256k1_context_create(flags[i]);
276  CHECK(context_eq(none_ctx, tmp_ctx));
277  secp256k1_context_destroy(tmp_ctx);
278  }
279  secp256k1_context_destroy(none_ctx);
280 }
281 
282 static void run_ec_illegal_argument_tests(void) {
283  secp256k1_pubkey pubkey;
284  secp256k1_pubkey zero_pubkey;
285  secp256k1_ecdsa_signature sig;
286  unsigned char ctmp[32];
287 
288  /* Setup */
289  memset(ctmp, 1, 32);
290  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
291 
292  /* Verify context-type checking illegal-argument errors. */
293  CHECK_ILLEGAL(STATIC_CTX, secp256k1_ec_pubkey_create(STATIC_CTX, &pubkey, ctmp));
294  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
295  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
296  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
297  CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL));
298  SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
299  CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
300  SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
301  CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
302  CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
303  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
304  CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
305  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
306  CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &pubkey) == 1);
307  CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
308  CHECK_ILLEGAL(STATIC_CTX, secp256k1_ec_pubkey_negate(STATIC_CTX, &zero_pubkey));
309  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_negate(CTX, NULL));
310  CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
311 }
312 
313 static void run_static_context_tests(int use_prealloc) {
314  /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
315  CHECK(secp256k1_context_no_precomp == secp256k1_context_static);
316 
317  {
318  unsigned char seed[32] = {0x17};
319 
320  /* Randomizing secp256k1_context_static is not supported. */
321  CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, seed));
322  CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, NULL));
323 
324  /* Destroying or cloning secp256k1_context_static is not supported. */
325  if (use_prealloc) {
326  CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone_size(STATIC_CTX));
327  {
328  secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
329  CHECK(my_static_ctx != NULL);
330  memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
331  CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone(STATIC_CTX, my_static_ctx));
332  CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
333  free(my_static_ctx);
334  }
335  CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_preallocated_destroy(STATIC_CTX));
336  } else {
337  CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_clone(STATIC_CTX));
338  CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_destroy(STATIC_CTX));
339  }
340  }
341 
342  {
343  /* Verify that setting and resetting illegal callback works */
344  int32_t dummy = 0;
345  secp256k1_context_set_illegal_callback(STATIC_CTX, counting_callback_fn, &dummy);
346  CHECK(STATIC_CTX->illegal_callback.fn == counting_callback_fn);
347  CHECK(STATIC_CTX->illegal_callback.data == &dummy);
348  secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
349  CHECK(STATIC_CTX->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
350  CHECK(STATIC_CTX->illegal_callback.data == NULL);
351  }
352 }
353 
354 static void run_proper_context_tests(int use_prealloc) {
355  int32_t dummy = 0;
356  secp256k1_context *my_ctx, *my_ctx_fresh;
357  void *my_ctx_prealloc = NULL;
358  unsigned char seed[32] = {0x17};
359 
360  secp256k1_gej pubj;
361  secp256k1_ge pub;
362  secp256k1_scalar msg, key, nonce;
363  secp256k1_scalar sigr, sigs;
364 
365  /* Fresh reference context for comparison */
366  my_ctx_fresh = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
367 
368  if (use_prealloc) {
369  my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
370  CHECK(my_ctx_prealloc != NULL);
371  my_ctx = secp256k1_context_preallocated_create(my_ctx_prealloc, SECP256K1_CONTEXT_NONE);
372  } else {
373  my_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
374  }
375 
376  /* Randomize and reset randomization */
377  CHECK(context_eq(my_ctx, my_ctx_fresh));
378  CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
379  CHECK(!context_eq(my_ctx, my_ctx_fresh));
380  CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
381  CHECK(context_eq(my_ctx, my_ctx_fresh));
382 
383  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
384  secp256k1_context_set_error_callback(my_ctx, secp256k1_default_illegal_callback_fn, NULL);
385  CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
386  CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
387 
388  /* check if sizes for cloning are consistent */
389  CHECK(secp256k1_context_preallocated_clone_size(my_ctx) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
390 
391  /*** clone and destroy all of them to make sure cloning was complete ***/
392  {
393  secp256k1_context *ctx_tmp;
394 
395  if (use_prealloc) {
396  /* clone into a non-preallocated context and then again into a new preallocated one. */
397  ctx_tmp = my_ctx;
398  my_ctx = secp256k1_context_clone(my_ctx);
399  CHECK(context_eq(ctx_tmp, my_ctx));
400  secp256k1_context_preallocated_destroy(ctx_tmp);
401 
402  free(my_ctx_prealloc);
403  my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
404  CHECK(my_ctx_prealloc != NULL);
405  ctx_tmp = my_ctx;
406  my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
407  CHECK(context_eq(ctx_tmp, my_ctx));
408  secp256k1_context_destroy(ctx_tmp);
409  } else {
410  /* clone into a preallocated context and then again into a new non-preallocated one. */
411  void *prealloc_tmp;
412 
413  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
414  CHECK(prealloc_tmp != NULL);
415  ctx_tmp = my_ctx;
416  my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
417  CHECK(context_eq(ctx_tmp, my_ctx));
418  secp256k1_context_destroy(ctx_tmp);
419 
420  ctx_tmp = my_ctx;
421  my_ctx = secp256k1_context_clone(my_ctx);
422  CHECK(context_eq(ctx_tmp, my_ctx));
423  secp256k1_context_preallocated_destroy(ctx_tmp);
424  free(prealloc_tmp);
425  }
426  }
427 
428  /* Verify that the error callback makes it across the clone. */
429  CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
430  CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
431  /* And that it resets back to default. */
432  secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
433  CHECK(my_ctx->error_callback.fn == secp256k1_default_error_callback_fn);
434  CHECK(context_eq(my_ctx, my_ctx_fresh));
435 
436  /* Verify that setting and resetting illegal callback works */
437  secp256k1_context_set_illegal_callback(my_ctx, counting_callback_fn, &dummy);
438  CHECK(my_ctx->illegal_callback.fn == counting_callback_fn);
439  CHECK(my_ctx->illegal_callback.data == &dummy);
440  secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
441  CHECK(my_ctx->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
442  CHECK(my_ctx->illegal_callback.data == NULL);
443  CHECK(context_eq(my_ctx, my_ctx_fresh));
444 
445  /*** attempt to use them ***/
446  random_scalar_order_test(&msg);
447  random_scalar_order_test(&key);
448  secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
449  secp256k1_ge_set_gej(&pub, &pubj);
450 
451  /* obtain a working nonce */
452  do {
453  random_scalar_order_test(&nonce);
454  } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
455 
456  /* try signing */
457  CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
458 
459  /* try verifying */
460  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
461 
462  /* cleanup */
463  if (use_prealloc) {
464  secp256k1_context_preallocated_destroy(my_ctx);
465  free(my_ctx_prealloc);
466  } else {
467  secp256k1_context_destroy(my_ctx);
468  }
469  secp256k1_context_destroy(my_ctx_fresh);
470 
471  /* Defined as no-op. */
472  secp256k1_context_destroy(NULL);
473  secp256k1_context_preallocated_destroy(NULL);
474 }
475 
476 static void run_scratch_tests(void) {
477  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
478 
479  size_t checkpoint;
480  size_t checkpoint_2;
481  secp256k1_scratch_space *scratch;
482  secp256k1_scratch_space local_scratch;
483 
484  /* Test public API */
485  scratch = secp256k1_scratch_space_create(CTX, 1000);
486  CHECK(scratch != NULL);
487 
488  /* Test internal API */
489  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
490  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
491  CHECK(scratch->alloc_size == 0);
492  CHECK(scratch->alloc_size % ALIGNMENT == 0);
493 
494  /* Allocating 500 bytes succeeds */
495  checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
496  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
497  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
498  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
499  CHECK(scratch->alloc_size != 0);
500  CHECK(scratch->alloc_size % ALIGNMENT == 0);
501 
502  /* Allocating another 501 bytes fails */
503  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
504  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
505  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
506  CHECK(scratch->alloc_size != 0);
507  CHECK(scratch->alloc_size % ALIGNMENT == 0);
508 
509  /* ...but it succeeds once we apply the checkpoint to undo it */
510  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
511  CHECK(scratch->alloc_size == 0);
512  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
513  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
514  CHECK(scratch->alloc_size != 0);
515 
516  /* try to apply a bad checkpoint */
517  checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
518  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
519  CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */
520  CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */
521 
522  /* try to use badly initialized scratch space */
523  secp256k1_scratch_space_destroy(CTX, scratch);
524  memset(&local_scratch, 0, sizeof(local_scratch));
525  scratch = &local_scratch;
526  CHECK_ERROR(CTX, secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0));
527  CHECK_ERROR(CTX, secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500));
528  CHECK_ERROR_VOID(CTX, secp256k1_scratch_space_destroy(CTX, scratch));
529 
530  /* Test that large integers do not wrap around in a bad way */
531  scratch = secp256k1_scratch_space_create(CTX, 1000);
532  /* Try max allocation with a large number of objects. Only makes sense if
533  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
534  * space. */
535  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
536  /* Try allocating SIZE_MAX to test wrap around which only happens if
537  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
538  * space is too small. */
539  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
540  secp256k1_scratch_space_destroy(CTX, scratch);
541 
542  /* cleanup */
543  secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
544 }
545 
546 static void run_ctz_tests(void) {
547  static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
548  static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
549  int shift;
550  unsigned i;
551  for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
552  for (shift = 0; shift < 32; ++shift) {
553  CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
554  CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
555  }
556  }
557  for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
558  for (shift = 0; shift < 64; ++shift) {
559  CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
560  CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
561  }
562  }
563 }
564 
565 /***** HASH TESTS *****/
566 
567 static void run_sha256_known_output_tests(void) {
568  static const char *inputs[] = {
569  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
570  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
571  "For this sample, this 63-byte string will be used as input data",
572  "This is exactly 64 bytes long, not counting the terminating byte",
573  "aaaaa",
574  };
575  static const unsigned int repeat[] = {
576  1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
577  };
578  static const unsigned char outputs[][32] = {
579  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
580  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
581  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
582  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
583  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
584  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
585  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
586  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
587  {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
588  };
589  unsigned int i, ninputs;
590 
591  /* Skip last input vector for low iteration counts */
592  ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
593  CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
594 
595  for (i = 0; i < ninputs; i++) {
596  unsigned char out[32];
597  secp256k1_sha256 hasher;
598  unsigned int j;
599  /* 1. Run: simply write the input bytestrings */
600  j = repeat[i];
601  secp256k1_sha256_initialize(&hasher);
602  while (j > 0) {
603  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
604  j--;
605  }
606  secp256k1_sha256_finalize(&hasher, out);
607  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
608  /* 2. Run: split the input bytestrings randomly before writing */
609  if (strlen(inputs[i]) > 0) {
610  int split = secp256k1_testrand_int(strlen(inputs[i]));
611  secp256k1_sha256_initialize(&hasher);
612  j = repeat[i];
613  while (j > 0) {
614  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
615  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
616  j--;
617  }
618  secp256k1_sha256_finalize(&hasher, out);
619  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
620  }
621  }
622 }
623 
668 static void run_sha256_counter_tests(void) {
669  static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
670  static const secp256k1_sha256 midstates[] = {
671  {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
672  {0x00}, 0xfffc0},
673  {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
674  {0x00}, 0x1fffc0},
675  {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
676  {0x00}, 0x3fffc0},
677  {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
678  {0x00}, 0x7fffc0},
679  {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
680  {0x00}, 0xffffc0},
681  {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
682  {0x00}, 0x1ffffc0},
683  {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
684  {0x00}, 0x3ffffc0},
685  {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
686  {0x00}, 0x7ffffc0},
687  {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
688  {0x00}, 0xfffffc0},
689  {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
690  {0x00}, 0x1fffffc0},
691  {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
692  {0x00}, 0x3fffffc0},
693  {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
694  {0x00}, 0x7fffffc0},
695  {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
696  {0x00}, 0xffffffc0},
697  {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
698  {0x00}, 0x1ffffffc0},
699  };
700  static const unsigned char outputs[][32] = {
701  {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
702  {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
703  {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
704  {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
705  {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
706  {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
707  {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
708  {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
709  {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
710  {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
711  {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
712  {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
713  {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
714  {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
715  };
716  unsigned int i;
717  for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
718  unsigned char out[32];
719  secp256k1_sha256 hasher = midstates[i];
720  secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
721  secp256k1_sha256_finalize(&hasher, out);
722  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
723  }
724 }
725 
726 /* Tests for the equality of two sha256 structs. This function only produces a
727  * correct result if an integer multiple of 64 many bytes have been written
728  * into the hash functions. This function is used by some module tests. */
729 static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
730  /* Is buffer fully consumed? */
731  CHECK((sha1->bytes & 0x3F) == 0);
732 
733  CHECK(sha1->bytes == sha2->bytes);
734  CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
735 }
736 
737 static void run_hmac_sha256_tests(void) {
738  static const char *keys[6] = {
739  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
740  "\x4a\x65\x66\x65",
741  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
742  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
743  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
744  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
745  };
746  static const char *inputs[6] = {
747  "\x48\x69\x20\x54\x68\x65\x72\x65",
748  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
749  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
750  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
751  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
752  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
753  };
754  static const unsigned char outputs[6][32] = {
755  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
756  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
757  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
758  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
759  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
760  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
761  };
762  int i;
763  for (i = 0; i < 6; i++) {
764  secp256k1_hmac_sha256 hasher;
765  unsigned char out[32];
766  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
767  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
768  secp256k1_hmac_sha256_finalize(&hasher, out);
769  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
770  if (strlen(inputs[i]) > 0) {
771  int split = secp256k1_testrand_int(strlen(inputs[i]));
772  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
773  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
774  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
775  secp256k1_hmac_sha256_finalize(&hasher, out);
776  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
777  }
778  }
779 }
780 
781 static void run_rfc6979_hmac_sha256_tests(void) {
782  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
783  static const unsigned char out1[3][32] = {
784  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
785  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
786  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
787  };
788 
789  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
790  static const unsigned char out2[3][32] = {
791  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
792  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
793  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
794  };
795 
796  secp256k1_rfc6979_hmac_sha256 rng;
797  unsigned char out[32];
798  int i;
799 
800  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
801  for (i = 0; i < 3; i++) {
802  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
803  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
804  }
805  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
806 
807  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
808  for (i = 0; i < 3; i++) {
809  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
810  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
811  }
812  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
813 
814  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
815  for (i = 0; i < 3; i++) {
816  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
817  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
818  }
819  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
820 }
821 
822 static void run_tagged_sha256_tests(void) {
823  unsigned char tag[32] = { 0 };
824  unsigned char msg[32] = { 0 };
825  unsigned char hash32[32];
826  unsigned char hash_expected[32] = {
827  0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
828  0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
829  0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
830  0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
831  };
832 
833  /* API test */
834  CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
835  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)));
836  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)));
837  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0));
838 
839  /* Static test vector */
840  memcpy(tag, "tag", 3);
841  memcpy(msg, "msg", 3);
842  CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
843  CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
844 }
845 
846 /***** MODINV TESTS *****/
847 
848 /* Compute the modular inverse of (odd) x mod 2^64. */
849 static uint64_t modinv2p64(uint64_t x) {
850  /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
851  * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
852  * why. Start with L=0, for which it is true for every odd x that
853  * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
854  int l;
855  uint64_t w = 1;
856  CHECK(x & 1);
857  for (l = 0; l < 6; ++l) w *= (2 - w*x);
858  return w;
859 }
860 
861 
862 /* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
863  *
864  * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
865  * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
866 static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
867  uint16_t mul[32];
868  uint64_t c = 0;
869  int i, j;
870  int m_bitlen = 0;
871  int mul_bitlen = 0;
872 
873  if (b != NULL) {
874  /* Compute the product of a and b, and put it in mul. */
875  for (i = 0; i < 32; ++i) {
876  for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
877  c += (uint64_t)a[j] * b[i - j];
878  }
879  mul[i] = c & 0xFFFF;
880  c >>= 16;
881  }
882  CHECK(c == 0);
883 
884  /* compute the highest set bit in mul */
885  for (i = 511; i >= 0; --i) {
886  if ((mul[i >> 4] >> (i & 15)) & 1) {
887  mul_bitlen = i;
888  break;
889  }
890  }
891  } else {
892  /* if b==NULL, set mul=a. */
893  memcpy(mul, a, 32);
894  memset(mul + 16, 0, 32);
895  /* compute the highest set bit in mul */
896  for (i = 255; i >= 0; --i) {
897  if ((mul[i >> 4] >> (i & 15)) & 1) {
898  mul_bitlen = i;
899  break;
900  }
901  }
902  }
903 
904  if (m) {
905  /* Compute the highest set bit in m. */
906  for (i = 255; i >= 0; --i) {
907  if ((m[i >> 4] >> (i & 15)) & 1) {
908  m_bitlen = i;
909  break;
910  }
911  }
912 
913  /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
914  for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
915  uint16_t mul2[32];
916  int64_t cs;
917 
918  /* Compute mul2 = mul - m<<i. */
919  cs = 0; /* accumulator */
920  for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
921  /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
922  uint16_t sub = 0;
923  int p;
924  for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
925  int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
926  if (bitpos >= 0 && bitpos < 256) {
927  sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
928  }
929  }
930  /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
931  cs += mul[j];
932  cs -= sub;
933  mul2[j] = (cs & 0xFFFF);
934  cs >>= 16;
935  }
936  /* If remainder of subtraction is 0, set mul = mul2. */
937  if (cs == 0) {
938  memcpy(mul, mul2, sizeof(mul));
939  }
940  }
941  /* Sanity check: test that all limbs higher than m's highest are zero */
942  for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
943  CHECK(mul[i] == 0);
944  }
945  }
946  memcpy(out, mul, 32);
947 }
948 
949 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
950 static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
951  int i;
952  memset(out->v, 0, sizeof(out->v));
953  for (i = 0; i < 256; ++i) {
954  out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
955  }
956 }
957 
958 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
959 static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
960  int i;
961  memset(out, 0, 32);
962  for (i = 0; i < 256; ++i) {
963  out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
964  }
965 }
966 
967 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
968 static void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
969  int i;
970  for (i = 0; i < 16; ++i) {
971  int pos = secp256k1_testrand_bits(3);
972  if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
973  x->v[pos] -= 0x40000000;
974  x->v[pos + 1] += 1;
975  } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
976  x->v[pos] += 0x40000000;
977  x->v[pos + 1] -= 1;
978  }
979  }
980 }
981 
982 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
983 static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
984  uint16_t tmp[16];
985  secp256k1_modinv32_signed30 x;
986  secp256k1_modinv32_modinfo m;
987  int i, vartime, nonzero;
988 
989  uint16_to_signed30(&x, in);
990  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
991  uint16_to_signed30(&m.modulus, mod);
992 
993  /* compute 1/modulus mod 2^30 */
994  m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
995  CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
996 
997  /* Test secp256k1_jacobi32_maybe_var. */
998  if (nonzero) {
999  int jac;
1000  uint16_t sqr[16], negone[16];
1001  mulmod256(sqr, in, in, mod);
1002  uint16_to_signed30(&x, sqr);
1003  /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1004  jac = secp256k1_jacobi32_maybe_var(&x, &m);
1005  CHECK(jac == 0 || jac == 1);
1006  /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1007  * jacobi symbols if and only if (mod % 4) == 3. */
1008  negone[0] = mod[0] - 1;
1009  for (i = 1; i < 16; ++i) negone[i] = mod[i];
1010  mulmod256(sqr, sqr, negone, mod);
1011  uint16_to_signed30(&x, sqr);
1012  jac = secp256k1_jacobi32_maybe_var(&x, &m);
1013  CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1014  }
1015 
1016  uint16_to_signed30(&x, in);
1017  mutate_sign_signed30(&m.modulus);
1018  for (vartime = 0; vartime < 2; ++vartime) {
1019  /* compute inverse */
1020  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1021 
1022  /* produce output */
1023  signed30_to_uint16(out, &x);
1024 
1025  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1026  mulmod256(tmp, out, in, mod);
1027  CHECK(tmp[0] == nonzero);
1028  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1029 
1030  /* invert again */
1031  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1032 
1033  /* check if the result is equal to the input */
1034  signed30_to_uint16(tmp, &x);
1035  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1036  }
1037 }
1038 
1039 #ifdef SECP256K1_WIDEMUL_INT128
1040 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1041 static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1042  int i;
1043  memset(out->v, 0, sizeof(out->v));
1044  for (i = 0; i < 256; ++i) {
1045  out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1046  }
1047 }
1048 
1049 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1050 static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1051  int i;
1052  memset(out, 0, 32);
1053  for (i = 0; i < 256; ++i) {
1054  out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1055  }
1056 }
1057 
1058 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1059 static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1060  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1061  int i;
1062  for (i = 0; i < 8; ++i) {
1063  int pos = secp256k1_testrand_bits(2);
1064  if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1065  x->v[pos] -= (M62 + 1);
1066  x->v[pos + 1] += 1;
1067  } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1068  x->v[pos] += (M62 + 1);
1069  x->v[pos + 1] -= 1;
1070  }
1071  }
1072 }
1073 
1074 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1075 static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1076  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1077  uint16_t tmp[16];
1078  secp256k1_modinv64_signed62 x;
1079  secp256k1_modinv64_modinfo m;
1080  int i, vartime, nonzero;
1081 
1082  uint16_to_signed62(&x, in);
1083  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1084  uint16_to_signed62(&m.modulus, mod);
1085 
1086  /* compute 1/modulus mod 2^62 */
1087  m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1088  CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1089 
1090  /* Test secp256k1_jacobi64_maybe_var. */
1091  if (nonzero) {
1092  int jac;
1093  uint16_t sqr[16], negone[16];
1094  mulmod256(sqr, in, in, mod);
1095  uint16_to_signed62(&x, sqr);
1096  /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1097  jac = secp256k1_jacobi64_maybe_var(&x, &m);
1098  CHECK(jac == 0 || jac == 1);
1099  /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1100  * jacobi symbols if and only if (mod % 4) == 3. */
1101  negone[0] = mod[0] - 1;
1102  for (i = 1; i < 16; ++i) negone[i] = mod[i];
1103  mulmod256(sqr, sqr, negone, mod);
1104  uint16_to_signed62(&x, sqr);
1105  jac = secp256k1_jacobi64_maybe_var(&x, &m);
1106  CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1107  }
1108 
1109  uint16_to_signed62(&x, in);
1110  mutate_sign_signed62(&m.modulus);
1111  for (vartime = 0; vartime < 2; ++vartime) {
1112  /* compute inverse */
1113  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1114 
1115  /* produce output */
1116  signed62_to_uint16(out, &x);
1117 
1118  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1119  mulmod256(tmp, out, in, mod);
1120  CHECK(tmp[0] == nonzero);
1121  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1122 
1123  /* invert again */
1124  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1125 
1126  /* check if the result is equal to the input */
1127  signed62_to_uint16(tmp, &x);
1128  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1129  }
1130 }
1131 #endif
1132 
1133 /* test if a and b are coprime */
1134 static int coprime(const uint16_t* a, const uint16_t* b) {
1135  uint16_t x[16], y[16], t[16];
1136  int i;
1137  int iszero;
1138  memcpy(x, a, 32);
1139  memcpy(y, b, 32);
1140 
1141  /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1142  while (1) {
1143  iszero = 1;
1144  for (i = 0; i < 16; ++i) {
1145  if (x[i] != 0) {
1146  iszero = 0;
1147  break;
1148  }
1149  }
1150  if (iszero) break;
1151  mulmod256(t, y, NULL, x);
1152  memcpy(y, x, 32);
1153  memcpy(x, t, 32);
1154  }
1155 
1156  /* return whether y=1 */
1157  if (y[0] != 1) return 0;
1158  for (i = 1; i < 16; ++i) {
1159  if (y[i] != 0) return 0;
1160  }
1161  return 1;
1162 }
1163 
1164 static void run_modinv_tests(void) {
1165  /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1166  static const uint16_t CASES[][3][16] = {
1167  /* Test cases triggering edge cases in divsteps */
1168 
1169  /* Test case known to need 713 divsteps */
1170  {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1171  0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1172  {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1173  0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1174  {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1175  0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1176  /* Test case known to need 589 divsteps, reaching delta=-140 and
1177  delta=141. */
1178  {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1179  0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1180  {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1181  0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1182  {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1183  0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1184  /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1185  {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1186  0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1187  {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1188  0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1189  {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1190  0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1191  /* example needing 713 divsteps; delta=-2..3 */
1192  {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1193  0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1194  {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1195  0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1196  {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1197  0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1198  /* example needing 713 divsteps; delta=-2..3 */
1199  {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1200  0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1201  {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1202  0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1203  {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1204  0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1205  /* example needing 713 divsteps; delta=-2..3 */
1206  {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1207  0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1208  {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1209  0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1210  {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1211  0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1212  /* example reaching delta=-64..65; 661 divsteps */
1213  {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1214  0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1215  {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1216  0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1217  {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1218  0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1219  /* example reaching delta=-64..65; 661 divsteps */
1220  {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1221  0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1222  {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1223  0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1224  {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1225  0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1226  /* example reaching delta=-64..65; 661 divsteps */
1227  {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1228  0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1229  {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1230  0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1231  {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1232  0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1233  /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1234  {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1235  0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1236  {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1237  0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1238  {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1239  0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1240  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1241  {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1242  0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1243  {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1244  0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1245  {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1246  0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1247  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1248  {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1249  0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1250  {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1251  0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1252  {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1253  0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1254  /* example doing 446 (f,g/2) steps; 523 divsteps */
1255  {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1256  0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1257  {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1258  0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1259  {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1260  0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1261  /* example doing 446 (f,g/2) steps; 523 divsteps */
1262  {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1263  0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1264  {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1265  0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1266  {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1267  0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1268  /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1269  {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1270  0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1271  {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1272  0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1273  {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1274  0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1275  /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1276  {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1277  0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1278  {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1279  0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1280  {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1281  0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1282  /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1283  {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1284  0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1285  {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1286  0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1287  {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1288  0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1289  /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1290  {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1291  0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1292  {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1293  0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1294  {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1295  0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1296 
1297  /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1298 
1299  /* example needing 590 divsteps; delta=-5/2..7/2 */
1300  {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1301  0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1302  {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1303  0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1304  {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1305  0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1306  /* example needing 590 divsteps; delta=-3/2..5/2 */
1307  {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1308  0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1309  {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1310  0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1311  {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1312  0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1313  /* example needing 590 divsteps; delta=-3/2..5/2 */
1314  {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1315  0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1316  {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1317  0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1318  {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1319  0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1320  /* example needing 590 divsteps; delta=-5/2..7/2 */
1321  {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1322  0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1323  {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1324  0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1325  {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1326  0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1327  /* example needing 590 divsteps; delta=-3/2..5/2 */
1328  {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1329  0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1330  {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1331  0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1332  {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1333  0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1334  /* example reaching delta=-127/2..129/2; 571 divsteps */
1335  {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1336  0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1337  {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1338  0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1339  {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1340  0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1341  /* example reaching delta=-127/2..129/2; 571 divsteps */
1342  {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1343  0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1344  {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1345  0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1346  {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1347  0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1348  /* example reaching delta=-127/2..129/2; 571 divsteps */
1349  {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1350  0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1351  {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1352  0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1353  {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1354  0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1355  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1356  {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1357  0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1358  {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1359  0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1360  {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1361  0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1362  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1363  {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1364  0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1365  {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1366  0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1367  {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1368  0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1369  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1370  {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1371  0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1372  {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1373  0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1374  {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1375  0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1376  /* example doing 453 (f,g/2) steps; 514 divsteps */
1377  {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1378  0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1379  {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1380  0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1381  {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1382  0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1383  /* example doing 453 (f,g/2) steps; 514 divsteps */
1384  {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1385  0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1386  {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1387  0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1388  {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1389  0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1390  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1391  {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1392  0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1393  {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1394  0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1395  {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1396  0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1397  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1398  {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1399  0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1400  {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1401  0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1402  {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1403  0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1404  /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1405  {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1406  0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1407  {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1408  0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1409  {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1410  0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1411  /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1412  {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1413  0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1414  {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1415  0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1416  {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1417  0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1418 
1419  /* Test cases with the group order as modulus. */
1420 
1421  /* Test case with the group order as modulus, needing 635 divsteps. */
1422  {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1423  0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1424  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1425  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1426  {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1427  0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1428  /* example with group size as modulus needing 631 divsteps */
1429  {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1430  0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1431  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1432  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1433  {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1434  0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1435  /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1436  {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1437  0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1438  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1439  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1440  {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1441  0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1442  /* Test case with the group size as modulus, needing 981 divsteps with
1443  broken eta handling. */
1444  {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1445  0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1446  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1447  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1448  {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1449  0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1450  /* Test case with the group size as modulus, input = 0. */
1451  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1452  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1453  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1454  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1455  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1456  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1457  /* Test case with the group size as modulus, input = 1. */
1458  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1459  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1460  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1461  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1462  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1463  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1464  /* Test case with the group size as modulus, input = 2. */
1465  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1466  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1467  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1468  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1469  {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1470  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1471  /* Test case with the group size as modulus, input = group - 1. */
1472  {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1473  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1474  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1475  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1476  {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1477  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1478 
1479  /* Test cases with the field size as modulus. */
1480 
1481  /* Test case with the field size as modulus, needing 637 divsteps. */
1482  {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1483  0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1484  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1485  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1486  {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1487  0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1488  /* example with field size as modulus needing 637 divsteps */
1489  {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1490  0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1491  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1492  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1493  {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1494  0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1495  /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1496  {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1497  0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1498  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1499  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1500  {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1501  0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1502  /* Test case with the field size as modulus, needing 935 divsteps with
1503  broken eta handling. */
1504  {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1505  0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1506  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1507  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1508  {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1509  0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1510  /* Test case with the field size as modulus, input = 0. */
1511  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1512  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1513  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1514  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1515  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1516  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1517  /* Test case with the field size as modulus, input = 1. */
1518  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1519  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1520  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1521  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1522  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1523  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1524  /* Test case with the field size as modulus, input = 2. */
1525  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1526  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1527  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1528  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1529  {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1530  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1531  /* Test case with the field size as modulus, input = field - 1. */
1532  {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1533  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1534  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1535  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1536  {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1537  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1538 
1539  /* Selected from a large number of random inputs to reach small/large
1540  * d/e values in various configurations. */
1541  {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1542  0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1543  {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1544  0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1545  {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1546  0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1547  {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1548  0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1549  {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1550  0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1551  {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1552  0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1553  {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1554  0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1555  {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1556  0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1557  {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1558  0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1559  {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1560  0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1561  {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1562  0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1563  {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1564  0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1565  {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1566  0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1567  {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1568  0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1569  {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1570  0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1571  {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1572  0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1573  {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1574  0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1575  {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1576  0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1577  {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1578  0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1579  {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1580  0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1581  {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1582  0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1583  {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1584  0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1585  {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1586  0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1587  {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1588  0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1589  {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1590  0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1591  {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1592  0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1593  {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1594  0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1595  {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1596  0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1597  {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1598  0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1599  {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1600  0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1601  {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1602  0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1603  {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1604  0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1605  {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1606  0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1607  {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1608  0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1609  {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1610  0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1611  {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1612  0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1613  {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1614  0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1615  {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1616  0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1617  {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1618  0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1619  {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1620  0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1621  {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1622  0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1623  {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1624  0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1625  {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1626  0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1627  {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1628  0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1629  {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1630  0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1631  {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1632  0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1633  {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1634  0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1635  {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1636  0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1637  {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1638  0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1639  {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1640  0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1641  {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1642  0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1643  {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1644  0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1645  {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1646  0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1647  {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1648  0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1649  {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1650  0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1651  {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1652  0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1653  {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1654  0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1655  {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1656  0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1657  {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1658  0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1659  {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1660  0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1661  {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1662  0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1663  {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1664  0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1665  {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1666  0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1667  {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1668  0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1669  {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1670  0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1671  {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1672  0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1673  {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1674  0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1675  {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1676  0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1677  {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1678  0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1679  {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1680  0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1681  {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1682  0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1683  {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1684  0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1685  {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1686  0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1687  {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1688  0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1689  {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1690  0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1691  {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1692  0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1693  {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1694  0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1695  {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1696  0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1697  {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1698  0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1699  {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1700  0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1701  {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1702  0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1703  {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1704  0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1705  {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1706  0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1707  {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1708  0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1709  {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1710  0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1711  {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1712  0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1713  {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1714  0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1715  {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1716  0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1717  {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1718  0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1719  {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1720  0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1721  {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1722  0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1723  {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1724  0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1725  {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1726  0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1727  {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1728  0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1729  {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1730  0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1731  {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1732  0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1733  {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1734  0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1735  {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1736  0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1737  {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1738  0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1739  {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1740  0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1741  {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1742  0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1743  {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1744  0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1745  {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1746  0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1747  {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1748  0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1749  {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1750  0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1751  };
1752 
1753  int i, j, ok;
1754 
1755  /* Test known inputs/outputs */
1756  for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1757  uint16_t out[16];
1758  test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1759  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1760 #ifdef SECP256K1_WIDEMUL_INT128
1761  test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1762  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1763 #endif
1764  }
1765 
1766  for (i = 0; i < 100 * COUNT; ++i) {
1767  /* 256-bit numbers in 16-uint16_t's notation */
1768  static const uint16_t ZERO[16] = {0};
1769  uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1770  uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1771  uint16_t id[16]; /* the inverse of xd mod md */
1772 
1773  /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1774  do {
1775  /* generate random xd and md (with many subsequent 0s and 1s) */
1776  secp256k1_testrand256_test((unsigned char*)xd);
1777  secp256k1_testrand256_test((unsigned char*)md);
1778  md[0] |= 1; /* modulus must be odd */
1779  /* If modulus is 1, find another one. */
1780  ok = md[0] != 1;
1781  for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1782  mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1783  } while (!(ok && coprime(xd, md)));
1784 
1785  test_modinv32_uint16(id, xd, md);
1786 #ifdef SECP256K1_WIDEMUL_INT128
1787  test_modinv64_uint16(id, xd, md);
1788 #endif
1789 
1790  /* In a few cases, also test with input=0 */
1791  if (i < COUNT) {
1792  test_modinv32_uint16(id, ZERO, md);
1793 #ifdef SECP256K1_WIDEMUL_INT128
1794  test_modinv64_uint16(id, ZERO, md);
1795 #endif
1796  }
1797  }
1798 }
1799 
1800 /***** INT128 TESTS *****/
1801 
1802 #ifdef SECP256K1_WIDEMUL_INT128
1803 /* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1804 static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1805  int i;
1806  uint32_t carry = 0;
1807  for (i = 0; i < 16; ++i) {
1808  carry += a[i];
1809  carry += b[i];
1810  out[i] = carry;
1811  carry >>= 16;
1812  }
1813 }
1814 
1815 /* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1816 static void neg256(uint16_t* out, const uint16_t* a) {
1817  int i;
1818  uint32_t carry = 1;
1819  for (i = 0; i < 16; ++i) {
1820  carry += (uint16_t)~a[i];
1821  out[i] = carry;
1822  carry >>= 16;
1823  }
1824 }
1825 
1826 /* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1827 static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1828  uint16_t sign = sign_extend && (a[15] >> 15);
1829  int i, j;
1830  for (i = 15; i >= 0; --i) {
1831  uint16_t v = 0;
1832  for (j = 0; j < 16; ++j) {
1833  int frompos = i*16 + j + n;
1834  if (frompos >= 256) {
1835  v |= sign << j;
1836  } else {
1837  v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1838  }
1839  }
1840  out[i] = v;
1841  }
1842 }
1843 
1844 /* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1845 static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1846  int i;
1847  uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1848  for (i = 0; i < 4; ++i) {
1849  out[i] = v >> (16 * i);
1850  }
1851  for (i = 4; i < 16; ++i) {
1852  out[i] = sign;
1853  }
1854 }
1855 
1856 /* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1857 static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1858  int i;
1859  uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1860  for (i = 0; i < 4; ++i) {
1861  out[i] = lo >> (16 * i);
1862  }
1863  for (i = 4; i < 8; ++i) {
1864  out[i] = hi >> (16 * (i - 4));
1865  }
1866  for (i = 8; i < 16; ++i) {
1867  out[i] = sign;
1868  }
1869 }
1870 
1871 /* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1872 static int int256is127(const uint16_t* v) {
1873  int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1874  int i;
1875  for (i = 8; i < 16; ++i) {
1876  if (v[i] != 0) all_0 = 0;
1877  if (v[i] != 0xffff) all_1 = 0;
1878  }
1879  return all_0 || all_1;
1880 }
1881 
1882 static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1883  uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1884  load256two64(out, hi, lo, 0);
1885 }
1886 
1887 static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1888  uint64_t lo;
1889  int64_t hi;
1890  secp256k1_int128 c = *v;
1891  lo = secp256k1_i128_to_u64(&c);
1892  secp256k1_i128_rshift(&c, 64);
1893  hi = secp256k1_i128_to_i64(&c);
1894  load256two64(out, hi, lo, 1);
1895 }
1896 
1897 static void run_int128_test_case(void) {
1898  unsigned char buf[32];
1899  uint64_t v[4];
1900  secp256k1_int128 swa, swz;
1901  secp256k1_uint128 uwa, uwz;
1902  uint64_t ub, uc;
1903  int64_t sb, sc;
1904  uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1905  uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1906  int i;
1907 
1908  /* Generate 32-byte random value. */
1909  secp256k1_testrand256_test(buf);
1910  /* Convert into 4 64-bit integers. */
1911  for (i = 0; i < 4; ++i) {
1912  uint64_t vi = 0;
1913  int j;
1914  for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1915  v[i] = vi;
1916  }
1917  /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1918  secp256k1_u128_load(&uwa, v[1], v[0]);
1919  secp256k1_i128_load(&swa, v[1], v[0]);
1920  ub = v[2];
1921  sb = v[2];
1922  uc = v[3];
1923  sc = v[3];
1924  /* Load those also into 16-bit array representations. */
1925  load256u128(ruwa, &uwa);
1926  load256i128(rswa, &swa);
1927  load256u64(rub, ub, 0);
1928  load256u64(rsb, sb, 1);
1929  load256u64(ruc, uc, 0);
1930  load256u64(rsc, sc, 1);
1931  /* test secp256k1_u128_mul */
1932  mulmod256(ruwr, rub, ruc, NULL);
1933  secp256k1_u128_mul(&uwz, ub, uc);
1934  load256u128(ruwz, &uwz);
1935  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1936  /* test secp256k1_u128_accum_mul */
1937  mulmod256(ruwr, rub, ruc, NULL);
1938  add256(ruwr, ruwr, ruwa);
1939  uwz = uwa;
1940  secp256k1_u128_accum_mul(&uwz, ub, uc);
1941  load256u128(ruwz, &uwz);
1942  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1943  /* test secp256k1_u128_accum_u64 */
1944  add256(ruwr, rub, ruwa);
1945  uwz = uwa;
1946  secp256k1_u128_accum_u64(&uwz, ub);
1947  load256u128(ruwz, &uwz);
1948  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1949  /* test secp256k1_u128_rshift */
1950  rshift256(ruwr, ruwa, uc % 128, 0);
1951  uwz = uwa;
1952  secp256k1_u128_rshift(&uwz, uc % 128);
1953  load256u128(ruwz, &uwz);
1954  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1955  /* test secp256k1_u128_to_u64 */
1956  CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1957  /* test secp256k1_u128_hi_u64 */
1958  CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1959  /* test secp256k1_u128_from_u64 */
1960  secp256k1_u128_from_u64(&uwz, ub);
1961  load256u128(ruwz, &uwz);
1962  CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1963  /* test secp256k1_u128_check_bits */
1964  {
1965  int uwa_bits = 0;
1966  int j;
1967  for (j = 0; j < 128; ++j) {
1968  if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
1969  }
1970  for (j = 0; j < 128; ++j) {
1971  CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
1972  }
1973  }
1974  /* test secp256k1_i128_mul */
1975  mulmod256(rswr, rsb, rsc, NULL);
1976  secp256k1_i128_mul(&swz, sb, sc);
1977  load256i128(rswz, &swz);
1978  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1979  /* test secp256k1_i128_accum_mul */
1980  mulmod256(rswr, rsb, rsc, NULL);
1981  add256(rswr, rswr, rswa);
1982  if (int256is127(rswr)) {
1983  swz = swa;
1984  secp256k1_i128_accum_mul(&swz, sb, sc);
1985  load256i128(rswz, &swz);
1986  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1987  }
1988  /* test secp256k1_i128_det */
1989  {
1990  uint16_t rsd[16], rse[16], rst[32];
1991  int64_t sd = v[0], se = v[1];
1992  load256u64(rsd, sd, 1);
1993  load256u64(rse, se, 1);
1994  mulmod256(rst, rsc, rsd, NULL);
1995  neg256(rst, rst);
1996  mulmod256(rswr, rsb, rse, NULL);
1997  add256(rswr, rswr, rst);
1998  secp256k1_i128_det(&swz, sb, sc, sd, se);
1999  load256i128(rswz, &swz);
2000  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2001  }
2002  /* test secp256k1_i128_rshift */
2003  rshift256(rswr, rswa, uc % 127, 1);
2004  swz = swa;
2005  secp256k1_i128_rshift(&swz, uc % 127);
2006  load256i128(rswz, &swz);
2007  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2008  /* test secp256k1_i128_to_u64 */
2009  CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
2010  /* test secp256k1_i128_from_i64 */
2011  secp256k1_i128_from_i64(&swz, sb);
2012  load256i128(rswz, &swz);
2013  CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
2014  /* test secp256k1_i128_to_i64 */
2015  CHECK(secp256k1_i128_to_i64(&swz) == sb);
2016  /* test secp256k1_i128_eq_var */
2017  {
2018  int expect = (uc & 1);
2019  swz = swa;
2020  if (!expect) {
2021  /* Make sure swz != swa */
2022  uint64_t v0c = v[0], v1c = v[1];
2023  if (ub & 64) {
2024  v1c ^= (((uint64_t)1) << (ub & 63));
2025  } else {
2026  v0c ^= (((uint64_t)1) << (ub & 63));
2027  }
2028  secp256k1_i128_load(&swz, v1c, v0c);
2029  }
2030  CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
2031  }
2032  /* test secp256k1_i128_check_pow2 (sign == 1) */
2033  {
2034  int expect = (uc & 1);
2035  int pos = ub % 127;
2036  if (expect) {
2037  /* If expect==1, set swz to exactly 2^pos. */
2038  uint64_t hi = 0;
2039  uint64_t lo = 0;
2040  if (pos >= 64) {
2041  hi = (((uint64_t)1) << (pos & 63));
2042  } else {
2043  lo = (((uint64_t)1) << (pos & 63));
2044  }
2045  secp256k1_i128_load(&swz, hi, lo);
2046  } else {
2047  /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
2048  if (pos >= 64) {
2049  if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
2050  } else {
2051  if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
2052  }
2053  swz = swa;
2054  }
2055  CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
2056  }
2057  /* test secp256k1_i128_check_pow2 (sign == -1) */
2058  {
2059  int expect = (uc & 1);
2060  int pos = ub % 127;
2061  if (expect) {
2062  /* If expect==1, set swz to exactly -2^pos. */
2063  uint64_t hi = ~(uint64_t)0;
2064  uint64_t lo = ~(uint64_t)0;
2065  if (pos >= 64) {
2066  hi <<= (pos & 63);
2067  lo = 0;
2068  } else {
2069  lo <<= (pos & 63);
2070  }
2071  secp256k1_i128_load(&swz, hi, lo);
2072  } else {
2073  /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
2074  if (pos >= 64) {
2075  if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
2076  } else {
2077  if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
2078  }
2079  swz = swa;
2080  }
2081  CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
2082  }
2083 }
2084 
2085 static void run_int128_tests(void) {
2086  { /* secp256k1_u128_accum_mul */
2087  secp256k1_uint128 res;
2088 
2089  /* Check secp256k1_u128_accum_mul overflow */
2090  secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
2091  secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
2092  CHECK(secp256k1_u128_to_u64(&res) == 2);
2093  CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
2094  }
2095  { /* secp256k1_u128_accum_mul */
2096  secp256k1_int128 res;
2097 
2098  /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
2099  secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
2100  secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
2101  CHECK(secp256k1_i128_to_u64(&res) == 2);
2102  secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
2103  secp256k1_i128_accum_mul(&res, 1, 1);
2104  CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2105  secp256k1_i128_rshift(&res, 64);
2106  CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2107 
2108  /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2109  secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2110  CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2111  secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2112  CHECK(secp256k1_i128_to_u64(&res) == 0);
2113  secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2114  CHECK(secp256k1_i128_to_u64(&res) == 0);
2115  secp256k1_i128_rshift(&res, 64);
2116  CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2117  }
2118  {
2119  /* Randomized tests. */
2120  int i;
2121  for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2122  }
2123 }
2124 #endif
2125 
2126 /***** SCALAR TESTS *****/
2127 
2128 static void scalar_test(void) {
2129  secp256k1_scalar s;
2130  secp256k1_scalar s1;
2131  secp256k1_scalar s2;
2132  unsigned char c[32];
2133 
2134  /* Set 's' to a random scalar, with value 'snum'. */
2135  random_scalar_order_test(&s);
2136 
2137  /* Set 's1' to a random scalar, with value 's1num'. */
2138  random_scalar_order_test(&s1);
2139 
2140  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2141  random_scalar_order_test(&s2);
2142  secp256k1_scalar_get_b32(c, &s2);
2143 
2144  {
2145  int i;
2146  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2147  secp256k1_scalar n;
2148  secp256k1_scalar_set_int(&n, 0);
2149  for (i = 0; i < 256; i += 4) {
2150  secp256k1_scalar t;
2151  int j;
2152  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
2153  for (j = 0; j < 4; j++) {
2154  secp256k1_scalar_add(&n, &n, &n);
2155  }
2156  secp256k1_scalar_add(&n, &n, &t);
2157  }
2158  CHECK(secp256k1_scalar_eq(&n, &s));
2159  }
2160 
2161  {
2162  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2163  secp256k1_scalar n;
2164  int i = 0;
2165  secp256k1_scalar_set_int(&n, 0);
2166  while (i < 256) {
2167  secp256k1_scalar t;
2168  int j;
2169  int now = secp256k1_testrand_int(15) + 1;
2170  if (now + i > 256) {
2171  now = 256 - i;
2172  }
2173  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
2174  for (j = 0; j < now; j++) {
2175  secp256k1_scalar_add(&n, &n, &n);
2176  }
2177  secp256k1_scalar_add(&n, &n, &t);
2178  i += now;
2179  }
2180  CHECK(secp256k1_scalar_eq(&n, &s));
2181  }
2182 
2183  {
2184  /* Test commutativity of add. */
2185  secp256k1_scalar r1, r2;
2186  secp256k1_scalar_add(&r1, &s1, &s2);
2187  secp256k1_scalar_add(&r2, &s2, &s1);
2188  CHECK(secp256k1_scalar_eq(&r1, &r2));
2189  }
2190 
2191  {
2192  secp256k1_scalar r1, r2;
2193  secp256k1_scalar b;
2194  int i;
2195  /* Test add_bit. */
2196  int bit = secp256k1_testrand_bits(8);
2197  secp256k1_scalar_set_int(&b, 1);
2198  CHECK(secp256k1_scalar_is_one(&b));
2199  for (i = 0; i < bit; i++) {
2200  secp256k1_scalar_add(&b, &b, &b);
2201  }
2202  r1 = s1;
2203  r2 = s1;
2204  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2205  /* No overflow happened. */
2206  secp256k1_scalar_cadd_bit(&r2, bit, 1);
2207  CHECK(secp256k1_scalar_eq(&r1, &r2));
2208  /* cadd is a noop when flag is zero */
2209  secp256k1_scalar_cadd_bit(&r2, bit, 0);
2210  CHECK(secp256k1_scalar_eq(&r1, &r2));
2211  }
2212  }
2213 
2214  {
2215  /* Test commutativity of mul. */
2216  secp256k1_scalar r1, r2;
2217  secp256k1_scalar_mul(&r1, &s1, &s2);
2218  secp256k1_scalar_mul(&r2, &s2, &s1);
2219  CHECK(secp256k1_scalar_eq(&r1, &r2));
2220  }
2221 
2222  {
2223  /* Test associativity of add. */
2224  secp256k1_scalar r1, r2;
2225  secp256k1_scalar_add(&r1, &s1, &s2);
2226  secp256k1_scalar_add(&r1, &r1, &s);
2227  secp256k1_scalar_add(&r2, &s2, &s);
2228  secp256k1_scalar_add(&r2, &s1, &r2);
2229  CHECK(secp256k1_scalar_eq(&r1, &r2));
2230  }
2231 
2232  {
2233  /* Test associativity of mul. */
2234  secp256k1_scalar r1, r2;
2235  secp256k1_scalar_mul(&r1, &s1, &s2);
2236  secp256k1_scalar_mul(&r1, &r1, &s);
2237  secp256k1_scalar_mul(&r2, &s2, &s);
2238  secp256k1_scalar_mul(&r2, &s1, &r2);
2239  CHECK(secp256k1_scalar_eq(&r1, &r2));
2240  }
2241 
2242  {
2243  /* Test distributitivity of mul over add. */
2244  secp256k1_scalar r1, r2, t;
2245  secp256k1_scalar_add(&r1, &s1, &s2);
2246  secp256k1_scalar_mul(&r1, &r1, &s);
2247  secp256k1_scalar_mul(&r2, &s1, &s);
2248  secp256k1_scalar_mul(&t, &s2, &s);
2249  secp256k1_scalar_add(&r2, &r2, &t);
2250  CHECK(secp256k1_scalar_eq(&r1, &r2));
2251  }
2252 
2253  {
2254  /* Test multiplicative identity. */
2255  secp256k1_scalar r1;
2256  secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_one);
2257  CHECK(secp256k1_scalar_eq(&r1, &s1));
2258  }
2259 
2260  {
2261  /* Test additive identity. */
2262  secp256k1_scalar r1;
2263  secp256k1_scalar_add(&r1, &s1, &secp256k1_scalar_zero);
2264  CHECK(secp256k1_scalar_eq(&r1, &s1));
2265  }
2266 
2267  {
2268  /* Test zero product property. */
2269  secp256k1_scalar r1;
2270  secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_zero);
2271  CHECK(secp256k1_scalar_eq(&r1, &secp256k1_scalar_zero));
2272  }
2273 
2274  {
2275  /* Test halving. */
2276  secp256k1_scalar r;
2277  secp256k1_scalar_add(&r, &s, &s);
2278  secp256k1_scalar_half(&r, &r);
2279  CHECK(secp256k1_scalar_eq(&r, &s));
2280  }
2281 }
2282 
2283 static void run_scalar_set_b32_seckey_tests(void) {
2284  unsigned char b32[32];
2285  secp256k1_scalar s1;
2286  secp256k1_scalar s2;
2287 
2288  /* Usually set_b32 and set_b32_seckey give the same result */
2289  random_scalar_order_b32(b32);
2290  secp256k1_scalar_set_b32(&s1, b32, NULL);
2291  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2292  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2293 
2294  memset(b32, 0, sizeof(b32));
2295  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2296  memset(b32, 0xFF, sizeof(b32));
2297  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2298 }
2299 
2300 static void run_scalar_tests(void) {
2301  int i;
2302  for (i = 0; i < 128 * COUNT; i++) {
2303  scalar_test();
2304  }
2305  for (i = 0; i < COUNT; i++) {
2306  run_scalar_set_b32_seckey_tests();
2307  }
2308 
2309  {
2310  /* Check that the scalar constants secp256k1_scalar_zero and
2311  secp256k1_scalar_one contain the expected values. */
2312  secp256k1_scalar zero, one;
2313 
2314  CHECK(secp256k1_scalar_is_zero(&secp256k1_scalar_zero));
2315  secp256k1_scalar_set_int(&zero, 0);
2316  CHECK(secp256k1_scalar_eq(&zero, &secp256k1_scalar_zero));
2317 
2318  CHECK(secp256k1_scalar_is_one(&secp256k1_scalar_one));
2319  secp256k1_scalar_set_int(&one, 1);
2320  CHECK(secp256k1_scalar_eq(&one, &secp256k1_scalar_one));
2321  }
2322 
2323  {
2324  /* (-1)+1 should be zero. */
2325  secp256k1_scalar o;
2326  secp256k1_scalar_negate(&o, &secp256k1_scalar_one);
2327  secp256k1_scalar_add(&o, &o, &secp256k1_scalar_one);
2328  CHECK(secp256k1_scalar_is_zero(&o));
2329  secp256k1_scalar_negate(&o, &o);
2330  CHECK(secp256k1_scalar_is_zero(&o));
2331  }
2332 
2333  {
2334  /* Test that halving and doubling roundtrips on some fixed values. */
2335  static const secp256k1_scalar HALF_TESTS[] = {
2336  /* 0 */
2337  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2338  /* 1 */
2339  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2340  /* -1 */
2341  SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul),
2342  /* -2 (largest odd value) */
2343  SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful),
2344  /* Half the secp256k1 order */
2345  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul),
2346  /* Half the secp256k1 order + 1 */
2347  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul),
2348  /* 2^255 */
2349  SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0),
2350  /* 2^255 - 1 */
2351  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful),
2352  };
2353  unsigned n;
2354  for (n = 0; n < sizeof(HALF_TESTS) / sizeof(HALF_TESTS[0]); ++n) {
2355  secp256k1_scalar s;
2356  secp256k1_scalar_half(&s, &HALF_TESTS[n]);
2357  secp256k1_scalar_add(&s, &s, &s);
2358  CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2359  secp256k1_scalar_add(&s, &s, &s);
2360  secp256k1_scalar_half(&s, &s);
2361  CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2362  }
2363  }
2364 
2365  {
2366  /* Does check_overflow check catch all ones? */
2367  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2368  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2369  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2370  );
2371  CHECK(secp256k1_scalar_check_overflow(&overflowed));
2372  }
2373 
2374  {
2375  /* Static test vectors.
2376  * These were reduced from ~10^12 random vectors based on comparison-decision
2377  * and edge-case coverage on 32-bit and 64-bit implementations.
2378  * The responses were generated with Sage 5.9.
2379  */
2380  secp256k1_scalar x;
2381  secp256k1_scalar y;
2382  secp256k1_scalar z;
2383  secp256k1_scalar zz;
2384  secp256k1_scalar r1;
2385  secp256k1_scalar r2;
2386  secp256k1_scalar zzv;
2387  int overflow;
2388  unsigned char chal[33][2][32] = {
2389  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2390  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2391  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2392  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2393  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2394  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2395  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2396  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2397  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2398  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2399  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2400  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2401  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2402  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2403  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2404  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2405  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2406  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2407  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2408  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2409  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2410  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2411  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2412  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2413  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2414  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2415  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2416  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2417  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2418  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2419  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2420  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2421  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2422  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2423  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2424  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2425  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2426  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2427  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2428  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2429  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2430  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2431  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2432  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2433  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2434  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2435  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2436  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2437  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2438  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2439  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2440  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2441  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2442  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2443  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2444  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2445  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2446  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2447  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2448  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2449  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2450  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2451  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2452  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2453  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2454  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2455  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2456  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2457  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2458  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2459  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2460  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2461  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2462  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2463  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2464  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2465  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2466  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2467  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2468  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2469  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2470  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2471  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2472  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2473  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2474  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2475  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2476  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2477  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2478  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2479  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2480  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2481  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2482  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2483  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2484  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2485  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2486  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2487  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2488  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2489  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2490  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2491  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2492  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2493  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2494  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2495  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2496  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2497  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2498  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2499  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2500  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2501  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2502  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2503  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2504  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2505  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2506  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2507  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2508  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2509  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2510  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2511  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2512  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2513  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2514  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2515  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2516  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2517  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2518  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2519  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2520  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2521  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2522  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2523  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2524  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2525  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2526  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2527  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2528  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2529  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2530  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2531  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2532  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2533  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2534  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2535  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2536  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2537  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2538  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2539  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2540  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2541  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2542  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2543  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2544  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2545  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2546  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2547  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2548  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2549  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2550  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2551  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2552  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2553  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2554  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2555  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2556  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2557  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2558  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2559  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2560  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2561  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2562  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2563  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2564  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2565  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2566  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2567  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2568  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2569  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2570  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2571  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2572  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2573  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2574  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2575  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2576  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2577  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2578  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2579  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2580  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2581  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2582  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2583  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2584  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2585  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2586  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2587  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2588  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2589  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2590  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2591  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2592  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2593  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2594  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2595  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2596  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2597  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2598  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2599  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2600  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2601  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2602  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2603  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2604  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2605  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2606  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2607  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2608  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2609  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2610  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2611  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2612  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2613  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2614  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2615  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2616  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2617  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2618  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2619  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2620  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2621  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2622  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2623  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2624  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2625  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2626  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2627  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2628  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2629  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2630  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2631  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2632  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2633  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2634  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2635  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2636  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2637  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2638  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2639  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2640  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2641  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2642  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2643  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2644  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2645  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2646  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2647  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2648  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2649  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2650  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2651  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2652  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2653  };
2654  unsigned char res[33][2][32] = {
2655  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2656  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2657  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2658  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2659  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2660  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2661  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2662  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2663  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2664  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2665  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2666  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2667  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2668  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2669  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2670  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2671  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2672  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2673  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2674  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2675  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2676  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2677  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2678  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2679  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2680  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2681  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2682  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2683  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2684  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2685  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2686  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2687  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2688  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2689  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2690  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2691  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2692  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2693  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2694  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2695  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2696  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2697  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2698  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2699  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2700  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2701  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2702  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2703  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2704  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2705  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2706  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2707  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2708  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2709  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2710  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2711  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2712  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2713  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2714  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2715  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2716  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2717  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2718  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2719  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2720  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2721  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2722  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2723  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2724  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2725  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2726  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2727  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2728  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2729  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2730  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2731  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2732  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2733  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2734  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2735  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2736  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2737  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2738  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2739  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2740  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2741  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2742  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2743  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2744  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2745  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2746  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2747  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2748  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2749  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2750  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2751  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2752  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2753  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2754  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2755  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2756  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2757  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2758  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2759  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2760  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2761  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2762  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2763  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2764  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2765  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2766  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2767  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2768  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2769  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2770  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2771  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2772  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2773  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2774  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2775  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2776  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2777  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2778  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2779  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2780  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2781  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2782  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2783  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2784  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2785  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2786  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2787  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2788  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2789  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2790  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2791  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2792  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2793  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2794  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2795  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2796  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2797  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2798  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2799  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2800  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2801  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2802  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2803  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2804  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2805  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2806  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2807  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2808  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2809  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2810  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2811  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2812  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2813  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2814  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2815  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2816  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2817  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2818  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2819  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2820  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2821  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2822  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2823  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2824  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2825  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2826  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2827  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2828  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2829  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2830  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2831  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2832  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2833  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2834  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2835  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2836  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2837  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2838  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2839  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2840  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2841  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2842  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2843  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2844  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2845  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2846  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2847  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2848  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2849  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2850  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2851  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2852  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2853  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2854  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2855  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2856  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2857  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2858  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2859  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2860  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2861  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2862  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2863  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2864  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2865  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2866  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2867  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2868  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2869  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2870  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2871  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2872  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2873  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2874  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2875  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2876  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2877  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2878  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2879  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2880  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2881  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2882  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2883  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2884  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2885  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2886  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2887  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2888  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2889  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2890  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2891  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2892  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2893  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2894  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2895  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2896  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2897  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2898  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2899  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2900  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2901  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2902  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2903  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2904  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2905  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2906  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2907  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2908  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2909  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2910  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2911  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2912  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2913  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2914  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2915  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2916  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2917  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2918  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2919  };
2920  for (i = 0; i < 33; i++) {
2921  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2922  CHECK(!overflow);
2923  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2924  CHECK(!overflow);
2925  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2926  CHECK(!overflow);
2927  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2928  CHECK(!overflow);
2929  secp256k1_scalar_mul(&z, &x, &y);
2930  CHECK(secp256k1_scalar_eq(&r1, &z));
2931  if (!secp256k1_scalar_is_zero(&y)) {
2932  secp256k1_scalar_inverse(&zz, &y);
2933  secp256k1_scalar_inverse_var(&zzv, &y);
2934  CHECK(secp256k1_scalar_eq(&zzv, &zz));
2935  secp256k1_scalar_mul(&z, &z, &zz);
2936  CHECK(secp256k1_scalar_eq(&x, &z));
2937  secp256k1_scalar_mul(&zz, &zz, &y);
2938  CHECK(secp256k1_scalar_eq(&secp256k1_scalar_one, &zz));
2939  }
2940  secp256k1_scalar_mul(&z, &x, &x);
2941  CHECK(secp256k1_scalar_eq(&r2, &z));
2942  }
2943  }
2944 }
2945 
2946 /***** FIELD TESTS *****/
2947 
2948 static void random_fe_non_square(secp256k1_fe *ns) {
2949  secp256k1_fe r;
2950  random_fe_non_zero(ns);
2951  if (secp256k1_fe_sqrt(&r, ns)) {
2952  secp256k1_fe_negate(ns, ns, 1);
2953  }
2954 }
2955 
2956 static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2957  secp256k1_fe an = *a;
2958  secp256k1_fe bn = *b;
2959  secp256k1_fe_normalize_weak(&an);
2960  return secp256k1_fe_equal(&an, &bn);
2961 }
2962 
2963 static void run_field_convert(void) {
2964  static const unsigned char b32[32] = {
2965  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2966  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2967  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2968  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2969  };
2970  static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
2971  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2972  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2973  );
2974  static const secp256k1_fe fe = SECP256K1_FE_CONST(
2975  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2976  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2977  );
2978  secp256k1_fe fe2;
2979  unsigned char b322[32];
2980  secp256k1_fe_storage fes2;
2981  /* Check conversions to fe. */
2982  CHECK(secp256k1_fe_set_b32_limit(&fe2, b32));
2983  CHECK(secp256k1_fe_equal(&fe, &fe2));
2984  secp256k1_fe_from_storage(&fe2, &fes);
2985  CHECK(secp256k1_fe_equal(&fe, &fe2));
2986  /* Check conversion from fe. */
2987  secp256k1_fe_get_b32(b322, &fe);
2988  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2989  secp256k1_fe_to_storage(&fes2, &fe);
2990  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2991 }
2992 
2993 static void run_field_be32_overflow(void) {
2994  {
2995  static const unsigned char zero_overflow[32] = {
2996  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2997  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2998  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2999  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
3000  };
3001  static const unsigned char zero[32] = { 0x00 };
3002  unsigned char out[32];
3003  secp256k1_fe fe;
3004  CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
3005  secp256k1_fe_set_b32_mod(&fe, zero_overflow);
3006  CHECK(secp256k1_fe_normalizes_to_zero(&fe) == 1);
3007  secp256k1_fe_normalize(&fe);
3008  CHECK(secp256k1_fe_is_zero(&fe) == 1);
3009  secp256k1_fe_get_b32(out, &fe);
3010  CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
3011  }
3012  {
3013  static const unsigned char one_overflow[32] = {
3014  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3015  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3016  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3017  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
3018  };
3019  static const unsigned char one[32] = {
3020  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3021  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3022  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3023  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3024  };
3025  unsigned char out[32];
3026  secp256k1_fe fe;
3027  CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
3028  secp256k1_fe_set_b32_mod(&fe, one_overflow);
3029  secp256k1_fe_normalize(&fe);
3030  CHECK(secp256k1_fe_cmp_var(&fe, &secp256k1_fe_one) == 0);
3031  secp256k1_fe_get_b32(out, &fe);
3032  CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
3033  }
3034  {
3035  static const unsigned char ff_overflow[32] = {
3036  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3037  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3038  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3039  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3040  };
3041  static const unsigned char ff[32] = {
3042  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3043  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3044  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3045  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
3046  };
3047  unsigned char out[32];
3048  secp256k1_fe fe;
3049  const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
3050  CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
3051  secp256k1_fe_set_b32_mod(&fe, ff_overflow);
3052  secp256k1_fe_normalize(&fe);
3053  CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
3054  secp256k1_fe_get_b32(out, &fe);
3055  CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
3056  }
3057 }
3058 
3059 /* Returns true if two field elements have the same representation. */
3060 static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
3061  int ret = 1;
3062  /* Compare the struct member that holds the limbs. */
3063  ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
3064  return ret;
3065 }
3066 
3067 static void run_field_half(void) {
3068  secp256k1_fe t, u;
3069  int m;
3070 
3071  /* Check magnitude 0 input */
3072  secp256k1_fe_get_bounds(&t, 0);
3073  secp256k1_fe_half(&t);
3074 #ifdef VERIFY
3075  CHECK(t.magnitude == 1);
3076  CHECK(t.normalized == 0);
3077 #endif
3078  CHECK(secp256k1_fe_normalizes_to_zero(&t));
3079 
3080  /* Check non-zero magnitudes in the supported range */
3081  for (m = 1; m < 32; m++) {
3082  /* Check max-value input */
3083  secp256k1_fe_get_bounds(&t, m);
3084 
3085  u = t;
3086  secp256k1_fe_half(&u);
3087 #ifdef VERIFY
3088  CHECK(u.magnitude == (m >> 1) + 1);
3089  CHECK(u.normalized == 0);
3090 #endif
3091  secp256k1_fe_normalize_weak(&u);
3092  secp256k1_fe_add(&u, &u);
3093  CHECK(fe_equal(&t, &u));
3094 
3095  /* Check worst-case input: ensure the LSB is 1 so that P will be added,
3096  * which will also cause all carries to be 1, since all limbs that can
3097  * generate a carry are initially even and all limbs of P are odd in
3098  * every existing field implementation. */
3099  secp256k1_fe_get_bounds(&t, m);
3100  CHECK(t.n[0] > 0);
3101  CHECK((t.n[0] & 1) == 0);
3102  --t.n[0];
3103 
3104  u = t;
3105  secp256k1_fe_half(&u);
3106 #ifdef VERIFY
3107  CHECK(u.magnitude == (m >> 1) + 1);
3108  CHECK(u.normalized == 0);
3109 #endif
3110  secp256k1_fe_normalize_weak(&u);
3111  secp256k1_fe_add(&u, &u);
3112  CHECK(fe_equal(&t, &u));
3113  }
3114 }
3115 
3116 static void run_field_misc(void) {
3117  secp256k1_fe x;
3118  secp256k1_fe y;
3119  secp256k1_fe z;
3120  secp256k1_fe q;
3121  int v;
3122  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3123  int i, j;
3124  for (i = 0; i < 1000 * COUNT; i++) {
3125  secp256k1_fe_storage xs, ys, zs;
3126  if (i & 1) {
3127  random_fe(&x);
3128  } else {
3129  random_fe_test(&x);
3130  }
3131  random_fe_non_zero(&y);
3132  v = secp256k1_testrand_bits(15);
3133  /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3134  secp256k1_fe_set_int(&q, v); /* q = v */
3135  z = x; /* z = x */
3136  secp256k1_fe_add(&z, &q); /* z = x+v */
3137  q = x; /* q = x */
3138  secp256k1_fe_add_int(&q, v); /* q = x+v */
3139  CHECK(fe_equal(&q, &z));
3140  /* Test the fe equality and comparison operations. */
3141  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3142  CHECK(secp256k1_fe_equal(&x, &x));
3143  z = x;
3144  secp256k1_fe_add(&z,&y);
3145  /* Test fe conditional move; z is not normalized here. */
3146  q = x;
3147  secp256k1_fe_cmov(&x, &z, 0);
3148 #ifdef VERIFY
3149  CHECK(!x.normalized);
3150  CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3151  CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3152 #endif
3153  x = q;
3154  secp256k1_fe_cmov(&x, &x, 1);
3155  CHECK(!fe_identical(&x, &z));
3156  CHECK(fe_identical(&x, &q));
3157  secp256k1_fe_cmov(&q, &z, 1);
3158 #ifdef VERIFY
3159  CHECK(!q.normalized);
3160  CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3161  CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3162 #endif
3163  CHECK(fe_identical(&q, &z));
3164  q = z;
3165  secp256k1_fe_normalize_var(&x);
3166  secp256k1_fe_normalize_var(&z);
3167  CHECK(!secp256k1_fe_equal(&x, &z));
3168  secp256k1_fe_normalize_var(&q);
3169  secp256k1_fe_cmov(&q, &z, (i&1));
3170 #ifdef VERIFY
3171  CHECK(q.normalized && q.magnitude == 1);
3172 #endif
3173  for (j = 0; j < 6; j++) {
3174  secp256k1_fe_negate_unchecked(&z, &z, j+1);
3175  secp256k1_fe_normalize_var(&q);
3176  secp256k1_fe_cmov(&q, &z, (j&1));
3177 #ifdef VERIFY
3178  CHECK(!q.normalized && q.magnitude == z.magnitude);
3179 #endif
3180  }
3181  secp256k1_fe_normalize_var(&z);
3182  /* Test storage conversion and conditional moves. */
3183  secp256k1_fe_to_storage(&xs, &x);
3184  secp256k1_fe_to_storage(&ys, &y);
3185  secp256k1_fe_to_storage(&zs, &z);
3186  secp256k1_fe_storage_cmov(&zs, &xs, 0);
3187  secp256k1_fe_storage_cmov(&zs, &zs, 1);
3188  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3189  secp256k1_fe_storage_cmov(&ys, &xs, 1);
3190  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3191  secp256k1_fe_from_storage(&x, &xs);
3192  secp256k1_fe_from_storage(&y, &ys);
3193  secp256k1_fe_from_storage(&z, &zs);
3194  /* Test that mul_int, mul, and add agree. */
3195  secp256k1_fe_add(&y, &x);
3196  secp256k1_fe_add(&y, &x);
3197  z = x;
3198  secp256k1_fe_mul_int(&z, 3);
3199  CHECK(fe_equal(&y, &z));
3200  secp256k1_fe_add(&y, &x);
3201  secp256k1_fe_add(&z, &x);
3202  CHECK(fe_equal(&z, &y));
3203  z = x;
3204  secp256k1_fe_mul_int(&z, 5);
3205  secp256k1_fe_mul(&q, &x, &fe5);
3206  CHECK(fe_equal(&z, &q));
3207  secp256k1_fe_negate(&x, &x, 1);
3208  secp256k1_fe_add(&z, &x);
3209  secp256k1_fe_add(&q, &x);
3210  CHECK(fe_equal(&y, &z));
3211  CHECK(fe_equal(&q, &y));
3212  /* Check secp256k1_fe_half. */
3213  z = x;
3214  secp256k1_fe_half(&z);
3215  secp256k1_fe_add(&z, &z);
3216  CHECK(fe_equal(&x, &z));
3217  secp256k1_fe_add(&z, &z);
3218  secp256k1_fe_half(&z);
3219  CHECK(fe_equal(&x, &z));
3220  }
3221 }
3222 
3223 static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3224 {
3225  secp256k1_fe c, an, bn;
3226  /* Variables in BE 32-byte format. */
3227  unsigned char a32[32], b32[32], c32[32];
3228  /* Variables in LE 16x uint16_t format. */
3229  uint16_t a16[16], b16[16], c16[16];
3230  /* Field modulus in LE 16x uint16_t format. */
3231  static const uint16_t m16[16] = {
3232  0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3233  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3234  };
3235  uint16_t t16[32];
3236  int i;
3237 
3238  /* Compute C = A * B in fe format. */
3239  c = *a;
3240  if (use_sqr) {
3241  secp256k1_fe_sqr(&c, &c);
3242  } else {
3243  secp256k1_fe_mul(&c, &c, b);
3244  }
3245 
3246  /* Convert A, B, C into LE 16x uint16_t format. */
3247  an = *a;
3248  bn = *b;
3249  secp256k1_fe_normalize_var(&c);
3250  secp256k1_fe_normalize_var(&an);
3251  secp256k1_fe_normalize_var(&bn);
3252  secp256k1_fe_get_b32(a32, &an);
3253  secp256k1_fe_get_b32(b32, &bn);
3254  secp256k1_fe_get_b32(c32, &c);
3255  for (i = 0; i < 16; ++i) {
3256  a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3257  b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3258  c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3259  }
3260  /* Compute T = A * B in LE 16x uint16_t format. */
3261  mulmod256(t16, a16, b16, m16);
3262  /* Compare */
3263  CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3264 }
3265 
3266 static void run_fe_mul(void) {
3267  int i;
3268  for (i = 0; i < 100 * COUNT; ++i) {
3269  secp256k1_fe a, b, c, d;
3270  random_fe(&a);
3271  random_fe_magnitude(&a);
3272  random_fe(&b);
3273  random_fe_magnitude(&b);
3274  random_fe_test(&c);
3275  random_fe_magnitude(&c);
3276  random_fe_test(&d);
3277  random_fe_magnitude(&d);
3278  test_fe_mul(&a, &a, 1);
3279  test_fe_mul(&c, &c, 1);
3280  test_fe_mul(&a, &b, 0);
3281  test_fe_mul(&a, &c, 0);
3282  test_fe_mul(&c, &b, 0);
3283  test_fe_mul(&c, &d, 0);
3284  }
3285 }
3286 
3287 static void run_sqr(void) {
3288  int i;
3289  secp256k1_fe x, y, lhs, rhs, tmp;
3290 
3291  secp256k1_fe_set_int(&x, 1);
3292  secp256k1_fe_negate(&x, &x, 1);
3293 
3294  for (i = 1; i <= 512; ++i) {
3295  secp256k1_fe_mul_int(&x, 2);
3296  secp256k1_fe_normalize(&x);
3297 
3298  /* Check that (x+y)*(x-y) = x^2 - y*2 for some random values y */
3299  random_fe_test(&y);
3300 
3301  lhs = x;
3302  secp256k1_fe_add(&lhs, &y); /* lhs = x+y */
3303  secp256k1_fe_negate(&tmp, &y, 1); /* tmp = -y */
3304  secp256k1_fe_add(&tmp, &x); /* tmp = x-y */
3305  secp256k1_fe_mul(&lhs, &lhs, &tmp); /* lhs = (x+y)*(x-y) */
3306 
3307  secp256k1_fe_sqr(&rhs, &x); /* rhs = x^2 */
3308  secp256k1_fe_sqr(&tmp, &y); /* tmp = y^2 */
3309  secp256k1_fe_negate(&tmp, &tmp, 1); /* tmp = -y^2 */
3310  secp256k1_fe_add(&rhs, &tmp); /* rhs = x^2 - y^2 */
3311 
3312  CHECK(fe_equal(&lhs, &rhs));
3313  }
3314 }
3315 
3316 static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3317  secp256k1_fe r1, r2;
3318  int v = secp256k1_fe_sqrt(&r1, a);
3319  CHECK((v == 0) == (k == NULL));
3320 
3321  if (k != NULL) {
3322  /* Check that the returned root is +/- the given known answer */
3323  secp256k1_fe_negate(&r2, &r1, 1);
3324  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3325  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
3326  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
3327  }
3328 }
3329 
3330 static void run_sqrt(void) {
3331  secp256k1_fe ns, x, s, t;
3332  int i;
3333 
3334  /* Check sqrt(0) is 0 */
3335  secp256k1_fe_set_int(&x, 0);
3336  secp256k1_fe_sqr(&s, &x);
3337  test_sqrt(&s, &x);
3338 
3339  /* Check sqrt of small squares (and their negatives) */
3340  for (i = 1; i <= 100; i++) {
3341  secp256k1_fe_set_int(&x, i);
3342  secp256k1_fe_sqr(&s, &x);
3343  test_sqrt(&s, &x);
3344  secp256k1_fe_negate(&t, &s, 1);
3345  test_sqrt(&t, NULL);
3346  }
3347 
3348  /* Consistency checks for large random values */
3349  for (i = 0; i < 10; i++) {
3350  int j;
3351  random_fe_non_square(&ns);
3352  for (j = 0; j < COUNT; j++) {
3353  random_fe(&x);
3354  secp256k1_fe_sqr(&s, &x);
3355  CHECK(secp256k1_fe_is_square_var(&s));
3356  test_sqrt(&s, &x);
3357  secp256k1_fe_negate(&t, &s, 1);
3358  CHECK(!secp256k1_fe_is_square_var(&t));
3359  test_sqrt(&t, NULL);
3360  secp256k1_fe_mul(&t, &s, &ns);
3361  test_sqrt(&t, NULL);
3362  }
3363  }
3364 }
3365 
3366 /***** FIELD/SCALAR INVERSE TESTS *****/
3367 
3368 static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
3369  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3370  0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3371 );
3372 
3373 static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
3374  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3375  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3376 );
3377 
3378 /* These tests test the following identities:
3379  *
3380  * for x==0: 1/x == 0
3381  * for x!=0: x*(1/x) == 1
3382  * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3383  */
3384 
3385 static void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
3386 {
3387  secp256k1_scalar l, r, t;
3388 
3389  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3390  if (out) *out = l;
3391  if (secp256k1_scalar_is_zero(x)) {
3392  CHECK(secp256k1_scalar_is_zero(&l));
3393  return;
3394  }
3395  secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3396  CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3397  secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3398  if (secp256k1_scalar_is_zero(&r)) return;
3399  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3400  secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3401  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3402  secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3403  secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3404  CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3405 }
3406 
3407 static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3408 {
3409  secp256k1_fe l, r, t;
3410 
3411  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3412  if (out) *out = l;
3413  t = *x; /* t = x */
3414  if (secp256k1_fe_normalizes_to_zero_var(&t)) {
3415  CHECK(secp256k1_fe_normalizes_to_zero(&l));
3416  return;
3417  }
3418  secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3419  secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3420  CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3421  r = *x; /* r = x */
3422  secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3423  if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
3424  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3425  secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3426  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3427  secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3428  secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3429  CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
3430 }
3431 
3432 static void run_inverse_tests(void)
3433 {
3434  /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3435  static const secp256k1_fe fe_cases[][2] = {
3436  /* 0 */
3437  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3438  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3439  /* 1 */
3440  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3441  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3442  /* -1 */
3443  {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3444  SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3445  /* 2 */
3446  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3447  SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3448  /* 2**128 */
3449  {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3450  SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3451  /* Input known to need 637 divsteps */
3452  {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3453  SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3454  /* Input known to need 567 divsteps starting with delta=1/2. */
3455  {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3456  SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3457  /* Input known to need 566 divsteps starting with delta=1/2. */
3458  {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3459  SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3460  /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3461  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3462  SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3463  {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3464  SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3465  {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3466  SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3467  {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3468  SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3469  {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3470  SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3471  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3472  SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3473  {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3474  SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3475  {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3476  SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3477  {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3478  SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3479  {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3480  SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3481  /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3482  {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3483  SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3484  {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3485  SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3486  {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3487  SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3488  {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3489  SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3490  {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3491  SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3492  {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3493  SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3494  {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3495  SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3496  {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3497  SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3498  {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3499  SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3500  {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3501  SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3502  {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3503  SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3504  {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3505  SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3506  {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3507  SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3508  {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3509  SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3510  {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3511  SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3512  {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3513  SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3514  {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3515  SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3516  {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3517  SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3518  {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3519  SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3520  {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3521  SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3522  {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3523  SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3524  {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3525  SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3526  {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3527  SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3528  {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3529  SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3530  {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3531  SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3532  {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3533  SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3534  {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3535  SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3536  {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3537  SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3538  };
3539  /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3540  static const secp256k1_scalar scalar_cases[][2] = {
3541  /* 0 */
3542  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3543  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3544  /* 1 */
3545  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3546  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3547  /* -1 */
3548  {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3549  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3550  /* 2 */
3551  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3552  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3553  /* 2**128 */
3554  {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3555  SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3556  /* Input known to need 635 divsteps */
3557  {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3558  SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3559  /* Input known to need 566 divsteps starting with delta=1/2. */
3560  {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3561  SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3562  /* Input known to need 565 divsteps starting with delta=1/2. */
3563  {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3564  SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3565  /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3566  {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3567  SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3568  {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3569  SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3570  {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3571  SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3572  {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3573  SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3574  {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3575  SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3576  {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3577  SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3578  {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3579  SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3580  {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3581  SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3582  {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3583  SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3584  {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3585  SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3586  {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3587  SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3588  {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3589  SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3590  {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3591  SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3592  {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3593  SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3594  {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3595  SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3596  {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3597  SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3598  {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3599  SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3600  {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3601  SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3602  {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3603  SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3604  {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3605  SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3606  {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3607  SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3608  {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3609  SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3610  {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3611  SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3612  {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3613  SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3614  {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3615  SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3616  {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3617  SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3618  {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3619  SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3620  {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3621  SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3622  {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3623  SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3624  };
3625  int i, var, testrand;
3626  unsigned char b32[32];
3627  secp256k1_fe x_fe;
3628  secp256k1_scalar x_scalar;
3629  memset(b32, 0, sizeof(b32));
3630  /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3631  for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3632  for (var = 0; var <= 1; ++var) {
3633  test_inverse_field(&x_fe, &fe_cases[i][0], var);
3634  CHECK(fe_equal(&x_fe, &fe_cases[i][1]));
3635  test_inverse_field(&x_fe, &fe_cases[i][1], var);
3636  CHECK(fe_equal(&x_fe, &fe_cases[i][0]));
3637  }
3638  }
3639  for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3640  for (var = 0; var <= 1; ++var) {
3641  test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3642  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3643  test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3644  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3645  }
3646  }
3647  /* Test inputs 0..999 and their respective negations. */
3648  for (i = 0; i < 1000; ++i) {
3649  b32[31] = i & 0xff;
3650  b32[30] = (i >> 8) & 0xff;
3651  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3652  secp256k1_fe_set_b32_mod(&x_fe, b32);
3653  for (var = 0; var <= 1; ++var) {
3654  test_inverse_scalar(NULL, &x_scalar, var);
3655  test_inverse_field(NULL, &x_fe, var);
3656  }
3657  secp256k1_scalar_negate(&x_scalar, &x_scalar);
3658  secp256k1_fe_negate(&x_fe, &x_fe, 1);
3659  for (var = 0; var <= 1; ++var) {
3660  test_inverse_scalar(NULL, &x_scalar, var);
3661  test_inverse_field(NULL, &x_fe, var);
3662  }
3663  }
3664  /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3665  for (testrand = 0; testrand <= 1; ++testrand) {
3666  for (i = 0; i < 64 * COUNT; ++i) {
3667  (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
3668  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3669  secp256k1_fe_set_b32_mod(&x_fe, b32);
3670  for (var = 0; var <= 1; ++var) {
3671  test_inverse_scalar(NULL, &x_scalar, var);
3672  test_inverse_field(NULL, &x_fe, var);
3673  }
3674  }
3675  }
3676 }
3677 
3678 /***** GROUP TESTS *****/
3679 
3680 /* This compares jacobian points including their Z, not just their geometric meaning. */
3681 static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3682  secp256k1_gej a2;
3683  secp256k1_gej b2;
3684  int ret = 1;
3685  ret &= a->infinity == b->infinity;
3686  if (ret && !a->infinity) {
3687  a2 = *a;
3688  b2 = *b;
3689  secp256k1_fe_normalize(&a2.x);
3690  secp256k1_fe_normalize(&a2.y);
3691  secp256k1_fe_normalize(&a2.z);
3692  secp256k1_fe_normalize(&b2.x);
3693  secp256k1_fe_normalize(&b2.y);
3694  secp256k1_fe_normalize(&b2.z);
3695  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3696  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3697  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3698  }
3699  return ret;
3700 }
3701 
3702 static void test_ge(void) {
3703  int i, i1;
3704  int runs = 6;
3705  /* 25 points are used:
3706  * - infinity
3707  * - for each of four random points p1 p2 p3 p4, we add the point, its
3708  * negation, and then those two again but with randomized Z coordinate.
3709  * - The same is then done for lambda*p1 and lambda^2*p1.
3710  */
3711  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3712  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3713  secp256k1_fe zf, r;
3714  secp256k1_fe zfi2, zfi3;
3715 
3716  secp256k1_gej_set_infinity(&gej[0]);
3717  secp256k1_ge_clear(&ge[0]);
3718  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3719  for (i = 0; i < runs; i++) {
3720  int j, k;
3721  secp256k1_ge g;
3722  random_group_element_test(&g);
3723  if (i >= runs - 2) {
3724  secp256k1_ge_mul_lambda(&g, &ge[1]);
3725  CHECK(!secp256k1_ge_eq_var(&g, &ge[1]));
3726  }
3727  if (i >= runs - 1) {
3728  secp256k1_ge_mul_lambda(&g, &g);
3729  }
3730  ge[1 + 4 * i] = g;
3731  ge[2 + 4 * i] = g;
3732  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3733  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3734  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3735  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3736  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3737  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3738  for (j = 0; j < 4; j++) {
3739  random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3740  random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3741  random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3742  random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3743  random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3744  }
3745 
3746  for (j = 0; j < 4; ++j) {
3747  for (k = 0; k < 4; ++k) {
3748  int expect_equal = (j >> 1) == (k >> 1);
3749  CHECK(secp256k1_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3750  CHECK(secp256k1_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal);
3751  CHECK(secp256k1_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3752  CHECK(secp256k1_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal);
3753  }
3754  }
3755  }
3756 
3757  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3758  random_fe_non_zero_test(&zf);
3759  random_fe_magnitude(&zf);
3760  secp256k1_fe_inv_var(&zfi3, &zf);
3761  secp256k1_fe_sqr(&zfi2, &zfi3);
3762  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3763 
3764  /* Generate random r */
3765  random_fe_non_zero_test(&r);
3766 
3767  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3768  int i2;
3769  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3770  /* Compute reference result using gej + gej (var). */
3771  secp256k1_gej refj, resj;
3772  secp256k1_ge ref;
3773  secp256k1_fe zr;
3774  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3775  /* Check Z ratio. */
3776  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3777  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3778  CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3779  }
3780  secp256k1_ge_set_gej_var(&ref, &refj);
3781 
3782  /* Test gej + ge with Z ratio result (var). */
3783  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3784  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3785  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3786  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3787  CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3788  }
3789 
3790  /* Test gej + ge (var, with additional Z factor). */
3791  {
3792  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3793  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3794  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3795  random_ge_x_magnitude(&ge2_zfi);
3796  random_ge_y_magnitude(&ge2_zfi);
3797  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3798  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3799  }
3800 
3801  /* Test gej + ge (const). */
3802  if (i2 != 0) {
3803  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3804  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3805  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3806  }
3807 
3808  /* Test doubling (var). */
3809  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3810  secp256k1_fe zr2;
3811  /* Normal doubling with Z ratio result. */
3812  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3813  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3814  /* Check Z ratio. */
3815  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3816  CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3817  /* Normal doubling. */
3818  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3819  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3820  /* Constant-time doubling. */
3821  secp256k1_gej_double(&resj, &gej[i2]);
3822  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3823  }
3824 
3825  /* Test adding opposites. */
3826  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3827  CHECK(secp256k1_ge_is_infinity(&ref));
3828  }
3829 
3830  /* Test adding infinity. */
3831  if (i1 == 0) {
3832  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3833  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3834  CHECK(secp256k1_gej_eq_ge_var(&gej[i2], &ref));
3835  }
3836  if (i2 == 0) {
3837  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3838  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3839  CHECK(secp256k1_gej_eq_ge_var(&gej[i1], &ref));
3840  }
3841  }
3842  }
3843 
3844  /* Test adding all points together in random order equals infinity. */
3845  {
3846  secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
3847  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3848  for (i = 0; i < 4 * runs + 1; i++) {
3849  gej_shuffled[i] = gej[i];
3850  }
3851  for (i = 0; i < 4 * runs + 1; i++) {
3852  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3853  if (swap != i) {
3854  secp256k1_gej t = gej_shuffled[i];
3855  gej_shuffled[i] = gej_shuffled[swap];
3856  gej_shuffled[swap] = t;
3857  }
3858  }
3859  for (i = 0; i < 4 * runs + 1; i++) {
3860  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3861  }
3862  CHECK(secp256k1_gej_is_infinity(&sum));
3863  free(gej_shuffled);
3864  }
3865 
3866  /* Test batch gej -> ge conversion without known z ratios. */
3867  {
3868  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3869  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3870  for (i = 0; i < 4 * runs + 1; i++) {
3871  secp256k1_fe s;
3872  random_fe_non_zero(&s);
3873  secp256k1_gej_rescale(&gej[i], &s);
3874  CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all[i]));
3875  }
3876  free(ge_set_all);
3877  }
3878 
3879  /* Test that all elements have X coordinates on the curve. */
3880  for (i = 1; i < 4 * runs + 1; i++) {
3881  secp256k1_fe n;
3882  CHECK(secp256k1_ge_x_on_curve_var(&ge[i].x));
3883  /* And the same holds after random rescaling. */
3884  secp256k1_fe_mul(&n, &zf, &ge[i].x);
3885  CHECK(secp256k1_ge_x_frac_on_curve_var(&n, &zf));
3886  }
3887 
3888  /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
3889  {
3890  secp256k1_fe n;
3891  secp256k1_ge q;
3892  int ret_on_curve, ret_frac_on_curve, ret_set_xo;
3893  secp256k1_fe_mul(&n, &zf, &r);
3894  ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
3895  ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
3896  ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
3897  CHECK(ret_on_curve == ret_frac_on_curve);
3898  CHECK(ret_on_curve == ret_set_xo);
3899  if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
3900  }
3901 
3902  /* Test batch gej -> ge conversion with many infinities. */
3903  for (i = 0; i < 4 * runs + 1; i++) {
3904  int odd;
3905  random_group_element_test(&ge[i]);
3906  odd = secp256k1_fe_is_odd(&ge[i].x);
3907  CHECK(odd == 0 || odd == 1);
3908  /* randomly set half the points to infinity */
3909  if (odd == i % 2) {
3910  secp256k1_ge_set_infinity(&ge[i]);
3911  }
3912  secp256k1_gej_set_ge(&gej[i], &ge[i]);
3913  }
3914  /* batch convert */
3915  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3916  /* check result */
3917  for (i = 0; i < 4 * runs + 1; i++) {
3918  CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge[i]));
3919  }
3920 
3921  /* Test batch gej -> ge conversion with all infinities. */
3922  for (i = 0; i < 4 * runs + 1; i++) {
3923  secp256k1_gej_set_infinity(&gej[i]);
3924  }
3925  /* batch convert */
3926  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3927  /* check result */
3928  for (i = 0; i < 4 * runs + 1; i++) {
3929  CHECK(secp256k1_ge_is_infinity(&ge[i]));
3930  }
3931 
3932  free(ge);
3933  free(gej);
3934 }
3935 
3936 static void test_intialized_inf(void) {
3937  secp256k1_ge p;
3938  secp256k1_gej pj, npj, infj1, infj2, infj3;
3939  secp256k1_fe zinv;
3940 
3941  /* Test that adding P+(-P) results in a fully initialized infinity*/
3942  random_group_element_test(&p);
3943  secp256k1_gej_set_ge(&pj, &p);
3944  secp256k1_gej_neg(&npj, &pj);
3945 
3946  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3947  CHECK(secp256k1_gej_is_infinity(&infj1));
3948  CHECK(secp256k1_fe_is_zero(&infj1.x));
3949  CHECK(secp256k1_fe_is_zero(&infj1.y));
3950  CHECK(secp256k1_fe_is_zero(&infj1.z));
3951 
3952  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3953  CHECK(secp256k1_gej_is_infinity(&infj2));
3954  CHECK(secp256k1_fe_is_zero(&infj2.x));
3955  CHECK(secp256k1_fe_is_zero(&infj2.y));
3956  CHECK(secp256k1_fe_is_zero(&infj2.z));
3957 
3958  secp256k1_fe_set_int(&zinv, 1);
3959  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3960  CHECK(secp256k1_gej_is_infinity(&infj3));
3961  CHECK(secp256k1_fe_is_zero(&infj3.x));
3962  CHECK(secp256k1_fe_is_zero(&infj3.y));
3963  CHECK(secp256k1_fe_is_zero(&infj3.z));
3964 
3965 
3966 }
3967 
3968 static void test_add_neg_y_diff_x(void) {
3969  /* The point of this test is to check that we can add two points
3970  * whose y-coordinates are negatives of each other but whose x
3971  * coordinates differ. If the x-coordinates were the same, these
3972  * points would be negatives of each other and their sum is
3973  * infinity. This is cool because it "covers up" any degeneracy
3974  * in the addition algorithm that would cause the xy coordinates
3975  * of the sum to be wrong (since infinity has no xy coordinates).
3976  * HOWEVER, if the x-coordinates are different, infinity is the
3977  * wrong answer, and such degeneracies are exposed. This is the
3978  * root of https://github.com/bitcoin-core/secp256k1/issues/257
3979  * which this test is a regression test for.
3980  *
3981  * These points were generated in sage as
3982  *
3983  * load("secp256k1_params.sage")
3984  *
3985  * # random "bad pair"
3986  * P = C.random_element()
3987  * Q = -int(LAMBDA) * P
3988  * print(" P: %x %x" % P.xy())
3989  * print(" Q: %x %x" % Q.xy())
3990  * print("P + Q: %x %x" % (P + Q).xy())
3991  */
3992  secp256k1_gej aj = SECP256K1_GEJ_CONST(
3993  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3994  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3995  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3996  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3997  );
3998  secp256k1_gej bj = SECP256K1_GEJ_CONST(
3999  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
4000  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
4001  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
4002  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
4003  );
4004  secp256k1_gej sumj = SECP256K1_GEJ_CONST(
4005  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
4006  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
4007  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
4008  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
4009  );
4010  secp256k1_ge b;
4011  secp256k1_gej resj;
4012  secp256k1_ge res;
4013  secp256k1_ge_set_gej(&b, &bj);
4014 
4015  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4016  secp256k1_ge_set_gej(&res, &resj);
4017  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4018 
4019  secp256k1_gej_add_ge(&resj, &aj, &b);
4020  secp256k1_ge_set_gej(&res, &resj);
4021  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4022 
4023  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4024  secp256k1_ge_set_gej(&res, &resj);
4025  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4026 }
4027 
4028 static void run_ge(void) {
4029  int i;
4030  for (i = 0; i < COUNT * 32; i++) {
4031  test_ge();
4032  }
4033  test_add_neg_y_diff_x();
4034  test_intialized_inf();
4035 }
4036 
4037 static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4038  secp256k1_gej t = *a;
4039  secp256k1_gej_cmov(&t, b, 0);
4040  CHECK(gej_xyz_equals_gej(&t, a));
4041  secp256k1_gej_cmov(&t, b, 1);
4042  CHECK(gej_xyz_equals_gej(&t, b));
4043 }
4044 
4045 static void run_gej(void) {
4046  int i;
4047  secp256k1_gej a, b;
4048 
4049  /* Tests for secp256k1_gej_cmov */
4050  for (i = 0; i < COUNT; i++) {
4051  secp256k1_gej_set_infinity(&a);
4052  secp256k1_gej_set_infinity(&b);
4053  test_gej_cmov(&a, &b);
4054 
4055  random_gej_test(&a);
4056  test_gej_cmov(&a, &b);
4057  test_gej_cmov(&b, &a);
4058 
4059  b = a;
4060  test_gej_cmov(&a, &b);
4061 
4062  random_gej_test(&b);
4063  test_gej_cmov(&a, &b);
4064  test_gej_cmov(&b, &a);
4065  }
4066 
4067  /* Tests for secp256k1_gej_eq_var */
4068  for (i = 0; i < COUNT; i++) {
4069  secp256k1_fe fe;
4070  random_gej_test(&a);
4071  random_gej_test(&b);
4072  CHECK(!secp256k1_gej_eq_var(&a, &b));
4073 
4074  b = a;
4075  random_fe_non_zero_test(&fe);
4076  secp256k1_gej_rescale(&a, &fe);
4077  CHECK(secp256k1_gej_eq_var(&a, &b));
4078  }
4079 }
4080 
4081 static void test_ec_combine(void) {
4082  secp256k1_scalar sum = secp256k1_scalar_zero;
4083  secp256k1_pubkey data[6];
4084  const secp256k1_pubkey* d[6];
4085  secp256k1_pubkey sd;
4086  secp256k1_pubkey sd2;
4087  secp256k1_gej Qj;
4088  secp256k1_ge Q;
4089  int i;
4090  for (i = 1; i <= 6; i++) {
4091  secp256k1_scalar s;
4092  random_scalar_order_test(&s);
4093  secp256k1_scalar_add(&sum, &sum, &s);
4094  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &s);
4095  secp256k1_ge_set_gej(&Q, &Qj);
4096  secp256k1_pubkey_save(&data[i - 1], &Q);
4097  d[i - 1] = &data[i - 1];
4098  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &sum);
4099  secp256k1_ge_set_gej(&Q, &Qj);
4100  secp256k1_pubkey_save(&sd, &Q);
4101  CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4102  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4103  }
4104 }
4105 
4106 static void run_ec_combine(void) {
4107  int i;
4108  for (i = 0; i < COUNT * 8; i++) {
4109  test_ec_combine();
4110  }
4111 }
4112 
4113 static void test_group_decompress(const secp256k1_fe* x) {
4114  /* The input itself, normalized. */
4115  secp256k1_fe fex = *x;
4116  /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
4117  secp256k1_ge ge_even, ge_odd;
4118  /* Return values of the above calls. */
4119  int res_even, res_odd;
4120 
4121  secp256k1_fe_normalize_var(&fex);
4122 
4123  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4124  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4125 
4126  CHECK(res_even == res_odd);
4127 
4128  if (res_even) {
4129  secp256k1_fe_normalize_var(&ge_odd.x);
4130  secp256k1_fe_normalize_var(&ge_even.x);
4131  secp256k1_fe_normalize_var(&ge_odd.y);
4132  secp256k1_fe_normalize_var(&ge_even.y);
4133 
4134  /* No infinity allowed. */
4135  CHECK(!ge_even.infinity);
4136  CHECK(!ge_odd.infinity);
4137 
4138  /* Check that the x coordinates check out. */
4139  CHECK(secp256k1_fe_equal(&ge_even.x, x));
4140  CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4141 
4142  /* Check odd/even Y in ge_odd, ge_even. */
4143  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4144  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4145  }
4146 }
4147 
4148 static void run_group_decompress(void) {
4149  int i;
4150  for (i = 0; i < COUNT * 4; i++) {
4151  secp256k1_fe fe;
4152  random_fe_test(&fe);
4153  test_group_decompress(&fe);
4154  }
4155 }
4156 
4157 /***** ECMULT TESTS *****/
4158 
4159 static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4160  /* Tests the pre_g / pre_g_128 tables for consistency.
4161  * For independent verification we take a "geometric" approach to verification.
4162  * We check that every entry is on-curve.
4163  * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4164  * (1) p, gg, and -q are colinear.
4165  * (2) p, gg, and -q are all distinct.
4166  * where gg is twice the generator, where the generator is the first table entry.
4167  *
4168  * Checking the table's generators are correct is done in run_ecmult_pre_g.
4169  */
4170  secp256k1_gej g2;
4171  secp256k1_ge p, q, gg;
4172  secp256k1_fe dpx, dpy, dqx, dqy;
4173  size_t i;
4174 
4175  CHECK(0 < n);
4176 
4177  secp256k1_ge_from_storage(&p, &pre_g[0]);
4178  CHECK(secp256k1_ge_is_valid_var(&p));
4179 
4180  secp256k1_gej_set_ge(&g2, &p);
4181  secp256k1_gej_double_var(&g2, &g2, NULL);
4182  secp256k1_ge_set_gej_var(&gg, &g2);
4183  for (i = 1; i < n; ++i) {
4184  secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4185  secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4186  /* Check that p is not equal to gg */
4187  CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy));
4188 
4189  secp256k1_ge_from_storage(&q, &pre_g[i]);
4190  CHECK(secp256k1_ge_is_valid_var(&q));
4191 
4192  secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4193  dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4194  /* Check that -q is not equal to gg */
4195  CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy));
4196 
4197  /* Check that -q is not equal to p */
4198  CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4199 
4200  /* Check that p, -q and gg are colinear */
4201  secp256k1_fe_mul(&dpx, &dpx, &dqy);
4202  secp256k1_fe_mul(&dpy, &dpy, &dqx);
4203  CHECK(secp256k1_fe_equal(&dpx, &dpy));
4204 
4205  p = q;
4206  }
4207 }
4208 
4209 static void run_ecmult_pre_g(void) {
4210  secp256k1_ge_storage gs;
4211  secp256k1_gej gj;
4212  secp256k1_ge g;
4213  size_t i;
4214 
4215  /* Check that the pre_g and pre_g_128 tables are consistent. */
4216  test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G));
4217  test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G));
4218 
4219  /* Check the first entry from the pre_g table. */
4220  secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g);
4221  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4222 
4223  /* Check the first entry from the pre_g_128 table. */
4224  secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
4225  for (i = 0; i < 128; ++i) {
4226  secp256k1_gej_double_var(&gj, &gj, NULL);
4227  }
4228  secp256k1_ge_set_gej(&g, &gj);
4229  secp256k1_ge_to_storage(&gs, &g);
4230  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4231 }
4232 
4233 static void run_ecmult_chain(void) {
4234  /* random starting point A (on the curve) */
4235  secp256k1_gej a = SECP256K1_GEJ_CONST(
4236  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4237  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4238  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4239  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4240  );
4241  /* two random initial factors xn and gn */
4242  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4243  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4244  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4245  );
4246  secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
4247  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4248  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4249  );
4250  /* two small multipliers to be applied to xn and gn in every iteration: */
4251  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4252  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4253  /* accumulators with the resulting coefficients to A and G */
4254  secp256k1_scalar ae = secp256k1_scalar_one;
4255  secp256k1_scalar ge = secp256k1_scalar_zero;
4256  /* actual points */
4257  secp256k1_gej x;
4258  secp256k1_gej x2;
4259  int i;
4260 
4261  /* the point being computed */
4262  x = a;
4263  for (i = 0; i < 200*COUNT; i++) {
4264  /* in each iteration, compute X = xn*X + gn*G; */
4265  secp256k1_ecmult(&x, &x, &xn, &gn);
4266  /* also compute ae and ge: the actual accumulated factors for A and G */
4267  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4268  secp256k1_scalar_mul(&ae, &ae, &xn);
4269  secp256k1_scalar_mul(&ge, &ge, &xn);
4270  secp256k1_scalar_add(&ge, &ge, &gn);
4271  /* modify xn and gn */
4272  secp256k1_scalar_mul(&xn, &xn, &xf);
4273  secp256k1_scalar_mul(&gn, &gn, &gf);
4274 
4275  /* verify */
4276  if (i == 19999) {
4277  /* expected result after 19999 iterations */
4278  secp256k1_gej rp = SECP256K1_GEJ_CONST(
4279  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4280  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4281  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4282  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4283  );
4284  CHECK(secp256k1_gej_eq_var(&rp, &x));
4285  }
4286  }
4287  /* redo the computation, but directly with the resulting ae and ge coefficients: */
4288  secp256k1_ecmult(&x2, &a, &ae, &ge);
4289  CHECK(secp256k1_gej_eq_var(&x, &x2));
4290 }
4291 
4292 static void test_point_times_order(const secp256k1_gej *point) {
4293  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4294  secp256k1_scalar x;
4295  secp256k1_scalar nx;
4296  secp256k1_gej res1, res2;
4297  secp256k1_ge res3;
4298  unsigned char pub[65];
4299  size_t psize = 65;
4300  random_scalar_order_test(&x);
4301  secp256k1_scalar_negate(&nx, &x);
4302  secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4303  secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4304  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4305  CHECK(secp256k1_gej_is_infinity(&res1));
4306  secp256k1_ge_set_gej(&res3, &res1);
4307  CHECK(secp256k1_ge_is_infinity(&res3));
4308  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4309  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4310  psize = 65;
4311  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4312  /* check zero/one edge cases */
4313  secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_zero);
4314  secp256k1_ge_set_gej(&res3, &res1);
4315  CHECK(secp256k1_ge_is_infinity(&res3));
4316  secp256k1_ecmult(&res1, point, &secp256k1_scalar_one, &secp256k1_scalar_zero);
4317  secp256k1_ge_set_gej(&res3, &res1);
4318  CHECK(secp256k1_gej_eq_ge_var(point, &res3));
4319  secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_one);
4320  secp256k1_ge_set_gej(&res3, &res1);
4321  CHECK(secp256k1_ge_eq_var(&secp256k1_ge_const_g, &res3));
4322 }
4323 
4324 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4325  *
4326  * They are computed as:
4327  * - For a in [-2, -1, 0, 1, 2]:
4328  * - For b in [-3, -1, 1, 3]:
4329  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4330  */
4331 static const secp256k1_scalar scalars_near_split_bounds[20] = {
4332  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4333  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4334  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4335  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4336  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4337  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4338  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4339  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4340  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4341  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4342  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4343  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4344  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4345  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4346  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4347  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4348  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4349  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4350  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4351  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4352 };
4353 
4354 static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4355  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4356  secp256k1_scalar n1, n2;
4357  secp256k1_ge p;
4358  secp256k1_gej pj, p1j, p2j, ptj;
4359 
4360  /* Generate random n1,n2 such that n1+n2 = -target. */
4361  random_scalar_order_test(&n1);
4362  secp256k1_scalar_add(&n2, &n1, target);
4363  secp256k1_scalar_negate(&n2, &n2);
4364 
4365  /* Generate a random input point. */
4366  if (mode != 0) {
4367  random_group_element_test(&p);
4368  secp256k1_gej_set_ge(&pj, &p);
4369  }
4370 
4371  /* EC multiplications */
4372  if (mode == 0) {
4373  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1);
4374  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2);
4375  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4376  } else if (mode == 1) {
4377  secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4378  secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4379  secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4380  } else {
4381  secp256k1_ecmult_const(&p1j, &p, &n1);
4382  secp256k1_ecmult_const(&p2j, &p, &n2);
4383  secp256k1_ecmult_const(&ptj, &p, target);
4384  }
4385 
4386  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4387  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4388  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4389  CHECK(secp256k1_gej_is_infinity(&ptj));
4390 }
4391 
4392 static void run_ecmult_near_split_bound(void) {
4393  int i;
4394  unsigned j;
4395  for (i = 0; i < 4*COUNT; ++i) {
4396  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4397  test_ecmult_target(&scalars_near_split_bounds[j], 0);
4398  test_ecmult_target(&scalars_near_split_bounds[j], 1);
4399  test_ecmult_target(&scalars_near_split_bounds[j], 2);
4400  }
4401  }
4402 }
4403 
4404 static void run_point_times_order(void) {
4405  int i;
4406  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4407  static const secp256k1_fe xr = SECP256K1_FE_CONST(
4408  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4409  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4410  );
4411  for (i = 0; i < 500; i++) {
4412  secp256k1_ge p;
4413  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4414  secp256k1_gej j;
4415  CHECK(secp256k1_ge_is_valid_var(&p));
4416  secp256k1_gej_set_ge(&j, &p);
4417  test_point_times_order(&j);
4418  }
4419  secp256k1_fe_sqr(&x, &x);
4420  }
4421  secp256k1_fe_normalize_var(&x);
4422  CHECK(secp256k1_fe_equal(&x, &xr));
4423 }
4424 
4425 static void ecmult_const_random_mult(void) {
4426  /* random starting point A (on the curve) */
4427  secp256k1_ge a = SECP256K1_GE_CONST(
4428  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4429  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4430  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4431  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4432  );
4433  /* random initial factor xn */
4434  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4435  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4436  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4437  );
4438  /* expected xn * A (from sage) */
4439  secp256k1_ge expected_b = SECP256K1_GE_CONST(
4440  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4441  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4442  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4443  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4444  );
4445  secp256k1_gej b;
4446  secp256k1_ecmult_const(&b, &a, &xn);
4447 
4448  CHECK(secp256k1_ge_is_valid_var(&a));
4449  CHECK(secp256k1_gej_eq_ge_var(&b, &expected_b));
4450 }
4451 
4452 static void ecmult_const_commutativity(void) {
4453  secp256k1_scalar a;
4454  secp256k1_scalar b;
4455  secp256k1_gej res1;
4456  secp256k1_gej res2;
4457  secp256k1_ge mid1;
4458  secp256k1_ge mid2;
4459  random_scalar_order_test(&a);
4460  random_scalar_order_test(&b);
4461 
4462  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
4463  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
4464  secp256k1_ge_set_gej(&mid1, &res1);
4465  secp256k1_ge_set_gej(&mid2, &res2);
4466  secp256k1_ecmult_const(&res1, &mid1, &b);
4467  secp256k1_ecmult_const(&res2, &mid2, &a);
4468  secp256k1_ge_set_gej(&mid1, &res1);
4469  secp256k1_ge_set_gej(&mid2, &res2);
4470  CHECK(secp256k1_ge_eq_var(&mid1, &mid2));
4471 }
4472 
4473 static void ecmult_const_mult_zero_one(void) {
4474  secp256k1_scalar s;
4475  secp256k1_scalar negone;
4476  secp256k1_gej res1;
4477  secp256k1_ge res2;
4478  secp256k1_ge point;
4479  secp256k1_ge inf;
4480 
4481  random_scalar_order_test(&s);
4482  secp256k1_scalar_negate(&negone, &secp256k1_scalar_one);
4483  random_group_element_test(&point);
4484  secp256k1_ge_set_infinity(&inf);
4485 
4486  /* 0*point */
4487  secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_zero);
4488  CHECK(secp256k1_gej_is_infinity(&res1));
4489 
4490  /* s*inf */
4491  secp256k1_ecmult_const(&res1, &inf, &s);
4492  CHECK(secp256k1_gej_is_infinity(&res1));
4493 
4494  /* 1*point */
4495  secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_one);
4496  secp256k1_ge_set_gej(&res2, &res1);
4497  CHECK(secp256k1_ge_eq_var(&res2, &point));
4498 
4499  /* -1*point */
4500  secp256k1_ecmult_const(&res1, &point, &negone);
4501  secp256k1_gej_neg(&res1, &res1);
4502  secp256k1_ge_set_gej(&res2, &res1);
4503  CHECK(secp256k1_ge_eq_var(&res2, &point));
4504 }
4505 
4506 static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) {
4507  secp256k1_gej pointj, res2j;
4508  secp256k1_ge res2;
4509  secp256k1_gej_set_ge(&pointj, A);
4510  secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero);
4511  secp256k1_ge_set_gej(&res2, &res2j);
4512  CHECK(secp256k1_gej_eq_ge_var(res, &res2));
4513 }
4514 
4515 static void ecmult_const_edges(void) {
4516  secp256k1_scalar q;
4517  secp256k1_ge point;
4518  secp256k1_gej res;
4519  size_t i;
4520  size_t cases = 1 + sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]);
4521 
4522  /* We are trying to reach the following edge cases (variables are defined as
4523  * in ecmult_const_impl.h):
4524  * 1. i = 0: s = 0 <=> q = -K
4525  * 2. i > 0: v1, v2 large values
4526  * <=> s1, s2 large values
4527  * <=> s = scalars_near_split_bounds[i]
4528  * <=> q = 2*scalars_near_split_bounds[i] - K
4529  */
4530  for (i = 0; i < cases; ++i) {
4531  secp256k1_scalar_negate(&q, &secp256k1_ecmult_const_K);
4532  if (i > 0) {
4533  secp256k1_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]);
4534  secp256k1_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]);
4535  }
4536  random_group_element_test(&point);
4537  secp256k1_ecmult_const(&res, &point, &q);
4538  ecmult_const_check_result(&point, &q, &res);
4539  }
4540 }
4541 
4542 static void ecmult_const_mult_xonly(void) {
4543  int i;
4544 
4545  /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4546  for (i = 0; i < 2*COUNT; ++i) {
4547  secp256k1_ge base;
4548  secp256k1_gej basej, resj;
4549  secp256k1_fe n, d, resx, v;
4550  secp256k1_scalar q;
4551  int res;
4552  /* Random base point. */
4553  random_group_element_test(&base);
4554  /* Random scalar to multiply it with. */
4555  random_scalar_order_test(&q);
4556  /* If i is odd, n=d*base.x for random non-zero d */
4557  if (i & 1) {
4558  random_fe_non_zero_test(&d);
4559  secp256k1_fe_mul(&n, &base.x, &d);
4560  } else {
4561  n = base.x;
4562  }
4563  /* Perform x-only multiplication. */
4564  res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4565  CHECK(res);
4566  /* Perform normal multiplication. */
4567  secp256k1_gej_set_ge(&basej, &base);
4568  secp256k1_ecmult(&resj, &basej, &q, NULL);
4569  /* Check that resj's X coordinate corresponds with resx. */
4570  secp256k1_fe_sqr(&v, &resj.z);
4571  secp256k1_fe_mul(&v, &v, &resx);
4572  CHECK(fe_equal(&v, &resj.x));
4573  }
4574 
4575  /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4576  for (i = 0; i < 2*COUNT; ++i) {
4577  secp256k1_fe x, n, d, r;
4578  int res;
4579  secp256k1_scalar q;
4580  random_scalar_order_test(&q);
4581  /* Generate random X coordinate not on the curve. */
4582  do {
4583  random_fe_test(&x);
4584  } while (secp256k1_ge_x_on_curve_var(&x));
4585  /* If i is odd, n=d*x for random non-zero d. */
4586  if (i & 1) {
4587  random_fe_non_zero_test(&d);
4588  secp256k1_fe_mul(&n, &x, &d);
4589  } else {
4590  n = x;
4591  }
4592  res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4593  CHECK(res == 0);
4594  }
4595 }
4596 
4597 static void ecmult_const_chain_multiply(void) {
4598  /* Check known result (randomly generated test problem from sage) */
4599  const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
4600  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4601  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4602  );
4603  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4604  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4605  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4606  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4607  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4608  );
4609  secp256k1_gej point;
4610  secp256k1_ge res;
4611  int i;
4612 
4613  secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
4614  for (i = 0; i < 100; ++i) {
4615  secp256k1_ge tmp;
4616  secp256k1_ge_set_gej(&tmp, &point);
4617  secp256k1_ecmult_const(&point, &tmp, &scalar);
4618  }
4619  secp256k1_ge_set_gej(&res, &point);
4620  CHECK(secp256k1_gej_eq_ge_var(&expected_point, &res));
4621 }
4622 
4623 static void run_ecmult_const_tests(void) {
4624  ecmult_const_mult_zero_one();
4625  ecmult_const_edges();
4626  ecmult_const_random_mult();
4627  ecmult_const_commutativity();
4628  ecmult_const_chain_multiply();
4629  ecmult_const_mult_xonly();
4630 }
4631 
4632 typedef struct {
4633  secp256k1_scalar *sc;
4634  secp256k1_ge *pt;
4635 } ecmult_multi_data;
4636 
4637 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4638  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4639  *sc = data->sc[idx];
4640  *pt = data->pt[idx];
4641  return 1;
4642 }
4643 
4644 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4645  (void)sc;
4646  (void)pt;
4647  (void)idx;
4648  (void)cbdata;
4649  return 0;
4650 }
4651 
4652 static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
4653  int ncount;
4654  secp256k1_scalar sc[32];
4655  secp256k1_ge pt[32];
4656  secp256k1_gej r;
4657  secp256k1_gej r2;
4658  ecmult_multi_data data;
4659 
4660  data.sc = sc;
4661  data.pt = pt;
4662 
4663  /* No points to multiply */
4664  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4665 
4666  /* Check 1- and 2-point multiplies against ecmult */
4667  for (ncount = 0; ncount < COUNT; ncount++) {
4668  secp256k1_ge ptg;
4669  secp256k1_gej ptgj;
4670  random_scalar_order(&sc[0]);
4671  random_scalar_order(&sc[1]);
4672 
4673  random_group_element_test(&ptg);
4674  secp256k1_gej_set_ge(&ptgj, &ptg);
4675  pt[0] = ptg;
4676  pt[1] = secp256k1_ge_const_g;
4677 
4678  /* only G scalar */
4679  secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4680  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4681  CHECK(secp256k1_gej_eq_var(&r, &r2));
4682 
4683  /* 1-point */
4684  secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4685  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4686  CHECK(secp256k1_gej_eq_var(&r, &r2));
4687 
4688  /* Try to multiply 1 point, but callback returns false */
4689  CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4690 
4691  /* 2-point */
4692  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4693  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4694  CHECK(secp256k1_gej_eq_var(&r, &r2));
4695 
4696  /* 2-point with G scalar */
4697  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4698  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4699  CHECK(secp256k1_gej_eq_var(&r, &r2));
4700  }
4701 
4702  /* Check infinite outputs of various forms */
4703  for (ncount = 0; ncount < COUNT; ncount++) {
4704  secp256k1_ge ptg;
4705  size_t i, j;
4706  size_t sizes[] = { 2, 10, 32 };
4707 
4708  for (j = 0; j < 3; j++) {
4709  for (i = 0; i < 32; i++) {
4710  random_scalar_order(&sc[i]);
4711  secp256k1_ge_set_infinity(&pt[i]);
4712  }
4713  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4714  CHECK(secp256k1_gej_is_infinity(&r));
4715  }
4716 
4717  for (j = 0; j < 3; j++) {
4718  for (i = 0; i < 32; i++) {
4719  random_group_element_test(&ptg);
4720  pt[i] = ptg;
4721  secp256k1_scalar_set_int(&sc[i], 0);
4722  }
4723  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4724  CHECK(secp256k1_gej_is_infinity(&r));
4725  }
4726 
4727  for (j = 0; j < 3; j++) {
4728  random_group_element_test(&ptg);
4729  for (i = 0; i < 16; i++) {
4730  random_scalar_order(&sc[2*i]);
4731  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4732  pt[2 * i] = ptg;
4733  pt[2 * i + 1] = ptg;
4734  }
4735 
4736  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4737  CHECK(secp256k1_gej_is_infinity(&r));
4738 
4739  random_scalar_order(&sc[0]);
4740  for (i = 0; i < 16; i++) {
4741  random_group_element_test(&ptg);
4742 
4743  sc[2*i] = sc[0];
4744  sc[2*i+1] = sc[0];
4745  pt[2 * i] = ptg;
4746  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4747  }
4748 
4749  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4750  CHECK(secp256k1_gej_is_infinity(&r));
4751  }
4752 
4753  random_group_element_test(&ptg);
4754  secp256k1_scalar_set_int(&sc[0], 0);
4755  pt[0] = ptg;
4756  for (i = 1; i < 32; i++) {
4757  pt[i] = ptg;
4758 
4759  random_scalar_order(&sc[i]);
4760  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4761  secp256k1_scalar_negate(&sc[i], &sc[i]);
4762  }
4763 
4764  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4765  CHECK(secp256k1_gej_is_infinity(&r));
4766  }
4767 
4768  /* Check random points, constant scalar */
4769  for (ncount = 0; ncount < COUNT; ncount++) {
4770  size_t i;
4771  secp256k1_gej_set_infinity(&r);
4772 
4773  random_scalar_order(&sc[0]);
4774  for (i = 0; i < 20; i++) {
4775  secp256k1_ge ptg;
4776  sc[i] = sc[0];
4777  random_group_element_test(&ptg);
4778  pt[i] = ptg;
4779  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4780  }
4781 
4782  secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4783  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4784  CHECK(secp256k1_gej_eq_var(&r, &r2));
4785  }
4786 
4787  /* Check random scalars, constant point */
4788  for (ncount = 0; ncount < COUNT; ncount++) {
4789  size_t i;
4790  secp256k1_ge ptg;
4791  secp256k1_gej p0j;
4792  secp256k1_scalar rs;
4793  secp256k1_scalar_set_int(&rs, 0);
4794 
4795  random_group_element_test(&ptg);
4796  for (i = 0; i < 20; i++) {
4797  random_scalar_order(&sc[i]);
4798  pt[i] = ptg;
4799  secp256k1_scalar_add(&rs, &rs, &sc[i]);
4800  }
4801 
4802  secp256k1_gej_set_ge(&p0j, &pt[0]);
4803  secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4804  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4805  CHECK(secp256k1_gej_eq_var(&r, &r2));
4806  }
4807 
4808  /* Sanity check that zero scalars don't cause problems */
4809  for (ncount = 0; ncount < 20; ncount++) {
4810  random_scalar_order(&sc[ncount]);
4811  random_group_element_test(&pt[ncount]);
4812  }
4813 
4814  secp256k1_scalar_clear(&sc[0]);
4815  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4816  secp256k1_scalar_clear(&sc[1]);
4817  secp256k1_scalar_clear(&sc[2]);
4818  secp256k1_scalar_clear(&sc[3]);
4819  secp256k1_scalar_clear(&sc[4]);
4820  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4821  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4822  CHECK(secp256k1_gej_is_infinity(&r));
4823 
4824  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4825  {
4826  const size_t TOP = 8;
4827  size_t s0i, s1i;
4828  size_t t0i, t1i;
4829  secp256k1_ge ptg;
4830  secp256k1_gej ptgj;
4831 
4832  random_group_element_test(&ptg);
4833  secp256k1_gej_set_ge(&ptgj, &ptg);
4834 
4835  for(t0i = 0; t0i < TOP; t0i++) {
4836  for(t1i = 0; t1i < TOP; t1i++) {
4837  secp256k1_gej t0p, t1p;
4838  secp256k1_scalar t0, t1;
4839 
4840  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4841  secp256k1_scalar_cond_negate(&t0, t0i & 1);
4842  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4843  secp256k1_scalar_cond_negate(&t1, t1i & 1);
4844 
4845  secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4846  secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4847 
4848  for(s0i = 0; s0i < TOP; s0i++) {
4849  for(s1i = 0; s1i < TOP; s1i++) {
4850  secp256k1_scalar tmp1, tmp2;
4851  secp256k1_gej expected, actual;
4852 
4853  secp256k1_ge_set_gej(&pt[0], &t0p);
4854  secp256k1_ge_set_gej(&pt[1], &t1p);
4855 
4856  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4857  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4858  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4859  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4860 
4861  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4862  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4863  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4864 
4865  secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4866  CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4867  CHECK(secp256k1_gej_eq_var(&actual, &expected));
4868  }
4869  }
4870  }
4871  }
4872  }
4873 }
4874 
4875 static int test_ecmult_multi_random(secp256k1_scratch *scratch) {
4876  /* Large random test for ecmult_multi_* functions which exercises:
4877  * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4878  * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4879  * - Including or excluding an nonzero a*G term (or such a term at all).
4880  * - Final expected result equal to infinity or not (roughly 50%).
4881  * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4882  */
4883 
4884  /* These 4 variables define the eventual input to the ecmult_multi function.
4885  * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4886  * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4887  * which form its normal inputs. */
4888  int filled = 0;
4889  secp256k1_scalar g_scalar = secp256k1_scalar_zero;
4890  secp256k1_scalar scalars[128];
4891  secp256k1_gej gejs[128];
4892  /* The expected result, and the computed result. */
4893  secp256k1_gej expected, computed;
4894  /* Temporaries. */
4895  secp256k1_scalar sc_tmp;
4896  secp256k1_ge ge_tmp;
4897  /* Variables needed for the actual input to ecmult_multi. */
4898  secp256k1_ge ges[128];
4899  ecmult_multi_data data;
4900 
4901  int i;
4902  /* Which multiplication function to use */
4903  int fn = secp256k1_testrand_int(3);
4904  secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4905  fn == 1 ? secp256k1_ecmult_strauss_batch_single :
4906  secp256k1_ecmult_pippenger_batch_single;
4907  /* Simulate exponentially distributed num. */
4908  int num_bits = 2 + secp256k1_testrand_int(6);
4909  /* Number of (scalar, point) inputs (excluding g). */
4910  int num = secp256k1_testrand_int((1 << num_bits) + 1);
4911  /* Number of those which are nonzero. */
4912  int num_nonzero = secp256k1_testrand_int(num + 1);
4913  /* Whether we're aiming to create an input with nonzero expected result. */
4914  int nonzero_result = secp256k1_testrand_bits(1);
4915  /* Whether we will provide nonzero g multiplicand. In some cases our hand
4916  * is forced here based on num_nonzero and nonzero_result. */
4917  int g_nonzero = num_nonzero == 0 ? nonzero_result :
4918  num_nonzero == 1 && !nonzero_result ? 1 :
4919  (int)secp256k1_testrand_bits(1);
4920  /* Which g_scalar pointer to pass into ecmult_multi(). */
4921  const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4922  /* How many EC multiplications were performed in this function. */
4923  int mults = 0;
4924  /* How many randomization steps to apply to the input list. */
4925  int rands = (int)secp256k1_testrand_bits(3);
4926  if (rands > num_nonzero) rands = num_nonzero;
4927 
4928  secp256k1_gej_set_infinity(&expected);
4929  secp256k1_gej_set_infinity(&gejs[0]);
4930  secp256k1_scalar_set_int(&scalars[0], 0);
4931 
4932  if (g_nonzero) {
4933  /* If g_nonzero, set g_scalar to nonzero value r. */
4934  random_scalar_order_test(&g_scalar);
4935  if (!nonzero_result) {
4936  /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4937  CHECK(num_nonzero > filled);
4938  random_scalar_order_test(&sc_tmp);
4939  secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4940  secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4941  secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4942  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4943  ++filled;
4944  ++mults;
4945  }
4946  }
4947 
4948  if (nonzero_result && filled < num_nonzero) {
4949  /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4950  random_scalar_order_test(&scalars[filled]);
4951  random_group_element_test(&ge_tmp);
4952  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4953  ++filled;
4954  }
4955 
4956  if (nonzero_result) {
4957  /* Compute the expected result using normal ecmult. */
4958  CHECK(filled <= 1);
4959  secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4960  mults += filled + g_nonzero;
4961  }
4962 
4963  /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4964  CHECK(filled <= 1 + !nonzero_result);
4965  CHECK(filled <= num_nonzero);
4966 
4967  /* Add entries to scalars,gejs so that there are num of them. All the added entries
4968  * either have scalar=0 or point=infinity, so these do not change the expected result. */
4969  while (filled < num) {
4970  if (secp256k1_testrand_bits(1)) {
4971  secp256k1_gej_set_infinity(&gejs[filled]);
4972  random_scalar_order_test(&scalars[filled]);
4973  } else {
4974  secp256k1_scalar_set_int(&scalars[filled], 0);
4975  random_group_element_test(&ge_tmp);
4976  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4977  }
4978  ++filled;
4979  }
4980 
4981  /* Now perform cheapish transformations on gejs and scalars, for indices
4982  * 0..num_nonzero-1, which do not change the expected result, but may
4983  * convert some of them to be both non-0-scalar and non-infinity-point. */
4984  for (i = 0; i < rands; ++i) {
4985  int j;
4986  secp256k1_scalar v, iv;
4987  /* Shuffle the entries. */
4988  for (j = 0; j < num_nonzero; ++j) {
4989  int k = secp256k1_testrand_int(num_nonzero - j);
4990  if (k != 0) {
4991  secp256k1_gej gej = gejs[j];
4992  secp256k1_scalar sc = scalars[j];
4993  gejs[j] = gejs[j + k];
4994  scalars[j] = scalars[j + k];
4995  gejs[j + k] = gej;
4996  scalars[j + k] = sc;
4997  }
4998  }
4999  /* Perturb all consecutive pairs of inputs:
5000  * a*P + b*Q -> (a+b)*P + b*(Q-P). */
5001  for (j = 0; j + 1 < num_nonzero; j += 2) {
5002  secp256k1_gej gej;
5003  secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
5004  secp256k1_gej_neg(&gej, &gejs[j]);
5005  secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
5006  }
5007  /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
5008  CHECK(num_nonzero >= 1);
5009  random_scalar_order_test(&v);
5010  secp256k1_scalar_inverse(&iv, &v);
5011  secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5012  secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5013  ++mults;
5014  }
5015 
5016  /* Shuffle all entries (0..num-1). */
5017  for (i = 0; i < num; ++i) {
5018  int j = secp256k1_testrand_int(num - i);
5019  if (j != 0) {
5020  secp256k1_gej gej = gejs[i];
5021  secp256k1_scalar sc = scalars[i];
5022  gejs[i] = gejs[i + j];
5023  scalars[i] = scalars[i + j];
5024  gejs[i + j] = gej;
5025  scalars[i + j] = sc;
5026  }
5027  }
5028 
5029  /* Compute affine versions of all inputs. */
5030  secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5031  /* Invoke ecmult_multi code. */
5032  data.sc = scalars;
5033  data.pt = ges;
5034  CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5035  mults += num_nonzero + g_nonzero;
5036  /* Compare with expected result. */
5037  CHECK(secp256k1_gej_eq_var(&computed, &expected));
5038  return mults;
5039 }
5040 
5041 static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
5042  secp256k1_scalar sc;
5043  secp256k1_ge pt;
5044  secp256k1_gej r;
5045  ecmult_multi_data data;
5046  secp256k1_scratch *scratch_empty;
5047 
5048  random_group_element_test(&pt);
5049  random_scalar_order(&sc);
5050  data.sc = &sc;
5051  data.pt = &pt;
5052 
5053  /* Try to multiply 1 point, but scratch space is empty.*/
5054  scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5055  CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5056  secp256k1_scratch_destroy(&CTX->error_callback, scratch_empty);
5057 }
5058 
5059 static void test_secp256k1_pippenger_bucket_window_inv(void) {
5060  int i;
5061 
5062  CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
5063  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5064  /* Bucket_window of 8 is not used with endo */
5065  if (i == 8) {
5066  continue;
5067  }
5068  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
5069  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5070  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
5071  }
5072  }
5073 }
5074 
5079 static void test_ecmult_multi_pippenger_max_points(void) {
5080  size_t scratch_size = secp256k1_testrand_bits(8);
5081  size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
5082  secp256k1_scratch *scratch;
5083  size_t n_points_supported;
5084  int bucket_window = 0;
5085 
5086  for(; scratch_size < max_size; scratch_size+=256) {
5087  size_t i;
5088  size_t total_alloc;
5089  size_t checkpoint;
5090  scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5091  CHECK(scratch != NULL);
5092  checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5093  n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5094  if (n_points_supported == 0) {
5095  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5096  continue;
5097  }
5098  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5099  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5100  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5101  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5102  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 1));
5103  total_alloc--;
5104  }
5105  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5106  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
5107  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5108  }
5109  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5110 }
5111 
5112 static void test_ecmult_multi_batch_size_helper(void) {
5113  size_t n_batches, n_batch_points, max_n_batch_points, n;
5114 
5115  max_n_batch_points = 0;
5116  n = 1;
5117  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5118 
5119  max_n_batch_points = 1;
5120  n = 0;
5121  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5122  CHECK(n_batches == 0);
5123  CHECK(n_batch_points == 0);
5124 
5125  max_n_batch_points = 2;
5126  n = 5;
5127  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5128  CHECK(n_batches == 3);
5129  CHECK(n_batch_points == 2);
5130 
5131  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5132  n = ECMULT_MAX_POINTS_PER_BATCH;
5133  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5134  CHECK(n_batches == 1);
5135  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5136 
5137  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5138  n = ECMULT_MAX_POINTS_PER_BATCH + 1;
5139  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5140  CHECK(n_batches == 2);
5141  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5142 
5143  max_n_batch_points = 1;
5144  n = SIZE_MAX;
5145  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5146  CHECK(n_batches == SIZE_MAX);
5147  CHECK(n_batch_points == 1);
5148 
5149  max_n_batch_points = 2;
5150  n = SIZE_MAX;
5151  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5152  CHECK(n_batches == SIZE_MAX/2 + 1);
5153  CHECK(n_batch_points == 2);
5154 }
5155 
5160 static void test_ecmult_multi_batching(void) {
5161  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5162  secp256k1_scalar scG;
5163  secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_scalar) * n_points);
5164  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points);
5165  secp256k1_gej r;
5166  secp256k1_gej r2;
5167  ecmult_multi_data data;
5168  int i;
5169  secp256k1_scratch *scratch;
5170 
5171  secp256k1_gej_set_infinity(&r2);
5172 
5173  /* Get random scalars and group elements and compute result */
5174  random_scalar_order(&scG);
5175  secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5176  for(i = 0; i < n_points; i++) {
5177  secp256k1_ge ptg;
5178  secp256k1_gej ptgj;
5179  random_group_element_test(&ptg);
5180  secp256k1_gej_set_ge(&ptgj, &ptg);
5181  pt[i] = ptg;
5182  random_scalar_order(&sc[i]);
5183  secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5184  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5185  }
5186  data.sc = sc;
5187  data.pt = pt;
5188  secp256k1_gej_neg(&r2, &r2);
5189 
5190  /* Test with empty scratch space. It should compute the correct result using
5191  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5192  scratch = secp256k1_scratch_create(&CTX->error_callback, 0);
5193  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5194  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5195  CHECK(secp256k1_gej_is_infinity(&r));
5196  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5197 
5198  /* Test with space for 1 point in pippenger. That's not enough because
5199  * ecmult_multi selects strauss which requires more memory. It should
5200  * therefore select the simple algorithm. */
5201  scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5202  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5203  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5204  CHECK(secp256k1_gej_is_infinity(&r));
5205  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5206 
5207  for(i = 1; i <= n_points; i++) {
5208  if (i > ECMULT_PIPPENGER_THRESHOLD) {
5209  int bucket_window = secp256k1_pippenger_bucket_window(i);
5210  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5211  scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5212  } else {
5213  size_t scratch_size = secp256k1_strauss_scratch_size(i);
5214  scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5215  }
5216  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5217  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5218  CHECK(secp256k1_gej_is_infinity(&r));
5219  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5220  }
5221  free(sc);
5222  free(pt);
5223 }
5224 
5225 static void run_ecmult_multi_tests(void) {
5226  secp256k1_scratch *scratch;
5227  int64_t todo = (int64_t)320 * COUNT;
5228 
5229  test_secp256k1_pippenger_bucket_window_inv();
5230  test_ecmult_multi_pippenger_max_points();
5231  scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5232  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5233  test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
5234  test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
5235  test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
5236  test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
5237  test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
5238  while (todo > 0) {
5239  todo -= test_ecmult_multi_random(scratch);
5240  }
5241  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5242 
5243  /* Run test_ecmult_multi with space for exactly one point */
5244  scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5245  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5246  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5247 
5248  test_ecmult_multi_batch_size_helper();
5249  test_ecmult_multi_batching();
5250 }
5251 
5252 static void test_wnaf(const secp256k1_scalar *number, int w) {
5253  secp256k1_scalar x, two, t;
5254  int wnaf[256];
5255  int zeroes = -1;
5256  int i;
5257  int bits;
5258  secp256k1_scalar_set_int(&x, 0);
5259  secp256k1_scalar_set_int(&two, 2);
5260  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5261  CHECK(bits <= 256);
5262  for (i = bits-1; i >= 0; i--) {
5263  int v = wnaf[i];
5264  secp256k1_scalar_mul(&x, &x, &two);
5265  if (v) {
5266  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5267  zeroes=0;
5268  CHECK((v & 1) == 1); /* check non-zero elements are odd */
5269  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5270  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5271  } else {
5272  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5273  zeroes++;
5274  }
5275  if (v >= 0) {
5276  secp256k1_scalar_set_int(&t, v);
5277  } else {
5278  secp256k1_scalar_set_int(&t, -v);
5279  secp256k1_scalar_negate(&t, &t);
5280  }
5281  secp256k1_scalar_add(&x, &x, &t);
5282  }
5283  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5284 }
5285 
5286 static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5287  secp256k1_scalar x, shift;
5288  int wnaf[256] = {0};
5289  int i;
5290  int skew;
5291  secp256k1_scalar num, unused;
5292 
5293  secp256k1_scalar_set_int(&x, 0);
5294  secp256k1_scalar_set_int(&shift, 1 << w);
5295  /* Make num a 128-bit scalar. */
5296  secp256k1_scalar_split_128(&num, &unused, number);
5297  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5298 
5299  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5300  secp256k1_scalar t;
5301  int v = wnaf[i];
5302  CHECK(v == 0 || v & 1); /* check parity */
5303  CHECK(v > -(1 << w)); /* check range above */
5304  CHECK(v < (1 << w)); /* check range below */
5305 
5306  secp256k1_scalar_mul(&x, &x, &shift);
5307  if (v >= 0) {
5308  secp256k1_scalar_set_int(&t, v);
5309  } else {
5310  secp256k1_scalar_set_int(&t, -v);
5311  secp256k1_scalar_negate(&t, &t);
5312  }
5313  secp256k1_scalar_add(&x, &x, &t);
5314  }
5315  /* If skew is 1 then add 1 to num */
5316  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5317  CHECK(secp256k1_scalar_eq(&x, &num));
5318 }
5319 
5320 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5321  * rest is 0.*/
5322 static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5323  int i;
5324  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5325  CHECK(wnaf[i] == 0);
5326  }
5327  for (i = 7; i >= 0; --i) {
5328  CHECK(wnaf[i] == wnaf_expected[i]);
5329  }
5330 }
5331 
5332 static void test_fixed_wnaf_small(void) {
5333  int w = 4;
5334  int wnaf[256] = {0};
5335  int i;
5336  int skew;
5337  secp256k1_scalar num;
5338 
5339  secp256k1_scalar_set_int(&num, 0);
5340  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5341  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5342  int v = wnaf[i];
5343  CHECK(v == 0);
5344  }
5345  CHECK(skew == 0);
5346 
5347  secp256k1_scalar_set_int(&num, 1);
5348  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5349  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5350  int v = wnaf[i];
5351  CHECK(v == 0);
5352  }
5353  CHECK(wnaf[0] == 1);
5354  CHECK(skew == 0);
5355 
5356  {
5357  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5358  secp256k1_scalar_set_int(&num, 0xffffffff);
5359  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5360  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5361  CHECK(skew == 0);
5362  }
5363  {
5364  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5365  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5366  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5367  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5368  CHECK(skew == 1);
5369  }
5370  {
5371  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5372  secp256k1_scalar_set_int(&num, 0x01010101);
5373  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5374  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5375  CHECK(skew == 0);
5376  }
5377  {
5378  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5379  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5380  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5381  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5382  CHECK(skew == 0);
5383  }
5384 }
5385 
5386 static void run_wnaf(void) {
5387  int i;
5388  secp256k1_scalar n;
5389 
5390  /* Test 0 for fixed wnaf */
5391  test_fixed_wnaf_small();
5392  /* Random tests */
5393  for (i = 0; i < COUNT; i++) {
5394  random_scalar_order(&n);
5395  test_wnaf(&n, 4+(i%10));
5396  test_fixed_wnaf(&n, 4 + (i % 10));
5397  }
5398  secp256k1_scalar_set_int(&n, 0);
5399  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5400  CHECK(secp256k1_scalar_is_zero(&n));
5401  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
5402  CHECK(secp256k1_scalar_is_zero(&n));
5403 }
5404 
5405 static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5406  const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5407  *sc = *indata;
5408  *pt = secp256k1_ge_const_g;
5409  CHECK(idx == 0);
5410  return 1;
5411 }
5412 
5413 static void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) {
5414  /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5415  secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5416  secp256k1_ge r;
5417  unsigned char bytes[65];
5418  size_t size = 65;
5419  secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
5420  secp256k1_gej_set_infinity(&infj);
5421  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &rj1, x);
5422  secp256k1_ecmult(&rj2, &gj, x, &secp256k1_scalar_zero);
5423  secp256k1_ecmult(&rj3, &infj, &secp256k1_scalar_zero, x);
5424  secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
5425  secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &secp256k1_scalar_zero, test_ecmult_accumulate_cb, (void*)x, 1);
5426  secp256k1_ecmult_const(&rj6, &secp256k1_ge_const_g, x);
5427  secp256k1_ge_set_gej_var(&r, &rj1);
5428  CHECK(secp256k1_gej_eq_ge_var(&rj2, &r));
5429  CHECK(secp256k1_gej_eq_ge_var(&rj3, &r));
5430  CHECK(secp256k1_gej_eq_ge_var(&rj4, &r));
5431  CHECK(secp256k1_gej_eq_ge_var(&rj5, &r));
5432  CHECK(secp256k1_gej_eq_ge_var(&rj6, &r));
5433  if (secp256k1_ge_is_infinity(&r)) {
5434  /* Store infinity as 0x00 */
5435  const unsigned char zerobyte[1] = {0};
5436  secp256k1_sha256_write(acc, zerobyte, 1);
5437  } else {
5438  /* Store other points using their uncompressed serialization. */
5439  secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5440  CHECK(size == 65);
5441  secp256k1_sha256_write(acc, bytes, size);
5442  }
5443 }
5444 
5445 static void test_ecmult_constants_2bit(void) {
5446  /* Using test_ecmult_accumulate, test ecmult for:
5447  * - For i in 0..36:
5448  * - Key i
5449  * - Key -i
5450  * - For i in 0..255:
5451  * - For j in 1..255 (only odd values):
5452  * - Key (j*2^i) mod order
5453  */
5454  secp256k1_scalar x;
5455  secp256k1_sha256 acc;
5456  unsigned char b32[32];
5457  int i, j;
5458  secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5459 
5460  /* Expected hash of all the computed points; created with an independent
5461  * implementation. */
5462  static const unsigned char expected32[32] = {
5463  0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5464  0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5465  0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5466  0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5467  };
5468  secp256k1_sha256_initialize(&acc);
5469  for (i = 0; i <= 36; ++i) {
5470  secp256k1_scalar_set_int(&x, i);
5471  test_ecmult_accumulate(&acc, &x, scratch);
5472  secp256k1_scalar_negate(&x, &x);
5473  test_ecmult_accumulate(&acc, &x, scratch);
5474  };
5475  for (i = 0; i < 256; ++i) {
5476  for (j = 1; j < 256; j += 2) {
5477  int k;
5478  secp256k1_scalar_set_int(&x, j);
5479  for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5480  test_ecmult_accumulate(&acc, &x, scratch);
5481  }
5482  }
5483  secp256k1_sha256_finalize(&acc, b32);
5484  CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5485 
5486  secp256k1_scratch_space_destroy(CTX, scratch);
5487 }
5488 
5489 static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5490  /* Using test_ecmult_accumulate, test ecmult for:
5491  * - Key 0
5492  * - Key 1
5493  * - Key -1
5494  * - For i in range(iter):
5495  * - Key SHA256(LE32(prefix) || LE16(i))
5496  */
5497  secp256k1_scalar x;
5498  secp256k1_sha256 acc;
5499  unsigned char b32[32];
5500  unsigned char inp[6];
5501  size_t i;
5502  secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5503 
5504  inp[0] = prefix & 0xFF;
5505  inp[1] = (prefix >> 8) & 0xFF;
5506  inp[2] = (prefix >> 16) & 0xFF;
5507  inp[3] = (prefix >> 24) & 0xFF;
5508  secp256k1_sha256_initialize(&acc);
5509  secp256k1_scalar_set_int(&x, 0);
5510  test_ecmult_accumulate(&acc, &x, scratch);
5511  secp256k1_scalar_set_int(&x, 1);
5512  test_ecmult_accumulate(&acc, &x, scratch);
5513  secp256k1_scalar_negate(&x, &x);
5514  test_ecmult_accumulate(&acc, &x, scratch);
5515 
5516  for (i = 0; i < iter; ++i) {
5517  secp256k1_sha256 gen;
5518  inp[4] = i & 0xff;
5519  inp[5] = (i >> 8) & 0xff;
5520  secp256k1_sha256_initialize(&gen);
5521  secp256k1_sha256_write(&gen, inp, sizeof(inp));
5522  secp256k1_sha256_finalize(&gen, b32);
5523  secp256k1_scalar_set_b32(&x, b32, NULL);
5524  test_ecmult_accumulate(&acc, &x, scratch);
5525  }
5526  secp256k1_sha256_finalize(&acc, b32);
5527  CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5528 
5529  secp256k1_scratch_space_destroy(CTX, scratch);
5530 }
5531 
5532 static void run_ecmult_constants(void) {
5533  /* Expected hashes of all points in the tests below. Computed using an
5534  * independent implementation. */
5535  static const unsigned char expected32_6bit20[32] = {
5536  0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5537  0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5538  0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5539  0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5540  };
5541  static const unsigned char expected32_8bit8[32] = {
5542  0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5543  0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5544  0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5545  0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5546  };
5547  /* For every combination of 6 bit positions out of 256, restricted to
5548  * 20-bit windows (i.e., the first and last bit position are no more than
5549  * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5550  * this test. */
5551  CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5552  test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5553  }
5554 
5555  /* For every combination of 8 consecutive bit positions, all 256 bit
5556  * patterns occur in the input scalars used in this test. */
5557  CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5558  test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5559  }
5560 
5561  CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5562  test_ecmult_constants_2bit();
5563  }
5564 }
5565 
5566 static void test_ecmult_gen_blind(void) {
5567  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5568  secp256k1_scalar key;
5569  secp256k1_scalar b;
5570  unsigned char seed32[32];
5571  secp256k1_gej pgej;
5572  secp256k1_gej pgej2;
5573  secp256k1_gej i;
5574  secp256k1_ge pge;
5575  random_scalar_order_test(&key);
5576  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key);
5577  secp256k1_testrand256(seed32);
5578  b = CTX->ecmult_gen_ctx.blind;
5579  i = CTX->ecmult_gen_ctx.initial;
5580  secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, seed32);
5581  CHECK(!secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind));
5582  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key);
5583  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5584  CHECK(!gej_xyz_equals_gej(&i, &CTX->ecmult_gen_ctx.initial));
5585  secp256k1_ge_set_gej(&pge, &pgej);
5586  CHECK(secp256k1_gej_eq_ge_var(&pgej2, &pge));
5587 }
5588 
5589 static void test_ecmult_gen_blind_reset(void) {
5590  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5591  secp256k1_scalar b;
5592  secp256k1_gej initial;
5593  secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0);
5594  b = CTX->ecmult_gen_ctx.blind;
5595  initial = CTX->ecmult_gen_ctx.initial;
5596  secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0);
5597  CHECK(secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind));
5598  CHECK(gej_xyz_equals_gej(&initial, &CTX->ecmult_gen_ctx.initial));
5599 }
5600 
5601 static void run_ecmult_gen_blind(void) {
5602  int i;
5603  test_ecmult_gen_blind_reset();
5604  for (i = 0; i < 10; i++) {
5605  test_ecmult_gen_blind();
5606  }
5607 }
5608 
5609 /***** ENDOMORPHISH TESTS *****/
5610 static void test_scalar_split(const secp256k1_scalar* full) {
5611  secp256k1_scalar s, s1, slam;
5612  const unsigned char zero[32] = {0};
5613  unsigned char tmp[32];
5614 
5615  secp256k1_scalar_split_lambda(&s1, &slam, full);
5616 
5617  /* check slam*lambda + s1 == full */
5618  secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
5619  secp256k1_scalar_add(&s, &s, &s1);
5620  CHECK(secp256k1_scalar_eq(&s, full));
5621 
5622  /* check that both are <= 128 bits in size */
5623  if (secp256k1_scalar_is_high(&s1)) {
5624  secp256k1_scalar_negate(&s1, &s1);
5625  }
5626  if (secp256k1_scalar_is_high(&slam)) {
5627  secp256k1_scalar_negate(&slam, &slam);
5628  }
5629 
5630  secp256k1_scalar_get_b32(tmp, &s1);
5631  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5632  secp256k1_scalar_get_b32(tmp, &slam);
5633  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5634 }
5635 
5636 
5637 static void run_endomorphism_tests(void) {
5638  unsigned i;
5639  static secp256k1_scalar s;
5640  test_scalar_split(&secp256k1_scalar_zero);
5641  test_scalar_split(&secp256k1_scalar_one);
5642  secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
5643  test_scalar_split(&s);
5644  test_scalar_split(&secp256k1_const_lambda);
5645  secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
5646  test_scalar_split(&s);
5647 
5648  for (i = 0; i < 100U * COUNT; ++i) {
5649  secp256k1_scalar full;
5650  random_scalar_order_test(&full);
5651  test_scalar_split(&full);
5652  }
5653  for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5654  test_scalar_split(&scalars_near_split_bounds[i]);
5655  }
5656 }
5657 
5658 static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5659  unsigned char pubkeyc[65];
5660  secp256k1_pubkey pubkey;
5661  secp256k1_ge ge;
5662  size_t pubkeyclen;
5663 
5664  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5665  /* Smaller sizes are tested exhaustively elsewhere. */
5666  int32_t i;
5667  memcpy(&pubkeyc[1], input, 64);
5668  SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5669  for (i = 0; i < 256; i++) {
5670  /* Try all type bytes. */
5671  int xpass;
5672  int ypass;
5673  int ysign;
5674  pubkeyc[0] = i;
5675  /* What sign does this point have? */
5676  ysign = (input[63] & 1) + 2;
5677  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5678  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5679  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5680  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5681  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5682  if (xpass || ypass) {
5683  /* These cases must parse. */
5684  unsigned char pubkeyo[65];
5685  size_t outl;
5686  memset(&pubkey, 0, sizeof(pubkey));
5687  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5688  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
5689  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5690  outl = 65;
5691  SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5692  CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5693  SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5694  CHECK(outl == 33);
5695  CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5696  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5697  if (ypass) {
5698  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5699  CHECK(pubkeyo[0] == ysign);
5700  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5701  memset(&pubkey, 0, sizeof(pubkey));
5702  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5703  secp256k1_pubkey_save(&pubkey, &ge);
5704  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5705  outl = 65;
5706  SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5707  CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5708  SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5709  CHECK(outl == 65);
5710  CHECK(pubkeyo[0] == 4);
5711  CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5712  }
5713  } else {
5714  /* These cases must fail to parse. */
5715  memset(&pubkey, 0xfe, sizeof(pubkey));
5716  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5717  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5718  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5719  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5720  }
5721  }
5722  }
5723 }
5724 
5725 static void run_ec_pubkey_parse_test(void) {
5726 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
5727  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5728  {
5729  /* Point with leading and trailing zeros in x and y serialization. */
5730  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5731  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5732  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5733  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5734  },
5735  {
5736  /* Point with x equal to a 3rd root of unity.*/
5737  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5738  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5739  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5740  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5741  },
5742  {
5743  /* Point with largest x. (1/2) */
5744  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5745  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5746  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5747  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5748  },
5749  {
5750  /* Point with largest x. (2/2) */
5751  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5752  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5753  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5754  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5755  },
5756  {
5757  /* Point with smallest x. (1/2) */
5758  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5759  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5760  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5761  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5762  },
5763  {
5764  /* Point with smallest x. (2/2) */
5765  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5766  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5767  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5768  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5769  },
5770  {
5771  /* Point with largest y. (1/3) */
5772  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5773  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5774  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5775  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5776  },
5777  {
5778  /* Point with largest y. (2/3) */
5779  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5780  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5781  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5782  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5783  },
5784  {
5785  /* Point with largest y. (3/3) */
5786  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5787  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5788  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5789  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5790  },
5791  {
5792  /* Point with smallest y. (1/3) */
5793  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5794  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5795  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5796  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5797  },
5798  {
5799  /* Point with smallest y. (2/3) */
5800  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5801  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5802  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5803  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5804  },
5805  {
5806  /* Point with smallest y. (3/3) */
5807  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5808  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5809  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5810  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5811  }
5812  };
5813 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5814  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5815  {
5816  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5817  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5818  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5819  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5820  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5821  },
5822  {
5823  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5824  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5825  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5826  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5827  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5828  },
5829  {
5830  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5831  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5832  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5833  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5834  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5835  },
5836  {
5837  /* x on curve, y is from y^2 = x^3 + 8. */
5838  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5839  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5840  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5841  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5842  }
5843  };
5844 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5845  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5846  {
5847  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5848  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5849  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5850  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5851  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5852  },
5853  {
5854  /* Valid if x overflow ignored (x = 1 mod p). */
5855  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5856  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5857  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5858  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5859  },
5860  {
5861  /* Valid if x overflow ignored (x = 1 mod p). */
5862  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5863  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5864  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5865  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5866  },
5867  {
5868  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5869  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5870  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5871  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5872  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5873  },
5874  {
5875  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5876  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5877  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5878  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5879  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5880  },
5881  {
5882  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5883  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5884  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5885  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5886  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5887  },
5888  {
5889  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5890  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5891  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5892  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5893  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5894  }
5895  };
5896  const unsigned char pubkeyc[66] = {
5897  /* Serialization of G. */
5898  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5899  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5900  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5901  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5902  0xB8, 0x00
5903  };
5904  unsigned char sout[65];
5905  unsigned char shortkey[2] = { 0 };
5906  secp256k1_ge ge;
5907  secp256k1_pubkey pubkey;
5908  size_t len;
5909  int32_t i;
5910 
5911  /* Nothing should be reading this far into pubkeyc. */
5912  SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
5913  /* Zero length claimed, fail, zeroize, no illegal arg error. */
5914  memset(&pubkey, 0xfe, sizeof(pubkey));
5915  SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
5916  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5917  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
5918  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5919  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5920  /* Length one claimed, fail, zeroize, no illegal arg error. */
5921  for (i = 0; i < 256 ; i++) {
5922  memset(&pubkey, 0xfe, sizeof(pubkey));
5923  shortkey[0] = i;
5924  SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
5925  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5926  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
5927  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5928  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5929  }
5930  /* Length two claimed, fail, zeroize, no illegal arg error. */
5931  for (i = 0; i < 65536 ; i++) {
5932  memset(&pubkey, 0xfe, sizeof(pubkey));
5933  shortkey[0] = i & 255;
5934  shortkey[1] = i >> 8;
5935  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5936  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
5937  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5938  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5939  }
5940  memset(&pubkey, 0xfe, sizeof(pubkey));
5941  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5942  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5943  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
5944  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5945  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5946  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5947  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65));
5948  /* NULL input string. Illegal arg and zeroize output. */
5949  memset(&pubkey, 0xfe, sizeof(pubkey));
5950  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5951  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65));
5952  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5953  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5954  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5955  memset(&pubkey, 0xfe, sizeof(pubkey));
5956  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5957  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
5958  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5959  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5960  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
5961  memset(&pubkey, 0xfe, sizeof(pubkey));
5962  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5963  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
5964  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5965  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5966  /* Valid parse. */
5967  memset(&pubkey, 0, sizeof(pubkey));
5968  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5969  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
5970  CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
5971  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5972  SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
5973  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5974  SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
5975  SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
5976  SECP256K1_CHECKMEM_CHECK(&ge.infinity, sizeof(ge.infinity));
5977  CHECK(secp256k1_ge_eq_var(&ge, &secp256k1_ge_const_g));
5978  /* secp256k1_ec_pubkey_serialize illegal args. */
5979  len = 65;
5980  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED));
5981  CHECK(len == 0);
5982  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED));
5983  len = 65;
5984  SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
5985  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED));
5986  SECP256K1_CHECKMEM_CHECK(sout, 65);
5987  CHECK(len == 0);
5988  len = 65;
5989  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0));
5990  CHECK(len == 0);
5991  len = 65;
5992  SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
5993  CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5994  SECP256K1_CHECKMEM_CHECK(sout, 65);
5995  CHECK(len == 65);
5996  /* Multiple illegal args. Should still set arg error only once. */
5997  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65));
5998  /* Try a bunch of prefabbed points with all possible encodings. */
5999  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
6000  ec_pubkey_parse_pointtest(valid[i], 1, 1);
6001  }
6002  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
6003  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
6004  }
6005  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
6006  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
6007  }
6008 }
6009 
6010 static void run_eckey_edge_case_test(void) {
6011  const unsigned char orderc[32] = {
6012  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6013  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6014  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6015  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
6016  };
6017  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6018  unsigned char ctmp[33];
6019  unsigned char ctmp2[33];
6020  secp256k1_pubkey pubkey;
6021  secp256k1_pubkey pubkey2;
6022  secp256k1_pubkey pubkey_one;
6023  secp256k1_pubkey pubkey_negone;
6024  const secp256k1_pubkey *pubkeys[3];
6025  size_t len;
6026  /* Group order is too large, reject. */
6027  CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6028  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6029  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6030  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6031  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6032  /* Maximum value is too large, reject. */
6033  memset(ctmp, 255, 32);
6034  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6035  memset(&pubkey, 1, sizeof(pubkey));
6036  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6037  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6038  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6039  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6040  /* Zero is too small, reject. */
6041  memset(ctmp, 0, 32);
6042  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6043  memset(&pubkey, 1, sizeof(pubkey));
6044  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6045  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6046  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6047  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6048  /* One must be accepted. */
6049  ctmp[31] = 0x01;
6050  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6051  memset(&pubkey, 0, sizeof(pubkey));
6052  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6053  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6054  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6055  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6056  pubkey_one = pubkey;
6057  /* Group order + 1 is too large, reject. */
6058  memcpy(ctmp, orderc, 32);
6059  ctmp[31] = 0x42;
6060  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6061  memset(&pubkey, 1, sizeof(pubkey));
6062  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6063  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6064  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6065  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6066  /* -1 must be accepted. */
6067  ctmp[31] = 0x40;
6068  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6069  memset(&pubkey, 0, sizeof(pubkey));
6070  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6071  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6072  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6073  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6074  pubkey_negone = pubkey;
6075  /* Tweak of zero leaves the value unchanged. */
6076  memset(ctmp2, 0, 32);
6077  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6078  CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6079  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6080  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6081  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6082  /* Multiply tweak of zero zeroizes the output. */
6083  CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6084  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6085  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6086  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6087  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6088  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6089  seckey, the seckey is zeroized. */
6090  memcpy(ctmp, orderc, 32);
6091  memset(ctmp2, 0, 32);
6092  ctmp2[31] = 0x01;
6093  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6094  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6095  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6096  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6097  memcpy(ctmp, orderc, 32);
6098  CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6099  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6100  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6101  tweak, the seckey is zeroized. */
6102  memcpy(ctmp, orderc, 32);
6103  ctmp[31] = 0x40;
6104  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6105  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6106  memcpy(ctmp, orderc, 32);
6107  ctmp[31] = 0x40;
6108  CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6109  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6110  memcpy(ctmp, orderc, 32);
6111  ctmp[31] = 0x40;
6112  /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6113  tweak, the pubkey is zeroized. */
6114  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6115  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6116  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6117  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6118  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6119  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6120  /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6121  * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6122  * case the pubkey is zeroized. */
6123  memcpy(ctmp, orderc, 32);
6124  ctmp[31] = 0x40;
6125  memset(ctmp2, 0, 32);
6126  ctmp2[31] = 1;
6127  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6128  CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6129  ctmp2[31] = 1;
6130  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6131  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6132  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6133  /* Tweak computation wraps and results in a key of 1. */
6134  ctmp2[31] = 2;
6135  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6136  CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6137  ctmp2[31] = 2;
6138  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6139  ctmp2[31] = 1;
6140  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6141  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6142  /* Tweak mul * 2 = 1+1. */
6143  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6144  ctmp2[31] = 2;
6145  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6146  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6147  /* Zeroize pubkey on parse error. */
6148  memset(&pubkey, 0, 32);
6149  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2));
6150  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6151  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6152  memset(&pubkey2, 0, 32);
6153  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2));
6154  CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6155  /* Plain argument errors. */
6156  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6157  CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_verify(CTX, NULL));
6158  memset(ctmp2, 0, 32);
6159  ctmp2[31] = 4;
6160  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, NULL, ctmp2));
6161  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, NULL));
6162  memset(ctmp2, 0, 32);
6163  ctmp2[31] = 4;
6164  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, NULL, ctmp2));
6165  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, NULL));
6166  memset(ctmp2, 0, 32);
6167  CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_add(CTX, NULL, ctmp2));
6168  CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_add(CTX, ctmp, NULL));
6169  memset(ctmp2, 0, 32);
6170  ctmp2[31] = 1;
6171  CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_mul(CTX, NULL, ctmp2));
6172  CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_mul(CTX, ctmp, NULL));
6173  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, NULL, ctmp));
6174  memset(&pubkey, 1, sizeof(pubkey));
6175  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL));
6176  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6177  /* secp256k1_ec_pubkey_combine tests. */
6178  pubkeys[0] = &pubkey_one;
6179  SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6180  SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6181  SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6182  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6183  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6184  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0));
6185  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6186  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6187  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1));
6188  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6189  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6190  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6191  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1));
6192  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6193  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6194  pubkeys[0] = &pubkey_negone;
6195  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6196  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6197  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6198  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6199  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6200  len = 33;
6201  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6202  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6203  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6204  /* Result is infinity. */
6205  pubkeys[0] = &pubkey_one;
6206  pubkeys[1] = &pubkey_negone;
6207  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6208  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6209  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6210  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6211  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6212  /* Passes through infinity but comes out one. */
6213  pubkeys[2] = &pubkey_one;
6214  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6215  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6216  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6217  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6218  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6219  len = 33;
6220  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6221  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6222  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6223  /* Adds to two. */
6224  pubkeys[1] = &pubkey_one;
6225  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6226  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6227  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6228  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6229  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6230 }
6231 
6232 static void run_eckey_negate_test(void) {
6233  unsigned char seckey[32];
6234  unsigned char seckey_tmp[32];
6235 
6236  random_scalar_order_b32(seckey);
6237  memcpy(seckey_tmp, seckey, 32);
6238 
6239  /* Verify negation changes the key and changes it back */
6240  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6241  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6242  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6243  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6244 
6245  /* Check that privkey alias gives same result */
6246  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6247  CHECK(secp256k1_ec_privkey_negate(CTX, seckey_tmp) == 1);
6248  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6249 
6250  /* Negating all 0s fails */
6251  memset(seckey, 0, 32);
6252  memset(seckey_tmp, 0, 32);
6253  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6254  /* Check that seckey is not modified */
6255  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6256 
6257  /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6258  * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6259  * doesn't just set seckey to a constant value in case of failure. */
6260  random_scalar_order_b32(seckey);
6261  memset(seckey, 0xFF, 16);
6262  memset(seckey_tmp, 0, 32);
6263  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6264  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6265 }
6266 
6267 static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6268  secp256k1_scalar nonce;
6269  do {
6270  random_scalar_order_test(&nonce);
6271  } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6272 }
6273 
6274 static void test_ecdsa_sign_verify(void) {
6275  secp256k1_gej pubj;
6276  secp256k1_ge pub;
6277  secp256k1_scalar one;
6278  secp256k1_scalar msg, key;
6279  secp256k1_scalar sigr, sigs;
6280  int getrec;
6281  int recid;
6282  random_scalar_order_test(&msg);
6283  random_scalar_order_test(&key);
6284  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key);
6285  secp256k1_ge_set_gej(&pub, &pubj);
6286  getrec = secp256k1_testrand_bits(1);
6287  /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6288  See the commit messages of the commit that introduced this comment for details. */
6289  if (getrec) {
6290  random_sign(&sigr, &sigs, &key, &msg, &recid);
6291  CHECK(recid >= 0 && recid < 4);
6292  } else {
6293  random_sign(&sigr, &sigs, &key, &msg, NULL);
6294  }
6295  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6296  secp256k1_scalar_set_int(&one, 1);
6297  secp256k1_scalar_add(&msg, &msg, &one);
6298  CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6299 }
6300 
6301 static void run_ecdsa_sign_verify(void) {
6302  int i;
6303  for (i = 0; i < 10*COUNT; i++) {
6304  test_ecdsa_sign_verify();
6305  }
6306 }
6307 
6309 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6310  (void)msg32;
6311  (void)key32;
6312  (void)algo16;
6313  memcpy(nonce32, data, 32);
6314  return (counter == 0);
6315 }
6316 
6317 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6318  /* Dummy nonce generator that has a fatal error on the first counter value. */
6319  if (counter == 0) {
6320  return 0;
6321  }
6322  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6323 }
6324 
6325 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6326  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6327  if (counter < 3) {
6328  memset(nonce32, counter==0 ? 0 : 255, 32);
6329  if (counter == 2) {
6330  nonce32[31]--;
6331  }
6332  return 1;
6333  }
6334  if (counter < 5) {
6335  static const unsigned char order[] = {
6336  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6337  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6338  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6339  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
6340  };
6341  memcpy(nonce32, order, 32);
6342  if (counter == 4) {
6343  nonce32[31]++;
6344  }
6345  return 1;
6346  }
6347  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6348  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6349  if (counter > 5) {
6350  return 0;
6351  }
6352  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6353 }
6354 
6355 static int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
6356  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6357  return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6358 }
6359 
6360 static void test_ecdsa_end_to_end(void) {
6361  unsigned char extra[32] = {0x00};
6362  unsigned char privkey[32];
6363  unsigned char message[32];
6364  unsigned char privkey2[32];
6365  secp256k1_ecdsa_signature signature[6];
6366  secp256k1_scalar r, s;
6367  unsigned char sig[74];
6368  size_t siglen = 74;
6369  unsigned char pubkeyc[65];
6370  size_t pubkeyclen = 65;
6371  secp256k1_pubkey pubkey;
6372  secp256k1_pubkey pubkey_tmp;
6373  unsigned char seckey[300];
6374  size_t seckeylen = 300;
6375 
6376  /* Generate a random key and message. */
6377  {
6378  secp256k1_scalar msg, key;
6379  random_scalar_order_test(&msg);
6380  random_scalar_order_test(&key);
6381  secp256k1_scalar_get_b32(privkey, &key);
6382  secp256k1_scalar_get_b32(message, &msg);
6383  }
6384 
6385  /* Construct and verify corresponding public key. */
6386  CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
6387  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
6388 
6389  /* Verify exporting and importing public key. */
6390  CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
6391  memset(&pubkey, 0, sizeof(pubkey));
6392  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
6393 
6394  /* Verify negation changes the key and changes it back */
6395  memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6396  CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6397  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6398  CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6399  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6400 
6401  /* Verify private key import and export. */
6402  CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
6403  CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
6404  CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6405 
6406  /* Optionally tweak the keys using addition. */
6407  if (secp256k1_testrand_int(3) == 0) {
6408  int ret1;
6409  int ret2;
6410  int ret3;
6411  unsigned char rnd[32];
6412  unsigned char privkey_tmp[32];
6413  secp256k1_pubkey pubkey2;
6414  secp256k1_testrand256_test(rnd);
6415  memcpy(privkey_tmp, privkey, 32);
6416  ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
6417  ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
6418  /* Check that privkey alias gives same result */
6419  ret3 = secp256k1_ec_privkey_tweak_add(CTX, privkey_tmp, rnd);
6420  CHECK(ret1 == ret2);
6421  CHECK(ret2 == ret3);
6422  if (ret1 == 0) {
6423  return;
6424  }
6425  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6426  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6427  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6428  }
6429 
6430  /* Optionally tweak the keys using multiplication. */
6431  if (secp256k1_testrand_int(3) == 0) {
6432  int ret1;
6433  int ret2;
6434  int ret3;
6435  unsigned char rnd[32];
6436  unsigned char privkey_tmp[32];
6437  secp256k1_pubkey pubkey2;
6438  secp256k1_testrand256_test(rnd);
6439  memcpy(privkey_tmp, privkey, 32);
6440  ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
6441  ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
6442  /* Check that privkey alias gives same result */
6443  ret3 = secp256k1_ec_privkey_tweak_mul(CTX, privkey_tmp, rnd);
6444  CHECK(ret1 == ret2);
6445  CHECK(ret2 == ret3);
6446  if (ret1 == 0) {
6447  return;
6448  }
6449  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6450  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6451  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6452  }
6453 
6454  /* Sign. */
6455  CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
6456  CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
6457  CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
6458  extra[31] = 1;
6459  CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
6460  extra[31] = 0;
6461  extra[0] = 1;
6462  CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
6463  CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6464  CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6465  CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6466  CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6467  CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6468  CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6469  CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6470  /* Verify. */
6471  CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6472  CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
6473  CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
6474  CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
6475  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6476  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
6477  secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
6478  secp256k1_scalar_negate(&s, &s);
6479  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6480  CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
6481  CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6482  CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6483  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6484  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6485  CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6486  secp256k1_scalar_negate(&s, &s);
6487  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6488  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6489  CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6490  CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6491 
6492  /* Serialize/parse DER and verify again */
6493  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6494  memset(&signature[0], 0, sizeof(signature[0]));
6495  CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
6496  CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6497  /* Serialize/destroy/parse DER and verify again. */
6498  siglen = 74;
6499  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6500  sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
6501  CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
6502  secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
6503 }
6504 
6505 static void test_random_pubkeys(void) {
6506  secp256k1_ge elem;
6507  secp256k1_ge elem2;
6508  unsigned char in[65];
6509  /* Generate some randomly sized pubkeys. */
6510  size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
6511  if (secp256k1_testrand_bits(2) == 0) {
6512  len = secp256k1_testrand_bits(6);
6513  }
6514  if (len == 65) {
6515  in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
6516  } else {
6517  in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
6518  }
6519  if (secp256k1_testrand_bits(3) == 0) {
6520  in[0] = secp256k1_testrand_bits(8);
6521  }
6522  if (len > 1) {
6523  secp256k1_testrand256(&in[1]);
6524  }
6525  if (len > 33) {
6526  secp256k1_testrand256(&in[33]);
6527  }
6528  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6529  unsigned char out[65];
6530  unsigned char firstb;
6531  int res;
6532  size_t size = len;
6533  firstb = in[0];
6534  /* If the pubkey can be parsed, it should round-trip... */
6535  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6536  CHECK(size == len);
6537  CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6538  /* ... except for the type of hybrid inputs. */
6539  if ((in[0] != 6) && (in[0] != 7)) {
6540  CHECK(in[0] == out[0]);
6541  }
6542  size = 65;
6543  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6544  CHECK(size == 65);
6545  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6546  CHECK(secp256k1_ge_eq_var(&elem2, &elem));
6547  /* Check that the X9.62 hybrid type is checked. */
6548  in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
6549  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6550  if (firstb == 2 || firstb == 3) {
6551  if (in[0] == firstb + 4) {
6552  CHECK(res);
6553  } else {
6554  CHECK(!res);
6555  }
6556  }
6557  if (res) {
6558  CHECK(secp256k1_ge_eq_var(&elem, &elem2));
6559  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6560  CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6561  }
6562  }
6563 }
6564 
6565 static void run_pubkey_comparison(void) {
6566  unsigned char pk1_ser[33] = {
6567  0x02,
6568  0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6569  0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6570  };
6571  const unsigned char pk2_ser[33] = {
6572  0x02,
6573  0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6574  0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6575  };
6576  secp256k1_pubkey pk1;
6577  secp256k1_pubkey pk2;
6578 
6579  CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6580  CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6581 
6582  CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, NULL, &pk2) < 0));
6583  CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, NULL) > 0));
6584  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6585  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6586  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
6587  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
6588  {
6589  secp256k1_pubkey pk_tmp;
6590  memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6591  CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk2) < 0));
6592  {
6593  int32_t ecount = 0;
6594  secp256k1_context_set_illegal_callback(CTX, counting_callback_fn, &ecount);
6595  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
6596  CHECK(ecount == 2);
6597  secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6598  }
6599  CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk_tmp) > 0));
6600  }
6601 
6602  /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6603  * an uncompressed encoding, these would have the opposite ordering */
6604  pk1_ser[0] = 3;
6605  CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6606  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6607  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6608 }
6609 
6610 static void run_random_pubkeys(void) {
6611  int i;
6612  for (i = 0; i < 10*COUNT; i++) {
6613  test_random_pubkeys();
6614  }
6615 }
6616 
6617 static void run_ecdsa_end_to_end(void) {
6618  int i;
6619  for (i = 0; i < 64*COUNT; i++) {
6620  test_ecdsa_end_to_end();
6621  }
6622 }
6623 
6624 static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6625  static const unsigned char zeroes[32] = {0};
6626 
6627  int ret = 0;
6628 
6629  secp256k1_ecdsa_signature sig_der;
6630  unsigned char roundtrip_der[2048];
6631  unsigned char compact_der[64];
6632  size_t len_der = 2048;
6633  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6634 
6635  secp256k1_ecdsa_signature sig_der_lax;
6636  unsigned char roundtrip_der_lax[2048];
6637  unsigned char compact_der_lax[64];
6638  size_t len_der_lax = 2048;
6639  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6640 
6641  parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
6642  if (parsed_der) {
6643  ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
6644  valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6645  }
6646  if (valid_der) {
6647  ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
6648  roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6649  }
6650 
6651  parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
6652  if (parsed_der_lax) {
6653  ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
6654  valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6655  }
6656  if (valid_der_lax) {
6657  ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6658  roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6659  }
6660 
6661  if (certainly_der) {
6662  ret |= (!parsed_der) << 2;
6663  }
6664  if (certainly_not_der) {
6665  ret |= (parsed_der) << 17;
6666  }
6667  if (valid_der) {
6668  ret |= (!roundtrips_der) << 3;
6669  }
6670 
6671  if (valid_der) {
6672  ret |= (!roundtrips_der_lax) << 12;
6673  ret |= (len_der != len_der_lax) << 13;
6674  ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6675  }
6676  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6677  if (parsed_der) {
6678  ret |= (!parsed_der_lax) << 16;
6679  }
6680 
6681  return ret;
6682 }
6683 
6684 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6685  size_t i;
6686  for (i = 0; i < ptrlen; i++) {
6687  int shift = ptrlen - 1 - i;
6688  if (shift >= 4) {
6689  ptr[i] = 0;
6690  } else {
6691  ptr[i] = (val >> shift) & 0xFF;
6692  }
6693  }
6694 }
6695 
6696 static void damage_array(unsigned char *sig, size_t *len) {
6697  int pos;
6698  int action = secp256k1_testrand_bits(3);
6699  if (action < 1 && *len > 3) {
6700  /* Delete a byte. */
6701  pos = secp256k1_testrand_int(*len);
6702  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6703  (*len)--;
6704  return;
6705  } else if (action < 2 && *len < 2048) {
6706  /* Insert a byte. */
6707  pos = secp256k1_testrand_int(1 + *len);
6708  memmove(sig + pos + 1, sig + pos, *len - pos);
6709  sig[pos] = secp256k1_testrand_bits(8);
6710  (*len)++;
6711  return;
6712  } else if (action < 4) {
6713  /* Modify a byte. */
6714  sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
6715  return;
6716  } else { /* action < 8 */
6717  /* Modify a bit. */
6718  sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
6719  return;
6720  }
6721 }
6722 
6723 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6724  int der;
6725  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6726  size_t tlen, elen, glen;
6727  int indet;
6728  int n;
6729 
6730  *len = 0;
6731  der = secp256k1_testrand_bits(2) == 0;
6732  *certainly_der = der;
6733  *certainly_not_der = 0;
6734  indet = der ? 0 : secp256k1_testrand_int(10) == 0;
6735 
6736  for (n = 0; n < 2; n++) {
6737  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6738  nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
6739  /* The length of the number in bytes (the first byte of which will always be nonzero) */
6740  nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
6741  CHECK(nlen[n] <= 232);
6742  /* The top bit of the number. */
6743  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
6744  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6745  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
6746  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6747  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
6748  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6749  *certainly_not_der = 1;
6750  }
6751  CHECK(nlen[n] + nzlen[n] <= 300);
6752  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6753  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6754  if (!der) {
6755  /* nlenlen[n] max 127 bytes */
6756  int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6757  nlenlen[n] += add;
6758  if (add != 0) {
6759  *certainly_not_der = 1;
6760  }
6761  }
6762  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6763  }
6764 
6765  /* The total length of the data to go, so far */
6766  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6767  CHECK(tlen <= 856);
6768 
6769  /* The length of the garbage inside the tuple. */
6770  elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
6771  if (elen != 0) {
6772  *certainly_not_der = 1;
6773  }
6774  tlen += elen;
6775  CHECK(tlen <= 980);
6776 
6777  /* The length of the garbage after the end of the tuple. */
6778  glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
6779  if (glen != 0) {
6780  *certainly_not_der = 1;
6781  }
6782  CHECK(tlen + glen <= 990);
6783 
6784  /* Write the tuple header. */
6785  sig[(*len)++] = 0x30;
6786  if (indet) {
6787  /* Indeterminate length */
6788  sig[(*len)++] = 0x80;
6789  *certainly_not_der = 1;
6790  } else {
6791  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6792  if (!der) {
6793  int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6794  tlenlen += add;
6795  if (add != 0) {
6796  *certainly_not_der = 1;
6797  }
6798  }
6799  if (tlenlen == 0) {
6800  /* Short length notation */
6801  sig[(*len)++] = tlen;
6802  } else {
6803  /* Long length notation */
6804  sig[(*len)++] = 128 + tlenlen;
6805  assign_big_endian(sig + *len, tlenlen, tlen);
6806  *len += tlenlen;
6807  }
6808  tlen += tlenlen;
6809  }
6810  tlen += 2;
6811  CHECK(tlen + glen <= 1119);
6812 
6813  for (n = 0; n < 2; n++) {
6814  /* Write the integer header. */
6815  sig[(*len)++] = 0x02;
6816  if (nlenlen[n] == 0) {
6817  /* Short length notation */
6818  sig[(*len)++] = nlen[n] + nzlen[n];
6819  } else {
6820  /* Long length notation. */
6821  sig[(*len)++] = 128 + nlenlen[n];
6822  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6823  *len += nlenlen[n];
6824  }
6825  /* Write zero padding */
6826  while (nzlen[n] > 0) {
6827  sig[(*len)++] = 0x00;
6828  nzlen[n]--;
6829  }
6830  if (nlen[n] == 32 && !nlow[n]) {
6831  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6832  int i;
6833  for (i = 0; i < 16; i++) {
6834  sig[(*len)++] = 0xFF;
6835  }
6836  nlen[n] -= 16;
6837  }
6838  /* Write first byte of number */
6839  if (nlen[n] > 0) {
6840  sig[(*len)++] = nhbyte[n];
6841  nlen[n]--;
6842  }
6843  /* Generate remaining random bytes of number */
6844  secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
6845  *len += nlen[n];
6846  nlen[n] = 0;
6847  }
6848 
6849  /* Generate random garbage inside tuple. */
6850  secp256k1_testrand_bytes_test(sig + *len, elen);
6851  *len += elen;
6852 
6853  /* Generate end-of-contents bytes. */
6854  if (indet) {
6855  sig[(*len)++] = 0;
6856  sig[(*len)++] = 0;
6857  tlen += 2;
6858  }
6859  CHECK(tlen + glen <= 1121);
6860 
6861  /* Generate random garbage outside tuple. */
6862  secp256k1_testrand_bytes_test(sig + *len, glen);
6863  *len += glen;
6864  tlen += glen;
6865  CHECK(tlen <= 1121);
6866  CHECK(tlen == *len);
6867 }
6868 
6869 static void run_ecdsa_der_parse(void) {
6870  int i,j;
6871  for (i = 0; i < 200 * COUNT; i++) {
6872  unsigned char buffer[2048];
6873  size_t buflen = 0;
6874  int certainly_der = 0;
6875  int certainly_not_der = 0;
6876  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
6877  CHECK(buflen <= 2048);
6878  for (j = 0; j < 16; j++) {
6879  int ret = 0;
6880  if (j > 0) {
6881  damage_array(buffer, &buflen);
6882  /* We don't know anything anymore about the DERness of the result */
6883  certainly_der = 0;
6884  certainly_not_der = 0;
6885  }
6886  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
6887  if (ret != 0) {
6888  size_t k;
6889  fprintf(stderr, "Failure %x on ", ret);
6890  for (k = 0; k < buflen; k++) {
6891  fprintf(stderr, "%02x ", buffer[k]);
6892  }
6893  fprintf(stderr, "\n");
6894  }
6895  CHECK(ret == 0);
6896  }
6897  }
6898 }
6899 
6900 /* Tests several edge cases. */
6901 static void test_ecdsa_edge_cases(void) {
6902  int t;
6903  secp256k1_ecdsa_signature sig;
6904 
6905  /* Test the case where ECDSA recomputes a point that is infinity. */
6906  {
6907  secp256k1_gej keyj;
6908  secp256k1_ge key;
6909  secp256k1_scalar msg;
6910  secp256k1_scalar sr, ss;
6911  secp256k1_scalar_set_int(&ss, 1);
6912  secp256k1_scalar_negate(&ss, &ss);
6913  secp256k1_scalar_inverse(&ss, &ss);
6914  secp256k1_scalar_set_int(&sr, 1);
6915  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &keyj, &sr);
6916  secp256k1_ge_set_gej(&key, &keyj);
6917  msg = ss;
6918  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6919  }
6920 
6921  /* Verify signature with r of zero fails. */
6922  {
6923  const unsigned char pubkey_mods_zero[33] = {
6924  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6925  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6926  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6927  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6928  0x41
6929  };
6930  secp256k1_ge key;
6931  secp256k1_scalar msg;
6932  secp256k1_scalar sr, ss;
6933  secp256k1_scalar_set_int(&ss, 1);
6934  secp256k1_scalar_set_int(&msg, 0);
6935  secp256k1_scalar_set_int(&sr, 0);
6936  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
6937  CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
6938  }
6939 
6940  /* Verify signature with s of zero fails. */
6941  {
6942  const unsigned char pubkey[33] = {
6943  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6944  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6945  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6946  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6947  0x01
6948  };
6949  secp256k1_ge key;
6950  secp256k1_scalar msg;
6951  secp256k1_scalar sr, ss;
6952  secp256k1_scalar_set_int(&ss, 0);
6953  secp256k1_scalar_set_int(&msg, 0);
6954  secp256k1_scalar_set_int(&sr, 1);
6955  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6956  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6957  }
6958 
6959  /* Verify signature with message 0 passes. */
6960  {
6961  const unsigned char pubkey[33] = {
6962  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6963  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6964  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6965  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6966  0x02
6967  };
6968  const unsigned char pubkey2[33] = {
6969  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6970  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6971  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6972  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6973  0x43
6974  };
6975  secp256k1_ge key;
6976  secp256k1_ge key2;
6977  secp256k1_scalar msg;
6978  secp256k1_scalar sr, ss;
6979  secp256k1_scalar_set_int(&ss, 2);
6980  secp256k1_scalar_set_int(&msg, 0);
6981  secp256k1_scalar_set_int(&sr, 2);
6982  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6983  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
6984  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6985  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6986  secp256k1_scalar_negate(&ss, &ss);
6987  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6988  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6989  secp256k1_scalar_set_int(&ss, 1);
6990  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6991  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
6992  }
6993 
6994  /* Verify signature with message 1 passes. */
6995  {
6996  const unsigned char pubkey[33] = {
6997  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
6998  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
6999  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
7000  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
7001  0x25
7002  };
7003  const unsigned char pubkey2[33] = {
7004  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
7005  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
7006  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
7007  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
7008  0x62
7009  };
7010  const unsigned char csr[32] = {
7011  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7012  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7013  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7014  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
7015  };
7016  secp256k1_ge key;
7017  secp256k1_ge key2;
7018  secp256k1_scalar msg;
7019  secp256k1_scalar sr, ss;
7020  secp256k1_scalar_set_int(&ss, 1);
7021  secp256k1_scalar_set_int(&msg, 1);
7022  secp256k1_scalar_set_b32(&sr, csr, NULL);
7023  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7024  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7025  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7026  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7027  secp256k1_scalar_negate(&ss, &ss);
7028  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7029  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7030  secp256k1_scalar_set_int(&ss, 2);
7031  secp256k1_scalar_inverse_var(&ss, &ss);
7032  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7033  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7034  }
7035 
7036  /* Verify signature with message -1 passes. */
7037  {
7038  const unsigned char pubkey[33] = {
7039  0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
7040  0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
7041  0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
7042  0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
7043  0xf1
7044  };
7045  const unsigned char csr[32] = {
7046  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7047  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7048  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7049  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
7050  };
7051  secp256k1_ge key;
7052  secp256k1_scalar msg;
7053  secp256k1_scalar sr, ss;
7054  secp256k1_scalar_set_int(&ss, 1);
7055  secp256k1_scalar_set_int(&msg, 1);
7056  secp256k1_scalar_negate(&msg, &msg);
7057  secp256k1_scalar_set_b32(&sr, csr, NULL);
7058  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7059  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7060  secp256k1_scalar_negate(&ss, &ss);
7061  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7062  secp256k1_scalar_set_int(&ss, 3);
7063  secp256k1_scalar_inverse_var(&ss, &ss);
7064  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7065  }
7066 
7067  /* Signature where s would be zero. */
7068  {
7069  secp256k1_pubkey pubkey;
7070  size_t siglen;
7071  unsigned char signature[72];
7072  static const unsigned char nonce[32] = {
7073  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7074  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7075  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7076  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7077  };
7078  static const unsigned char nonce2[32] = {
7079  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
7080  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
7081  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
7082  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
7083  };
7084  const unsigned char key[32] = {
7085  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7086  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7087  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7088  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7089  };
7090  unsigned char msg[32] = {
7091  0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
7092  0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
7093  0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
7094  0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
7095  };
7096  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
7097  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
7098  msg[31] = 0xaa;
7099  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
7100  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, NULL, msg, key, precomputed_nonce_function, nonce2));
7101  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, &sig, NULL, key, precomputed_nonce_function, nonce2));
7102  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, &sig, msg, NULL, precomputed_nonce_function, nonce2));
7103  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
7104  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
7105  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey));
7106  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey));
7107  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, NULL));
7108  CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
7109  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL));
7110  /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7111  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey));
7112  siglen = 72;
7113  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, NULL, &siglen, &sig));
7114  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, NULL, &sig));
7115  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL));
7116  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
7117  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen));
7118  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, &sig, NULL, siglen));
7119  CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
7120  siglen = 10;
7121  /* Too little room for a signature does not fail via ARGCHECK. */
7122  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
7123  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_normalize(CTX, NULL, NULL));
7124  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_compact(CTX, NULL, &sig));
7125  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_compact(CTX, signature, NULL));
7126  CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, &sig) == 1);
7127  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_compact(CTX, NULL, signature));
7128  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_compact(CTX, &sig, NULL));
7129  CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1);
7130  memset(signature, 255, 64);
7131  CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0);
7132  }
7133 
7134  /* Nonce function corner cases. */
7135  for (t = 0; t < 2; t++) {
7136  static const unsigned char zero[32] = {0x00};
7137  int i;
7138  unsigned char key[32];
7139  unsigned char msg[32];
7140  secp256k1_ecdsa_signature sig2;
7141  secp256k1_scalar sr[512], ss;
7142  const unsigned char *extra;
7143  extra = t == 0 ? NULL : zero;
7144  memset(msg, 0, 32);
7145  msg[31] = 1;
7146  /* High key results in signature failure. */
7147  memset(key, 0xFF, 32);
7148  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7149  CHECK(is_empty_signature(&sig));
7150  /* Zero key results in signature failure. */
7151  memset(key, 0, 32);
7152  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7153  CHECK(is_empty_signature(&sig));
7154  /* Nonce function failure results in signature failure. */
7155  key[31] = 1;
7156  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7157  CHECK(is_empty_signature(&sig));
7158  /* The retry loop successfully makes its way to the first good value. */
7159  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7160  CHECK(!is_empty_signature(&sig));
7161  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7162  CHECK(!is_empty_signature(&sig2));
7163  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7164  /* The default nonce function is deterministic. */
7165  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7166  CHECK(!is_empty_signature(&sig2));
7167  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7168  /* The default nonce function changes output with different messages. */
7169  for(i = 0; i < 256; i++) {
7170  int j;
7171  msg[0] = i;
7172  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7173  CHECK(!is_empty_signature(&sig2));
7174  secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7175  for (j = 0; j < i; j++) {
7176  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7177  }
7178  }
7179  msg[0] = 0;
7180  msg[31] = 2;
7181  /* The default nonce function changes output with different keys. */
7182  for(i = 256; i < 512; i++) {
7183  int j;
7184  key[0] = i - 256;
7185  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7186  CHECK(!is_empty_signature(&sig2));
7187  secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7188  for (j = 0; j < i; j++) {
7189  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7190  }
7191  }
7192  key[0] = 0;
7193  }
7194 
7195  {
7196  /* Check that optional nonce arguments do not have equivalent effect. */
7197  const unsigned char zeros[32] = {0};
7198  unsigned char nonce[32];
7199  unsigned char nonce2[32];
7200  unsigned char nonce3[32];
7201  unsigned char nonce4[32];
7202  SECP256K1_CHECKMEM_UNDEFINE(nonce,32);
7203  SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
7204  SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
7205  SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
7206  CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7207  SECP256K1_CHECKMEM_CHECK(nonce,32);
7208  CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7209  SECP256K1_CHECKMEM_CHECK(nonce2,32);
7210  CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7211  SECP256K1_CHECKMEM_CHECK(nonce3,32);
7212  CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7213  SECP256K1_CHECKMEM_CHECK(nonce4,32);
7214  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7215  CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7216  CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7217  CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7218  CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7219  CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7220  }
7221 
7222 
7223  /* Privkey export where pubkey is the point at infinity. */
7224  {
7225  unsigned char privkey[300];
7226  unsigned char seckey[32] = {
7227  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7228  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
7229  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
7230  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
7231  };
7232  size_t outlen = 300;
7233  CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
7234  outlen = 300;
7235  CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
7236  }
7237 }
7238 
7239 static void run_ecdsa_edge_cases(void) {
7240  test_ecdsa_edge_cases();
7241 }
7242 
7247 static void test_ecdsa_wycheproof(void) {
7248  #include "wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.h"
7249 
7250  int t;
7251  for (t = 0; t < SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS; t++) {
7252  secp256k1_ecdsa_signature signature;
7253  secp256k1_sha256 hasher;
7254  secp256k1_pubkey pubkey;
7255  const unsigned char *msg, *sig, *pk;
7256  unsigned char out[32] = {0};
7257  int actual_verify = 0;
7258 
7259  memset(&pubkey, 0, sizeof(pubkey));
7260  pk = &wycheproof_ecdsa_public_keys[testvectors[t].pk_offset];
7261  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);
7262 
7263  secp256k1_sha256_initialize(&hasher);
7264  msg = &wycheproof_ecdsa_messages[testvectors[t].msg_offset];
7265  secp256k1_sha256_write(&hasher, msg, testvectors[t].msg_len);
7266  secp256k1_sha256_finalize(&hasher, out);
7267 
7268  sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset];
7269  if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
7270  actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
7271  }
7272  CHECK(testvectors[t].expected_verify == actual_verify);
7273  }
7274 }
7275 
7276 /* Tests cases from Wycheproof test suite. */
7277 static void run_ecdsa_wycheproof(void) {
7278  test_ecdsa_wycheproof();
7279 }
7280 
7281 #ifdef ENABLE_MODULE_ECDH
7282 # include "modules/ecdh/tests_impl.h"
7283 #endif
7284 
7285 #ifdef ENABLE_MODULE_RECOVERY
7286 # include "modules/recovery/tests_impl.h"
7287 #endif
7288 
7289 #ifdef ENABLE_MODULE_EXTRAKEYS
7290 # include "modules/extrakeys/tests_impl.h"
7291 #endif
7292 
7293 #ifdef ENABLE_MODULE_SCHNORRSIG
7294 # include "modules/schnorrsig/tests_impl.h"
7295 #endif
7296 
7297 #ifdef ENABLE_MODULE_ELLSWIFT
7298 # include "modules/ellswift/tests_impl.h"
7299 #endif
7300 
7301 static void run_secp256k1_memczero_test(void) {
7302  unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7303  unsigned char buf2[sizeof(buf1)];
7304 
7305  /* secp256k1_memczero(..., ..., 0) is a noop. */
7306  memcpy(buf2, buf1, sizeof(buf1));
7307  secp256k1_memczero(buf1, sizeof(buf1), 0);
7308  CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7309 
7310  /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7311  memset(buf2, 0, sizeof(buf2));
7312  secp256k1_memczero(buf1, sizeof(buf1) , 1);
7313  CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7314 }
7315 
7316 static void run_secp256k1_byteorder_tests(void) {
7317  {
7318  const uint32_t x = 0xFF03AB45;
7319  const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7320  unsigned char buf[4];
7321  uint32_t x_;
7322 
7323  secp256k1_write_be32(buf, x);
7324  CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7325 
7326  x_ = secp256k1_read_be32(buf);
7327  CHECK(x == x_);
7328  }
7329 
7330  {
7331  const uint64_t x = 0xCAFE0123BEEF4567;
7332  const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67};
7333  unsigned char buf[8];
7334  uint64_t x_;
7335 
7336  secp256k1_write_be64(buf, x);
7337  CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7338 
7339  x_ = secp256k1_read_be64(buf);
7340  CHECK(x == x_);
7341  }
7342 }
7343 
7344 static void int_cmov_test(void) {
7345  int r = INT_MAX;
7346  int a = 0;
7347 
7348  secp256k1_int_cmov(&r, &a, 0);
7349  CHECK(r == INT_MAX);
7350 
7351  r = 0; a = INT_MAX;
7352  secp256k1_int_cmov(&r, &a, 1);
7353  CHECK(r == INT_MAX);
7354 
7355  a = 0;
7356  secp256k1_int_cmov(&r, &a, 1);
7357  CHECK(r == 0);
7358 
7359  a = 1;
7360  secp256k1_int_cmov(&r, &a, 1);
7361  CHECK(r == 1);
7362 
7363  r = 1; a = 0;
7364  secp256k1_int_cmov(&r, &a, 0);
7365  CHECK(r == 1);
7366 
7367 }
7368 
7369 static void fe_cmov_test(void) {
7370  static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7371  static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7372  static const secp256k1_fe max = SECP256K1_FE_CONST(
7373  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7374  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7375  );
7376  secp256k1_fe r = max;
7377  secp256k1_fe a = zero;
7378 
7379  secp256k1_fe_cmov(&r, &a, 0);
7380  CHECK(fe_identical(&r, &max));
7381 
7382  r = zero; a = max;
7383  secp256k1_fe_cmov(&r, &a, 1);
7384  CHECK(fe_identical(&r, &max));
7385 
7386  a = zero;
7387  secp256k1_fe_cmov(&r, &a, 1);
7388  CHECK(fe_identical(&r, &zero));
7389 
7390  a = one;
7391  secp256k1_fe_cmov(&r, &a, 1);
7392  CHECK(fe_identical(&r, &one));
7393 
7394  r = one; a = zero;
7395  secp256k1_fe_cmov(&r, &a, 0);
7396  CHECK(fe_identical(&r, &one));
7397 }
7398 
7399 static void fe_storage_cmov_test(void) {
7400  static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7401  static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7402  static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
7403  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7404  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7405  );
7406  secp256k1_fe_storage r = max;
7407  secp256k1_fe_storage a = zero;
7408 
7409  secp256k1_fe_storage_cmov(&r, &a, 0);
7410  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7411 
7412  r = zero; a = max;
7413  secp256k1_fe_storage_cmov(&r, &a, 1);
7414  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7415 
7416  a = zero;
7417  secp256k1_fe_storage_cmov(&r, &a, 1);
7418  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7419 
7420  a = one;
7421  secp256k1_fe_storage_cmov(&r, &a, 1);
7422  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7423 
7424  r = one; a = zero;
7425  secp256k1_fe_storage_cmov(&r, &a, 0);
7426  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7427 }
7428 
7429 static void scalar_cmov_test(void) {
7430  static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7431  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
7432  0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
7433  );
7434  secp256k1_scalar r = max;
7435  secp256k1_scalar a = secp256k1_scalar_zero;
7436 
7437  secp256k1_scalar_cmov(&r, &a, 0);
7438  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7439 
7440  r = secp256k1_scalar_zero; a = max;
7441  secp256k1_scalar_cmov(&r, &a, 1);
7442  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7443 
7444  a = secp256k1_scalar_zero;
7445  secp256k1_scalar_cmov(&r, &a, 1);
7446  CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0);
7447 
7448  a = secp256k1_scalar_one;
7449  secp256k1_scalar_cmov(&r, &a, 1);
7450  CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7451 
7452  r = secp256k1_scalar_one; a = secp256k1_scalar_zero;
7453  secp256k1_scalar_cmov(&r, &a, 0);
7454  CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7455 }
7456 
7457 static void ge_storage_cmov_test(void) {
7458  static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7459  static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7460  static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
7461  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7462  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7463  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7464  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7465  );
7466  secp256k1_ge_storage r = max;
7467  secp256k1_ge_storage a = zero;
7468 
7469  secp256k1_ge_storage_cmov(&r, &a, 0);
7470  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7471 
7472  r = zero; a = max;
7473  secp256k1_ge_storage_cmov(&r, &a, 1);
7474  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7475 
7476  a = zero;
7477  secp256k1_ge_storage_cmov(&r, &a, 1);
7478  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7479 
7480  a = one;
7481  secp256k1_ge_storage_cmov(&r, &a, 1);
7482  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7483 
7484  r = one; a = zero;
7485  secp256k1_ge_storage_cmov(&r, &a, 0);
7486  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7487 }
7488 
7489 static void run_cmov_tests(void) {
7490  int_cmov_test();
7491  fe_cmov_test();
7492  fe_storage_cmov_test();
7493  scalar_cmov_test();
7494  ge_storage_cmov_test();
7495 }
7496 
7497 int main(int argc, char **argv) {
7498  /* Disable buffering for stdout to improve reliability of getting
7499  * diagnostic information. Happens right at the start of main because
7500  * setbuf must be used before any other operation on the stream. */
7501  setbuf(stdout, NULL);
7502  /* Also disable buffering for stderr because it's not guaranteed that it's
7503  * unbuffered on all systems. */
7504  setbuf(stderr, NULL);
7505 
7506  /* find iteration count */
7507  if (argc > 1) {
7508  COUNT = strtol(argv[1], NULL, 0);
7509  } else {
7510  const char* env = getenv("SECP256K1_TEST_ITERS");
7511  if (env && strlen(env) > 0) {
7512  COUNT = strtol(env, NULL, 0);
7513  }
7514  }
7515  if (COUNT <= 0) {
7516  fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7517  return EXIT_FAILURE;
7518  }
7519  printf("test count = %i\n", COUNT);
7520 
7521  /* run test RNG tests (must run before we really initialize the test RNG) */
7522  run_xoshiro256pp_tests();
7523 
7524  /* find random seed */
7525  secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
7526 
7527  /*** Setup test environment ***/
7528 
7529  /* Create a global context available to all tests */
7530  CTX = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
7531  /* Randomize the context only with probability 15/16
7532  to make sure we test without context randomization from time to time.
7533  TODO Reconsider this when recalibrating the tests. */
7534  if (secp256k1_testrand_bits(4)) {
7535  unsigned char rand32[32];
7536  secp256k1_testrand256(rand32);
7537  CHECK(secp256k1_context_randomize(CTX, rand32));
7538  }
7539  /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
7540  that write to the context. The API does not support cloning the static context, so we use
7541  memcpy instead. The user is not supposed to copy a context but we should still ensure that
7542  the API functions handle copies of the static context gracefully. */
7543  STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
7544  CHECK(STATIC_CTX != NULL);
7545  memcpy(STATIC_CTX, secp256k1_context_static, sizeof(secp256k1_context));
7546  CHECK(!secp256k1_context_is_proper(STATIC_CTX));
7547 
7548  /*** Run actual tests ***/
7549 
7550  /* selftest tests */
7551  run_selftest_tests();
7552 
7553  /* context tests */
7554  run_proper_context_tests(0); run_proper_context_tests(1);
7555  run_static_context_tests(0); run_static_context_tests(1);
7556  run_deprecated_context_flags_test();
7557 
7558  /* scratch tests */
7559  run_scratch_tests();
7560 
7561  /* integer arithmetic tests */
7562 #ifdef SECP256K1_WIDEMUL_INT128
7563  run_int128_tests();
7564 #endif
7565  run_ctz_tests();
7566  run_modinv_tests();
7567  run_inverse_tests();
7568 
7569  /* hash tests */
7570  run_sha256_known_output_tests();
7571  run_sha256_counter_tests();
7572  run_hmac_sha256_tests();
7573  run_rfc6979_hmac_sha256_tests();
7574  run_tagged_sha256_tests();
7575 
7576  /* scalar tests */
7577  run_scalar_tests();
7578 
7579  /* field tests */
7580  run_field_half();
7581  run_field_misc();
7582  run_field_convert();
7583  run_field_be32_overflow();
7584  run_fe_mul();
7585  run_sqr();
7586  run_sqrt();
7587 
7588  /* group tests */
7589  run_ge();
7590  run_gej();
7591  run_group_decompress();
7592 
7593  /* ecmult tests */
7594  run_ecmult_pre_g();
7595  run_wnaf();
7596  run_point_times_order();
7597  run_ecmult_near_split_bound();
7598  run_ecmult_chain();
7599  run_ecmult_constants();
7600  run_ecmult_gen_blind();
7601  run_ecmult_const_tests();
7602  run_ecmult_multi_tests();
7603  run_ec_combine();
7604 
7605  /* endomorphism tests */
7606  run_endomorphism_tests();
7607 
7608  /* EC point parser test */
7609  run_ec_pubkey_parse_test();
7610 
7611  /* EC key edge cases */
7612  run_eckey_edge_case_test();
7613 
7614  /* EC key arithmetic test */
7615  run_eckey_negate_test();
7616 
7617 #ifdef ENABLE_MODULE_ECDH
7618  /* ecdh tests */
7619  run_ecdh_tests();
7620 #endif
7621 
7622  /* ecdsa tests */
7623  run_ec_illegal_argument_tests();
7624  run_pubkey_comparison();
7625  run_random_pubkeys();
7626  run_ecdsa_der_parse();
7627  run_ecdsa_sign_verify();
7628  run_ecdsa_end_to_end();
7629  run_ecdsa_edge_cases();
7630  run_ecdsa_wycheproof();
7631 
7632 #ifdef ENABLE_MODULE_RECOVERY
7633  /* ECDSA pubkey recovery tests */
7634  run_recovery_tests();
7635 #endif
7636 
7637 #ifdef ENABLE_MODULE_EXTRAKEYS
7638  run_extrakeys_tests();
7639 #endif
7640 
7641 #ifdef ENABLE_MODULE_SCHNORRSIG
7642  run_schnorrsig_tests();
7643 #endif
7644 
7645 #ifdef ENABLE_MODULE_ELLSWIFT
7646  run_ellswift_tests();
7647 #endif
7648 
7649  /* util tests */
7650  run_secp256k1_memczero_test();
7651  run_secp256k1_byteorder_tests();
7652 
7653  run_cmov_tests();
7654 
7655  /*** Tear down test environment ***/
7656  free(STATIC_CTX);
7657  secp256k1_context_destroy(CTX);
7658 
7659  secp256k1_testrand_finish();
7660 
7661  printf("no problems found\n");
7662  return 0;
7663 }
ret
int ret
Definition: bitcoin-cli.cpp:1271
flags
int flags
Definition: bitcoin-tx.cpp:530
SECP256K1_CHECKMEM_UNDEFINE
#define SECP256K1_CHECKMEM_UNDEFINE(p, len)
Definition: checkmem.h:90
SECP256K1_CHECKMEM_CHECK
#define SECP256K1_CHECKMEM_CHECK(p, len)
Definition: checkmem.h:92
tests_impl.h
run_ecdh_tests
static void run_ecdh_tests(void)
Definition: tests_impl.h:145
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
ecdsa_secp256k1_sha256_bitcoin_test.h
wycheproof_ecdsa_signatures
static const unsigned char wycheproof_ecdsa_signatures[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:173
wycheproof_ecdsa_public_keys
static const unsigned char wycheproof_ecdsa_public_keys[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:73
wycheproof_ecdsa_messages
static const unsigned char wycheproof_ecdsa_messages[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:13
SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
#define SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:2
testvectors
static const wycheproof_ecdsa_testvector testvectors[SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:636
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
ECMULT_TABLE_SIZE
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
secp256k1_ecmult
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_ecmult_const_xonly
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
secp256k1_ecmult_const_K
static const secp256k1_scalar secp256k1_ecmult_const_K
Definition: ecmult_const_impl.h:94
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:607
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:737
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
secp256k1_ecmult_strauss_batch_single
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:403
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:418
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:162
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:358
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:578
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:728
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
secp256k1_ecmult_multi_batch_size_helper
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:798
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:645
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:816
tests_impl.h
run_ellswift_tests
void run_ellswift_tests(void)
Definition: tests_impl.h:179
sum
volatile double sum
Definition: examples.cpp:10
tests_impl.h
run_extrakeys_tests
static void run_extrakeys_tests(void)
Definition: tests_impl.h:470
secp256k1_fe_cmov
#define secp256k1_fe_cmov
Definition: field.h:96
secp256k1_fe_negate
#define secp256k1_fe_negate(r, a, m)
Negate a field element.
Definition: field.h:216
secp256k1_fe_mul_int
#define secp256k1_fe_mul_int(r, a)
Multiply a field element with a small integer.
Definition: field.h:238
secp256k1_fe_normalizes_to_zero_var
#define secp256k1_fe_normalizes_to_zero_var
Definition: field.h:82
secp256k1_fe_cmp_var
#define secp256k1_fe_cmp_var
Definition: field.h:87
secp256k1_fe_normalize_weak
#define secp256k1_fe_normalize_weak
Definition: field.h:79
secp256k1_fe_is_odd
#define secp256k1_fe_is_odd
Definition: field.h:86
secp256k1_fe_mul
#define secp256k1_fe_mul
Definition: field.h:94
secp256k1_fe_one
static const secp256k1_fe secp256k1_fe_one
Definition: field.h:68
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
secp256k1_fe_add
#define secp256k1_fe_add
Definition: field.h:93
secp256k1_fe_clear
#define secp256k1_fe_clear
Definition: field.h:84
secp256k1_fe_normalize_var
#define secp256k1_fe_normalize_var
Definition: field.h:80
secp256k1_fe_half
#define secp256k1_fe_half
Definition: field.h:102
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p.
Definition: field.h:66
secp256k1_fe_to_storage
#define secp256k1_fe_to_storage
Definition: field.h:97
secp256k1_fe_inv_var
#define secp256k1_fe_inv_var
Definition: field.h:100
secp256k1_fe_is_zero
#define secp256k1_fe_is_zero
Definition: field.h:85
secp256k1_fe_mul_int_unchecked
#define secp256k1_fe_mul_int_unchecked
Definition: field.h:92
secp256k1_fe_set_b32_limit
#define secp256k1_fe_set_b32_limit
Definition: field.h:89
secp256k1_fe_is_square_var
#define secp256k1_fe_is_square_var
Definition: field.h:104
secp256k1_fe_get_bounds
#define secp256k1_fe_get_bounds
Definition: field.h:101
secp256k1_fe_from_storage
#define secp256k1_fe_from_storage
Definition: field.h:98
secp256k1_fe_set_b32_mod
#define secp256k1_fe_set_b32_mod
Definition: field.h:88
secp256k1_fe_negate_unchecked
#define secp256k1_fe_negate_unchecked
Definition: field.h:91
secp256k1_fe_get_b32
#define secp256k1_fe_get_b32
Definition: field.h:90
secp256k1_fe_normalizes_to_zero
#define secp256k1_fe_normalizes_to_zero
Definition: field.h:81
secp256k1_fe_inv
#define secp256k1_fe_inv
Definition: field.h:99
secp256k1_fe_sqr
#define secp256k1_fe_sqr
Definition: field.h:95
secp256k1_fe_normalize
#define secp256k1_fe_normalize
Definition: field.h:78
secp256k1_fe_equal
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_fe_add_int
#define secp256k1_fe_add_int
Definition: field.h:103
secp256k1_fe_set_int
#define secp256k1_fe_set_int
Definition: field.h:83
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:54
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
SECP256K1_GE_STORAGE_CONST
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
secp256k1_gej_eq_var
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
SECP256K1_GE_X_MAGNITUDE_MAX
#define SECP256K1_GE_X_MAGNITUDE_MAX
Maximum allowed magnitudes for group element coordinates in affine (x, y) and jacobian (x,...
Definition: group.h:49
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
secp256k1_ge_eq_var
static int secp256k1_ge_eq_var(const secp256k1_ge *a, const secp256k1_ge *b)
Check two group elements (affine) for equality in variable time.
secp256k1_ge_x_on_curve_var
static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x)
Determine whether x is a valid X coordinate on the curve.
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
SECP256K1_GEJ_Y_MAGNITUDE_MAX
#define SECP256K1_GEJ_Y_MAGNITUDE_MAX
Definition: group.h:52
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_gej_eq_ge_var
static int secp256k1_gej_eq_ge_var(const secp256k1_gej *a, const secp256k1_ge *b)
Check two group elements (jacobian and affine) for equality in variable time.
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_ge_x_frac_on_curve_var
static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd)
Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).
secp256k1_ge_storage_cmov
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
SECP256K1_GE_Y_MAGNITUDE_MAX
#define SECP256K1_GE_Y_MAGNITUDE_MAX
Definition: group.h:50
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
secp256k1_gej_cmov
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
SECP256K1_GEJ_Z_MAGNITUDE_MAX
#define SECP256K1_GEJ_Z_MAGNITUDE_MAX
Definition: group.h:53
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
SECP256K1_GEJ_X_MAGNITUDE_MAX
#define SECP256K1_GEJ_X_MAGNITUDE_MAX
Definition: group.h:51
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:70
int128_impl.h
secp256k1_int128
int128_t secp256k1_int128
Definition: int128_native.h:17
secp256k1_i128_load
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
Definition: int128_native_impl.h:45
secp256k1_i128_det
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
Definition: int128_native_impl.h:59
secp256k1_u128_check_bits
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:40
secp256k1_i128_rshift
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
Definition: int128_native_impl.h:66
secp256k1_u128_hi_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:32
secp256k1_i128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:71
secp256k1_i128_from_i64
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
Definition: int128_native_impl.h:80
secp256k1_u128_from_u64
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:36
secp256k1_i128_eq_var
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
Definition: int128_native_impl.h:84
secp256k1_i128_to_i64
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:75
secp256k1_i128_mul
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:49
secp256k1_u128_rshift
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:23
secp256k1_i128_check_pow2
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
Definition: int128_native_impl.h:88
secp256k1_u128_accum_u64
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:19
secp256k1_i128_accum_mul
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:53
secp256k1_u128_accum_mul
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:15
secp256k1_u128_load
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
Definition: int128_native_impl.h:7
secp256k1_u128_mul
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:11
secp256k1_u128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:28
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
Definition: lax_der_privatekey_parsing.c:55
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
Definition: lax_der_privatekey_parsing.c:11
cs
static void pool cs
Definition: mempool_eviction.cpp:13
nonce
unsigned int nonce
Definition: miner_tests.cpp:71
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
secp256k1_modinv32_var
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_modinv32
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_jacobi32_maybe_var
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
modinv32_impl.h
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_jacobi64_maybe_var
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
modinv64_impl.h
miniscript::internal::ZERO
static const auto ZERO
A stack consisting of a single zero-length element (interpreted as 0 by the script interpreter in num...
Definition: miniscript.h:326
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:16
subprocess::util::split
static std::vector< std::string > split(const std::string &str, const std::string &delims=" \t")
Definition: subprocess.hpp:414
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
tests_wycheproof_generate.expected_verify
int expected_verify
Definition: tests_wycheproof_generate.py:46
tests_wycheproof_generate.out
string out
Definition: tests_wycheproof_generate.py:28
tinyformat::printf
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1077
secp256k1_pre_g_128
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:8236
secp256k1_pre_g
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:16
WINDOW_G
#define WINDOW_G
Definition: precomputed_ecmult.c:15
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:42
tests_impl.h
run_recovery_tests
static void run_recovery_tests(void)
Definition: tests_impl.h:327
prefix
const char * prefix
Definition: rest.cpp:1007
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_half
static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a)
Multiply a scalar with the multiplicative inverse of 2.
secp256k1_scalar_split_128
static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*2^128 = k.
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_scalar_split_lambda
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
secp256k1_scalar_get_bits_var
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:68
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
secp256k1_const_lambda
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:79
tests_impl.h
run_schnorrsig_tests
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:968
secp256k1_scratch_apply_checkpoint
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
secp256k1_scratch_alloc
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
secp256k1_scratch_checkpoint
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_ctz64_var
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:337
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:156
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:226
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:240
ALIGNMENT
#define ALIGNMENT
Definition: util.h:170
secp256k1_default_error_callback_fn
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:96
secp256k1_read_be32
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:355
secp256k1_ctz32_var
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:319
secp256k1_write_be32
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:363
secp256k1_write_be64
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char *p, uint64_t x)
Definition: util.h:383
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:91
secp256k1_ctz64_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:308
secp256k1_ctz32_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:296
secp256k1_read_be64
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char *p)
Definition: util.h:371
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:207
secp256k1_context_is_proper
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:81
secp256k1_context_no_precomp
const secp256k1_context * secp256k1_context_no_precomp
Definition: secp256k1.c:74
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:342
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:239
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:252
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:454
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:328
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:186
secp256k1_ec_seckey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:692
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:209
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:739
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:749
secp256k1_ec_seckey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:602
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:368
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:279
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
secp256k1_ec_pubkey_cmp
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:302
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:561
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:198
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:547
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:261
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:205
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:352
secp256k1_selftest
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:85
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:584
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:162
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:140
secp256k1_tagged_sha256
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:775
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:215
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:433
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:414
secp256k1_scratch_space_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t size) SECP256K1_ARG_NONNULL(1)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:222
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:675
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:216
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:389
secp256k1_ec_pubkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:621
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_add instead")
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:664
secp256k1_scratch_space_destroy
SECP256K1_API void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:227
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:208
secp256k1_ec_privkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_negate instead")
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:617
secp256k1_ec_seckey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:648
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:716
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:401
secp256k1_context_static
SECP256K1_API const secp256k1_context * secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:236
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_mul instead")
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:712
secp256k1_context_preallocated_create
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
secp256k1_context_preallocated_clone_size
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:111
secp256k1_context_preallocated_destroy
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:175
secp256k1_context_preallocated_size
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:91
secp256k1_context_preallocated_clone
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:151
ecmult_multi_data
Definition: tests.c:4632
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:4633
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:4634
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:82
secp256k1_callback::data
const void * data
Definition: util.h:83
secp256k1_context_struct
Definition: secp256k1.c:60
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition: secp256k1.c:62
secp256k1_context_struct::declassify
int declassify
Definition: secp256k1.c:64
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:63
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:61
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:87
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:31
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:37
secp256k1_ecmult_gen_context::built
int built
Definition: ecmult_gen.h:33
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:36
secp256k1_fe_storage
Definition: field_10x26.h:50
secp256k1_fe
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
secp256k1_fe::n
uint32_t n[10]
Definition: field_10x26.h:22
secp256k1_ge_storage
Definition: group.h:38
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_ge::infinity
int infinity
Definition: group.h:19
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:30
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:29
secp256k1_gej::infinity
int infinity
Definition: group.h:32
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:31
secp256k1_hmac_sha256
Definition: hash.h:23
secp256k1_modinv32_modinfo
Definition: modinv32.h:19
secp256k1_modinv32_signed30
Definition: modinv32.h:15
secp256k1_modinv32_signed30::v
int32_t v[9]
Definition: modinv32.h:16
secp256k1_modinv64_modinfo
Definition: modinv64.h:23
secp256k1_modinv64_signed62
Definition: modinv64.h:19
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:20
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:74
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_scratch_space_struct
Definition: scratch.h:12
secp256k1_scratch_space_struct::alloc_size
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
secp256k1_sha256
Definition: hash.h:13
secp256k1_sha256::bytes
uint64_t bytes
Definition: hash.h:16
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:14
secp256k1_uint128
Definition: int128_struct.h:7
wycheproof_ecdsa_testvector::sig_offset
size_t sig_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:8
wycheproof_ecdsa_testvector::msg_offset
size_t msg_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:6
wycheproof_ecdsa_testvector::pk_offset
size_t pk_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:5
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_seed
static SECP256K1_INLINE void secp256k1_testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
secp256k1_testrand_init
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
secp256k1_testrand_finish
static void secp256k1_testrand_finish(void)
Print final test information.
secp256k1_testrand256_test
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_impl.h
secp256k1_test_state
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
run_random_pubkeys
static void run_random_pubkeys(void)
Definition: tests.c:6610
CHECK_ILLEGAL_VOID
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:70
test_wnaf
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5252
run_inverse_tests
static void run_inverse_tests(void)
Definition: tests.c:3432
counting_callback_fn
static void counting_callback_fn(const char *str, void *data)
Definition: tests.c:81
mutate_sign_signed30
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:968
ec_pubkey_parse_pointtest
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5658
test_ecdsa_sign_verify
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6274
test_ge
static void test_ge(void)
Definition: tests.c:3702
CHECK_ERROR_VOID
#define CHECK_ERROR_VOID(ctx, expr_or_stmt)
Definition: tests.c:68
random_gej_x_magnitude
static void random_gej_x_magnitude(secp256k1_gej *gej)
Definition: tests.c:143
run_pubkey_comparison
static void run_pubkey_comparison(void)
Definition: tests.c:6565
run_ecdsa_sign_verify
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6301
run_field_misc
static void run_field_misc(void)
Definition: tests.c:3116
test_ecmult_gen_blind_reset
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5589
random_field_element_magnitude
static void random_field_element_magnitude(secp256k1_fe *fe, int m)
Definition: tests.c:99
run_ec_pubkey_parse_test
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5725
run_static_context_tests
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:313
random_sign
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6267
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6317
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6325
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
test_ecmult_multi_random
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4875
COUNT
static int COUNT
Definition: tests.c:40
mulmod256
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:866
random_fe_non_zero_test
static void random_fe_non_zero_test(secp256k1_fe *fe)
Definition: tests.c:125
ecmult_const_check_result
static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar *q, const secp256k1_gej *res)
Definition: tests.c:4506
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:78
gej_xyz_equals_gej
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3681
ecmult_gen_context_eq
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:249
run_tagged_sha256_tests
static void run_tagged_sha256_tests(void)
Definition: tests.c:822
run_sha256_counter_tests
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:668
random_scalar_order_b32
static void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:209
random_group_element_jacobian_test
static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:167
test_fixed_wnaf_small_helper
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5322
all_bytes_equal
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:44
test_intialized_inf
static void test_intialized_inf(void)
Definition: tests.c:3936
test_fixed_wnaf_small
static void test_fixed_wnaf_small(void)
Definition: tests.c:5332
main
int main(int argc, char **argv)
Definition: tests.c:7497
run_ecmult_const_tests
static void run_ecmult_const_tests(void)
Definition: tests.c:4623
fe_identical
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3060
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
run_eckey_edge_case_test
static void run_eckey_edge_case_test(void)
Definition: tests.c:6010
random_fe_non_square
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2948
run_secp256k1_byteorder_tests
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7316
run_ecmult_constants
static void run_ecmult_constants(void)
Definition: tests.c:5532
run_field_be32_overflow
static void run_field_be32_overflow(void)
Definition: tests.c:2993
test_modinv32_uint16
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:983
run_ecmult_chain
static void run_ecmult_chain(void)
Definition: tests.c:4233
test_inverse_field
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3407
run_ec_combine
static void run_ec_combine(void)
Definition: tests.c:4106
run_deprecated_context_flags_test
static void run_deprecated_context_flags_test(void)
Definition: tests.c:264
CTX
static secp256k1_context * CTX
Definition: tests.c:41
run_point_times_order
static void run_point_times_order(void)
Definition: tests.c:4404
random_group_element_test
static void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:155
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6723
CONDITIONAL_TEST
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:38
ecmult_const_commutativity
static void ecmult_const_commutativity(void)
Definition: tests.c:4452
int_cmov_test
static void int_cmov_test(void)
Definition: tests.c:7344
test_add_neg_y_diff_x
static void test_add_neg_y_diff_x(void)
Definition: tests.c:3968
test_ecmult_accumulate
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5413
test_point_times_order
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4292
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6684
run_hmac_sha256_tests
static void run_hmac_sha256_tests(void)
Definition: tests.c:737
fe_equal
static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2956
test_ecmult_multi_batch_single
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5041
random_gej_test
static void random_gej_test(secp256k1_gej *gej)
Definition: tests.c:177
signed30_to_uint16
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:959
is_empty_signature
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6355
run_field_half
static void run_field_half(void)
Definition: tests.c:3067
run_eckey_negate_test
static void run_eckey_negate_test(void)
Definition: tests.c:6232
scalar_test
static void scalar_test(void)
Definition: tests.c:2128
run_scalar_set_b32_seckey_tests
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2283
test_ecmult_multi
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4652
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6309
run_gej
static void run_gej(void)
Definition: tests.c:4045
run_ge
static void run_ge(void)
Definition: tests.c:4028
ge_storage_cmov_test
static void ge_storage_cmov_test(void)
Definition: tests.c:7457
scalar_minus_one
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3368
fe_storage_cmov_test
static void fe_storage_cmov_test(void)
Definition: tests.c:7399
test_ec_combine
static void test_ec_combine(void)
Definition: tests.c:4081
random_gej_y_magnitude
static void random_gej_y_magnitude(secp256k1_gej *gej)
Definition: tests.c:147
test_secp256k1_pippenger_bucket_window_inv
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5059
run_ctz_tests
static void run_ctz_tests(void)
Definition: tests.c:546
test_ecmult_multi_pippenger_max_points
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5079
run_scalar_tests
static void run_scalar_tests(void)
Definition: tests.c:2300
test_random_pubkeys
static void test_random_pubkeys(void)
Definition: tests.c:6505
random_fe_test
static void random_fe_test(secp256k1_fe *x)
Definition: tests.c:115
test_gej_cmov
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4037
random_ge_y_magnitude
static void random_ge_y_magnitude(secp256k1_ge *ge)
Definition: tests.c:139
test_sqrt
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3316
scalar_cmov_test
static void scalar_cmov_test(void)
Definition: tests.c:7429
random_ge_x_magnitude
static void random_ge_x_magnitude(secp256k1_ge *ge)
Definition: tests.c:135
run_ecmult_gen_blind
static void run_ecmult_gen_blind(void)
Definition: tests.c:5601
test_ecdsa_end_to_end
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6360
run_sha256_known_output_tests
static void run_sha256_known_output_tests(void)
Definition: tests.c:567
test_ecmult_target
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4354
CHECK_ERROR
#define CHECK_ERROR(ctx, expr)
Definition: tests.c:79
random_gej_z_magnitude
static void random_gej_z_magnitude(secp256k1_gej *gej)
Definition: tests.c:151
random_scalar_order
static void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:196
run_ecdsa_end_to_end
static void run_ecdsa_end_to_end(void)
Definition: tests.c:6617
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4637
ecmult_const_mult_xonly
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4542
run_proper_context_tests
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:354
random_fe_magnitude
static void random_fe_magnitude(secp256k1_fe *fe)
Definition: tests.c:131
test_fe_mul
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3223
test_group_decompress
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4113
test_ecmult_constants_2bit
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5445
run_cmov_tests
static void run_cmov_tests(void)
Definition: tests.c:7489
run_ecdsa_der_parse
static void run_ecdsa_der_parse(void)
Definition: tests.c:6869
ecmult_const_random_mult
static void ecmult_const_random_mult(void)
Definition: tests.c:4425
test_scalar_split
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5610
run_field_convert
static void run_field_convert(void)
Definition: tests.c:2963
test_ecdsa_der_parse
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6624
run_ec_illegal_argument_tests
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:282
run_ecdsa_wycheproof
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7277
test_ecmult_constants_sha
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5489
test_ecmult_multi_batching
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5160
uncounting_illegal_callback_fn
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:90
run_sqrt
static void run_sqrt(void)
Definition: tests.c:3330
run_modinv_tests
static void run_modinv_tests(void)
Definition: tests.c:1164
scalars_near_split_bounds
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4331
uint16_to_signed30
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:950
run_xoshiro256pp_tests
static void run_xoshiro256pp_tests(void)
Definition: tests.c:215
run_wnaf
static void run_wnaf(void)
Definition: tests.c:5386
run_ecmult_multi_tests
static void run_ecmult_multi_tests(void)
Definition: tests.c:5225
run_selftest_tests
static void run_selftest_tests(void)
Definition: tests.c:244
coprime
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1134
run_sqr
static void run_sqr(void)
Definition: tests.c:3287
context_eq
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:255
test_ecmult_multi_batch_size_helper
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5112
random_scalar_order_test
static void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:183
run_endomorphism_tests
static void run_endomorphism_tests(void)
Definition: tests.c:5637
run_scratch_tests
static void run_scratch_tests(void)
Definition: tests.c:476
test_ecdsa_wycheproof
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7247
run_ecmult_near_split_bound
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4392
run_ecdsa_edge_cases
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7239
fe_cmov_test
static void fe_cmov_test(void)
Definition: tests.c:7369
run_group_decompress
static void run_group_decompress(void)
Definition: tests.c:4148
ecmult_const_mult_zero_one
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4473
test_ecmult_accumulate_cb
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5405
ecmult_const_edges
static void ecmult_const_edges(void)
Definition: tests.c:4515
test_ecdsa_edge_cases
static void test_ecdsa_edge_cases(void)
Definition: tests.c:6901
ecmult_const_chain_multiply
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4597
run_ecmult_pre_g
static void run_ecmult_pre_g(void)
Definition: tests.c:4209
ecmult_multi_false_callback
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4644
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:729
test_pre_g_table
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4159
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:42
test_fixed_wnaf
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5286
test_inverse_scalar
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3385
test_ecmult_gen_blind
static void test_ecmult_gen_blind(void)
Definition: tests.c:5566
run_secp256k1_memczero_test
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7301
run_fe_mul
static void run_fe_mul(void)
Definition: tests.c:3266
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6696
fe_minus_one
static const secp256k1_fe fe_minus_one
Definition: tests.c:3373
run_rfc6979_hmac_sha256_tests
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:781
modinv2p64
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:849
random_fe
static void random_fe(secp256k1_fe *x)
Definition: testutil.h:13
random_fe_non_zero
static void random_fe_non_zero(secp256k1_fe *nz)
Definition: testutil.h:23
expect
#define expect(bit)
Definition: univalue_read.cpp:259
Generated on Tue Apr 16 2024 02:42:34 for Bitcoin Core by doxygen 1.9.1