Bitcoin Core  27.99.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #include <stdio.h>
8 #include <stdlib.h>
9 #include <string.h>
10 
11 #include <time.h>
12 
13 #ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14  #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15  #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16 #endif
17 #if defined(VERIFY) && defined(COVERAGE)
18  #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19 #endif
20 #include "secp256k1.c"
21 
22 #include "../include/secp256k1.h"
23 #include "../include/secp256k1_preallocated.h"
24 #include "testrand_impl.h"
25 #include "checkmem.h"
26 #include "testutil.h"
27 #include "util.h"
28 
29 #include "../contrib/lax_der_parsing.c"
30 #include "../contrib/lax_der_privatekey_parsing.c"
31 
32 #include "modinv32_impl.h"
33 #ifdef SECP256K1_WIDEMUL_INT128
34 #include "modinv64_impl.h"
35 #include "int128_impl.h"
36 #endif
37 
38 #define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
39 
40 static int COUNT = 64;
41 static secp256k1_context *CTX = NULL;
43 
44 static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
45  const unsigned char *p = s;
46  size_t i;
47 
48  for (i = 0; i < n; i++) {
49  if (p[i] != value) {
50  return 0;
51  }
52  }
53  return 1;
54 }
55 
56 #define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \
57  int32_t _calls_to_callback = 0; \
58  secp256k1_callback _saved_callback = ctx->callback; \
59  callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \
60  { expr_or_stmt; } \
61  ctx->callback = _saved_callback; \
62  CHECK(_calls_to_callback == 1); \
63 } while(0);
64 
65 /* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once
66  *
67  * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */
68 #define CHECK_ERROR_VOID(ctx, expr_or_stmt) \
69  CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback)
70 #define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \
71  CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback)
72 
73 /* CHECK that
74  * - expr calls the illegal callback of ctx exactly once and,
75  * - expr == 0 (or equivalently, expr == NULL)
76  *
77  * Useful for checking functions that return an integer or a pointer. */
78 #define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
79 #define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0))
80 
81 static void counting_callback_fn(const char* str, void* data) {
82  /* Dummy callback function that just counts. */
83  int32_t *p;
84  (void)str;
85  p = data;
86  CHECK(*p != INT32_MAX);
87  (*p)++;
88 }
89 
90 static void uncounting_illegal_callback_fn(const char* str, void* data) {
91  /* Dummy callback function that just counts (backwards). */
92  int32_t *p;
93  (void)str;
94  p = data;
95  CHECK(*p != INT32_MIN);
96  (*p)--;
97 }
98 
100  secp256k1_fe zero;
101  int n = secp256k1_testrand_int(m + 1);
103  if (n == 0) {
104  return;
105  }
106  secp256k1_fe_clear(&zero);
107  secp256k1_fe_negate(&zero, &zero, 0);
108  secp256k1_fe_mul_int_unchecked(&zero, n - 1);
109  secp256k1_fe_add(fe, &zero);
110 #ifdef VERIFY
111  CHECK(fe->magnitude == n);
112 #endif
113 }
114 
115 static void random_fe_test(secp256k1_fe *x) {
116  unsigned char bin[32];
117  do {
119  if (secp256k1_fe_set_b32_limit(x, bin)) {
120  return;
121  }
122  } while(1);
123 }
124 
126  do {
127  random_fe_test(fe);
128  } while(secp256k1_fe_is_zero(fe));
129 }
130 
133 }
134 
137 }
138 
141 }
142 
145 }
146 
149 }
150 
153 }
154 
156  secp256k1_fe fe;
157  do {
158  random_fe_test(&fe);
161  break;
162  }
163  } while(1);
164  ge->infinity = 0;
165 }
166 
168  secp256k1_fe z2, z3;
169  random_fe_non_zero_test(&gej->z);
170  secp256k1_fe_sqr(&z2, &gej->z);
171  secp256k1_fe_mul(&z3, &z2, &gej->z);
172  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
173  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
174  gej->infinity = ge->infinity;
175 }
176 
177 static void random_gej_test(secp256k1_gej *gej) {
178  secp256k1_ge ge;
181 }
182 
184  do {
185  unsigned char b32[32];
186  int overflow = 0;
188  secp256k1_scalar_set_b32(num, b32, &overflow);
189  if (overflow || secp256k1_scalar_is_zero(num)) {
190  continue;
191  }
192  break;
193  } while(1);
194 }
195 
197  do {
198  unsigned char b32[32];
199  int overflow = 0;
201  secp256k1_scalar_set_b32(num, b32, &overflow);
202  if (overflow || secp256k1_scalar_is_zero(num)) {
203  continue;
204  }
205  break;
206  } while(1);
207 }
208 
209 static void random_scalar_order_b32(unsigned char *b32) {
210  secp256k1_scalar num;
211  random_scalar_order(&num);
212  secp256k1_scalar_get_b32(b32, &num);
213 }
214 
215 static void run_xoshiro256pp_tests(void) {
216  {
217  size_t i;
218  /* Sanity check that we run before the actual seeding. */
219  for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
220  CHECK(secp256k1_test_state[i] == 0);
221  }
222  }
223  {
224  int i;
225  unsigned char buf32[32];
226  unsigned char seed16[16] = {
227  'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
228  'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
229  };
230  unsigned char buf32_expected[32] = {
231  0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
232  0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
233  0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
234  0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
235  };
236  secp256k1_testrand_seed(seed16);
237  for (i = 0; i < 17; i++) {
238  secp256k1_testrand256(buf32);
239  }
240  CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
241  }
242 }
243 
244 static void run_selftest_tests(void) {
245  /* Test public API */
247 }
248 
250  return a->built == b->built
251  && secp256k1_scalar_eq(&a->blind, &b->blind)
252  && secp256k1_gej_eq_var(&a->initial, &b->initial);
253 }
254 
255 static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
256  return a->declassify == b->declassify
260  && a->error_callback.fn == b->error_callback.fn
262 }
263 
265  /* Check that a context created with any of the flags in the flags array is
266  * identical to the NONE context. */
267  unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
271  int i;
272  for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
273  secp256k1_context *tmp_ctx;
275  tmp_ctx = secp256k1_context_create(flags[i]);
276  CHECK(context_eq(none_ctx, tmp_ctx));
277  secp256k1_context_destroy(tmp_ctx);
278  }
279  secp256k1_context_destroy(none_ctx);
280 }
281 
282 static void run_ec_illegal_argument_tests(void) {
283  secp256k1_pubkey pubkey;
284  secp256k1_pubkey zero_pubkey;
286  unsigned char ctmp[32];
287 
288  /* Setup */
289  memset(ctmp, 1, 32);
290  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
291 
292  /* Verify context-type checking illegal-argument errors. */
294  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
295  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
296  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
297  CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL));
298  SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
299  CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
300  SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
301  CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
302  CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
303  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
304  CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
305  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
307  CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
310  CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
311 }
312 
313 static void run_static_context_tests(int use_prealloc) {
314  /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
316 
317  {
318  unsigned char seed[32] = {0x17};
319 
320  /* Randomizing secp256k1_context_static is not supported. */
323 
324  /* Destroying or cloning secp256k1_context_static is not supported. */
325  if (use_prealloc) {
327  {
328  secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
329  CHECK(my_static_ctx != NULL);
330  memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
332  CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
333  free(my_static_ctx);
334  }
336  } else {
339  }
340  }
341 
342  {
343  /* Verify that setting and resetting illegal callback works */
344  int32_t dummy = 0;
351  }
352 }
353 
354 static void run_proper_context_tests(int use_prealloc) {
355  int32_t dummy = 0;
356  secp256k1_context *my_ctx, *my_ctx_fresh;
357  void *my_ctx_prealloc = NULL;
358  unsigned char seed[32] = {0x17};
359 
360  secp256k1_gej pubj;
361  secp256k1_ge pub;
362  secp256k1_scalar msg, key, nonce;
363  secp256k1_scalar sigr, sigs;
364 
365  /* Fresh reference context for comparison */
367 
368  if (use_prealloc) {
370  CHECK(my_ctx_prealloc != NULL);
372  } else {
374  }
375 
376  /* Randomize and reset randomization */
377  CHECK(context_eq(my_ctx, my_ctx_fresh));
378  CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
379  CHECK(!context_eq(my_ctx, my_ctx_fresh));
380  CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
381  CHECK(context_eq(my_ctx, my_ctx_fresh));
382 
383  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
387 
388  /* check if sizes for cloning are consistent */
390 
391  /*** clone and destroy all of them to make sure cloning was complete ***/
392  {
393  secp256k1_context *ctx_tmp;
394 
395  if (use_prealloc) {
396  /* clone into a non-preallocated context and then again into a new preallocated one. */
397  ctx_tmp = my_ctx;
398  my_ctx = secp256k1_context_clone(my_ctx);
399  CHECK(context_eq(ctx_tmp, my_ctx));
401 
402  free(my_ctx_prealloc);
404  CHECK(my_ctx_prealloc != NULL);
405  ctx_tmp = my_ctx;
406  my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
407  CHECK(context_eq(ctx_tmp, my_ctx));
408  secp256k1_context_destroy(ctx_tmp);
409  } else {
410  /* clone into a preallocated context and then again into a new non-preallocated one. */
411  void *prealloc_tmp;
412 
414  CHECK(prealloc_tmp != NULL);
415  ctx_tmp = my_ctx;
416  my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
417  CHECK(context_eq(ctx_tmp, my_ctx));
418  secp256k1_context_destroy(ctx_tmp);
419 
420  ctx_tmp = my_ctx;
421  my_ctx = secp256k1_context_clone(my_ctx);
422  CHECK(context_eq(ctx_tmp, my_ctx));
424  free(prealloc_tmp);
425  }
426  }
427 
428  /* Verify that the error callback makes it across the clone. */
431  /* And that it resets back to default. */
432  secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
434  CHECK(context_eq(my_ctx, my_ctx_fresh));
435 
436  /* Verify that setting and resetting illegal callback works */
439  CHECK(my_ctx->illegal_callback.data == &dummy);
440  secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
442  CHECK(my_ctx->illegal_callback.data == NULL);
443  CHECK(context_eq(my_ctx, my_ctx_fresh));
444 
445  /*** attempt to use them ***/
448  secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
449  secp256k1_ge_set_gej(&pub, &pubj);
450 
451  /* obtain a working nonce */
452  do {
454  } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
455 
456  /* try signing */
457  CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
458 
459  /* try verifying */
460  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
461 
462  /* cleanup */
463  if (use_prealloc) {
465  free(my_ctx_prealloc);
466  } else {
468  }
469  secp256k1_context_destroy(my_ctx_fresh);
470 
471  /* Defined as no-op. */
474 }
475 
476 static void run_scratch_tests(void) {
477  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
478 
479  size_t checkpoint;
480  size_t checkpoint_2;
481  secp256k1_scratch_space *scratch;
482  secp256k1_scratch_space local_scratch;
483 
484  /* Test public API */
485  scratch = secp256k1_scratch_space_create(CTX, 1000);
486  CHECK(scratch != NULL);
487 
488  /* Test internal API */
490  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
491  CHECK(scratch->alloc_size == 0);
492  CHECK(scratch->alloc_size % ALIGNMENT == 0);
493 
494  /* Allocating 500 bytes succeeds */
495  checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
496  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
497  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
498  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
499  CHECK(scratch->alloc_size != 0);
500  CHECK(scratch->alloc_size % ALIGNMENT == 0);
501 
502  /* Allocating another 501 bytes fails */
503  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
504  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
505  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
506  CHECK(scratch->alloc_size != 0);
507  CHECK(scratch->alloc_size % ALIGNMENT == 0);
508 
509  /* ...but it succeeds once we apply the checkpoint to undo it */
510  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
511  CHECK(scratch->alloc_size == 0);
513  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
514  CHECK(scratch->alloc_size != 0);
515 
516  /* try to apply a bad checkpoint */
517  checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
518  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
519  CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */
520  CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */
521 
522  /* try to use badly initialized scratch space */
524  memset(&local_scratch, 0, sizeof(local_scratch));
525  scratch = &local_scratch;
529 
530  /* Test that large integers do not wrap around in a bad way */
531  scratch = secp256k1_scratch_space_create(CTX, 1000);
532  /* Try max allocation with a large number of objects. Only makes sense if
533  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
534  * space. */
535  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
536  /* Try allocating SIZE_MAX to test wrap around which only happens if
537  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
538  * space is too small. */
539  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
541 
542  /* cleanup */
543  secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
544 }
545 
546 static void run_ctz_tests(void) {
547  static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
548  static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
549  int shift;
550  unsigned i;
551  for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
552  for (shift = 0; shift < 32; ++shift) {
553  CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
554  CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
555  }
556  }
557  for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
558  for (shift = 0; shift < 64; ++shift) {
559  CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
560  CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
561  }
562  }
563 }
564 
565 /***** HASH TESTS *****/
566 
567 static void run_sha256_known_output_tests(void) {
568  static const char *inputs[] = {
569  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
570  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
571  "For this sample, this 63-byte string will be used as input data",
572  "This is exactly 64 bytes long, not counting the terminating byte",
573  "aaaaa",
574  };
575  static const unsigned int repeat[] = {
576  1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
577  };
578  static const unsigned char outputs[][32] = {
579  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
580  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
581  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
582  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
583  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
584  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
585  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
586  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
587  {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
588  };
589  unsigned int i, ninputs;
590 
591  /* Skip last input vector for low iteration counts */
592  ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
593  CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
594 
595  for (i = 0; i < ninputs; i++) {
596  unsigned char out[32];
597  secp256k1_sha256 hasher;
598  unsigned int j;
599  /* 1. Run: simply write the input bytestrings */
600  j = repeat[i];
602  while (j > 0) {
603  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
604  j--;
605  }
606  secp256k1_sha256_finalize(&hasher, out);
607  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
608  /* 2. Run: split the input bytestrings randomly before writing */
609  if (strlen(inputs[i]) > 0) {
610  int split = secp256k1_testrand_int(strlen(inputs[i]));
612  j = repeat[i];
613  while (j > 0) {
614  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
615  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
616  j--;
617  }
618  secp256k1_sha256_finalize(&hasher, out);
619  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
620  }
621  }
622 }
623 
668 static void run_sha256_counter_tests(void) {
669  static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
670  static const secp256k1_sha256 midstates[] = {
671  {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
672  {0x00}, 0xfffc0},
673  {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
674  {0x00}, 0x1fffc0},
675  {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
676  {0x00}, 0x3fffc0},
677  {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
678  {0x00}, 0x7fffc0},
679  {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
680  {0x00}, 0xffffc0},
681  {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
682  {0x00}, 0x1ffffc0},
683  {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
684  {0x00}, 0x3ffffc0},
685  {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
686  {0x00}, 0x7ffffc0},
687  {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
688  {0x00}, 0xfffffc0},
689  {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
690  {0x00}, 0x1fffffc0},
691  {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
692  {0x00}, 0x3fffffc0},
693  {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
694  {0x00}, 0x7fffffc0},
695  {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
696  {0x00}, 0xffffffc0},
697  {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
698  {0x00}, 0x1ffffffc0},
699  };
700  static const unsigned char outputs[][32] = {
701  {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
702  {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
703  {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
704  {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
705  {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
706  {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
707  {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
708  {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
709  {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
710  {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
711  {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
712  {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
713  {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
714  {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
715  };
716  unsigned int i;
717  for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
718  unsigned char out[32];
719  secp256k1_sha256 hasher = midstates[i];
720  secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
721  secp256k1_sha256_finalize(&hasher, out);
722  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
723  }
724 }
725 
726 /* Tests for the equality of two sha256 structs. This function only produces a
727  * correct result if an integer multiple of 64 many bytes have been written
728  * into the hash functions. This function is used by some module tests. */
729 static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
730  /* Is buffer fully consumed? */
731  CHECK((sha1->bytes & 0x3F) == 0);
732 
733  CHECK(sha1->bytes == sha2->bytes);
734  CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
735 }
736 
737 static void run_hmac_sha256_tests(void) {
738  static const char *keys[6] = {
739  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
740  "\x4a\x65\x66\x65",
741  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
742  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
743  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
744  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
745  };
746  static const char *inputs[6] = {
747  "\x48\x69\x20\x54\x68\x65\x72\x65",
748  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
749  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
750  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
751  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
752  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
753  };
754  static const unsigned char outputs[6][32] = {
755  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
756  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
757  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
758  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
759  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
760  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
761  };
762  int i;
763  for (i = 0; i < 6; i++) {
764  secp256k1_hmac_sha256 hasher;
765  unsigned char out[32];
766  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
767  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
769  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
770  if (strlen(inputs[i]) > 0) {
771  int split = secp256k1_testrand_int(strlen(inputs[i]));
772  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
773  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
774  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
776  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
777  }
778  }
779 }
780 
781 static void run_rfc6979_hmac_sha256_tests(void) {
782  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
783  static const unsigned char out1[3][32] = {
784  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
785  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
786  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
787  };
788 
789  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
790  static const unsigned char out2[3][32] = {
791  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
792  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
793  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
794  };
795 
797  unsigned char out[32];
798  int i;
799 
801  for (i = 0; i < 3; i++) {
803  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
804  }
806 
808  for (i = 0; i < 3; i++) {
810  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
811  }
813 
815  for (i = 0; i < 3; i++) {
817  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
818  }
820 }
821 
822 static void run_tagged_sha256_tests(void) {
823  unsigned char tag[32] = { 0 };
824  unsigned char msg[32] = { 0 };
825  unsigned char hash32[32];
826  unsigned char hash_expected[32] = {
827  0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
828  0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
829  0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
830  0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
831  };
832 
833  /* API test */
834  CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
835  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)));
836  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)));
837  CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0));
838 
839  /* Static test vector */
840  memcpy(tag, "tag", 3);
841  memcpy(msg, "msg", 3);
842  CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
843  CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
844 }
845 
846 /***** MODINV TESTS *****/
847 
848 /* Compute the modular inverse of (odd) x mod 2^64. */
849 static uint64_t modinv2p64(uint64_t x) {
850  /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
851  * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
852  * why. Start with L=0, for which it is true for every odd x that
853  * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
854  int l;
855  uint64_t w = 1;
856  CHECK(x & 1);
857  for (l = 0; l < 6; ++l) w *= (2 - w*x);
858  return w;
859 }
860 
861 
862 /* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
863  *
864  * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
865  * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
866 static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
867  uint16_t mul[32];
868  uint64_t c = 0;
869  int i, j;
870  int m_bitlen = 0;
871  int mul_bitlen = 0;
872 
873  if (b != NULL) {
874  /* Compute the product of a and b, and put it in mul. */
875  for (i = 0; i < 32; ++i) {
876  for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
877  c += (uint64_t)a[j] * b[i - j];
878  }
879  mul[i] = c & 0xFFFF;
880  c >>= 16;
881  }
882  CHECK(c == 0);
883 
884  /* compute the highest set bit in mul */
885  for (i = 511; i >= 0; --i) {
886  if ((mul[i >> 4] >> (i & 15)) & 1) {
887  mul_bitlen = i;
888  break;
889  }
890  }
891  } else {
892  /* if b==NULL, set mul=a. */
893  memcpy(mul, a, 32);
894  memset(mul + 16, 0, 32);
895  /* compute the highest set bit in mul */
896  for (i = 255; i >= 0; --i) {
897  if ((mul[i >> 4] >> (i & 15)) & 1) {
898  mul_bitlen = i;
899  break;
900  }
901  }
902  }
903 
904  if (m) {
905  /* Compute the highest set bit in m. */
906  for (i = 255; i >= 0; --i) {
907  if ((m[i >> 4] >> (i & 15)) & 1) {
908  m_bitlen = i;
909  break;
910  }
911  }
912 
913  /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
914  for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
915  uint16_t mul2[32];
916  int64_t cs;
917 
918  /* Compute mul2 = mul - m<<i. */
919  cs = 0; /* accumulator */
920  for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
921  /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
922  uint16_t sub = 0;
923  int p;
924  for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
925  int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
926  if (bitpos >= 0 && bitpos < 256) {
927  sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
928  }
929  }
930  /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
931  cs += mul[j];
932  cs -= sub;
933  mul2[j] = (cs & 0xFFFF);
934  cs >>= 16;
935  }
936  /* If remainder of subtraction is 0, set mul = mul2. */
937  if (cs == 0) {
938  memcpy(mul, mul2, sizeof(mul));
939  }
940  }
941  /* Sanity check: test that all limbs higher than m's highest are zero */
942  for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
943  CHECK(mul[i] == 0);
944  }
945  }
946  memcpy(out, mul, 32);
947 }
948 
949 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
950 static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
951  int i;
952  memset(out->v, 0, sizeof(out->v));
953  for (i = 0; i < 256; ++i) {
954  out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
955  }
956 }
957 
958 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
959 static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
960  int i;
961  memset(out, 0, 32);
962  for (i = 0; i < 256; ++i) {
963  out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
964  }
965 }
966 
967 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
969  int i;
970  for (i = 0; i < 16; ++i) {
971  int pos = secp256k1_testrand_bits(3);
972  if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
973  x->v[pos] -= 0x40000000;
974  x->v[pos + 1] += 1;
975  } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
976  x->v[pos] += 0x40000000;
977  x->v[pos + 1] -= 1;
978  }
979  }
980 }
981 
982 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
983 static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
984  uint16_t tmp[16];
987  int i, vartime, nonzero;
988 
989  uint16_to_signed30(&x, in);
990  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
991  uint16_to_signed30(&m.modulus, mod);
992 
993  /* compute 1/modulus mod 2^30 */
994  m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
995  CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
996 
997  /* Test secp256k1_jacobi32_maybe_var. */
998  if (nonzero) {
999  int jac;
1000  uint16_t sqr[16], negone[16];
1001  mulmod256(sqr, in, in, mod);
1002  uint16_to_signed30(&x, sqr);
1003  /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1004  jac = secp256k1_jacobi32_maybe_var(&x, &m);
1005  CHECK(jac == 0 || jac == 1);
1006  /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1007  * jacobi symbols if and only if (mod % 4) == 3. */
1008  negone[0] = mod[0] - 1;
1009  for (i = 1; i < 16; ++i) negone[i] = mod[i];
1010  mulmod256(sqr, sqr, negone, mod);
1011  uint16_to_signed30(&x, sqr);
1012  jac = secp256k1_jacobi32_maybe_var(&x, &m);
1013  CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1014  }
1015 
1016  uint16_to_signed30(&x, in);
1017  mutate_sign_signed30(&m.modulus);
1018  for (vartime = 0; vartime < 2; ++vartime) {
1019  /* compute inverse */
1020  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1021 
1022  /* produce output */
1023  signed30_to_uint16(out, &x);
1024 
1025  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1026  mulmod256(tmp, out, in, mod);
1027  CHECK(tmp[0] == nonzero);
1028  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1029 
1030  /* invert again */
1031  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1032 
1033  /* check if the result is equal to the input */
1034  signed30_to_uint16(tmp, &x);
1035  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1036  }
1037 }
1038 
1039 #ifdef SECP256K1_WIDEMUL_INT128
1040 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1041 static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1042  int i;
1043  memset(out->v, 0, sizeof(out->v));
1044  for (i = 0; i < 256; ++i) {
1045  out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1046  }
1047 }
1048 
1049 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1050 static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1051  int i;
1052  memset(out, 0, 32);
1053  for (i = 0; i < 256; ++i) {
1054  out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1055  }
1056 }
1057 
1058 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1059 static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1060  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1061  int i;
1062  for (i = 0; i < 8; ++i) {
1063  int pos = secp256k1_testrand_bits(2);
1064  if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1065  x->v[pos] -= (M62 + 1);
1066  x->v[pos + 1] += 1;
1067  } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1068  x->v[pos] += (M62 + 1);
1069  x->v[pos + 1] -= 1;
1070  }
1071  }
1072 }
1073 
1074 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1075 static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1076  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1077  uint16_t tmp[16];
1080  int i, vartime, nonzero;
1081 
1082  uint16_to_signed62(&x, in);
1083  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1084  uint16_to_signed62(&m.modulus, mod);
1085 
1086  /* compute 1/modulus mod 2^62 */
1087  m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1088  CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1089 
1090  /* Test secp256k1_jacobi64_maybe_var. */
1091  if (nonzero) {
1092  int jac;
1093  uint16_t sqr[16], negone[16];
1094  mulmod256(sqr, in, in, mod);
1095  uint16_to_signed62(&x, sqr);
1096  /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1097  jac = secp256k1_jacobi64_maybe_var(&x, &m);
1098  CHECK(jac == 0 || jac == 1);
1099  /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1100  * jacobi symbols if and only if (mod % 4) == 3. */
1101  negone[0] = mod[0] - 1;
1102  for (i = 1; i < 16; ++i) negone[i] = mod[i];
1103  mulmod256(sqr, sqr, negone, mod);
1104  uint16_to_signed62(&x, sqr);
1105  jac = secp256k1_jacobi64_maybe_var(&x, &m);
1106  CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1107  }
1108 
1109  uint16_to_signed62(&x, in);
1110  mutate_sign_signed62(&m.modulus);
1111  for (vartime = 0; vartime < 2; ++vartime) {
1112  /* compute inverse */
1113  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1114 
1115  /* produce output */
1116  signed62_to_uint16(out, &x);
1117 
1118  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1119  mulmod256(tmp, out, in, mod);
1120  CHECK(tmp[0] == nonzero);
1121  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1122 
1123  /* invert again */
1124  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1125 
1126  /* check if the result is equal to the input */
1127  signed62_to_uint16(tmp, &x);
1128  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1129  }
1130 }
1131 #endif
1132 
1133 /* test if a and b are coprime */
1134 static int coprime(const uint16_t* a, const uint16_t* b) {
1135  uint16_t x[16], y[16], t[16];
1136  int i;
1137  int iszero;
1138  memcpy(x, a, 32);
1139  memcpy(y, b, 32);
1140 
1141  /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1142  while (1) {
1143  iszero = 1;
1144  for (i = 0; i < 16; ++i) {
1145  if (x[i] != 0) {
1146  iszero = 0;
1147  break;
1148  }
1149  }
1150  if (iszero) break;
1151  mulmod256(t, y, NULL, x);
1152  memcpy(y, x, 32);
1153  memcpy(x, t, 32);
1154  }
1155 
1156  /* return whether y=1 */
1157  if (y[0] != 1) return 0;
1158  for (i = 1; i < 16; ++i) {
1159  if (y[i] != 0) return 0;
1160  }
1161  return 1;
1162 }
1163 
1164 static void run_modinv_tests(void) {
1165  /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1166  static const uint16_t CASES[][3][16] = {
1167  /* Test cases triggering edge cases in divsteps */
1168 
1169  /* Test case known to need 713 divsteps */
1170  {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1171  0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1172  {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1173  0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1174  {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1175  0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1176  /* Test case known to need 589 divsteps, reaching delta=-140 and
1177  delta=141. */
1178  {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1179  0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1180  {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1181  0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1182  {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1183  0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1184  /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1185  {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1186  0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1187  {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1188  0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1189  {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1190  0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1191  /* example needing 713 divsteps; delta=-2..3 */
1192  {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1193  0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1194  {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1195  0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1196  {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1197  0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1198  /* example needing 713 divsteps; delta=-2..3 */
1199  {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1200  0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1201  {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1202  0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1203  {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1204  0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1205  /* example needing 713 divsteps; delta=-2..3 */
1206  {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1207  0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1208  {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1209  0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1210  {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1211  0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1212  /* example reaching delta=-64..65; 661 divsteps */
1213  {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1214  0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1215  {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1216  0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1217  {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1218  0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1219  /* example reaching delta=-64..65; 661 divsteps */
1220  {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1221  0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1222  {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1223  0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1224  {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1225  0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1226  /* example reaching delta=-64..65; 661 divsteps */
1227  {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1228  0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1229  {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1230  0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1231  {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1232  0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1233  /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1234  {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1235  0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1236  {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1237  0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1238  {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1239  0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1240  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1241  {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1242  0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1243  {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1244  0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1245  {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1246  0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1247  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1248  {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1249  0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1250  {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1251  0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1252  {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1253  0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1254  /* example doing 446 (f,g/2) steps; 523 divsteps */
1255  {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1256  0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1257  {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1258  0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1259  {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1260  0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1261  /* example doing 446 (f,g/2) steps; 523 divsteps */
1262  {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1263  0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1264  {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1265  0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1266  {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1267  0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1268  /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1269  {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1270  0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1271  {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1272  0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1273  {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1274  0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1275  /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1276  {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1277  0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1278  {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1279  0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1280  {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1281  0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1282  /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1283  {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1284  0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1285  {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1286  0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1287  {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1288  0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1289  /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1290  {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1291  0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1292  {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1293  0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1294  {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1295  0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1296 
1297  /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1298 
1299  /* example needing 590 divsteps; delta=-5/2..7/2 */
1300  {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1301  0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1302  {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1303  0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1304  {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1305  0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1306  /* example needing 590 divsteps; delta=-3/2..5/2 */
1307  {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1308  0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1309  {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1310  0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1311  {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1312  0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1313  /* example needing 590 divsteps; delta=-3/2..5/2 */
1314  {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1315  0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1316  {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1317  0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1318  {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1319  0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1320  /* example needing 590 divsteps; delta=-5/2..7/2 */
1321  {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1322  0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1323  {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1324  0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1325  {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1326  0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1327  /* example needing 590 divsteps; delta=-3/2..5/2 */
1328  {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1329  0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1330  {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1331  0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1332  {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1333  0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1334  /* example reaching delta=-127/2..129/2; 571 divsteps */
1335  {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1336  0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1337  {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1338  0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1339  {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1340  0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1341  /* example reaching delta=-127/2..129/2; 571 divsteps */
1342  {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1343  0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1344  {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1345  0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1346  {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1347  0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1348  /* example reaching delta=-127/2..129/2; 571 divsteps */
1349  {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1350  0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1351  {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1352  0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1353  {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1354  0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1355  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1356  {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1357  0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1358  {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1359  0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1360  {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1361  0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1362  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1363  {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1364  0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1365  {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1366  0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1367  {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1368  0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1369  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1370  {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1371  0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1372  {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1373  0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1374  {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1375  0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1376  /* example doing 453 (f,g/2) steps; 514 divsteps */
1377  {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1378  0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1379  {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1380  0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1381  {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1382  0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1383  /* example doing 453 (f,g/2) steps; 514 divsteps */
1384  {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1385  0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1386  {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1387  0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1388  {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1389  0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1390  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1391  {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1392  0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1393  {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1394  0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1395  {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1396  0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1397  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1398  {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1399  0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1400  {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1401  0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1402  {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1403  0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1404  /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1405  {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1406  0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1407  {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1408  0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1409  {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1410  0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1411  /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1412  {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1413  0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1414  {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1415  0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1416  {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1417  0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1418 
1419  /* Test cases with the group order as modulus. */
1420 
1421  /* Test case with the group order as modulus, needing 635 divsteps. */
1422  {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1423  0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1424  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1425  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1426  {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1427  0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1428  /* example with group size as modulus needing 631 divsteps */
1429  {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1430  0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1431  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1432  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1433  {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1434  0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1435  /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1436  {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1437  0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1438  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1439  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1440  {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1441  0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1442  /* Test case with the group size as modulus, needing 981 divsteps with
1443  broken eta handling. */
1444  {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1445  0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1446  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1447  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1448  {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1449  0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1450  /* Test case with the group size as modulus, input = 0. */
1451  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1452  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1453  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1454  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1455  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1456  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1457  /* Test case with the group size as modulus, input = 1. */
1458  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1459  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1460  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1461  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1462  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1463  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1464  /* Test case with the group size as modulus, input = 2. */
1465  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1466  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1467  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1468  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1469  {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1470  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1471  /* Test case with the group size as modulus, input = group - 1. */
1472  {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1473  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1474  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1475  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1476  {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1477  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1478 
1479  /* Test cases with the field size as modulus. */
1480 
1481  /* Test case with the field size as modulus, needing 637 divsteps. */
1482  {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1483  0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1484  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1485  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1486  {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1487  0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1488  /* example with field size as modulus needing 637 divsteps */
1489  {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1490  0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1491  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1492  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1493  {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1494  0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1495  /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1496  {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1497  0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1498  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1499  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1500  {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1501  0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1502  /* Test case with the field size as modulus, needing 935 divsteps with
1503  broken eta handling. */
1504  {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1505  0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1506  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1507  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1508  {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1509  0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1510  /* Test case with the field size as modulus, input = 0. */
1511  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1512  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1513  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1514  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1515  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1516  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1517  /* Test case with the field size as modulus, input = 1. */
1518  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1519  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1520  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1521  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1522  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1523  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1524  /* Test case with the field size as modulus, input = 2. */
1525  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1526  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1527  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1528  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1529  {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1530  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1531  /* Test case with the field size as modulus, input = field - 1. */
1532  {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1533  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1534  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1535  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1536  {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1537  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1538 
1539  /* Selected from a large number of random inputs to reach small/large
1540  * d/e values in various configurations. */
1541  {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1542  0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1543  {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1544  0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1545  {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1546  0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1547  {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1548  0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1549  {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1550  0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1551  {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1552  0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1553  {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1554  0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1555  {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1556  0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1557  {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1558  0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1559  {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1560  0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1561  {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1562  0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1563  {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1564  0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1565  {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1566  0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1567  {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1568  0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1569  {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1570  0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1571  {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1572  0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1573  {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1574  0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1575  {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1576  0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1577  {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1578  0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1579  {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1580  0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1581  {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1582  0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1583  {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1584  0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1585  {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1586  0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1587  {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1588  0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1589  {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1590  0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1591  {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1592  0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1593  {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1594  0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1595  {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1596  0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1597  {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1598  0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1599  {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1600  0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1601  {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1602  0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1603  {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1604  0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1605  {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1606  0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1607  {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1608  0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1609  {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1610  0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1611  {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1612  0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1613  {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1614  0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1615  {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1616  0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1617  {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1618  0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1619  {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1620  0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1621  {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1622  0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1623  {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1624  0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1625  {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1626  0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1627  {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1628  0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1629  {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1630  0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1631  {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1632  0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1633  {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1634  0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1635  {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1636  0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1637  {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1638  0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1639  {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1640  0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1641  {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1642  0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1643  {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1644  0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1645  {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1646  0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1647  {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1648  0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1649  {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1650  0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1651  {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1652  0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1653  {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1654  0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1655  {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1656  0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1657  {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1658  0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1659  {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1660  0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1661  {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1662  0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1663  {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1664  0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1665  {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1666  0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1667  {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1668  0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1669  {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1670  0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1671  {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1672  0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1673  {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1674  0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1675  {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1676  0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1677  {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1678  0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1679  {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1680  0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1681  {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1682  0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1683  {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1684  0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1685  {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1686  0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1687  {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1688  0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1689  {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1690  0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1691  {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1692  0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1693  {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1694  0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1695  {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1696  0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1697  {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1698  0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1699  {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1700  0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1701  {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1702  0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1703  {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1704  0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1705  {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1706  0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1707  {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1708  0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1709  {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1710  0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1711  {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1712  0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1713  {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1714  0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1715  {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1716  0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1717  {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1718  0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1719  {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1720  0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1721  {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1722  0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1723  {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1724  0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1725  {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1726  0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1727  {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1728  0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1729  {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1730  0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1731  {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1732  0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1733  {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1734  0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1735  {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1736  0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1737  {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1738  0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1739  {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1740  0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1741  {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1742  0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1743  {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1744  0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1745  {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1746  0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1747  {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1748  0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1749  {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1750  0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1751  };
1752 
1753  int i, j, ok;
1754 
1755  /* Test known inputs/outputs */
1756  for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1757  uint16_t out[16];
1758  test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1759  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1760 #ifdef SECP256K1_WIDEMUL_INT128
1761  test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1762  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1763 #endif
1764  }
1765 
1766  for (i = 0; i < 100 * COUNT; ++i) {
1767  /* 256-bit numbers in 16-uint16_t's notation */
1768  static const uint16_t ZERO[16] = {0};
1769  uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1770  uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1771  uint16_t id[16]; /* the inverse of xd mod md */
1772 
1773  /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1774  do {
1775  /* generate random xd and md (with many subsequent 0s and 1s) */
1776  secp256k1_testrand256_test((unsigned char*)xd);
1777  secp256k1_testrand256_test((unsigned char*)md);
1778  md[0] |= 1; /* modulus must be odd */
1779  /* If modulus is 1, find another one. */
1780  ok = md[0] != 1;
1781  for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1782  mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1783  } while (!(ok && coprime(xd, md)));
1784 
1785  test_modinv32_uint16(id, xd, md);
1786 #ifdef SECP256K1_WIDEMUL_INT128
1787  test_modinv64_uint16(id, xd, md);
1788 #endif
1789 
1790  /* In a few cases, also test with input=0 */
1791  if (i < COUNT) {
1792  test_modinv32_uint16(id, ZERO, md);
1793 #ifdef SECP256K1_WIDEMUL_INT128
1794  test_modinv64_uint16(id, ZERO, md);
1795 #endif
1796  }
1797  }
1798 }
1799 
1800 /***** INT128 TESTS *****/
1801 
1802 #ifdef SECP256K1_WIDEMUL_INT128
1803 /* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1804 static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1805  int i;
1806  uint32_t carry = 0;
1807  for (i = 0; i < 16; ++i) {
1808  carry += a[i];
1809  carry += b[i];
1810  out[i] = carry;
1811  carry >>= 16;
1812  }
1813 }
1814 
1815 /* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1816 static void neg256(uint16_t* out, const uint16_t* a) {
1817  int i;
1818  uint32_t carry = 1;
1819  for (i = 0; i < 16; ++i) {
1820  carry += (uint16_t)~a[i];
1821  out[i] = carry;
1822  carry >>= 16;
1823  }
1824 }
1825 
1826 /* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1827 static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1828  uint16_t sign = sign_extend && (a[15] >> 15);
1829  int i, j;
1830  for (i = 15; i >= 0; --i) {
1831  uint16_t v = 0;
1832  for (j = 0; j < 16; ++j) {
1833  int frompos = i*16 + j + n;
1834  if (frompos >= 256) {
1835  v |= sign << j;
1836  } else {
1837  v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1838  }
1839  }
1840  out[i] = v;
1841  }
1842 }
1843 
1844 /* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1845 static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1846  int i;
1847  uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1848  for (i = 0; i < 4; ++i) {
1849  out[i] = v >> (16 * i);
1850  }
1851  for (i = 4; i < 16; ++i) {
1852  out[i] = sign;
1853  }
1854 }
1855 
1856 /* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1857 static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1858  int i;
1859  uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1860  for (i = 0; i < 4; ++i) {
1861  out[i] = lo >> (16 * i);
1862  }
1863  for (i = 4; i < 8; ++i) {
1864  out[i] = hi >> (16 * (i - 4));
1865  }
1866  for (i = 8; i < 16; ++i) {
1867  out[i] = sign;
1868  }
1869 }
1870 
1871 /* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1872 static int int256is127(const uint16_t* v) {
1873  int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1874  int i;
1875  for (i = 8; i < 16; ++i) {
1876  if (v[i] != 0) all_0 = 0;
1877  if (v[i] != 0xffff) all_1 = 0;
1878  }
1879  return all_0 || all_1;
1880 }
1881 
1882 static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1883  uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1884  load256two64(out, hi, lo, 0);
1885 }
1886 
1887 static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1888  uint64_t lo;
1889  int64_t hi;
1890  secp256k1_int128 c = *v;
1891  lo = secp256k1_i128_to_u64(&c);
1892  secp256k1_i128_rshift(&c, 64);
1893  hi = secp256k1_i128_to_i64(&c);
1894  load256two64(out, hi, lo, 1);
1895 }
1896 
1897 static void run_int128_test_case(void) {
1898  unsigned char buf[32];
1899  uint64_t v[4];
1900  secp256k1_int128 swa, swz;
1901  secp256k1_uint128 uwa, uwz;
1902  uint64_t ub, uc;
1903  int64_t sb, sc;
1904  uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1905  uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1906  int i;
1907 
1908  /* Generate 32-byte random value. */
1910  /* Convert into 4 64-bit integers. */
1911  for (i = 0; i < 4; ++i) {
1912  uint64_t vi = 0;
1913  int j;
1914  for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1915  v[i] = vi;
1916  }
1917  /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1918  secp256k1_u128_load(&uwa, v[1], v[0]);
1919  secp256k1_i128_load(&swa, v[1], v[0]);
1920  ub = v[2];
1921  sb = v[2];
1922  uc = v[3];
1923  sc = v[3];
1924  /* Load those also into 16-bit array representations. */
1925  load256u128(ruwa, &uwa);
1926  load256i128(rswa, &swa);
1927  load256u64(rub, ub, 0);
1928  load256u64(rsb, sb, 1);
1929  load256u64(ruc, uc, 0);
1930  load256u64(rsc, sc, 1);
1931  /* test secp256k1_u128_mul */
1932  mulmod256(ruwr, rub, ruc, NULL);
1933  secp256k1_u128_mul(&uwz, ub, uc);
1934  load256u128(ruwz, &uwz);
1935  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1936  /* test secp256k1_u128_accum_mul */
1937  mulmod256(ruwr, rub, ruc, NULL);
1938  add256(ruwr, ruwr, ruwa);
1939  uwz = uwa;
1940  secp256k1_u128_accum_mul(&uwz, ub, uc);
1941  load256u128(ruwz, &uwz);
1942  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1943  /* test secp256k1_u128_accum_u64 */
1944  add256(ruwr, rub, ruwa);
1945  uwz = uwa;
1946  secp256k1_u128_accum_u64(&uwz, ub);
1947  load256u128(ruwz, &uwz);
1948  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1949  /* test secp256k1_u128_rshift */
1950  rshift256(ruwr, ruwa, uc % 128, 0);
1951  uwz = uwa;
1952  secp256k1_u128_rshift(&uwz, uc % 128);
1953  load256u128(ruwz, &uwz);
1954  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1955  /* test secp256k1_u128_to_u64 */
1956  CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1957  /* test secp256k1_u128_hi_u64 */
1958  CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1959  /* test secp256k1_u128_from_u64 */
1960  secp256k1_u128_from_u64(&uwz, ub);
1961  load256u128(ruwz, &uwz);
1962  CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1963  /* test secp256k1_u128_check_bits */
1964  {
1965  int uwa_bits = 0;
1966  int j;
1967  for (j = 0; j < 128; ++j) {
1968  if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
1969  }
1970  for (j = 0; j < 128; ++j) {
1971  CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
1972  }
1973  }
1974  /* test secp256k1_i128_mul */
1975  mulmod256(rswr, rsb, rsc, NULL);
1976  secp256k1_i128_mul(&swz, sb, sc);
1977  load256i128(rswz, &swz);
1978  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1979  /* test secp256k1_i128_accum_mul */
1980  mulmod256(rswr, rsb, rsc, NULL);
1981  add256(rswr, rswr, rswa);
1982  if (int256is127(rswr)) {
1983  swz = swa;
1984  secp256k1_i128_accum_mul(&swz, sb, sc);
1985  load256i128(rswz, &swz);
1986  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1987  }
1988  /* test secp256k1_i128_det */
1989  {
1990  uint16_t rsd[16], rse[16], rst[32];
1991  int64_t sd = v[0], se = v[1];
1992  load256u64(rsd, sd, 1);
1993  load256u64(rse, se, 1);
1994  mulmod256(rst, rsc, rsd, NULL);
1995  neg256(rst, rst);
1996  mulmod256(rswr, rsb, rse, NULL);
1997  add256(rswr, rswr, rst);
1998  secp256k1_i128_det(&swz, sb, sc, sd, se);
1999  load256i128(rswz, &swz);
2000  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2001  }
2002  /* test secp256k1_i128_rshift */
2003  rshift256(rswr, rswa, uc % 127, 1);
2004  swz = swa;
2005  secp256k1_i128_rshift(&swz, uc % 127);
2006  load256i128(rswz, &swz);
2007  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2008  /* test secp256k1_i128_to_u64 */
2009  CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
2010  /* test secp256k1_i128_from_i64 */
2011  secp256k1_i128_from_i64(&swz, sb);
2012  load256i128(rswz, &swz);
2013  CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
2014  /* test secp256k1_i128_to_i64 */
2015  CHECK(secp256k1_i128_to_i64(&swz) == sb);
2016  /* test secp256k1_i128_eq_var */
2017  {
2018  int expect = (uc & 1);
2019  swz = swa;
2020  if (!expect) {
2021  /* Make sure swz != swa */
2022  uint64_t v0c = v[0], v1c = v[1];
2023  if (ub & 64) {
2024  v1c ^= (((uint64_t)1) << (ub & 63));
2025  } else {
2026  v0c ^= (((uint64_t)1) << (ub & 63));
2027  }
2028  secp256k1_i128_load(&swz, v1c, v0c);
2029  }
2030  CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
2031  }
2032  /* test secp256k1_i128_check_pow2 (sign == 1) */
2033  {
2034  int expect = (uc & 1);
2035  int pos = ub % 127;
2036  if (expect) {
2037  /* If expect==1, set swz to exactly 2^pos. */
2038  uint64_t hi = 0;
2039  uint64_t lo = 0;
2040  if (pos >= 64) {
2041  hi = (((uint64_t)1) << (pos & 63));
2042  } else {
2043  lo = (((uint64_t)1) << (pos & 63));
2044  }
2045  secp256k1_i128_load(&swz, hi, lo);
2046  } else {
2047  /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
2048  if (pos >= 64) {
2049  if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
2050  } else {
2051  if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
2052  }
2053  swz = swa;
2054  }
2055  CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
2056  }
2057  /* test secp256k1_i128_check_pow2 (sign == -1) */
2058  {
2059  int expect = (uc & 1);
2060  int pos = ub % 127;
2061  if (expect) {
2062  /* If expect==1, set swz to exactly -2^pos. */
2063  uint64_t hi = ~(uint64_t)0;
2064  uint64_t lo = ~(uint64_t)0;
2065  if (pos >= 64) {
2066  hi <<= (pos & 63);
2067  lo = 0;
2068  } else {
2069  lo <<= (pos & 63);
2070  }
2071  secp256k1_i128_load(&swz, hi, lo);
2072  } else {
2073  /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
2074  if (pos >= 64) {
2075  if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
2076  } else {
2077  if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
2078  }
2079  swz = swa;
2080  }
2081  CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
2082  }
2083 }
2084 
2085 static void run_int128_tests(void) {
2086  { /* secp256k1_u128_accum_mul */
2087  secp256k1_uint128 res;
2088 
2089  /* Check secp256k1_u128_accum_mul overflow */
2090  secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
2091  secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
2092  CHECK(secp256k1_u128_to_u64(&res) == 2);
2093  CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
2094  }
2095  { /* secp256k1_u128_accum_mul */
2096  secp256k1_int128 res;
2097 
2098  /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
2099  secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
2100  secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
2101  CHECK(secp256k1_i128_to_u64(&res) == 2);
2102  secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
2103  secp256k1_i128_accum_mul(&res, 1, 1);
2104  CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2105  secp256k1_i128_rshift(&res, 64);
2106  CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2107 
2108  /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2109  secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2110  CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2111  secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2112  CHECK(secp256k1_i128_to_u64(&res) == 0);
2113  secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2114  CHECK(secp256k1_i128_to_u64(&res) == 0);
2115  secp256k1_i128_rshift(&res, 64);
2116  CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2117  }
2118  {
2119  /* Randomized tests. */
2120  int i;
2121  for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2122  }
2123 }
2124 #endif
2125 
2126 /***** SCALAR TESTS *****/
2127 
2128 static void scalar_test(void) {
2129  secp256k1_scalar s;
2130  secp256k1_scalar s1;
2131  secp256k1_scalar s2;
2132  unsigned char c[32];
2133 
2134  /* Set 's' to a random scalar, with value 'snum'. */
2136 
2137  /* Set 's1' to a random scalar, with value 's1num'. */
2139 
2140  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2142  secp256k1_scalar_get_b32(c, &s2);
2143 
2144  {
2145  int i;
2146  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2147  secp256k1_scalar n;
2148  secp256k1_scalar_set_int(&n, 0);
2149  for (i = 0; i < 256; i += 4) {
2151  int j;
2152  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
2153  for (j = 0; j < 4; j++) {
2154  secp256k1_scalar_add(&n, &n, &n);
2155  }
2156  secp256k1_scalar_add(&n, &n, &t);
2157  }
2158  CHECK(secp256k1_scalar_eq(&n, &s));
2159  }
2160 
2161  {
2162  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2163  secp256k1_scalar n;
2164  int i = 0;
2165  secp256k1_scalar_set_int(&n, 0);
2166  while (i < 256) {
2168  int j;
2169  int now = secp256k1_testrand_int(15) + 1;
2170  if (now + i > 256) {
2171  now = 256 - i;
2172  }
2173  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
2174  for (j = 0; j < now; j++) {
2175  secp256k1_scalar_add(&n, &n, &n);
2176  }
2177  secp256k1_scalar_add(&n, &n, &t);
2178  i += now;
2179  }
2180  CHECK(secp256k1_scalar_eq(&n, &s));
2181  }
2182 
2183  {
2184  /* Test commutativity of add. */
2185  secp256k1_scalar r1, r2;
2186  secp256k1_scalar_add(&r1, &s1, &s2);
2187  secp256k1_scalar_add(&r2, &s2, &s1);
2188  CHECK(secp256k1_scalar_eq(&r1, &r2));
2189  }
2190 
2191  {
2192  secp256k1_scalar r1, r2;
2193  secp256k1_scalar b;
2194  int i;
2195  /* Test add_bit. */
2196  int bit = secp256k1_testrand_bits(8);
2197  secp256k1_scalar_set_int(&b, 1);
2199  for (i = 0; i < bit; i++) {
2200  secp256k1_scalar_add(&b, &b, &b);
2201  }
2202  r1 = s1;
2203  r2 = s1;
2204  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2205  /* No overflow happened. */
2206  secp256k1_scalar_cadd_bit(&r2, bit, 1);
2207  CHECK(secp256k1_scalar_eq(&r1, &r2));
2208  /* cadd is a noop when flag is zero */
2209  secp256k1_scalar_cadd_bit(&r2, bit, 0);
2210  CHECK(secp256k1_scalar_eq(&r1, &r2));
2211  }
2212  }
2213 
2214  {
2215  /* Test commutativity of mul. */
2216  secp256k1_scalar r1, r2;
2217  secp256k1_scalar_mul(&r1, &s1, &s2);
2218  secp256k1_scalar_mul(&r2, &s2, &s1);
2219  CHECK(secp256k1_scalar_eq(&r1, &r2));
2220  }
2221 
2222  {
2223  /* Test associativity of add. */
2224  secp256k1_scalar r1, r2;
2225  secp256k1_scalar_add(&r1, &s1, &s2);
2226  secp256k1_scalar_add(&r1, &r1, &s);
2227  secp256k1_scalar_add(&r2, &s2, &s);
2228  secp256k1_scalar_add(&r2, &s1, &r2);
2229  CHECK(secp256k1_scalar_eq(&r1, &r2));
2230  }
2231 
2232  {
2233  /* Test associativity of mul. */
2234  secp256k1_scalar r1, r2;
2235  secp256k1_scalar_mul(&r1, &s1, &s2);
2236  secp256k1_scalar_mul(&r1, &r1, &s);
2237  secp256k1_scalar_mul(&r2, &s2, &s);
2238  secp256k1_scalar_mul(&r2, &s1, &r2);
2239  CHECK(secp256k1_scalar_eq(&r1, &r2));
2240  }
2241 
2242  {
2243  /* Test distributitivity of mul over add. */
2244  secp256k1_scalar r1, r2, t;
2245  secp256k1_scalar_add(&r1, &s1, &s2);
2246  secp256k1_scalar_mul(&r1, &r1, &s);
2247  secp256k1_scalar_mul(&r2, &s1, &s);
2248  secp256k1_scalar_mul(&t, &s2, &s);
2249  secp256k1_scalar_add(&r2, &r2, &t);
2250  CHECK(secp256k1_scalar_eq(&r1, &r2));
2251  }
2252 
2253  {
2254  /* Test multiplicative identity. */
2255  secp256k1_scalar r1;
2257  CHECK(secp256k1_scalar_eq(&r1, &s1));
2258  }
2259 
2260  {
2261  /* Test additive identity. */
2262  secp256k1_scalar r1;
2264  CHECK(secp256k1_scalar_eq(&r1, &s1));
2265  }
2266 
2267  {
2268  /* Test zero product property. */
2269  secp256k1_scalar r1;
2272  }
2273 
2274  {
2275  /* Test halving. */
2276  secp256k1_scalar r;
2277  secp256k1_scalar_add(&r, &s, &s);
2278  secp256k1_scalar_half(&r, &r);
2279  CHECK(secp256k1_scalar_eq(&r, &s));
2280  }
2281 }
2282 
2284  unsigned char b32[32];
2285  secp256k1_scalar s1;
2286  secp256k1_scalar s2;
2287 
2288  /* Usually set_b32 and set_b32_seckey give the same result */
2290  secp256k1_scalar_set_b32(&s1, b32, NULL);
2291  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2292  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2293 
2294  memset(b32, 0, sizeof(b32));
2295  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2296  memset(b32, 0xFF, sizeof(b32));
2297  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2298 }
2299 
2300 static void run_scalar_tests(void) {
2301  int i;
2302  for (i = 0; i < 128 * COUNT; i++) {
2303  scalar_test();
2304  }
2305  for (i = 0; i < COUNT; i++) {
2307  }
2308 
2309  {
2310  /* Check that the scalar constants secp256k1_scalar_zero and
2311  secp256k1_scalar_one contain the expected values. */
2312  secp256k1_scalar zero, one;
2313 
2315  secp256k1_scalar_set_int(&zero, 0);
2317 
2319  secp256k1_scalar_set_int(&one, 1);
2321  }
2322 
2323  {
2324  /* (-1)+1 should be zero. */
2325  secp256k1_scalar o;
2329  secp256k1_scalar_negate(&o, &o);
2331  }
2332 
2333  {
2334  /* Test that halving and doubling roundtrips on some fixed values. */
2335  static const secp256k1_scalar HALF_TESTS[] = {
2336  /* 0 */
2337  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2338  /* 1 */
2339  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2340  /* -1 */
2341  SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul),
2342  /* -2 (largest odd value) */
2343  SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful),
2344  /* Half the secp256k1 order */
2345  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul),
2346  /* Half the secp256k1 order + 1 */
2347  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul),
2348  /* 2^255 */
2349  SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0),
2350  /* 2^255 - 1 */
2351  SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful),
2352  };
2353  unsigned n;
2354  for (n = 0; n < sizeof(HALF_TESTS) / sizeof(HALF_TESTS[0]); ++n) {
2355  secp256k1_scalar s;
2356  secp256k1_scalar_half(&s, &HALF_TESTS[n]);
2357  secp256k1_scalar_add(&s, &s, &s);
2358  CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2359  secp256k1_scalar_add(&s, &s, &s);
2360  secp256k1_scalar_half(&s, &s);
2361  CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2362  }
2363  }
2364 
2365  {
2366  /* Does check_overflow check catch all ones? */
2367  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2368  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2369  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2370  );
2371  CHECK(secp256k1_scalar_check_overflow(&overflowed));
2372  }
2373 
2374  {
2375  /* Static test vectors.
2376  * These were reduced from ~10^12 random vectors based on comparison-decision
2377  * and edge-case coverage on 32-bit and 64-bit implementations.
2378  * The responses were generated with Sage 5.9.
2379  */
2380  secp256k1_scalar x;
2381  secp256k1_scalar y;
2382  secp256k1_scalar z;
2383  secp256k1_scalar zz;
2384  secp256k1_scalar r1;
2385  secp256k1_scalar r2;
2386  secp256k1_scalar zzv;
2387  int overflow;
2388  unsigned char chal[33][2][32] = {
2389  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2390  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2391  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2392  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2393  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2394  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2395  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2396  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2397  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2398  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2399  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2400  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2401  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2402  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2403  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2404  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2405  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2406  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2407  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2408  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2409  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2410  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2411  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2412  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2413  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2414  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2415  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2416  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2417  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2418  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2419  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2420  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2421  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2422  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2423  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2424  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2425  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2426  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2427  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2428  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2429  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2430  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2431  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2432  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2433  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2434  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2435  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2436  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2437  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2438  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2439  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2440  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2441  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2442  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2443  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2444  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2445  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2446  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2447  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2448  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2449  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2450  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2451  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2452  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2453  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2454  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2455  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2456  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2457  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2458  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2459  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2460  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2461  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2462  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2463  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2464  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2465  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2466  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2467  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2468  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2469  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2470  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2471  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2472  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2473  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2474  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2475  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2476  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2477  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2478  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2479  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2480  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2481  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2482  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2483  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2484  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2485  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2486  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2487  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2488  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2489  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2490  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2491  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2492  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2493  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2494  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2495  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2496  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2497  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2498  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2499  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2500  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2501  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2502  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2503  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2504  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2505  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2506  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2507  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2508  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2509  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2510  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2511  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2512  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2513  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2514  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2515  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2516  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2517  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2518  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2519  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2520  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2521  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2522  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2523  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2524  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2525  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2526  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2527  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2528  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2529  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2530  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2531  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2532  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2533  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2534  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2535  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2536  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2537  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2538  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2539  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2540  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2541  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2542  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2543  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2544  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2545  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2546  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2547  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2548  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2549  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2550  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2551  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2552  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2553  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2554  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2555  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2556  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2557  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2558  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2559  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2560  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2561  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2562  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2563  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2564  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2565  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2566  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2567  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2568  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2569  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2570  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2571  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2572  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2573  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2574  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2575  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2576  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2577  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2578  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2579  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2580  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2581  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2582  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2583  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2584  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2585  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2586  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2587  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2588  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2589  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2590  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2591  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2592  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2593  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2594  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2595  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2596  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2597  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2598  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2599  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2600  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2601  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2602  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2603  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2604  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2605  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2606  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2607  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2608  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2609  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2610  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2611  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2612  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2613  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2614  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2615  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2616  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2617  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2618  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2619  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2620  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2621  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2622  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2623  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2624  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2625  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2626  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2627  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2628  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2629  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2630  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2631  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2632  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2633  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2634  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2635  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2636  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2637  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2638  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2639  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2640  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2641  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2642  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2643  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2644  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2645  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2646  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2647  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2648  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2649  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2650  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2651  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2652  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2653  };
2654  unsigned char res[33][2][32] = {
2655  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2656  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2657  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2658  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2659  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2660  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2661  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2662  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2663  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2664  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2665  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2666  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2667  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2668  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2669  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2670  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2671  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2672  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2673  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2674  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2675  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2676  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2677  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2678  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2679  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2680  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2681  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2682  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2683  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2684  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2685  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2686  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2687  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2688  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2689  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2690  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2691  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2692  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2693  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2694  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2695  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2696  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2697  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2698  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2699  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2700  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2701  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2702  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2703  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2704  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2705  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2706  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2707  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2708  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2709  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2710  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2711  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2712  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2713  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2714  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2715  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2716  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2717  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2718  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2719  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2720  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2721  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2722  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2723  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2724  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2725  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2726  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2727  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2728  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2729  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2730  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2731  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2732  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2733  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2734  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2735  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2736  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2737  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2738  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2739  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2740  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2741  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2742  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2743  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2744  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2745  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2746  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2747  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2748  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2749  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2750  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2751  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2752  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2753  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2754  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2755  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2756  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2757  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2758  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2759  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2760  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2761  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2762  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2763  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2764  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2765  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2766  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2767  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2768  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2769  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2770  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2771  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2772  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2773  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2774  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2775  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2776  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2777  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2778  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2779  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2780  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2781  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2782  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2783  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2784  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2785  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2786  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2787  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2788  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2789  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2790  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2791  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2792  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2793  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2794  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2795  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2796  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2797  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2798  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2799  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2800  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2801  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2802  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2803  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2804  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2805  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2806  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2807  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2808  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2809  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2810  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2811  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2812  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2813  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2814  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2815  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2816  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2817  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2818  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2819  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2820  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2821  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2822  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2823  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2824  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2825  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2826  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2827  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2828  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2829  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2830  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2831  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2832  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2833  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2834  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2835  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2836  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2837  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2838  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2839  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2840  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2841  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2842  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2843  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2844  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2845  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2846  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2847  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2848  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2849  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2850  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2851  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2852  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2853  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2854  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2855  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2856  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2857  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2858  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2859  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2860  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2861  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2862  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2863  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2864  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2865  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2866  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2867  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2868  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2869  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2870  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2871  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2872  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2873  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2874  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2875  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2876  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2877  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2878  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2879  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2880  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2881  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2882  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2883  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2884  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2885  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2886  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2887  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2888  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2889  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2890  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2891  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2892  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2893  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2894  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2895  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2896  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2897  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2898  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2899  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2900  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2901  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2902  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2903  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2904  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2905  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2906  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2907  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2908  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2909  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2910  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2911  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2912  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2913  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2914  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2915  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2916  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2917  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2918  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2919  };
2920  for (i = 0; i < 33; i++) {
2921  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2922  CHECK(!overflow);
2923  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2924  CHECK(!overflow);
2925  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2926  CHECK(!overflow);
2927  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2928  CHECK(!overflow);
2929  secp256k1_scalar_mul(&z, &x, &y);
2931  CHECK(secp256k1_scalar_eq(&r1, &z));
2932  if (!secp256k1_scalar_is_zero(&y)) {
2933  secp256k1_scalar_inverse(&zz, &y);
2935  secp256k1_scalar_inverse_var(&zzv, &y);
2936  CHECK(secp256k1_scalar_eq(&zzv, &zz));
2937  secp256k1_scalar_mul(&z, &z, &zz);
2939  CHECK(secp256k1_scalar_eq(&x, &z));
2940  secp256k1_scalar_mul(&zz, &zz, &y);
2943  }
2944  }
2945  }
2946 }
2947 
2948 /***** FIELD TESTS *****/
2949 
2951  secp256k1_fe r;
2952  random_fe_non_zero(ns);
2953  if (secp256k1_fe_sqrt(&r, ns)) {
2954  secp256k1_fe_negate(ns, ns, 1);
2955  }
2956 }
2957 
2958 static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2959  secp256k1_fe an = *a;
2960  secp256k1_fe bn = *b;
2962  return secp256k1_fe_equal(&an, &bn);
2963 }
2964 
2965 static void run_field_convert(void) {
2966  static const unsigned char b32[32] = {
2967  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2968  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2969  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2970  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2971  };
2973  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2974  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2975  );
2976  static const secp256k1_fe fe = SECP256K1_FE_CONST(
2977  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2978  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2979  );
2980  secp256k1_fe fe2;
2981  unsigned char b322[32];
2982  secp256k1_fe_storage fes2;
2983  /* Check conversions to fe. */
2984  CHECK(secp256k1_fe_set_b32_limit(&fe2, b32));
2985  CHECK(secp256k1_fe_equal(&fe, &fe2));
2986  secp256k1_fe_from_storage(&fe2, &fes);
2987  CHECK(secp256k1_fe_equal(&fe, &fe2));
2988  /* Check conversion from fe. */
2989  secp256k1_fe_get_b32(b322, &fe);
2990  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2991  secp256k1_fe_to_storage(&fes2, &fe);
2992  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2993 }
2994 
2995 static void run_field_be32_overflow(void) {
2996  {
2997  static const unsigned char zero_overflow[32] = {
2998  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2999  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3000  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3001  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
3002  };
3003  static const unsigned char zero[32] = { 0x00 };
3004  unsigned char out[32];
3005  secp256k1_fe fe;
3006  CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
3007  secp256k1_fe_set_b32_mod(&fe, zero_overflow);
3010  CHECK(secp256k1_fe_is_zero(&fe) == 1);
3011  secp256k1_fe_get_b32(out, &fe);
3012  CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
3013  }
3014  {
3015  static const unsigned char one_overflow[32] = {
3016  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3017  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3018  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3019  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
3020  };
3021  static const unsigned char one[32] = {
3022  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3023  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3024  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3025  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3026  };
3027  unsigned char out[32];
3028  secp256k1_fe fe;
3029  CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
3030  secp256k1_fe_set_b32_mod(&fe, one_overflow);
3033  secp256k1_fe_get_b32(out, &fe);
3034  CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
3035  }
3036  {
3037  static const unsigned char ff_overflow[32] = {
3038  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3039  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3040  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3041  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3042  };
3043  static const unsigned char ff[32] = {
3044  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3045  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3046  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3047  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
3048  };
3049  unsigned char out[32];
3050  secp256k1_fe fe;
3051  const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
3052  CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
3053  secp256k1_fe_set_b32_mod(&fe, ff_overflow);
3055  CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
3056  secp256k1_fe_get_b32(out, &fe);
3057  CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
3058  }
3059 }
3060 
3061 /* Returns true if two field elements have the same representation. */
3062 static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
3063  int ret = 1;
3064  /* Compare the struct member that holds the limbs. */
3065  ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
3066  return ret;
3067 }
3068 
3069 static void run_field_half(void) {
3070  secp256k1_fe t, u;
3071  int m;
3072 
3073  /* Check magnitude 0 input */
3075  secp256k1_fe_half(&t);
3076 #ifdef VERIFY
3077  CHECK(t.magnitude == 1);
3078  CHECK(t.normalized == 0);
3079 #endif
3081 
3082  /* Check non-zero magnitudes in the supported range */
3083  for (m = 1; m < 32; m++) {
3084  /* Check max-value input */
3086 
3087  u = t;
3088  secp256k1_fe_half(&u);
3089 #ifdef VERIFY
3090  CHECK(u.magnitude == (m >> 1) + 1);
3091  CHECK(u.normalized == 0);
3092 #endif
3094  secp256k1_fe_add(&u, &u);
3095  CHECK(check_fe_equal(&t, &u));
3096 
3097  /* Check worst-case input: ensure the LSB is 1 so that P will be added,
3098  * which will also cause all carries to be 1, since all limbs that can
3099  * generate a carry are initially even and all limbs of P are odd in
3100  * every existing field implementation. */
3102  CHECK(t.n[0] > 0);
3103  CHECK((t.n[0] & 1) == 0);
3104  --t.n[0];
3105 
3106  u = t;
3107  secp256k1_fe_half(&u);
3108 #ifdef VERIFY
3109  CHECK(u.magnitude == (m >> 1) + 1);
3110  CHECK(u.normalized == 0);
3111 #endif
3113  secp256k1_fe_add(&u, &u);
3114  CHECK(check_fe_equal(&t, &u));
3115  }
3116 }
3117 
3118 static void run_field_misc(void) {
3119  secp256k1_fe x;
3120  secp256k1_fe y;
3121  secp256k1_fe z;
3122  secp256k1_fe q;
3123  int v;
3124  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3125  int i, j;
3126  for (i = 0; i < 1000 * COUNT; i++) {
3127  secp256k1_fe_storage xs, ys, zs;
3128  if (i & 1) {
3129  random_fe(&x);
3130  } else {
3131  random_fe_test(&x);
3132  }
3133  random_fe_non_zero(&y);
3134  v = secp256k1_testrand_bits(15);
3135  /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3136  secp256k1_fe_set_int(&q, v); /* q = v */
3137  z = x; /* z = x */
3138  secp256k1_fe_add(&z, &q); /* z = x+v */
3139  q = x; /* q = x */
3140  secp256k1_fe_add_int(&q, v); /* q = x+v */
3141  CHECK(check_fe_equal(&q, &z));
3142  /* Test the fe equality and comparison operations. */
3143  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3144  CHECK(secp256k1_fe_equal(&x, &x));
3145  z = x;
3146  secp256k1_fe_add(&z,&y);
3147  /* Test fe conditional move; z is not normalized here. */
3148  q = x;
3149  secp256k1_fe_cmov(&x, &z, 0);
3150 #ifdef VERIFY
3151  CHECK(!x.normalized);
3152  CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3153  CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3154 #endif
3155  x = q;
3156  secp256k1_fe_cmov(&x, &x, 1);
3157  CHECK(!fe_identical(&x, &z));
3158  CHECK(fe_identical(&x, &q));
3159  secp256k1_fe_cmov(&q, &z, 1);
3160 #ifdef VERIFY
3161  CHECK(!q.normalized);
3162  CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3163  CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3164 #endif
3165  CHECK(fe_identical(&q, &z));
3166  q = z;
3169  CHECK(!secp256k1_fe_equal(&x, &z));
3171  secp256k1_fe_cmov(&q, &z, (i&1));
3172 #ifdef VERIFY
3173  CHECK(q.normalized && q.magnitude == 1);
3174 #endif
3175  for (j = 0; j < 6; j++) {
3176  secp256k1_fe_negate_unchecked(&z, &z, j+1);
3178  secp256k1_fe_cmov(&q, &z, (j&1));
3179 #ifdef VERIFY
3180  CHECK(!q.normalized && q.magnitude == z.magnitude);
3181 #endif
3182  }
3184  /* Test storage conversion and conditional moves. */
3185  secp256k1_fe_to_storage(&xs, &x);
3186  secp256k1_fe_to_storage(&ys, &y);
3187  secp256k1_fe_to_storage(&zs, &z);
3188  secp256k1_fe_storage_cmov(&zs, &xs, 0);
3189  secp256k1_fe_storage_cmov(&zs, &zs, 1);
3190  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3191  secp256k1_fe_storage_cmov(&ys, &xs, 1);
3192  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3193  secp256k1_fe_from_storage(&x, &xs);
3194  secp256k1_fe_from_storage(&y, &ys);
3195  secp256k1_fe_from_storage(&z, &zs);
3196  /* Test that mul_int, mul, and add agree. */
3197  secp256k1_fe_add(&y, &x);
3198  secp256k1_fe_add(&y, &x);
3199  z = x;
3200  secp256k1_fe_mul_int(&z, 3);
3201  CHECK(check_fe_equal(&y, &z));
3202  secp256k1_fe_add(&y, &x);
3203  secp256k1_fe_add(&z, &x);
3204  CHECK(check_fe_equal(&z, &y));
3205  z = x;
3206  secp256k1_fe_mul_int(&z, 5);
3207  secp256k1_fe_mul(&q, &x, &fe5);
3208  CHECK(check_fe_equal(&z, &q));
3209  secp256k1_fe_negate(&x, &x, 1);
3210  secp256k1_fe_add(&z, &x);
3211  secp256k1_fe_add(&q, &x);
3212  CHECK(check_fe_equal(&y, &z));
3213  CHECK(check_fe_equal(&q, &y));
3214  /* Check secp256k1_fe_half. */
3215  z = x;
3216  secp256k1_fe_half(&z);
3217  secp256k1_fe_add(&z, &z);
3218  CHECK(check_fe_equal(&x, &z));
3219  secp256k1_fe_add(&z, &z);
3220  secp256k1_fe_half(&z);
3221  CHECK(check_fe_equal(&x, &z));
3222  }
3223 }
3224 
3225 static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3226 {
3227  secp256k1_fe c, an, bn;
3228  /* Variables in BE 32-byte format. */
3229  unsigned char a32[32], b32[32], c32[32];
3230  /* Variables in LE 16x uint16_t format. */
3231  uint16_t a16[16], b16[16], c16[16];
3232  /* Field modulus in LE 16x uint16_t format. */
3233  static const uint16_t m16[16] = {
3234  0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3235  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3236  };
3237  uint16_t t16[32];
3238  int i;
3239 
3240  /* Compute C = A * B in fe format. */
3241  c = *a;
3242  if (use_sqr) {
3243  secp256k1_fe_sqr(&c, &c);
3244  } else {
3245  secp256k1_fe_mul(&c, &c, b);
3246  }
3247 
3248  /* Convert A, B, C into LE 16x uint16_t format. */
3249  an = *a;
3250  bn = *b;
3254  secp256k1_fe_get_b32(a32, &an);
3255  secp256k1_fe_get_b32(b32, &bn);
3256  secp256k1_fe_get_b32(c32, &c);
3257  for (i = 0; i < 16; ++i) {
3258  a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3259  b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3260  c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3261  }
3262  /* Compute T = A * B in LE 16x uint16_t format. */
3263  mulmod256(t16, a16, b16, m16);
3264  /* Compare */
3265  CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3266 }
3267 
3268 static void run_fe_mul(void) {
3269  int i;
3270  for (i = 0; i < 100 * COUNT; ++i) {
3271  secp256k1_fe a, b, c, d;
3272  random_fe(&a);
3273  random_fe_magnitude(&a);
3274  random_fe(&b);
3275  random_fe_magnitude(&b);
3276  random_fe_test(&c);
3277  random_fe_magnitude(&c);
3278  random_fe_test(&d);
3279  random_fe_magnitude(&d);
3280  test_fe_mul(&a, &a, 1);
3281  test_fe_mul(&c, &c, 1);
3282  test_fe_mul(&a, &b, 0);
3283  test_fe_mul(&a, &c, 0);
3284  test_fe_mul(&c, &b, 0);
3285  test_fe_mul(&c, &d, 0);
3286  }
3287 }
3288 
3289 static void run_sqr(void) {
3290  secp256k1_fe x, s;
3291 
3292  {
3293  int i;
3294  secp256k1_fe_set_int(&x, 1);
3295  secp256k1_fe_negate(&x, &x, 1);
3296 
3297  for (i = 1; i <= 512; ++i) {
3298  secp256k1_fe_mul_int(&x, 2);
3300  secp256k1_fe_sqr(&s, &x);
3301  }
3302  }
3303 }
3304 
3305 static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3306  secp256k1_fe r1, r2;
3307  int v = secp256k1_fe_sqrt(&r1, a);
3308  CHECK((v == 0) == (k == NULL));
3309 
3310  if (k != NULL) {
3311  /* Check that the returned root is +/- the given known answer */
3312  secp256k1_fe_negate(&r2, &r1, 1);
3313  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3316  }
3317 }
3318 
3319 static void run_sqrt(void) {
3320  secp256k1_fe ns, x, s, t;
3321  int i;
3322 
3323  /* Check sqrt(0) is 0 */
3324  secp256k1_fe_set_int(&x, 0);
3325  secp256k1_fe_sqr(&s, &x);
3326  test_sqrt(&s, &x);
3327 
3328  /* Check sqrt of small squares (and their negatives) */
3329  for (i = 1; i <= 100; i++) {
3330  secp256k1_fe_set_int(&x, i);
3331  secp256k1_fe_sqr(&s, &x);
3332  test_sqrt(&s, &x);
3333  secp256k1_fe_negate(&t, &s, 1);
3334  test_sqrt(&t, NULL);
3335  }
3336 
3337  /* Consistency checks for large random values */
3338  for (i = 0; i < 10; i++) {
3339  int j;
3340  random_fe_non_square(&ns);
3341  for (j = 0; j < COUNT; j++) {
3342  random_fe(&x);
3343  secp256k1_fe_sqr(&s, &x);
3345  test_sqrt(&s, &x);
3346  secp256k1_fe_negate(&t, &s, 1);
3348  test_sqrt(&t, NULL);
3349  secp256k1_fe_mul(&t, &s, &ns);
3350  test_sqrt(&t, NULL);
3351  }
3352  }
3353 }
3354 
3355 /***** FIELD/SCALAR INVERSE TESTS *****/
3356 
3358  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3359  0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3360 );
3361 
3363  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3364  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3365 );
3366 
3367 /* These tests test the following identities:
3368  *
3369  * for x==0: 1/x == 0
3370  * for x!=0: x*(1/x) == 1
3371  * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3372  */
3373 
3375 {
3376  secp256k1_scalar l, r, t;
3377 
3378  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3379  if (out) *out = l;
3380  if (secp256k1_scalar_is_zero(x)) {
3382  return;
3383  }
3384  secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3385  CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3386  secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3387  if (secp256k1_scalar_is_zero(&r)) return;
3388  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3389  secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3390  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3391  secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3392  secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3393  CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3394 }
3395 
3396 static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3397 {
3398  secp256k1_fe l, r, t;
3399 
3400  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3401  if (out) *out = l;
3402  t = *x; /* t = x */
3405  return;
3406  }
3407  secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3408  secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3409  CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3410  r = *x; /* r = x */
3411  secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3412  if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
3413  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3414  secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3415  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3416  secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3417  secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3418  CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
3419 }
3420 
3421 static void run_inverse_tests(void)
3422 {
3423  /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3424  static const secp256k1_fe fe_cases[][2] = {
3425  /* 0 */
3426  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3427  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3428  /* 1 */
3429  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3430  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3431  /* -1 */
3432  {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3433  SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3434  /* 2 */
3435  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3436  SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3437  /* 2**128 */
3438  {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3439  SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3440  /* Input known to need 637 divsteps */
3441  {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3442  SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3443  /* Input known to need 567 divsteps starting with delta=1/2. */
3444  {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3445  SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3446  /* Input known to need 566 divsteps starting with delta=1/2. */
3447  {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3448  SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3449  /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3450  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3451  SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3452  {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3453  SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3454  {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3455  SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3456  {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3457  SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3458  {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3459  SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3460  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3461  SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3462  {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3463  SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3464  {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3465  SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3466  {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3467  SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3468  {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3469  SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3470  /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3471  {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3472  SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3473  {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3474  SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3475  {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3476  SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3477  {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3478  SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3479  {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3480  SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3481  {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3482  SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3483  {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3484  SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3485  {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3486  SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3487  {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3488  SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3489  {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3490  SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3491  {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3492  SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3493  {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3494  SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3495  {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3496  SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3497  {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3498  SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3499  {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3500  SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3501  {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3502  SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3503  {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3504  SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3505  {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3506  SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3507  {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3508  SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3509  {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3510  SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3511  {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3512  SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3513  {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3514  SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3515  {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3516  SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3517  {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3518  SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3519  {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3520  SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3521  {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3522  SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3523  {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3524  SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3525  {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3526  SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3527  };
3528  /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3529  static const secp256k1_scalar scalar_cases[][2] = {
3530  /* 0 */
3531  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3532  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3533  /* 1 */
3534  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3535  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3536  /* -1 */
3537  {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3538  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3539  /* 2 */
3540  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3541  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3542  /* 2**128 */
3543  {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3544  SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3545  /* Input known to need 635 divsteps */
3546  {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3547  SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3548  /* Input known to need 566 divsteps starting with delta=1/2. */
3549  {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3550  SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3551  /* Input known to need 565 divsteps starting with delta=1/2. */
3552  {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3553  SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3554  /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3555  {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3556  SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3557  {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3558  SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3559  {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3560  SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3561  {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3562  SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3563  {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3564  SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3565  {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3566  SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3567  {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3568  SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3569  {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3570  SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3571  {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3572  SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3573  {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3574  SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3575  {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3576  SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3577  {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3578  SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3579  {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3580  SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3581  {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3582  SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3583  {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3584  SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3585  {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3586  SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3587  {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3588  SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3589  {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3590  SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3591  {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3592  SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3593  {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3594  SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3595  {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3596  SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3597  {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3598  SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3599  {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3600  SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3601  {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3602  SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3603  {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3604  SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3605  {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3606  SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3607  {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3608  SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3609  {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3610  SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3611  {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3612  SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3613  };
3614  int i, var, testrand;
3615  unsigned char b32[32];
3616  secp256k1_fe x_fe;
3617  secp256k1_scalar x_scalar;
3618  memset(b32, 0, sizeof(b32));
3619  /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3620  for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3621  for (var = 0; var <= 1; ++var) {
3622  test_inverse_field(&x_fe, &fe_cases[i][0], var);
3623  check_fe_equal(&x_fe, &fe_cases[i][1]);
3624  test_inverse_field(&x_fe, &fe_cases[i][1], var);
3625  check_fe_equal(&x_fe, &fe_cases[i][0]);
3626  }
3627  }
3628  for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3629  for (var = 0; var <= 1; ++var) {
3630  test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3631  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3632  test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3633  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3634  }
3635  }
3636  /* Test inputs 0..999 and their respective negations. */
3637  for (i = 0; i < 1000; ++i) {
3638  b32[31] = i & 0xff;
3639  b32[30] = (i >> 8) & 0xff;
3640  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3641  secp256k1_fe_set_b32_mod(&x_fe, b32);
3642  for (var = 0; var <= 1; ++var) {
3643  test_inverse_scalar(NULL, &x_scalar, var);
3644  test_inverse_field(NULL, &x_fe, var);
3645  }
3646  secp256k1_scalar_negate(&x_scalar, &x_scalar);
3647  secp256k1_fe_negate(&x_fe, &x_fe, 1);
3648  for (var = 0; var <= 1; ++var) {
3649  test_inverse_scalar(NULL, &x_scalar, var);
3650  test_inverse_field(NULL, &x_fe, var);
3651  }
3652  }
3653  /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3654  for (testrand = 0; testrand <= 1; ++testrand) {
3655  for (i = 0; i < 64 * COUNT; ++i) {
3657  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3658  secp256k1_fe_set_b32_mod(&x_fe, b32);
3659  for (var = 0; var <= 1; ++var) {
3660  test_inverse_scalar(NULL, &x_scalar, var);
3661  test_inverse_field(NULL, &x_fe, var);
3662  }
3663  }
3664  }
3665 }
3666 
3667 /***** GROUP TESTS *****/
3668 
3669 /* This compares jacobian points including their Z, not just their geometric meaning. */
3670 static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3671  secp256k1_gej a2;
3672  secp256k1_gej b2;
3673  int ret = 1;
3674  ret &= a->infinity == b->infinity;
3675  if (ret && !a->infinity) {
3676  a2 = *a;
3677  b2 = *b;
3684  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3685  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3686  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3687  }
3688  return ret;
3689 }
3690 
3691 static void test_ge(void) {
3692  int i, i1;
3693  int runs = 6;
3694  /* 25 points are used:
3695  * - infinity
3696  * - for each of four random points p1 p2 p3 p4, we add the point, its
3697  * negation, and then those two again but with randomized Z coordinate.
3698  * - The same is then done for lambda*p1 and lambda^2*p1.
3699  */
3700  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3701  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3702  secp256k1_fe zf, r;
3703  secp256k1_fe zfi2, zfi3;
3704 
3705  secp256k1_gej_set_infinity(&gej[0]);
3706  secp256k1_ge_clear(&ge[0]);
3707  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3708  for (i = 0; i < runs; i++) {
3709  int j, k;
3710  secp256k1_ge g;
3712  if (i >= runs - 2) {
3713  secp256k1_ge_mul_lambda(&g, &ge[1]);
3714  CHECK(!secp256k1_ge_eq_var(&g, &ge[1]));
3715  }
3716  if (i >= runs - 1) {
3718  }
3719  ge[1 + 4 * i] = g;
3720  ge[2 + 4 * i] = g;
3721  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3722  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3723  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3724  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3725  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3726  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3727  for (j = 0; j < 4; j++) {
3728  random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3729  random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3730  random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3731  random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3732  random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3733  }
3734 
3735  for (j = 0; j < 4; ++j) {
3736  for (k = 0; k < 4; ++k) {
3737  int expect_equal = (j >> 1) == (k >> 1);
3738  CHECK(secp256k1_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3739  CHECK(secp256k1_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal);
3740  CHECK(secp256k1_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3741  CHECK(secp256k1_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal);
3742  }
3743  }
3744  }
3745 
3746  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3748  random_fe_magnitude(&zf);
3749  secp256k1_fe_inv_var(&zfi3, &zf);
3750  secp256k1_fe_sqr(&zfi2, &zfi3);
3751  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3752 
3753  /* Generate random r */
3755 
3756  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3757  int i2;
3758  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3759  /* Compute reference result using gej + gej (var). */
3760  secp256k1_gej refj, resj;
3761  secp256k1_ge ref;
3762  secp256k1_fe zr;
3763  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3764  /* Check Z ratio. */
3765  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3766  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3767  CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3768  }
3769  secp256k1_ge_set_gej_var(&ref, &refj);
3770 
3771  /* Test gej + ge with Z ratio result (var). */
3772  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3773  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3774  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3775  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3776  CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3777  }
3778 
3779  /* Test gej + ge (var, with additional Z factor). */
3780  {
3781  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3782  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3783  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3784  random_ge_x_magnitude(&ge2_zfi);
3785  random_ge_y_magnitude(&ge2_zfi);
3786  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3787  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3788  }
3789 
3790  /* Test gej + ge (const). */
3791  if (i2 != 0) {
3792  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3793  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3794  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3795  }
3796 
3797  /* Test doubling (var). */
3798  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3799  secp256k1_fe zr2;
3800  /* Normal doubling with Z ratio result. */
3801  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3802  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3803  /* Check Z ratio. */
3804  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3805  CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3806  /* Normal doubling. */
3807  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3808  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3809  /* Constant-time doubling. */
3810  secp256k1_gej_double(&resj, &gej[i2]);
3811  CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3812  }
3813 
3814  /* Test adding opposites. */
3815  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3817  }
3818 
3819  /* Test adding infinity. */
3820  if (i1 == 0) {
3821  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3822  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3823  CHECK(secp256k1_gej_eq_ge_var(&gej[i2], &ref));
3824  }
3825  if (i2 == 0) {
3826  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3827  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3828  CHECK(secp256k1_gej_eq_ge_var(&gej[i1], &ref));
3829  }
3830  }
3831  }
3832 
3833  /* Test adding all points together in random order equals infinity. */
3834  {
3836  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3837  for (i = 0; i < 4 * runs + 1; i++) {
3838  gej_shuffled[i] = gej[i];
3839  }
3840  for (i = 0; i < 4 * runs + 1; i++) {
3841  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3842  if (swap != i) {
3843  secp256k1_gej t = gej_shuffled[i];
3844  gej_shuffled[i] = gej_shuffled[swap];
3845  gej_shuffled[swap] = t;
3846  }
3847  }
3848  for (i = 0; i < 4 * runs + 1; i++) {
3849  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3850  }
3852  free(gej_shuffled);
3853  }
3854 
3855  /* Test batch gej -> ge conversion without known z ratios. */
3856  {
3857  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3858  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3859  for (i = 0; i < 4 * runs + 1; i++) {
3860  secp256k1_fe s;
3861  random_fe_non_zero(&s);
3862  secp256k1_gej_rescale(&gej[i], &s);
3863  CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all[i]));
3864  }
3865  free(ge_set_all);
3866  }
3867 
3868  /* Test that all elements have X coordinates on the curve. */
3869  for (i = 1; i < 4 * runs + 1; i++) {
3870  secp256k1_fe n;
3872  /* And the same holds after random rescaling. */
3873  secp256k1_fe_mul(&n, &zf, &ge[i].x);
3875  }
3876 
3877  /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
3878  {
3879  secp256k1_fe n;
3880  secp256k1_ge q;
3881  int ret_on_curve, ret_frac_on_curve, ret_set_xo;
3882  secp256k1_fe_mul(&n, &zf, &r);
3883  ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
3884  ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
3885  ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
3886  CHECK(ret_on_curve == ret_frac_on_curve);
3887  CHECK(ret_on_curve == ret_set_xo);
3888  if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
3889  }
3890 
3891  /* Test batch gej -> ge conversion with many infinities. */
3892  for (i = 0; i < 4 * runs + 1; i++) {
3893  int odd;
3894  random_group_element_test(&ge[i]);
3895  odd = secp256k1_fe_is_odd(&ge[i].x);
3896  CHECK(odd == 0 || odd == 1);
3897  /* randomly set half the points to infinity */
3898  if (odd == i % 2) {
3899  secp256k1_ge_set_infinity(&ge[i]);
3900  }
3901  secp256k1_gej_set_ge(&gej[i], &ge[i]);
3902  }
3903  /* batch convert */
3904  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3905  /* check result */
3906  for (i = 0; i < 4 * runs + 1; i++) {
3907  CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge[i]));
3908  }
3909 
3910  /* Test batch gej -> ge conversion with all infinities. */
3911  for (i = 0; i < 4 * runs + 1; i++) {
3912  secp256k1_gej_set_infinity(&gej[i]);
3913  }
3914  /* batch convert */
3915  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3916  /* check result */
3917  for (i = 0; i < 4 * runs + 1; i++) {
3919  }
3920 
3921  free(ge);
3922  free(gej);
3923 }
3924 
3925 static void test_intialized_inf(void) {
3926  secp256k1_ge p;
3927  secp256k1_gej pj, npj, infj1, infj2, infj3;
3928  secp256k1_fe zinv;
3929 
3930  /* Test that adding P+(-P) results in a fully initialized infinity*/
3932  secp256k1_gej_set_ge(&pj, &p);
3933  secp256k1_gej_neg(&npj, &pj);
3934 
3935  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3937  CHECK(secp256k1_fe_is_zero(&infj1.x));
3938  CHECK(secp256k1_fe_is_zero(&infj1.y));
3939  CHECK(secp256k1_fe_is_zero(&infj1.z));
3940 
3941  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3943  CHECK(secp256k1_fe_is_zero(&infj2.x));
3944  CHECK(secp256k1_fe_is_zero(&infj2.y));
3945  CHECK(secp256k1_fe_is_zero(&infj2.z));
3946 
3947  secp256k1_fe_set_int(&zinv, 1);
3948  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3950  CHECK(secp256k1_fe_is_zero(&infj3.x));
3951  CHECK(secp256k1_fe_is_zero(&infj3.y));
3952  CHECK(secp256k1_fe_is_zero(&infj3.z));
3953 
3954 
3955 }
3956 
3957 static void test_add_neg_y_diff_x(void) {
3958  /* The point of this test is to check that we can add two points
3959  * whose y-coordinates are negatives of each other but whose x
3960  * coordinates differ. If the x-coordinates were the same, these
3961  * points would be negatives of each other and their sum is
3962  * infinity. This is cool because it "covers up" any degeneracy
3963  * in the addition algorithm that would cause the xy coordinates
3964  * of the sum to be wrong (since infinity has no xy coordinates).
3965  * HOWEVER, if the x-coordinates are different, infinity is the
3966  * wrong answer, and such degeneracies are exposed. This is the
3967  * root of https://github.com/bitcoin-core/secp256k1/issues/257
3968  * which this test is a regression test for.
3969  *
3970  * These points were generated in sage as
3971  *
3972  * load("secp256k1_params.sage")
3973  *
3974  * # random "bad pair"
3975  * P = C.random_element()
3976  * Q = -int(LAMBDA) * P
3977  * print(" P: %x %x" % P.xy())
3978  * print(" Q: %x %x" % Q.xy())
3979  * print("P + Q: %x %x" % (P + Q).xy())
3980  */
3982  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3983  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3984  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3985  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3986  );
3988  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3989  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3990  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3991  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3992  );
3994  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3995  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3996  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3997  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3998  );
3999  secp256k1_ge b;
4000  secp256k1_gej resj;
4001  secp256k1_ge res;
4002  secp256k1_ge_set_gej(&b, &bj);
4003 
4004  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4005  secp256k1_ge_set_gej(&res, &resj);
4006  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4007 
4008  secp256k1_gej_add_ge(&resj, &aj, &b);
4009  secp256k1_ge_set_gej(&res, &resj);
4010  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4011 
4012  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4013  secp256k1_ge_set_gej(&res, &resj);
4014  CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4015 }
4016 
4017 static void run_ge(void) {
4018  int i;
4019  for (i = 0; i < COUNT * 32; i++) {
4020  test_ge();
4021  }
4024 }
4025 
4026 static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4027  secp256k1_gej t = *a;
4028  secp256k1_gej_cmov(&t, b, 0);
4029  CHECK(gej_xyz_equals_gej(&t, a));
4030  secp256k1_gej_cmov(&t, b, 1);
4031  CHECK(gej_xyz_equals_gej(&t, b));
4032 }
4033 
4034 static void run_gej(void) {
4035  int i;
4036  secp256k1_gej a, b;
4037 
4038  /* Tests for secp256k1_gej_cmov */
4039  for (i = 0; i < COUNT; i++) {
4042  test_gej_cmov(&a, &b);
4043 
4044  random_gej_test(&a);
4045  test_gej_cmov(&a, &b);
4046  test_gej_cmov(&b, &a);
4047 
4048  b = a;
4049  test_gej_cmov(&a, &b);
4050 
4051  random_gej_test(&b);
4052  test_gej_cmov(&a, &b);
4053  test_gej_cmov(&b, &a);
4054  }
4055 
4056  /* Tests for secp256k1_gej_eq_var */
4057  for (i = 0; i < COUNT; i++) {
4058  secp256k1_fe fe;
4059  random_gej_test(&a);
4060  random_gej_test(&b);
4061  CHECK(!secp256k1_gej_eq_var(&a, &b));
4062 
4063  b = a;
4065  secp256k1_gej_rescale(&a, &fe);
4066  CHECK(secp256k1_gej_eq_var(&a, &b));
4067  }
4068 }
4069 
4070 static void test_ec_combine(void) {
4072  secp256k1_pubkey data[6];
4073  const secp256k1_pubkey* d[6];
4074  secp256k1_pubkey sd;
4075  secp256k1_pubkey sd2;
4076  secp256k1_gej Qj;
4077  secp256k1_ge Q;
4078  int i;
4079  for (i = 1; i <= 6; i++) {
4080  secp256k1_scalar s;
4082  secp256k1_scalar_add(&sum, &sum, &s);
4084  secp256k1_ge_set_gej(&Q, &Qj);
4085  secp256k1_pubkey_save(&data[i - 1], &Q);
4086  d[i - 1] = &data[i - 1];
4088  secp256k1_ge_set_gej(&Q, &Qj);
4089  secp256k1_pubkey_save(&sd, &Q);
4090  CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4091  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4092  }
4093 }
4094 
4095 static void run_ec_combine(void) {
4096  int i;
4097  for (i = 0; i < COUNT * 8; i++) {
4098  test_ec_combine();
4099  }
4100 }
4101 
4102 static void test_group_decompress(const secp256k1_fe* x) {
4103  /* The input itself, normalized. */
4104  secp256k1_fe fex = *x;
4105  /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
4106  secp256k1_ge ge_even, ge_odd;
4107  /* Return values of the above calls. */
4108  int res_even, res_odd;
4109 
4111 
4112  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4113  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4114 
4115  CHECK(res_even == res_odd);
4116 
4117  if (res_even) {
4118  secp256k1_fe_normalize_var(&ge_odd.x);
4119  secp256k1_fe_normalize_var(&ge_even.x);
4120  secp256k1_fe_normalize_var(&ge_odd.y);
4121  secp256k1_fe_normalize_var(&ge_even.y);
4122 
4123  /* No infinity allowed. */
4124  CHECK(!ge_even.infinity);
4125  CHECK(!ge_odd.infinity);
4126 
4127  /* Check that the x coordinates check out. */
4128  CHECK(secp256k1_fe_equal(&ge_even.x, x));
4129  CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4130 
4131  /* Check odd/even Y in ge_odd, ge_even. */
4132  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4133  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4134  }
4135 }
4136 
4137 static void run_group_decompress(void) {
4138  int i;
4139  for (i = 0; i < COUNT * 4; i++) {
4140  secp256k1_fe fe;
4141  random_fe_test(&fe);
4142  test_group_decompress(&fe);
4143  }
4144 }
4145 
4146 /***** ECMULT TESTS *****/
4147 
4148 static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4149  /* Tests the pre_g / pre_g_128 tables for consistency.
4150  * For independent verification we take a "geometric" approach to verification.
4151  * We check that every entry is on-curve.
4152  * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4153  * (1) p, gg, and -q are colinear.
4154  * (2) p, gg, and -q are all distinct.
4155  * where gg is twice the generator, where the generator is the first table entry.
4156  *
4157  * Checking the table's generators are correct is done in run_ecmult_pre_g.
4158  */
4159  secp256k1_gej g2;
4160  secp256k1_ge p, q, gg;
4161  secp256k1_fe dpx, dpy, dqx, dqy;
4162  size_t i;
4163 
4164  CHECK(0 < n);
4165 
4166  secp256k1_ge_from_storage(&p, &pre_g[0]);
4168 
4169  secp256k1_gej_set_ge(&g2, &p);
4170  secp256k1_gej_double_var(&g2, &g2, NULL);
4171  secp256k1_ge_set_gej_var(&gg, &g2);
4172  for (i = 1; i < n; ++i) {
4173  secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4174  secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4175  /* Check that p is not equal to gg */
4177 
4178  secp256k1_ge_from_storage(&q, &pre_g[i]);
4180 
4181  secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4182  dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4183  /* Check that -q is not equal to gg */
4185 
4186  /* Check that -q is not equal to p */
4187  CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4188 
4189  /* Check that p, -q and gg are colinear */
4190  secp256k1_fe_mul(&dpx, &dpx, &dqy);
4191  secp256k1_fe_mul(&dpy, &dpy, &dqx);
4192  CHECK(secp256k1_fe_equal(&dpx, &dpy));
4193 
4194  p = q;
4195  }
4196 }
4197 
4198 static void run_ecmult_pre_g(void) {
4200  secp256k1_gej gj;
4201  secp256k1_ge g;
4202  size_t i;
4203 
4204  /* Check that the pre_g and pre_g_128 tables are consistent. */
4207 
4208  /* Check the first entry from the pre_g table. */
4210  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4211 
4212  /* Check the first entry from the pre_g_128 table. */
4214  for (i = 0; i < 128; ++i) {
4215  secp256k1_gej_double_var(&gj, &gj, NULL);
4216  }
4217  secp256k1_ge_set_gej(&g, &gj);
4218  secp256k1_ge_to_storage(&gs, &g);
4219  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4220 }
4221 
4222 static void run_ecmult_chain(void) {
4223  /* random starting point A (on the curve) */
4225  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4226  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4227  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4228  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4229  );
4230  /* two random initial factors xn and gn */
4232  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4233  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4234  );
4236  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4237  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4238  );
4239  /* two small multipliers to be applied to xn and gn in every iteration: */
4240  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4241  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4242  /* accumulators with the resulting coefficients to A and G */
4245  /* actual points */
4246  secp256k1_gej x;
4247  secp256k1_gej x2;
4248  int i;
4249 
4250  /* the point being computed */
4251  x = a;
4252  for (i = 0; i < 200*COUNT; i++) {
4253  /* in each iteration, compute X = xn*X + gn*G; */
4254  secp256k1_ecmult(&x, &x, &xn, &gn);
4255  /* also compute ae and ge: the actual accumulated factors for A and G */
4256  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4257  secp256k1_scalar_mul(&ae, &ae, &xn);
4258  secp256k1_scalar_mul(&ge, &ge, &xn);
4259  secp256k1_scalar_add(&ge, &ge, &gn);
4260  /* modify xn and gn */
4261  secp256k1_scalar_mul(&xn, &xn, &xf);
4262  secp256k1_scalar_mul(&gn, &gn, &gf);
4263 
4264  /* verify */
4265  if (i == 19999) {
4266  /* expected result after 19999 iterations */
4268  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4269  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4270  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4271  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4272  );
4273  CHECK(secp256k1_gej_eq_var(&rp, &x));
4274  }
4275  }
4276  /* redo the computation, but directly with the resulting ae and ge coefficients: */
4277  secp256k1_ecmult(&x2, &a, &ae, &ge);
4278  CHECK(secp256k1_gej_eq_var(&x, &x2));
4279 }
4280 
4281 static void test_point_times_order(const secp256k1_gej *point) {
4282  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4283  secp256k1_scalar x;
4284  secp256k1_scalar nx;
4285  secp256k1_gej res1, res2;
4286  secp256k1_ge res3;
4287  unsigned char pub[65];
4288  size_t psize = 65;
4290  secp256k1_scalar_negate(&nx, &x);
4291  secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4292  secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4293  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4295  secp256k1_ge_set_gej(&res3, &res1);
4297  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4298  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4299  psize = 65;
4300  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4301  /* check zero/one edge cases */
4303  secp256k1_ge_set_gej(&res3, &res1);
4306  secp256k1_ge_set_gej(&res3, &res1);
4307  CHECK(secp256k1_gej_eq_ge_var(point, &res3));
4309  secp256k1_ge_set_gej(&res3, &res1);
4311 }
4312 
4313 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4314  *
4315  * They are computed as:
4316  * - For a in [-2, -1, 0, 1, 2]:
4317  * - For b in [-3, -1, 1, 3]:
4318  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4319  */
4321  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4322  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4323  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4324  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4325  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4326  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4327  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4328  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4329  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4330  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4331  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4332  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4333  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4334  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4335  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4336  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4337  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4338  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4339  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4340  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4341 };
4342 
4343 static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4344  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4345  secp256k1_scalar n1, n2;
4346  secp256k1_ge p;
4347  secp256k1_gej pj, p1j, p2j, ptj;
4348 
4349  /* Generate random n1,n2 such that n1+n2 = -target. */
4351  secp256k1_scalar_add(&n2, &n1, target);
4352  secp256k1_scalar_negate(&n2, &n2);
4353 
4354  /* Generate a random input point. */
4355  if (mode != 0) {
4357  secp256k1_gej_set_ge(&pj, &p);
4358  }
4359 
4360  /* EC multiplications */
4361  if (mode == 0) {
4362  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1);
4363  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2);
4364  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4365  } else if (mode == 1) {
4366  secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4367  secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4368  secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4369  } else {
4370  secp256k1_ecmult_const(&p1j, &p, &n1);
4371  secp256k1_ecmult_const(&p2j, &p, &n2);
4372  secp256k1_ecmult_const(&ptj, &p, target);
4373  }
4374 
4375  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4376  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4377  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4379 }
4380 
4381 static void run_ecmult_near_split_bound(void) {
4382  int i;
4383  unsigned j;
4384  for (i = 0; i < 4*COUNT; ++i) {
4385  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4389  }
4390  }
4391 }
4392 
4393 static void run_point_times_order(void) {
4394  int i;
4395  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4396  static const secp256k1_fe xr = SECP256K1_FE_CONST(
4397  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4398  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4399  );
4400  for (i = 0; i < 500; i++) {
4401  secp256k1_ge p;
4402  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4403  secp256k1_gej j;
4405  secp256k1_gej_set_ge(&j, &p);
4407  }
4408  secp256k1_fe_sqr(&x, &x);
4409  }
4411  CHECK(secp256k1_fe_equal(&x, &xr));
4412 }
4413 
4414 static void ecmult_const_random_mult(void) {
4415  /* random starting point A (on the curve) */
4417  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4418  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4419  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4420  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4421  );
4422  /* random initial factor xn */
4424  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4425  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4426  );
4427  /* expected xn * A (from sage) */
4428  secp256k1_ge expected_b = SECP256K1_GE_CONST(
4429  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4430  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4431  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4432  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4433  );
4434  secp256k1_gej b;
4435  secp256k1_ecmult_const(&b, &a, &xn);
4436 
4438  CHECK(secp256k1_gej_eq_ge_var(&b, &expected_b));
4439 }
4440 
4441 static void ecmult_const_commutativity(void) {
4442  secp256k1_scalar a;
4443  secp256k1_scalar b;
4444  secp256k1_gej res1;
4445  secp256k1_gej res2;
4446  secp256k1_ge mid1;
4447  secp256k1_ge mid2;
4450 
4453  secp256k1_ge_set_gej(&mid1, &res1);
4454  secp256k1_ge_set_gej(&mid2, &res2);
4455  secp256k1_ecmult_const(&res1, &mid1, &b);
4456  secp256k1_ecmult_const(&res2, &mid2, &a);
4457  secp256k1_ge_set_gej(&mid1, &res1);
4458  secp256k1_ge_set_gej(&mid2, &res2);
4459  CHECK(secp256k1_ge_eq_var(&mid1, &mid2));
4460 }
4461 
4462 static void ecmult_const_mult_zero_one(void) {
4463  secp256k1_scalar s;
4464  secp256k1_scalar negone;
4465  secp256k1_gej res1;
4466  secp256k1_ge res2;
4467  secp256k1_ge point;
4468  secp256k1_ge inf;
4469 
4472  random_group_element_test(&point);
4474 
4475  /* 0*point */
4478 
4479  /* s*inf */
4480  secp256k1_ecmult_const(&res1, &inf, &s);
4482 
4483  /* 1*point */
4485  secp256k1_ge_set_gej(&res2, &res1);
4486  CHECK(secp256k1_ge_eq_var(&res2, &point));
4487 
4488  /* -1*point */
4489  secp256k1_ecmult_const(&res1, &point, &negone);
4490  secp256k1_gej_neg(&res1, &res1);
4491  secp256k1_ge_set_gej(&res2, &res1);
4492  CHECK(secp256k1_ge_eq_var(&res2, &point));
4493 }
4494 
4495 static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) {
4496  secp256k1_gej pointj, res2j;
4497  secp256k1_ge res2;
4498  secp256k1_gej_set_ge(&pointj, A);
4499  secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero);
4500  secp256k1_ge_set_gej(&res2, &res2j);
4501  CHECK(secp256k1_gej_eq_ge_var(res, &res2));
4502 }
4503 
4504 static void ecmult_const_edges(void) {
4505  secp256k1_scalar q;
4506  secp256k1_ge point;
4507  secp256k1_gej res;
4508  size_t i;
4509  size_t cases = 1 + sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]);
4510 
4511  /* We are trying to reach the following edge cases (variables are defined as
4512  * in ecmult_const_impl.h):
4513  * 1. i = 0: s = 0 <=> q = -K
4514  * 2. i > 0: v1, v2 large values
4515  * <=> s1, s2 large values
4516  * <=> s = scalars_near_split_bounds[i]
4517  * <=> q = 2*scalars_near_split_bounds[i] - K
4518  */
4519  for (i = 0; i < cases; ++i) {
4521  if (i > 0) {
4524  }
4525  random_group_element_test(&point);
4526  secp256k1_ecmult_const(&res, &point, &q);
4527  ecmult_const_check_result(&point, &q, &res);
4528  }
4529 }
4530 
4531 static void ecmult_const_mult_xonly(void) {
4532  int i;
4533 
4534  /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4535  for (i = 0; i < 2*COUNT; ++i) {
4536  secp256k1_ge base;
4537  secp256k1_gej basej, resj;
4538  secp256k1_fe n, d, resx, v;
4539  secp256k1_scalar q;
4540  int res;
4541  /* Random base point. */
4543  /* Random scalar to multiply it with. */
4545  /* If i is odd, n=d*base.x for random non-zero d */
4546  if (i & 1) {
4548  secp256k1_fe_mul(&n, &base.x, &d);
4549  } else {
4550  n = base.x;
4551  }
4552  /* Perform x-only multiplication. */
4553  res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4554  CHECK(res);
4555  /* Perform normal multiplication. */
4556  secp256k1_gej_set_ge(&basej, &base);
4557  secp256k1_ecmult(&resj, &basej, &q, NULL);
4558  /* Check that resj's X coordinate corresponds with resx. */
4559  secp256k1_fe_sqr(&v, &resj.z);
4560  secp256k1_fe_mul(&v, &v, &resx);
4561  CHECK(check_fe_equal(&v, &resj.x));
4562  }
4563 
4564  /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4565  for (i = 0; i < 2*COUNT; ++i) {
4566  secp256k1_fe x, n, d, r;
4567  int res;
4568  secp256k1_scalar q;
4570  /* Generate random X coordinate not on the curve. */
4571  do {
4572  random_fe_test(&x);
4573  } while (secp256k1_ge_x_on_curve_var(&x));
4574  /* If i is odd, n=d*x for random non-zero d. */
4575  if (i & 1) {
4577  secp256k1_fe_mul(&n, &x, &d);
4578  } else {
4579  n = x;
4580  }
4581  res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4582  CHECK(res == 0);
4583  }
4584 }
4585 
4586 static void ecmult_const_chain_multiply(void) {
4587  /* Check known result (randomly generated test problem from sage) */
4589  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4590  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4591  );
4592  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4593  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4594  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4595  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4596  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4597  );
4598  secp256k1_gej point;
4599  secp256k1_ge res;
4600  int i;
4601 
4603  for (i = 0; i < 100; ++i) {
4604  secp256k1_ge tmp;
4605  secp256k1_ge_set_gej(&tmp, &point);
4606  secp256k1_ecmult_const(&point, &tmp, &scalar);
4607  }
4608  secp256k1_ge_set_gej(&res, &point);
4609  CHECK(secp256k1_gej_eq_ge_var(&expected_point, &res));
4610 }
4611 
4612 static void run_ecmult_const_tests(void) {
4619 }
4620 
4621 typedef struct {
4625 
4626 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4627  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4628  *sc = data->sc[idx];
4629  *pt = data->pt[idx];
4630  return 1;
4631 }
4632 
4633 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4634  (void)sc;
4635  (void)pt;
4636  (void)idx;
4637  (void)cbdata;
4638  return 0;
4639 }
4640 
4642  int ncount;
4643  secp256k1_scalar sc[32];
4644  secp256k1_ge pt[32];
4645  secp256k1_gej r;
4646  secp256k1_gej r2;
4647  ecmult_multi_data data;
4648 
4649  data.sc = sc;
4650  data.pt = pt;
4651 
4652  /* No points to multiply */
4653  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4654 
4655  /* Check 1- and 2-point multiplies against ecmult */
4656  for (ncount = 0; ncount < COUNT; ncount++) {
4657  secp256k1_ge ptg;
4658  secp256k1_gej ptgj;
4659  random_scalar_order(&sc[0]);
4660  random_scalar_order(&sc[1]);
4661 
4663  secp256k1_gej_set_ge(&ptgj, &ptg);
4664  pt[0] = ptg;
4665  pt[1] = secp256k1_ge_const_g;
4666 
4667  /* only G scalar */
4668  secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4669  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4670  CHECK(secp256k1_gej_eq_var(&r, &r2));
4671 
4672  /* 1-point */
4673  secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4674  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4675  CHECK(secp256k1_gej_eq_var(&r, &r2));
4676 
4677  /* Try to multiply 1 point, but callback returns false */
4678  CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4679 
4680  /* 2-point */
4681  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4682  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4683  CHECK(secp256k1_gej_eq_var(&r, &r2));
4684 
4685  /* 2-point with G scalar */
4686  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4687  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4688  CHECK(secp256k1_gej_eq_var(&r, &r2));
4689  }
4690 
4691  /* Check infinite outputs of various forms */
4692  for (ncount = 0; ncount < COUNT; ncount++) {
4693  secp256k1_ge ptg;
4694  size_t i, j;
4695  size_t sizes[] = { 2, 10, 32 };
4696 
4697  for (j = 0; j < 3; j++) {
4698  for (i = 0; i < 32; i++) {
4699  random_scalar_order(&sc[i]);
4700  secp256k1_ge_set_infinity(&pt[i]);
4701  }
4702  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4704  }
4705 
4706  for (j = 0; j < 3; j++) {
4707  for (i = 0; i < 32; i++) {
4709  pt[i] = ptg;
4710  secp256k1_scalar_set_int(&sc[i], 0);
4711  }
4712  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4714  }
4715 
4716  for (j = 0; j < 3; j++) {
4718  for (i = 0; i < 16; i++) {
4719  random_scalar_order(&sc[2*i]);
4720  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4721  pt[2 * i] = ptg;
4722  pt[2 * i + 1] = ptg;
4723  }
4724 
4725  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4727 
4728  random_scalar_order(&sc[0]);
4729  for (i = 0; i < 16; i++) {
4731 
4732  sc[2*i] = sc[0];
4733  sc[2*i+1] = sc[0];
4734  pt[2 * i] = ptg;
4735  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4736  }
4737 
4738  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4740  }
4741 
4743  secp256k1_scalar_set_int(&sc[0], 0);
4744  pt[0] = ptg;
4745  for (i = 1; i < 32; i++) {
4746  pt[i] = ptg;
4747 
4748  random_scalar_order(&sc[i]);
4749  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4750  secp256k1_scalar_negate(&sc[i], &sc[i]);
4751  }
4752 
4753  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4755  }
4756 
4757  /* Check random points, constant scalar */
4758  for (ncount = 0; ncount < COUNT; ncount++) {
4759  size_t i;
4761 
4762  random_scalar_order(&sc[0]);
4763  for (i = 0; i < 20; i++) {
4764  secp256k1_ge ptg;
4765  sc[i] = sc[0];
4767  pt[i] = ptg;
4768  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4769  }
4770 
4771  secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4772  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4773  CHECK(secp256k1_gej_eq_var(&r, &r2));
4774  }
4775 
4776  /* Check random scalars, constant point */
4777  for (ncount = 0; ncount < COUNT; ncount++) {
4778  size_t i;
4779  secp256k1_ge ptg;
4780  secp256k1_gej p0j;
4781  secp256k1_scalar rs;
4782  secp256k1_scalar_set_int(&rs, 0);
4783 
4785  for (i = 0; i < 20; i++) {
4786  random_scalar_order(&sc[i]);
4787  pt[i] = ptg;
4788  secp256k1_scalar_add(&rs, &rs, &sc[i]);
4789  }
4790 
4791  secp256k1_gej_set_ge(&p0j, &pt[0]);
4792  secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4793  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4794  CHECK(secp256k1_gej_eq_var(&r, &r2));
4795  }
4796 
4797  /* Sanity check that zero scalars don't cause problems */
4798  for (ncount = 0; ncount < 20; ncount++) {
4799  random_scalar_order(&sc[ncount]);
4800  random_group_element_test(&pt[ncount]);
4801  }
4802 
4803  secp256k1_scalar_clear(&sc[0]);
4804  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4805  secp256k1_scalar_clear(&sc[1]);
4806  secp256k1_scalar_clear(&sc[2]);
4807  secp256k1_scalar_clear(&sc[3]);
4808  secp256k1_scalar_clear(&sc[4]);
4809  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4810  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4812 
4813  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4814  {
4815  const size_t TOP = 8;
4816  size_t s0i, s1i;
4817  size_t t0i, t1i;
4818  secp256k1_ge ptg;
4819  secp256k1_gej ptgj;
4820 
4822  secp256k1_gej_set_ge(&ptgj, &ptg);
4823 
4824  for(t0i = 0; t0i < TOP; t0i++) {
4825  for(t1i = 0; t1i < TOP; t1i++) {
4826  secp256k1_gej t0p, t1p;
4827  secp256k1_scalar t0, t1;
4828 
4829  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4830  secp256k1_scalar_cond_negate(&t0, t0i & 1);
4831  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4832  secp256k1_scalar_cond_negate(&t1, t1i & 1);
4833 
4834  secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4835  secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4836 
4837  for(s0i = 0; s0i < TOP; s0i++) {
4838  for(s1i = 0; s1i < TOP; s1i++) {
4839  secp256k1_scalar tmp1, tmp2;
4840  secp256k1_gej expected, actual;
4841 
4842  secp256k1_ge_set_gej(&pt[0], &t0p);
4843  secp256k1_ge_set_gej(&pt[1], &t1p);
4844 
4845  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4846  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4847  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4848  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4849 
4850  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4851  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4852  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4853 
4854  secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4855  CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4856  CHECK(secp256k1_gej_eq_var(&actual, &expected));
4857  }
4858  }
4859  }
4860  }
4861  }
4862 }
4863 
4865  /* Large random test for ecmult_multi_* functions which exercises:
4866  * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4867  * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4868  * - Including or excluding an nonzero a*G term (or such a term at all).
4869  * - Final expected result equal to infinity or not (roughly 50%).
4870  * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4871  */
4872 
4873  /* These 4 variables define the eventual input to the ecmult_multi function.
4874  * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4875  * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4876  * which form its normal inputs. */
4877  int filled = 0;
4879  secp256k1_scalar scalars[128];
4880  secp256k1_gej gejs[128];
4881  /* The expected result, and the computed result. */
4882  secp256k1_gej expected, computed;
4883  /* Temporaries. */
4884  secp256k1_scalar sc_tmp;
4885  secp256k1_ge ge_tmp;
4886  /* Variables needed for the actual input to ecmult_multi. */
4887  secp256k1_ge ges[128];
4888  ecmult_multi_data data;
4889 
4890  int i;
4891  /* Which multiplication function to use */
4892  int fn = secp256k1_testrand_int(3);
4893  secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4896  /* Simulate exponentially distributed num. */
4897  int num_bits = 2 + secp256k1_testrand_int(6);
4898  /* Number of (scalar, point) inputs (excluding g). */
4899  int num = secp256k1_testrand_int((1 << num_bits) + 1);
4900  /* Number of those which are nonzero. */
4901  int num_nonzero = secp256k1_testrand_int(num + 1);
4902  /* Whether we're aiming to create an input with nonzero expected result. */
4903  int nonzero_result = secp256k1_testrand_bits(1);
4904  /* Whether we will provide nonzero g multiplicand. In some cases our hand
4905  * is forced here based on num_nonzero and nonzero_result. */
4906  int g_nonzero = num_nonzero == 0 ? nonzero_result :
4907  num_nonzero == 1 && !nonzero_result ? 1 :
4908  (int)secp256k1_testrand_bits(1);
4909  /* Which g_scalar pointer to pass into ecmult_multi(). */
4910  const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4911  /* How many EC multiplications were performed in this function. */
4912  int mults = 0;
4913  /* How many randomization steps to apply to the input list. */
4914  int rands = (int)secp256k1_testrand_bits(3);
4915  if (rands > num_nonzero) rands = num_nonzero;
4916 
4917  secp256k1_gej_set_infinity(&expected);
4918  secp256k1_gej_set_infinity(&gejs[0]);
4919  secp256k1_scalar_set_int(&scalars[0], 0);
4920 
4921  if (g_nonzero) {
4922  /* If g_nonzero, set g_scalar to nonzero value r. */
4923  random_scalar_order_test(&g_scalar);
4924  if (!nonzero_result) {
4925  /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4926  CHECK(num_nonzero > filled);
4927  random_scalar_order_test(&sc_tmp);
4928  secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4929  secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4930  secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4931  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4932  ++filled;
4933  ++mults;
4934  }
4935  }
4936 
4937  if (nonzero_result && filled < num_nonzero) {
4938  /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4939  random_scalar_order_test(&scalars[filled]);
4940  random_group_element_test(&ge_tmp);
4941  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4942  ++filled;
4943  }
4944 
4945  if (nonzero_result) {
4946  /* Compute the expected result using normal ecmult. */
4947  CHECK(filled <= 1);
4948  secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4949  mults += filled + g_nonzero;
4950  }
4951 
4952  /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4953  CHECK(filled <= 1 + !nonzero_result);
4954  CHECK(filled <= num_nonzero);
4955 
4956  /* Add entries to scalars,gejs so that there are num of them. All the added entries
4957  * either have scalar=0 or point=infinity, so these do not change the expected result. */
4958  while (filled < num) {
4959  if (secp256k1_testrand_bits(1)) {
4960  secp256k1_gej_set_infinity(&gejs[filled]);
4961  random_scalar_order_test(&scalars[filled]);
4962  } else {
4963  secp256k1_scalar_set_int(&scalars[filled], 0);
4964  random_group_element_test(&ge_tmp);
4965  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4966  }
4967  ++filled;
4968  }
4969 
4970  /* Now perform cheapish transformations on gejs and scalars, for indices
4971  * 0..num_nonzero-1, which do not change the expected result, but may
4972  * convert some of them to be both non-0-scalar and non-infinity-point. */
4973  for (i = 0; i < rands; ++i) {
4974  int j;
4975  secp256k1_scalar v, iv;
4976  /* Shuffle the entries. */
4977  for (j = 0; j < num_nonzero; ++j) {
4978  int k = secp256k1_testrand_int(num_nonzero - j);
4979  if (k != 0) {
4980  secp256k1_gej gej = gejs[j];
4981  secp256k1_scalar sc = scalars[j];
4982  gejs[j] = gejs[j + k];
4983  scalars[j] = scalars[j + k];
4984  gejs[j + k] = gej;
4985  scalars[j + k] = sc;
4986  }
4987  }
4988  /* Perturb all consecutive pairs of inputs:
4989  * a*P + b*Q -> (a+b)*P + b*(Q-P). */
4990  for (j = 0; j + 1 < num_nonzero; j += 2) {
4991  secp256k1_gej gej;
4992  secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
4993  secp256k1_gej_neg(&gej, &gejs[j]);
4994  secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
4995  }
4996  /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
4997  CHECK(num_nonzero >= 1);
4999  secp256k1_scalar_inverse(&iv, &v);
5000  secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5001  secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5002  ++mults;
5003  }
5004 
5005  /* Shuffle all entries (0..num-1). */
5006  for (i = 0; i < num; ++i) {
5007  int j = secp256k1_testrand_int(num - i);
5008  if (j != 0) {
5009  secp256k1_gej gej = gejs[i];
5010  secp256k1_scalar sc = scalars[i];
5011  gejs[i] = gejs[i + j];
5012  scalars[i] = scalars[i + j];
5013  gejs[i + j] = gej;
5014  scalars[i + j] = sc;
5015  }
5016  }
5017 
5018  /* Compute affine versions of all inputs. */
5019  secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5020  /* Invoke ecmult_multi code. */
5021  data.sc = scalars;
5022  data.pt = ges;
5023  CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5024  mults += num_nonzero + g_nonzero;
5025  /* Compare with expected result. */
5026  CHECK(secp256k1_gej_eq_var(&computed, &expected));
5027  return mults;
5028 }
5029 
5031  secp256k1_scalar sc;
5032  secp256k1_ge pt;
5033  secp256k1_gej r;
5034  ecmult_multi_data data;
5035  secp256k1_scratch *scratch_empty;
5036 
5038  random_scalar_order(&sc);
5039  data.sc = &sc;
5040  data.pt = &pt;
5041 
5042  /* Try to multiply 1 point, but scratch space is empty.*/
5043  scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5044  CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5045  secp256k1_scratch_destroy(&CTX->error_callback, scratch_empty);
5046 }
5047 
5049  int i;
5050 
5052  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5053  /* Bucket_window of 8 is not used with endo */
5054  if (i == 8) {
5055  continue;
5056  }
5058  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5060  }
5061  }
5062 }
5063 
5069  size_t scratch_size = secp256k1_testrand_bits(8);
5071  secp256k1_scratch *scratch;
5072  size_t n_points_supported;
5073  int bucket_window = 0;
5074 
5075  for(; scratch_size < max_size; scratch_size+=256) {
5076  size_t i;
5077  size_t total_alloc;
5078  size_t checkpoint;
5079  scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5080  CHECK(scratch != NULL);
5081  checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5082  n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5083  if (n_points_supported == 0) {
5085  continue;
5086  }
5087  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5088  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5089  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5090  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5092  total_alloc--;
5093  }
5094  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5095  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
5097  }
5098  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5099 }
5100 
5102  size_t n_batches, n_batch_points, max_n_batch_points, n;
5103 
5104  max_n_batch_points = 0;
5105  n = 1;
5106  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5107 
5108  max_n_batch_points = 1;
5109  n = 0;
5110  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5111  CHECK(n_batches == 0);
5112  CHECK(n_batch_points == 0);
5113 
5114  max_n_batch_points = 2;
5115  n = 5;
5116  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5117  CHECK(n_batches == 3);
5118  CHECK(n_batch_points == 2);
5119 
5120  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5122  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5123  CHECK(n_batches == 1);
5124  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5125 
5126  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5128  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5129  CHECK(n_batches == 2);
5130  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5131 
5132  max_n_batch_points = 1;
5133  n = SIZE_MAX;
5134  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5135  CHECK(n_batches == SIZE_MAX);
5136  CHECK(n_batch_points == 1);
5137 
5138  max_n_batch_points = 2;
5139  n = SIZE_MAX;
5140  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5141  CHECK(n_batches == SIZE_MAX/2 + 1);
5142  CHECK(n_batch_points == 2);
5143 }
5144 
5149 static void test_ecmult_multi_batching(void) {
5150  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5151  secp256k1_scalar scG;
5153  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points);
5154  secp256k1_gej r;
5155  secp256k1_gej r2;
5156  ecmult_multi_data data;
5157  int i;
5158  secp256k1_scratch *scratch;
5159 
5161 
5162  /* Get random scalars and group elements and compute result */
5163  random_scalar_order(&scG);
5164  secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5165  for(i = 0; i < n_points; i++) {
5166  secp256k1_ge ptg;
5167  secp256k1_gej ptgj;
5169  secp256k1_gej_set_ge(&ptgj, &ptg);
5170  pt[i] = ptg;
5171  random_scalar_order(&sc[i]);
5172  secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5173  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5174  }
5175  data.sc = sc;
5176  data.pt = pt;
5177  secp256k1_gej_neg(&r2, &r2);
5178 
5179  /* Test with empty scratch space. It should compute the correct result using
5180  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5182  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5183  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5186 
5187  /* Test with space for 1 point in pippenger. That's not enough because
5188  * ecmult_multi selects strauss which requires more memory. It should
5189  * therefore select the simple algorithm. */
5191  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5192  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5195 
5196  for(i = 1; i <= n_points; i++) {
5197  if (i > ECMULT_PIPPENGER_THRESHOLD) {
5198  int bucket_window = secp256k1_pippenger_bucket_window(i);
5199  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5201  } else {
5202  size_t scratch_size = secp256k1_strauss_scratch_size(i);
5204  }
5205  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5206  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5209  }
5210  free(sc);
5211  free(pt);
5212 }
5213 
5214 static void run_ecmult_multi_tests(void) {
5215  secp256k1_scratch *scratch;
5216  int64_t todo = (int64_t)320 * COUNT;
5217 
5220  scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5227  while (todo > 0) {
5228  todo -= test_ecmult_multi_random(scratch);
5229  }
5231 
5232  /* Run test_ecmult_multi with space for exactly one point */
5236 
5239 }
5240 
5241 static void test_wnaf(const secp256k1_scalar *number, int w) {
5242  secp256k1_scalar x, two, t;
5243  int wnaf[256];
5244  int zeroes = -1;
5245  int i;
5246  int bits;
5247  secp256k1_scalar_set_int(&x, 0);
5248  secp256k1_scalar_set_int(&two, 2);
5249  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5250  CHECK(bits <= 256);
5251  for (i = bits-1; i >= 0; i--) {
5252  int v = wnaf[i];
5253  secp256k1_scalar_mul(&x, &x, &two);
5254  if (v) {
5255  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5256  zeroes=0;
5257  CHECK((v & 1) == 1); /* check non-zero elements are odd */
5258  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5259  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5260  } else {
5261  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5262  zeroes++;
5263  }
5264  if (v >= 0) {
5266  } else {
5269  }
5270  secp256k1_scalar_add(&x, &x, &t);
5271  }
5272  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5273 }
5274 
5275 static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5276  secp256k1_scalar x, shift;
5277  int wnaf[256] = {0};
5278  int i;
5279  int skew;
5280  secp256k1_scalar num, unused;
5281 
5282  secp256k1_scalar_set_int(&x, 0);
5283  secp256k1_scalar_set_int(&shift, 1 << w);
5284  /* Make num a 128-bit scalar. */
5285  secp256k1_scalar_split_128(&num, &unused, number);
5286  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5287 
5288  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5290  int v = wnaf[i];
5291  CHECK(v == 0 || v & 1); /* check parity */
5292  CHECK(v > -(1 << w)); /* check range above */
5293  CHECK(v < (1 << w)); /* check range below */
5294 
5295  secp256k1_scalar_mul(&x, &x, &shift);
5296  if (v >= 0) {
5298  } else {
5301  }
5302  secp256k1_scalar_add(&x, &x, &t);
5303  }
5304  /* If skew is 1 then add 1 to num */
5305  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5306  CHECK(secp256k1_scalar_eq(&x, &num));
5307 }
5308 
5309 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5310  * rest is 0.*/
5311 static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5312  int i;
5313  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5314  CHECK(wnaf[i] == 0);
5315  }
5316  for (i = 7; i >= 0; --i) {
5317  CHECK(wnaf[i] == wnaf_expected[i]);
5318  }
5319 }
5320 
5321 static void test_fixed_wnaf_small(void) {
5322  int w = 4;
5323  int wnaf[256] = {0};
5324  int i;
5325  int skew;
5326  secp256k1_scalar num;
5327 
5328  secp256k1_scalar_set_int(&num, 0);
5329  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5330  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5331  int v = wnaf[i];
5332  CHECK(v == 0);
5333  }
5334  CHECK(skew == 0);
5335 
5336  secp256k1_scalar_set_int(&num, 1);
5337  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5338  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5339  int v = wnaf[i];
5340  CHECK(v == 0);
5341  }
5342  CHECK(wnaf[0] == 1);
5343  CHECK(skew == 0);
5344 
5345  {
5346  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5347  secp256k1_scalar_set_int(&num, 0xffffffff);
5348  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5349  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5350  CHECK(skew == 0);
5351  }
5352  {
5353  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5354  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5355  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5356  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5357  CHECK(skew == 1);
5358  }
5359  {
5360  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5361  secp256k1_scalar_set_int(&num, 0x01010101);
5362  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5363  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5364  CHECK(skew == 0);
5365  }
5366  {
5367  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5368  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5369  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5370  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5371  CHECK(skew == 0);
5372  }
5373 }
5374 
5375 static void run_wnaf(void) {
5376  int i;
5377  secp256k1_scalar n;
5378 
5379  /* Test 0 for fixed wnaf */
5381  /* Random tests */
5382  for (i = 0; i < COUNT; i++) {
5383  random_scalar_order(&n);
5384  test_wnaf(&n, 4+(i%10));
5385  test_fixed_wnaf(&n, 4 + (i % 10));
5386  }
5387  secp256k1_scalar_set_int(&n, 0);
5388  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5390  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
5392 }
5393 
5394 static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5395  const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5396  *sc = *indata;
5397  *pt = secp256k1_ge_const_g;
5398  CHECK(idx == 0);
5399  return 1;
5400 }
5401 
5403  /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5404  secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5405  secp256k1_ge r;
5406  unsigned char bytes[65];
5407  size_t size = 65;
5411  secp256k1_ecmult(&rj2, &gj, x, &secp256k1_scalar_zero);
5412  secp256k1_ecmult(&rj3, &infj, &secp256k1_scalar_zero, x);
5413  secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
5414  secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &secp256k1_scalar_zero, test_ecmult_accumulate_cb, (void*)x, 1);
5416  secp256k1_ge_set_gej_var(&r, &rj1);
5417  CHECK(secp256k1_gej_eq_ge_var(&rj2, &r));
5418  CHECK(secp256k1_gej_eq_ge_var(&rj3, &r));
5419  CHECK(secp256k1_gej_eq_ge_var(&rj4, &r));
5420  CHECK(secp256k1_gej_eq_ge_var(&rj5, &r));
5421  CHECK(secp256k1_gej_eq_ge_var(&rj6, &r));
5422  if (secp256k1_ge_is_infinity(&r)) {
5423  /* Store infinity as 0x00 */
5424  const unsigned char zerobyte[1] = {0};
5425  secp256k1_sha256_write(acc, zerobyte, 1);
5426  } else {
5427  /* Store other points using their uncompressed serialization. */
5428  secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5429  CHECK(size == 65);
5430  secp256k1_sha256_write(acc, bytes, size);
5431  }
5432 }
5433 
5434 static void test_ecmult_constants_2bit(void) {
5435  /* Using test_ecmult_accumulate, test ecmult for:
5436  * - For i in 0..36:
5437  * - Key i
5438  * - Key -i
5439  * - For i in 0..255:
5440  * - For j in 1..255 (only odd values):
5441  * - Key (j*2^i) mod order
5442  */
5443  secp256k1_scalar x;
5444  secp256k1_sha256 acc;
5445  unsigned char b32[32];
5446  int i, j;
5448 
5449  /* Expected hash of all the computed points; created with an independent
5450  * implementation. */
5451  static const unsigned char expected32[32] = {
5452  0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5453  0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5454  0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5455  0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5456  };
5458  for (i = 0; i <= 36; ++i) {
5459  secp256k1_scalar_set_int(&x, i);
5460  test_ecmult_accumulate(&acc, &x, scratch);
5461  secp256k1_scalar_negate(&x, &x);
5462  test_ecmult_accumulate(&acc, &x, scratch);
5463  };
5464  for (i = 0; i < 256; ++i) {
5465  for (j = 1; j < 256; j += 2) {
5466  int k;
5467  secp256k1_scalar_set_int(&x, j);
5468  for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5469  test_ecmult_accumulate(&acc, &x, scratch);
5470  }
5471  }
5472  secp256k1_sha256_finalize(&acc, b32);
5473  CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5474 
5476 }
5477 
5478 static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5479  /* Using test_ecmult_accumulate, test ecmult for:
5480  * - Key 0
5481  * - Key 1
5482  * - Key -1
5483  * - For i in range(iter):
5484  * - Key SHA256(LE32(prefix) || LE16(i))
5485  */
5486  secp256k1_scalar x;
5487  secp256k1_sha256 acc;
5488  unsigned char b32[32];
5489  unsigned char inp[6];
5490  size_t i;
5492 
5493  inp[0] = prefix & 0xFF;
5494  inp[1] = (prefix >> 8) & 0xFF;
5495  inp[2] = (prefix >> 16) & 0xFF;
5496  inp[3] = (prefix >> 24) & 0xFF;
5498  secp256k1_scalar_set_int(&x, 0);
5499  test_ecmult_accumulate(&acc, &x, scratch);
5500  secp256k1_scalar_set_int(&x, 1);
5501  test_ecmult_accumulate(&acc, &x, scratch);
5502  secp256k1_scalar_negate(&x, &x);
5503  test_ecmult_accumulate(&acc, &x, scratch);
5504 
5505  for (i = 0; i < iter; ++i) {
5506  secp256k1_sha256 gen;
5507  inp[4] = i & 0xff;
5508  inp[5] = (i >> 8) & 0xff;
5510  secp256k1_sha256_write(&gen, inp, sizeof(inp));
5511  secp256k1_sha256_finalize(&gen, b32);
5512  secp256k1_scalar_set_b32(&x, b32, NULL);
5513  test_ecmult_accumulate(&acc, &x, scratch);
5514  }
5515  secp256k1_sha256_finalize(&acc, b32);
5516  CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5517 
5519 }
5520 
5521 static void run_ecmult_constants(void) {
5522  /* Expected hashes of all points in the tests below. Computed using an
5523  * independent implementation. */
5524  static const unsigned char expected32_6bit20[32] = {
5525  0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5526  0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5527  0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5528  0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5529  };
5530  static const unsigned char expected32_8bit8[32] = {
5531  0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5532  0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5533  0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5534  0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5535  };
5536  /* For every combination of 6 bit positions out of 256, restricted to
5537  * 20-bit windows (i.e., the first and last bit position are no more than
5538  * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5539  * this test. */
5540  CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5541  test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5542  }
5543 
5544  /* For every combination of 8 consecutive bit positions, all 256 bit
5545  * patterns occur in the input scalars used in this test. */
5546  CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5547  test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5548  }
5549 
5550  CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5552  }
5553 }
5554 
5555 static void test_ecmult_gen_blind(void) {
5556  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5557  secp256k1_scalar key;
5558  secp256k1_scalar b;
5559  unsigned char seed32[32];
5560  secp256k1_gej pgej;
5561  secp256k1_gej pgej2;
5562  secp256k1_gej i;
5563  secp256k1_ge pge;
5565  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key);
5566  secp256k1_testrand256(seed32);
5567  b = CTX->ecmult_gen_ctx.blind;
5568  i = CTX->ecmult_gen_ctx.initial;
5571  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key);
5572  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5574  secp256k1_ge_set_gej(&pge, &pgej);
5575  CHECK(secp256k1_gej_eq_ge_var(&pgej2, &pge));
5576 }
5577 
5578 static void test_ecmult_gen_blind_reset(void) {
5579  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5580  secp256k1_scalar b;
5581  secp256k1_gej initial;
5583  b = CTX->ecmult_gen_ctx.blind;
5584  initial = CTX->ecmult_gen_ctx.initial;
5588 }
5589 
5590 static void run_ecmult_gen_blind(void) {
5591  int i;
5593  for (i = 0; i < 10; i++) {
5595  }
5596 }
5597 
5598 /***** ENDOMORPHISH TESTS *****/
5599 static void test_scalar_split(const secp256k1_scalar* full) {
5600  secp256k1_scalar s, s1, slam;
5601  const unsigned char zero[32] = {0};
5602  unsigned char tmp[32];
5603 
5604  secp256k1_scalar_split_lambda(&s1, &slam, full);
5605 
5606  /* check slam*lambda + s1 == full */
5608  secp256k1_scalar_add(&s, &s, &s1);
5609  CHECK(secp256k1_scalar_eq(&s, full));
5610 
5611  /* check that both are <= 128 bits in size */
5612  if (secp256k1_scalar_is_high(&s1)) {
5613  secp256k1_scalar_negate(&s1, &s1);
5614  }
5615  if (secp256k1_scalar_is_high(&slam)) {
5616  secp256k1_scalar_negate(&slam, &slam);
5617  }
5618 
5619  secp256k1_scalar_get_b32(tmp, &s1);
5620  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5621  secp256k1_scalar_get_b32(tmp, &slam);
5622  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5623 }
5624 
5625 
5626 static void run_endomorphism_tests(void) {
5627  unsigned i;
5628  static secp256k1_scalar s;
5632  test_scalar_split(&s);
5635  test_scalar_split(&s);
5636 
5637  for (i = 0; i < 100U * COUNT; ++i) {
5638  secp256k1_scalar full;
5639  random_scalar_order_test(&full);
5640  test_scalar_split(&full);
5641  }
5642  for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5644  }
5645 }
5646 
5647 static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5648  unsigned char pubkeyc[65];
5649  secp256k1_pubkey pubkey;
5650  secp256k1_ge ge;
5651  size_t pubkeyclen;
5652 
5653  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5654  /* Smaller sizes are tested exhaustively elsewhere. */
5655  int32_t i;
5656  memcpy(&pubkeyc[1], input, 64);
5657  SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5658  for (i = 0; i < 256; i++) {
5659  /* Try all type bytes. */
5660  int xpass;
5661  int ypass;
5662  int ysign;
5663  pubkeyc[0] = i;
5664  /* What sign does this point have? */
5665  ysign = (input[63] & 1) + 2;
5666  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5667  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5668  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5669  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5670  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5671  if (xpass || ypass) {
5672  /* These cases must parse. */
5673  unsigned char pubkeyo[65];
5674  size_t outl;
5675  memset(&pubkey, 0, sizeof(pubkey));
5676  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5677  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
5678  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5679  outl = 65;
5680  SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5681  CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5682  SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5683  CHECK(outl == 33);
5684  CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5685  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5686  if (ypass) {
5687  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5688  CHECK(pubkeyo[0] == ysign);
5689  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5690  memset(&pubkey, 0, sizeof(pubkey));
5691  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5692  secp256k1_pubkey_save(&pubkey, &ge);
5693  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5694  outl = 65;
5695  SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5696  CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5697  SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5698  CHECK(outl == 65);
5699  CHECK(pubkeyo[0] == 4);
5700  CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5701  }
5702  } else {
5703  /* These cases must fail to parse. */
5704  memset(&pubkey, 0xfe, sizeof(pubkey));
5705  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5706  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5707  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5708  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5709  }
5710  }
5711  }
5712 }
5713 
5714 static void run_ec_pubkey_parse_test(void) {
5715 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
5716  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5717  {
5718  /* Point with leading and trailing zeros in x and y serialization. */
5719  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5720  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5721  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5722  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5723  },
5724  {
5725  /* Point with x equal to a 3rd root of unity.*/
5726  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5727  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5728  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5729  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5730  },
5731  {
5732  /* Point with largest x. (1/2) */
5733  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5734  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5735  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5736  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5737  },
5738  {
5739  /* Point with largest x. (2/2) */
5740  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5741  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5742  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5743  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5744  },
5745  {
5746  /* Point with smallest x. (1/2) */
5747  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5748  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5749  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5750  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5751  },
5752  {
5753  /* Point with smallest x. (2/2) */
5754  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5755  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5756  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5757  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5758  },
5759  {
5760  /* Point with largest y. (1/3) */
5761  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5762  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5763  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5764  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5765  },
5766  {
5767  /* Point with largest y. (2/3) */
5768  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5769  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5770  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5771  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5772  },
5773  {
5774  /* Point with largest y. (3/3) */
5775  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5776  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5777  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5778  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5779  },
5780  {
5781  /* Point with smallest y. (1/3) */
5782  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5783  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5784  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5785  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5786  },
5787  {
5788  /* Point with smallest y. (2/3) */
5789  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5790  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5791  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5792  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5793  },
5794  {
5795  /* Point with smallest y. (3/3) */
5796  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5797  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5798  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5799  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5800  }
5801  };
5802 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5803  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5804  {
5805  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5806  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5807  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5808  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5809  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5810  },
5811  {
5812  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5813  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5814  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5815  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5816  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5817  },
5818  {
5819  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5820  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5821  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5822  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5823  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5824  },
5825  {
5826  /* x on curve, y is from y^2 = x^3 + 8. */
5827  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5828  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5829  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5830  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5831  }
5832  };
5833 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5834  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5835  {
5836  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5837  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5838  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5839  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5840  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5841  },
5842  {
5843  /* Valid if x overflow ignored (x = 1 mod p). */
5844  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5845  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5846  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5847  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5848  },
5849  {
5850  /* Valid if x overflow ignored (x = 1 mod p). */
5851  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5852  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5853  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5854  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5855  },
5856  {
5857  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5858  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5859  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5860  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5861  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5862  },
5863  {
5864  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5865  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5866  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5867  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5868  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5869  },
5870  {
5871  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5872  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5873  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5874  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5875  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5876  },
5877  {
5878  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5879  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5880  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5881  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5882  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5883  }
5884  };
5885  const unsigned char pubkeyc[66] = {
5886  /* Serialization of G. */
5887  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5888  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5889  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5890  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5891  0xB8, 0x00
5892  };
5893  unsigned char sout[65];
5894  unsigned char shortkey[2] = { 0 };
5895  secp256k1_ge ge;
5896  secp256k1_pubkey pubkey;
5897  size_t len;
5898  int32_t i;
5899 
5900  /* Nothing should be reading this far into pubkeyc. */
5901  SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
5902  /* Zero length claimed, fail, zeroize, no illegal arg error. */
5903  memset(&pubkey, 0xfe, sizeof(pubkey));
5904  SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
5905  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5906  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
5907  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5908  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5909  /* Length one claimed, fail, zeroize, no illegal arg error. */
5910  for (i = 0; i < 256 ; i++) {
5911  memset(&pubkey, 0xfe, sizeof(pubkey));
5912  shortkey[0] = i;
5913  SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
5914  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5915  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
5916  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5917  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5918  }
5919  /* Length two claimed, fail, zeroize, no illegal arg error. */
5920  for (i = 0; i < 65536 ; i++) {
5921  memset(&pubkey, 0xfe, sizeof(pubkey));
5922  shortkey[0] = i & 255;
5923  shortkey[1] = i >> 8;
5924  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5925  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
5926  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5927  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5928  }
5929  memset(&pubkey, 0xfe, sizeof(pubkey));
5930  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5931  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5932  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
5933  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5934  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5935  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5936  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65));
5937  /* NULL input string. Illegal arg and zeroize output. */
5938  memset(&pubkey, 0xfe, sizeof(pubkey));
5939  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5940  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65));
5941  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5942  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5943  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5944  memset(&pubkey, 0xfe, sizeof(pubkey));
5945  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5946  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
5947  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5948  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5949  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
5950  memset(&pubkey, 0xfe, sizeof(pubkey));
5951  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5952  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
5953  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5954  CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5955  /* Valid parse. */
5956  memset(&pubkey, 0, sizeof(pubkey));
5957  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5958  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
5959  CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
5960  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5961  SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
5962  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5963  SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
5964  SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
5965  SECP256K1_CHECKMEM_CHECK(&ge.infinity, sizeof(ge.infinity));
5967  /* secp256k1_ec_pubkey_serialize illegal args. */
5968  len = 65;
5970  CHECK(len == 0);
5972  len = 65;
5973  SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
5975  SECP256K1_CHECKMEM_CHECK(sout, 65);
5976  CHECK(len == 0);
5977  len = 65;
5978  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0));
5979  CHECK(len == 0);
5980  len = 65;
5981  SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
5983  SECP256K1_CHECKMEM_CHECK(sout, 65);
5984  CHECK(len == 65);
5985  /* Multiple illegal args. Should still set arg error only once. */
5986  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65));
5987  /* Try a bunch of prefabbed points with all possible encodings. */
5988  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
5989  ec_pubkey_parse_pointtest(valid[i], 1, 1);
5990  }
5991  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
5992  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
5993  }
5994  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
5995  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
5996  }
5997 }
5998 
5999 static void run_eckey_edge_case_test(void) {
6000  const unsigned char orderc[32] = {
6001  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6002  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6003  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6004  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
6005  };
6006  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6007  unsigned char ctmp[33];
6008  unsigned char ctmp2[33];
6009  secp256k1_pubkey pubkey;
6010  secp256k1_pubkey pubkey2;
6011  secp256k1_pubkey pubkey_one;
6012  secp256k1_pubkey pubkey_negone;
6013  const secp256k1_pubkey *pubkeys[3];
6014  size_t len;
6015  /* Group order is too large, reject. */
6016  CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6017  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6018  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6019  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6020  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6021  /* Maximum value is too large, reject. */
6022  memset(ctmp, 255, 32);
6023  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6024  memset(&pubkey, 1, sizeof(pubkey));
6025  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6026  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6027  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6028  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6029  /* Zero is too small, reject. */
6030  memset(ctmp, 0, 32);
6031  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6032  memset(&pubkey, 1, sizeof(pubkey));
6033  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6034  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6035  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6036  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6037  /* One must be accepted. */
6038  ctmp[31] = 0x01;
6039  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6040  memset(&pubkey, 0, sizeof(pubkey));
6041  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6042  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6043  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6044  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6045  pubkey_one = pubkey;
6046  /* Group order + 1 is too large, reject. */
6047  memcpy(ctmp, orderc, 32);
6048  ctmp[31] = 0x42;
6049  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6050  memset(&pubkey, 1, sizeof(pubkey));
6051  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6052  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6053  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6054  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6055  /* -1 must be accepted. */
6056  ctmp[31] = 0x40;
6057  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6058  memset(&pubkey, 0, sizeof(pubkey));
6059  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6060  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6061  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6062  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6063  pubkey_negone = pubkey;
6064  /* Tweak of zero leaves the value unchanged. */
6065  memset(ctmp2, 0, 32);
6066  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6067  CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6068  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6069  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6070  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6071  /* Multiply tweak of zero zeroizes the output. */
6072  CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6073  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6074  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6075  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6076  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6077  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6078  seckey, the seckey is zeroized. */
6079  memcpy(ctmp, orderc, 32);
6080  memset(ctmp2, 0, 32);
6081  ctmp2[31] = 0x01;
6082  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6083  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6084  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6085  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6086  memcpy(ctmp, orderc, 32);
6087  CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6088  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6089  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6090  tweak, the seckey is zeroized. */
6091  memcpy(ctmp, orderc, 32);
6092  ctmp[31] = 0x40;
6093  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6094  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6095  memcpy(ctmp, orderc, 32);
6096  ctmp[31] = 0x40;
6097  CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6098  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6099  memcpy(ctmp, orderc, 32);
6100  ctmp[31] = 0x40;
6101  /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6102  tweak, the pubkey is zeroized. */
6103  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6104  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6105  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6106  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6107  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6108  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6109  /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6110  * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6111  * case the pubkey is zeroized. */
6112  memcpy(ctmp, orderc, 32);
6113  ctmp[31] = 0x40;
6114  memset(ctmp2, 0, 32);
6115  ctmp2[31] = 1;
6116  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6117  CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6118  ctmp2[31] = 1;
6119  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6120  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6121  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6122  /* Tweak computation wraps and results in a key of 1. */
6123  ctmp2[31] = 2;
6124  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6125  CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6126  ctmp2[31] = 2;
6127  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6128  ctmp2[31] = 1;
6129  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6130  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6131  /* Tweak mul * 2 = 1+1. */
6132  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6133  ctmp2[31] = 2;
6134  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6135  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6136  /* Zeroize pubkey on parse error. */
6137  memset(&pubkey, 0, 32);
6139  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6140  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6141  memset(&pubkey2, 0, 32);
6142  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2));
6143  CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6144  /* Plain argument errors. */
6145  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6147  memset(ctmp2, 0, 32);
6148  ctmp2[31] = 4;
6151  memset(ctmp2, 0, 32);
6152  ctmp2[31] = 4;
6155  memset(ctmp2, 0, 32);
6158  memset(ctmp2, 0, 32);
6159  ctmp2[31] = 1;
6163  memset(&pubkey, 1, sizeof(pubkey));
6164  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL));
6165  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6166  /* secp256k1_ec_pubkey_combine tests. */
6167  pubkeys[0] = &pubkey_one;
6168  SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6169  SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6170  SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6171  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6173  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0));
6174  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6175  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6176  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1));
6177  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6178  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6180  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1));
6181  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6182  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6183  pubkeys[0] = &pubkey_negone;
6184  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6186  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6187  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6188  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6189  len = 33;
6190  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6191  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6192  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6193  /* Result is infinity. */
6194  pubkeys[0] = &pubkey_one;
6195  pubkeys[1] = &pubkey_negone;
6196  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6198  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6199  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6200  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6201  /* Passes through infinity but comes out one. */
6202  pubkeys[2] = &pubkey_one;
6203  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6205  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6206  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6207  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6208  len = 33;
6209  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6210  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6211  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6212  /* Adds to two. */
6213  pubkeys[1] = &pubkey_one;
6214  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6216  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6217  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6218  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6219 }
6220 
6221 static void run_eckey_negate_test(void) {
6222  unsigned char seckey[32];
6223  unsigned char seckey_tmp[32];
6224 
6225  random_scalar_order_b32(seckey);
6226  memcpy(seckey_tmp, seckey, 32);
6227 
6228  /* Verify negation changes the key and changes it back */
6229  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6230  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6231  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6232  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6233 
6234  /* Check that privkey alias gives same result */
6235  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6236  CHECK(secp256k1_ec_privkey_negate(CTX, seckey_tmp) == 1);
6237  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6238 
6239  /* Negating all 0s fails */
6240  memset(seckey, 0, 32);
6241  memset(seckey_tmp, 0, 32);
6242  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6243  /* Check that seckey is not modified */
6244  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6245 
6246  /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6247  * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6248  * doesn't just set seckey to a constant value in case of failure. */
6249  random_scalar_order_b32(seckey);
6250  memset(seckey, 0xFF, 16);
6251  memset(seckey_tmp, 0, 32);
6252  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6253  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6254 }
6255 
6256 static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6258  do {
6260  } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6261 }
6262 
6263 static void test_ecdsa_sign_verify(void) {
6264  secp256k1_gej pubj;
6265  secp256k1_ge pub;
6266  secp256k1_scalar one;
6267  secp256k1_scalar msg, key;
6268  secp256k1_scalar sigr, sigs;
6269  int getrec;
6270  int recid;
6273  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key);
6274  secp256k1_ge_set_gej(&pub, &pubj);
6275  getrec = secp256k1_testrand_bits(1);
6276  /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6277  See the commit messages of the commit that introduced this comment for details. */
6278  if (getrec) {
6279  random_sign(&sigr, &sigs, &key, &msg, &recid);
6280  CHECK(recid >= 0 && recid < 4);
6281  } else {
6282  random_sign(&sigr, &sigs, &key, &msg, NULL);
6283  }
6284  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6285  secp256k1_scalar_set_int(&one, 1);
6286  secp256k1_scalar_add(&msg, &msg, &one);
6287  CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6288 }
6289 
6290 static void run_ecdsa_sign_verify(void) {
6291  int i;
6292  for (i = 0; i < 10*COUNT; i++) {
6294  }
6295 }
6296 
6298 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6299  (void)msg32;
6300  (void)key32;
6301  (void)algo16;
6302  memcpy(nonce32, data, 32);
6303  return (counter == 0);
6304 }
6305 
6306 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6307  /* Dummy nonce generator that has a fatal error on the first counter value. */
6308  if (counter == 0) {
6309  return 0;
6310  }
6311  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6312 }
6313 
6314 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6315  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6316  if (counter < 3) {
6317  memset(nonce32, counter==0 ? 0 : 255, 32);
6318  if (counter == 2) {
6319  nonce32[31]--;
6320  }
6321  return 1;
6322  }
6323  if (counter < 5) {
6324  static const unsigned char order[] = {
6325  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6326  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6327  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6328  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
6329  };
6330  memcpy(nonce32, order, 32);
6331  if (counter == 4) {
6332  nonce32[31]++;
6333  }
6334  return 1;
6335  }
6336  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6337  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6338  if (counter > 5) {
6339  return 0;
6340  }
6341  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6342 }
6343 
6345  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6346  return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6347 }
6348 
6349 static void test_ecdsa_end_to_end(void) {
6350  unsigned char extra[32] = {0x00};
6351  unsigned char privkey[32];
6352  unsigned char message[32];
6353  unsigned char privkey2[32];
6354  secp256k1_ecdsa_signature signature[6];
6355  secp256k1_scalar r, s;
6356  unsigned char sig[74];
6357  size_t siglen = 74;
6358  unsigned char pubkeyc[65];
6359  size_t pubkeyclen = 65;
6360  secp256k1_pubkey pubkey;
6361  secp256k1_pubkey pubkey_tmp;
6362  unsigned char seckey[300];
6363  size_t seckeylen = 300;
6364 
6365  /* Generate a random key and message. */
6366  {
6367  secp256k1_scalar msg, key;
6370  secp256k1_scalar_get_b32(privkey, &key);
6371  secp256k1_scalar_get_b32(message, &msg);
6372  }
6373 
6374  /* Construct and verify corresponding public key. */
6375  CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
6376  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
6377 
6378  /* Verify exporting and importing public key. */
6380  memset(&pubkey, 0, sizeof(pubkey));
6381  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
6382 
6383  /* Verify negation changes the key and changes it back */
6384  memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6385  CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6386  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6387  CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6388  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6389 
6390  /* Verify private key import and export. */
6391  CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
6392  CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
6393  CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6394 
6395  /* Optionally tweak the keys using addition. */
6396  if (secp256k1_testrand_int(3) == 0) {
6397  int ret1;
6398  int ret2;
6399  int ret3;
6400  unsigned char rnd[32];
6401  unsigned char privkey_tmp[32];
6402  secp256k1_pubkey pubkey2;
6404  memcpy(privkey_tmp, privkey, 32);
6405  ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
6406  ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
6407  /* Check that privkey alias gives same result */
6408  ret3 = secp256k1_ec_privkey_tweak_add(CTX, privkey_tmp, rnd);
6409  CHECK(ret1 == ret2);
6410  CHECK(ret2 == ret3);
6411  if (ret1 == 0) {
6412  return;
6413  }
6414  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6415  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6416  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6417  }
6418 
6419  /* Optionally tweak the keys using multiplication. */
6420  if (secp256k1_testrand_int(3) == 0) {
6421  int ret1;
6422  int ret2;
6423  int ret3;
6424  unsigned char rnd[32];
6425  unsigned char privkey_tmp[32];
6426  secp256k1_pubkey pubkey2;
6428  memcpy(privkey_tmp, privkey, 32);
6429  ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
6430  ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
6431  /* Check that privkey alias gives same result */
6432  ret3 = secp256k1_ec_privkey_tweak_mul(CTX, privkey_tmp, rnd);
6433  CHECK(ret1 == ret2);
6434  CHECK(ret2 == ret3);
6435  if (ret1 == 0) {
6436  return;
6437  }
6438  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6439  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6440  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6441  }
6442 
6443  /* Sign. */
6444  CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
6445  CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
6446  CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
6447  extra[31] = 1;
6448  CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
6449  extra[31] = 0;
6450  extra[0] = 1;
6451  CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
6452  CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6453  CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6454  CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6455  CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6456  CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6457  CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6458  CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6459  /* Verify. */
6460  CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6461  CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
6462  CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
6463  CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
6464  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6465  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
6466  secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
6467  secp256k1_scalar_negate(&s, &s);
6468  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6469  CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
6470  CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6471  CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6472  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6473  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6474  CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6475  secp256k1_scalar_negate(&s, &s);
6476  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6477  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6478  CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6479  CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6480 
6481  /* Serialize/parse DER and verify again */
6482  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6483  memset(&signature[0], 0, sizeof(signature[0]));
6484  CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
6485  CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6486  /* Serialize/destroy/parse DER and verify again. */
6487  siglen = 74;
6488  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6489  sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
6490  CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
6491  secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
6492 }
6493 
6494 static void test_random_pubkeys(void) {
6495  secp256k1_ge elem;
6496  secp256k1_ge elem2;
6497  unsigned char in[65];
6498  /* Generate some randomly sized pubkeys. */
6499  size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
6500  if (secp256k1_testrand_bits(2) == 0) {
6501  len = secp256k1_testrand_bits(6);
6502  }
6503  if (len == 65) {
6504  in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
6505  } else {
6506  in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
6507  }
6508  if (secp256k1_testrand_bits(3) == 0) {
6509  in[0] = secp256k1_testrand_bits(8);
6510  }
6511  if (len > 1) {
6512  secp256k1_testrand256(&in[1]);
6513  }
6514  if (len > 33) {
6515  secp256k1_testrand256(&in[33]);
6516  }
6517  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6518  unsigned char out[65];
6519  unsigned char firstb;
6520  int res;
6521  size_t size = len;
6522  firstb = in[0];
6523  /* If the pubkey can be parsed, it should round-trip... */
6524  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6525  CHECK(size == len);
6526  CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6527  /* ... except for the type of hybrid inputs. */
6528  if ((in[0] != 6) && (in[0] != 7)) {
6529  CHECK(in[0] == out[0]);
6530  }
6531  size = 65;
6532  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6533  CHECK(size == 65);
6534  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6535  CHECK(secp256k1_ge_eq_var(&elem2, &elem));
6536  /* Check that the X9.62 hybrid type is checked. */
6537  in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
6538  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6539  if (firstb == 2 || firstb == 3) {
6540  if (in[0] == firstb + 4) {
6541  CHECK(res);
6542  } else {
6543  CHECK(!res);
6544  }
6545  }
6546  if (res) {
6547  CHECK(secp256k1_ge_eq_var(&elem, &elem2));
6548  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6549  CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6550  }
6551  }
6552 }
6553 
6554 static void run_pubkey_comparison(void) {
6555  unsigned char pk1_ser[33] = {
6556  0x02,
6557  0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6558  0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6559  };
6560  const unsigned char pk2_ser[33] = {
6561  0x02,
6562  0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6563  0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6564  };
6565  secp256k1_pubkey pk1;
6566  secp256k1_pubkey pk2;
6567 
6568  CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6569  CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6570 
6573  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6574  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6575  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
6576  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
6577  {
6578  secp256k1_pubkey pk_tmp;
6579  memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6580  CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk2) < 0));
6581  {
6582  int32_t ecount = 0;
6584  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
6585  CHECK(ecount == 2);
6587  }
6588  CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk_tmp) > 0));
6589  }
6590 
6591  /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6592  * an uncompressed encoding, these would have the opposite ordering */
6593  pk1_ser[0] = 3;
6594  CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6595  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6596  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6597 }
6598 
6599 static void run_random_pubkeys(void) {
6600  int i;
6601  for (i = 0; i < 10*COUNT; i++) {
6603  }
6604 }
6605 
6606 static void run_ecdsa_end_to_end(void) {
6607  int i;
6608  for (i = 0; i < 64*COUNT; i++) {
6610  }
6611 }
6612 
6613 static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6614  static const unsigned char zeroes[32] = {0};
6615 
6616  int ret = 0;
6617 
6618  secp256k1_ecdsa_signature sig_der;
6619  unsigned char roundtrip_der[2048];
6620  unsigned char compact_der[64];
6621  size_t len_der = 2048;
6622  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6623 
6624  secp256k1_ecdsa_signature sig_der_lax;
6625  unsigned char roundtrip_der_lax[2048];
6626  unsigned char compact_der_lax[64];
6627  size_t len_der_lax = 2048;
6628  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6629 
6630  parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
6631  if (parsed_der) {
6632  ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
6633  valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6634  }
6635  if (valid_der) {
6636  ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
6637  roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6638  }
6639 
6640  parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
6641  if (parsed_der_lax) {
6642  ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
6643  valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6644  }
6645  if (valid_der_lax) {
6646  ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6647  roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6648  }
6649 
6650  if (certainly_der) {
6651  ret |= (!parsed_der) << 2;
6652  }
6653  if (certainly_not_der) {
6654  ret |= (parsed_der) << 17;
6655  }
6656  if (valid_der) {
6657  ret |= (!roundtrips_der) << 3;
6658  }
6659 
6660  if (valid_der) {
6661  ret |= (!roundtrips_der_lax) << 12;
6662  ret |= (len_der != len_der_lax) << 13;
6663  ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6664  }
6665  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6666  if (parsed_der) {
6667  ret |= (!parsed_der_lax) << 16;
6668  }
6669 
6670  return ret;
6671 }
6672 
6673 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6674  size_t i;
6675  for (i = 0; i < ptrlen; i++) {
6676  int shift = ptrlen - 1 - i;
6677  if (shift >= 4) {
6678  ptr[i] = 0;
6679  } else {
6680  ptr[i] = (val >> shift) & 0xFF;
6681  }
6682  }
6683 }
6684 
6685 static void damage_array(unsigned char *sig, size_t *len) {
6686  int pos;
6687  int action = secp256k1_testrand_bits(3);
6688  if (action < 1 && *len > 3) {
6689  /* Delete a byte. */
6690  pos = secp256k1_testrand_int(*len);
6691  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6692  (*len)--;
6693  return;
6694  } else if (action < 2 && *len < 2048) {
6695  /* Insert a byte. */
6696  pos = secp256k1_testrand_int(1 + *len);
6697  memmove(sig + pos + 1, sig + pos, *len - pos);
6698  sig[pos] = secp256k1_testrand_bits(8);
6699  (*len)++;
6700  return;
6701  } else if (action < 4) {
6702  /* Modify a byte. */
6703  sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
6704  return;
6705  } else { /* action < 8 */
6706  /* Modify a bit. */
6707  sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
6708  return;
6709  }
6710 }
6711 
6712 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6713  int der;
6714  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6715  size_t tlen, elen, glen;
6716  int indet;
6717  int n;
6718 
6719  *len = 0;
6720  der = secp256k1_testrand_bits(2) == 0;
6721  *certainly_der = der;
6722  *certainly_not_der = 0;
6723  indet = der ? 0 : secp256k1_testrand_int(10) == 0;
6724 
6725  for (n = 0; n < 2; n++) {
6726  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6727  nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
6728  /* The length of the number in bytes (the first byte of which will always be nonzero) */
6729  nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
6730  CHECK(nlen[n] <= 232);
6731  /* The top bit of the number. */
6732  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
6733  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6734  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
6735  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6736  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
6737  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6738  *certainly_not_der = 1;
6739  }
6740  CHECK(nlen[n] + nzlen[n] <= 300);
6741  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6742  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6743  if (!der) {
6744  /* nlenlen[n] max 127 bytes */
6745  int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6746  nlenlen[n] += add;
6747  if (add != 0) {
6748  *certainly_not_der = 1;
6749  }
6750  }
6751  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6752  }
6753 
6754  /* The total length of the data to go, so far */
6755  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6756  CHECK(tlen <= 856);
6757 
6758  /* The length of the garbage inside the tuple. */
6759  elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
6760  if (elen != 0) {
6761  *certainly_not_der = 1;
6762  }
6763  tlen += elen;
6764  CHECK(tlen <= 980);
6765 
6766  /* The length of the garbage after the end of the tuple. */
6767  glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
6768  if (glen != 0) {
6769  *certainly_not_der = 1;
6770  }
6771  CHECK(tlen + glen <= 990);
6772 
6773  /* Write the tuple header. */
6774  sig[(*len)++] = 0x30;
6775  if (indet) {
6776  /* Indeterminate length */
6777  sig[(*len)++] = 0x80;
6778  *certainly_not_der = 1;
6779  } else {
6780  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6781  if (!der) {
6782  int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6783  tlenlen += add;
6784  if (add != 0) {
6785  *certainly_not_der = 1;
6786  }
6787  }
6788  if (tlenlen == 0) {
6789  /* Short length notation */
6790  sig[(*len)++] = tlen;
6791  } else {
6792  /* Long length notation */
6793  sig[(*len)++] = 128 + tlenlen;
6794  assign_big_endian(sig + *len, tlenlen, tlen);
6795  *len += tlenlen;
6796  }
6797  tlen += tlenlen;
6798  }
6799  tlen += 2;
6800  CHECK(tlen + glen <= 1119);
6801 
6802  for (n = 0; n < 2; n++) {
6803  /* Write the integer header. */
6804  sig[(*len)++] = 0x02;
6805  if (nlenlen[n] == 0) {
6806  /* Short length notation */
6807  sig[(*len)++] = nlen[n] + nzlen[n];
6808  } else {
6809  /* Long length notation. */
6810  sig[(*len)++] = 128 + nlenlen[n];
6811  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6812  *len += nlenlen[n];
6813  }
6814  /* Write zero padding */
6815  while (nzlen[n] > 0) {
6816  sig[(*len)++] = 0x00;
6817  nzlen[n]--;
6818  }
6819  if (nlen[n] == 32 && !nlow[n]) {
6820  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6821  int i;
6822  for (i = 0; i < 16; i++) {
6823  sig[(*len)++] = 0xFF;
6824  }
6825  nlen[n] -= 16;
6826  }
6827  /* Write first byte of number */
6828  if (nlen[n] > 0) {
6829  sig[(*len)++] = nhbyte[n];
6830  nlen[n]--;
6831  }
6832  /* Generate remaining random bytes of number */
6833  secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
6834  *len += nlen[n];
6835  nlen[n] = 0;
6836  }
6837 
6838  /* Generate random garbage inside tuple. */
6839  secp256k1_testrand_bytes_test(sig + *len, elen);
6840  *len += elen;
6841 
6842  /* Generate end-of-contents bytes. */
6843  if (indet) {
6844  sig[(*len)++] = 0;
6845  sig[(*len)++] = 0;
6846  tlen += 2;
6847  }
6848  CHECK(tlen + glen <= 1121);
6849 
6850  /* Generate random garbage outside tuple. */
6851  secp256k1_testrand_bytes_test(sig + *len, glen);
6852  *len += glen;
6853  tlen += glen;
6854  CHECK(tlen <= 1121);
6855  CHECK(tlen == *len);
6856 }
6857 
6858 static void run_ecdsa_der_parse(void) {
6859  int i,j;
6860  for (i = 0; i < 200 * COUNT; i++) {
6861  unsigned char buffer[2048];
6862  size_t buflen = 0;
6863  int certainly_der = 0;
6864  int certainly_not_der = 0;
6865  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
6866  CHECK(buflen <= 2048);
6867  for (j = 0; j < 16; j++) {
6868  int ret = 0;
6869  if (j > 0) {
6870  damage_array(buffer, &buflen);
6871  /* We don't know anything anymore about the DERness of the result */
6872  certainly_der = 0;
6873  certainly_not_der = 0;
6874  }
6875  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
6876  if (ret != 0) {
6877  size_t k;
6878  fprintf(stderr, "Failure %x on ", ret);
6879  for (k = 0; k < buflen; k++) {
6880  fprintf(stderr, "%02x ", buffer[k]);
6881  }
6882  fprintf(stderr, "\n");
6883  }
6884  CHECK(ret == 0);
6885  }
6886  }
6887 }
6888 
6889 /* Tests several edge cases. */
6890 static void test_ecdsa_edge_cases(void) {
6891  int t;
6893 
6894  /* Test the case where ECDSA recomputes a point that is infinity. */
6895  {
6896  secp256k1_gej keyj;
6897  secp256k1_ge key;
6899  secp256k1_scalar sr, ss;
6900  secp256k1_scalar_set_int(&ss, 1);
6901  secp256k1_scalar_negate(&ss, &ss);
6902  secp256k1_scalar_inverse(&ss, &ss);
6903  secp256k1_scalar_set_int(&sr, 1);
6904  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &keyj, &sr);
6905  secp256k1_ge_set_gej(&key, &keyj);
6906  msg = ss;
6907  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6908  }
6909 
6910  /* Verify signature with r of zero fails. */
6911  {
6912  const unsigned char pubkey_mods_zero[33] = {
6913  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6914  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6915  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6916  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6917  0x41
6918  };
6919  secp256k1_ge key;
6921  secp256k1_scalar sr, ss;
6922  secp256k1_scalar_set_int(&ss, 1);
6924  secp256k1_scalar_set_int(&sr, 0);
6925  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
6926  CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
6927  }
6928 
6929  /* Verify signature with s of zero fails. */
6930  {
6931  const unsigned char pubkey[33] = {
6932  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6933  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6934  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6935  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6936  0x01
6937  };
6938  secp256k1_ge key;
6940  secp256k1_scalar sr, ss;
6941  secp256k1_scalar_set_int(&ss, 0);
6943  secp256k1_scalar_set_int(&sr, 1);
6944  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6945  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6946  }
6947 
6948  /* Verify signature with message 0 passes. */
6949  {
6950  const unsigned char pubkey[33] = {
6951  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6952  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6953  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6954  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6955  0x02
6956  };
6957  const unsigned char pubkey2[33] = {
6958  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6959  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6960  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6961  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6962  0x43
6963  };
6964  secp256k1_ge key;
6965  secp256k1_ge key2;
6967  secp256k1_scalar sr, ss;
6968  secp256k1_scalar_set_int(&ss, 2);
6970  secp256k1_scalar_set_int(&sr, 2);
6971  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6972  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
6973  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6974  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6975  secp256k1_scalar_negate(&ss, &ss);
6976  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6977  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6978  secp256k1_scalar_set_int(&ss, 1);
6979  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6980  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
6981  }
6982 
6983  /* Verify signature with message 1 passes. */
6984  {
6985  const unsigned char pubkey[33] = {
6986  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
6987  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
6988  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
6989  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
6990  0x25
6991  };
6992  const unsigned char pubkey2[33] = {
6993  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
6994  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
6995  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
6996  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
6997  0x62
6998  };
6999  const unsigned char csr[32] = {
7000  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7001  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7002  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7003  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
7004  };
7005  secp256k1_ge key;
7006  secp256k1_ge key2;
7008  secp256k1_scalar sr, ss;
7009  secp256k1_scalar_set_int(&ss, 1);
7011  secp256k1_scalar_set_b32(&sr, csr, NULL);
7012  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7013  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7014  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7015  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7016  secp256k1_scalar_negate(&ss, &ss);
7017  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7018  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7019  secp256k1_scalar_set_int(&ss, 2);
7020  secp256k1_scalar_inverse_var(&ss, &ss);
7021  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7022  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7023  }
7024 
7025  /* Verify signature with message -1 passes. */
7026  {
7027  const unsigned char pubkey[33] = {
7028  0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
7029  0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
7030  0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
7031  0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
7032  0xf1
7033  };
7034  const unsigned char csr[32] = {
7035  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7036  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7037  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7038  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
7039  };
7040  secp256k1_ge key;
7042  secp256k1_scalar sr, ss;
7043  secp256k1_scalar_set_int(&ss, 1);
7046  secp256k1_scalar_set_b32(&sr, csr, NULL);
7047  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7048  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7049  secp256k1_scalar_negate(&ss, &ss);
7050  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7051  secp256k1_scalar_set_int(&ss, 3);
7052  secp256k1_scalar_inverse_var(&ss, &ss);
7053  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7054  }
7055 
7056  /* Signature where s would be zero. */
7057  {
7058  secp256k1_pubkey pubkey;
7059  size_t siglen;
7060  unsigned char signature[72];
7061  static const unsigned char nonce[32] = {
7062  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7063  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7064  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7065  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7066  };
7067  static const unsigned char nonce2[32] = {
7068  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
7069  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
7070  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
7071  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
7072  };
7073  const unsigned char key[32] = {
7074  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7075  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7076  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7077  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7078  };
7079  unsigned char msg[32] = {
7080  0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
7081  0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
7082  0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
7083  0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
7084  };
7086  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
7087  msg[31] = 0xaa;
7092  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
7093  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
7094  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey));
7095  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey));
7097  CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
7098  CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL));
7099  /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7100  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey));
7101  siglen = 72;
7104  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL));
7105  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
7106  CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen));
7108  CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
7109  siglen = 10;
7110  /* Too little room for a signature does not fail via ARGCHECK. */
7111  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
7115  CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, &sig) == 1);
7118  CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1);
7119  memset(signature, 255, 64);
7120  CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0);
7121  }
7122 
7123  /* Nonce function corner cases. */
7124  for (t = 0; t < 2; t++) {
7125  static const unsigned char zero[32] = {0x00};
7126  int i;
7127  unsigned char key[32];
7128  unsigned char msg[32];
7130  secp256k1_scalar sr[512], ss;
7131  const unsigned char *extra;
7132  extra = t == 0 ? NULL : zero;
7133  memset(msg, 0, 32);
7134  msg[31] = 1;
7135  /* High key results in signature failure. */
7136  memset(key, 0xFF, 32);
7137  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7138  CHECK(is_empty_signature(&sig));
7139  /* Zero key results in signature failure. */
7140  memset(key, 0, 32);
7141  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7142  CHECK(is_empty_signature(&sig));
7143  /* Nonce function failure results in signature failure. */
7144  key[31] = 1;
7145  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7146  CHECK(is_empty_signature(&sig));
7147  /* The retry loop successfully makes its way to the first good value. */
7148  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7149  CHECK(!is_empty_signature(&sig));
7150  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7151  CHECK(!is_empty_signature(&sig2));
7152  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7153  /* The default nonce function is deterministic. */
7154  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7155  CHECK(!is_empty_signature(&sig2));
7156  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7157  /* The default nonce function changes output with different messages. */
7158  for(i = 0; i < 256; i++) {
7159  int j;
7160  msg[0] = i;
7161  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7162  CHECK(!is_empty_signature(&sig2));
7163  secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7164  for (j = 0; j < i; j++) {
7165  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7166  }
7167  }
7168  msg[0] = 0;
7169  msg[31] = 2;
7170  /* The default nonce function changes output with different keys. */
7171  for(i = 256; i < 512; i++) {
7172  int j;
7173  key[0] = i - 256;
7174  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7175  CHECK(!is_empty_signature(&sig2));
7176  secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7177  for (j = 0; j < i; j++) {
7178  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7179  }
7180  }
7181  key[0] = 0;
7182  }
7183 
7184  {
7185  /* Check that optional nonce arguments do not have equivalent effect. */
7186  const unsigned char zeros[32] = {0};
7187  unsigned char nonce[32];
7188  unsigned char nonce2[32];
7189  unsigned char nonce3[32];
7190  unsigned char nonce4[32];
7192  SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
7193  SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
7194  SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
7195  CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7197  CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7198  SECP256K1_CHECKMEM_CHECK(nonce2,32);
7199  CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7200  SECP256K1_CHECKMEM_CHECK(nonce3,32);
7201  CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7202  SECP256K1_CHECKMEM_CHECK(nonce4,32);
7203  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7204  CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7205  CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7206  CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7207  CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7208  CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7209  }
7210 
7211 
7212  /* Privkey export where pubkey is the point at infinity. */
7213  {
7214  unsigned char privkey[300];
7215  unsigned char seckey[32] = {
7216  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7217  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
7218  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
7219  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
7220  };
7221  size_t outlen = 300;
7222  CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
7223  outlen = 300;
7224  CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
7225  }
7226 }
7227 
7228 static void run_ecdsa_edge_cases(void) {
7230 }
7231 
7236 static void test_ecdsa_wycheproof(void) {
7238 
7239  int t;
7241  secp256k1_ecdsa_signature signature;
7242  secp256k1_sha256 hasher;
7243  secp256k1_pubkey pubkey;
7244  const unsigned char *msg, *sig, *pk;
7245  unsigned char out[32] = {0};
7246  int actual_verify = 0;
7247 
7248  memset(&pubkey, 0, sizeof(pubkey));
7250  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);
7251 
7252  secp256k1_sha256_initialize(&hasher);
7254  secp256k1_sha256_write(&hasher, msg, testvectors[t].msg_len);
7255  secp256k1_sha256_finalize(&hasher, out);
7256 
7258  if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
7259  actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
7260  }
7261  CHECK(testvectors[t].expected_verify == actual_verify);
7262  }
7263 }
7264 
7265 /* Tests cases from Wycheproof test suite. */
7266 static void run_ecdsa_wycheproof(void) {
7268 }
7269 
7270 #ifdef ENABLE_MODULE_ECDH
7271 # include "modules/ecdh/tests_impl.h"
7272 #endif
7273 
7274 #ifdef ENABLE_MODULE_RECOVERY
7276 #endif
7277 
7278 #ifdef ENABLE_MODULE_EXTRAKEYS
7280 #endif
7281 
7282 #ifdef ENABLE_MODULE_SCHNORRSIG
7284 #endif
7285 
7286 #ifdef ENABLE_MODULE_ELLSWIFT
7288 #endif
7289 
7290 static void run_secp256k1_memczero_test(void) {
7291  unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7292  unsigned char buf2[sizeof(buf1)];
7293 
7294  /* secp256k1_memczero(..., ..., 0) is a noop. */
7295  memcpy(buf2, buf1, sizeof(buf1));
7296  secp256k1_memczero(buf1, sizeof(buf1), 0);
7297  CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7298 
7299  /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7300  memset(buf2, 0, sizeof(buf2));
7301  secp256k1_memczero(buf1, sizeof(buf1) , 1);
7302  CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7303 }
7304 
7306  {
7307  const uint32_t x = 0xFF03AB45;
7308  const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7309  unsigned char buf[4];
7310  uint32_t x_;
7311 
7312  secp256k1_write_be32(buf, x);
7313  CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7314 
7315  x_ = secp256k1_read_be32(buf);
7316  CHECK(x == x_);
7317  }
7318 
7319  {
7320  const uint64_t x = 0xCAFE0123BEEF4567;
7321  const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67};
7322  unsigned char buf[8];
7323  uint64_t x_;
7324 
7325  secp256k1_write_be64(buf, x);
7326  CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7327 
7328  x_ = secp256k1_read_be64(buf);
7329  CHECK(x == x_);
7330  }
7331 }
7332 
7333 static void int_cmov_test(void) {
7334  int r = INT_MAX;
7335  int a = 0;
7336 
7337  secp256k1_int_cmov(&r, &a, 0);
7338  CHECK(r == INT_MAX);
7339 
7340  r = 0; a = INT_MAX;
7341  secp256k1_int_cmov(&r, &a, 1);
7342  CHECK(r == INT_MAX);
7343 
7344  a = 0;
7345  secp256k1_int_cmov(&r, &a, 1);
7346  CHECK(r == 0);
7347 
7348  a = 1;
7349  secp256k1_int_cmov(&r, &a, 1);
7350  CHECK(r == 1);
7351 
7352  r = 1; a = 0;
7353  secp256k1_int_cmov(&r, &a, 0);
7354  CHECK(r == 1);
7355 
7356 }
7357 
7358 static void fe_cmov_test(void) {
7359  static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7360  static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7361  static const secp256k1_fe max = SECP256K1_FE_CONST(
7362  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7363  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7364  );
7365  secp256k1_fe r = max;
7366  secp256k1_fe a = zero;
7367 
7368  secp256k1_fe_cmov(&r, &a, 0);
7369  CHECK(fe_identical(&r, &max));
7370 
7371  r = zero; a = max;
7372  secp256k1_fe_cmov(&r, &a, 1);
7373  CHECK(fe_identical(&r, &max));
7374 
7375  a = zero;
7376  secp256k1_fe_cmov(&r, &a, 1);
7377  CHECK(fe_identical(&r, &zero));
7378 
7379  a = one;
7380  secp256k1_fe_cmov(&r, &a, 1);
7381  CHECK(fe_identical(&r, &one));
7382 
7383  r = one; a = zero;
7384  secp256k1_fe_cmov(&r, &a, 0);
7385  CHECK(fe_identical(&r, &one));
7386 }
7387 
7388 static void fe_storage_cmov_test(void) {
7389  static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7390  static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7392  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7393  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7394  );
7395  secp256k1_fe_storage r = max;
7396  secp256k1_fe_storage a = zero;
7397 
7398  secp256k1_fe_storage_cmov(&r, &a, 0);
7399  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7400 
7401  r = zero; a = max;
7402  secp256k1_fe_storage_cmov(&r, &a, 1);
7403  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7404 
7405  a = zero;
7406  secp256k1_fe_storage_cmov(&r, &a, 1);
7407  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7408 
7409  a = one;
7410  secp256k1_fe_storage_cmov(&r, &a, 1);
7411  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7412 
7413  r = one; a = zero;
7414  secp256k1_fe_storage_cmov(&r, &a, 0);
7415  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7416 }
7417 
7418 static void scalar_cmov_test(void) {
7419  static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7420  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
7421  0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
7422  );
7423  secp256k1_scalar r = max;
7425 
7426  secp256k1_scalar_cmov(&r, &a, 0);
7427  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7428 
7429  r = secp256k1_scalar_zero; a = max;
7430  secp256k1_scalar_cmov(&r, &a, 1);
7431  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7432 
7434  secp256k1_scalar_cmov(&r, &a, 1);
7435  CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0);
7436 
7438  secp256k1_scalar_cmov(&r, &a, 1);
7439  CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7440 
7442  secp256k1_scalar_cmov(&r, &a, 0);
7443  CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7444 }
7445 
7446 static void ge_storage_cmov_test(void) {
7447  static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7448  static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7450  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7451  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7452  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7453  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7454  );
7455  secp256k1_ge_storage r = max;
7456  secp256k1_ge_storage a = zero;
7457 
7458  secp256k1_ge_storage_cmov(&r, &a, 0);
7459  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7460 
7461  r = zero; a = max;
7462  secp256k1_ge_storage_cmov(&r, &a, 1);
7463  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7464 
7465  a = zero;
7466  secp256k1_ge_storage_cmov(&r, &a, 1);
7467  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7468 
7469  a = one;
7470  secp256k1_ge_storage_cmov(&r, &a, 1);
7471  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7472 
7473  r = one; a = zero;
7474  secp256k1_ge_storage_cmov(&r, &a, 0);
7475  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7476 }
7477 
7478 static void run_cmov_tests(void) {
7479  int_cmov_test();
7480  fe_cmov_test();
7482  scalar_cmov_test();
7484 }
7485 
7486 int main(int argc, char **argv) {
7487  /* Disable buffering for stdout to improve reliability of getting
7488  * diagnostic information. Happens right at the start of main because
7489  * setbuf must be used before any other operation on the stream. */
7490  setbuf(stdout, NULL);
7491  /* Also disable buffering for stderr because it's not guaranteed that it's
7492  * unbuffered on all systems. */
7493  setbuf(stderr, NULL);
7494 
7495  /* find iteration count */
7496  if (argc > 1) {
7497  COUNT = strtol(argv[1], NULL, 0);
7498  } else {
7499  const char* env = getenv("SECP256K1_TEST_ITERS");
7500  if (env && strlen(env) > 0) {
7501  COUNT = strtol(env, NULL, 0);
7502  }
7503  }
7504  if (COUNT <= 0) {
7505  fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7506  return EXIT_FAILURE;
7507  }
7508  printf("test count = %i\n", COUNT);
7509 
7510  /* run test RNG tests (must run before we really initialize the test RNG) */
7512 
7513  /* find random seed */
7514  secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
7515 
7516  /*** Setup test environment ***/
7517 
7518  /* Create a global context available to all tests */
7520  /* Randomize the context only with probability 15/16
7521  to make sure we test without context randomization from time to time.
7522  TODO Reconsider this when recalibrating the tests. */
7523  if (secp256k1_testrand_bits(4)) {
7524  unsigned char rand32[32];
7525  secp256k1_testrand256(rand32);
7527  }
7528  /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
7529  that write to the context. The API does not support cloning the static context, so we use
7530  memcpy instead. The user is not supposed to copy a context but we should still ensure that
7531  the API functions handle copies of the static context gracefully. */
7532  STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
7533  CHECK(STATIC_CTX != NULL);
7536 
7537  /*** Run actual tests ***/
7538 
7539  /* selftest tests */
7541 
7542  /* context tests */
7546 
7547  /* scratch tests */
7549 
7550  /* integer arithmetic tests */
7551 #ifdef SECP256K1_WIDEMUL_INT128
7552  run_int128_tests();
7553 #endif
7554  run_ctz_tests();
7555  run_modinv_tests();
7557 
7558  /* hash tests */
7564 
7565  /* scalar tests */
7566  run_scalar_tests();
7567 
7568  /* field tests */
7569  run_field_half();
7570  run_field_misc();
7573  run_fe_mul();
7574  run_sqr();
7575  run_sqrt();
7576 
7577  /* group tests */
7578  run_ge();
7579  run_gej();
7581 
7582  /* ecmult tests */
7583  run_ecmult_pre_g();
7584  run_wnaf();
7587  run_ecmult_chain();
7592  run_ec_combine();
7593 
7594  /* endomorphism tests */
7596 
7597  /* EC point parser test */
7599 
7600  /* EC key edge cases */
7602 
7603  /* EC key arithmetic test */
7605 
7606 #ifdef ENABLE_MODULE_ECDH
7607  /* ecdh tests */
7608  run_ecdh_tests();
7609 #endif
7610 
7611  /* ecdsa tests */
7620 
7621 #ifdef ENABLE_MODULE_RECOVERY
7622  /* ECDSA pubkey recovery tests */
7624 #endif
7625 
7626 #ifdef ENABLE_MODULE_EXTRAKEYS
7628 #endif
7629 
7630 #ifdef ENABLE_MODULE_SCHNORRSIG
7632 #endif
7633 
7634 #ifdef ENABLE_MODULE_ELLSWIFT
7636 #endif
7637 
7638  /* util tests */
7641 
7642  run_cmov_tests();
7643 
7644  /*** Tear down test environment ***/
7645  free(STATIC_CTX);
7647 
7649 
7650  printf("no problems found\n");
7651  return 0;
7652 }
int ret
int flags
Definition: bitcoin-tx.cpp:530
#define SECP256K1_CHECKMEM_UNDEFINE(p, len)
Definition: checkmem.h:83
#define SECP256K1_CHECKMEM_CHECK(p, len)
Definition: checkmem.h:85
static void run_ecdh_tests(void)
Definition: tests_impl.h:145
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
static const unsigned char wycheproof_ecdsa_signatures[]
static const unsigned char wycheproof_ecdsa_public_keys[]
static const unsigned char wycheproof_ecdsa_messages[]
#define SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
static const wycheproof_ecdsa_testvector testvectors[SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS]
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
static const secp256k1_scalar secp256k1_ecmult_const_K
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:607
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:737
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:403
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:418
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:162
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:358
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:578
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:728
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:798
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:645
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:816
void run_ellswift_tests(void)
Definition: tests_impl.h:179
volatile double sum
Definition: examples.cpp:10
static void run_extrakeys_tests(void)
Definition: tests_impl.h:470
#define secp256k1_fe_cmov
Definition: field.h:96
#define secp256k1_fe_negate(r, a, m)
Negate a field element.
Definition: field.h:216
#define secp256k1_fe_mul_int(r, a)
Multiply a field element with a small integer.
Definition: field.h:238
#define secp256k1_fe_normalizes_to_zero_var
Definition: field.h:82
#define secp256k1_fe_cmp_var
Definition: field.h:87
#define secp256k1_fe_normalize_weak
Definition: field.h:79
#define secp256k1_fe_is_odd
Definition: field.h:86
#define secp256k1_fe_mul
Definition: field.h:94
static const secp256k1_fe secp256k1_fe_one
Definition: field.h:68
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
#define secp256k1_fe_add
Definition: field.h:93
#define secp256k1_fe_clear
Definition: field.h:84
#define secp256k1_fe_normalize_var
Definition: field.h:80
#define secp256k1_fe_half
Definition: field.h:102
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p.
Definition: field.h:66
#define secp256k1_fe_to_storage
Definition: field.h:97
#define secp256k1_fe_inv_var
Definition: field.h:100
#define secp256k1_fe_is_zero
Definition: field.h:85
#define secp256k1_fe_mul_int_unchecked
Definition: field.h:92
#define secp256k1_fe_set_b32_limit
Definition: field.h:89
#define secp256k1_fe_is_square_var
Definition: field.h:104
#define secp256k1_fe_get_bounds
Definition: field.h:101
#define secp256k1_fe_from_storage
Definition: field.h:98
#define secp256k1_fe_set_b32_mod
Definition: field.h:88
#define secp256k1_fe_negate_unchecked
Definition: field.h:91
#define secp256k1_fe_get_b32
Definition: field.h:90
#define secp256k1_fe_normalizes_to_zero
Definition: field.h:81
#define secp256k1_fe_inv
Definition: field.h:99
#define secp256k1_fe_sqr
Definition: field.h:95
#define secp256k1_fe_normalize
Definition: field.h:78
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
#define secp256k1_fe_add_int
Definition: field.h:103
#define secp256k1_fe_set_int
Definition: field.h:83
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:54
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
#define SECP256K1_GE_X_MAGNITUDE_MAX
Maximum allowed magnitudes for group element coordinates in affine (x, y) and jacobian (x,...
Definition: group.h:49
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
static int secp256k1_ge_eq_var(const secp256k1_ge *a, const secp256k1_ge *b)
Check two group elements (affine) for equality in variable time.
static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x)
Determine whether x is a valid X coordinate on the curve.
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
#define SECP256K1_GEJ_Y_MAGNITUDE_MAX
Definition: group.h:52
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static int secp256k1_gej_eq_ge_var(const secp256k1_gej *a, const secp256k1_ge *b)
Check two group elements (jacobian and affine) for equality in variable time.
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd)
Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
#define SECP256K1_GE_Y_MAGNITUDE_MAX
Definition: group.h:50
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
#define SECP256K1_GEJ_Z_MAGNITUDE_MAX
Definition: group.h:53
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
#define SECP256K1_GEJ_X_MAGNITUDE_MAX
Definition: group.h:51
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:70
int128_t secp256k1_int128
Definition: int128_native.h:17
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
static void pool cs
unsigned int nonce
Definition: miner_tests.cpp:71
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static const auto ZERO
A stack consisting of a single zero-length element (interpreted as 0 by the script interpreter in num...
Definition: miniscript.h:326
Internal SHA-1 implementation.
Definition: sha1.cpp:16
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1077
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
#define WINDOW_G
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:42
static void run_recovery_tests(void)
Definition: tests_impl.h:327
const char * prefix
Definition: rest.cpp:1007
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a)
Multiply a scalar with the multiplicative inverse of 2.
static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*2^128 = k.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:79
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:968
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:323
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:142
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:212
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:226
#define ALIGNMENT
Definition: util.h:156
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:82
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:341
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:305
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:349
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char *p, uint64_t x)
Definition: util.h:369
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:77
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:294
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:282
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char *p)
Definition: util.h:357
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:193
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:81
const secp256k1_context * secp256k1_context_no_precomp
Definition: secp256k1.c:74
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:353
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:239
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:258
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:465
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:339
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:186
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:703
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:209
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:750
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:760
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:613
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:379
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:290
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:313
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:572
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:198
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:558
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:272
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:205
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:363
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:85
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:595
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:162
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:140
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:786
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:215
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:444
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:425
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t size) SECP256K1_ARG_NONNULL(1)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:222
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:686
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:216
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:400
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:632
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_add instead")
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:675
SECP256K1_API void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:227
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:208
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_negate instead")
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:628
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:659
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:727
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:412
SECP256K1_API const secp256k1_context * secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:236
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_mul instead")
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:723
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:111
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:175
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:91
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:151
secp256k1_scalar * sc
Definition: tests.c:4622
secp256k1_ge * pt
Definition: tests.c:4623
void(* fn)(const char *text, void *data)
Definition: util.h:68
const void * data
Definition: util.h:69
secp256k1_callback illegal_callback
Definition: secp256k1.c:62
secp256k1_callback error_callback
Definition: secp256k1.c:63
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:61
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:87
secp256k1_scalar blind
Definition: ecmult_gen.h:36
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
uint32_t n[10]
Definition: field_10x26.h:22
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
int infinity
Definition: group.h:19
secp256k1_fe x
Definition: group.h:17
secp256k1_fe y
Definition: group.h:18
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_fe y
Definition: group.h:30
secp256k1_fe x
Definition: group.h:29
int infinity
Definition: group.h:32
secp256k1_fe z
Definition: group.h:31
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:74
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
uint64_t bytes
Definition: hash.h:16
uint32_t s[8]
Definition: hash.h:14
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
static SECP256K1_INLINE void secp256k1_testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
static void secp256k1_testrand_finish(void)
Print final test information.
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
static void run_random_pubkeys(void)
Definition: tests.c:6599
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:70
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5241
static void run_inverse_tests(void)
Definition: tests.c:3421
static void counting_callback_fn(const char *str, void *data)
Definition: tests.c:81
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:968
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5647
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6263
static void test_ge(void)
Definition: tests.c:3691
#define CHECK_ERROR_VOID(ctx, expr_or_stmt)
Definition: tests.c:68
static void random_gej_x_magnitude(secp256k1_gej *gej)
Definition: tests.c:143
static void run_pubkey_comparison(void)
Definition: tests.c:6554
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6290
static void run_field_misc(void)
Definition: tests.c:3118
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5578
static void random_field_element_magnitude(secp256k1_fe *fe, int m)
Definition: tests.c:99
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5714
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:313
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6256
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6306
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6314
#define SECP256K1_EC_PARSE_TEST_NINVALID
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4864
static int COUNT
Definition: tests.c:40
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:866
static void random_fe_non_zero_test(secp256k1_fe *fe)
Definition: tests.c:125
static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar *q, const secp256k1_gej *res)
Definition: tests.c:4495
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:78
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3670
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:249
static void run_tagged_sha256_tests(void)
Definition: tests.c:822
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:668
static void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:209
static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:167
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5311
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:44
static void test_intialized_inf(void)
Definition: tests.c:3925
static void test_fixed_wnaf_small(void)
Definition: tests.c:5321
int main(int argc, char **argv)
Definition: tests.c:7486
static void run_ecmult_const_tests(void)
Definition: tests.c:4612
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3062
#define SECP256K1_EC_PARSE_TEST_NVALID
static void run_eckey_edge_case_test(void)
Definition: tests.c:5999
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2950
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7305
static void run_ecmult_constants(void)
Definition: tests.c:5521
static void run_field_be32_overflow(void)
Definition: tests.c:2995
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:983
static void run_ecmult_chain(void)
Definition: tests.c:4222
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3396
static void run_ec_combine(void)
Definition: tests.c:4095
static void run_deprecated_context_flags_test(void)
Definition: tests.c:264
static secp256k1_context * CTX
Definition: tests.c:41
static void run_point_times_order(void)
Definition: tests.c:4393
static void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:155
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6712
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:38
static void ecmult_const_commutativity(void)
Definition: tests.c:4441
static void int_cmov_test(void)
Definition: tests.c:7333
static void test_add_neg_y_diff_x(void)
Definition: tests.c:3957
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5402
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4281
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6673
static void run_hmac_sha256_tests(void)
Definition: tests.c:737
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5030
static void random_gej_test(secp256k1_gej *gej)
Definition: tests.c:177
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:959
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6344
static void run_field_half(void)
Definition: tests.c:3069
static void run_eckey_negate_test(void)
Definition: tests.c:6221
static void scalar_test(void)
Definition: tests.c:2128
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2283
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4641
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6298
static void run_gej(void)
Definition: tests.c:4034
static void run_ge(void)
Definition: tests.c:4017
static void ge_storage_cmov_test(void)
Definition: tests.c:7446
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3357
static void fe_storage_cmov_test(void)
Definition: tests.c:7388
static void test_ec_combine(void)
Definition: tests.c:4070
static void random_gej_y_magnitude(secp256k1_gej *gej)
Definition: tests.c:147
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5048
static void run_ctz_tests(void)
Definition: tests.c:546
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5068
static void run_scalar_tests(void)
Definition: tests.c:2300
static void test_random_pubkeys(void)
Definition: tests.c:6494
static void random_fe_test(secp256k1_fe *x)
Definition: tests.c:115
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4026
static void random_ge_y_magnitude(secp256k1_ge *ge)
Definition: tests.c:139
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3305
static void scalar_cmov_test(void)
Definition: tests.c:7418
static void random_ge_x_magnitude(secp256k1_ge *ge)
Definition: tests.c:135
static void run_ecmult_gen_blind(void)
Definition: tests.c:5590
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6349
static void run_sha256_known_output_tests(void)
Definition: tests.c:567
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4343
#define CHECK_ERROR(ctx, expr)
Definition: tests.c:79
static void random_gej_z_magnitude(secp256k1_gej *gej)
Definition: tests.c:151
static void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:196
static void run_ecdsa_end_to_end(void)
Definition: tests.c:6606
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4626
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4531
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:354
static void random_fe_magnitude(secp256k1_fe *fe)
Definition: tests.c:131
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3225
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4102
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5434
static void run_cmov_tests(void)
Definition: tests.c:7478
static void run_ecdsa_der_parse(void)
Definition: tests.c:6858
static void ecmult_const_random_mult(void)
Definition: tests.c:4414
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5599
static void run_field_convert(void)
Definition: tests.c:2965
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6613
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:282
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7266
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5478
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5149
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:90
static void run_sqrt(void)
Definition: tests.c:3319
static void run_modinv_tests(void)
Definition: tests.c:1164
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4320
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:950
static void run_xoshiro256pp_tests(void)
Definition: tests.c:215
static void run_wnaf(void)
Definition: tests.c:5375
static void run_ecmult_multi_tests(void)
Definition: tests.c:5214
static void run_selftest_tests(void)
Definition: tests.c:244
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1134
static void run_sqr(void)
Definition: tests.c:3289
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:255
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5101
static void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:183
static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2958
static void run_endomorphism_tests(void)
Definition: tests.c:5626
static void run_scratch_tests(void)
Definition: tests.c:476
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7236
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4381
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7228
static void fe_cmov_test(void)
Definition: tests.c:7358
static void run_group_decompress(void)
Definition: tests.c:4137
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4462
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5394
static void ecmult_const_edges(void)
Definition: tests.c:4504
static void test_ecdsa_edge_cases(void)
Definition: tests.c:6890
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4586
static void run_ecmult_pre_g(void)
Definition: tests.c:4198
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4633
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:729
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4148
static secp256k1_context * STATIC_CTX
Definition: tests.c:42
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5275
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3374
static void test_ecmult_gen_blind(void)
Definition: tests.c:5555
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7290
static void run_fe_mul(void)
Definition: tests.c:3268
#define SECP256K1_EC_PARSE_TEST_NXVALID
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6685
static const secp256k1_fe fe_minus_one
Definition: tests.c:3362
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:781
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:849
static void random_fe(secp256k1_fe *x)
Definition: testutil.h:13
static void random_fe_non_zero(secp256k1_fe *nz)
Definition: testutil.h:23
#define expect(bit)