Bitcoin Core  22.99.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <time.h>
16 
17 #include "secp256k1.c"
18 #include "../include/secp256k1.h"
19 #include "../include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
21 #include "util.h"
22 
23 #include "../contrib/lax_der_parsing.c"
24 #include "../contrib/lax_der_privatekey_parsing.c"
25 
26 #include "modinv32_impl.h"
27 #ifdef SECP256K1_WIDEMUL_INT128
28 #include "modinv64_impl.h"
29 #endif
30 
31 static int count = 64;
32 static secp256k1_context *ctx = NULL;
33 
34 static void counting_illegal_callback_fn(const char* str, void* data) {
35  /* Dummy callback function that just counts. */
36  int32_t *p;
37  (void)str;
38  p = data;
39  (*p)++;
40 }
41 
42 static void uncounting_illegal_callback_fn(const char* str, void* data) {
43  /* Dummy callback function that just counts (backwards). */
44  int32_t *p;
45  (void)str;
46  p = data;
47  (*p)--;
48 }
49 
51  do {
52  unsigned char b32[32];
54  if (secp256k1_fe_set_b32(fe, b32)) {
55  break;
56  }
57  } while(1);
58 }
59 
61  secp256k1_fe zero;
62  int n = secp256k1_testrand_int(9);
64  if (n == 0) {
65  return;
66  }
67  secp256k1_fe_clear(&zero);
68  secp256k1_fe_negate(&zero, &zero, 0);
69  secp256k1_fe_mul_int(&zero, n - 1);
70  secp256k1_fe_add(fe, &zero);
71 #ifdef VERIFY
72  CHECK(fe->magnitude == n);
73 #endif
74 }
75 
77  secp256k1_fe fe;
78  do {
82  break;
83  }
84  } while(1);
85  ge->infinity = 0;
86 }
87 
89  secp256k1_fe z2, z3;
90  do {
92  if (!secp256k1_fe_is_zero(&gej->z)) {
93  break;
94  }
95  } while(1);
96  secp256k1_fe_sqr(&z2, &gej->z);
97  secp256k1_fe_mul(&z3, &z2, &gej->z);
98  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
99  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
100  gej->infinity = ge->infinity;
101 }
102 
104  do {
105  unsigned char b32[32];
106  int overflow = 0;
108  secp256k1_scalar_set_b32(num, b32, &overflow);
109  if (overflow || secp256k1_scalar_is_zero(num)) {
110  continue;
111  }
112  break;
113  } while(1);
114 }
115 
117  do {
118  unsigned char b32[32];
119  int overflow = 0;
121  secp256k1_scalar_set_b32(num, b32, &overflow);
122  if (overflow || secp256k1_scalar_is_zero(num)) {
123  continue;
124  }
125  break;
126  } while(1);
127 }
128 
129 void random_scalar_order_b32(unsigned char *b32) {
130  secp256k1_scalar num;
131  random_scalar_order(&num);
132  secp256k1_scalar_get_b32(b32, &num);
133 }
134 
135 void run_context_tests(int use_prealloc) {
136  secp256k1_pubkey pubkey;
137  secp256k1_pubkey zero_pubkey;
139  unsigned char ctmp[32];
140  int32_t ecount;
141  int32_t ecount2;
142  secp256k1_context *none;
143  secp256k1_context *sign;
144  secp256k1_context *vrfy;
145  secp256k1_context *both;
146  secp256k1_context *sttc;
147  void *none_prealloc = NULL;
148  void *sign_prealloc = NULL;
149  void *vrfy_prealloc = NULL;
150  void *both_prealloc = NULL;
151  void *sttc_prealloc = NULL;
152 
153  secp256k1_gej pubj;
154  secp256k1_ge pub;
155  secp256k1_scalar msg, key, nonce;
156  secp256k1_scalar sigr, sigs;
157 
158  if (use_prealloc) {
164  CHECK(none_prealloc != NULL);
165  CHECK(sign_prealloc != NULL);
166  CHECK(vrfy_prealloc != NULL);
167  CHECK(both_prealloc != NULL);
168  CHECK(sttc_prealloc != NULL);
174  } else {
180  }
181 
182  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
183 
184  ecount = 0;
185  ecount2 = 10;
188  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
190  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
192 
193  /* check if sizes for cloning are consistent */
199 
200  /*** clone and destroy all of them to make sure cloning was complete ***/
201  {
202  secp256k1_context *ctx_tmp;
203 
204  if (use_prealloc) {
205  /* clone into a non-preallocated context and then again into a new preallocated one. */
206  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
207  free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
208  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
209 
210  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
211  free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
212  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
213 
214  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
215  free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
216  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
217 
218  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
219  free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
220  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
221  } else {
222  /* clone into a preallocated context and then again into a new non-preallocated one. */
223  void *prealloc_tmp;
224 
225  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
226  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
227  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
228  free(prealloc_tmp);
229 
230  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
231  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
232  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
233  free(prealloc_tmp);
234 
235  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
236  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
237  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
238  free(prealloc_tmp);
239 
240  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
241  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
242  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
243  free(prealloc_tmp);
244  }
245  }
246 
247  /* Verify that the error callback makes it across the clone. */
248  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
250  /* And that it resets back to default. */
251  secp256k1_context_set_error_callback(sign, NULL, NULL);
252  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
253 
254  /*** attempt to use them ***/
257  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
258  secp256k1_ge_set_gej(&pub, &pubj);
259 
260  /* Verify context-type checking illegal-argument errors. */
261  memset(ctmp, 1, 32);
262  CHECK(secp256k1_ec_pubkey_create(sttc, &pubkey, ctmp) == 0);
263  CHECK(ecount == 1);
264  VG_UNDEF(&pubkey, sizeof(pubkey));
265  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
266  VG_CHECK(&pubkey, sizeof(pubkey));
267  CHECK(secp256k1_ecdsa_sign(sttc, &sig, ctmp, ctmp, NULL, NULL) == 0);
268  CHECK(ecount == 2);
269  VG_UNDEF(&sig, sizeof(sig));
270  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
271  VG_CHECK(&sig, sizeof(sig));
272  CHECK(ecount2 == 10);
273  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 1);
274  CHECK(ecount2 == 10);
275  CHECK(secp256k1_ecdsa_verify(sttc, &sig, ctmp, &pubkey) == 1);
276  CHECK(ecount == 2);
277  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 1);
278  CHECK(ecount2 == 10);
279  CHECK(secp256k1_ec_pubkey_tweak_add(sttc, &pubkey, ctmp) == 1);
280  CHECK(ecount == 2);
281  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 1);
282  CHECK(ecount2 == 10);
283  CHECK(secp256k1_ec_pubkey_negate(sttc, &pubkey) == 1);
284  CHECK(ecount == 2);
285  CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
286  CHECK(ecount == 2);
287  CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
288  CHECK(ecount2 == 11);
289  CHECK(secp256k1_ec_pubkey_negate(sttc, &zero_pubkey) == 0);
290  CHECK(ecount == 3);
291  CHECK(secp256k1_ec_pubkey_tweak_mul(sttc, &pubkey, ctmp) == 1);
292  CHECK(ecount == 3);
293  CHECK(secp256k1_context_randomize(sttc, ctmp) == 1);
294  CHECK(ecount == 3);
295  CHECK(secp256k1_context_randomize(sttc, NULL) == 1);
296  CHECK(ecount == 3);
297  CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
298  CHECK(ecount2 == 11);
299  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
300  CHECK(ecount2 == 11);
301  secp256k1_context_set_illegal_callback(sttc, NULL, NULL);
302  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
303 
304  /* obtain a working nonce */
305  do {
307  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
308 
309  /* try signing */
310  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
311  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
312 
313  /* try verifying */
314  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
315  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
316 
317  /* cleanup */
318  if (use_prealloc) {
324  free(none_prealloc);
325  free(sign_prealloc);
326  free(vrfy_prealloc);
327  free(both_prealloc);
328  free(sttc_prealloc);
329  } else {
335  }
336  /* Defined as no-op. */
339 
340 }
341 
342 void run_scratch_tests(void) {
343  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
344 
345  int32_t ecount = 0;
346  size_t checkpoint;
347  size_t checkpoint_2;
349  secp256k1_scratch_space *scratch;
350  secp256k1_scratch_space local_scratch;
351 
352  /* Test public API */
355 
356  scratch = secp256k1_scratch_space_create(none, 1000);
357  CHECK(scratch != NULL);
358  CHECK(ecount == 0);
359 
360  /* Test internal API */
361  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
362  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
363  CHECK(scratch->alloc_size == 0);
364  CHECK(scratch->alloc_size % ALIGNMENT == 0);
365 
366  /* Allocating 500 bytes succeeds */
367  checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
368  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
369  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
370  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
371  CHECK(scratch->alloc_size != 0);
372  CHECK(scratch->alloc_size % ALIGNMENT == 0);
373 
374  /* Allocating another 501 bytes fails */
375  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
376  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
377  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
378  CHECK(scratch->alloc_size != 0);
379  CHECK(scratch->alloc_size % ALIGNMENT == 0);
380 
381  /* ...but it succeeds once we apply the checkpoint to undo it */
382  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
383  CHECK(scratch->alloc_size == 0);
384  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
385  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
386  CHECK(scratch->alloc_size != 0);
387 
388  /* try to apply a bad checkpoint */
389  checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
390  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
391  CHECK(ecount == 0);
392  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
393  CHECK(ecount == 1);
394  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
395  CHECK(ecount == 2);
396 
397  /* try to use badly initialized scratch space */
398  secp256k1_scratch_space_destroy(none, scratch);
399  memset(&local_scratch, 0, sizeof(local_scratch));
400  scratch = &local_scratch;
402  CHECK(ecount == 3);
403  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
404  CHECK(ecount == 4);
405  secp256k1_scratch_space_destroy(none, scratch);
406  CHECK(ecount == 5);
407 
408  /* Test that large integers do not wrap around in a bad way */
409  scratch = secp256k1_scratch_space_create(none, 1000);
410  /* Try max allocation with a large number of objects. Only makes sense if
411  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
412  * space. */
413  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
414  /* Try allocating SIZE_MAX to test wrap around which only happens if
415  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
416  * space is too small. */
417  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
418  secp256k1_scratch_space_destroy(none, scratch);
419 
420  /* cleanup */
421  secp256k1_scratch_space_destroy(none, NULL); /* no-op */
423 }
424 
425 void run_ctz_tests(void) {
426  static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
427  static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
428  int shift;
429  unsigned i;
430  for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
431  for (shift = 0; shift < 32; ++shift) {
432  CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
433  CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
434  }
435  }
436  for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
437  for (shift = 0; shift < 64; ++shift) {
438  CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
439  CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
440  }
441  }
442 }
443 
444 /***** HASH TESTS *****/
445 
446 void run_sha256_tests(void) {
447  static const char *inputs[8] = {
448  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
449  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
450  "For this sample, this 63-byte string will be used as input data",
451  "This is exactly 64 bytes long, not counting the terminating byte"
452  };
453  static const unsigned char outputs[8][32] = {
454  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
455  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
456  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
457  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
458  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
459  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
460  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
461  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
462  };
463  int i;
464  for (i = 0; i < 8; i++) {
465  unsigned char out[32];
466  secp256k1_sha256 hasher;
468  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
469  secp256k1_sha256_finalize(&hasher, out);
470  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
471  if (strlen(inputs[i]) > 0) {
472  int split = secp256k1_testrand_int(strlen(inputs[i]));
474  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
475  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
476  secp256k1_sha256_finalize(&hasher, out);
477  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
478  }
479  }
480 }
481 
483  static const char *keys[6] = {
484  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
485  "\x4a\x65\x66\x65",
486  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
487  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
488  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
489  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
490  };
491  static const char *inputs[6] = {
492  "\x48\x69\x20\x54\x68\x65\x72\x65",
493  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
494  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
495  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
496  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
497  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
498  };
499  static const unsigned char outputs[6][32] = {
500  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
501  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
502  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
503  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
504  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
505  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
506  };
507  int i;
508  for (i = 0; i < 6; i++) {
509  secp256k1_hmac_sha256 hasher;
510  unsigned char out[32];
511  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
512  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
513  secp256k1_hmac_sha256_finalize(&hasher, out);
514  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
515  if (strlen(inputs[i]) > 0) {
516  int split = secp256k1_testrand_int(strlen(inputs[i]));
517  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
518  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
519  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
520  secp256k1_hmac_sha256_finalize(&hasher, out);
521  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
522  }
523  }
524 }
525 
527  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
528  static const unsigned char out1[3][32] = {
529  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
530  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
531  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
532  };
533 
534  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
535  static const unsigned char out2[3][32] = {
536  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
537  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
538  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
539  };
540 
542  unsigned char out[32];
543  int i;
544 
546  for (i = 0; i < 3; i++) {
548  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
549  }
551 
553  for (i = 0; i < 3; i++) {
555  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
556  }
558 
560  for (i = 0; i < 3; i++) {
562  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
563  }
565 }
566 
568  int ecount = 0;
570  unsigned char tag[32] = { 0 };
571  unsigned char msg[32] = { 0 };
572  unsigned char hash32[32];
573  unsigned char hash_expected[32] = {
574  0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
575  0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
576  0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
577  0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
578  };
579 
581 
582  /* API test */
583  CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
584  CHECK(secp256k1_tagged_sha256(none, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
585  CHECK(ecount == 1);
586  CHECK(secp256k1_tagged_sha256(none, hash32, NULL, 0, msg, sizeof(msg)) == 0);
587  CHECK(ecount == 2);
588  CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), NULL, 0) == 0);
589  CHECK(ecount == 3);
590 
591  /* Static test vector */
592  memcpy(tag, "tag", 3);
593  memcpy(msg, "msg", 3);
594  CHECK(secp256k1_tagged_sha256(none, hash32, tag, 3, msg, 3) == 1);
595  CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
597 }
598 
599 /***** RANDOM TESTS *****/
600 
601 void test_rand_bits(int rand32, int bits) {
602  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
603  * get a false negative chance below once in a billion */
604  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
605  /* We try multiplying the results with various odd numbers, which shouldn't
606  * influence the uniform distribution modulo a power of 2. */
607  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
608  /* We only select up to 6 bits from the output to analyse */
609  unsigned int usebits = bits > 6 ? 6 : bits;
610  unsigned int maxshift = bits - usebits;
611  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
612  number, track all observed outcomes, one per bit in a uint64_t. */
613  uint64_t x[6][27] = {{0}};
614  unsigned int i, shift, m;
615  /* Multiply the output of all rand calls with the odd number m, which
616  should not change the uniformity of its distribution. */
617  for (i = 0; i < rounds[usebits]; i++) {
618  uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
619  CHECK((((uint64_t)r) >> bits) == 0);
620  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
621  uint32_t rm = r * mults[m];
622  for (shift = 0; shift <= maxshift; shift++) {
623  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
624  }
625  }
626  }
627  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
628  for (shift = 0; shift <= maxshift; shift++) {
629  /* Test that the lower usebits bits of x[shift] are 1 */
630  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
631  }
632  }
633 }
634 
635 /* Subrange must be a whole divisor of range, and at most 64 */
636 void test_rand_int(uint32_t range, uint32_t subrange) {
637  /* (1-1/subrange)^rounds < 1/10^9 */
638  int rounds = (subrange * 2073) / 100;
639  int i;
640  uint64_t x = 0;
641  CHECK((range % subrange) == 0);
642  for (i = 0; i < rounds; i++) {
643  uint32_t r = secp256k1_testrand_int(range);
644  CHECK(r < range);
645  r = r % subrange;
646  x |= (((uint64_t)1) << r);
647  }
648  /* Test that the lower subrange bits of x are 1. */
649  CHECK(((~x) << (64 - subrange)) == 0);
650 }
651 
652 void run_rand_bits(void) {
653  size_t b;
654  test_rand_bits(1, 32);
655  for (b = 1; b <= 32; b++) {
656  test_rand_bits(0, b);
657  }
658 }
659 
660 void run_rand_int(void) {
661  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
662  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
663  unsigned int m, s;
664  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
665  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
666  test_rand_int(ms[m] * ss[s], ss[s]);
667  }
668  }
669 }
670 
671 /***** MODINV TESTS *****/
672 
673 /* Compute the modular inverse of (odd) x mod 2^64. */
674 uint64_t modinv2p64(uint64_t x) {
675  /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
676  * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
677  * why. Start with L=0, for which it is true for every odd x that
678  * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
679  int l;
680  uint64_t w = 1;
681  CHECK(x & 1);
682  for (l = 0; l < 6; ++l) w *= (2 - w*x);
683  return w;
684 }
685 
686 /* compute out = (a*b) mod m; if b=NULL, treat b=1.
687  *
688  * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
689  * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
690 void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
691  uint16_t mul[32];
692  uint64_t c = 0;
693  int i, j;
694  int m_bitlen = 0;
695  int mul_bitlen = 0;
696 
697  if (b != NULL) {
698  /* Compute the product of a and b, and put it in mul. */
699  for (i = 0; i < 32; ++i) {
700  for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
701  c += (uint64_t)a[j] * b[i - j];
702  }
703  mul[i] = c & 0xFFFF;
704  c >>= 16;
705  }
706  CHECK(c == 0);
707 
708  /* compute the highest set bit in mul */
709  for (i = 511; i >= 0; --i) {
710  if ((mul[i >> 4] >> (i & 15)) & 1) {
711  mul_bitlen = i;
712  break;
713  }
714  }
715  } else {
716  /* if b==NULL, set mul=a. */
717  memcpy(mul, a, 32);
718  memset(mul + 16, 0, 32);
719  /* compute the highest set bit in mul */
720  for (i = 255; i >= 0; --i) {
721  if ((mul[i >> 4] >> (i & 15)) & 1) {
722  mul_bitlen = i;
723  break;
724  }
725  }
726  }
727 
728  /* Compute the highest set bit in m. */
729  for (i = 255; i >= 0; --i) {
730  if ((m[i >> 4] >> (i & 15)) & 1) {
731  m_bitlen = i;
732  break;
733  }
734  }
735 
736  /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
737  for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
738  uint16_t mul2[32];
739  int64_t cs;
740 
741  /* Compute mul2 = mul - m<<i. */
742  cs = 0; /* accumulator */
743  for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
744  /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
745  uint16_t sub = 0;
746  int p;
747  for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
748  int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
749  if (bitpos >= 0 && bitpos < 256) {
750  sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
751  }
752  }
753  /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
754  cs += mul[j];
755  cs -= sub;
756  mul2[j] = (cs & 0xFFFF);
757  cs >>= 16;
758  }
759  /* If remainder of subtraction is 0, set mul = mul2. */
760  if (cs == 0) {
761  memcpy(mul, mul2, sizeof(mul));
762  }
763  }
764  /* Sanity check: test that all limbs higher than m's highest are zero */
765  for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
766  CHECK(mul[i] == 0);
767  }
768  memcpy(out, mul, 32);
769 }
770 
771 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
772 void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
773  int i;
774  memset(out->v, 0, sizeof(out->v));
775  for (i = 0; i < 256; ++i) {
776  out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
777  }
778 }
779 
780 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
781 void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
782  int i;
783  memset(out, 0, 32);
784  for (i = 0; i < 256; ++i) {
785  out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
786  }
787 }
788 
789 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
791  int i;
792  for (i = 0; i < 16; ++i) {
793  int pos = secp256k1_testrand_int(8);
794  if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
795  x->v[pos] -= 0x40000000;
796  x->v[pos + 1] += 1;
797  } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
798  x->v[pos] += 0x40000000;
799  x->v[pos + 1] -= 1;
800  }
801  }
802 }
803 
804 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
805 void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
806  uint16_t tmp[16];
809  int i, vartime, nonzero;
810 
811  uint16_to_signed30(&x, in);
812  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
813  uint16_to_signed30(&m.modulus, mod);
814  mutate_sign_signed30(&m.modulus);
815 
816  /* compute 1/modulus mod 2^30 */
817  m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
818  CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
819 
820  for (vartime = 0; vartime < 2; ++vartime) {
821  /* compute inverse */
822  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
823 
824  /* produce output */
825  signed30_to_uint16(out, &x);
826 
827  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
828  mulmod256(tmp, out, in, mod);
829  CHECK(tmp[0] == nonzero);
830  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
831 
832  /* invert again */
833  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
834 
835  /* check if the result is equal to the input */
836  signed30_to_uint16(tmp, &x);
837  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
838  }
839 }
840 
841 #ifdef SECP256K1_WIDEMUL_INT128
842 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
843 void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
844  int i;
845  memset(out->v, 0, sizeof(out->v));
846  for (i = 0; i < 256; ++i) {
847  out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
848  }
849 }
850 
851 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
852 void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
853  int i;
854  memset(out, 0, 32);
855  for (i = 0; i < 256; ++i) {
856  out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
857  }
858 }
859 
860 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
861 void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
862  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
863  int i;
864  for (i = 0; i < 8; ++i) {
865  int pos = secp256k1_testrand_int(4);
866  if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
867  x->v[pos] -= (M62 + 1);
868  x->v[pos + 1] += 1;
869  } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
870  x->v[pos] += (M62 + 1);
871  x->v[pos + 1] -= 1;
872  }
873  }
874 }
875 
876 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
877 void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
878  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
879  uint16_t tmp[16];
882  int i, vartime, nonzero;
883 
884  uint16_to_signed62(&x, in);
885  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
886  uint16_to_signed62(&m.modulus, mod);
887  mutate_sign_signed62(&m.modulus);
888 
889  /* compute 1/modulus mod 2^62 */
890  m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
891  CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
892 
893  for (vartime = 0; vartime < 2; ++vartime) {
894  /* compute inverse */
895  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
896 
897  /* produce output */
898  signed62_to_uint16(out, &x);
899 
900  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
901  mulmod256(tmp, out, in, mod);
902  CHECK(tmp[0] == nonzero);
903  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
904 
905  /* invert again */
906  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
907 
908  /* check if the result is equal to the input */
909  signed62_to_uint16(tmp, &x);
910  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
911  }
912 }
913 #endif
914 
915 /* test if a and b are coprime */
916 int coprime(const uint16_t* a, const uint16_t* b) {
917  uint16_t x[16], y[16], t[16];
918  int i;
919  int iszero;
920  memcpy(x, a, 32);
921  memcpy(y, b, 32);
922 
923  /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
924  while (1) {
925  iszero = 1;
926  for (i = 0; i < 16; ++i) {
927  if (x[i] != 0) {
928  iszero = 0;
929  break;
930  }
931  }
932  if (iszero) break;
933  mulmod256(t, y, NULL, x);
934  memcpy(y, x, 32);
935  memcpy(x, t, 32);
936  }
937 
938  /* return whether y=1 */
939  if (y[0] != 1) return 0;
940  for (i = 1; i < 16; ++i) {
941  if (y[i] != 0) return 0;
942  }
943  return 1;
944 }
945 
946 void run_modinv_tests(void) {
947  /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
948  static const uint16_t CASES[][3][16] = {
949  /* Test cases triggering edge cases in divsteps */
950 
951  /* Test case known to need 713 divsteps */
952  {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
953  0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
954  {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
955  0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
956  {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
957  0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
958  /* Test case known to need 589 divsteps, reaching delta=-140 and
959  delta=141. */
960  {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
961  0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
962  {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
963  0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
964  {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
965  0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
966  /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
967  {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
968  0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
969  {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
970  0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
971  {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
972  0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
973  /* example needing 713 divsteps; delta=-2..3 */
974  {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
975  0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
976  {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
977  0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
978  {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
979  0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
980  /* example needing 713 divsteps; delta=-2..3 */
981  {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
982  0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
983  {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
984  0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
985  {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
986  0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
987  /* example needing 713 divsteps; delta=-2..3 */
988  {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
989  0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
990  {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
991  0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
992  {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
993  0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
994  /* example reaching delta=-64..65; 661 divsteps */
995  {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
996  0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
997  {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
998  0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
999  {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1000  0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1001  /* example reaching delta=-64..65; 661 divsteps */
1002  {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1003  0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1004  {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1005  0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1006  {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1007  0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1008  /* example reaching delta=-64..65; 661 divsteps */
1009  {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1010  0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1011  {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1012  0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1013  {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1014  0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1015  /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1016  {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1017  0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1018  {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1019  0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1020  {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1021  0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1022  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1023  {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1024  0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1025  {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1026  0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1027  {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1028  0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1029  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1030  {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1031  0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1032  {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1033  0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1034  {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1035  0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1036  /* example doing 446 (f,g/2) steps; 523 divsteps */
1037  {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1038  0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1039  {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1040  0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1041  {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1042  0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1043  /* example doing 446 (f,g/2) steps; 523 divsteps */
1044  {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1045  0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1046  {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1047  0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1048  {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1049  0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1050  /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1051  {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1052  0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1053  {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1054  0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1055  {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1056  0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1057  /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1058  {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1059  0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1060  {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1061  0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1062  {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1063  0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1064  /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1065  {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1066  0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1067  {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1068  0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1069  {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1070  0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1071  /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1072  {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1073  0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1074  {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1075  0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1076  {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1077  0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1078 
1079  /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1080 
1081  /* example needing 590 divsteps; delta=-5/2..7/2 */
1082  {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1083  0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1084  {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1085  0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1086  {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1087  0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1088  /* example needing 590 divsteps; delta=-3/2..5/2 */
1089  {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1090  0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1091  {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1092  0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1093  {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1094  0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1095  /* example needing 590 divsteps; delta=-3/2..5/2 */
1096  {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1097  0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1098  {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1099  0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1100  {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1101  0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1102  /* example needing 590 divsteps; delta=-5/2..7/2 */
1103  {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1104  0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1105  {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1106  0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1107  {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1108  0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1109  /* example needing 590 divsteps; delta=-3/2..5/2 */
1110  {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1111  0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1112  {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1113  0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1114  {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1115  0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1116  /* example reaching delta=-127/2..129/2; 571 divsteps */
1117  {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1118  0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1119  {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1120  0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1121  {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1122  0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1123  /* example reaching delta=-127/2..129/2; 571 divsteps */
1124  {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1125  0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1126  {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1127  0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1128  {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1129  0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1130  /* example reaching delta=-127/2..129/2; 571 divsteps */
1131  {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1132  0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1133  {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1134  0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1135  {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1136  0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1137  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1138  {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1139  0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1140  {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1141  0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1142  {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1143  0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1144  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1145  {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1146  0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1147  {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1148  0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1149  {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1150  0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1151  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1152  {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1153  0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1154  {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1155  0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1156  {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1157  0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1158  /* example doing 453 (f,g/2) steps; 514 divsteps */
1159  {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1160  0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1161  {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1162  0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1163  {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1164  0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1165  /* example doing 453 (f,g/2) steps; 514 divsteps */
1166  {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1167  0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1168  {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1169  0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1170  {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1171  0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1172  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1173  {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1174  0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1175  {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1176  0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1177  {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1178  0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1179  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1180  {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1181  0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1182  {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1183  0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1184  {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1185  0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1186  /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1187  {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1188  0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1189  {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1190  0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1191  {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1192  0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1193  /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1194  {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1195  0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1196  {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1197  0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1198  {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1199  0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1200 
1201  /* Test cases with the group order as modulus. */
1202 
1203  /* Test case with the group order as modulus, needing 635 divsteps. */
1204  {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1205  0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1206  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1207  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1208  {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1209  0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1210  /* example with group size as modulus needing 631 divsteps */
1211  {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1212  0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1213  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1214  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1215  {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1216  0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1217  /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1218  {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1219  0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1220  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1221  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1222  {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1223  0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1224  /* Test case with the group size as modulus, needing 981 divsteps with
1225  broken eta handling. */
1226  {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1227  0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1228  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1229  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1230  {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1231  0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1232  /* Test case with the group size as modulus, input = 0. */
1233  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1234  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1235  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1236  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1237  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1238  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1239  /* Test case with the group size as modulus, input = 1. */
1240  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1241  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1242  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1243  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1244  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1245  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1246  /* Test case with the group size as modulus, input = 2. */
1247  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1248  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1249  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1250  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1251  {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1252  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1253  /* Test case with the group size as modulus, input = group - 1. */
1254  {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1255  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1256  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1257  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1258  {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1259  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1260 
1261  /* Test cases with the field size as modulus. */
1262 
1263  /* Test case with the field size as modulus, needing 637 divsteps. */
1264  {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1265  0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1266  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1267  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1268  {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1269  0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1270  /* example with field size as modulus needing 637 divsteps */
1271  {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1272  0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1273  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1274  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1275  {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1276  0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1277  /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1278  {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1279  0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1280  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1281  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1282  {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1283  0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1284  /* Test case with the field size as modulus, needing 935 divsteps with
1285  broken eta handling. */
1286  {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1287  0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1288  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1289  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1290  {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1291  0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1292  /* Test case with the field size as modulus, input = 0. */
1293  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1294  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1295  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1296  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1297  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1298  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1299  /* Test case with the field size as modulus, input = 1. */
1300  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1301  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1302  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1303  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1304  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1305  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1306  /* Test case with the field size as modulus, input = 2. */
1307  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1308  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1309  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1310  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1311  {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1312  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1313  /* Test case with the field size as modulus, input = field - 1. */
1314  {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1315  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1316  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1317  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1318  {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1319  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1320 
1321  /* Selected from a large number of random inputs to reach small/large
1322  * d/e values in various configurations. */
1323  {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1324  0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1325  {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1326  0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1327  {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1328  0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1329  {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1330  0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1331  {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1332  0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1333  {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1334  0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1335  {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1336  0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1337  {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1338  0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1339  {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1340  0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1341  {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1342  0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1343  {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1344  0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1345  {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1346  0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1347  {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1348  0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1349  {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1350  0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1351  {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1352  0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1353  {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1354  0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1355  {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1356  0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1357  {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1358  0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1359  {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1360  0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1361  {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1362  0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1363  {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1364  0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1365  {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1366  0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1367  {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1368  0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1369  {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1370  0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1371  {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1372  0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1373  {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1374  0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1375  {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1376  0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1377  {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1378  0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1379  {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1380  0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1381  {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1382  0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1383  {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1384  0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1385  {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1386  0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1387  {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1388  0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1389  {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1390  0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1391  {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1392  0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1393  {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1394  0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1395  {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1396  0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1397  {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1398  0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1399  {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1400  0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1401  {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1402  0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1403  {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1404  0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1405  {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1406  0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1407  {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1408  0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1409  {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1410  0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1411  {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1412  0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1413  {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1414  0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1415  {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1416  0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1417  {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1418  0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1419  {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1420  0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1421  {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1422  0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1423  {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1424  0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1425  {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1426  0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1427  {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1428  0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1429  {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1430  0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1431  {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1432  0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1433  {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1434  0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1435  {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1436  0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1437  {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1438  0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1439  {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1440  0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1441  {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1442  0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1443  {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1444  0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1445  {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1446  0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1447  {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1448  0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1449  {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1450  0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1451  {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1452  0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1453  {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1454  0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1455  {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1456  0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1457  {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1458  0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1459  {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1460  0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1461  {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1462  0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1463  {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1464  0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1465  {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1466  0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1467  {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1468  0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1469  {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1470  0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1471  {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1472  0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1473  {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1474  0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1475  {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1476  0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1477  {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1478  0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1479  {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1480  0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1481  {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1482  0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1483  {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1484  0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1485  {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1486  0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1487  {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1488  0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1489  {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1490  0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1491  {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1492  0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1493  {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1494  0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1495  {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1496  0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1497  {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1498  0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1499  {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1500  0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1501  {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1502  0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1503  {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1504  0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1505  {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1506  0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1507  {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1508  0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1509  {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1510  0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1511  {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1512  0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1513  {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1514  0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1515  {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1516  0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1517  {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1518  0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1519  {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1520  0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1521  {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1522  0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1523  {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1524  0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1525  {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1526  0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1527  {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1528  0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1529  {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1530  0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1531  {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1532  0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1533  };
1534 
1535  int i, j, ok;
1536 
1537  /* Test known inputs/outputs */
1538  for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1539  uint16_t out[16];
1540  test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1541  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1542 #ifdef SECP256K1_WIDEMUL_INT128
1543  test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1544  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1545 #endif
1546  }
1547 
1548  for (i = 0; i < 100 * count; ++i) {
1549  /* 256-bit numbers in 16-uint16_t's notation */
1550  static const uint16_t ZERO[16] = {0};
1551  uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1552  uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1553  uint16_t id[16]; /* the inverse of xd mod md */
1554 
1555  /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1556  do {
1557  /* generate random xd and md (with many subsequent 0s and 1s) */
1558  secp256k1_testrand256_test((unsigned char*)xd);
1559  secp256k1_testrand256_test((unsigned char*)md);
1560  md[0] |= 1; /* modulus must be odd */
1561  /* If modulus is 1, find another one. */
1562  ok = md[0] != 1;
1563  for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1564  mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1565  } while (!(ok && coprime(xd, md)));
1566 
1567  test_modinv32_uint16(id, xd, md);
1568 #ifdef SECP256K1_WIDEMUL_INT128
1569  test_modinv64_uint16(id, xd, md);
1570 #endif
1571 
1572  /* In a few cases, also test with input=0 */
1573  if (i < count) {
1574  test_modinv32_uint16(id, ZERO, md);
1575 #ifdef SECP256K1_WIDEMUL_INT128
1576  test_modinv64_uint16(id, ZERO, md);
1577 #endif
1578  }
1579  }
1580 }
1581 
1582 /***** SCALAR TESTS *****/
1583 
1584 
1585 void scalar_test(void) {
1586  secp256k1_scalar s;
1587  secp256k1_scalar s1;
1588  secp256k1_scalar s2;
1589  unsigned char c[32];
1590 
1591  /* Set 's' to a random scalar, with value 'snum'. */
1593 
1594  /* Set 's1' to a random scalar, with value 's1num'. */
1596 
1597  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1599  secp256k1_scalar_get_b32(c, &s2);
1600 
1601  {
1602  int i;
1603  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1604  secp256k1_scalar n;
1605  secp256k1_scalar_set_int(&n, 0);
1606  for (i = 0; i < 256; i += 4) {
1608  int j;
1609  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1610  for (j = 0; j < 4; j++) {
1611  secp256k1_scalar_add(&n, &n, &n);
1612  }
1613  secp256k1_scalar_add(&n, &n, &t);
1614  }
1615  CHECK(secp256k1_scalar_eq(&n, &s));
1616  }
1617 
1618  {
1619  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1620  secp256k1_scalar n;
1621  int i = 0;
1622  secp256k1_scalar_set_int(&n, 0);
1623  while (i < 256) {
1625  int j;
1626  int now = secp256k1_testrand_int(15) + 1;
1627  if (now + i > 256) {
1628  now = 256 - i;
1629  }
1630  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1631  for (j = 0; j < now; j++) {
1632  secp256k1_scalar_add(&n, &n, &n);
1633  }
1634  secp256k1_scalar_add(&n, &n, &t);
1635  i += now;
1636  }
1637  CHECK(secp256k1_scalar_eq(&n, &s));
1638  }
1639 
1640  {
1641  /* test secp256k1_scalar_shr_int */
1642  secp256k1_scalar r;
1643  int i;
1645  for (i = 0; i < 100; ++i) {
1646  int low;
1647  int shift = 1 + secp256k1_testrand_int(15);
1648  int expected = r.d[0] % (1 << shift);
1649  low = secp256k1_scalar_shr_int(&r, shift);
1650  CHECK(expected == low);
1651  }
1652  }
1653 
1654  {
1655  /* Test commutativity of add. */
1656  secp256k1_scalar r1, r2;
1657  secp256k1_scalar_add(&r1, &s1, &s2);
1658  secp256k1_scalar_add(&r2, &s2, &s1);
1659  CHECK(secp256k1_scalar_eq(&r1, &r2));
1660  }
1661 
1662  {
1663  secp256k1_scalar r1, r2;
1664  secp256k1_scalar b;
1665  int i;
1666  /* Test add_bit. */
1667  int bit = secp256k1_testrand_bits(8);
1668  secp256k1_scalar_set_int(&b, 1);
1670  for (i = 0; i < bit; i++) {
1671  secp256k1_scalar_add(&b, &b, &b);
1672  }
1673  r1 = s1;
1674  r2 = s1;
1675  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1676  /* No overflow happened. */
1677  secp256k1_scalar_cadd_bit(&r2, bit, 1);
1678  CHECK(secp256k1_scalar_eq(&r1, &r2));
1679  /* cadd is a noop when flag is zero */
1680  secp256k1_scalar_cadd_bit(&r2, bit, 0);
1681  CHECK(secp256k1_scalar_eq(&r1, &r2));
1682  }
1683  }
1684 
1685  {
1686  /* Test commutativity of mul. */
1687  secp256k1_scalar r1, r2;
1688  secp256k1_scalar_mul(&r1, &s1, &s2);
1689  secp256k1_scalar_mul(&r2, &s2, &s1);
1690  CHECK(secp256k1_scalar_eq(&r1, &r2));
1691  }
1692 
1693  {
1694  /* Test associativity of add. */
1695  secp256k1_scalar r1, r2;
1696  secp256k1_scalar_add(&r1, &s1, &s2);
1697  secp256k1_scalar_add(&r1, &r1, &s);
1698  secp256k1_scalar_add(&r2, &s2, &s);
1699  secp256k1_scalar_add(&r2, &s1, &r2);
1700  CHECK(secp256k1_scalar_eq(&r1, &r2));
1701  }
1702 
1703  {
1704  /* Test associativity of mul. */
1705  secp256k1_scalar r1, r2;
1706  secp256k1_scalar_mul(&r1, &s1, &s2);
1707  secp256k1_scalar_mul(&r1, &r1, &s);
1708  secp256k1_scalar_mul(&r2, &s2, &s);
1709  secp256k1_scalar_mul(&r2, &s1, &r2);
1710  CHECK(secp256k1_scalar_eq(&r1, &r2));
1711  }
1712 
1713  {
1714  /* Test distributitivity of mul over add. */
1715  secp256k1_scalar r1, r2, t;
1716  secp256k1_scalar_add(&r1, &s1, &s2);
1717  secp256k1_scalar_mul(&r1, &r1, &s);
1718  secp256k1_scalar_mul(&r2, &s1, &s);
1719  secp256k1_scalar_mul(&t, &s2, &s);
1720  secp256k1_scalar_add(&r2, &r2, &t);
1721  CHECK(secp256k1_scalar_eq(&r1, &r2));
1722  }
1723 
1724  {
1725  /* Test multiplicative identity. */
1726  secp256k1_scalar r1, v1;
1727  secp256k1_scalar_set_int(&v1,1);
1728  secp256k1_scalar_mul(&r1, &s1, &v1);
1729  CHECK(secp256k1_scalar_eq(&r1, &s1));
1730  }
1731 
1732  {
1733  /* Test additive identity. */
1734  secp256k1_scalar r1, v0;
1735  secp256k1_scalar_set_int(&v0,0);
1736  secp256k1_scalar_add(&r1, &s1, &v0);
1737  CHECK(secp256k1_scalar_eq(&r1, &s1));
1738  }
1739 
1740  {
1741  /* Test zero product property. */
1742  secp256k1_scalar r1, v0;
1743  secp256k1_scalar_set_int(&v0,0);
1744  secp256k1_scalar_mul(&r1, &s1, &v0);
1745  CHECK(secp256k1_scalar_eq(&r1, &v0));
1746  }
1747 
1748 }
1749 
1751  unsigned char b32[32];
1752  secp256k1_scalar s1;
1753  secp256k1_scalar s2;
1754 
1755  /* Usually set_b32 and set_b32_seckey give the same result */
1757  secp256k1_scalar_set_b32(&s1, b32, NULL);
1758  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1759  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1760 
1761  memset(b32, 0, sizeof(b32));
1762  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1763  memset(b32, 0xFF, sizeof(b32));
1764  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1765 }
1766 
1767 void run_scalar_tests(void) {
1768  int i;
1769  for (i = 0; i < 128 * count; i++) {
1770  scalar_test();
1771  }
1772  for (i = 0; i < count; i++) {
1774  }
1775 
1776  {
1777  /* (-1)+1 should be zero. */
1778  secp256k1_scalar s, o;
1779  secp256k1_scalar_set_int(&s, 1);
1781  secp256k1_scalar_negate(&o, &s);
1782  secp256k1_scalar_add(&o, &o, &s);
1784  secp256k1_scalar_negate(&o, &o);
1786  }
1787 
1788  {
1789  /* Does check_overflow check catch all ones? */
1790  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1791  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1792  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1793  );
1794  CHECK(secp256k1_scalar_check_overflow(&overflowed));
1795  }
1796 
1797  {
1798  /* Static test vectors.
1799  * These were reduced from ~10^12 random vectors based on comparison-decision
1800  * and edge-case coverage on 32-bit and 64-bit implementations.
1801  * The responses were generated with Sage 5.9.
1802  */
1803  secp256k1_scalar x;
1804  secp256k1_scalar y;
1805  secp256k1_scalar z;
1806  secp256k1_scalar zz;
1807  secp256k1_scalar one;
1808  secp256k1_scalar r1;
1809  secp256k1_scalar r2;
1810  secp256k1_scalar zzv;
1811  int overflow;
1812  unsigned char chal[33][2][32] = {
1813  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1814  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1815  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1816  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1817  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1818  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1819  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1820  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1821  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1822  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1823  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1824  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1825  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1826  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1827  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1828  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1829  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1830  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1831  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1832  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1833  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1834  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1835  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1836  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1837  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1838  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1839  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1840  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1841  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1842  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1843  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1844  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1845  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1846  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1847  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1848  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1849  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1850  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1851  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1852  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1853  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1854  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1855  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1856  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1857  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1858  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1859  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1860  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1861  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1862  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1863  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1864  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1865  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1866  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1867  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1868  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1869  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1870  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1871  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1872  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1873  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1874  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1875  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1876  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1877  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1878  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1879  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1880  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1881  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1882  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1883  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1884  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1885  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1886  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1887  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1888  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1889  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1890  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1891  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1892  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1893  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1894  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1895  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1896  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1897  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1898  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1899  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1900  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1901  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1902  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1903  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1904  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1905  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1906  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1907  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1908  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1909  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1910  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1911  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1912  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1913  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1914  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1915  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1916  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1917  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1918  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1919  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1920  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1921  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1922  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1923  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1924  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1925  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1926  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1927  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1928  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1929  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1930  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1931  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1932  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1933  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1934  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1935  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1936  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1937  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1938  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1939  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1940  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1941  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1942  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1943  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1944  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1945  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1946  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1947  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1948  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1949  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1950  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1951  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1952  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1953  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1954  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1955  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1956  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1957  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1958  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1959  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1960  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1961  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1962  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1963  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1964  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1965  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1966  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1967  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1968  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1969  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1970  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1971  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1972  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1973  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1974  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1975  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1976  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1977  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1978  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1979  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1980  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1981  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1982  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1983  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1984  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1985  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1986  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1987  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1988  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1989  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1990  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1991  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1992  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1993  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1994  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1995  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1996  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1997  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1998  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1999  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2000  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2001  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2002  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2003  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2004  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2005  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2006  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2007  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2008  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2009  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2010  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2011  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2012  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2013  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2014  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2015  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2016  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2017  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2018  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2019  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2020  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2021  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2022  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2023  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2024  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2025  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2026  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2027  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2028  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2029  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2030  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2031  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2032  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2033  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2034  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2035  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2036  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2037  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2038  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2039  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2040  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2041  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2042  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2043  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2044  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2045  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2046  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2047  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2048  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2049  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2050  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2051  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2052  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2053  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2054  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2055  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2056  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2057  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2058  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2059  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2060  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2061  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2062  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2063  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2064  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2065  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2066  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2067  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2068  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2069  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2070  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2071  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2072  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2073  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2074  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2075  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2076  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2077  };
2078  unsigned char res[33][2][32] = {
2079  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2080  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2081  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2082  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2083  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2084  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2085  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2086  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2087  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2088  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2089  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2090  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2091  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2092  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2093  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2094  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2095  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2096  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2097  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2098  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2099  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2100  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2101  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2102  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2103  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2104  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2105  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2106  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2107  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2108  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2109  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2110  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2111  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2112  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2113  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2114  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2115  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2116  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2117  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2118  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2119  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2120  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2121  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2122  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2123  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2124  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2125  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2126  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2127  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2128  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2129  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2130  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2131  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2132  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2133  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2134  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2135  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2136  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2137  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2138  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2139  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2140  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2141  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2142  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2143  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2144  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2145  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2146  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2147  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2148  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2149  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2150  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2151  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2152  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2153  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2154  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2155  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2156  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2157  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2158  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2159  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2160  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2161  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2162  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2163  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2164  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2165  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2166  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2167  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2168  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2169  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2170  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2171  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2172  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2173  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2174  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2175  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2176  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2177  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2178  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2179  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2180  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2181  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2182  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2183  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2184  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2185  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2186  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2187  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2188  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2189  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2190  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2191  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2192  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2193  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2194  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2195  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2196  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2197  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2198  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2199  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2200  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2201  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2202  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2203  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2204  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2205  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2206  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2207  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2208  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2209  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2210  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2211  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2212  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2213  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2214  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2215  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2216  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2217  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2218  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2219  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2220  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2221  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2222  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2223  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2224  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2225  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2226  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2227  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2228  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2229  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2230  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2231  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2232  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2233  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2234  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2235  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2236  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2237  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2238  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2239  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2240  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2241  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2242  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2243  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2244  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2245  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2246  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2247  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2248  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2249  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2250  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2251  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2252  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2253  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2254  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2255  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2256  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2257  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2258  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2259  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2260  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2261  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2262  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2263  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2264  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2265  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2266  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2267  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2268  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2269  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2270  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2271  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2272  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2273  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2274  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2275  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2276  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2277  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2278  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2279  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2280  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2281  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2282  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2283  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2284  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2285  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2286  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2287  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2288  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2289  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2290  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2291  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2292  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2293  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2294  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2295  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2296  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2297  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2298  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2299  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2300  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2301  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2302  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2303  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2304  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2305  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2306  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2307  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2308  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2309  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2310  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2311  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2312  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2313  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2314  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2315  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2316  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2317  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2318  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2319  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2320  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2321  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2322  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2323  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2324  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2325  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2326  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2327  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2328  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2329  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2330  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2331  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2332  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2333  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2334  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2335  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2336  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2337  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2338  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2339  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2340  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2341  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2342  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2343  };
2344  secp256k1_scalar_set_int(&one, 1);
2345  for (i = 0; i < 33; i++) {
2346  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2347  CHECK(!overflow);
2348  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2349  CHECK(!overflow);
2350  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2351  CHECK(!overflow);
2352  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2353  CHECK(!overflow);
2354  secp256k1_scalar_mul(&z, &x, &y);
2356  CHECK(secp256k1_scalar_eq(&r1, &z));
2357  if (!secp256k1_scalar_is_zero(&y)) {
2358  secp256k1_scalar_inverse(&zz, &y);
2360  secp256k1_scalar_inverse_var(&zzv, &y);
2361  CHECK(secp256k1_scalar_eq(&zzv, &zz));
2362  secp256k1_scalar_mul(&z, &z, &zz);
2364  CHECK(secp256k1_scalar_eq(&x, &z));
2365  secp256k1_scalar_mul(&zz, &zz, &y);
2367  CHECK(secp256k1_scalar_eq(&one, &zz));
2368  }
2369  }
2370  }
2371 }
2372 
2373 /***** FIELD TESTS *****/
2374 
2376  unsigned char bin[32];
2377  do {
2378  secp256k1_testrand256(bin);
2379  if (secp256k1_fe_set_b32(x, bin)) {
2380  return;
2381  }
2382  } while(1);
2383 }
2384 
2386  unsigned char bin[32];
2387  do {
2389  if (secp256k1_fe_set_b32(x, bin)) {
2390  return;
2391  }
2392  } while(1);
2393 }
2394 
2396  int tries = 10;
2397  while (--tries >= 0) {
2398  random_fe(nz);
2400  if (!secp256k1_fe_is_zero(nz)) {
2401  break;
2402  }
2403  }
2404  /* Infinitesimal probability of spurious failure here */
2405  CHECK(tries >= 0);
2406 }
2407 
2409  secp256k1_fe r;
2410  random_fe_non_zero(ns);
2411  if (secp256k1_fe_sqrt(&r, ns)) {
2412  secp256k1_fe_negate(ns, ns, 1);
2413  }
2414 }
2415 
2416 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2417  secp256k1_fe an = *a;
2418  secp256k1_fe bn = *b;
2421  return secp256k1_fe_equal_var(&an, &bn);
2422 }
2423 
2424 void run_field_convert(void) {
2425  static const unsigned char b32[32] = {
2426  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2427  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2428  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2429  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2430  };
2432  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2433  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2434  );
2435  static const secp256k1_fe fe = SECP256K1_FE_CONST(
2436  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2437  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2438  );
2439  secp256k1_fe fe2;
2440  unsigned char b322[32];
2441  secp256k1_fe_storage fes2;
2442  /* Check conversions to fe. */
2443  CHECK(secp256k1_fe_set_b32(&fe2, b32));
2444  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2445  secp256k1_fe_from_storage(&fe2, &fes);
2446  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2447  /* Check conversion from fe. */
2448  secp256k1_fe_get_b32(b322, &fe);
2449  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2450  secp256k1_fe_to_storage(&fes2, &fe);
2451  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2452 }
2453 
2455  secp256k1_fe t = *b;
2456 #ifdef VERIFY
2457  t.magnitude = a->magnitude;
2458  t.normalized = a->normalized;
2459 #endif
2460  return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
2461 }
2462 
2463 void run_field_misc(void) {
2464  secp256k1_fe x;
2465  secp256k1_fe y;
2466  secp256k1_fe z;
2467  secp256k1_fe q;
2468  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2469  int i, j;
2470  for (i = 0; i < 5*count; i++) {
2471  secp256k1_fe_storage xs, ys, zs;
2472  random_fe(&x);
2473  random_fe_non_zero(&y);
2474  /* Test the fe equality and comparison operations. */
2475  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
2476  CHECK(secp256k1_fe_equal_var(&x, &x));
2477  z = x;
2478  secp256k1_fe_add(&z,&y);
2479  /* Test fe conditional move; z is not normalized here. */
2480  q = x;
2481  secp256k1_fe_cmov(&x, &z, 0);
2482 #ifdef VERIFY
2483  CHECK(x.normalized && x.magnitude == 1);
2484 #endif
2485  secp256k1_fe_cmov(&x, &x, 1);
2486  CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
2487  CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
2488  secp256k1_fe_cmov(&q, &z, 1);
2489 #ifdef VERIFY
2490  CHECK(!q.normalized && q.magnitude == z.magnitude);
2491 #endif
2492  CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
2495  CHECK(!secp256k1_fe_equal_var(&x, &z));
2497  secp256k1_fe_cmov(&q, &z, (i&1));
2498 #ifdef VERIFY
2499  CHECK(q.normalized && q.magnitude == 1);
2500 #endif
2501  for (j = 0; j < 6; j++) {
2502  secp256k1_fe_negate(&z, &z, j+1);
2504  secp256k1_fe_cmov(&q, &z, (j&1));
2505 #ifdef VERIFY
2506  CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2507 #endif
2508  }
2510  /* Test storage conversion and conditional moves. */
2511  secp256k1_fe_to_storage(&xs, &x);
2512  secp256k1_fe_to_storage(&ys, &y);
2513  secp256k1_fe_to_storage(&zs, &z);
2514  secp256k1_fe_storage_cmov(&zs, &xs, 0);
2515  secp256k1_fe_storage_cmov(&zs, &zs, 1);
2516  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2517  secp256k1_fe_storage_cmov(&ys, &xs, 1);
2518  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2519  secp256k1_fe_from_storage(&x, &xs);
2520  secp256k1_fe_from_storage(&y, &ys);
2521  secp256k1_fe_from_storage(&z, &zs);
2522  /* Test that mul_int, mul, and add agree. */
2523  secp256k1_fe_add(&y, &x);
2524  secp256k1_fe_add(&y, &x);
2525  z = x;
2526  secp256k1_fe_mul_int(&z, 3);
2527  CHECK(check_fe_equal(&y, &z));
2528  secp256k1_fe_add(&y, &x);
2529  secp256k1_fe_add(&z, &x);
2530  CHECK(check_fe_equal(&z, &y));
2531  z = x;
2532  secp256k1_fe_mul_int(&z, 5);
2533  secp256k1_fe_mul(&q, &x, &fe5);
2534  CHECK(check_fe_equal(&z, &q));
2535  secp256k1_fe_negate(&x, &x, 1);
2536  secp256k1_fe_add(&z, &x);
2537  secp256k1_fe_add(&q, &x);
2538  CHECK(check_fe_equal(&y, &z));
2539  CHECK(check_fe_equal(&q, &y));
2540  }
2541 }
2542 
2543 void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
2544 {
2545  secp256k1_fe c, an, bn;
2546  /* Variables in BE 32-byte format. */
2547  unsigned char a32[32], b32[32], c32[32];
2548  /* Variables in LE 16x uint16_t format. */
2549  uint16_t a16[16], b16[16], c16[16];
2550  /* Field modulus in LE 16x uint16_t format. */
2551  static const uint16_t m16[16] = {
2552  0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2553  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2554  };
2555  uint16_t t16[32];
2556  int i;
2557 
2558  /* Compute C = A * B in fe format. */
2559  c = *a;
2560  if (use_sqr) {
2561  secp256k1_fe_sqr(&c, &c);
2562  } else {
2563  secp256k1_fe_mul(&c, &c, b);
2564  }
2565 
2566  /* Convert A, B, C into LE 16x uint16_t format. */
2567  an = *a;
2568  bn = *b;
2572  secp256k1_fe_get_b32(a32, &an);
2573  secp256k1_fe_get_b32(b32, &bn);
2574  secp256k1_fe_get_b32(c32, &c);
2575  for (i = 0; i < 16; ++i) {
2576  a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
2577  b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
2578  c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
2579  }
2580  /* Compute T = A * B in LE 16x uint16_t format. */
2581  mulmod256(t16, a16, b16, m16);
2582  /* Compare */
2583  CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
2584 }
2585 
2586 void run_fe_mul(void) {
2587  int i;
2588  for (i = 0; i < 100 * count; ++i) {
2589  secp256k1_fe a, b, c, d;
2590  random_fe(&a);
2592  random_fe(&b);
2594  random_fe_test(&c);
2596  random_fe_test(&d);
2598  test_fe_mul(&a, &a, 1);
2599  test_fe_mul(&c, &c, 1);
2600  test_fe_mul(&a, &b, 0);
2601  test_fe_mul(&a, &c, 0);
2602  test_fe_mul(&c, &b, 0);
2603  test_fe_mul(&c, &d, 0);
2604  }
2605 }
2606 
2607 void run_sqr(void) {
2608  secp256k1_fe x, s;
2609 
2610  {
2611  int i;
2612  secp256k1_fe_set_int(&x, 1);
2613  secp256k1_fe_negate(&x, &x, 1);
2614 
2615  for (i = 1; i <= 512; ++i) {
2616  secp256k1_fe_mul_int(&x, 2);
2618  secp256k1_fe_sqr(&s, &x);
2619  }
2620  }
2621 }
2622 
2623 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2624  secp256k1_fe r1, r2;
2625  int v = secp256k1_fe_sqrt(&r1, a);
2626  CHECK((v == 0) == (k == NULL));
2627 
2628  if (k != NULL) {
2629  /* Check that the returned root is +/- the given known answer */
2630  secp256k1_fe_negate(&r2, &r1, 1);
2631  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2634  }
2635 }
2636 
2637 void run_sqrt(void) {
2638  secp256k1_fe ns, x, s, t;
2639  int i;
2640 
2641  /* Check sqrt(0) is 0 */
2642  secp256k1_fe_set_int(&x, 0);
2643  secp256k1_fe_sqr(&s, &x);
2644  test_sqrt(&s, &x);
2645 
2646  /* Check sqrt of small squares (and their negatives) */
2647  for (i = 1; i <= 100; i++) {
2648  secp256k1_fe_set_int(&x, i);
2649  secp256k1_fe_sqr(&s, &x);
2650  test_sqrt(&s, &x);
2651  secp256k1_fe_negate(&t, &s, 1);
2652  test_sqrt(&t, NULL);
2653  }
2654 
2655  /* Consistency checks for large random values */
2656  for (i = 0; i < 10; i++) {
2657  int j;
2658  random_fe_non_square(&ns);
2659  for (j = 0; j < count; j++) {
2660  random_fe(&x);
2661  secp256k1_fe_sqr(&s, &x);
2662  test_sqrt(&s, &x);
2663  secp256k1_fe_negate(&t, &s, 1);
2664  test_sqrt(&t, NULL);
2665  secp256k1_fe_mul(&t, &s, &ns);
2666  test_sqrt(&t, NULL);
2667  }
2668  }
2669 }
2670 
2671 /***** FIELD/SCALAR INVERSE TESTS *****/
2672 
2674  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2675  0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2676 );
2677 
2679  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2680  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2681 );
2682 
2683 /* These tests test the following identities:
2684  *
2685  * for x==0: 1/x == 0
2686  * for x!=0: x*(1/x) == 1
2687  * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2688  */
2689 
2691 {
2692  secp256k1_scalar l, r, t;
2693 
2694  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
2695  if (out) *out = l;
2696  if (secp256k1_scalar_is_zero(x)) {
2698  return;
2699  }
2700  secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
2701  CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
2702  secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2703  if (secp256k1_scalar_is_zero(&r)) return;
2704  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
2705  secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2706  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
2707  secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
2708  secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2709  CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
2710 }
2711 
2712 void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
2713 {
2714  secp256k1_fe l, r, t;
2715 
2716  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
2717  if (out) *out = l;
2718  t = *x; /* t = x */
2721  return;
2722  }
2723  secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
2724  secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
2725  CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
2726  r = *x; /* r = x */
2727  secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
2728  if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
2729  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
2730  secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
2731  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
2732  secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
2733  secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2734  CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
2735 }
2736 
2738 {
2739  /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
2740  static const secp256k1_fe fe_cases[][2] = {
2741  /* 0 */
2742  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2743  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2744  /* 1 */
2745  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2746  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2747  /* -1 */
2748  {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
2749  SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
2750  /* 2 */
2751  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2752  SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
2753  /* 2**128 */
2754  {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2755  SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
2756  /* Input known to need 637 divsteps */
2757  {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
2758  SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
2759  /* Input known to need 567 divsteps starting with delta=1/2. */
2760  {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
2761  SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
2762  /* Input known to need 566 divsteps starting with delta=1/2. */
2763  {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
2764  SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
2765  /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
2766  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
2767  SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
2768  {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
2769  SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
2770  {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
2771  SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
2772  {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
2773  SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
2774  {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
2775  SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
2776  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
2777  SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
2778  {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
2779  SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
2780  {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
2781  SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
2782  {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
2783  SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
2784  {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
2785  SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
2786  /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
2787  {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
2788  SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
2789  {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
2790  SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
2791  {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
2792  SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
2793  {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
2794  SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
2795  {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
2796  SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
2797  {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
2798  SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
2799  {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
2800  SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
2801  {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
2802  SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
2803  {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
2804  SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
2805  {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
2806  SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
2807  {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
2808  SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
2809  {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
2810  SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
2811  {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
2812  SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
2813  {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
2814  SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
2815  {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
2816  SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
2817  {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
2818  SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
2819  {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
2820  SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
2821  {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
2822  SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
2823  {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
2824  SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
2825  {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
2826  SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
2827  {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
2828  SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
2829  {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
2830  SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
2831  {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
2832  SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
2833  {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
2834  SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
2835  {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
2836  SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
2837  {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
2838  SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
2839  {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
2840  SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
2841  {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
2842  SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
2843  };
2844  /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
2845  static const secp256k1_scalar scalar_cases[][2] = {
2846  /* 0 */
2847  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2848  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2849  /* 1 */
2850  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2851  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2852  /* -1 */
2853  {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
2854  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
2855  /* 2 */
2856  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2857  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
2858  /* 2**128 */
2859  {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2860  SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
2861  /* Input known to need 635 divsteps */
2862  {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
2863  SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
2864  /* Input known to need 566 divsteps starting with delta=1/2. */
2865  {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
2866  SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
2867  /* Input known to need 565 divsteps starting with delta=1/2. */
2868  {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
2869  SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
2870  /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
2871  {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
2872  SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
2873  {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
2874  SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
2875  {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
2876  SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
2877  {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
2878  SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
2879  {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
2880  SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
2881  {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
2882  SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
2883  {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
2884  SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
2885  {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
2886  SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
2887  {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
2888  SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
2889  {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
2890  SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
2891  {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
2892  SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
2893  {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
2894  SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
2895  {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
2896  SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
2897  {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
2898  SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
2899  {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
2900  SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
2901  {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
2902  SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
2903  {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
2904  SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
2905  {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
2906  SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
2907  {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
2908  SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
2909  {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
2910  SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
2911  {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
2912  SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
2913  {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
2914  SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
2915  {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
2916  SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
2917  {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
2918  SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
2919  {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
2920  SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
2921  {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
2922  SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
2923  {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
2924  SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
2925  {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
2926  SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
2927  {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
2928  SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
2929  };
2930  int i, var, testrand;
2931  unsigned char b32[32];
2932  secp256k1_fe x_fe;
2933  secp256k1_scalar x_scalar;
2934  memset(b32, 0, sizeof(b32));
2935  /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
2936  for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
2937  for (var = 0; var <= 1; ++var) {
2938  test_inverse_field(&x_fe, &fe_cases[i][0], var);
2939  check_fe_equal(&x_fe, &fe_cases[i][1]);
2940  test_inverse_field(&x_fe, &fe_cases[i][1], var);
2941  check_fe_equal(&x_fe, &fe_cases[i][0]);
2942  }
2943  }
2944  for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
2945  for (var = 0; var <= 1; ++var) {
2946  test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
2947  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
2948  test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
2949  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
2950  }
2951  }
2952  /* Test inputs 0..999 and their respective negations. */
2953  for (i = 0; i < 1000; ++i) {
2954  b32[31] = i & 0xff;
2955  b32[30] = (i >> 8) & 0xff;
2956  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2957  secp256k1_fe_set_b32(&x_fe, b32);
2958  for (var = 0; var <= 1; ++var) {
2959  test_inverse_scalar(NULL, &x_scalar, var);
2960  test_inverse_field(NULL, &x_fe, var);
2961  }
2962  secp256k1_scalar_negate(&x_scalar, &x_scalar);
2963  secp256k1_fe_negate(&x_fe, &x_fe, 1);
2964  for (var = 0; var <= 1; ++var) {
2965  test_inverse_scalar(NULL, &x_scalar, var);
2966  test_inverse_field(NULL, &x_fe, var);
2967  }
2968  }
2969  /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
2970  for (testrand = 0; testrand <= 1; ++testrand) {
2971  for (i = 0; i < 64 * count; ++i) {
2973  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2974  secp256k1_fe_set_b32(&x_fe, b32);
2975  for (var = 0; var <= 1; ++var) {
2976  test_inverse_scalar(NULL, &x_scalar, var);
2977  test_inverse_field(NULL, &x_fe, var);
2978  }
2979  }
2980  }
2981 }
2982 
2983 /***** GROUP TESTS *****/
2984 
2985 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2986  CHECK(a->infinity == b->infinity);
2987  if (a->infinity) {
2988  return;
2989  }
2990  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2991  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2992 }
2993 
2994 /* This compares jacobian points including their Z, not just their geometric meaning. */
2996  secp256k1_gej a2;
2997  secp256k1_gej b2;
2998  int ret = 1;
2999  ret &= a->infinity == b->infinity;
3000  if (ret && !a->infinity) {
3001  a2 = *a;
3002  b2 = *b;
3009  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3010  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3011  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3012  }
3013  return ret;
3014 }
3015 
3016 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
3017  secp256k1_fe z2s;
3018  secp256k1_fe u1, u2, s1, s2;
3019  CHECK(a->infinity == b->infinity);
3020  if (a->infinity) {
3021  return;
3022  }
3023  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
3024  secp256k1_fe_sqr(&z2s, &b->z);
3025  secp256k1_fe_mul(&u1, &a->x, &z2s);
3026  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
3027  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
3028  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
3029  CHECK(secp256k1_fe_equal_var(&u1, &u2));
3030  CHECK(secp256k1_fe_equal_var(&s1, &s2));
3031 }
3032 
3033 void test_ge(void) {
3034  int i, i1;
3035  int runs = 6;
3036  /* 25 points are used:
3037  * - infinity
3038  * - for each of four random points p1 p2 p3 p4, we add the point, its
3039  * negation, and then those two again but with randomized Z coordinate.
3040  * - The same is then done for lambda*p1 and lambda^2*p1.
3041  */
3042  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3043  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3044  secp256k1_fe zf;
3045  secp256k1_fe zfi2, zfi3;
3046 
3047  secp256k1_gej_set_infinity(&gej[0]);
3048  secp256k1_ge_clear(&ge[0]);
3049  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3050  for (i = 0; i < runs; i++) {
3051  int j;
3052  secp256k1_ge g;
3054  if (i >= runs - 2) {
3055  secp256k1_ge_mul_lambda(&g, &ge[1]);
3056  }
3057  if (i >= runs - 1) {
3059  }
3060  ge[1 + 4 * i] = g;
3061  ge[2 + 4 * i] = g;
3062  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3063  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3064  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3065  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3066  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3067  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3068  for (j = 0; j < 4; j++) {
3069  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
3070  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
3071  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
3072  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
3073  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
3074  }
3075  }
3076 
3077  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3078  do {
3080  } while(secp256k1_fe_is_zero(&zf));
3082  secp256k1_fe_inv_var(&zfi3, &zf);
3083  secp256k1_fe_sqr(&zfi2, &zfi3);
3084  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3085 
3086  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3087  int i2;
3088  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3089  /* Compute reference result using gej + gej (var). */
3090  secp256k1_gej refj, resj;
3091  secp256k1_ge ref;
3092  secp256k1_fe zr;
3093  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3094  /* Check Z ratio. */
3095  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3096  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3097  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
3098  }
3099  secp256k1_ge_set_gej_var(&ref, &refj);
3100 
3101  /* Test gej + ge with Z ratio result (var). */
3102  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3103  ge_equals_gej(&ref, &resj);
3104  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3105  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3106  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
3107  }
3108 
3109  /* Test gej + ge (var, with additional Z factor). */
3110  {
3111  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3112  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3113  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3116  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3117  ge_equals_gej(&ref, &resj);
3118  }
3119 
3120  /* Test gej + ge (const). */
3121  if (i2 != 0) {
3122  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3123  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3124  ge_equals_gej(&ref, &resj);
3125  }
3126 
3127  /* Test doubling (var). */
3128  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3129  secp256k1_fe zr2;
3130  /* Normal doubling with Z ratio result. */
3131  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3132  ge_equals_gej(&ref, &resj);
3133  /* Check Z ratio. */
3134  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3135  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
3136  /* Normal doubling. */
3137  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3138  ge_equals_gej(&ref, &resj);
3139  /* Constant-time doubling. */
3140  secp256k1_gej_double(&resj, &gej[i2]);
3141  ge_equals_gej(&ref, &resj);
3142  }
3143 
3144  /* Test adding opposites. */
3145  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3147  }
3148 
3149  /* Test adding infinity. */
3150  if (i1 == 0) {
3151  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3152  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3153  ge_equals_gej(&ref, &gej[i2]);
3154  }
3155  if (i2 == 0) {
3156  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3157  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3158  ge_equals_gej(&ref, &gej[i1]);
3159  }
3160  }
3161  }
3162 
3163  /* Test adding all points together in random order equals infinity. */
3164  {
3166  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3167  for (i = 0; i < 4 * runs + 1; i++) {
3168  gej_shuffled[i] = gej[i];
3169  }
3170  for (i = 0; i < 4 * runs + 1; i++) {
3171  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3172  if (swap != i) {
3173  secp256k1_gej t = gej_shuffled[i];
3174  gej_shuffled[i] = gej_shuffled[swap];
3175  gej_shuffled[swap] = t;
3176  }
3177  }
3178  for (i = 0; i < 4 * runs + 1; i++) {
3179  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3180  }
3182  free(gej_shuffled);
3183  }
3184 
3185  /* Test batch gej -> ge conversion without known z ratios. */
3186  {
3187  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3188  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3189  for (i = 0; i < 4 * runs + 1; i++) {
3190  secp256k1_fe s;
3191  random_fe_non_zero(&s);
3192  secp256k1_gej_rescale(&gej[i], &s);
3193  ge_equals_gej(&ge_set_all[i], &gej[i]);
3194  }
3195  free(ge_set_all);
3196  }
3197 
3198  /* Test batch gej -> ge conversion with many infinities. */
3199  for (i = 0; i < 4 * runs + 1; i++) {
3200  int odd;
3201  random_group_element_test(&ge[i]);
3202  odd = secp256k1_fe_is_odd(&ge[i].x);
3203  CHECK(odd == 0 || odd == 1);
3204  /* randomly set half the points to infinity */
3205  if (odd == i % 2) {
3206  secp256k1_ge_set_infinity(&ge[i]);
3207  }
3208  secp256k1_gej_set_ge(&gej[i], &ge[i]);
3209  }
3210  /* batch convert */
3211  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3212  /* check result */
3213  for (i = 0; i < 4 * runs + 1; i++) {
3214  ge_equals_gej(&ge[i], &gej[i]);
3215  }
3216 
3217  /* Test batch gej -> ge conversion with all infinities. */
3218  for (i = 0; i < 4 * runs + 1; i++) {
3219  secp256k1_gej_set_infinity(&gej[i]);
3220  }
3221  /* batch convert */
3222  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3223  /* check result */
3224  for (i = 0; i < 4 * runs + 1; i++) {
3226  }
3227 
3228  free(ge);
3229  free(gej);
3230 }
3231 
3232 
3234  secp256k1_ge p;
3235  secp256k1_gej pj, npj, infj1, infj2, infj3;
3236  secp256k1_fe zinv;
3237 
3238  /* Test that adding P+(-P) results in a fully initialized infinity*/
3240  secp256k1_gej_set_ge(&pj, &p);
3241  secp256k1_gej_neg(&npj, &pj);
3242 
3243  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3245  CHECK(secp256k1_fe_is_zero(&infj1.x));
3246  CHECK(secp256k1_fe_is_zero(&infj1.y));
3247  CHECK(secp256k1_fe_is_zero(&infj1.z));
3248 
3249  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3251  CHECK(secp256k1_fe_is_zero(&infj2.x));
3252  CHECK(secp256k1_fe_is_zero(&infj2.y));
3253  CHECK(secp256k1_fe_is_zero(&infj2.z));
3254 
3255  secp256k1_fe_set_int(&zinv, 1);
3256  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3258  CHECK(secp256k1_fe_is_zero(&infj3.x));
3259  CHECK(secp256k1_fe_is_zero(&infj3.y));
3260  CHECK(secp256k1_fe_is_zero(&infj3.z));
3261 
3262 
3263 }
3264 
3266  /* The point of this test is to check that we can add two points
3267  * whose y-coordinates are negatives of each other but whose x
3268  * coordinates differ. If the x-coordinates were the same, these
3269  * points would be negatives of each other and their sum is
3270  * infinity. This is cool because it "covers up" any degeneracy
3271  * in the addition algorithm that would cause the xy coordinates
3272  * of the sum to be wrong (since infinity has no xy coordinates).
3273  * HOWEVER, if the x-coordinates are different, infinity is the
3274  * wrong answer, and such degeneracies are exposed. This is the
3275  * root of https://github.com/bitcoin-core/secp256k1/issues/257
3276  * which this test is a regression test for.
3277  *
3278  * These points were generated in sage as
3279  * # secp256k1 params
3280  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3281  * C = EllipticCurve ([F (0), F (7)])
3282  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3283  * N = FiniteField(G.order())
3284  *
3285  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
3286  * x = polygen(N)
3287  * lam = (1 - x^3).roots()[1][0]
3288  *
3289  * # random "bad pair"
3290  * P = C.random_element()
3291  * Q = -int(lam) * P
3292  * print " P: %x %x" % P.xy()
3293  * print " Q: %x %x" % Q.xy()
3294  * print "P + Q: %x %x" % (P + Q).xy()
3295  */
3297  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3298  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3299  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3300  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3301  );
3303  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3304  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3305  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3306  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3307  );
3309  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3310  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3311  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3312  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3313  );
3314  secp256k1_ge b;
3315  secp256k1_gej resj;
3316  secp256k1_ge res;
3317  secp256k1_ge_set_gej(&b, &bj);
3318 
3319  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
3320  secp256k1_ge_set_gej(&res, &resj);
3321  ge_equals_gej(&res, &sumj);
3322 
3323  secp256k1_gej_add_ge(&resj, &aj, &b);
3324  secp256k1_ge_set_gej(&res, &resj);
3325  ge_equals_gej(&res, &sumj);
3326 
3327  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
3328  secp256k1_ge_set_gej(&res, &resj);
3329  ge_equals_gej(&res, &sumj);
3330 }
3331 
3332 void run_ge(void) {
3333  int i;
3334  for (i = 0; i < count * 32; i++) {
3335  test_ge();
3336  }
3339 }
3340 
3341 void test_ec_combine(void) {
3342  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3343  secp256k1_pubkey data[6];
3344  const secp256k1_pubkey* d[6];
3345  secp256k1_pubkey sd;
3346  secp256k1_pubkey sd2;
3347  secp256k1_gej Qj;
3348  secp256k1_ge Q;
3349  int i;
3350  for (i = 1; i <= 6; i++) {
3351  secp256k1_scalar s;
3353  secp256k1_scalar_add(&sum, &sum, &s);
3355  secp256k1_ge_set_gej(&Q, &Qj);
3356  secp256k1_pubkey_save(&data[i - 1], &Q);
3357  d[i - 1] = &data[i - 1];
3359  secp256k1_ge_set_gej(&Q, &Qj);
3360  secp256k1_pubkey_save(&sd, &Q);
3361  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
3362  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
3363  }
3364 }
3365 
3366 void run_ec_combine(void) {
3367  int i;
3368  for (i = 0; i < count * 8; i++) {
3369  test_ec_combine();
3370  }
3371 }
3372 
3374  /* The input itself, normalized. */
3375  secp256k1_fe fex = *x;
3376  /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
3377  secp256k1_ge ge_even, ge_odd;
3378  /* Return values of the above calls. */
3379  int res_even, res_odd;
3380 
3382 
3383  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
3384  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
3385 
3386  CHECK(res_even == res_odd);
3387 
3388  if (res_even) {
3389  secp256k1_fe_normalize_var(&ge_odd.x);
3390  secp256k1_fe_normalize_var(&ge_even.x);
3391  secp256k1_fe_normalize_var(&ge_odd.y);
3392  secp256k1_fe_normalize_var(&ge_even.y);
3393 
3394  /* No infinity allowed. */
3395  CHECK(!ge_even.infinity);
3396  CHECK(!ge_odd.infinity);
3397 
3398  /* Check that the x coordinates check out. */
3399  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
3400  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
3401 
3402  /* Check odd/even Y in ge_odd, ge_even. */
3403  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
3404  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
3405  }
3406 }
3407 
3409  int i;
3410  for (i = 0; i < count * 4; i++) {
3411  secp256k1_fe fe;
3412  random_fe_test(&fe);
3413  test_group_decompress(&fe);
3414  }
3415 }
3416 
3417 /***** ECMULT TESTS *****/
3418 
3419 void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
3420  /* Tests the pre_g / pre_g_128 tables for consistency.
3421  * For independent verification we take a "geometric" approach to verification.
3422  * We check that every entry is on-curve.
3423  * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
3424  * (1) p, gg, and -q are colinear.
3425  * (2) p, gg, and -q are all distinct.
3426  * where gg is twice the generator, where the generator is the first table entry.
3427  *
3428  * Checking the table's generators are correct is done in run_ecmult_pre_g.
3429  */
3430  secp256k1_gej g2;
3431  secp256k1_ge p, q, gg;
3432  secp256k1_fe dpx, dpy, dqx, dqy;
3433  size_t i;
3434 
3435  CHECK(0 < n);
3436 
3437  secp256k1_ge_from_storage(&p, &pre_g[0]);
3439 
3440  secp256k1_gej_set_ge(&g2, &p);
3441  secp256k1_gej_double_var(&g2, &g2, NULL);
3442  secp256k1_ge_set_gej_var(&gg, &g2);
3443  for (i = 1; i < n; ++i) {
3444  secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
3445  secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
3446  /* Check that p is not equal to gg */
3448 
3449  secp256k1_ge_from_storage(&q, &pre_g[i]);
3451 
3452  secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x); secp256k1_fe_normalize_weak(&dqx);
3453  dqy = q.y; secp256k1_fe_add(&dqy, &gg.y); secp256k1_fe_normalize_weak(&dqy);
3454  /* Check that -q is not equal to gg */
3456 
3457  /* Check that -q is not equal to p */
3458  CHECK(!secp256k1_fe_equal_var(&dpx, &dqx) || !secp256k1_fe_equal_var(&dpy, &dqy));
3459 
3460  /* Check that p, -q and gg are colinear */
3461  secp256k1_fe_mul(&dpx, &dpx, &dqy);
3462  secp256k1_fe_mul(&dpy, &dpy, &dqx);
3463  CHECK(secp256k1_fe_equal_var(&dpx, &dpy));
3464 
3465  p = q;
3466  }
3467 }
3468 
3469 void run_ecmult_pre_g(void) {
3471  secp256k1_gej gj;
3472  secp256k1_ge g;
3473  size_t i;
3474 
3475  /* Check that the pre_g and pre_g_128 tables are consistent. */
3478 
3479  /* Check the first entry from the pre_g table. */
3481  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
3482 
3483  /* Check the first entry from the pre_g_128 table. */
3485  for (i = 0; i < 128; ++i) {
3486  secp256k1_gej_double_var(&gj, &gj, NULL);
3487  }
3488  secp256k1_ge_set_gej(&g, &gj);
3489  secp256k1_ge_to_storage(&gs, &g);
3490  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
3491 }
3492 
3493 void run_ecmult_chain(void) {
3494  /* random starting point A (on the curve) */
3496  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
3497  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
3498  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
3499  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
3500  );
3501  /* two random initial factors xn and gn */
3503  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
3504  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
3505  );
3507  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
3508  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
3509  );
3510  /* two small multipliers to be applied to xn and gn in every iteration: */
3511  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
3512  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
3513  /* accumulators with the resulting coefficients to A and G */
3514  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3515  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3516  /* actual points */
3517  secp256k1_gej x;
3518  secp256k1_gej x2;
3519  int i;
3520 
3521  /* the point being computed */
3522  x = a;
3523  for (i = 0; i < 200*count; i++) {
3524  /* in each iteration, compute X = xn*X + gn*G; */
3525  secp256k1_ecmult(&x, &x, &xn, &gn);
3526  /* also compute ae and ge: the actual accumulated factors for A and G */
3527  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
3528  secp256k1_scalar_mul(&ae, &ae, &xn);
3529  secp256k1_scalar_mul(&ge, &ge, &xn);
3530  secp256k1_scalar_add(&ge, &ge, &gn);
3531  /* modify xn and gn */
3532  secp256k1_scalar_mul(&xn, &xn, &xf);
3533  secp256k1_scalar_mul(&gn, &gn, &gf);
3534 
3535  /* verify */
3536  if (i == 19999) {
3537  /* expected result after 19999 iterations */
3539  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
3540  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
3541  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
3542  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
3543  );
3544 
3545  secp256k1_gej_neg(&rp, &rp);
3546  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
3548  }
3549  }
3550  /* redo the computation, but directly with the resulting ae and ge coefficients: */
3551  secp256k1_ecmult(&x2, &a, &ae, &ge);
3552  secp256k1_gej_neg(&x2, &x2);
3553  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
3555 }
3556 
3558  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
3559  secp256k1_scalar x;
3560  secp256k1_scalar nx;
3561  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3562  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3563  secp256k1_gej res1, res2;
3564  secp256k1_ge res3;
3565  unsigned char pub[65];
3566  size_t psize = 65;
3568  secp256k1_scalar_negate(&nx, &x);
3569  secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
3570  secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
3571  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
3573  secp256k1_ge_set_gej(&res3, &res1);
3575  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
3576  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
3577  psize = 65;
3578  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
3579  /* check zero/one edge cases */
3580  secp256k1_ecmult(&res1, point, &zero, &zero);
3581  secp256k1_ge_set_gej(&res3, &res1);
3583  secp256k1_ecmult(&res1, point, &one, &zero);
3584  secp256k1_ge_set_gej(&res3, &res1);
3585  ge_equals_gej(&res3, point);
3586  secp256k1_ecmult(&res1, point, &zero, &one);
3587  secp256k1_ge_set_gej(&res3, &res1);
3589 }
3590 
3591 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
3592  *
3593  * They are computed as:
3594  * - For a in [-2, -1, 0, 1, 2]:
3595  * - For b in [-3, -1, 1, 3]:
3596  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
3597  */
3599  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
3600  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
3601  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
3602  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
3603  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
3604  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
3605  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
3606  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
3607  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
3608  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
3609  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
3610  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
3611  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
3612  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
3613  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
3614  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
3615  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
3616  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
3617  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
3618  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
3619 };
3620 
3621 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
3622  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
3623  secp256k1_scalar n1, n2;
3624  secp256k1_ge p;
3625  secp256k1_gej pj, p1j, p2j, ptj;
3626  static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3627 
3628  /* Generate random n1,n2 such that n1+n2 = -target. */
3630  secp256k1_scalar_add(&n2, &n1, target);
3631  secp256k1_scalar_negate(&n2, &n2);
3632 
3633  /* Generate a random input point. */
3634  if (mode != 0) {
3636  secp256k1_gej_set_ge(&pj, &p);
3637  }
3638 
3639  /* EC multiplications */
3640  if (mode == 0) {
3641  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
3642  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
3643  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
3644  } else if (mode == 1) {
3645  secp256k1_ecmult(&p1j, &pj, &n1, &zero);
3646  secp256k1_ecmult(&p2j, &pj, &n2, &zero);
3647  secp256k1_ecmult(&ptj, &pj, target, &zero);
3648  } else {
3649  secp256k1_ecmult_const(&p1j, &p, &n1, 256);
3650  secp256k1_ecmult_const(&p2j, &p, &n2, 256);
3651  secp256k1_ecmult_const(&ptj, &p, target, 256);
3652  }
3653 
3654  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
3655  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
3656  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
3658 }
3659 
3661  int i;
3662  unsigned j;
3663  for (i = 0; i < 4*count; ++i) {
3664  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
3668  }
3669  }
3670 }
3671 
3673  int i;
3674  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
3675  static const secp256k1_fe xr = SECP256K1_FE_CONST(
3676  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
3677  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
3678  );
3679  for (i = 0; i < 500; i++) {
3680  secp256k1_ge p;
3681  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
3682  secp256k1_gej j;
3684  secp256k1_gej_set_ge(&j, &p);
3686  }
3687  secp256k1_fe_sqr(&x, &x);
3688  }
3690  CHECK(secp256k1_fe_equal_var(&x, &xr));
3691 }
3692 
3694  /* random starting point A (on the curve) */
3696  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
3697  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
3698  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
3699  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
3700  );
3701  /* random initial factor xn */
3703  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
3704  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
3705  );
3706  /* expected xn * A (from sage) */
3707  secp256k1_ge expected_b = SECP256K1_GE_CONST(
3708  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
3709  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
3710  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
3711  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
3712  );
3713  secp256k1_gej b;
3714  secp256k1_ecmult_const(&b, &a, &xn, 256);
3715 
3717  ge_equals_gej(&expected_b, &b);
3718 }
3719 
3721  secp256k1_scalar a;
3722  secp256k1_scalar b;
3723  secp256k1_gej res1;
3724  secp256k1_gej res2;
3725  secp256k1_ge mid1;
3726  secp256k1_ge mid2;
3729 
3730  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
3731  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
3732  secp256k1_ge_set_gej(&mid1, &res1);
3733  secp256k1_ge_set_gej(&mid2, &res2);
3734  secp256k1_ecmult_const(&res1, &mid1, &b, 256);
3735  secp256k1_ecmult_const(&res2, &mid2, &a, 256);
3736  secp256k1_ge_set_gej(&mid1, &res1);
3737  secp256k1_ge_set_gej(&mid2, &res2);
3738  ge_equals_ge(&mid1, &mid2);
3739 }
3740 
3742  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3743  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3744  secp256k1_scalar negone;
3745  secp256k1_gej res1;
3746  secp256k1_ge res2;
3747  secp256k1_ge point;
3748  secp256k1_scalar_negate(&negone, &one);
3749 
3750  random_group_element_test(&point);
3751  secp256k1_ecmult_const(&res1, &point, &zero, 3);
3752  secp256k1_ge_set_gej(&res2, &res1);
3754  secp256k1_ecmult_const(&res1, &point, &one, 2);
3755  secp256k1_ge_set_gej(&res2, &res1);
3756  ge_equals_ge(&res2, &point);
3757  secp256k1_ecmult_const(&res1, &point, &negone, 256);
3758  secp256k1_gej_neg(&res1, &res1);
3759  secp256k1_ge_set_gej(&res2, &res1);
3760  ge_equals_ge(&res2, &point);
3761 }
3762 
3764  /* Check known result (randomly generated test problem from sage) */
3766  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
3767  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
3768  );
3769  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
3770  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
3771  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
3772  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
3773  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
3774  );
3775  secp256k1_gej point;
3776  secp256k1_ge res;
3777  int i;
3778 
3780  for (i = 0; i < 100; ++i) {
3781  secp256k1_ge tmp;
3782  secp256k1_ge_set_gej(&tmp, &point);
3783  secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
3784  }
3785  secp256k1_ge_set_gej(&res, &point);
3786  ge_equals_gej(&res, &expected_point);
3787 }
3788 
3794 }
3795 
3796 typedef struct {
3800 
3801 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3802  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
3803  *sc = data->sc[idx];
3804  *pt = data->pt[idx];
3805  return 1;
3806 }
3807 
3808 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3809  (void)sc;
3810  (void)pt;
3811  (void)idx;
3812  (void)cbdata;
3813  return 0;
3814 }
3815 
3817  int ncount;
3818  secp256k1_scalar szero;
3819  secp256k1_scalar sc[32];
3820  secp256k1_ge pt[32];
3821  secp256k1_gej r;
3822  secp256k1_gej r2;
3823  ecmult_multi_data data;
3824 
3825  data.sc = sc;
3826  data.pt = pt;
3827  secp256k1_scalar_set_int(&szero, 0);
3828 
3829  /* No points to multiply */
3830  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
3831 
3832  /* Check 1- and 2-point multiplies against ecmult */
3833  for (ncount = 0; ncount < count; ncount++) {
3834  secp256k1_ge ptg;
3835  secp256k1_gej ptgj;
3836  random_scalar_order(&sc[0]);
3837  random_scalar_order(&sc[1]);
3838 
3840  secp256k1_gej_set_ge(&ptgj, &ptg);
3841  pt[0] = ptg;
3842  pt[1] = secp256k1_ge_const_g;
3843 
3844  /* only G scalar */
3845  secp256k1_ecmult(&r2, &ptgj, &szero, &sc[0]);
3846  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
3847  secp256k1_gej_neg(&r2, &r2);
3848  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3850 
3851  /* 1-point */
3852  secp256k1_ecmult(&r2, &ptgj, &sc[0], &szero);
3853  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
3854  secp256k1_gej_neg(&r2, &r2);
3855  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3857 
3858  /* Try to multiply 1 point, but callback returns false */
3859  CHECK(!ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
3860 
3861  /* 2-point */
3862  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
3863  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
3864  secp256k1_gej_neg(&r2, &r2);
3865  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3867 
3868  /* 2-point with G scalar */
3869  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
3870  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
3871  secp256k1_gej_neg(&r2, &r2);
3872  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3874  }
3875 
3876  /* Check infinite outputs of various forms */
3877  for (ncount = 0; ncount < count; ncount++) {
3878  secp256k1_ge ptg;
3879  size_t i, j;
3880  size_t sizes[] = { 2, 10, 32 };
3881 
3882  for (j = 0; j < 3; j++) {
3883  for (i = 0; i < 32; i++) {
3884  random_scalar_order(&sc[i]);
3885  secp256k1_ge_set_infinity(&pt[i]);
3886  }
3887  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3889  }
3890 
3891  for (j = 0; j < 3; j++) {
3892  for (i = 0; i < 32; i++) {
3894  pt[i] = ptg;
3895  secp256k1_scalar_set_int(&sc[i], 0);
3896  }
3897  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3899  }
3900 
3901  for (j = 0; j < 3; j++) {
3903  for (i = 0; i < 16; i++) {
3904  random_scalar_order(&sc[2*i]);
3905  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
3906  pt[2 * i] = ptg;
3907  pt[2 * i + 1] = ptg;
3908  }
3909 
3910  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3912 
3913  random_scalar_order(&sc[0]);
3914  for (i = 0; i < 16; i++) {
3916 
3917  sc[2*i] = sc[0];
3918  sc[2*i+1] = sc[0];
3919  pt[2 * i] = ptg;
3920  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
3921  }
3922 
3923  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3925  }
3926 
3928  secp256k1_scalar_set_int(&sc[0], 0);
3929  pt[0] = ptg;
3930  for (i = 1; i < 32; i++) {
3931  pt[i] = ptg;
3932 
3933  random_scalar_order(&sc[i]);
3934  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
3935  secp256k1_scalar_negate(&sc[i], &sc[i]);
3936  }
3937 
3938  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
3940  }
3941 
3942  /* Check random points, constant scalar */
3943  for (ncount = 0; ncount < count; ncount++) {
3944  size_t i;
3946 
3947  random_scalar_order(&sc[0]);
3948  for (i = 0; i < 20; i++) {
3949  secp256k1_ge ptg;
3950  sc[i] = sc[0];
3952  pt[i] = ptg;
3953  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
3954  }
3955 
3956  secp256k1_ecmult(&r2, &r, &sc[0], &szero);
3957  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3958  secp256k1_gej_neg(&r2, &r2);
3959  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3961  }
3962 
3963  /* Check random scalars, constant point */
3964  for (ncount = 0; ncount < count; ncount++) {
3965  size_t i;
3966  secp256k1_ge ptg;
3967  secp256k1_gej p0j;
3968  secp256k1_scalar rs;
3969  secp256k1_scalar_set_int(&rs, 0);
3970 
3972  for (i = 0; i < 20; i++) {
3973  random_scalar_order(&sc[i]);
3974  pt[i] = ptg;
3975  secp256k1_scalar_add(&rs, &rs, &sc[i]);
3976  }
3977 
3978  secp256k1_gej_set_ge(&p0j, &pt[0]);
3979  secp256k1_ecmult(&r2, &p0j, &rs, &szero);
3980  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3981  secp256k1_gej_neg(&r2, &r2);
3982  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3984  }
3985 
3986  /* Sanity check that zero scalars don't cause problems */
3987  for (ncount = 0; ncount < 20; ncount++) {
3988  random_scalar_order(&sc[ncount]);
3989  random_group_element_test(&pt[ncount]);
3990  }
3991 
3992  secp256k1_scalar_clear(&sc[0]);
3993  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3994  secp256k1_scalar_clear(&sc[1]);
3995  secp256k1_scalar_clear(&sc[2]);
3996  secp256k1_scalar_clear(&sc[3]);
3997  secp256k1_scalar_clear(&sc[4]);
3998  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
3999  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
4001 
4002  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4003  {
4004  const size_t TOP = 8;
4005  size_t s0i, s1i;
4006  size_t t0i, t1i;
4007  secp256k1_ge ptg;
4008  secp256k1_gej ptgj;
4009 
4011  secp256k1_gej_set_ge(&ptgj, &ptg);
4012 
4013  for(t0i = 0; t0i < TOP; t0i++) {
4014  for(t1i = 0; t1i < TOP; t1i++) {
4015  secp256k1_gej t0p, t1p;
4016  secp256k1_scalar t0, t1;
4017 
4018  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4019  secp256k1_scalar_cond_negate(&t0, t0i & 1);
4020  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4021  secp256k1_scalar_cond_negate(&t1, t1i & 1);
4022 
4023  secp256k1_ecmult(&t0p, &ptgj, &t0, &szero);
4024  secp256k1_ecmult(&t1p, &ptgj, &t1, &szero);
4025 
4026  for(s0i = 0; s0i < TOP; s0i++) {
4027  for(s1i = 0; s1i < TOP; s1i++) {
4028  secp256k1_scalar tmp1, tmp2;
4029  secp256k1_gej expected, actual;
4030 
4031  secp256k1_ge_set_gej(&pt[0], &t0p);
4032  secp256k1_ge_set_gej(&pt[1], &t1p);
4033 
4034  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4035  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4036  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4037  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4038 
4039  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4040  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4041  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4042 
4043  secp256k1_ecmult(&expected, &ptgj, &tmp1, &szero);
4044  CHECK(ecmult_multi(&ctx->error_callback, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
4045  secp256k1_gej_neg(&expected, &expected);
4046  secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
4047  CHECK(secp256k1_gej_is_infinity(&actual));
4048  }
4049  }
4050  }
4051  }
4052  }
4053 }
4054 
4056  secp256k1_scalar szero;
4057  secp256k1_scalar sc;
4058  secp256k1_ge pt;
4059  secp256k1_gej r;
4060  ecmult_multi_data data;
4061  secp256k1_scratch *scratch_empty;
4062 
4064  random_scalar_order(&sc);
4065  data.sc = &sc;
4066  data.pt = &pt;
4067  secp256k1_scalar_set_int(&szero, 0);
4068 
4069  /* Try to multiply 1 point, but scratch space is empty.*/
4070  scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
4071  CHECK(!ecmult_multi(&ctx->error_callback, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
4072  secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
4073 }
4074 
4076  int i;
4077 
4079  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
4080  /* Bucket_window of 8 is not used with endo */
4081  if (i == 8) {
4082  continue;
4083  }
4085  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
4087  }
4088  }
4089 }
4090 
4096  size_t scratch_size = secp256k1_testrand_int(256);
4098  secp256k1_scratch *scratch;
4099  size_t n_points_supported;
4100  int bucket_window = 0;
4101 
4102  for(; scratch_size < max_size; scratch_size+=256) {
4103  size_t i;
4104  size_t total_alloc;
4105  size_t checkpoint;
4106  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
4107  CHECK(scratch != NULL);
4108  checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
4109  n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
4110  if (n_points_supported == 0) {
4112  continue;
4113  }
4114  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
4115  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
4116  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
4117  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
4119  total_alloc--;
4120  }
4121  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
4122  secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
4124  }
4125  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
4126 }
4127 
4129  size_t n_batches, n_batch_points, max_n_batch_points, n;
4130 
4131  max_n_batch_points = 0;
4132  n = 1;
4133  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
4134 
4135  max_n_batch_points = 1;
4136  n = 0;
4137  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4138  CHECK(n_batches == 0);
4139  CHECK(n_batch_points == 0);
4140 
4141  max_n_batch_points = 2;
4142  n = 5;
4143  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4144  CHECK(n_batches == 3);
4145  CHECK(n_batch_points == 2);
4146 
4147  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
4149  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4150  CHECK(n_batches == 1);
4151  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
4152 
4153  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
4155  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4156  CHECK(n_batches == 2);
4157  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
4158 
4159  max_n_batch_points = 1;
4160  n = SIZE_MAX;
4161  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4162  CHECK(n_batches == SIZE_MAX);
4163  CHECK(n_batch_points == 1);
4164 
4165  max_n_batch_points = 2;
4166  n = SIZE_MAX;
4167  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4168  CHECK(n_batches == SIZE_MAX/2 + 1);
4169  CHECK(n_batch_points == 2);
4170 }
4171 
4177  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
4178  secp256k1_scalar scG;
4179  secp256k1_scalar szero;
4181  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
4182  secp256k1_gej r;
4183  secp256k1_gej r2;
4184  ecmult_multi_data data;
4185  int i;
4186  secp256k1_scratch *scratch;
4187 
4189  secp256k1_scalar_set_int(&szero, 0);
4190 
4191  /* Get random scalars and group elements and compute result */
4192  random_scalar_order(&scG);
4193  secp256k1_ecmult(&r2, &r2, &szero, &scG);
4194  for(i = 0; i < n_points; i++) {
4195  secp256k1_ge ptg;
4196  secp256k1_gej ptgj;
4198  secp256k1_gej_set_ge(&ptgj, &ptg);
4199  pt[i] = ptg;
4200  random_scalar_order(&sc[i]);
4201  secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
4202  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
4203  }
4204  data.sc = sc;
4205  data.pt = pt;
4206  secp256k1_gej_neg(&r2, &r2);
4207 
4208  /* Test with empty scratch space. It should compute the correct result using
4209  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
4211  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4212  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4215 
4216  /* Test with space for 1 point in pippenger. That's not enough because
4217  * ecmult_multi selects strauss which requires more memory. It should
4218  * therefore select the simple algorithm. */
4220  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4221  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4224 
4225  for(i = 1; i <= n_points; i++) {
4226  if (i > ECMULT_PIPPENGER_THRESHOLD) {
4227  int bucket_window = secp256k1_pippenger_bucket_window(i);
4228  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
4230  } else {
4231  size_t scratch_size = secp256k1_strauss_scratch_size(i);
4233  }
4234  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4235  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4238  }
4239  free(sc);
4240  free(pt);
4241 }
4242 
4244  secp256k1_scratch *scratch;
4245 
4248  scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
4256 
4257  /* Run test_ecmult_multi with space for exactly one point */
4261 
4264 }
4265 
4266 void test_wnaf(const secp256k1_scalar *number, int w) {
4267  secp256k1_scalar x, two, t;
4268  int wnaf[256];
4269  int zeroes = -1;
4270  int i;
4271  int bits;
4272  secp256k1_scalar_set_int(&x, 0);
4273  secp256k1_scalar_set_int(&two, 2);
4274  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
4275  CHECK(bits <= 256);
4276  for (i = bits-1; i >= 0; i--) {
4277  int v = wnaf[i];
4278  secp256k1_scalar_mul(&x, &x, &two);
4279  if (v) {
4280  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4281  zeroes=0;
4282  CHECK((v & 1) == 1); /* check non-zero elements are odd */
4283  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
4284  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4285  } else {
4286  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4287  zeroes++;
4288  }
4289  if (v >= 0) {
4291  } else {
4294  }
4295  secp256k1_scalar_add(&x, &x, &t);
4296  }
4297  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4298 }
4299 
4301  secp256k1_scalar neg1 = *number;
4302  secp256k1_scalar neg2 = *number;
4303  int sign1 = 1;
4304  int sign2 = 1;
4305 
4306  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
4307  secp256k1_scalar_negate(&neg1, &neg1);
4308  sign1 = -1;
4309  }
4311  CHECK(sign1 == sign2);
4312  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
4313 }
4314 
4315 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
4316  secp256k1_scalar x, shift;
4317  int wnaf[256] = {0};
4318  int i;
4319  int skew;
4320  int bits = 256;
4321  secp256k1_scalar num = *number;
4322  secp256k1_scalar scalar_skew;
4323 
4324  secp256k1_scalar_set_int(&x, 0);
4325  secp256k1_scalar_set_int(&shift, 1 << w);
4326  for (i = 0; i < 16; ++i) {
4327  secp256k1_scalar_shr_int(&num, 8);
4328  }
4329  bits = 128;
4330  skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
4331 
4332  for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
4334  int v = wnaf[i];
4335  CHECK(v != 0); /* check nonzero */
4336  CHECK(v & 1); /* check parity */
4337  CHECK(v > -(1 << w)); /* check range above */
4338  CHECK(v < (1 << w)); /* check range below */
4339 
4340  secp256k1_scalar_mul(&x, &x, &shift);
4341  if (v >= 0) {
4343  } else {
4346  }
4347  secp256k1_scalar_add(&x, &x, &t);
4348  }
4349  /* Skew num because when encoding numbers as odd we use an offset */
4350  secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
4351  secp256k1_scalar_add(&num, &num, &scalar_skew);
4352  CHECK(secp256k1_scalar_eq(&x, &num));
4353 }
4354 
4355 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
4356  secp256k1_scalar x, shift;
4357  int wnaf[256] = {0};
4358  int i;
4359  int skew;
4360  secp256k1_scalar num = *number;
4361 
4362  secp256k1_scalar_set_int(&x, 0);
4363  secp256k1_scalar_set_int(&shift, 1 << w);
4364  for (i = 0; i < 16; ++i) {
4365  secp256k1_scalar_shr_int(&num, 8);
4366  }
4367  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4368 
4369  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4371  int v = wnaf[i];
4372  CHECK(v == 0 || v & 1); /* check parity */
4373  CHECK(v > -(1 << w)); /* check range above */
4374  CHECK(v < (1 << w)); /* check range below */
4375 
4376  secp256k1_scalar_mul(&x, &x, &shift);
4377  if (v >= 0) {
4379  } else {
4382  }
4383  secp256k1_scalar_add(&x, &x, &t);
4384  }
4385  /* If skew is 1 then add 1 to num */
4386  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
4387  CHECK(secp256k1_scalar_eq(&x, &num));
4388 }
4389 
4390 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
4391  * rest is 0.*/
4392 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
4393  int i;
4394  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
4395  CHECK(wnaf[i] == 0);
4396  }
4397  for (i = 7; i >= 0; --i) {
4398  CHECK(wnaf[i] == wnaf_expected[i]);
4399  }
4400 }
4401 
4403  int w = 4;
4404  int wnaf[256] = {0};
4405  int i;
4406  int skew;
4407  secp256k1_scalar num;
4408 
4409  secp256k1_scalar_set_int(&num, 0);
4410  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4411  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4412  int v = wnaf[i];
4413  CHECK(v == 0);
4414  }
4415  CHECK(skew == 0);
4416 
4417  secp256k1_scalar_set_int(&num, 1);
4418  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4419  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
4420  int v = wnaf[i];
4421  CHECK(v == 0);
4422  }
4423  CHECK(wnaf[0] == 1);
4424  CHECK(skew == 0);
4425 
4426  {
4427  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
4428  secp256k1_scalar_set_int(&num, 0xffffffff);
4429  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4430  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4431  CHECK(skew == 0);
4432  }
4433  {
4434  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
4435  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
4436  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4437  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4438  CHECK(skew == 1);
4439  }
4440  {
4441  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
4442  secp256k1_scalar_set_int(&num, 0x01010101);
4443  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4444  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4445  CHECK(skew == 0);
4446  }
4447  {
4448  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
4449  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
4450  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4451  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4452  CHECK(skew == 0);
4453  }
4454 }
4455 
4456 void run_wnaf(void) {
4457  int i;
4458  secp256k1_scalar n = {{0}};
4459 
4460  test_constant_wnaf(&n, 4);
4461  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
4462  * have easier-to-diagnose failure modes */
4463  n.d[0] = 1;
4464  test_constant_wnaf(&n, 4);
4465  n.d[0] = 2;
4466  test_constant_wnaf(&n, 4);
4467  /* Test -1, because it's a special case in wnaf_const */
4469  secp256k1_scalar_negate(&n, &n);
4470  test_constant_wnaf(&n, 4);
4471 
4472  /* Test -2, which may not lead to overflows in wnaf_const */
4474  secp256k1_scalar_negate(&n, &n);
4475  test_constant_wnaf(&n, 4);
4476 
4477  /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
4478  as corner cases of negation handling in wnaf_const */
4479  secp256k1_scalar_inverse(&n, &n);
4480  test_constant_wnaf(&n, 4);
4481 
4483  test_constant_wnaf(&n, 4);
4484 
4485  /* Test 0 for fixed wnaf */
4487  /* Random tests */
4488  for (i = 0; i < count; i++) {
4489  random_scalar_order(&n);
4490  test_wnaf(&n, 4+(i%10));
4492  test_constant_wnaf(&n, 4 + (i % 10));
4493  test_fixed_wnaf(&n, 4 + (i % 10));
4494  }
4495  secp256k1_scalar_set_int(&n, 0);
4496  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
4498  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
4500 }
4501 
4502 static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
4503  const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
4504  *sc = *indata;
4505  *pt = secp256k1_ge_const_g;
4506  CHECK(idx == 0);
4507  return 1;
4508 }
4509 
4511  /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
4512  secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
4513  secp256k1_ge r;
4514  const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4515  unsigned char bytes[65];
4516  size_t size = 65;
4520  secp256k1_ecmult(&rj2, &gj, x, &zero);
4521  secp256k1_ecmult(&rj3, &infj, &zero, x);
4522  secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
4523  secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &zero, test_ecmult_accumulate_cb, (void*)x, 1);
4525  secp256k1_ge_set_gej_var(&r, &rj1);
4526  ge_equals_gej(&r, &rj2);
4527  ge_equals_gej(&r, &rj3);
4528  ge_equals_gej(&r, &rj4);
4529  ge_equals_gej(&r, &rj5);
4530  ge_equals_gej(&r, &rj6);
4531  if (secp256k1_ge_is_infinity(&r)) {
4532  /* Store infinity as 0x00 */
4533  const unsigned char zerobyte[1] = {0};
4534  secp256k1_sha256_write(acc, zerobyte, 1);
4535  } else {
4536  /* Store other points using their uncompressed serialization. */
4537  secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
4538  CHECK(size == 65);
4539  secp256k1_sha256_write(acc, bytes, size);
4540  }
4541 }
4542 
4544  /* Test ecmult_gen for:
4545  * - For i in 0..36:
4546  * - Key i
4547  * - Key -i
4548  * - For i in 0..255:
4549  * - For j in 1..255 (only odd values):
4550  * - Key (j*2^i) mod order
4551  */
4552  secp256k1_scalar x;
4553  secp256k1_sha256 acc;
4554  unsigned char b32[32];
4555  int i, j;
4557 
4558  /* Expected hash of all the computed points; created with an independent
4559  * implementation. */
4560  static const unsigned char expected32[32] = {
4561  0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
4562  0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
4563  0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
4564  0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
4565  };
4567  for (i = 0; i <= 36; ++i) {
4568  secp256k1_scalar_set_int(&x, i);
4569  test_ecmult_accumulate(&acc, &x, scratch);
4570  secp256k1_scalar_negate(&x, &x);
4571  test_ecmult_accumulate(&acc, &x, scratch);
4572  };
4573  for (i = 0; i < 256; ++i) {
4574  for (j = 1; j < 256; j += 2) {
4575  int k;
4576  secp256k1_scalar_set_int(&x, j);
4577  for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
4578  test_ecmult_accumulate(&acc, &x, scratch);
4579  }
4580  }
4581  secp256k1_sha256_finalize(&acc, b32);
4582  CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
4583 
4585 }
4586 
4589 }
4590 
4592  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
4593  secp256k1_scalar key;
4594  secp256k1_scalar b;
4595  unsigned char seed32[32];
4596  secp256k1_gej pgej;
4597  secp256k1_gej pgej2;
4598  secp256k1_gej i;
4599  secp256k1_ge pge;
4601  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
4602  secp256k1_testrand256(seed32);
4603  b = ctx->ecmult_gen_ctx.blind;
4604  i = ctx->ecmult_gen_ctx.initial;
4607  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
4608  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
4610  secp256k1_ge_set_gej(&pge, &pgej);
4611  ge_equals_gej(&pge, &pgej2);
4612 }
4613 
4615  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
4616  secp256k1_scalar b;
4617  secp256k1_gej initial;
4619  b = ctx->ecmult_gen_ctx.blind;
4620  initial = ctx->ecmult_gen_ctx.initial;
4624 }
4625 
4627  int i;
4629  for (i = 0; i < 10; i++) {
4631  }
4632 }
4633 
4634 /***** ENDOMORPHISH TESTS *****/
4636  secp256k1_scalar s, s1, slam;
4637  const unsigned char zero[32] = {0};
4638  unsigned char tmp[32];
4639 
4640  secp256k1_scalar_split_lambda(&s1, &slam, full);
4641 
4642  /* check slam*lambda + s1 == full */
4644  secp256k1_scalar_add(&s, &s, &s1);
4645  CHECK(secp256k1_scalar_eq(&s, full));
4646 
4647  /* check that both are <= 128 bits in size */
4648  if (secp256k1_scalar_is_high(&s1)) {
4649  secp256k1_scalar_negate(&s1, &s1);
4650  }
4651  if (secp256k1_scalar_is_high(&slam)) {
4652  secp256k1_scalar_negate(&slam, &slam);
4653  }
4654 
4655  secp256k1_scalar_get_b32(tmp, &s1);
4656  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
4657  secp256k1_scalar_get_b32(tmp, &slam);
4658  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
4659 }
4660 
4661 
4663  unsigned i;
4664  static secp256k1_scalar s;
4668  test_scalar_split(&s);
4671  test_scalar_split(&s);
4672 
4673  for (i = 0; i < 100U * count; ++i) {
4674  secp256k1_scalar full;
4675  random_scalar_order_test(&full);
4676  test_scalar_split(&full);
4677  }
4678  for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
4680  }
4681 }
4682 
4683 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
4684  unsigned char pubkeyc[65];
4685  secp256k1_pubkey pubkey;
4686  secp256k1_ge ge;
4687  size_t pubkeyclen;
4688  int32_t ecount;
4689  ecount = 0;
4691  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
4692  /* Smaller sizes are tested exhaustively elsewhere. */
4693  int32_t i;
4694  memcpy(&pubkeyc[1], input, 64);
4695  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
4696  for (i = 0; i < 256; i++) {
4697  /* Try all type bytes. */
4698  int xpass;
4699  int ypass;
4700  int ysign;
4701  pubkeyc[0] = i;
4702  /* What sign does this point have? */
4703  ysign = (input[63] & 1) + 2;
4704  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
4705  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
4706  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
4707  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
4708  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
4709  if (xpass || ypass) {
4710  /* These cases must parse. */
4711  unsigned char pubkeyo[65];
4712  size_t outl;
4713  memset(&pubkey, 0, sizeof(pubkey));
4714  VG_UNDEF(&pubkey, sizeof(pubkey));
4715  ecount = 0;
4716  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4717  VG_CHECK(&pubkey, sizeof(pubkey));
4718  outl = 65;
4719  VG_UNDEF(pubkeyo, 65);
4720  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4721  VG_CHECK(pubkeyo, outl);
4722  CHECK(outl == 33);
4723  CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
4724  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
4725  if (ypass) {
4726  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
4727  CHECK(pubkeyo[0] == ysign);
4728  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4729  memset(&pubkey, 0, sizeof(pubkey));
4730  VG_UNDEF(&pubkey, sizeof(pubkey));
4731  secp256k1_pubkey_save(&pubkey, &ge);
4732  VG_CHECK(&pubkey, sizeof(pubkey));
4733  outl = 65;
4734  VG_UNDEF(pubkeyo, 65);
4735  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4736  VG_CHECK(pubkeyo, outl);
4737  CHECK(outl == 65);
4738  CHECK(pubkeyo[0] == 4);
4739  CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
4740  }
4741  CHECK(ecount == 0);
4742  } else {
4743  /* These cases must fail to parse. */
4744  memset(&pubkey, 0xfe, sizeof(pubkey));
4745  ecount = 0;
4746  VG_UNDEF(&pubkey, sizeof(pubkey));
4747  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
4748  VG_CHECK(&pubkey, sizeof(pubkey));
4749  CHECK(ecount == 0);
4750  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4751  CHECK(ecount == 1);
4752  }
4753  }
4754  }
4756 }
4757 
4759 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
4760  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
4761  {
4762  /* Point with leading and trailing zeros in x and y serialization. */
4763  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
4764  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4765  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
4766  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
4767  },
4768  {
4769  /* Point with x equal to a 3rd root of unity.*/
4770  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
4771  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
4772  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4773  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4774  },
4775  {
4776  /* Point with largest x. (1/2) */
4777  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4778  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
4779  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
4780  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
4781  },
4782  {
4783  /* Point with largest x. (2/2) */
4784  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4785  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
4786  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
4787  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
4788  },
4789  {
4790  /* Point with smallest x. (1/2) */
4791  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4792  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4793  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4794  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4795  },
4796  {
4797  /* Point with smallest x. (2/2) */
4798  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4799  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4800  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4801  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4802  },
4803  {
4804  /* Point with largest y. (1/3) */
4805  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4806  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4807  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4808  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4809  },
4810  {
4811  /* Point with largest y. (2/3) */
4812  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4813  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4814  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4815  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4816  },
4817  {
4818  /* Point with largest y. (3/3) */
4819  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4820  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4821  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4822  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4823  },
4824  {
4825  /* Point with smallest y. (1/3) */
4826  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4827  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4828  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4829  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4830  },
4831  {
4832  /* Point with smallest y. (2/3) */
4833  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4834  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4835  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4836  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4837  },
4838  {
4839  /* Point with smallest y. (3/3) */
4840  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4841  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4842  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4843  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
4844  }
4845  };
4846 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
4847  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
4848  {
4849  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
4850  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4851  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4852  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4853  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4854  },
4855  {
4856  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
4857  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4858  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4859  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4860  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4861  },
4862  {
4863  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
4864  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4865  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4866  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4867  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4868  },
4869  {
4870  /* x on curve, y is from y^2 = x^3 + 8. */
4871  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4872  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4873  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4874  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
4875  }
4876  };
4877 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
4878  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
4879  {
4880  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
4881  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
4882  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
4883  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4884  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4885  },
4886  {
4887  /* Valid if x overflow ignored (x = 1 mod p). */
4888  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4889  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4890  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4891  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4892  },
4893  {
4894  /* Valid if x overflow ignored (x = 1 mod p). */
4895  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4896  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4897  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4898  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4899  },
4900  {
4901  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4902  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4903  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4904  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
4905  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
4906  },
4907  {
4908  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4909  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4910  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4911  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
4912  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
4913  },
4914  {
4915  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4916  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4917  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4918  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
4919  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
4920  },
4921  {
4922  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4923  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4924  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4925  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
4926  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
4927  }
4928  };
4929  const unsigned char pubkeyc[66] = {
4930  /* Serialization of G. */
4931  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
4932  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
4933  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
4934  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
4935  0xB8, 0x00
4936  };
4937  unsigned char sout[65];
4938  unsigned char shortkey[2];
4939  secp256k1_ge ge;
4940  secp256k1_pubkey pubkey;
4941  size_t len;
4942  int32_t i;
4943  int32_t ecount;
4944  int32_t ecount2;
4945  ecount = 0;
4946  /* Nothing should be reading this far into pubkeyc. */
4947  VG_UNDEF(&pubkeyc[65], 1);
4949  /* Zero length claimed, fail, zeroize, no illegal arg error. */
4950  memset(&pubkey, 0xfe, sizeof(pubkey));
4951  ecount = 0;
4952  VG_UNDEF(shortkey, 2);
4953  VG_UNDEF(&pubkey, sizeof(pubkey));
4954  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
4955  VG_CHECK(&pubkey, sizeof(pubkey));
4956  CHECK(ecount == 0);
4957  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4958  CHECK(ecount == 1);
4959  /* Length one claimed, fail, zeroize, no illegal arg error. */
4960  for (i = 0; i < 256 ; i++) {
4961  memset(&pubkey, 0xfe, sizeof(pubkey));
4962  ecount = 0;
4963  shortkey[0] = i;
4964  VG_UNDEF(&shortkey[1], 1);
4965  VG_UNDEF(&pubkey, sizeof(pubkey));
4966  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
4967  VG_CHECK(&pubkey, sizeof(pubkey));
4968  CHECK(ecount == 0);
4969  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4970  CHECK(ecount == 1);
4971  }
4972  /* Length two claimed, fail, zeroize, no illegal arg error. */
4973  for (i = 0; i < 65536 ; i++) {
4974  memset(&pubkey, 0xfe, sizeof(pubkey));
4975  ecount = 0;
4976  shortkey[0] = i & 255;
4977  shortkey[1] = i >> 8;
4978  VG_UNDEF(&pubkey, sizeof(pubkey));
4979  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
4980  VG_CHECK(&pubkey, sizeof(pubkey));
4981  CHECK(ecount == 0);
4982  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4983  CHECK(ecount == 1);
4984  }
4985  memset(&pubkey, 0xfe, sizeof(pubkey));
4986  ecount = 0;
4987  VG_UNDEF(&pubkey, sizeof(pubkey));
4988  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
4989  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
4990  VG_CHECK(&pubkey, sizeof(pubkey));
4991  CHECK(ecount == 0);
4992  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4993  CHECK(ecount == 1);
4994  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
4995  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
4996  CHECK(ecount == 2);
4997  /* NULL input string. Illegal arg and zeroize output. */
4998  memset(&pubkey, 0xfe, sizeof(pubkey));
4999  ecount = 0;
5000  VG_UNDEF(&pubkey, sizeof(pubkey));
5001  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
5002  VG_CHECK(&pubkey, sizeof(pubkey));
5003  CHECK(ecount == 1);
5004  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5005  CHECK(ecount == 2);
5006  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5007  memset(&pubkey, 0xfe, sizeof(pubkey));
5008  ecount = 0;
5009  VG_UNDEF(&pubkey, sizeof(pubkey));
5010  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
5011  VG_CHECK(&pubkey, sizeof(pubkey));
5012  CHECK(ecount == 0);
5013  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5014  CHECK(ecount == 1);
5015  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
5016  memset(&pubkey, 0xfe, sizeof(pubkey));
5017  ecount = 0;
5018  VG_UNDEF(&pubkey, sizeof(pubkey));
5019  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
5020  VG_CHECK(&pubkey, sizeof(pubkey));
5021  CHECK(ecount == 0);
5022  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5023  CHECK(ecount == 1);
5024  /* Valid parse. */
5025  memset(&pubkey, 0, sizeof(pubkey));
5026  ecount = 0;
5027  VG_UNDEF(&pubkey, sizeof(pubkey));
5028  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
5029  CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
5030  VG_CHECK(&pubkey, sizeof(pubkey));
5031  CHECK(ecount == 0);
5032  VG_UNDEF(&ge, sizeof(ge));
5033  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
5034  VG_CHECK(&ge.x, sizeof(ge.x));
5035  VG_CHECK(&ge.y, sizeof(ge.y));
5036  VG_CHECK(&ge.infinity, sizeof(ge.infinity));
5038  CHECK(ecount == 0);
5039  /* secp256k1_ec_pubkey_serialize illegal args. */
5040  ecount = 0;
5041  len = 65;
5043  CHECK(ecount == 1);
5044  CHECK(len == 0);
5046  CHECK(ecount == 2);
5047  len = 65;
5048  VG_UNDEF(sout, 65);
5050  VG_CHECK(sout, 65);
5051  CHECK(ecount == 3);
5052  CHECK(len == 0);
5053  len = 65;
5054  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
5055  CHECK(ecount == 4);
5056  CHECK(len == 0);
5057  len = 65;
5058  VG_UNDEF(sout, 65);
5060  VG_CHECK(sout, 65);
5061  CHECK(ecount == 4);
5062  CHECK(len == 65);
5063  /* Multiple illegal args. Should still set arg error only once. */
5064  ecount = 0;
5065  ecount2 = 11;
5066  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5067  CHECK(ecount == 1);
5068  /* Does the illegal arg callback actually change the behavior? */
5070  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5071  CHECK(ecount == 1);
5072  CHECK(ecount2 == 10);
5074  /* Try a bunch of prefabbed points with all possible encodings. */
5075  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
5076  ec_pubkey_parse_pointtest(valid[i], 1, 1);
5077  }
5078  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
5079  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
5080  }
5081  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
5082  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
5083  }
5084 }
5085 
5087  const unsigned char orderc[32] = {
5088  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5089  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5090  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5091  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
5092  };
5093  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
5094  unsigned char ctmp[33];
5095  unsigned char ctmp2[33];
5096  secp256k1_pubkey pubkey;
5097  secp256k1_pubkey pubkey2;
5098  secp256k1_pubkey pubkey_one;
5099  secp256k1_pubkey pubkey_negone;
5100  const secp256k1_pubkey *pubkeys[3];
5101  size_t len;
5102  int32_t ecount;
5103  /* Group order is too large, reject. */
5104  CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
5105  VG_UNDEF(&pubkey, sizeof(pubkey));
5106  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
5107  VG_CHECK(&pubkey, sizeof(pubkey));
5108  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5109  /* Maximum value is too large, reject. */
5110  memset(ctmp, 255, 32);
5111  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5112  memset(&pubkey, 1, sizeof(pubkey));
5113  VG_UNDEF(&pubkey, sizeof(pubkey));
5114  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5115  VG_CHECK(&pubkey, sizeof(pubkey));
5116  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5117  /* Zero is too small, reject. */
5118  memset(ctmp, 0, 32);
5119  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5120  memset(&pubkey, 1, sizeof(pubkey));
5121  VG_UNDEF(&pubkey, sizeof(pubkey));
5122  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5123  VG_CHECK(&pubkey, sizeof(pubkey));
5124  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5125  /* One must be accepted. */
5126  ctmp[31] = 0x01;
5127  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5128  memset(&pubkey, 0, sizeof(pubkey));
5129  VG_UNDEF(&pubkey, sizeof(pubkey));
5130  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5131  VG_CHECK(&pubkey, sizeof(pubkey));
5132  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5133  pubkey_one = pubkey;
5134  /* Group order + 1 is too large, reject. */
5135  memcpy(ctmp, orderc, 32);
5136  ctmp[31] = 0x42;
5137  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5138  memset(&pubkey, 1, sizeof(pubkey));
5139  VG_UNDEF(&pubkey, sizeof(pubkey));
5140  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5141  VG_CHECK(&pubkey, sizeof(pubkey));
5142  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5143  /* -1 must be accepted. */
5144  ctmp[31] = 0x40;
5145  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5146  memset(&pubkey, 0, sizeof(pubkey));
5147  VG_UNDEF(&pubkey, sizeof(pubkey));
5148  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5149  VG_CHECK(&pubkey, sizeof(pubkey));
5150  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5151  pubkey_negone = pubkey;
5152  /* Tweak of zero leaves the value unchanged. */
5153  memset(ctmp2, 0, 32);
5154  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
5155  CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
5156  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
5157  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5158  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5159  /* Multiply tweak of zero zeroizes the output. */
5160  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5161  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5162  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
5163  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5164  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5165  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5166  seckey, the seckey is zeroized. */
5167  memcpy(ctmp, orderc, 32);
5168  memset(ctmp2, 0, 32);
5169  ctmp2[31] = 0x01;
5170  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
5171  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5172  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
5173  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5174  memcpy(ctmp, orderc, 32);
5175  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5176  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5177  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5178  tweak, the seckey is zeroized. */
5179  memcpy(ctmp, orderc, 32);
5180  ctmp[31] = 0x40;
5181  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
5182  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5183  memcpy(ctmp, orderc, 32);
5184  ctmp[31] = 0x40;
5185  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
5186  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5187  memcpy(ctmp, orderc, 32);
5188  ctmp[31] = 0x40;
5189  /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
5190  tweak, the pubkey is zeroized. */
5191  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
5192  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5193  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5194  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
5195  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5196  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5197  /* If the resulting key in secp256k1_ec_seckey_tweak_add and
5198  * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
5199  * case the pubkey is zeroized. */
5200  memcpy(ctmp, orderc, 32);
5201  ctmp[31] = 0x40;
5202  memset(ctmp2, 0, 32);
5203  ctmp2[31] = 1;
5204  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
5205  CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
5206  ctmp2[31] = 1;
5207  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5208  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5209  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5210  /* Tweak computation wraps and results in a key of 1. */
5211  ctmp2[31] = 2;
5212  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
5213  CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
5214  ctmp2[31] = 2;
5215  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5216  ctmp2[31] = 1;
5217  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
5218  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5219  /* Tweak mul * 2 = 1+1. */
5220  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5221  ctmp2[31] = 2;
5222  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
5223  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5224  /* Test argument errors. */
5225  ecount = 0;
5227  CHECK(ecount == 0);
5228  /* Zeroize pubkey on parse error. */
5229  memset(&pubkey, 0, 32);
5230  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5231  CHECK(ecount == 1);
5232  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5233  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5234  memset(&pubkey2, 0, 32);
5235  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
5236  CHECK(ecount == 2);
5237  CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
5238  /* Plain argument errors. */
5239  ecount = 0;
5240  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5241  CHECK(ecount == 0);
5242  CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
5243  CHECK(ecount == 1);
5244  ecount = 0;
5245  memset(ctmp2, 0, 32);
5246  ctmp2[31] = 4;
5247  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
5248  CHECK(ecount == 1);
5249  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
5250  CHECK(ecount == 2);
5251  ecount = 0;
5252  memset(ctmp2, 0, 32);
5253  ctmp2[31] = 4;
5254  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
5255  CHECK(ecount == 1);
5256  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
5257  CHECK(ecount == 2);
5258  ecount = 0;
5259  memset(ctmp2, 0, 32);
5260  CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
5261  CHECK(ecount == 1);
5262  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
5263  CHECK(ecount == 2);
5264  ecount = 0;
5265  memset(ctmp2, 0, 32);
5266  ctmp2[31] = 1;
5267  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
5268  CHECK(ecount == 1);
5269  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
5270  CHECK(ecount == 2);
5271  ecount = 0;
5272  CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
5273  CHECK(ecount == 1);
5274  memset(&pubkey, 1, sizeof(pubkey));
5275  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5276  CHECK(ecount == 2);
5277  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5278  /* secp256k1_ec_pubkey_combine tests. */
5279  ecount = 0;
5280  pubkeys[0] = &pubkey_one;
5281  VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
5282  VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
5283  VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
5284  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5285  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5286  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
5287  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5288  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5289  CHECK(ecount == 1);
5290  CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
5291  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5292  CHECK(ecount == 2);
5293  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5294  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5295  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
5296  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5297  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5298  CHECK(ecount == 3);
5299  pubkeys[0] = &pubkey_negone;
5300  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5301  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5302  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
5303  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5304  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5305  CHECK(ecount == 3);
5306  len = 33;
5307  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5308  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
5309  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
5310  /* Result is infinity. */
5311  pubkeys[0] = &pubkey_one;
5312  pubkeys[1] = &pubkey_negone;
5313  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5314  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5315  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
5316  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5317  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5318  CHECK(ecount == 3);
5319  /* Passes through infinity but comes out one. */
5320  pubkeys[2] = &pubkey_one;
5321  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5322  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5323  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
5324  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5325  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5326  CHECK(ecount == 3);
5327  len = 33;
5328  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5329  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
5330  CHECK(