Bitcoin Core  26.1.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #include <stdio.h>
8 #include <stdlib.h>
9 #include <string.h>
10 
11 #include <time.h>
12 
13 #ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14  #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15  #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16 #endif
17 #if defined(VERIFY) && defined(COVERAGE)
18  #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19 #endif
20 #include "secp256k1.c"
21 
22 #include "../include/secp256k1.h"
23 #include "../include/secp256k1_preallocated.h"
24 #include "testrand_impl.h"
25 #include "checkmem.h"
26 #include "util.h"
27 
28 #include "../contrib/lax_der_parsing.c"
29 #include "../contrib/lax_der_privatekey_parsing.c"
30 
31 #include "modinv32_impl.h"
32 #ifdef SECP256K1_WIDEMUL_INT128
33 #include "modinv64_impl.h"
34 #include "int128_impl.h"
35 #endif
36 
37 #define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
38 
39 static int COUNT = 64;
40 static secp256k1_context *CTX = NULL;
41 static secp256k1_context *STATIC_CTX = NULL;
42 
43 static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
44  const unsigned char *p = s;
45  size_t i;
46 
47  for (i = 0; i < n; i++) {
48  if (p[i] != value) {
49  return 0;
50  }
51  }
52  return 1;
53 }
54 
55 /* TODO Use CHECK_ILLEGAL(_VOID) everywhere and get rid of the uncounting callback */
56 /* CHECK that expr_or_stmt calls the illegal callback of ctx exactly once
57  *
58  * For checking functions that use ARG_CHECK_VOID */
59 #define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) do { \
60  int32_t _calls_to_illegal_callback = 0; \
61  secp256k1_callback _saved_illegal_cb = ctx->illegal_callback; \
62  secp256k1_context_set_illegal_callback(ctx, \
63  counting_illegal_callback_fn, &_calls_to_illegal_callback); \
64  { expr_or_stmt; } \
65  ctx->illegal_callback = _saved_illegal_cb; \
66  CHECK(_calls_to_illegal_callback == 1); \
67 } while(0);
68 
69 /* CHECK that expr calls the illegal callback of ctx exactly once and that expr == 0
70  *
71  * For checking functions that use ARG_CHECK */
72 #define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
73 
74 static void counting_illegal_callback_fn(const char* str, void* data) {
75  /* Dummy callback function that just counts. */
76  int32_t *p;
77  (void)str;
78  p = data;
79  CHECK(*p != INT32_MAX);
80  (*p)++;
81 }
82 
83 static void uncounting_illegal_callback_fn(const char* str, void* data) {
84  /* Dummy callback function that just counts (backwards). */
85  int32_t *p;
86  (void)str;
87  p = data;
88  CHECK(*p != INT32_MIN);
89  (*p)--;
90 }
91 
92 static void random_field_element_magnitude(secp256k1_fe *fe, int m) {
93  secp256k1_fe zero;
94  int n = secp256k1_testrand_int(m + 1);
95  secp256k1_fe_normalize(fe);
96  if (n == 0) {
97  return;
98  }
99  secp256k1_fe_clear(&zero);
100  secp256k1_fe_negate(&zero, &zero, 0);
101  secp256k1_fe_mul_int_unchecked(&zero, n - 1);
102  secp256k1_fe_add(fe, &zero);
103 #ifdef VERIFY
104  CHECK(fe->magnitude == n);
105 #endif
106 }
107 
108 static void random_fe_test(secp256k1_fe *x) {
109  unsigned char bin[32];
110  do {
111  secp256k1_testrand256_test(bin);
112  if (secp256k1_fe_set_b32_limit(x, bin)) {
113  return;
114  }
115  } while(1);
116 }
117 
118 static void random_fe_non_zero_test(secp256k1_fe *fe) {
119  do {
120  random_fe_test(fe);
121  } while(secp256k1_fe_is_zero(fe));
122 }
123 
124 static void random_fe_magnitude(secp256k1_fe *fe) {
125  random_field_element_magnitude(fe, 8);
126 }
127 
128 static void random_ge_x_magnitude(secp256k1_ge *ge) {
129  random_field_element_magnitude(&ge->x, SECP256K1_GE_X_MAGNITUDE_MAX);
130 }
131 
132 static void random_ge_y_magnitude(secp256k1_ge *ge) {
133  random_field_element_magnitude(&ge->y, SECP256K1_GE_Y_MAGNITUDE_MAX);
134 }
135 
136 static void random_gej_x_magnitude(secp256k1_gej *gej) {
137  random_field_element_magnitude(&gej->x, SECP256K1_GEJ_X_MAGNITUDE_MAX);
138 }
139 
140 static void random_gej_y_magnitude(secp256k1_gej *gej) {
141  random_field_element_magnitude(&gej->y, SECP256K1_GEJ_Y_MAGNITUDE_MAX);
142 }
143 
144 static void random_gej_z_magnitude(secp256k1_gej *gej) {
145  random_field_element_magnitude(&gej->z, SECP256K1_GEJ_Z_MAGNITUDE_MAX);
146 }
147 
148 static void random_group_element_test(secp256k1_ge *ge) {
149  secp256k1_fe fe;
150  do {
151  random_fe_test(&fe);
152  if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
153  secp256k1_fe_normalize(&ge->y);
154  break;
155  }
156  } while(1);
157  ge->infinity = 0;
158 }
159 
160 static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
161  secp256k1_fe z2, z3;
162  random_fe_non_zero_test(&gej->z);
163  secp256k1_fe_sqr(&z2, &gej->z);
164  secp256k1_fe_mul(&z3, &z2, &gej->z);
165  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
166  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
167  gej->infinity = ge->infinity;
168 }
169 
170 static void random_gej_test(secp256k1_gej *gej) {
171  secp256k1_ge ge;
172  random_group_element_test(&ge);
173  random_group_element_jacobian_test(gej, &ge);
174 }
175 
176 static void random_scalar_order_test(secp256k1_scalar *num) {
177  do {
178  unsigned char b32[32];
179  int overflow = 0;
180  secp256k1_testrand256_test(b32);
181  secp256k1_scalar_set_b32(num, b32, &overflow);
182  if (overflow || secp256k1_scalar_is_zero(num)) {
183  continue;
184  }
185  break;
186  } while(1);
187 }
188 
189 static void random_scalar_order(secp256k1_scalar *num) {
190  do {
191  unsigned char b32[32];
192  int overflow = 0;
193  secp256k1_testrand256(b32);
194  secp256k1_scalar_set_b32(num, b32, &overflow);
195  if (overflow || secp256k1_scalar_is_zero(num)) {
196  continue;
197  }
198  break;
199  } while(1);
200 }
201 
202 static void random_scalar_order_b32(unsigned char *b32) {
203  secp256k1_scalar num;
204  random_scalar_order(&num);
205  secp256k1_scalar_get_b32(b32, &num);
206 }
207 
208 static void run_xoshiro256pp_tests(void) {
209  {
210  size_t i;
211  /* Sanity check that we run before the actual seeding. */
212  for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
213  CHECK(secp256k1_test_state[i] == 0);
214  }
215  }
216  {
217  int i;
218  unsigned char buf32[32];
219  unsigned char seed16[16] = {
220  'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
221  'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
222  };
223  unsigned char buf32_expected[32] = {
224  0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
225  0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
226  0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
227  0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
228  };
229  secp256k1_testrand_seed(seed16);
230  for (i = 0; i < 17; i++) {
231  secp256k1_testrand256(buf32);
232  }
233  CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
234  }
235 }
236 
237 static void run_selftest_tests(void) {
238  /* Test public API */
239  secp256k1_selftest();
240 }
241 
242 static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) {
243  return a->built == b->built
244  && secp256k1_scalar_eq(&a->blind, &b->blind)
245  && secp256k1_gej_eq_var(&a->initial, &b->initial);
246 }
247 
248 static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
249  return a->declassify == b->declassify
250  && ecmult_gen_context_eq(&a->ecmult_gen_ctx, &b->ecmult_gen_ctx)
251  && a->illegal_callback.fn == b->illegal_callback.fn
252  && a->illegal_callback.data == b->illegal_callback.data
253  && a->error_callback.fn == b->error_callback.fn
254  && a->error_callback.data == b->error_callback.data;
255 }
256 
257 static void run_deprecated_context_flags_test(void) {
258  /* Check that a context created with any of the flags in the flags array is
259  * identical to the NONE context. */
260  unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
261  SECP256K1_CONTEXT_VERIFY,
262  SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY };
263  secp256k1_context *none_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
264  int i;
265  for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
266  secp256k1_context *tmp_ctx;
267  CHECK(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE) == secp256k1_context_preallocated_size(flags[i]));
268  tmp_ctx = secp256k1_context_create(flags[i]);
269  CHECK(context_eq(none_ctx, tmp_ctx));
270  secp256k1_context_destroy(tmp_ctx);
271  }
272  secp256k1_context_destroy(none_ctx);
273 }
274 
275 static void run_ec_illegal_argument_tests(void) {
276  int ecount = 0;
277  int ecount2 = 10;
278  secp256k1_pubkey pubkey;
279  secp256k1_pubkey zero_pubkey;
280  secp256k1_ecdsa_signature sig;
281  unsigned char ctmp[32];
282 
283  /* Setup */
284  secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
285  secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount2);
286  memset(ctmp, 1, 32);
287  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
288 
289  /* Verify context-type checking illegal-argument errors. */
290  CHECK(secp256k1_ec_pubkey_create(STATIC_CTX, &pubkey, ctmp) == 0);
291  CHECK(ecount == 1);
292  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
293  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
294  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
295  CHECK(secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL) == 0);
296  CHECK(ecount == 2);
297  SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
298  CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
299  SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
300  CHECK(ecount2 == 10);
301  CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
302  CHECK(ecount2 == 10);
303  CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
304  CHECK(ecount == 2);
305  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
306  CHECK(ecount2 == 10);
307  CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
308  CHECK(ecount == 2);
309  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
310  CHECK(ecount2 == 10);
311  CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &pubkey) == 1);
312  CHECK(ecount == 2);
313  CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
314  CHECK(ecount == 2);
315  CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &zero_pubkey) == 0);
316  CHECK(ecount == 3);
317  CHECK(secp256k1_ec_pubkey_negate(CTX, NULL) == 0);
318  CHECK(ecount2 == 11);
319  CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
320  CHECK(ecount == 3);
321 
322  /* Clean up */
323  secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
324  secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
325 }
326 
327 static void run_static_context_tests(int use_prealloc) {
328  /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
329  CHECK(secp256k1_context_no_precomp == secp256k1_context_static);
330 
331  {
332  unsigned char seed[32] = {0x17};
333 
334  /* Randomizing secp256k1_context_static is not supported. */
335  CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, seed));
336  CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, NULL));
337 
338  /* Destroying or cloning secp256k1_context_static is not supported. */
339  if (use_prealloc) {
340  CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone_size(STATIC_CTX));
341  {
342  secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
343  CHECK(my_static_ctx != NULL);
344  memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
345  CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone(STATIC_CTX, my_static_ctx));
346  CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
347  free(my_static_ctx);
348  }
349  CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_preallocated_destroy(STATIC_CTX));
350  } else {
351  CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_clone(STATIC_CTX));
352  CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_destroy(STATIC_CTX));
353  }
354  }
355 
356  {
357  /* Verify that setting and resetting illegal callback works */
358  int32_t dummy = 0;
359  secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &dummy);
360  CHECK(STATIC_CTX->illegal_callback.fn == counting_illegal_callback_fn);
361  CHECK(STATIC_CTX->illegal_callback.data == &dummy);
362  secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
363  CHECK(STATIC_CTX->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
364  CHECK(STATIC_CTX->illegal_callback.data == NULL);
365  }
366 }
367 
368 static void run_proper_context_tests(int use_prealloc) {
369  int32_t dummy = 0;
370  secp256k1_context *my_ctx, *my_ctx_fresh;
371  void *my_ctx_prealloc = NULL;
372  unsigned char seed[32] = {0x17};
373 
374  secp256k1_gej pubj;
375  secp256k1_ge pub;
376  secp256k1_scalar msg, key, nonce;
377  secp256k1_scalar sigr, sigs;
378 
379  /* Fresh reference context for comparison */
380  my_ctx_fresh = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
381 
382  if (use_prealloc) {
383  my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
384  CHECK(my_ctx_prealloc != NULL);
385  my_ctx = secp256k1_context_preallocated_create(my_ctx_prealloc, SECP256K1_CONTEXT_NONE);
386  } else {
387  my_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
388  }
389 
390  /* Randomize and reset randomization */
391  CHECK(context_eq(my_ctx, my_ctx_fresh));
392  CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
393  CHECK(!context_eq(my_ctx, my_ctx_fresh));
394  CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
395  CHECK(context_eq(my_ctx, my_ctx_fresh));
396 
397  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
398  secp256k1_context_set_error_callback(my_ctx, secp256k1_default_illegal_callback_fn, NULL);
399  CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
400  CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
401 
402  /* check if sizes for cloning are consistent */
403  CHECK(secp256k1_context_preallocated_clone_size(my_ctx) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
404 
405  /*** clone and destroy all of them to make sure cloning was complete ***/
406  {
407  secp256k1_context *ctx_tmp;
408 
409  if (use_prealloc) {
410  /* clone into a non-preallocated context and then again into a new preallocated one. */
411  ctx_tmp = my_ctx;
412  my_ctx = secp256k1_context_clone(my_ctx);
413  CHECK(context_eq(ctx_tmp, my_ctx));
414  secp256k1_context_preallocated_destroy(ctx_tmp);
415 
416  free(my_ctx_prealloc);
417  my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
418  CHECK(my_ctx_prealloc != NULL);
419  ctx_tmp = my_ctx;
420  my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
421  CHECK(context_eq(ctx_tmp, my_ctx));
422  secp256k1_context_destroy(ctx_tmp);
423  } else {
424  /* clone into a preallocated context and then again into a new non-preallocated one. */
425  void *prealloc_tmp;
426 
427  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
428  CHECK(prealloc_tmp != NULL);
429  ctx_tmp = my_ctx;
430  my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
431  CHECK(context_eq(ctx_tmp, my_ctx));
432  secp256k1_context_destroy(ctx_tmp);
433 
434  ctx_tmp = my_ctx;
435  my_ctx = secp256k1_context_clone(my_ctx);
436  CHECK(context_eq(ctx_tmp, my_ctx));
437  secp256k1_context_preallocated_destroy(ctx_tmp);
438  free(prealloc_tmp);
439  }
440  }
441 
442  /* Verify that the error callback makes it across the clone. */
443  CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
444  CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
445  /* And that it resets back to default. */
446  secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
447  CHECK(my_ctx->error_callback.fn == secp256k1_default_error_callback_fn);
448  CHECK(context_eq(my_ctx, my_ctx_fresh));
449 
450  /* Verify that setting and resetting illegal callback works */
451  secp256k1_context_set_illegal_callback(my_ctx, counting_illegal_callback_fn, &dummy);
452  CHECK(my_ctx->illegal_callback.fn == counting_illegal_callback_fn);
453  CHECK(my_ctx->illegal_callback.data == &dummy);
454  secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
455  CHECK(my_ctx->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
456  CHECK(my_ctx->illegal_callback.data == NULL);
457  CHECK(context_eq(my_ctx, my_ctx_fresh));
458 
459  /*** attempt to use them ***/
460  random_scalar_order_test(&msg);
461  random_scalar_order_test(&key);
462  secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
463  secp256k1_ge_set_gej(&pub, &pubj);
464 
465  /* obtain a working nonce */
466  do {
467  random_scalar_order_test(&nonce);
468  } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
469 
470  /* try signing */
471  CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
472 
473  /* try verifying */
474  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
475 
476  /* cleanup */
477  if (use_prealloc) {
478  secp256k1_context_preallocated_destroy(my_ctx);
479  free(my_ctx_prealloc);
480  } else {
481  secp256k1_context_destroy(my_ctx);
482  }
483  secp256k1_context_destroy(my_ctx_fresh);
484 
485  /* Defined as no-op. */
486  secp256k1_context_destroy(NULL);
487  secp256k1_context_preallocated_destroy(NULL);
488 }
489 
490 static void run_scratch_tests(void) {
491  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
492 
493  int32_t ecount = 0;
494  size_t checkpoint;
495  size_t checkpoint_2;
496  secp256k1_scratch_space *scratch;
497  secp256k1_scratch_space local_scratch;
498 
499  secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
500  secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
501 
502  /* Test public API */
503  scratch = secp256k1_scratch_space_create(CTX, 1000);
504  CHECK(scratch != NULL);
505  CHECK(ecount == 0);
506 
507  /* Test internal API */
508  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
509  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
510  CHECK(scratch->alloc_size == 0);
511  CHECK(scratch->alloc_size % ALIGNMENT == 0);
512 
513  /* Allocating 500 bytes succeeds */
514  checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
515  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
516  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
517  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
518  CHECK(scratch->alloc_size != 0);
519  CHECK(scratch->alloc_size % ALIGNMENT == 0);
520 
521  /* Allocating another 501 bytes fails */
522  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
523  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
524  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
525  CHECK(scratch->alloc_size != 0);
526  CHECK(scratch->alloc_size % ALIGNMENT == 0);
527 
528  /* ...but it succeeds once we apply the checkpoint to undo it */
529  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
530  CHECK(scratch->alloc_size == 0);
531  CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
532  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
533  CHECK(scratch->alloc_size != 0);
534 
535  /* try to apply a bad checkpoint */
536  checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
537  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
538  CHECK(ecount == 0);
539  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
540  CHECK(ecount == 1);
541  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
542  CHECK(ecount == 2);
543 
544  /* try to use badly initialized scratch space */
545  secp256k1_scratch_space_destroy(CTX, scratch);
546  memset(&local_scratch, 0, sizeof(local_scratch));
547  scratch = &local_scratch;
548  CHECK(!secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0));
549  CHECK(ecount == 3);
550  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) == NULL);
551  CHECK(ecount == 4);
552  secp256k1_scratch_space_destroy(CTX, scratch);
553  CHECK(ecount == 5);
554 
555  /* Test that large integers do not wrap around in a bad way */
556  scratch = secp256k1_scratch_space_create(CTX, 1000);
557  /* Try max allocation with a large number of objects. Only makes sense if
558  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
559  * space. */
560  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
561  /* Try allocating SIZE_MAX to test wrap around which only happens if
562  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
563  * space is too small. */
564  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
565  secp256k1_scratch_space_destroy(CTX, scratch);
566 
567  /* cleanup */
568  secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
569 
570  secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
571  secp256k1_context_set_error_callback(CTX, NULL, NULL);
572 }
573 
574 static void run_ctz_tests(void) {
575  static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
576  static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
577  int shift;
578  unsigned i;
579  for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
580  for (shift = 0; shift < 32; ++shift) {
581  CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
582  CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
583  }
584  }
585  for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
586  for (shift = 0; shift < 64; ++shift) {
587  CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
588  CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
589  }
590  }
591 }
592 
593 /***** HASH TESTS *****/
594 
595 static void run_sha256_known_output_tests(void) {
596  static const char *inputs[] = {
597  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
598  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
599  "For this sample, this 63-byte string will be used as input data",
600  "This is exactly 64 bytes long, not counting the terminating byte",
601  "aaaaa",
602  };
603  static const unsigned int repeat[] = {
604  1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
605  };
606  static const unsigned char outputs[][32] = {
607  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
608  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
609  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
610  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
611  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
612  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
613  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
614  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
615  {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
616  };
617  unsigned int i, ninputs;
618 
619  /* Skip last input vector for low iteration counts */
620  ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
621  CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
622 
623  for (i = 0; i < ninputs; i++) {
624  unsigned char out[32];
625  secp256k1_sha256 hasher;
626  unsigned int j;
627  /* 1. Run: simply write the input bytestrings */
628  j = repeat[i];
629  secp256k1_sha256_initialize(&hasher);
630  while (j > 0) {
631  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
632  j--;
633  }
634  secp256k1_sha256_finalize(&hasher, out);
635  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
636  /* 2. Run: split the input bytestrings randomly before writing */
637  if (strlen(inputs[i]) > 0) {
638  int split = secp256k1_testrand_int(strlen(inputs[i]));
639  secp256k1_sha256_initialize(&hasher);
640  j = repeat[i];
641  while (j > 0) {
642  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
643  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
644  j--;
645  }
646  secp256k1_sha256_finalize(&hasher, out);
647  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
648  }
649  }
650 }
651 
696 static void run_sha256_counter_tests(void) {
697  static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
698  static const secp256k1_sha256 midstates[] = {
699  {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
700  {0x00}, 0xfffc0},
701  {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
702  {0x00}, 0x1fffc0},
703  {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
704  {0x00}, 0x3fffc0},
705  {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
706  {0x00}, 0x7fffc0},
707  {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
708  {0x00}, 0xffffc0},
709  {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
710  {0x00}, 0x1ffffc0},
711  {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
712  {0x00}, 0x3ffffc0},
713  {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
714  {0x00}, 0x7ffffc0},
715  {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
716  {0x00}, 0xfffffc0},
717  {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
718  {0x00}, 0x1fffffc0},
719  {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
720  {0x00}, 0x3fffffc0},
721  {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
722  {0x00}, 0x7fffffc0},
723  {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
724  {0x00}, 0xffffffc0},
725  {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
726  {0x00}, 0x1ffffffc0},
727  };
728  static const unsigned char outputs[][32] = {
729  {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
730  {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
731  {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
732  {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
733  {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
734  {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
735  {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
736  {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
737  {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
738  {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
739  {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
740  {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
741  {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
742  {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
743  };
744  unsigned int i;
745  for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
746  unsigned char out[32];
747  secp256k1_sha256 hasher = midstates[i];
748  secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
749  secp256k1_sha256_finalize(&hasher, out);
750  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
751  }
752 }
753 
754 /* Tests for the equality of two sha256 structs. This function only produces a
755  * correct result if an integer multiple of 64 many bytes have been written
756  * into the hash functions. This function is used by some module tests. */
757 static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
758  /* Is buffer fully consumed? */
759  CHECK((sha1->bytes & 0x3F) == 0);
760 
761  CHECK(sha1->bytes == sha2->bytes);
762  CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
763 }
764 
765 static void run_hmac_sha256_tests(void) {
766  static const char *keys[6] = {
767  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
768  "\x4a\x65\x66\x65",
769  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
770  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
771  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
772  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
773  };
774  static const char *inputs[6] = {
775  "\x48\x69\x20\x54\x68\x65\x72\x65",
776  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
777  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
778  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
779  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
780  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
781  };
782  static const unsigned char outputs[6][32] = {
783  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
784  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
785  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
786  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
787  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
788  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
789  };
790  int i;
791  for (i = 0; i < 6; i++) {
792  secp256k1_hmac_sha256 hasher;
793  unsigned char out[32];
794  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
795  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
796  secp256k1_hmac_sha256_finalize(&hasher, out);
797  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
798  if (strlen(inputs[i]) > 0) {
799  int split = secp256k1_testrand_int(strlen(inputs[i]));
800  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
801  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
802  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
803  secp256k1_hmac_sha256_finalize(&hasher, out);
804  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
805  }
806  }
807 }
808 
809 static void run_rfc6979_hmac_sha256_tests(void) {
810  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
811  static const unsigned char out1[3][32] = {
812  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
813  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
814  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
815  };
816 
817  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
818  static const unsigned char out2[3][32] = {
819  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
820  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
821  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
822  };
823 
824  secp256k1_rfc6979_hmac_sha256 rng;
825  unsigned char out[32];
826  int i;
827 
828  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
829  for (i = 0; i < 3; i++) {
830  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
831  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
832  }
833  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
834 
835  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
836  for (i = 0; i < 3; i++) {
837  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
838  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
839  }
840  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
841 
842  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
843  for (i = 0; i < 3; i++) {
844  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
845  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
846  }
847  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
848 }
849 
850 static void run_tagged_sha256_tests(void) {
851  int ecount = 0;
852  unsigned char tag[32] = { 0 };
853  unsigned char msg[32] = { 0 };
854  unsigned char hash32[32];
855  unsigned char hash_expected[32] = {
856  0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
857  0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
858  0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
859  0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
860  };
861 
862  secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
863 
864  /* API test */
865  CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
866  CHECK(secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
867  CHECK(ecount == 1);
868  CHECK(secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)) == 0);
869  CHECK(ecount == 2);
870  CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0) == 0);
871  CHECK(ecount == 3);
872 
873  /* Static test vector */
874  memcpy(tag, "tag", 3);
875  memcpy(msg, "msg", 3);
876  CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
877  CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
878 }
879 
880 /***** MODINV TESTS *****/
881 
882 /* Compute the modular inverse of (odd) x mod 2^64. */
883 static uint64_t modinv2p64(uint64_t x) {
884  /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
885  * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
886  * why. Start with L=0, for which it is true for every odd x that
887  * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
888  int l;
889  uint64_t w = 1;
890  CHECK(x & 1);
891  for (l = 0; l < 6; ++l) w *= (2 - w*x);
892  return w;
893 }
894 
895 
896 /* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
897  *
898  * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
899  * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
900 static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
901  uint16_t mul[32];
902  uint64_t c = 0;
903  int i, j;
904  int m_bitlen = 0;
905  int mul_bitlen = 0;
906 
907  if (b != NULL) {
908  /* Compute the product of a and b, and put it in mul. */
909  for (i = 0; i < 32; ++i) {
910  for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
911  c += (uint64_t)a[j] * b[i - j];
912  }
913  mul[i] = c & 0xFFFF;
914  c >>= 16;
915  }
916  CHECK(c == 0);
917 
918  /* compute the highest set bit in mul */
919  for (i = 511; i >= 0; --i) {
920  if ((mul[i >> 4] >> (i & 15)) & 1) {
921  mul_bitlen = i;
922  break;
923  }
924  }
925  } else {
926  /* if b==NULL, set mul=a. */
927  memcpy(mul, a, 32);
928  memset(mul + 16, 0, 32);
929  /* compute the highest set bit in mul */
930  for (i = 255; i >= 0; --i) {
931  if ((mul[i >> 4] >> (i & 15)) & 1) {
932  mul_bitlen = i;
933  break;
934  }
935  }
936  }
937 
938  if (m) {
939  /* Compute the highest set bit in m. */
940  for (i = 255; i >= 0; --i) {
941  if ((m[i >> 4] >> (i & 15)) & 1) {
942  m_bitlen = i;
943  break;
944  }
945  }
946 
947  /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
948  for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
949  uint16_t mul2[32];
950  int64_t cs;
951 
952  /* Compute mul2 = mul - m<<i. */
953  cs = 0; /* accumulator */
954  for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
955  /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
956  uint16_t sub = 0;
957  int p;
958  for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
959  int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
960  if (bitpos >= 0 && bitpos < 256) {
961  sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
962  }
963  }
964  /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
965  cs += mul[j];
966  cs -= sub;
967  mul2[j] = (cs & 0xFFFF);
968  cs >>= 16;
969  }
970  /* If remainder of subtraction is 0, set mul = mul2. */
971  if (cs == 0) {
972  memcpy(mul, mul2, sizeof(mul));
973  }
974  }
975  /* Sanity check: test that all limbs higher than m's highest are zero */
976  for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
977  CHECK(mul[i] == 0);
978  }
979  }
980  memcpy(out, mul, 32);
981 }
982 
983 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
984 static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
985  int i;
986  memset(out->v, 0, sizeof(out->v));
987  for (i = 0; i < 256; ++i) {
988  out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
989  }
990 }
991 
992 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
993 static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
994  int i;
995  memset(out, 0, 32);
996  for (i = 0; i < 256; ++i) {
997  out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
998  }
999 }
1000 
1001 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
1002 static void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
1003  int i;
1004  for (i = 0; i < 16; ++i) {
1005  int pos = secp256k1_testrand_bits(3);
1006  if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
1007  x->v[pos] -= 0x40000000;
1008  x->v[pos + 1] += 1;
1009  } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
1010  x->v[pos] += 0x40000000;
1011  x->v[pos + 1] -= 1;
1012  }
1013  }
1014 }
1015 
1016 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
1017 static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1018  uint16_t tmp[16];
1019  secp256k1_modinv32_signed30 x;
1020  secp256k1_modinv32_modinfo m;
1021  int i, vartime, nonzero;
1022 
1023  uint16_to_signed30(&x, in);
1024  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
1025  uint16_to_signed30(&m.modulus, mod);
1026 
1027  /* compute 1/modulus mod 2^30 */
1028  m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
1029  CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
1030 
1031  /* Test secp256k1_jacobi32_maybe_var. */
1032  if (nonzero) {
1033  int jac;
1034  uint16_t sqr[16], negone[16];
1035  mulmod256(sqr, in, in, mod);
1036  uint16_to_signed30(&x, sqr);
1037  /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1038  jac = secp256k1_jacobi32_maybe_var(&x, &m);
1039  CHECK(jac == 0 || jac == 1);
1040  /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1041  * jacobi symbols if and only if (mod % 4) == 3. */
1042  negone[0] = mod[0] - 1;
1043  for (i = 1; i < 16; ++i) negone[i] = mod[i];
1044  mulmod256(sqr, sqr, negone, mod);
1045  uint16_to_signed30(&x, sqr);
1046  jac = secp256k1_jacobi32_maybe_var(&x, &m);
1047  CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1048  }
1049 
1050  uint16_to_signed30(&x, in);
1051  mutate_sign_signed30(&m.modulus);
1052  for (vartime = 0; vartime < 2; ++vartime) {
1053  /* compute inverse */
1054  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1055 
1056  /* produce output */
1057  signed30_to_uint16(out, &x);
1058 
1059  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1060  mulmod256(tmp, out, in, mod);
1061  CHECK(tmp[0] == nonzero);
1062  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1063 
1064  /* invert again */
1065  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1066 
1067  /* check if the result is equal to the input */
1068  signed30_to_uint16(tmp, &x);
1069  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1070  }
1071 }
1072 
1073 #ifdef SECP256K1_WIDEMUL_INT128
1074 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1075 static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1076  int i;
1077  memset(out->v, 0, sizeof(out->v));
1078  for (i = 0; i < 256; ++i) {
1079  out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1080  }
1081 }
1082 
1083 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1084 static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1085  int i;
1086  memset(out, 0, 32);
1087  for (i = 0; i < 256; ++i) {
1088  out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1089  }
1090 }
1091 
1092 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1093 static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1094  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1095  int i;
1096  for (i = 0; i < 8; ++i) {
1097  int pos = secp256k1_testrand_bits(2);
1098  if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1099  x->v[pos] -= (M62 + 1);
1100  x->v[pos + 1] += 1;
1101  } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1102  x->v[pos] += (M62 + 1);
1103  x->v[pos + 1] -= 1;
1104  }
1105  }
1106 }
1107 
1108 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1109 static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1110  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1111  uint16_t tmp[16];
1112  secp256k1_modinv64_signed62 x;
1113  secp256k1_modinv64_modinfo m;
1114  int i, vartime, nonzero;
1115 
1116  uint16_to_signed62(&x, in);
1117  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1118  uint16_to_signed62(&m.modulus, mod);
1119 
1120  /* compute 1/modulus mod 2^62 */
1121  m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1122  CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1123 
1124  /* Test secp256k1_jacobi64_maybe_var. */
1125  if (nonzero) {
1126  int jac;
1127  uint16_t sqr[16], negone[16];
1128  mulmod256(sqr, in, in, mod);
1129  uint16_to_signed62(&x, sqr);
1130  /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1131  jac = secp256k1_jacobi64_maybe_var(&x, &m);
1132  CHECK(jac == 0 || jac == 1);
1133  /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1134  * jacobi symbols if and only if (mod % 4) == 3. */
1135  negone[0] = mod[0] - 1;
1136  for (i = 1; i < 16; ++i) negone[i] = mod[i];
1137  mulmod256(sqr, sqr, negone, mod);
1138  uint16_to_signed62(&x, sqr);
1139  jac = secp256k1_jacobi64_maybe_var(&x, &m);
1140  CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1141  }
1142 
1143  uint16_to_signed62(&x, in);
1144  mutate_sign_signed62(&m.modulus);
1145  for (vartime = 0; vartime < 2; ++vartime) {
1146  /* compute inverse */
1147  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1148 
1149  /* produce output */
1150  signed62_to_uint16(out, &x);
1151 
1152  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1153  mulmod256(tmp, out, in, mod);
1154  CHECK(tmp[0] == nonzero);
1155  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1156 
1157  /* invert again */
1158  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1159 
1160  /* check if the result is equal to the input */
1161  signed62_to_uint16(tmp, &x);
1162  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1163  }
1164 }
1165 #endif
1166 
1167 /* test if a and b are coprime */
1168 static int coprime(const uint16_t* a, const uint16_t* b) {
1169  uint16_t x[16], y[16], t[16];
1170  int i;
1171  int iszero;
1172  memcpy(x, a, 32);
1173  memcpy(y, b, 32);
1174 
1175  /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1176  while (1) {
1177  iszero = 1;
1178  for (i = 0; i < 16; ++i) {
1179  if (x[i] != 0) {
1180  iszero = 0;
1181  break;
1182  }
1183  }
1184  if (iszero) break;
1185  mulmod256(t, y, NULL, x);
1186  memcpy(y, x, 32);
1187  memcpy(x, t, 32);
1188  }
1189 
1190  /* return whether y=1 */
1191  if (y[0] != 1) return 0;
1192  for (i = 1; i < 16; ++i) {
1193  if (y[i] != 0) return 0;
1194  }
1195  return 1;
1196 }
1197 
1198 static void run_modinv_tests(void) {
1199  /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1200  static const uint16_t CASES[][3][16] = {
1201  /* Test cases triggering edge cases in divsteps */
1202 
1203  /* Test case known to need 713 divsteps */
1204  {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1205  0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1206  {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1207  0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1208  {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1209  0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1210  /* Test case known to need 589 divsteps, reaching delta=-140 and
1211  delta=141. */
1212  {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1213  0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1214  {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1215  0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1216  {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1217  0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1218  /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1219  {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1220  0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1221  {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1222  0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1223  {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1224  0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1225  /* example needing 713 divsteps; delta=-2..3 */
1226  {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1227  0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1228  {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1229  0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1230  {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1231  0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1232  /* example needing 713 divsteps; delta=-2..3 */
1233  {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1234  0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1235  {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1236  0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1237  {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1238  0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1239  /* example needing 713 divsteps; delta=-2..3 */
1240  {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1241  0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1242  {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1243  0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1244  {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1245  0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1246  /* example reaching delta=-64..65; 661 divsteps */
1247  {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1248  0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1249  {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1250  0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1251  {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1252  0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1253  /* example reaching delta=-64..65; 661 divsteps */
1254  {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1255  0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1256  {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1257  0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1258  {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1259  0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1260  /* example reaching delta=-64..65; 661 divsteps */
1261  {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1262  0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1263  {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1264  0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1265  {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1266  0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1267  /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1268  {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1269  0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1270  {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1271  0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1272  {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1273  0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1274  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1275  {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1276  0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1277  {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1278  0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1279  {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1280  0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1281  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1282  {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1283  0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1284  {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1285  0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1286  {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1287  0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1288  /* example doing 446 (f,g/2) steps; 523 divsteps */
1289  {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1290  0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1291  {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1292  0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1293  {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1294  0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1295  /* example doing 446 (f,g/2) steps; 523 divsteps */
1296  {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1297  0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1298  {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1299  0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1300  {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1301  0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1302  /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1303  {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1304  0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1305  {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1306  0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1307  {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1308  0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1309  /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1310  {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1311  0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1312  {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1313  0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1314  {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1315  0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1316  /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1317  {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1318  0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1319  {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1320  0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1321  {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1322  0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1323  /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1324  {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1325  0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1326  {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1327  0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1328  {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1329  0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1330 
1331  /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1332 
1333  /* example needing 590 divsteps; delta=-5/2..7/2 */
1334  {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1335  0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1336  {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1337  0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1338  {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1339  0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1340  /* example needing 590 divsteps; delta=-3/2..5/2 */
1341  {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1342  0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1343  {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1344  0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1345  {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1346  0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1347  /* example needing 590 divsteps; delta=-3/2..5/2 */
1348  {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1349  0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1350  {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1351  0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1352  {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1353  0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1354  /* example needing 590 divsteps; delta=-5/2..7/2 */
1355  {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1356  0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1357  {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1358  0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1359  {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1360  0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1361  /* example needing 590 divsteps; delta=-3/2..5/2 */
1362  {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1363  0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1364  {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1365  0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1366  {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1367  0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1368  /* example reaching delta=-127/2..129/2; 571 divsteps */
1369  {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1370  0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1371  {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1372  0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1373  {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1374  0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1375  /* example reaching delta=-127/2..129/2; 571 divsteps */
1376  {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1377  0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1378  {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1379  0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1380  {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1381  0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1382  /* example reaching delta=-127/2..129/2; 571 divsteps */
1383  {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1384  0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1385  {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1386  0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1387  {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1388  0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1389  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1390  {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1391  0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1392  {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1393  0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1394  {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1395  0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1396  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1397  {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1398  0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1399  {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1400  0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1401  {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1402  0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1403  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1404  {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1405  0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1406  {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1407  0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1408  {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1409  0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1410  /* example doing 453 (f,g/2) steps; 514 divsteps */
1411  {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1412  0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1413  {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1414  0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1415  {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1416  0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1417  /* example doing 453 (f,g/2) steps; 514 divsteps */
1418  {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1419  0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1420  {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1421  0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1422  {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1423  0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1424  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1425  {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1426  0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1427  {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1428  0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1429  {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1430  0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1431  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1432  {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1433  0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1434  {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1435  0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1436  {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1437  0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1438  /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1439  {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1440  0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1441  {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1442  0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1443  {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1444  0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1445  /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1446  {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1447  0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1448  {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1449  0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1450  {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1451  0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1452 
1453  /* Test cases with the group order as modulus. */
1454 
1455  /* Test case with the group order as modulus, needing 635 divsteps. */
1456  {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1457  0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1458  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1459  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1460  {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1461  0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1462  /* example with group size as modulus needing 631 divsteps */
1463  {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1464  0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1465  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1466  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1467  {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1468  0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1469  /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1470  {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1471  0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1472  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1473  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1474  {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1475  0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1476  /* Test case with the group size as modulus, needing 981 divsteps with
1477  broken eta handling. */
1478  {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1479  0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1480  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1481  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1482  {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1483  0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1484  /* Test case with the group size as modulus, input = 0. */
1485  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1486  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1487  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1488  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1489  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1490  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1491  /* Test case with the group size as modulus, input = 1. */
1492  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1493  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1494  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1495  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1496  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1497  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1498  /* Test case with the group size as modulus, input = 2. */
1499  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1500  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1501  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1502  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1503  {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1504  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1505  /* Test case with the group size as modulus, input = group - 1. */
1506  {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1507  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1508  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1509  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1510  {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1511  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1512 
1513  /* Test cases with the field size as modulus. */
1514 
1515  /* Test case with the field size as modulus, needing 637 divsteps. */
1516  {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1517  0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1518  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1519  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1520  {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1521  0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1522  /* example with field size as modulus needing 637 divsteps */
1523  {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1524  0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1525  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1526  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1527  {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1528  0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1529  /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1530  {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1531  0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1532  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1533  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1534  {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1535  0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1536  /* Test case with the field size as modulus, needing 935 divsteps with
1537  broken eta handling. */
1538  {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1539  0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1540  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1541  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1542  {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1543  0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1544  /* Test case with the field size as modulus, input = 0. */
1545  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1546  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1547  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1548  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1549  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1550  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1551  /* Test case with the field size as modulus, input = 1. */
1552  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1553  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1554  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1555  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1556  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1557  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1558  /* Test case with the field size as modulus, input = 2. */
1559  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1560  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1561  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1562  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1563  {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1564  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1565  /* Test case with the field size as modulus, input = field - 1. */
1566  {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1567  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1568  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1569  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1570  {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1571  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1572 
1573  /* Selected from a large number of random inputs to reach small/large
1574  * d/e values in various configurations. */
1575  {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1576  0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1577  {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1578  0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1579  {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1580  0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1581  {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1582  0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1583  {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1584  0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1585  {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1586  0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1587  {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1588  0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1589  {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1590  0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1591  {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1592  0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1593  {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1594  0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1595  {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1596  0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1597  {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1598  0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1599  {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1600  0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1601  {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1602  0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1603  {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1604  0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1605  {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1606  0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1607  {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1608  0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1609  {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1610  0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1611  {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1612  0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1613  {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1614  0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1615  {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1616  0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1617  {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1618  0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1619  {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1620  0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1621  {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1622  0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1623  {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1624  0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1625  {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1626  0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1627  {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1628  0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1629  {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1630  0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1631  {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1632  0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1633  {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1634  0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1635  {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1636  0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1637  {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1638  0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1639  {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1640  0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1641  {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1642  0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1643  {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1644  0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1645  {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1646  0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1647  {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1648  0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1649  {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1650  0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1651  {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1652  0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1653  {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1654  0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1655  {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1656  0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1657  {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1658  0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1659  {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1660  0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1661  {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1662  0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1663  {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1664  0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1665  {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1666  0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1667  {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1668  0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1669  {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1670  0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1671  {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1672  0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1673  {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1674  0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1675  {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1676  0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1677  {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1678  0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1679  {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1680  0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1681  {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1682  0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1683  {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1684  0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1685  {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1686  0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1687  {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1688  0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1689  {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1690  0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1691  {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1692  0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1693  {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1694  0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1695  {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1696  0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1697  {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1698  0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1699  {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1700  0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1701  {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1702  0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1703  {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1704  0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1705  {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1706  0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1707  {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1708  0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1709  {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1710  0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1711  {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1712  0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1713  {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1714  0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1715  {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1716  0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1717  {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1718  0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1719  {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1720  0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1721  {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1722  0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1723  {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1724  0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1725  {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1726  0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1727  {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1728  0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1729  {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1730  0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1731  {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1732  0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1733  {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1734  0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1735  {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1736  0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1737  {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1738  0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1739  {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1740  0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1741  {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1742  0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1743  {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1744  0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1745  {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1746  0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1747  {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1748  0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1749  {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1750  0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1751  {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1752  0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1753  {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1754  0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1755  {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1756  0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1757  {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1758  0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1759  {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1760  0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1761  {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1762  0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1763  {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1764  0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1765  {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1766  0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1767  {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1768  0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1769  {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1770  0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1771  {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1772  0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1773  {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1774  0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1775  {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1776  0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1777  {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1778  0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1779  {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1780  0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1781  {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1782  0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1783  {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1784  0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1785  };
1786 
1787  int i, j, ok;
1788 
1789  /* Test known inputs/outputs */
1790  for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1791  uint16_t out[16];
1792  test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1793  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1794 #ifdef SECP256K1_WIDEMUL_INT128
1795  test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1796  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1797 #endif
1798  }
1799 
1800  for (i = 0; i < 100 * COUNT; ++i) {
1801  /* 256-bit numbers in 16-uint16_t's notation */
1802  static const uint16_t ZERO[16] = {0};
1803  uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1804  uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1805  uint16_t id[16]; /* the inverse of xd mod md */
1806 
1807  /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1808  do {
1809  /* generate random xd and md (with many subsequent 0s and 1s) */
1810  secp256k1_testrand256_test((unsigned char*)xd);
1811  secp256k1_testrand256_test((unsigned char*)md);
1812  md[0] |= 1; /* modulus must be odd */
1813  /* If modulus is 1, find another one. */
1814  ok = md[0] != 1;
1815  for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1816  mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1817  } while (!(ok && coprime(xd, md)));
1818 
1819  test_modinv32_uint16(id, xd, md);
1820 #ifdef SECP256K1_WIDEMUL_INT128
1821  test_modinv64_uint16(id, xd, md);
1822 #endif
1823 
1824  /* In a few cases, also test with input=0 */
1825  if (i < COUNT) {
1826  test_modinv32_uint16(id, ZERO, md);
1827 #ifdef SECP256K1_WIDEMUL_INT128
1828  test_modinv64_uint16(id, ZERO, md);
1829 #endif
1830  }
1831  }
1832 }
1833 
1834 /***** INT128 TESTS *****/
1835 
1836 #ifdef SECP256K1_WIDEMUL_INT128
1837 /* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1838 static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1839  int i;
1840  uint32_t carry = 0;
1841  for (i = 0; i < 16; ++i) {
1842  carry += a[i];
1843  carry += b[i];
1844  out[i] = carry;
1845  carry >>= 16;
1846  }
1847 }
1848 
1849 /* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1850 static void neg256(uint16_t* out, const uint16_t* a) {
1851  int i;
1852  uint32_t carry = 1;
1853  for (i = 0; i < 16; ++i) {
1854  carry += (uint16_t)~a[i];
1855  out[i] = carry;
1856  carry >>= 16;
1857  }
1858 }
1859 
1860 /* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1861 static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1862  uint16_t sign = sign_extend && (a[15] >> 15);
1863  int i, j;
1864  for (i = 15; i >= 0; --i) {
1865  uint16_t v = 0;
1866  for (j = 0; j < 16; ++j) {
1867  int frompos = i*16 + j + n;
1868  if (frompos >= 256) {
1869  v |= sign << j;
1870  } else {
1871  v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1872  }
1873  }
1874  out[i] = v;
1875  }
1876 }
1877 
1878 /* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1879 static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1880  int i;
1881  uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1882  for (i = 0; i < 4; ++i) {
1883  out[i] = v >> (16 * i);
1884  }
1885  for (i = 4; i < 16; ++i) {
1886  out[i] = sign;
1887  }
1888 }
1889 
1890 /* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1891 static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1892  int i;
1893  uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1894  for (i = 0; i < 4; ++i) {
1895  out[i] = lo >> (16 * i);
1896  }
1897  for (i = 4; i < 8; ++i) {
1898  out[i] = hi >> (16 * (i - 4));
1899  }
1900  for (i = 8; i < 16; ++i) {
1901  out[i] = sign;
1902  }
1903 }
1904 
1905 /* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1906 static int int256is127(const uint16_t* v) {
1907  int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1908  int i;
1909  for (i = 8; i < 16; ++i) {
1910  if (v[i] != 0) all_0 = 0;
1911  if (v[i] != 0xffff) all_1 = 0;
1912  }
1913  return all_0 || all_1;
1914 }
1915 
1916 static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1917  uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1918  load256two64(out, hi, lo, 0);
1919 }
1920 
1921 static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1922  uint64_t lo;
1923  int64_t hi;
1924  secp256k1_int128 c = *v;
1925  lo = secp256k1_i128_to_u64(&c);
1926  secp256k1_i128_rshift(&c, 64);
1927  hi = secp256k1_i128_to_i64(&c);
1928  load256two64(out, hi, lo, 1);
1929 }
1930 
1931 static void run_int128_test_case(void) {
1932  unsigned char buf[32];
1933  uint64_t v[4];
1934  secp256k1_int128 swa, swz;
1935  secp256k1_uint128 uwa, uwz;
1936  uint64_t ub, uc;
1937  int64_t sb, sc;
1938  uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1939  uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1940  int i;
1941 
1942  /* Generate 32-byte random value. */
1943  secp256k1_testrand256_test(buf);
1944  /* Convert into 4 64-bit integers. */
1945  for (i = 0; i < 4; ++i) {
1946  uint64_t vi = 0;
1947  int j;
1948  for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1949  v[i] = vi;
1950  }
1951  /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1952  secp256k1_u128_load(&uwa, v[1], v[0]);
1953  secp256k1_i128_load(&swa, v[1], v[0]);
1954  ub = v[2];
1955  sb = v[2];
1956  uc = v[3];
1957  sc = v[3];
1958  /* Load those also into 16-bit array representations. */
1959  load256u128(ruwa, &uwa);
1960  load256i128(rswa, &swa);
1961  load256u64(rub, ub, 0);
1962  load256u64(rsb, sb, 1);
1963  load256u64(ruc, uc, 0);
1964  load256u64(rsc, sc, 1);
1965  /* test secp256k1_u128_mul */
1966  mulmod256(ruwr, rub, ruc, NULL);
1967  secp256k1_u128_mul(&uwz, ub, uc);
1968  load256u128(ruwz, &uwz);
1969  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1970  /* test secp256k1_u128_accum_mul */
1971  mulmod256(ruwr, rub, ruc, NULL);
1972  add256(ruwr, ruwr, ruwa);
1973  uwz = uwa;
1974  secp256k1_u128_accum_mul(&uwz, ub, uc);
1975  load256u128(ruwz, &uwz);
1976  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1977  /* test secp256k1_u128_accum_u64 */
1978  add256(ruwr, rub, ruwa);
1979  uwz = uwa;
1980  secp256k1_u128_accum_u64(&uwz, ub);
1981  load256u128(ruwz, &uwz);
1982  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1983  /* test secp256k1_u128_rshift */
1984  rshift256(ruwr, ruwa, uc % 128, 0);
1985  uwz = uwa;
1986  secp256k1_u128_rshift(&uwz, uc % 128);
1987  load256u128(ruwz, &uwz);
1988  CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1989  /* test secp256k1_u128_to_u64 */
1990  CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1991  /* test secp256k1_u128_hi_u64 */
1992  CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1993  /* test secp256k1_u128_from_u64 */
1994  secp256k1_u128_from_u64(&uwz, ub);
1995  load256u128(ruwz, &uwz);
1996  CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1997  /* test secp256k1_u128_check_bits */
1998  {
1999  int uwa_bits = 0;
2000  int j;
2001  for (j = 0; j < 128; ++j) {
2002  if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
2003  }
2004  for (j = 0; j < 128; ++j) {
2005  CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
2006  }
2007  }
2008  /* test secp256k1_i128_mul */
2009  mulmod256(rswr, rsb, rsc, NULL);
2010  secp256k1_i128_mul(&swz, sb, sc);
2011  load256i128(rswz, &swz);
2012  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2013  /* test secp256k1_i128_accum_mul */
2014  mulmod256(rswr, rsb, rsc, NULL);
2015  add256(rswr, rswr, rswa);
2016  if (int256is127(rswr)) {
2017  swz = swa;
2018  secp256k1_i128_accum_mul(&swz, sb, sc);
2019  load256i128(rswz, &swz);
2020  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2021  }
2022  /* test secp256k1_i128_det */
2023  {
2024  uint16_t rsd[16], rse[16], rst[32];
2025  int64_t sd = v[0], se = v[1];
2026  load256u64(rsd, sd, 1);
2027  load256u64(rse, se, 1);
2028  mulmod256(rst, rsc, rsd, NULL);
2029  neg256(rst, rst);
2030  mulmod256(rswr, rsb, rse, NULL);
2031  add256(rswr, rswr, rst);
2032  secp256k1_i128_det(&swz, sb, sc, sd, se);
2033  load256i128(rswz, &swz);
2034  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2035  }
2036  /* test secp256k1_i128_rshift */
2037  rshift256(rswr, rswa, uc % 127, 1);
2038  swz = swa;
2039  secp256k1_i128_rshift(&swz, uc % 127);
2040  load256i128(rswz, &swz);
2041  CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2042  /* test secp256k1_i128_to_u64 */
2043  CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
2044  /* test secp256k1_i128_from_i64 */
2045  secp256k1_i128_from_i64(&swz, sb);
2046  load256i128(rswz, &swz);
2047  CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
2048  /* test secp256k1_i128_to_i64 */
2049  CHECK(secp256k1_i128_to_i64(&swz) == sb);
2050  /* test secp256k1_i128_eq_var */
2051  {
2052  int expect = (uc & 1);
2053  swz = swa;
2054  if (!expect) {
2055  /* Make sure swz != swa */
2056  uint64_t v0c = v[0], v1c = v[1];
2057  if (ub & 64) {
2058  v1c ^= (((uint64_t)1) << (ub & 63));
2059  } else {
2060  v0c ^= (((uint64_t)1) << (ub & 63));
2061  }
2062  secp256k1_i128_load(&swz, v1c, v0c);
2063  }
2064  CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
2065  }
2066  /* test secp256k1_i128_check_pow2 (sign == 1) */
2067  {
2068  int expect = (uc & 1);
2069  int pos = ub % 127;
2070  if (expect) {
2071  /* If expect==1, set swz to exactly 2^pos. */
2072  uint64_t hi = 0;
2073  uint64_t lo = 0;
2074  if (pos >= 64) {
2075  hi = (((uint64_t)1) << (pos & 63));
2076  } else {
2077  lo = (((uint64_t)1) << (pos & 63));
2078  }
2079  secp256k1_i128_load(&swz, hi, lo);
2080  } else {
2081  /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
2082  if (pos >= 64) {
2083  if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
2084  } else {
2085  if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
2086  }
2087  swz = swa;
2088  }
2089  CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
2090  }
2091  /* test secp256k1_i128_check_pow2 (sign == -1) */
2092  {
2093  int expect = (uc & 1);
2094  int pos = ub % 127;
2095  if (expect) {
2096  /* If expect==1, set swz to exactly -2^pos. */
2097  uint64_t hi = ~(uint64_t)0;
2098  uint64_t lo = ~(uint64_t)0;
2099  if (pos >= 64) {
2100  hi <<= (pos & 63);
2101  lo = 0;
2102  } else {
2103  lo <<= (pos & 63);
2104  }
2105  secp256k1_i128_load(&swz, hi, lo);
2106  } else {
2107  /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
2108  if (pos >= 64) {
2109  if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
2110  } else {
2111  if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
2112  }
2113  swz = swa;
2114  }
2115  CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
2116  }
2117 }
2118 
2119 static void run_int128_tests(void) {
2120  { /* secp256k1_u128_accum_mul */
2121  secp256k1_uint128 res;
2122 
2123  /* Check secp256k1_u128_accum_mul overflow */
2124  secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
2125  secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
2126  CHECK(secp256k1_u128_to_u64(&res) == 2);
2127  CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
2128  }
2129  { /* secp256k1_u128_accum_mul */
2130  secp256k1_int128 res;
2131 
2132  /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
2133  secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
2134  secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
2135  CHECK(secp256k1_i128_to_u64(&res) == 2);
2136  secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
2137  secp256k1_i128_accum_mul(&res, 1, 1);
2138  CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2139  secp256k1_i128_rshift(&res, 64);
2140  CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2141 
2142  /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2143  secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2144  CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2145  secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2146  CHECK(secp256k1_i128_to_u64(&res) == 0);
2147  secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2148  CHECK(secp256k1_i128_to_u64(&res) == 0);
2149  secp256k1_i128_rshift(&res, 64);
2150  CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2151  }
2152  {
2153  /* Randomized tests. */
2154  int i;
2155  for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2156  }
2157 }
2158 #endif
2159 
2160 /***** SCALAR TESTS *****/
2161 
2162 static void scalar_test(void) {
2163  secp256k1_scalar s;
2164  secp256k1_scalar s1;
2165  secp256k1_scalar s2;
2166  unsigned char c[32];
2167 
2168  /* Set 's' to a random scalar, with value 'snum'. */
2169  random_scalar_order_test(&s);
2170 
2171  /* Set 's1' to a random scalar, with value 's1num'. */
2172  random_scalar_order_test(&s1);
2173 
2174  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2175  random_scalar_order_test(&s2);
2176  secp256k1_scalar_get_b32(c, &s2);
2177 
2178  {
2179  int i;
2180  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2181  secp256k1_scalar n;
2182  secp256k1_scalar_set_int(&n, 0);
2183  for (i = 0; i < 256; i += 4) {
2184  secp256k1_scalar t;
2185  int j;
2186  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
2187  for (j = 0; j < 4; j++) {
2188  secp256k1_scalar_add(&n, &n, &n);
2189  }
2190  secp256k1_scalar_add(&n, &n, &t);
2191  }
2192  CHECK(secp256k1_scalar_eq(&n, &s));
2193  }
2194 
2195  {
2196  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2197  secp256k1_scalar n;
2198  int i = 0;
2199  secp256k1_scalar_set_int(&n, 0);
2200  while (i < 256) {
2201  secp256k1_scalar t;
2202  int j;
2203  int now = secp256k1_testrand_int(15) + 1;
2204  if (now + i > 256) {
2205  now = 256 - i;
2206  }
2207  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
2208  for (j = 0; j < now; j++) {
2209  secp256k1_scalar_add(&n, &n, &n);
2210  }
2211  secp256k1_scalar_add(&n, &n, &t);
2212  i += now;
2213  }
2214  CHECK(secp256k1_scalar_eq(&n, &s));
2215  }
2216 
2217  {
2218  /* test secp256k1_scalar_shr_int */
2219  secp256k1_scalar r;
2220  int i;
2221  random_scalar_order_test(&r);
2222  for (i = 0; i < 100; ++i) {
2223  int low;
2224  int shift = 1 + secp256k1_testrand_int(15);
2225  int expected = r.d[0] % (1ULL << shift);
2226  low = secp256k1_scalar_shr_int(&r, shift);
2227  CHECK(expected == low);
2228  }
2229  }
2230 
2231  {
2232  /* Test commutativity of add. */
2233  secp256k1_scalar r1, r2;
2234  secp256k1_scalar_add(&r1, &s1, &s2);
2235  secp256k1_scalar_add(&r2, &s2, &s1);
2236  CHECK(secp256k1_scalar_eq(&r1, &r2));
2237  }
2238 
2239  {
2240  secp256k1_scalar r1, r2;
2241  secp256k1_scalar b;
2242  int i;
2243  /* Test add_bit. */
2244  int bit = secp256k1_testrand_bits(8);
2245  secp256k1_scalar_set_int(&b, 1);
2246  CHECK(secp256k1_scalar_is_one(&b));
2247  for (i = 0; i < bit; i++) {
2248  secp256k1_scalar_add(&b, &b, &b);
2249  }
2250  r1 = s1;
2251  r2 = s1;
2252  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2253  /* No overflow happened. */
2254  secp256k1_scalar_cadd_bit(&r2, bit, 1);
2255  CHECK(secp256k1_scalar_eq(&r1, &r2));
2256  /* cadd is a noop when flag is zero */
2257  secp256k1_scalar_cadd_bit(&r2, bit, 0);
2258  CHECK(secp256k1_scalar_eq(&r1, &r2));
2259  }
2260  }
2261 
2262  {
2263  /* Test commutativity of mul. */
2264  secp256k1_scalar r1, r2;
2265  secp256k1_scalar_mul(&r1, &s1, &s2);
2266  secp256k1_scalar_mul(&r2, &s2, &s1);
2267  CHECK(secp256k1_scalar_eq(&r1, &r2));
2268  }
2269 
2270  {
2271  /* Test associativity of add. */
2272  secp256k1_scalar r1, r2;
2273  secp256k1_scalar_add(&r1, &s1, &s2);
2274  secp256k1_scalar_add(&r1, &r1, &s);
2275  secp256k1_scalar_add(&r2, &s2, &s);
2276  secp256k1_scalar_add(&r2, &s1, &r2);
2277  CHECK(secp256k1_scalar_eq(&r1, &r2));
2278  }
2279 
2280  {
2281  /* Test associativity of mul. */
2282  secp256k1_scalar r1, r2;
2283  secp256k1_scalar_mul(&r1, &s1, &s2);
2284  secp256k1_scalar_mul(&r1, &r1, &s);
2285  secp256k1_scalar_mul(&r2, &s2, &s);
2286  secp256k1_scalar_mul(&r2, &s1, &r2);
2287  CHECK(secp256k1_scalar_eq(&r1, &r2));
2288  }
2289 
2290  {
2291  /* Test distributitivity of mul over add. */
2292  secp256k1_scalar r1, r2, t;
2293  secp256k1_scalar_add(&r1, &s1, &s2);
2294  secp256k1_scalar_mul(&r1, &r1, &s);
2295  secp256k1_scalar_mul(&r2, &s1, &s);
2296  secp256k1_scalar_mul(&t, &s2, &s);
2297  secp256k1_scalar_add(&r2, &r2, &t);
2298  CHECK(secp256k1_scalar_eq(&r1, &r2));
2299  }
2300 
2301  {
2302  /* Test multiplicative identity. */
2303  secp256k1_scalar r1;
2304  secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_one);
2305  CHECK(secp256k1_scalar_eq(&r1, &s1));
2306  }
2307 
2308  {
2309  /* Test additive identity. */
2310  secp256k1_scalar r1;
2311  secp256k1_scalar_add(&r1, &s1, &secp256k1_scalar_zero);
2312  CHECK(secp256k1_scalar_eq(&r1, &s1));
2313  }
2314 
2315  {
2316  /* Test zero product property. */
2317  secp256k1_scalar r1;
2318  secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_zero);
2319  CHECK(secp256k1_scalar_eq(&r1, &secp256k1_scalar_zero));
2320  }
2321 
2322 }
2323 
2324 static void run_scalar_set_b32_seckey_tests(void) {
2325  unsigned char b32[32];
2326  secp256k1_scalar s1;
2327  secp256k1_scalar s2;
2328 
2329  /* Usually set_b32 and set_b32_seckey give the same result */
2330  random_scalar_order_b32(b32);
2331  secp256k1_scalar_set_b32(&s1, b32, NULL);
2332  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2333  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2334 
2335  memset(b32, 0, sizeof(b32));
2336  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2337  memset(b32, 0xFF, sizeof(b32));
2338  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2339 }
2340 
2341 static void run_scalar_tests(void) {
2342  int i;
2343  for (i = 0; i < 128 * COUNT; i++) {
2344  scalar_test();
2345  }
2346  for (i = 0; i < COUNT; i++) {
2347  run_scalar_set_b32_seckey_tests();
2348  }
2349 
2350  {
2351  /* Check that the scalar constants secp256k1_scalar_zero and
2352  secp256k1_scalar_one contain the expected values. */
2353  secp256k1_scalar zero, one;
2354 
2355  CHECK(secp256k1_scalar_is_zero(&secp256k1_scalar_zero));
2356  secp256k1_scalar_set_int(&zero, 0);
2357  CHECK(secp256k1_scalar_eq(&zero, &secp256k1_scalar_zero));
2358 
2359  CHECK(secp256k1_scalar_is_one(&secp256k1_scalar_one));
2360  secp256k1_scalar_set_int(&one, 1);
2361  CHECK(secp256k1_scalar_eq(&one, &secp256k1_scalar_one));
2362  }
2363 
2364  {
2365  /* (-1)+1 should be zero. */
2366  secp256k1_scalar o;
2367  secp256k1_scalar_negate(&o, &secp256k1_scalar_one);
2368  secp256k1_scalar_add(&o, &o, &secp256k1_scalar_one);
2369  CHECK(secp256k1_scalar_is_zero(&o));
2370  secp256k1_scalar_negate(&o, &o);
2371  CHECK(secp256k1_scalar_is_zero(&o));
2372  }
2373 
2374  {
2375  /* Does check_overflow check catch all ones? */
2376  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2377  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2378  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2379  );
2380  CHECK(secp256k1_scalar_check_overflow(&overflowed));
2381  }
2382 
2383  {
2384  /* Static test vectors.
2385  * These were reduced from ~10^12 random vectors based on comparison-decision
2386  * and edge-case coverage on 32-bit and 64-bit implementations.
2387  * The responses were generated with Sage 5.9.
2388  */
2389  secp256k1_scalar x;
2390  secp256k1_scalar y;
2391  secp256k1_scalar z;
2392  secp256k1_scalar zz;
2393  secp256k1_scalar r1;
2394  secp256k1_scalar r2;
2395  secp256k1_scalar zzv;
2396  int overflow;
2397  unsigned char chal[33][2][32] = {
2398  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2399  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2400  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2401  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2402  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2403  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2404  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2405  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2406  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2407  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2408  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2409  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2410  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2411  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2412  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2413  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2414  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2415  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2416  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2417  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2418  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2419  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2420  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2421  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2422  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2423  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2424  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2425  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2426  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2427  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2428  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2429  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2430  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2431  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2432  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2433  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2434  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2435  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2436  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2437  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2438  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2439  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2440  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2441  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2442  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2443  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2444  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2445  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2446  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2447  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2448  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2449  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2450  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2451  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2452  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2453  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2454  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2455  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2456  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2457  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2458  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2459  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2460  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2461  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2462  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2463  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2464  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2465  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2466  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2467  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2468  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2469  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2470  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2471  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2472  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2473  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2474  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2475  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2476  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2477  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2478  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2479  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2480  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2481  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2482  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2483  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2484  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2485  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2486  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2487  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2488  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2489  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2490  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2491  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2492  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2493  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2494  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2495  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2496  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2497  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2498  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2499  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2500  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2501  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2502  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2503  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2504  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2505  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2506  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2507  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2508  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2509  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2510  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2511  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2512  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2513  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2514  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2515  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2516  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2517  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2518  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2519  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2520  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2521  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2522  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2523  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2524  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2525  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2526  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2527  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2528  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2529  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2530  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2531  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2532  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2533  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2534  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2535  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2536  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2537  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2538  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2539  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2540  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2541  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2542  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2543  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2544  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2545  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2546  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2547  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2548  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2549  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2550  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2551  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2552  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2553  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2554  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2555  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2556  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2557  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2558  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2559  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2560  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2561  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2562  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2563  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2564  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2565  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2566  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2567  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2568  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2569  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2570  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2571  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2572  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2573  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2574  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2575  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2576  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2577  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2578  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2579  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2580  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2581  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2582  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2583  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2584  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2585  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2586  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2587  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2588  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2589  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2590  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2591  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2592  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2593  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2594  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2595  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2596  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2597  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2598  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2599  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2600  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2601  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2602  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2603  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2604  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2605  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2606  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2607  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2608  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2609  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2610  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2611  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2612  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2613  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2614  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2615  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2616  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2617  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2618  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2619  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2620  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2621  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2622  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2623  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2624  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2625  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2626  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2627  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2628  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2629  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2630  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2631  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2632  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2633  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2634  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2635  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2636  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2637  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2638  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2639  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2640  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2641  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2642  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2643  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2644  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2645  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2646  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2647  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2648  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2649  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2650  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2651  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2652  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2653  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2654  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2655  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2656  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2657  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2658  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2659  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2660  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2661  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2662  };
2663  unsigned char res[33][2][32] = {
2664  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2665  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2666  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2667  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2668  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2669  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2670  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2671  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2672  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2673  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2674  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2675  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2676  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2677  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2678  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2679  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2680  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2681  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2682  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2683  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2684  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2685  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2686  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2687  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2688  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2689  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2690  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2691  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2692  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2693  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2694  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2695  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2696  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2697  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2698  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2699  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2700  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2701  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2702  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2703  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2704  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2705  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2706  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2707  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2708  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2709  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2710  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2711  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2712  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2713  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2714  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2715  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2716  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2717  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2718  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2719  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2720  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2721  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2722  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2723  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2724  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2725  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2726  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2727  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2728  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2729  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2730  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2731  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2732  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2733  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2734  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2735  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2736  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2737  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2738  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2739  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2740  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2741  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2742  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2743  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2744  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2745  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2746  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2747  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2748  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2749  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2750  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2751  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2752  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2753  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2754  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2755  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2756  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2757  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2758  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2759  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2760  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2761  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2762  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2763  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2764  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2765  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2766  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2767  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2768  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2769  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2770  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2771  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2772  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2773  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2774  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2775  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2776  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2777  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2778  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2779  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2780  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2781  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2782  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2783  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2784  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2785  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2786  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2787  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2788  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2789  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2790  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2791  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2792  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2793  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2794  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2795  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2796  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2797  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2798  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2799  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2800  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2801  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2802  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2803  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2804  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2805  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2806  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2807  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2808  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2809  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2810  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2811  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2812  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2813  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2814  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2815  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2816  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2817  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2818  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2819  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2820  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2821  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2822  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2823  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2824  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2825  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2826  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2827  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2828  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2829  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2830  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2831  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2832  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2833  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2834  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2835  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2836  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2837  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2838  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2839  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2840  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2841  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2842  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2843  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2844  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2845  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2846  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2847  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2848  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2849  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2850  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2851  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2852  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2853  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2854  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2855  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2856  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2857  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2858  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2859  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2860  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2861  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2862  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2863  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2864  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2865  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2866  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2867  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2868  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2869  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2870  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2871  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2872  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2873  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2874  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2875  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2876  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2877  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2878  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2879  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2880  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2881  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2882  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2883  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2884  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2885  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2886  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2887  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2888  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2889  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2890  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2891  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2892  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2893  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2894  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2895  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2896  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2897  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2898  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2899  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2900  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2901  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2902  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2903  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2904  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2905  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2906  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2907  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2908  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2909  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2910  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2911  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2912  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2913  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2914  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2915  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2916  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2917  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2918  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2919  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2920  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2921  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2922  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2923  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2924  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2925  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2926  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2927  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2928  };
2929  for (i = 0; i < 33; i++) {
2930  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2931  CHECK(!overflow);
2932  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2933  CHECK(!overflow);
2934  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2935  CHECK(!overflow);
2936  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2937  CHECK(!overflow);
2938  secp256k1_scalar_mul(&z, &x, &y);
2939  CHECK(!secp256k1_scalar_check_overflow(&z));
2940  CHECK(secp256k1_scalar_eq(&r1, &z));
2941  if (!secp256k1_scalar_is_zero(&y)) {
2942  secp256k1_scalar_inverse(&zz, &y);
2943  CHECK(!secp256k1_scalar_check_overflow(&zz));
2944  secp256k1_scalar_inverse_var(&zzv, &y);
2945  CHECK(secp256k1_scalar_eq(&zzv, &zz));
2946  secp256k1_scalar_mul(&z, &z, &zz);
2947  CHECK(!secp256k1_scalar_check_overflow(&z));
2948  CHECK(secp256k1_scalar_eq(&x, &z));
2949  secp256k1_scalar_mul(&zz, &zz, &y);
2950  CHECK(!secp256k1_scalar_check_overflow(&zz));
2951  CHECK(secp256k1_scalar_eq(&secp256k1_scalar_one, &zz));
2952  }
2953  }
2954  }
2955 }
2956 
2957 /***** FIELD TESTS *****/
2958 
2959 static void random_fe(secp256k1_fe *x) {
2960  unsigned char bin[32];
2961  do {
2962  secp256k1_testrand256(bin);
2963  if (secp256k1_fe_set_b32_limit(x, bin)) {
2964  return;
2965  }
2966  } while(1);
2967 }
2968 
2969 static void random_fe_non_zero(secp256k1_fe *nz) {
2970  int tries = 10;
2971  while (--tries >= 0) {
2972  random_fe(nz);
2973  secp256k1_fe_normalize(nz);
2974  if (!secp256k1_fe_is_zero(nz)) {
2975  break;
2976  }
2977  }
2978  /* Infinitesimal probability of spurious failure here */
2979  CHECK(tries >= 0);
2980 }
2981 
2982 static void random_fe_non_square(secp256k1_fe *ns) {
2983  secp256k1_fe r;
2984  random_fe_non_zero(ns);
2985  if (secp256k1_fe_sqrt(&r, ns)) {
2986  secp256k1_fe_negate(ns, ns, 1);
2987  }
2988 }
2989 
2990 static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2991  secp256k1_fe an = *a;
2992  secp256k1_fe bn = *b;
2993  secp256k1_fe_normalize_weak(&an);
2994  return secp256k1_fe_equal(&an, &bn);
2995 }
2996 
2997 static void run_field_convert(void) {
2998  static const unsigned char b32[32] = {
2999  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
3000  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
3001  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
3002  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
3003  };
3004  static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
3005  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
3006  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
3007  );
3008  static const secp256k1_fe fe = SECP256K1_FE_CONST(
3009  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
3010  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
3011  );
3012  secp256k1_fe fe2;
3013  unsigned char b322[32];
3014  secp256k1_fe_storage fes2;
3015  /* Check conversions to fe. */
3016  CHECK(secp256k1_fe_set_b32_limit(&fe2, b32));
3017  CHECK(secp256k1_fe_equal(&fe, &fe2));
3018  secp256k1_fe_from_storage(&fe2, &fes);
3019  CHECK(secp256k1_fe_equal(&fe, &fe2));
3020  /* Check conversion from fe. */
3021  secp256k1_fe_get_b32(b322, &fe);
3022  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
3023  secp256k1_fe_to_storage(&fes2, &fe);
3024  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
3025 }
3026 
3027 static void run_field_be32_overflow(void) {
3028  {
3029  static const unsigned char zero_overflow[32] = {
3030  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3031  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3032  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3033  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
3034  };
3035  static const unsigned char zero[32] = { 0x00 };
3036  unsigned char out[32];
3037  secp256k1_fe fe;
3038  CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
3039  secp256k1_fe_set_b32_mod(&fe, zero_overflow);
3040  CHECK(secp256k1_fe_normalizes_to_zero(&fe) == 1);
3041  secp256k1_fe_normalize(&fe);
3042  CHECK(secp256k1_fe_is_zero(&fe) == 1);
3043  secp256k1_fe_get_b32(out, &fe);
3044  CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
3045  }
3046  {
3047  static const unsigned char one_overflow[32] = {
3048  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3049  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3050  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3051  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
3052  };
3053  static const unsigned char one[32] = {
3054  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3055  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3056  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3057  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3058  };
3059  unsigned char out[32];
3060  secp256k1_fe fe;
3061  CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
3062  secp256k1_fe_set_b32_mod(&fe, one_overflow);
3063  secp256k1_fe_normalize(&fe);
3064  CHECK(secp256k1_fe_cmp_var(&fe, &secp256k1_fe_one) == 0);
3065  secp256k1_fe_get_b32(out, &fe);
3066  CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
3067  }
3068  {
3069  static const unsigned char ff_overflow[32] = {
3070  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3071  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3072  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3073  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3074  };
3075  static const unsigned char ff[32] = {
3076  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3077  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3078  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3079  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
3080  };
3081  unsigned char out[32];
3082  secp256k1_fe fe;
3083  const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
3084  CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
3085  secp256k1_fe_set_b32_mod(&fe, ff_overflow);
3086  secp256k1_fe_normalize(&fe);
3087  CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
3088  secp256k1_fe_get_b32(out, &fe);
3089  CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
3090  }
3091 }
3092 
3093 /* Returns true if two field elements have the same representation. */
3094 static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
3095  int ret = 1;
3096  /* Compare the struct member that holds the limbs. */
3097  ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
3098  return ret;
3099 }
3100 
3101 static void run_field_half(void) {
3102  secp256k1_fe t, u;
3103  int m;
3104 
3105  /* Check magnitude 0 input */
3106  secp256k1_fe_get_bounds(&t, 0);
3107  secp256k1_fe_half(&t);
3108 #ifdef VERIFY
3109  CHECK(t.magnitude == 1);
3110  CHECK(t.normalized == 0);
3111 #endif
3112  CHECK(secp256k1_fe_normalizes_to_zero(&t));
3113 
3114  /* Check non-zero magnitudes in the supported range */
3115  for (m = 1; m < 32; m++) {
3116  /* Check max-value input */
3117  secp256k1_fe_get_bounds(&t, m);
3118 
3119  u = t;
3120  secp256k1_fe_half(&u);
3121 #ifdef VERIFY
3122  CHECK(u.magnitude == (m >> 1) + 1);
3123  CHECK(u.normalized == 0);
3124 #endif
3125  secp256k1_fe_normalize_weak(&u);
3126  secp256k1_fe_add(&u, &u);
3127  CHECK(check_fe_equal(&t, &u));
3128 
3129  /* Check worst-case input: ensure the LSB is 1 so that P will be added,
3130  * which will also cause all carries to be 1, since all limbs that can
3131  * generate a carry are initially even and all limbs of P are odd in
3132  * every existing field implementation. */
3133  secp256k1_fe_get_bounds(&t, m);
3134  CHECK(t.n[0] > 0);
3135  CHECK((t.n[0] & 1) == 0);
3136  --t.n[0];
3137 
3138  u = t;
3139  secp256k1_fe_half(&u);
3140 #ifdef VERIFY
3141  CHECK(u.magnitude == (m >> 1) + 1);
3142  CHECK(u.normalized == 0);
3143 #endif
3144  secp256k1_fe_normalize_weak(&u);
3145  secp256k1_fe_add(&u, &u);
3146  CHECK(check_fe_equal(&t, &u));
3147  }
3148 }
3149 
3150 static void run_field_misc(void) {
3151  secp256k1_fe x;
3152  secp256k1_fe y;
3153  secp256k1_fe z;
3154  secp256k1_fe q;
3155  int v;
3156  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3157  int i, j;
3158  for (i = 0; i < 1000 * COUNT; i++) {
3159  secp256k1_fe_storage xs, ys, zs;
3160  if (i & 1) {
3161  random_fe(&x);
3162  } else {
3163  random_fe_test(&x);
3164  }
3165  random_fe_non_zero(&y);
3166  v = secp256k1_testrand_bits(15);
3167  /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3168  secp256k1_fe_set_int(&q, v); /* q = v */
3169  z = x; /* z = x */
3170  secp256k1_fe_add(&z, &q); /* z = x+v */
3171  q = x; /* q = x */
3172  secp256k1_fe_add_int(&q, v); /* q = x+v */
3173  CHECK(check_fe_equal(&q, &z));
3174  /* Test the fe equality and comparison operations. */
3175  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3176  CHECK(secp256k1_fe_equal(&x, &x));
3177  z = x;
3178  secp256k1_fe_add(&z,&y);
3179  /* Test fe conditional move; z is not normalized here. */
3180  q = x;
3181  secp256k1_fe_cmov(&x, &z, 0);
3182 #ifdef VERIFY
3183  CHECK(!x.normalized);
3184  CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3185  CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3186 #endif
3187  x = q;
3188  secp256k1_fe_cmov(&x, &x, 1);
3189  CHECK(!fe_identical(&x, &z));
3190  CHECK(fe_identical(&x, &q));
3191  secp256k1_fe_cmov(&q, &z, 1);
3192 #ifdef VERIFY
3193  CHECK(!q.normalized);
3194  CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3195  CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3196 #endif
3197  CHECK(fe_identical(&q, &z));
3198  q = z;
3199  secp256k1_fe_normalize_var(&x);
3200  secp256k1_fe_normalize_var(&z);
3201  CHECK(!secp256k1_fe_equal(&x, &z));
3202  secp256k1_fe_normalize_var(&q);
3203  secp256k1_fe_cmov(&q, &z, (i&1));
3204 #ifdef VERIFY
3205  CHECK(q.normalized && q.magnitude == 1);
3206 #endif
3207  for (j = 0; j < 6; j++) {
3208  secp256k1_fe_negate_unchecked(&z, &z, j+1);
3209  secp256k1_fe_normalize_var(&q);
3210  secp256k1_fe_cmov(&q, &z, (j&1));
3211 #ifdef VERIFY
3212  CHECK(!q.normalized && q.magnitude == z.magnitude);
3213 #endif
3214  }
3215  secp256k1_fe_normalize_var(&z);
3216  /* Test storage conversion and conditional moves. */
3217  secp256k1_fe_to_storage(&xs, &x);
3218  secp256k1_fe_to_storage(&ys, &y);
3219  secp256k1_fe_to_storage(&zs, &z);
3220  secp256k1_fe_storage_cmov(&zs, &xs, 0);
3221  secp256k1_fe_storage_cmov(&zs, &zs, 1);
3222  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3223  secp256k1_fe_storage_cmov(&ys, &xs, 1);
3224  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3225  secp256k1_fe_from_storage(&x, &xs);
3226  secp256k1_fe_from_storage(&y, &ys);
3227  secp256k1_fe_from_storage(&z, &zs);
3228  /* Test that mul_int, mul, and add agree. */
3229  secp256k1_fe_add(&y, &x);
3230  secp256k1_fe_add(&y, &x);
3231  z = x;
3232  secp256k1_fe_mul_int(&z, 3);
3233  CHECK(check_fe_equal(&y, &z));
3234  secp256k1_fe_add(&y, &x);
3235  secp256k1_fe_add(&z, &x);
3236  CHECK(check_fe_equal(&z, &y));
3237  z = x;
3238  secp256k1_fe_mul_int(&z, 5);
3239  secp256k1_fe_mul(&q, &x, &fe5);
3240  CHECK(check_fe_equal(&z, &q));
3241  secp256k1_fe_negate(&x, &x, 1);
3242  secp256k1_fe_add(&z, &x);
3243  secp256k1_fe_add(&q, &x);
3244  CHECK(check_fe_equal(&y, &z));
3245  CHECK(check_fe_equal(&q, &y));
3246  /* Check secp256k1_fe_half. */
3247  z = x;
3248  secp256k1_fe_half(&z);
3249  secp256k1_fe_add(&z, &z);
3250  CHECK(check_fe_equal(&x, &z));
3251  secp256k1_fe_add(&z, &z);
3252  secp256k1_fe_half(&z);
3253  CHECK(check_fe_equal(&x, &z));
3254  }
3255 }
3256 
3257 static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3258 {
3259  secp256k1_fe c, an, bn;
3260  /* Variables in BE 32-byte format. */
3261  unsigned char a32[32], b32[32], c32[32];
3262  /* Variables in LE 16x uint16_t format. */
3263  uint16_t a16[16], b16[16], c16[16];
3264  /* Field modulus in LE 16x uint16_t format. */
3265  static const uint16_t m16[16] = {
3266  0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3267  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3268  };
3269  uint16_t t16[32];
3270  int i;
3271 
3272  /* Compute C = A * B in fe format. */
3273  c = *a;
3274  if (use_sqr) {
3275  secp256k1_fe_sqr(&c, &c);
3276  } else {
3277  secp256k1_fe_mul(&c, &c, b);
3278  }
3279 
3280  /* Convert A, B, C into LE 16x uint16_t format. */
3281  an = *a;
3282  bn = *b;
3283  secp256k1_fe_normalize_var(&c);
3284  secp256k1_fe_normalize_var(&an);
3285  secp256k1_fe_normalize_var(&bn);
3286  secp256k1_fe_get_b32(a32, &an);
3287  secp256k1_fe_get_b32(b32, &bn);
3288  secp256k1_fe_get_b32(c32, &c);
3289  for (i = 0; i < 16; ++i) {
3290  a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3291  b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3292  c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3293  }
3294  /* Compute T = A * B in LE 16x uint16_t format. */
3295  mulmod256(t16, a16, b16, m16);
3296  /* Compare */
3297  CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3298 }
3299 
3300 static void run_fe_mul(void) {
3301  int i;
3302  for (i = 0; i < 100 * COUNT; ++i) {
3303  secp256k1_fe a, b, c, d;
3304  random_fe(&a);
3305  random_fe_magnitude(&a);
3306  random_fe(&b);
3307  random_fe_magnitude(&b);
3308  random_fe_test(&c);
3309  random_fe_magnitude(&c);
3310  random_fe_test(&d);
3311  random_fe_magnitude(&d);
3312  test_fe_mul(&a, &a, 1);
3313  test_fe_mul(&c, &c, 1);
3314  test_fe_mul(&a, &b, 0);
3315  test_fe_mul(&a, &c, 0);
3316  test_fe_mul(&c, &b, 0);
3317  test_fe_mul(&c, &d, 0);
3318  }
3319 }
3320 
3321 static void run_sqr(void) {
3322  secp256k1_fe x, s;
3323 
3324  {
3325  int i;
3326  secp256k1_fe_set_int(&x, 1);
3327  secp256k1_fe_negate(&x, &x, 1);
3328 
3329  for (i = 1; i <= 512; ++i) {
3330  secp256k1_fe_mul_int(&x, 2);
3331  secp256k1_fe_normalize(&x);
3332  secp256k1_fe_sqr(&s, &x);
3333  }
3334  }
3335 }
3336 
3337 static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3338  secp256k1_fe r1, r2;
3339  int v = secp256k1_fe_sqrt(&r1, a);
3340  CHECK((v == 0) == (k == NULL));
3341 
3342  if (k != NULL) {
3343  /* Check that the returned root is +/- the given known answer */
3344  secp256k1_fe_negate(&r2, &r1, 1);
3345  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3346  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
3347  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
3348  }
3349 }
3350 
3351 static void run_sqrt(void) {
3352  secp256k1_fe ns, x, s, t;
3353  int i;
3354 
3355  /* Check sqrt(0) is 0 */
3356  secp256k1_fe_set_int(&x, 0);
3357  secp256k1_fe_sqr(&s, &x);
3358  test_sqrt(&s, &x);
3359 
3360  /* Check sqrt of small squares (and their negatives) */
3361  for (i = 1; i <= 100; i++) {
3362  secp256k1_fe_set_int(&x, i);
3363  secp256k1_fe_sqr(&s, &x);
3364  test_sqrt(&s, &x);
3365  secp256k1_fe_negate(&t, &s, 1);
3366  test_sqrt(&t, NULL);
3367  }
3368 
3369  /* Consistency checks for large random values */
3370  for (i = 0; i < 10; i++) {
3371  int j;
3372  random_fe_non_square(&ns);
3373  for (j = 0; j < COUNT; j++) {
3374  random_fe(&x);
3375  secp256k1_fe_sqr(&s, &x);
3376  CHECK(secp256k1_fe_is_square_var(&s));
3377  test_sqrt(&s, &x);
3378  secp256k1_fe_negate(&t, &s, 1);
3379  CHECK(!secp256k1_fe_is_square_var(&t));
3380  test_sqrt(&t, NULL);
3381  secp256k1_fe_mul(&t, &s, &ns);
3382  test_sqrt(&t, NULL);
3383  }
3384  }
3385 }
3386 
3387 /***** FIELD/SCALAR INVERSE TESTS *****/
3388 
3389 static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
3390  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3391  0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3392 );
3393 
3394 static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
3395  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3396  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3397 );
3398 
3399 /* These tests test the following identities:
3400  *
3401  * for x==0: 1/x == 0
3402  * for x!=0: x*(1/x) == 1
3403  * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3404  */
3405 
3406 static void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
3407 {
3408  secp256k1_scalar l, r, t;
3409 
3410  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3411  if (out) *out = l;
3412  if (secp256k1_scalar_is_zero(x)) {
3413  CHECK(secp256k1_scalar_is_zero(&l));
3414  return;
3415  }
3416  secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3417  CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3418  secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3419  if (secp256k1_scalar_is_zero(&r)) return;
3420  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3421  secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3422  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3423  secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3424  secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3425  CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3426 }
3427 
3428 static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3429 {
3430  secp256k1_fe l, r, t;
3431 
3432  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3433  if (out) *out = l;
3434  t = *x; /* t = x */
3435  if (secp256k1_fe_normalizes_to_zero_var(&t)) {
3436  CHECK(secp256k1_fe_normalizes_to_zero(&l));
3437  return;
3438  }
3439  secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3440  secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3441  CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3442  r = *x; /* r = x */
3443  secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3444  if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
3445  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3446  secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3447  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3448  secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3449  secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3450  CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
3451 }
3452 
3453 static void run_inverse_tests(void)
3454 {
3455  /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3456  static const secp256k1_fe fe_cases[][2] = {
3457  /* 0 */
3458  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3459  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3460  /* 1 */
3461  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3462  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3463  /* -1 */
3464  {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3465  SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3466  /* 2 */
3467  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3468  SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3469  /* 2**128 */
3470  {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3471  SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3472  /* Input known to need 637 divsteps */
3473  {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3474  SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3475  /* Input known to need 567 divsteps starting with delta=1/2. */
3476  {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3477  SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3478  /* Input known to need 566 divsteps starting with delta=1/2. */
3479  {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3480  SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3481  /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3482  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3483  SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3484  {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3485  SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3486  {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3487  SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3488  {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3489  SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3490  {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3491  SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3492  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3493  SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3494  {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3495  SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3496  {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3497  SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3498  {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3499  SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3500  {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3501  SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3502  /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3503  {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3504  SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3505  {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3506  SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3507  {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3508  SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3509  {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3510  SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3511  {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3512  SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3513  {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3514  SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3515  {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3516  SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3517  {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3518  SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3519  {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3520  SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3521  {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3522  SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3523  {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3524  SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3525  {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3526  SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3527  {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3528  SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3529  {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3530  SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3531  {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3532  SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3533  {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3534  SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3535  {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3536  SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3537  {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3538  SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3539  {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3540  SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3541  {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3542  SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3543  {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3544  SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3545  {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3546  SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3547  {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3548  SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3549  {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3550  SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3551  {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3552  SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3553  {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3554  SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3555  {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3556  SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3557  {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3558  SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3559  };
3560  /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3561  static const secp256k1_scalar scalar_cases[][2] = {
3562  /* 0 */
3563  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3564  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3565  /* 1 */
3566  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3567  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3568  /* -1 */
3569  {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3570  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3571  /* 2 */
3572  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3573  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3574  /* 2**128 */
3575  {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3576  SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3577  /* Input known to need 635 divsteps */
3578  {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3579  SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3580  /* Input known to need 566 divsteps starting with delta=1/2. */
3581  {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3582  SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3583  /* Input known to need 565 divsteps starting with delta=1/2. */
3584  {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3585  SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3586  /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3587  {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3588  SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3589  {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3590  SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3591  {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3592  SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3593  {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3594  SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3595  {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3596  SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3597  {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3598  SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3599  {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3600  SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3601  {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3602  SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3603  {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3604  SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3605  {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3606  SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3607  {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3608  SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3609  {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3610  SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3611  {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3612  SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3613  {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3614  SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3615  {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3616  SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3617  {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3618  SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3619  {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3620  SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3621  {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3622  SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3623  {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3624  SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3625  {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3626  SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3627  {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3628  SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3629  {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3630  SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3631  {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3632  SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3633  {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3634  SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3635  {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3636  SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3637  {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3638  SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3639  {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3640  SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3641  {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3642  SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3643  {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3644  SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3645  };
3646  int i, var, testrand;
3647  unsigned char b32[32];
3648  secp256k1_fe x_fe;
3649  secp256k1_scalar x_scalar;
3650  memset(b32, 0, sizeof(b32));
3651  /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3652  for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3653  for (var = 0; var <= 1; ++var) {
3654  test_inverse_field(&x_fe, &fe_cases[i][0], var);
3655  check_fe_equal(&x_fe, &fe_cases[i][1]);
3656  test_inverse_field(&x_fe, &fe_cases[i][1], var);
3657  check_fe_equal(&x_fe, &fe_cases[i][0]);
3658  }
3659  }
3660  for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3661  for (var = 0; var <= 1; ++var) {
3662  test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3663  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3664  test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3665  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3666  }
3667  }
3668  /* Test inputs 0..999 and their respective negations. */
3669  for (i = 0; i < 1000; ++i) {
3670  b32[31] = i & 0xff;
3671  b32[30] = (i >> 8) & 0xff;
3672  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3673  secp256k1_fe_set_b32_mod(&x_fe, b32);
3674  for (var = 0; var <= 1; ++var) {
3675  test_inverse_scalar(NULL, &x_scalar, var);
3676  test_inverse_field(NULL, &x_fe, var);
3677  }
3678  secp256k1_scalar_negate(&x_scalar, &x_scalar);
3679  secp256k1_fe_negate(&x_fe, &x_fe, 1);
3680  for (var = 0; var <= 1; ++var) {
3681  test_inverse_scalar(NULL, &x_scalar, var);
3682  test_inverse_field(NULL, &x_fe, var);
3683  }
3684  }
3685  /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3686  for (testrand = 0; testrand <= 1; ++testrand) {
3687  for (i = 0; i < 64 * COUNT; ++i) {
3688  (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
3689  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3690  secp256k1_fe_set_b32_mod(&x_fe, b32);
3691  for (var = 0; var <= 1; ++var) {
3692  test_inverse_scalar(NULL, &x_scalar, var);
3693  test_inverse_field(NULL, &x_fe, var);
3694  }
3695  }
3696  }
3697 }
3698 
3699 /***** GROUP TESTS *****/
3700 
3701 static void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
3702  CHECK(a->infinity == b->infinity);
3703  if (a->infinity) {
3704  return;
3705  }
3706  CHECK(secp256k1_fe_equal(&a->x, &b->x));
3707  CHECK(secp256k1_fe_equal(&a->y, &b->y));
3708 }
3709 
3710 /* This compares jacobian points including their Z, not just their geometric meaning. */
3711 static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3712  secp256k1_gej a2;
3713  secp256k1_gej b2;
3714  int ret = 1;
3715  ret &= a->infinity == b->infinity;
3716  if (ret && !a->infinity) {
3717  a2 = *a;
3718  b2 = *b;
3719  secp256k1_fe_normalize(&a2.x);
3720  secp256k1_fe_normalize(&a2.y);
3721  secp256k1_fe_normalize(&a2.z);
3722  secp256k1_fe_normalize(&b2.x);
3723  secp256k1_fe_normalize(&b2.y);
3724  secp256k1_fe_normalize(&b2.z);
3725  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3726  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3727  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3728  }
3729  return ret;
3730 }
3731 
3732 static void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
3733  secp256k1_fe z2s;
3734  secp256k1_fe u1, u2, s1, s2;
3735  CHECK(a->infinity == b->infinity);
3736  if (a->infinity) {
3737  return;
3738  }
3739  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
3740  secp256k1_fe_sqr(&z2s, &b->z);
3741  secp256k1_fe_mul(&u1, &a->x, &z2s);
3742  u2 = b->x;
3743  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
3744  s2 = b->y;
3745  CHECK(secp256k1_fe_equal(&u1, &u2));
3746  CHECK(secp256k1_fe_equal(&s1, &s2));
3747 }
3748 
3749 static void test_ge(void) {
3750  int i, i1;
3751  int runs = 6;
3752  /* 25 points are used:
3753  * - infinity
3754  * - for each of four random points p1 p2 p3 p4, we add the point, its
3755  * negation, and then those two again but with randomized Z coordinate.
3756  * - The same is then done for lambda*p1 and lambda^2*p1.
3757  */
3758  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3759  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3760  secp256k1_fe zf, r;
3761  secp256k1_fe zfi2, zfi3;
3762 
3763  secp256k1_gej_set_infinity(&gej[0]);
3764  secp256k1_ge_clear(&ge[0]);
3765  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3766  for (i = 0; i < runs; i++) {
3767  int j;
3768  secp256k1_ge g;
3769  random_group_element_test(&g);
3770  if (i >= runs - 2) {
3771  secp256k1_ge_mul_lambda(&g, &ge[1]);
3772  }
3773  if (i >= runs - 1) {
3774  secp256k1_ge_mul_lambda(&g, &g);
3775  }
3776  ge[1 + 4 * i] = g;
3777  ge[2 + 4 * i] = g;
3778  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3779  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3780  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3781  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3782  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3783  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3784  for (j = 0; j < 4; j++) {
3785  random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3786  random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3787  random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3788  random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3789  random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3790  }
3791  }
3792 
3793  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3794  random_fe_non_zero_test(&zf);
3795  random_fe_magnitude(&zf);
3796  secp256k1_fe_inv_var(&zfi3, &zf);
3797  secp256k1_fe_sqr(&zfi2, &zfi3);
3798  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3799 
3800  /* Generate random r */
3801  random_fe_non_zero_test(&r);
3802 
3803  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3804  int i2;
3805  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3806  /* Compute reference result using gej + gej (var). */
3807  secp256k1_gej refj, resj;
3808  secp256k1_ge ref;
3809  secp256k1_fe zr;
3810  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3811  /* Check Z ratio. */
3812  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3813  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3814  CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3815  }
3816  secp256k1_ge_set_gej_var(&ref, &refj);
3817 
3818  /* Test gej + ge with Z ratio result (var). */
3819  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3820  ge_equals_gej(&ref, &resj);
3821  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3822  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3823  CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3824  }
3825 
3826  /* Test gej + ge (var, with additional Z factor). */
3827  {
3828  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3829  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3830  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3831  random_ge_x_magnitude(&ge2_zfi);
3832  random_ge_y_magnitude(&ge2_zfi);
3833  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3834  ge_equals_gej(&ref, &resj);
3835  }
3836 
3837  /* Test gej + ge (const). */
3838  if (i2 != 0) {
3839  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3840  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3841  ge_equals_gej(&ref, &resj);
3842  }
3843 
3844  /* Test doubling (var). */
3845  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3846  secp256k1_fe zr2;
3847  /* Normal doubling with Z ratio result. */
3848  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3849  ge_equals_gej(&ref, &resj);
3850  /* Check Z ratio. */
3851  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3852  CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3853  /* Normal doubling. */
3854  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3855  ge_equals_gej(&ref, &resj);
3856  /* Constant-time doubling. */
3857  secp256k1_gej_double(&resj, &gej[i2]);
3858  ge_equals_gej(&ref, &resj);
3859  }
3860 
3861  /* Test adding opposites. */
3862  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3863  CHECK(secp256k1_ge_is_infinity(&ref));
3864  }
3865 
3866  /* Test adding infinity. */
3867  if (i1 == 0) {
3868  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3869  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3870  ge_equals_gej(&ref, &gej[i2]);
3871  }
3872  if (i2 == 0) {
3873  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3874  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3875  ge_equals_gej(&ref, &gej[i1]);
3876  }
3877  }
3878  }
3879 
3880  /* Test adding all points together in random order equals infinity. */
3881  {
3882  secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
3883  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3884  for (i = 0; i < 4 * runs + 1; i++) {
3885  gej_shuffled[i] = gej[i];
3886  }
3887  for (i = 0; i < 4 * runs + 1; i++) {
3888  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3889  if (swap != i) {
3890  secp256k1_gej t = gej_shuffled[i];
3891  gej_shuffled[i] = gej_shuffled[swap];
3892  gej_shuffled[swap] = t;
3893  }
3894  }
3895  for (i = 0; i < 4 * runs + 1; i++) {
3896  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3897  }
3898  CHECK(secp256k1_gej_is_infinity(&sum));
3899  free(gej_shuffled);
3900  }
3901 
3902  /* Test batch gej -> ge conversion without known z ratios. */
3903  {
3904  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3905  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3906  for (i = 0; i < 4 * runs + 1; i++) {
3907  secp256k1_fe s;
3908  random_fe_non_zero(&s);
3909  secp256k1_gej_rescale(&gej[i], &s);
3910  ge_equals_gej(&ge_set_all[i], &gej[i]);
3911  }
3912  free(ge_set_all);
3913  }
3914 
3915  /* Test that all elements have X coordinates on the curve. */
3916  for (i = 1; i < 4 * runs + 1; i++) {
3917  secp256k1_fe n;
3918  CHECK(secp256k1_ge_x_on_curve_var(&ge[i].x));
3919  /* And the same holds after random rescaling. */
3920  secp256k1_fe_mul(&n, &zf, &ge[i].x);
3921  CHECK(secp256k1_ge_x_frac_on_curve_var(&n, &zf));
3922  }
3923 
3924  /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
3925  {
3926  secp256k1_fe n;
3927  secp256k1_ge q;
3928  int ret_on_curve, ret_frac_on_curve, ret_set_xo;
3929  secp256k1_fe_mul(&n, &zf, &r);
3930  ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
3931  ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
3932  ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
3933  CHECK(ret_on_curve == ret_frac_on_curve);
3934  CHECK(ret_on_curve == ret_set_xo);
3935  if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
3936  }
3937 
3938  /* Test batch gej -> ge conversion with many infinities. */
3939  for (i = 0; i < 4 * runs + 1; i++) {
3940  int odd;
3941  random_group_element_test(&ge[i]);
3942  odd = secp256k1_fe_is_odd(&ge[i].x);
3943  CHECK(odd == 0 || odd == 1);
3944  /* randomly set half the points to infinity */
3945  if (odd == i % 2) {
3946  secp256k1_ge_set_infinity(&ge[i]);
3947  }
3948  secp256k1_gej_set_ge(&gej[i], &ge[i]);
3949  }
3950  /* batch convert */
3951  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3952  /* check result */
3953  for (i = 0; i < 4 * runs + 1; i++) {
3954  ge_equals_gej(&ge[i], &gej[i]);
3955  }
3956 
3957  /* Test batch gej -> ge conversion with all infinities. */
3958  for (i = 0; i < 4 * runs + 1; i++) {
3959  secp256k1_gej_set_infinity(&gej[i]);
3960  }
3961  /* batch convert */
3962  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3963  /* check result */
3964  for (i = 0; i < 4 * runs + 1; i++) {
3965  CHECK(secp256k1_ge_is_infinity(&ge[i]));
3966  }
3967 
3968  free(ge);
3969  free(gej);
3970 }
3971 
3972 static void test_intialized_inf(void) {
3973  secp256k1_ge p;
3974  secp256k1_gej pj, npj, infj1, infj2, infj3;
3975  secp256k1_fe zinv;
3976 
3977  /* Test that adding P+(-P) results in a fully initialized infinity*/
3978  random_group_element_test(&p);
3979  secp256k1_gej_set_ge(&pj, &p);
3980  secp256k1_gej_neg(&npj, &pj);
3981 
3982  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3983  CHECK(secp256k1_gej_is_infinity(&infj1));
3984  CHECK(secp256k1_fe_is_zero(&infj1.x));
3985  CHECK(secp256k1_fe_is_zero(&infj1.y));
3986  CHECK(secp256k1_fe_is_zero(&infj1.z));
3987 
3988  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3989  CHECK(secp256k1_gej_is_infinity(&infj2));
3990  CHECK(secp256k1_fe_is_zero(&infj2.x));
3991  CHECK(secp256k1_fe_is_zero(&infj2.y));
3992  CHECK(secp256k1_fe_is_zero(&infj2.z));
3993 
3994  secp256k1_fe_set_int(&zinv, 1);
3995  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3996  CHECK(secp256k1_gej_is_infinity(&infj3));
3997  CHECK(secp256k1_fe_is_zero(&infj3.x));
3998  CHECK(secp256k1_fe_is_zero(&infj3.y));
3999  CHECK(secp256k1_fe_is_zero(&infj3.z));
4000 
4001 
4002 }
4003 
4004 static void test_add_neg_y_diff_x(void) {
4005  /* The point of this test is to check that we can add two points
4006  * whose y-coordinates are negatives of each other but whose x
4007  * coordinates differ. If the x-coordinates were the same, these
4008  * points would be negatives of each other and their sum is
4009  * infinity. This is cool because it "covers up" any degeneracy
4010  * in the addition algorithm that would cause the xy coordinates
4011  * of the sum to be wrong (since infinity has no xy coordinates).
4012  * HOWEVER, if the x-coordinates are different, infinity is the
4013  * wrong answer, and such degeneracies are exposed. This is the
4014  * root of https://github.com/bitcoin-core/secp256k1/issues/257
4015  * which this test is a regression test for.
4016  *
4017  * These points were generated in sage as
4018  *
4019  * load("secp256k1_params.sage")
4020  *
4021  * # random "bad pair"
4022  * P = C.random_element()
4023  * Q = -int(LAMBDA) * P
4024  * print(" P: %x %x" % P.xy())
4025  * print(" Q: %x %x" % Q.xy())
4026  * print("P + Q: %x %x" % (P + Q).xy())
4027  */
4028  secp256k1_gej aj = SECP256K1_GEJ_CONST(
4029  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
4030  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
4031  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
4032  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
4033  );
4034  secp256k1_gej bj = SECP256K1_GEJ_CONST(
4035  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
4036  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
4037  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
4038  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
4039  );
4040  secp256k1_gej sumj = SECP256K1_GEJ_CONST(
4041  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
4042  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
4043  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
4044  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
4045  );
4046  secp256k1_ge b;
4047  secp256k1_gej resj;
4048  secp256k1_ge res;
4049  secp256k1_ge_set_gej(&b, &bj);
4050 
4051  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4052  secp256k1_ge_set_gej(&res, &resj);
4053  ge_equals_gej(&res, &sumj);
4054 
4055  secp256k1_gej_add_ge(&resj, &aj, &b);
4056  secp256k1_ge_set_gej(&res, &resj);
4057  ge_equals_gej(&res, &sumj);
4058 
4059  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4060  secp256k1_ge_set_gej(&res, &resj);
4061  ge_equals_gej(&res, &sumj);
4062 }
4063 
4064 static void run_ge(void) {
4065  int i;
4066  for (i = 0; i < COUNT * 32; i++) {
4067  test_ge();
4068  }
4069  test_add_neg_y_diff_x();
4070  test_intialized_inf();
4071 }
4072 
4073 static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4074  secp256k1_gej t = *a;
4075  secp256k1_gej_cmov(&t, b, 0);
4076  CHECK(gej_xyz_equals_gej(&t, a));
4077  secp256k1_gej_cmov(&t, b, 1);
4078  CHECK(gej_xyz_equals_gej(&t, b));
4079 }
4080 
4081 static void run_gej(void) {
4082  int i;
4083  secp256k1_gej a, b;
4084 
4085  /* Tests for secp256k1_gej_cmov */
4086  for (i = 0; i < COUNT; i++) {
4087  secp256k1_gej_set_infinity(&a);
4088  secp256k1_gej_set_infinity(&b);
4089  test_gej_cmov(&a, &b);
4090 
4091  random_gej_test(&a);
4092  test_gej_cmov(&a, &b);
4093  test_gej_cmov(&b, &a);
4094 
4095  b = a;
4096  test_gej_cmov(&a, &b);
4097 
4098  random_gej_test(&b);
4099  test_gej_cmov(&a, &b);
4100  test_gej_cmov(&b, &a);
4101  }
4102 
4103  /* Tests for secp256k1_gej_eq_var */
4104  for (i = 0; i < COUNT; i++) {
4105  secp256k1_fe fe;
4106  random_gej_test(&a);
4107  random_gej_test(&b);
4108  CHECK(!secp256k1_gej_eq_var(&a, &b));
4109 
4110  b = a;
4111  random_fe_non_zero_test(&fe);
4112  secp256k1_gej_rescale(&a, &fe);
4113  CHECK(secp256k1_gej_eq_var(&a, &b));
4114  }
4115 }
4116 
4117 static void test_ec_combine(void) {
4118  secp256k1_scalar sum = secp256k1_scalar_zero;
4119  secp256k1_pubkey data[6];
4120  const secp256k1_pubkey* d[6];
4121  secp256k1_pubkey sd;
4122  secp256k1_pubkey sd2;
4123  secp256k1_gej Qj;
4124  secp256k1_ge Q;
4125  int i;
4126  for (i = 1; i <= 6; i++) {
4127  secp256k1_scalar s;
4128  random_scalar_order_test(&s);
4129  secp256k1_scalar_add(&sum, &sum, &s);
4130  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &s);
4131  secp256k1_ge_set_gej(&Q, &Qj);
4132  secp256k1_pubkey_save(&data[i - 1], &Q);
4133  d[i - 1] = &data[i - 1];
4134  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &sum);
4135  secp256k1_ge_set_gej(&Q, &Qj);
4136  secp256k1_pubkey_save(&sd, &Q);
4137  CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4138  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4139  }
4140 }
4141 
4142 static void run_ec_combine(void) {
4143  int i;
4144  for (i = 0; i < COUNT * 8; i++) {
4145  test_ec_combine();
4146  }
4147 }
4148 
4149 static void test_group_decompress(const secp256k1_fe* x) {
4150  /* The input itself, normalized. */
4151  secp256k1_fe fex = *x;
4152  /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
4153  secp256k1_ge ge_even, ge_odd;
4154  /* Return values of the above calls. */
4155  int res_even, res_odd;
4156 
4157  secp256k1_fe_normalize_var(&fex);
4158 
4159  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4160  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4161 
4162  CHECK(res_even == res_odd);
4163 
4164  if (res_even) {
4165  secp256k1_fe_normalize_var(&ge_odd.x);
4166  secp256k1_fe_normalize_var(&ge_even.x);
4167  secp256k1_fe_normalize_var(&ge_odd.y);
4168  secp256k1_fe_normalize_var(&ge_even.y);
4169 
4170  /* No infinity allowed. */
4171  CHECK(!ge_even.infinity);
4172  CHECK(!ge_odd.infinity);
4173 
4174  /* Check that the x coordinates check out. */
4175  CHECK(secp256k1_fe_equal(&ge_even.x, x));
4176  CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4177 
4178  /* Check odd/even Y in ge_odd, ge_even. */
4179  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4180  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4181  }
4182 }
4183 
4184 static void run_group_decompress(void) {
4185  int i;
4186  for (i = 0; i < COUNT * 4; i++) {
4187  secp256k1_fe fe;
4188  random_fe_test(&fe);
4189  test_group_decompress(&fe);
4190  }
4191 }
4192 
4193 /***** ECMULT TESTS *****/
4194 
4195 static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4196  /* Tests the pre_g / pre_g_128 tables for consistency.
4197  * For independent verification we take a "geometric" approach to verification.
4198  * We check that every entry is on-curve.
4199  * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4200  * (1) p, gg, and -q are colinear.
4201  * (2) p, gg, and -q are all distinct.
4202  * where gg is twice the generator, where the generator is the first table entry.
4203  *
4204  * Checking the table's generators are correct is done in run_ecmult_pre_g.
4205  */
4206  secp256k1_gej g2;
4207  secp256k1_ge p, q, gg;
4208  secp256k1_fe dpx, dpy, dqx, dqy;
4209  size_t i;
4210 
4211  CHECK(0 < n);
4212 
4213  secp256k1_ge_from_storage(&p, &pre_g[0]);
4214  CHECK(secp256k1_ge_is_valid_var(&p));
4215 
4216  secp256k1_gej_set_ge(&g2, &p);
4217  secp256k1_gej_double_var(&g2, &g2, NULL);
4218  secp256k1_ge_set_gej_var(&gg, &g2);
4219  for (i = 1; i < n; ++i) {
4220  secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4221  secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4222  /* Check that p is not equal to gg */
4223  CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy));
4224 
4225  secp256k1_ge_from_storage(&q, &pre_g[i]);
4226  CHECK(secp256k1_ge_is_valid_var(&q));
4227 
4228  secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4229  dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4230  /* Check that -q is not equal to gg */
4231  CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy));
4232 
4233  /* Check that -q is not equal to p */
4234  CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4235 
4236  /* Check that p, -q and gg are colinear */
4237  secp256k1_fe_mul(&dpx, &dpx, &dqy);
4238  secp256k1_fe_mul(&dpy, &dpy, &dqx);
4239  CHECK(secp256k1_fe_equal(&dpx, &dpy));
4240 
4241  p = q;
4242  }
4243 }
4244 
4245 static void run_ecmult_pre_g(void) {
4246  secp256k1_ge_storage gs;
4247  secp256k1_gej gj;
4248  secp256k1_ge g;
4249  size_t i;
4250 
4251  /* Check that the pre_g and pre_g_128 tables are consistent. */
4252  test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G));
4253  test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G));
4254 
4255  /* Check the first entry from the pre_g table. */
4256  secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g);
4257  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4258 
4259  /* Check the first entry from the pre_g_128 table. */
4260  secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
4261  for (i = 0; i < 128; ++i) {
4262  secp256k1_gej_double_var(&gj, &gj, NULL);
4263  }
4264  secp256k1_ge_set_gej(&g, &gj);
4265  secp256k1_ge_to_storage(&gs, &g);
4266  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4267 }
4268 
4269 static void run_ecmult_chain(void) {
4270  /* random starting point A (on the curve) */
4271  secp256k1_gej a = SECP256K1_GEJ_CONST(
4272  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4273  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4274  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4275  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4276  );
4277  /* two random initial factors xn and gn */
4278  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4279  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4280  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4281  );
4282  secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
4283  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4284  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4285  );
4286  /* two small multipliers to be applied to xn and gn in every iteration: */
4287  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4288  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4289  /* accumulators with the resulting coefficients to A and G */
4290  secp256k1_scalar ae = secp256k1_scalar_one;
4291  secp256k1_scalar ge = secp256k1_scalar_zero;
4292  /* actual points */
4293  secp256k1_gej x;
4294  secp256k1_gej x2;
4295  int i;
4296 
4297  /* the point being computed */
4298  x = a;
4299  for (i = 0; i < 200*COUNT; i++) {
4300  /* in each iteration, compute X = xn*X + gn*G; */
4301  secp256k1_ecmult(&x, &x, &xn, &gn);
4302  /* also compute ae and ge: the actual accumulated factors for A and G */
4303  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4304  secp256k1_scalar_mul(&ae, &ae, &xn);
4305  secp256k1_scalar_mul(&ge, &ge, &xn);
4306  secp256k1_scalar_add(&ge, &ge, &gn);
4307  /* modify xn and gn */
4308  secp256k1_scalar_mul(&xn, &xn, &xf);
4309  secp256k1_scalar_mul(&gn, &gn, &gf);
4310 
4311  /* verify */
4312  if (i == 19999) {
4313  /* expected result after 19999 iterations */
4314  secp256k1_gej rp = SECP256K1_GEJ_CONST(
4315  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4316  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4317  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4318  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4319  );
4320  CHECK(secp256k1_gej_eq_var(&rp, &x));
4321  }
4322  }
4323  /* redo the computation, but directly with the resulting ae and ge coefficients: */
4324  secp256k1_ecmult(&x2, &a, &ae, &ge);
4325  CHECK(secp256k1_gej_eq_var(&x, &x2));
4326 }
4327 
4328 static void test_point_times_order(const secp256k1_gej *point) {
4329  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4330  secp256k1_scalar x;
4331  secp256k1_scalar nx;
4332  secp256k1_gej res1, res2;
4333  secp256k1_ge res3;
4334  unsigned char pub[65];
4335  size_t psize = 65;
4336  random_scalar_order_test(&x);
4337  secp256k1_scalar_negate(&nx, &x);
4338  secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4339  secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4340  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4341  CHECK(secp256k1_gej_is_infinity(&res1));
4342  secp256k1_ge_set_gej(&res3, &res1);
4343  CHECK(secp256k1_ge_is_infinity(&res3));
4344  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4345  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4346  psize = 65;
4347  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4348  /* check zero/one edge cases */
4349  secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_zero);
4350  secp256k1_ge_set_gej(&res3, &res1);
4351  CHECK(secp256k1_ge_is_infinity(&res3));
4352  secp256k1_ecmult(&res1, point, &secp256k1_scalar_one, &secp256k1_scalar_zero);
4353  secp256k1_ge_set_gej(&res3, &res1);
4354  ge_equals_gej(&res3, point);
4355  secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_one);
4356  secp256k1_ge_set_gej(&res3, &res1);
4357  ge_equals_ge(&res3, &secp256k1_ge_const_g);
4358 }
4359 
4360 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4361  *
4362  * They are computed as:
4363  * - For a in [-2, -1, 0, 1, 2]:
4364  * - For b in [-3, -1, 1, 3]:
4365  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4366  */
4367 static const secp256k1_scalar scalars_near_split_bounds[20] = {
4368  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4369  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4370  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4371  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4372  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4373  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4374  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4375  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4376  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4377  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4378  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4379  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4380  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4381  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4382  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4383  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4384  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4385  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4386  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4387  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4388 };
4389 
4390 static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4391  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4392  secp256k1_scalar n1, n2;
4393  secp256k1_ge p;
4394  secp256k1_gej pj, p1j, p2j, ptj;
4395 
4396  /* Generate random n1,n2 such that n1+n2 = -target. */
4397  random_scalar_order_test(&n1);
4398  secp256k1_scalar_add(&n2, &n1, target);
4399  secp256k1_scalar_negate(&n2, &n2);
4400 
4401  /* Generate a random input point. */
4402  if (mode != 0) {
4403  random_group_element_test(&p);
4404  secp256k1_gej_set_ge(&pj, &p);
4405  }
4406 
4407  /* EC multiplications */
4408  if (mode == 0) {
4409  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1);
4410  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2);
4411  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4412  } else if (mode == 1) {
4413  secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4414  secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4415  secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4416  } else {
4417  secp256k1_ecmult_const(&p1j, &p, &n1);
4418  secp256k1_ecmult_const(&p2j, &p, &n2);
4419  secp256k1_ecmult_const(&ptj, &p, target);
4420  }
4421 
4422  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4423  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4424  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4425  CHECK(secp256k1_gej_is_infinity(&ptj));
4426 }
4427 
4428 static void run_ecmult_near_split_bound(void) {
4429  int i;
4430  unsigned j;
4431  for (i = 0; i < 4*COUNT; ++i) {
4432  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4433  test_ecmult_target(&scalars_near_split_bounds[j], 0);
4434  test_ecmult_target(&scalars_near_split_bounds[j], 1);
4435  test_ecmult_target(&scalars_near_split_bounds[j], 2);
4436  }
4437  }
4438 }
4439 
4440 static void run_point_times_order(void) {
4441  int i;
4442  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4443  static const secp256k1_fe xr = SECP256K1_FE_CONST(
4444  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4445  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4446  );
4447  for (i = 0; i < 500; i++) {
4448  secp256k1_ge p;
4449  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4450  secp256k1_gej j;
4451  CHECK(secp256k1_ge_is_valid_var(&p));
4452  secp256k1_gej_set_ge(&j, &p);
4453  test_point_times_order(&j);
4454  }
4455  secp256k1_fe_sqr(&x, &x);
4456  }
4457  secp256k1_fe_normalize_var(&x);
4458  CHECK(secp256k1_fe_equal(&x, &xr));
4459 }
4460 
4461 static void ecmult_const_random_mult(void) {
4462  /* random starting point A (on the curve) */
4463  secp256k1_ge a = SECP256K1_GE_CONST(
4464  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4465  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4466  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4467  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4468  );
4469  /* random initial factor xn */
4470  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4471  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4472  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4473  );
4474  /* expected xn * A (from sage) */
4475  secp256k1_ge expected_b = SECP256K1_GE_CONST(
4476  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4477  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4478  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4479  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4480  );
4481  secp256k1_gej b;
4482  secp256k1_ecmult_const(&b, &a, &xn);
4483 
4484  CHECK(secp256k1_ge_is_valid_var(&a));
4485  ge_equals_gej(&expected_b, &b);
4486 }
4487 
4488 static void ecmult_const_commutativity(void) {
4489  secp256k1_scalar a;
4490  secp256k1_scalar b;
4491  secp256k1_gej res1;
4492  secp256k1_gej res2;
4493  secp256k1_ge mid1;
4494  secp256k1_ge mid2;
4495  random_scalar_order_test(&a);
4496  random_scalar_order_test(&b);
4497 
4498  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
4499  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
4500  secp256k1_ge_set_gej(&mid1, &res1);
4501  secp256k1_ge_set_gej(&mid2, &res2);
4502  secp256k1_ecmult_const(&res1, &mid1, &b);
4503  secp256k1_ecmult_const(&res2, &mid2, &a);
4504  secp256k1_ge_set_gej(&mid1, &res1);
4505  secp256k1_ge_set_gej(&mid2, &res2);
4506  ge_equals_ge(&mid1, &mid2);
4507 }
4508 
4509 static void ecmult_const_mult_zero_one(void) {
4510  secp256k1_scalar negone;
4511  secp256k1_gej res1;
4512  secp256k1_ge res2;
4513  secp256k1_ge point;
4514  secp256k1_scalar_negate(&negone, &secp256k1_scalar_one);
4515 
4516  random_group_element_test(&point);
4517  secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_zero);
4518  secp256k1_ge_set_gej(&res2, &res1);
4519  CHECK(secp256k1_ge_is_infinity(&res2));
4520  secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_one);
4521  secp256k1_ge_set_gej(&res2, &res1);
4522  ge_equals_ge(&res2, &point);
4523  secp256k1_ecmult_const(&res1, &point, &negone);
4524  secp256k1_gej_neg(&res1, &res1);
4525  secp256k1_ge_set_gej(&res2, &res1);
4526  ge_equals_ge(&res2, &point);
4527 }
4528 
4529 static void ecmult_const_mult_xonly(void) {
4530  int i;
4531 
4532  /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4533  for (i = 0; i < 2*COUNT; ++i) {
4534  secp256k1_ge base;
4535  secp256k1_gej basej, resj;
4536  secp256k1_fe n, d, resx, v;
4537  secp256k1_scalar q;
4538  int res;
4539  /* Random base point. */
4540  random_group_element_test(&base);
4541  /* Random scalar to multiply it with. */
4542  random_scalar_order_test(&q);
4543  /* If i is odd, n=d*base.x for random non-zero d */
4544  if (i & 1) {
4545  random_fe_non_zero_test(&d);
4546  secp256k1_fe_mul(&n, &base.x, &d);
4547  } else {
4548  n = base.x;
4549  }
4550  /* Perform x-only multiplication. */
4551  res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4552  CHECK(res);
4553  /* Perform normal multiplication. */
4554  secp256k1_gej_set_ge(&basej, &base);
4555  secp256k1_ecmult(&resj, &basej, &q, NULL);
4556  /* Check that resj's X coordinate corresponds with resx. */
4557  secp256k1_fe_sqr(&v, &resj.z);
4558  secp256k1_fe_mul(&v, &v, &resx);
4559  CHECK(check_fe_equal(&v, &resj.x));
4560  }
4561 
4562  /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4563  for (i = 0; i < 2*COUNT; ++i) {
4564  secp256k1_fe x, n, d, r;
4565  int res;
4566  secp256k1_scalar q;
4567  random_scalar_order_test(&q);
4568  /* Generate random X coordinate not on the curve. */
4569  do {
4570  random_fe_test(&x);
4571  } while (secp256k1_ge_x_on_curve_var(&x));
4572  /* If i is odd, n=d*x for random non-zero d. */
4573  if (i & 1) {
4574  random_fe_non_zero_test(&d);
4575  secp256k1_fe_mul(&n, &x, &d);
4576  } else {
4577  n = x;
4578  }
4579  res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4580  CHECK(res == 0);
4581  }
4582 }
4583 
4584 static void ecmult_const_chain_multiply(void) {
4585  /* Check known result (randomly generated test problem from sage) */
4586  const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
4587  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4588  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4589  );
4590  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4591  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4592  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4593  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4594  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4595  );
4596  secp256k1_gej point;
4597  secp256k1_ge res;
4598  int i;
4599 
4600  secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
4601  for (i = 0; i < 100; ++i) {
4602  secp256k1_ge tmp;
4603  secp256k1_ge_set_gej(&tmp, &point);
4604  secp256k1_ecmult_const(&point, &tmp, &scalar);
4605  }
4606  secp256k1_ge_set_gej(&res, &point);
4607  ge_equals_gej(&res, &expected_point);
4608 }
4609 
4610 static void run_ecmult_const_tests(void) {
4611  ecmult_const_mult_zero_one();
4612  ecmult_const_random_mult();
4613  ecmult_const_commutativity();
4614  ecmult_const_chain_multiply();
4615  ecmult_const_mult_xonly();
4616 }
4617 
4618 typedef struct {
4619  secp256k1_scalar *sc;
4620  secp256k1_ge *pt;
4621 } ecmult_multi_data;
4622 
4623 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4624  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4625  *sc = data->sc[idx];
4626  *pt = data->pt[idx];
4627  return 1;
4628 }
4629 
4630 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4631  (void)sc;
4632  (void)pt;
4633  (void)idx;
4634  (void)cbdata;
4635  return 0;
4636 }
4637 
4638 static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
4639  int ncount;
4640  secp256k1_scalar sc[32];
4641  secp256k1_ge pt[32];
4642  secp256k1_gej r;
4643  secp256k1_gej r2;
4644  ecmult_multi_data data;
4645 
4646  data.sc = sc;
4647  data.pt = pt;
4648 
4649  /* No points to multiply */
4650  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4651 
4652  /* Check 1- and 2-point multiplies against ecmult */
4653  for (ncount = 0; ncount < COUNT; ncount++) {
4654  secp256k1_ge ptg;
4655  secp256k1_gej ptgj;
4656  random_scalar_order(&sc[0]);
4657  random_scalar_order(&sc[1]);
4658 
4659  random_group_element_test(&ptg);
4660  secp256k1_gej_set_ge(&ptgj, &ptg);
4661  pt[0] = ptg;
4662  pt[1] = secp256k1_ge_const_g;
4663 
4664  /* only G scalar */
4665  secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4666  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4667  CHECK(secp256k1_gej_eq_var(&r, &r2));
4668 
4669  /* 1-point */
4670  secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4671  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4672  CHECK(secp256k1_gej_eq_var(&r, &r2));
4673 
4674  /* Try to multiply 1 point, but callback returns false */
4675  CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4676 
4677  /* 2-point */
4678  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4679  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4680  CHECK(secp256k1_gej_eq_var(&r, &r2));
4681 
4682  /* 2-point with G scalar */
4683  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4684  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4685  CHECK(secp256k1_gej_eq_var(&r, &r2));
4686  }
4687 
4688  /* Check infinite outputs of various forms */
4689  for (ncount = 0; ncount < COUNT; ncount++) {
4690  secp256k1_ge ptg;
4691  size_t i, j;
4692  size_t sizes[] = { 2, 10, 32 };
4693 
4694  for (j = 0; j < 3; j++) {
4695  for (i = 0; i < 32; i++) {
4696  random_scalar_order(&sc[i]);
4697  secp256k1_ge_set_infinity(&pt[i]);
4698  }
4699  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4700  CHECK(secp256k1_gej_is_infinity(&r));
4701  }
4702 
4703  for (j = 0; j < 3; j++) {
4704  for (i = 0; i < 32; i++) {
4705  random_group_element_test(&ptg);
4706  pt[i] = ptg;
4707  secp256k1_scalar_set_int(&sc[i], 0);
4708  }
4709  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4710  CHECK(secp256k1_gej_is_infinity(&r));
4711  }
4712 
4713  for (j = 0; j < 3; j++) {
4714  random_group_element_test(&ptg);
4715  for (i = 0; i < 16; i++) {
4716  random_scalar_order(&sc[2*i]);
4717  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4718  pt[2 * i] = ptg;
4719  pt[2 * i + 1] = ptg;
4720  }
4721 
4722  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4723  CHECK(secp256k1_gej_is_infinity(&r));
4724 
4725  random_scalar_order(&sc[0]);
4726  for (i = 0; i < 16; i++) {
4727  random_group_element_test(&ptg);
4728 
4729  sc[2*i] = sc[0];
4730  sc[2*i+1] = sc[0];
4731  pt[2 * i] = ptg;
4732  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4733  }
4734 
4735  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4736  CHECK(secp256k1_gej_is_infinity(&r));
4737  }
4738 
4739  random_group_element_test(&ptg);
4740  secp256k1_scalar_set_int(&sc[0], 0);
4741  pt[0] = ptg;
4742  for (i = 1; i < 32; i++) {
4743  pt[i] = ptg;
4744 
4745  random_scalar_order(&sc[i]);
4746  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4747  secp256k1_scalar_negate(&sc[i], &sc[i]);
4748  }
4749 
4750  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4751  CHECK(secp256k1_gej_is_infinity(&r));
4752  }
4753 
4754  /* Check random points, constant scalar */
4755  for (ncount = 0; ncount < COUNT; ncount++) {
4756  size_t i;
4757  secp256k1_gej_set_infinity(&r);
4758 
4759  random_scalar_order(&sc[0]);
4760  for (i = 0; i < 20; i++) {
4761  secp256k1_ge ptg;
4762  sc[i] = sc[0];
4763  random_group_element_test(&ptg);
4764  pt[i] = ptg;
4765  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4766  }
4767 
4768  secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4769  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4770  CHECK(secp256k1_gej_eq_var(&r, &r2));
4771  }
4772 
4773  /* Check random scalars, constant point */
4774  for (ncount = 0; ncount < COUNT; ncount++) {
4775  size_t i;
4776  secp256k1_ge ptg;
4777  secp256k1_gej p0j;
4778  secp256k1_scalar rs;
4779  secp256k1_scalar_set_int(&rs, 0);
4780 
4781  random_group_element_test(&ptg);
4782  for (i = 0; i < 20; i++) {
4783  random_scalar_order(&sc[i]);
4784  pt[i] = ptg;
4785  secp256k1_scalar_add(&rs, &rs, &sc[i]);
4786  }
4787 
4788  secp256k1_gej_set_ge(&p0j, &pt[0]);
4789  secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4790  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4791  CHECK(secp256k1_gej_eq_var(&r, &r2));
4792  }
4793 
4794  /* Sanity check that zero scalars don't cause problems */
4795  for (ncount = 0; ncount < 20; ncount++) {
4796  random_scalar_order(&sc[ncount]);
4797  random_group_element_test(&pt[ncount]);
4798  }
4799 
4800  secp256k1_scalar_clear(&sc[0]);
4801  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4802  secp256k1_scalar_clear(&sc[1]);
4803  secp256k1_scalar_clear(&sc[2]);
4804  secp256k1_scalar_clear(&sc[3]);
4805  secp256k1_scalar_clear(&sc[4]);
4806  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4807  CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4808  CHECK(secp256k1_gej_is_infinity(&r));
4809 
4810  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4811  {
4812  const size_t TOP = 8;
4813  size_t s0i, s1i;
4814  size_t t0i, t1i;
4815  secp256k1_ge ptg;
4816  secp256k1_gej ptgj;
4817 
4818  random_group_element_test(&ptg);
4819  secp256k1_gej_set_ge(&ptgj, &ptg);
4820 
4821  for(t0i = 0; t0i < TOP; t0i++) {
4822  for(t1i = 0; t1i < TOP; t1i++) {
4823  secp256k1_gej t0p, t1p;
4824  secp256k1_scalar t0, t1;
4825 
4826  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4827  secp256k1_scalar_cond_negate(&t0, t0i & 1);
4828  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4829  secp256k1_scalar_cond_negate(&t1, t1i & 1);
4830 
4831  secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4832  secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4833 
4834  for(s0i = 0; s0i < TOP; s0i++) {
4835  for(s1i = 0; s1i < TOP; s1i++) {
4836  secp256k1_scalar tmp1, tmp2;
4837  secp256k1_gej expected, actual;
4838 
4839  secp256k1_ge_set_gej(&pt[0], &t0p);
4840  secp256k1_ge_set_gej(&pt[1], &t1p);
4841 
4842  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4843  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4844  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4845  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4846 
4847  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4848  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4849  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4850 
4851  secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4852  CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4853  CHECK(secp256k1_gej_eq_var(&actual, &expected));
4854  }
4855  }
4856  }
4857  }
4858  }
4859 }
4860 
4861 static int test_ecmult_multi_random(secp256k1_scratch *scratch) {
4862  /* Large random test for ecmult_multi_* functions which exercises:
4863  * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4864  * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4865  * - Including or excluding an nonzero a*G term (or such a term at all).
4866  * - Final expected result equal to infinity or not (roughly 50%).
4867  * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4868  */
4869 
4870  /* These 4 variables define the eventual input to the ecmult_multi function.
4871  * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4872  * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4873  * which form its normal inputs. */
4874  int filled = 0;
4875  secp256k1_scalar g_scalar = secp256k1_scalar_zero;
4876  secp256k1_scalar scalars[128];
4877  secp256k1_gej gejs[128];
4878  /* The expected result, and the computed result. */
4879  secp256k1_gej expected, computed;
4880  /* Temporaries. */
4881  secp256k1_scalar sc_tmp;
4882  secp256k1_ge ge_tmp;
4883  /* Variables needed for the actual input to ecmult_multi. */
4884  secp256k1_ge ges[128];
4885  ecmult_multi_data data;
4886 
4887  int i;
4888  /* Which multiplication function to use */
4889  int fn = secp256k1_testrand_int(3);
4890  secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4891  fn == 1 ? secp256k1_ecmult_strauss_batch_single :
4892  secp256k1_ecmult_pippenger_batch_single;
4893  /* Simulate exponentially distributed num. */
4894  int num_bits = 2 + secp256k1_testrand_int(6);
4895  /* Number of (scalar, point) inputs (excluding g). */
4896  int num = secp256k1_testrand_int((1 << num_bits) + 1);
4897  /* Number of those which are nonzero. */
4898  int num_nonzero = secp256k1_testrand_int(num + 1);
4899  /* Whether we're aiming to create an input with nonzero expected result. */
4900  int nonzero_result = secp256k1_testrand_bits(1);
4901  /* Whether we will provide nonzero g multiplicand. In some cases our hand
4902  * is forced here based on num_nonzero and nonzero_result. */
4903  int g_nonzero = num_nonzero == 0 ? nonzero_result :
4904  num_nonzero == 1 && !nonzero_result ? 1 :
4905  (int)secp256k1_testrand_bits(1);
4906  /* Which g_scalar pointer to pass into ecmult_multi(). */
4907  const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4908  /* How many EC multiplications were performed in this function. */
4909  int mults = 0;
4910  /* How many randomization steps to apply to the input list. */
4911  int rands = (int)secp256k1_testrand_bits(3);
4912  if (rands > num_nonzero) rands = num_nonzero;
4913 
4914  secp256k1_gej_set_infinity(&expected);
4915  secp256k1_gej_set_infinity(&gejs[0]);
4916  secp256k1_scalar_set_int(&scalars[0], 0);
4917 
4918  if (g_nonzero) {
4919  /* If g_nonzero, set g_scalar to nonzero value r. */
4920  random_scalar_order_test(&g_scalar);
4921  if (!nonzero_result) {
4922  /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4923  CHECK(num_nonzero > filled);
4924  random_scalar_order_test(&sc_tmp);
4925  secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4926  secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4927  secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4928  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4929  ++filled;
4930  ++mults;
4931  }
4932  }
4933 
4934  if (nonzero_result && filled < num_nonzero) {
4935  /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4936  random_scalar_order_test(&scalars[filled]);
4937  random_group_element_test(&ge_tmp);
4938  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4939  ++filled;
4940  }
4941 
4942  if (nonzero_result) {
4943  /* Compute the expected result using normal ecmult. */
4944  CHECK(filled <= 1);
4945  secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4946  mults += filled + g_nonzero;
4947  }
4948 
4949  /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4950  CHECK(filled <= 1 + !nonzero_result);
4951  CHECK(filled <= num_nonzero);
4952 
4953  /* Add entries to scalars,gejs so that there are num of them. All the added entries
4954  * either have scalar=0 or point=infinity, so these do not change the expected result. */
4955  while (filled < num) {
4956  if (secp256k1_testrand_bits(1)) {
4957  secp256k1_gej_set_infinity(&gejs[filled]);
4958  random_scalar_order_test(&scalars[filled]);
4959  } else {
4960  secp256k1_scalar_set_int(&scalars[filled], 0);
4961  random_group_element_test(&ge_tmp);
4962  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4963  }
4964  ++filled;
4965  }
4966 
4967  /* Now perform cheapish transformations on gejs and scalars, for indices
4968  * 0..num_nonzero-1, which do not change the expected result, but may
4969  * convert some of them to be both non-0-scalar and non-infinity-point. */
4970  for (i = 0; i < rands; ++i) {
4971  int j;
4972  secp256k1_scalar v, iv;
4973  /* Shuffle the entries. */
4974  for (j = 0; j < num_nonzero; ++j) {
4975  int k = secp256k1_testrand_int(num_nonzero - j);
4976  if (k != 0) {
4977  secp256k1_gej gej = gejs[j];
4978  secp256k1_scalar sc = scalars[j];
4979  gejs[j] = gejs[j + k];
4980  scalars[j] = scalars[j + k];
4981  gejs[j + k] = gej;
4982  scalars[j + k] = sc;
4983  }
4984  }
4985  /* Perturb all consecutive pairs of inputs:
4986  * a*P + b*Q -> (a+b)*P + b*(Q-P). */
4987  for (j = 0; j + 1 < num_nonzero; j += 2) {
4988  secp256k1_gej gej;
4989  secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
4990  secp256k1_gej_neg(&gej, &gejs[j]);
4991  secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
4992  }
4993  /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
4994  CHECK(num_nonzero >= 1);
4995  random_scalar_order_test(&v);
4996  secp256k1_scalar_inverse(&iv, &v);
4997  secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
4998  secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
4999  ++mults;
5000  }
5001 
5002  /* Shuffle all entries (0..num-1). */
5003  for (i = 0; i < num; ++i) {
5004  int j = secp256k1_testrand_int(num - i);
5005  if (j != 0) {
5006  secp256k1_gej gej = gejs[i];
5007  secp256k1_scalar sc = scalars[i];
5008  gejs[i] = gejs[i + j];
5009  scalars[i] = scalars[i + j];
5010  gejs[i + j] = gej;
5011  scalars[i + j] = sc;
5012  }
5013  }
5014 
5015  /* Compute affine versions of all inputs. */
5016  secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5017  /* Invoke ecmult_multi code. */
5018  data.sc = scalars;
5019  data.pt = ges;
5020  CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5021  mults += num_nonzero + g_nonzero;
5022  /* Compare with expected result. */
5023  CHECK(secp256k1_gej_eq_var(&computed, &expected));
5024  return mults;
5025 }
5026 
5027 static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
5028  secp256k1_scalar sc;
5029  secp256k1_ge pt;
5030  secp256k1_gej r;
5031  ecmult_multi_data data;
5032  secp256k1_scratch *scratch_empty;
5033 
5034  random_group_element_test(&pt);
5035  random_scalar_order(&sc);
5036  data.sc = &sc;
5037  data.pt = &pt;
5038 
5039  /* Try to multiply 1 point, but scratch space is empty.*/
5040  scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5041  CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5042  secp256k1_scratch_destroy(&CTX->error_callback, scratch_empty);
5043 }
5044 
5045 static void test_secp256k1_pippenger_bucket_window_inv(void) {
5046  int i;
5047 
5048  CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
5049  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5050  /* Bucket_window of 8 is not used with endo */
5051  if (i == 8) {
5052  continue;
5053  }
5054  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
5055  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5056  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
5057  }
5058  }
5059 }
5060 
5065 static void test_ecmult_multi_pippenger_max_points(void) {
5066  size_t scratch_size = secp256k1_testrand_bits(8);
5067  size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
5068  secp256k1_scratch *scratch;
5069  size_t n_points_supported;
5070  int bucket_window = 0;
5071 
5072  for(; scratch_size < max_size; scratch_size+=256) {
5073  size_t i;
5074  size_t total_alloc;
5075  size_t checkpoint;
5076  scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5077  CHECK(scratch != NULL);
5078  checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5079  n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5080  if (n_points_supported == 0) {
5081  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5082  continue;
5083  }
5084  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5085  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5086  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5087  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5088  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 1));
5089  total_alloc--;
5090  }
5091  CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5092  secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
5093  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5094  }
5095  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5096 }
5097 
5098 static void test_ecmult_multi_batch_size_helper(void) {
5099  size_t n_batches, n_batch_points, max_n_batch_points, n;
5100 
5101  max_n_batch_points = 0;
5102  n = 1;
5103  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5104 
5105  max_n_batch_points = 1;
5106  n = 0;
5107  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5108  CHECK(n_batches == 0);
5109  CHECK(n_batch_points == 0);
5110 
5111  max_n_batch_points = 2;
5112  n = 5;
5113  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5114  CHECK(n_batches == 3);
5115  CHECK(n_batch_points == 2);
5116 
5117  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5118  n = ECMULT_MAX_POINTS_PER_BATCH;
5119  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5120  CHECK(n_batches == 1);
5121  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5122 
5123  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5124  n = ECMULT_MAX_POINTS_PER_BATCH + 1;
5125  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5126  CHECK(n_batches == 2);
5127  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5128 
5129  max_n_batch_points = 1;
5130  n = SIZE_MAX;
5131  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5132  CHECK(n_batches == SIZE_MAX);
5133  CHECK(n_batch_points == 1);
5134 
5135  max_n_batch_points = 2;
5136  n = SIZE_MAX;
5137  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5138  CHECK(n_batches == SIZE_MAX/2 + 1);
5139  CHECK(n_batch_points == 2);
5140 }
5141 
5146 static void test_ecmult_multi_batching(void) {
5147  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5148  secp256k1_scalar scG;
5149  secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_scalar) * n_points);
5150  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points);
5151  secp256k1_gej r;
5152  secp256k1_gej r2;
5153  ecmult_multi_data data;
5154  int i;
5155  secp256k1_scratch *scratch;
5156 
5157  secp256k1_gej_set_infinity(&r2);
5158 
5159  /* Get random scalars and group elements and compute result */
5160  random_scalar_order(&scG);
5161  secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5162  for(i = 0; i < n_points; i++) {
5163  secp256k1_ge ptg;
5164  secp256k1_gej ptgj;
5165  random_group_element_test(&ptg);
5166  secp256k1_gej_set_ge(&ptgj, &ptg);
5167  pt[i] = ptg;
5168  random_scalar_order(&sc[i]);
5169  secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5170  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5171  }
5172  data.sc = sc;
5173  data.pt = pt;
5174  secp256k1_gej_neg(&r2, &r2);
5175 
5176  /* Test with empty scratch space. It should compute the correct result using
5177  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5178  scratch = secp256k1_scratch_create(&CTX->error_callback, 0);
5179  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5180  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5181  CHECK(secp256k1_gej_is_infinity(&r));
5182  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5183 
5184  /* Test with space for 1 point in pippenger. That's not enough because
5185  * ecmult_multi selects strauss which requires more memory. It should
5186  * therefore select the simple algorithm. */
5187  scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5188  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5189  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5190  CHECK(secp256k1_gej_is_infinity(&r));
5191  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5192 
5193  for(i = 1; i <= n_points; i++) {
5194  if (i > ECMULT_PIPPENGER_THRESHOLD) {
5195  int bucket_window = secp256k1_pippenger_bucket_window(i);
5196  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5197  scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5198  } else {
5199  size_t scratch_size = secp256k1_strauss_scratch_size(i);
5200  scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5201  }
5202  CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5203  secp256k1_gej_add_var(&r, &r, &r2, NULL);
5204  CHECK(secp256k1_gej_is_infinity(&r));
5205  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5206  }
5207  free(sc);
5208  free(pt);
5209 }
5210 
5211 static void run_ecmult_multi_tests(void) {
5212  secp256k1_scratch *scratch;
5213  int64_t todo = (int64_t)320 * COUNT;
5214 
5215  test_secp256k1_pippenger_bucket_window_inv();
5216  test_ecmult_multi_pippenger_max_points();
5217  scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5218  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5219  test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
5220  test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
5221  test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
5222  test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
5223  test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
5224  while (todo > 0) {
5225  todo -= test_ecmult_multi_random(scratch);
5226  }
5227  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5228 
5229  /* Run test_ecmult_multi with space for exactly one point */
5230  scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5231  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5232  secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5233 
5234  test_ecmult_multi_batch_size_helper();
5235  test_ecmult_multi_batching();
5236 }
5237 
5238 static void test_wnaf(const secp256k1_scalar *number, int w) {
5239  secp256k1_scalar x, two, t;
5240  int wnaf[256];
5241  int zeroes = -1;
5242  int i;
5243  int bits;
5244  secp256k1_scalar_set_int(&x, 0);
5245  secp256k1_scalar_set_int(&two, 2);
5246  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5247  CHECK(bits <= 256);
5248  for (i = bits-1; i >= 0; i--) {
5249  int v = wnaf[i];
5250  secp256k1_scalar_mul(&x, &x, &two);
5251  if (v) {
5252  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5253  zeroes=0;
5254  CHECK((v & 1) == 1); /* check non-zero elements are odd */
5255  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5256  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5257  } else {
5258  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5259  zeroes++;
5260  }
5261  if (v >= 0) {
5262  secp256k1_scalar_set_int(&t, v);
5263  } else {
5264  secp256k1_scalar_set_int(&t, -v);
5265  secp256k1_scalar_negate(&t, &t);
5266  }
5267  secp256k1_scalar_add(&x, &x, &t);
5268  }
5269  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5270 }
5271 
5272 static void test_constant_wnaf_negate(const secp256k1_scalar *number) {
5273  secp256k1_scalar neg1 = *number;
5274  secp256k1_scalar neg2 = *number;
5275  int sign1 = 1;
5276  int sign2 = 1;
5277 
5278  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
5279  secp256k1_scalar_negate(&neg1, &neg1);
5280  sign1 = -1;
5281  }
5282  sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
5283  CHECK(sign1 == sign2);
5284  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
5285 }
5286 
5287 static void test_constant_wnaf(const secp256k1_scalar *number, int w) {
5288  secp256k1_scalar x, shift;
5289  int wnaf[256] = {0};
5290  int i;
5291  int skew;
5292  int bits = 256;
5293  secp256k1_scalar num = *number;
5294  secp256k1_scalar scalar_skew;
5295 
5296  secp256k1_scalar_set_int(&x, 0);
5297  secp256k1_scalar_set_int(&shift, 1 << w);
5298  for (i = 0; i < 16; ++i) {
5299  secp256k1_scalar_shr_int(&num, 8);
5300  }
5301  bits = 128;
5302  skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
5303 
5304  for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
5305  secp256k1_scalar t;
5306  int v = wnaf[i];
5307  CHECK(v != 0); /* check nonzero */
5308  CHECK(v & 1); /* check parity */
5309  CHECK(v > -(1 << w)); /* check range above */
5310  CHECK(v < (1 << w)); /* check range below */
5311 
5312  secp256k1_scalar_mul(&x, &x, &shift);
5313  if (v >= 0) {
5314  secp256k1_scalar_set_int(&t, v);
5315  } else {
5316  secp256k1_scalar_set_int(&t, -v);
5317  secp256k1_scalar_negate(&t, &t);
5318  }
5319  secp256k1_scalar_add(&x, &x, &t);
5320  }
5321  /* Skew num because when encoding numbers as odd we use an offset */
5322  secp256k1_scalar_set_int(&scalar_skew, skew);
5323  secp256k1_scalar_add(&num, &num, &scalar_skew);
5324  CHECK(secp256k1_scalar_eq(&x, &num));
5325 }
5326 
5327 static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5328  secp256k1_scalar x, shift;
5329  int wnaf[256] = {0};
5330  int i;
5331  int skew;
5332  secp256k1_scalar num = *number;
5333 
5334  secp256k1_scalar_set_int(&x, 0);
5335  secp256k1_scalar_set_int(&shift, 1 << w);
5336  for (i = 0; i < 16; ++i) {
5337  secp256k1_scalar_shr_int(&num, 8);
5338  }
5339  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5340 
5341  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5342  secp256k1_scalar t;
5343  int v = wnaf[i];
5344  CHECK(v == 0 || v & 1); /* check parity */
5345  CHECK(v > -(1 << w)); /* check range above */
5346  CHECK(v < (1 << w)); /* check range below */
5347 
5348  secp256k1_scalar_mul(&x, &x, &shift);
5349  if (v >= 0) {
5350  secp256k1_scalar_set_int(&t, v);
5351  } else {
5352  secp256k1_scalar_set_int(&t, -v);
5353  secp256k1_scalar_negate(&t, &t);
5354  }
5355  secp256k1_scalar_add(&x, &x, &t);
5356  }
5357  /* If skew is 1 then add 1 to num */
5358  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5359  CHECK(secp256k1_scalar_eq(&x, &num));
5360 }
5361 
5362 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5363  * rest is 0.*/
5364 static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5365  int i;
5366  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5367  CHECK(wnaf[i] == 0);
5368  }
5369  for (i = 7; i >= 0; --i) {
5370  CHECK(wnaf[i] == wnaf_expected[i]);
5371  }
5372 }
5373 
5374 static void test_fixed_wnaf_small(void) {
5375  int w = 4;
5376  int wnaf[256] = {0};
5377  int i;
5378  int skew;
5379  secp256k1_scalar num;
5380 
5381  secp256k1_scalar_set_int(&num, 0);
5382  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5383  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5384  int v = wnaf[i];
5385  CHECK(v == 0);
5386  }
5387  CHECK(skew == 0);
5388 
5389  secp256k1_scalar_set_int(&num, 1);
5390  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5391  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5392  int v = wnaf[i];
5393  CHECK(v == 0);
5394  }
5395  CHECK(wnaf[0] == 1);
5396  CHECK(skew == 0);
5397 
5398  {
5399  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5400  secp256k1_scalar_set_int(&num, 0xffffffff);
5401  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5402  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5403  CHECK(skew == 0);
5404  }
5405  {
5406  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5407  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5408  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5409  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5410  CHECK(skew == 1);
5411  }
5412  {
5413  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5414  secp256k1_scalar_set_int(&num, 0x01010101);
5415  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5416  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5417  CHECK(skew == 0);
5418  }
5419  {
5420  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5421  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5422  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5423  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5424  CHECK(skew == 0);
5425  }
5426 }
5427 
5428 static void run_wnaf(void) {
5429  int i;
5430  secp256k1_scalar n = {{0}};
5431 
5432  test_constant_wnaf(&n, 4);
5433  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
5434  * have easier-to-diagnose failure modes */
5435  n.d[0] = 1;
5436  test_constant_wnaf(&n, 4);
5437  n.d[0] = 2;
5438  test_constant_wnaf(&n, 4);
5439  /* Test -1, because it's a special case in wnaf_const */
5440  n = secp256k1_scalar_one;
5441  secp256k1_scalar_negate(&n, &n);
5442  test_constant_wnaf(&n, 4);
5443 
5444  /* Test -2, which may not lead to overflows in wnaf_const */
5445  secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
5446  secp256k1_scalar_negate(&n, &n);
5447  test_constant_wnaf(&n, 4);
5448 
5449  /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
5450  as corner cases of negation handling in wnaf_const */
5451  secp256k1_scalar_inverse(&n, &n);
5452  test_constant_wnaf(&n, 4);
5453 
5454  secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
5455  test_constant_wnaf(&n, 4);
5456 
5457  /* Test 0 for fixed wnaf */
5458  test_fixed_wnaf_small();
5459  /* Random tests */
5460  for (i = 0; i < COUNT; i++) {
5461  random_scalar_order(&n);
5462  test_wnaf(&n, 4+(i%10));
5463  test_constant_wnaf_negate(&n);
5464  test_constant_wnaf(&n, 4 + (i % 10));
5465  test_fixed_wnaf(&n, 4 + (i % 10));
5466  }
5467  secp256k1_scalar_set_int(&n, 0);
5468  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5469  CHECK(secp256k1_scalar_is_zero(&n));
5470  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
5471  CHECK(secp256k1_scalar_is_zero(&n));
5472 }
5473 
5474 static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5475  const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5476  *sc = *indata;
5477  *pt = secp256k1_ge_const_g;
5478  CHECK(idx == 0);
5479  return 1;
5480 }
5481 
5482 static void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) {
5483  /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5484  secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5485  secp256k1_ge r;
5486  unsigned char bytes[65];
5487  size_t size = 65;
5488  secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
5489  secp256k1_gej_set_infinity(&infj);
5490  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &rj1, x);
5491  secp256k1_ecmult(&rj2, &gj, x, &secp256k1_scalar_zero);
5492  secp256k1_ecmult(&rj3, &infj, &secp256k1_scalar_zero, x);
5493  secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
5494  secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &secp256k1_scalar_zero, test_ecmult_accumulate_cb, (void*)x, 1);
5495  secp256k1_ecmult_const(&rj6, &secp256k1_ge_const_g, x);
5496  secp256k1_ge_set_gej_var(&r, &rj1);
5497  ge_equals_gej(&r, &rj2);
5498  ge_equals_gej(&r, &rj3);
5499  ge_equals_gej(&r, &rj4);
5500  ge_equals_gej(&r, &rj5);
5501  ge_equals_gej(&r, &rj6);
5502  if (secp256k1_ge_is_infinity(&r)) {
5503  /* Store infinity as 0x00 */
5504  const unsigned char zerobyte[1] = {0};
5505  secp256k1_sha256_write(acc, zerobyte, 1);
5506  } else {
5507  /* Store other points using their uncompressed serialization. */
5508  secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5509  CHECK(size == 65);
5510  secp256k1_sha256_write(acc, bytes, size);
5511  }
5512 }
5513 
5514 static void test_ecmult_constants_2bit(void) {
5515  /* Using test_ecmult_accumulate, test ecmult for:
5516  * - For i in 0..36:
5517  * - Key i
5518  * - Key -i
5519  * - For i in 0..255:
5520  * - For j in 1..255 (only odd values):
5521  * - Key (j*2^i) mod order
5522  */
5523  secp256k1_scalar x;
5524  secp256k1_sha256 acc;
5525  unsigned char b32[32];
5526  int i, j;
5527  secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5528 
5529  /* Expected hash of all the computed points; created with an independent
5530  * implementation. */
5531  static const unsigned char expected32[32] = {
5532  0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5533  0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5534  0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5535  0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5536  };
5537  secp256k1_sha256_initialize(&acc);
5538  for (i = 0; i <= 36; ++i) {
5539  secp256k1_scalar_set_int(&x, i);
5540  test_ecmult_accumulate(&acc, &x, scratch);
5541  secp256k1_scalar_negate(&x, &x);
5542  test_ecmult_accumulate(&acc, &x, scratch);
5543  };
5544  for (i = 0; i < 256; ++i) {
5545  for (j = 1; j < 256; j += 2) {
5546  int k;
5547  secp256k1_scalar_set_int(&x, j);
5548  for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5549  test_ecmult_accumulate(&acc, &x, scratch);
5550  }
5551  }
5552  secp256k1_sha256_finalize(&acc, b32);
5553  CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5554 
5555  secp256k1_scratch_space_destroy(CTX, scratch);
5556 }
5557 
5558 static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5559  /* Using test_ecmult_accumulate, test ecmult for:
5560  * - Key 0
5561  * - Key 1
5562  * - Key -1
5563  * - For i in range(iter):
5564  * - Key SHA256(LE32(prefix) || LE16(i))
5565  */
5566  secp256k1_scalar x;
5567  secp256k1_sha256 acc;
5568  unsigned char b32[32];
5569  unsigned char inp[6];
5570  size_t i;
5571  secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5572 
5573  inp[0] = prefix & 0xFF;
5574  inp[1] = (prefix >> 8) & 0xFF;
5575  inp[2] = (prefix >> 16) & 0xFF;
5576  inp[3] = (prefix >> 24) & 0xFF;
5577  secp256k1_sha256_initialize(&acc);
5578  secp256k1_scalar_set_int(&x, 0);
5579  test_ecmult_accumulate(&acc, &x, scratch);
5580  secp256k1_scalar_set_int(&x, 1);
5581  test_ecmult_accumulate(&acc, &x, scratch);
5582  secp256k1_scalar_negate(&x, &x);
5583  test_ecmult_accumulate(&acc, &x, scratch);
5584 
5585  for (i = 0; i < iter; ++i) {
5586  secp256k1_sha256 gen;
5587  inp[4] = i & 0xff;
5588  inp[5] = (i >> 8) & 0xff;
5589  secp256k1_sha256_initialize(&gen);
5590  secp256k1_sha256_write(&gen, inp, sizeof(inp));
5591  secp256k1_sha256_finalize(&gen, b32);
5592  secp256k1_scalar_set_b32(&x, b32, NULL);
5593  test_ecmult_accumulate(&acc, &x, scratch);
5594  }
5595  secp256k1_sha256_finalize(&acc, b32);
5596  CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5597 
5598  secp256k1_scratch_space_destroy(CTX, scratch);
5599 }
5600 
5601 static void run_ecmult_constants(void) {
5602  /* Expected hashes of all points in the tests below. Computed using an
5603  * independent implementation. */
5604  static const unsigned char expected32_6bit20[32] = {
5605  0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5606  0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5607  0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5608  0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5609  };
5610  static const unsigned char expected32_8bit8[32] = {
5611  0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5612  0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5613  0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5614  0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5615  };
5616  /* For every combination of 6 bit positions out of 256, restricted to
5617  * 20-bit windows (i.e., the first and last bit position are no more than
5618  * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5619  * this test. */
5620  CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5621  test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5622  }
5623 
5624  /* For every combination of 8 consecutive bit positions, all 256 bit
5625  * patterns occur in the input scalars used in this test. */
5626  CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5627  test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5628  }
5629 
5630  CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5631  test_ecmult_constants_2bit();
5632  }
5633 }
5634 
5635 static void test_ecmult_gen_blind(void) {
5636  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5637  secp256k1_scalar key;
5638  secp256k1_scalar b;
5639  unsigned char seed32[32];
5640  secp256k1_gej pgej;
5641  secp256k1_gej pgej2;
5642  secp256k1_gej i;
5643  secp256k1_ge pge;
5644  random_scalar_order_test(&key);
5645  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key);
5646  secp256k1_testrand256(seed32);
5647  b = CTX->ecmult_gen_ctx.blind;
5648  i = CTX->ecmult_gen_ctx.initial;
5649  secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, seed32);
5650  CHECK(!secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind));
5651  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key);
5652  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5653  CHECK(!gej_xyz_equals_gej(&i, &CTX->ecmult_gen_ctx.initial));
5654  secp256k1_ge_set_gej(&pge, &pgej);
5655  ge_equals_gej(&pge, &pgej2);
5656 }
5657 
5658 static void test_ecmult_gen_blind_reset(void) {
5659  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5660  secp256k1_scalar b;
5661  secp256k1_gej initial;
5662  secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0);
5663  b = CTX->ecmult_gen_ctx.blind;
5664  initial = CTX->ecmult_gen_ctx.initial;
5665  secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0);
5666  CHECK(secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind));
5667  CHECK(gej_xyz_equals_gej(&initial, &CTX->ecmult_gen_ctx.initial));
5668 }
5669 
5670 static void run_ecmult_gen_blind(void) {
5671  int i;
5672  test_ecmult_gen_blind_reset();
5673  for (i = 0; i < 10; i++) {
5674  test_ecmult_gen_blind();
5675  }
5676 }
5677 
5678 /***** ENDOMORPHISH TESTS *****/
5679 static void test_scalar_split(const secp256k1_scalar* full) {
5680  secp256k1_scalar s, s1, slam;
5681  const unsigned char zero[32] = {0};
5682  unsigned char tmp[32];
5683 
5684  secp256k1_scalar_split_lambda(&s1, &slam, full);
5685 
5686  /* check slam*lambda + s1 == full */
5687  secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
5688  secp256k1_scalar_add(&s, &s, &s1);
5689  CHECK(secp256k1_scalar_eq(&s, full));
5690 
5691  /* check that both are <= 128 bits in size */
5692  if (secp256k1_scalar_is_high(&s1)) {
5693  secp256k1_scalar_negate(&s1, &s1);
5694  }
5695  if (secp256k1_scalar_is_high(&slam)) {
5696  secp256k1_scalar_negate(&slam, &slam);
5697  }
5698 
5699  secp256k1_scalar_get_b32(tmp, &s1);
5700  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5701  secp256k1_scalar_get_b32(tmp, &slam);
5702  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5703 }
5704 
5705 
5706 static void run_endomorphism_tests(void) {
5707  unsigned i;
5708  static secp256k1_scalar s;
5709  test_scalar_split(&secp256k1_scalar_zero);
5710  test_scalar_split(&secp256k1_scalar_one);
5711  secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
5712  test_scalar_split(&s);
5713  test_scalar_split(&secp256k1_const_lambda);
5714  secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
5715  test_scalar_split(&s);
5716 
5717  for (i = 0; i < 100U * COUNT; ++i) {
5718  secp256k1_scalar full;
5719  random_scalar_order_test(&full);
5720  test_scalar_split(&full);
5721  }
5722  for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5723  test_scalar_split(&scalars_near_split_bounds[i]);
5724  }
5725 }
5726 
5727 static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5728  unsigned char pubkeyc[65];
5729  secp256k1_pubkey pubkey;
5730  secp256k1_ge ge;
5731  size_t pubkeyclen;
5732  int32_t ecount;
5733  ecount = 0;
5734  secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
5735  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5736  /* Smaller sizes are tested exhaustively elsewhere. */
5737  int32_t i;
5738  memcpy(&pubkeyc[1], input, 64);
5739  SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5740  for (i = 0; i < 256; i++) {
5741  /* Try all type bytes. */
5742  int xpass;
5743  int ypass;
5744  int ysign;
5745  pubkeyc[0] = i;
5746  /* What sign does this point have? */
5747  ysign = (input[63] & 1) + 2;
5748  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5749  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5750  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5751  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5752  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5753  if (xpass || ypass) {
5754  /* These cases must parse. */
5755  unsigned char pubkeyo[65];
5756  size_t outl;
5757  memset(&pubkey, 0, sizeof(pubkey));
5758  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5759  ecount = 0;
5760  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
5761  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5762  outl = 65;
5763  SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5764  CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5765  SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5766  CHECK(outl == 33);
5767  CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5768  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5769  if (ypass) {
5770  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5771  CHECK(pubkeyo[0] == ysign);
5772  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5773  memset(&pubkey, 0, sizeof(pubkey));
5774  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5775  secp256k1_pubkey_save(&pubkey, &ge);
5776  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5777  outl = 65;
5778  SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5779  CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5780  SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5781  CHECK(outl == 65);
5782  CHECK(pubkeyo[0] == 4);
5783  CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5784  }
5785  CHECK(ecount == 0);
5786  } else {
5787  /* These cases must fail to parse. */
5788  memset(&pubkey, 0xfe, sizeof(pubkey));
5789  ecount = 0;
5790  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5791  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5792  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5793  CHECK(ecount == 0);
5794  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
5795  CHECK(ecount == 1);
5796  }
5797  }
5798  }
5799  secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
5800 }
5801 
5802 static void run_ec_pubkey_parse_test(void) {
5803 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
5804  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5805  {
5806  /* Point with leading and trailing zeros in x and y serialization. */
5807  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5808  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5809  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5810  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5811  },
5812  {
5813  /* Point with x equal to a 3rd root of unity.*/
5814  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5815  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5816  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5817  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5818  },
5819  {
5820  /* Point with largest x. (1/2) */
5821  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5822  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5823  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5824  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5825  },
5826  {
5827  /* Point with largest x. (2/2) */
5828  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5829  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5830  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5831  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5832  },
5833  {
5834  /* Point with smallest x. (1/2) */
5835  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5836  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5837  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5838  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5839  },
5840  {
5841  /* Point with smallest x. (2/2) */
5842  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5843  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5844  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5845  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5846  },
5847  {
5848  /* Point with largest y. (1/3) */
5849  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5850  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5851  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5852  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5853  },
5854  {
5855  /* Point with largest y. (2/3) */
5856  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5857  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5858  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5859  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5860  },
5861  {
5862  /* Point with largest y. (3/3) */
5863  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5864  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5865  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5866  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5867  },
5868  {
5869  /* Point with smallest y. (1/3) */
5870  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5871  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5872  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5873  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5874  },
5875  {
5876  /* Point with smallest y. (2/3) */
5877  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5878  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5879  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5880  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5881  },
5882  {
5883  /* Point with smallest y. (3/3) */
5884  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5885  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5886  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5887  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5888  }
5889  };
5890 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5891  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5892  {
5893  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5894  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5895  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5896  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5897  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5898  },
5899  {
5900  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5901  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5902  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5903  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5904  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5905  },
5906  {
5907  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5908  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5909  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5910  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5911  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5912  },
5913  {
5914  /* x on curve, y is from y^2 = x^3 + 8. */
5915  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5916  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5917  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5918  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5919  }
5920  };
5921 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5922  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5923  {
5924  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5925  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5926  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5927  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5928  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5929  },
5930  {
5931  /* Valid if x overflow ignored (x = 1 mod p). */
5932  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5933  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5934  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5935  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5936  },
5937  {
5938  /* Valid if x overflow ignored (x = 1 mod p). */
5939  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5940  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5941  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5942  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5943  },
5944  {
5945  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5946  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5947  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5948  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5949  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5950  },
5951  {
5952  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5953  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5954  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5955  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5956  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5957  },
5958  {
5959  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5960  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5961  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5962  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5963  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5964  },
5965  {
5966  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5967  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5968  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5969  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5970  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5971  }
5972  };
5973  const unsigned char pubkeyc[66] = {
5974  /* Serialization of G. */
5975  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5976  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5977  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5978  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5979  0xB8, 0x00
5980  };
5981  unsigned char sout[65];
5982  unsigned char shortkey[2];
5983  secp256k1_ge ge;
5984  secp256k1_pubkey pubkey;
5985  size_t len;
5986  int32_t i;
5987  int32_t ecount;
5988  int32_t ecount2;
5989  ecount = 0;
5990  /* Nothing should be reading this far into pubkeyc. */
5991  SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
5992  secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
5993  /* Zero length claimed, fail, zeroize, no illegal arg error. */
5994  memset(&pubkey, 0xfe, sizeof(pubkey));
5995  ecount = 0;
5996  SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
5997  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5998  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
5999  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6000  CHECK(ecount == 0);
6001  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6002  CHECK(ecount == 1);
6003  /* Length one claimed, fail, zeroize, no illegal arg error. */
6004  for (i = 0; i < 256 ; i++) {
6005  memset(&pubkey, 0xfe, sizeof(pubkey));
6006  ecount = 0;
6007  shortkey[0] = i;
6008  SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
6009  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6010  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
6011  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6012  CHECK(ecount == 0);
6013  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6014  CHECK(ecount == 1);
6015  }
6016  /* Length two claimed, fail, zeroize, no illegal arg error. */
6017  for (i = 0; i < 65536 ; i++) {
6018  memset(&pubkey, 0xfe, sizeof(pubkey));
6019  ecount = 0;
6020  shortkey[0] = i & 255;
6021  shortkey[1] = i >> 8;
6022  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6023  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
6024  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6025  CHECK(ecount == 0);
6026  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6027  CHECK(ecount == 1);
6028  }
6029  memset(&pubkey, 0xfe, sizeof(pubkey));
6030  ecount = 0;
6031  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6032  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
6033  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
6034  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6035  CHECK(ecount == 0);
6036  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6037  CHECK(ecount == 1);
6038  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
6039  CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65) == 0);
6040  CHECK(ecount == 2);
6041  /* NULL input string. Illegal arg and zeroize output. */
6042  memset(&pubkey, 0xfe, sizeof(pubkey));
6043  ecount = 0;
6044  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6045  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65) == 0);
6046  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6047  CHECK(ecount == 1);
6048  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6049  CHECK(ecount == 2);
6050  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
6051  memset(&pubkey, 0xfe, sizeof(pubkey));
6052  ecount = 0;
6053  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6054  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
6055  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6056  CHECK(ecount == 0);
6057  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6058  CHECK(ecount == 1);
6059  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
6060  memset(&pubkey, 0xfe, sizeof(pubkey));
6061  ecount = 0;
6062  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6063  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
6064  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6065  CHECK(ecount == 0);
6066  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6067  CHECK(ecount == 1);
6068  /* Valid parse. */
6069  memset(&pubkey, 0, sizeof(pubkey));
6070  ecount = 0;
6071  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6072  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
6073  CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
6074  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6075  CHECK(ecount == 0);
6076  SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
6077  CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
6078  SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
6079  SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
6080  SECP256K1_CHECKMEM_CHECK(&ge.infinity, sizeof(ge.infinity));
6081  ge_equals_ge(&secp256k1_ge_const_g, &ge);
6082  CHECK(ecount == 0);
6083  /* secp256k1_ec_pubkey_serialize illegal args. */
6084  ecount = 0;
6085  len = 65;
6086  CHECK(secp256k1_ec_pubkey_serialize(CTX, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
6087  CHECK(ecount == 1);
6088  CHECK(len == 0);
6089  CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
6090  CHECK(ecount == 2);
6091  len = 65;
6092  SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
6093  CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
6094  SECP256K1_CHECKMEM_CHECK(sout, 65);
6095  CHECK(ecount == 3);
6096  CHECK(len == 0);
6097  len = 65;
6098  CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0) == 0);
6099  CHECK(ecount == 4);
6100  CHECK(len == 0);
6101  len = 65;
6102  SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
6103  CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
6104  SECP256K1_CHECKMEM_CHECK(sout, 65);
6105  CHECK(ecount == 4);
6106  CHECK(len == 65);
6107  /* Multiple illegal args. Should still set arg error only once. */
6108  ecount = 0;
6109  ecount2 = 11;
6110  CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65) == 0);
6111  CHECK(ecount == 1);
6112  /* Does the illegal arg callback actually change the behavior? */
6113  secp256k1_context_set_illegal_callback(CTX, uncounting_illegal_callback_fn, &ecount2);
6114  CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65) == 0);
6115  CHECK(ecount == 1);
6116  CHECK(ecount2 == 10);
6117  secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6118  /* Try a bunch of prefabbed points with all possible encodings. */
6119  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
6120  ec_pubkey_parse_pointtest(valid[i], 1, 1);
6121  }
6122  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
6123  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
6124  }
6125  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
6126  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
6127  }
6128 }
6129 
6130 static void run_eckey_edge_case_test(void) {
6131  const unsigned char orderc[32] = {
6132  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6133  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6134  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6135  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
6136  };
6137  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6138  unsigned char ctmp[33];
6139  unsigned char ctmp2[33];
6140  secp256k1_pubkey pubkey;
6141  secp256k1_pubkey pubkey2;
6142  secp256k1_pubkey pubkey_one;
6143  secp256k1_pubkey pubkey_negone;
6144  const secp256k1_pubkey *pubkeys[3];
6145  size_t len;
6146  int32_t ecount;
6147  /* Group order is too large, reject. */
6148  CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6149  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6150  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6151  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6152  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6153  /* Maximum value is too large, reject. */
6154  memset(ctmp, 255, 32);
6155  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6156  memset(&pubkey, 1, sizeof(pubkey));
6157  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6158  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6159  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6160  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6161  /* Zero is too small, reject. */
6162  memset(ctmp, 0, 32);
6163  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6164  memset(&pubkey, 1, sizeof(pubkey));
6165  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6166  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6167  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6168  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6169  /* One must be accepted. */
6170  ctmp[31] = 0x01;
6171  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6172  memset(&pubkey, 0, sizeof(pubkey));
6173  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6174  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6175  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6176  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6177  pubkey_one = pubkey;
6178  /* Group order + 1 is too large, reject. */
6179  memcpy(ctmp, orderc, 32);
6180  ctmp[31] = 0x42;
6181  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6182  memset(&pubkey, 1, sizeof(pubkey));
6183  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6184  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6185  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6186  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6187  /* -1 must be accepted. */
6188  ctmp[31] = 0x40;
6189  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6190  memset(&pubkey, 0, sizeof(pubkey));
6191  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6192  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6193  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6194  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6195  pubkey_negone = pubkey;
6196  /* Tweak of zero leaves the value unchanged. */
6197  memset(ctmp2, 0, 32);
6198  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6199  CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6200  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6201  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6202  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6203  /* Multiply tweak of zero zeroizes the output. */
6204  CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6205  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6206  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6207  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6208  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6209  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6210  seckey, the seckey is zeroized. */
6211  memcpy(ctmp, orderc, 32);
6212  memset(ctmp2, 0, 32);
6213  ctmp2[31] = 0x01;
6214  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6215  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6216  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6217  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6218  memcpy(ctmp, orderc, 32);
6219  CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6220  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6221  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6222  tweak, the seckey is zeroized. */
6223  memcpy(ctmp, orderc, 32);
6224  ctmp[31] = 0x40;
6225  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6226  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6227  memcpy(ctmp, orderc, 32);
6228  ctmp[31] = 0x40;
6229  CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6230  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6231  memcpy(ctmp, orderc, 32);
6232  ctmp[31] = 0x40;
6233  /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6234  tweak, the pubkey is zeroized. */
6235  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6236  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6237  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6238  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6239  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6240  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6241  /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6242  * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6243  * case the pubkey is zeroized. */
6244  memcpy(ctmp, orderc, 32);
6245  ctmp[31] = 0x40;
6246  memset(ctmp2, 0, 32);
6247  ctmp2[31] = 1;
6248  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6249  CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6250  ctmp2[31] = 1;
6251  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6252  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6253  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6254  /* Tweak computation wraps and results in a key of 1. */
6255  ctmp2[31] = 2;
6256  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6257  CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6258  ctmp2[31] = 2;
6259  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6260  ctmp2[31] = 1;
6261  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6262  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6263  /* Tweak mul * 2 = 1+1. */
6264  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6265  ctmp2[31] = 2;
6266  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6267  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6268  /* Test argument errors. */
6269  ecount = 0;
6270  secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
6271  CHECK(ecount == 0);
6272  /* Zeroize pubkey on parse error. */
6273  memset(&pubkey, 0, 32);
6274  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6275  CHECK(ecount == 1);
6276  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6277  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6278  memset(&pubkey2, 0, 32);
6279  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 0);
6280  CHECK(ecount == 2);
6281  CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6282  /* Plain argument errors. */
6283  ecount = 0;
6284  CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6285  CHECK(ecount == 0);
6286  CHECK(secp256k1_ec_seckey_verify(CTX, NULL) == 0);
6287  CHECK(ecount == 1);
6288  ecount = 0;
6289  memset(ctmp2, 0, 32);
6290  ctmp2[31] = 4;
6291  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, NULL, ctmp2) == 0);
6292  CHECK(ecount == 1);
6293  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, NULL) == 0);
6294  CHECK(ecount == 2);
6295  ecount = 0;
6296  memset(ctmp2, 0, 32);
6297  ctmp2[31] = 4;
6298  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, NULL, ctmp2) == 0);
6299  CHECK(ecount == 1);
6300  CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, NULL) == 0);
6301  CHECK(ecount == 2);
6302  ecount = 0;
6303  memset(ctmp2, 0, 32);
6304  CHECK(secp256k1_ec_seckey_tweak_add(CTX, NULL, ctmp2) == 0);
6305  CHECK(ecount == 1);
6306  CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, NULL) == 0);
6307  CHECK(ecount == 2);
6308  ecount = 0;
6309  memset(ctmp2, 0, 32);
6310  ctmp2[31] = 1;
6311  CHECK(secp256k1_ec_seckey_tweak_mul(CTX, NULL, ctmp2) == 0);
6312  CHECK(ecount == 1);
6313  CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, NULL) == 0);
6314  CHECK(ecount == 2);
6315  ecount = 0;
6316  CHECK(secp256k1_ec_pubkey_create(CTX, NULL, ctmp) == 0);
6317  CHECK(ecount == 1);
6318  memset(&pubkey, 1, sizeof(pubkey));
6319  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, NULL) == 0);
6320  CHECK(ecount == 2);
6321  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6322  /* secp256k1_ec_pubkey_combine tests. */
6323  ecount = 0;
6324  pubkeys[0] = &pubkey_one;
6325  SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6326  SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6327  SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6328  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6329  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6330  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0) == 0);
6331  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6332  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6333  CHECK(ecount == 1);
6334  CHECK(secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1) == 0);
6335  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6336  CHECK(ecount == 2);
6337  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6338  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6339  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1) == 0);
6340  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6341  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6342  CHECK(ecount == 3);
6343  pubkeys[0] = &pubkey_negone;
6344  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6345  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6346  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6347  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6348  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6349  CHECK(ecount == 3);
6350  len = 33;
6351  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6352  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6353  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6354  /* Result is infinity. */
6355  pubkeys[0] = &pubkey_one;
6356  pubkeys[1] = &pubkey_negone;
6357  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6358  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6359  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6360  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6361  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6362  CHECK(ecount == 3);
6363  /* Passes through infinity but comes out one. */
6364  pubkeys[2] = &pubkey_one;
6365  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6366  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6367  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6368  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6369  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6370  CHECK(ecount == 3);
6371  len = 33;
6372  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6373  CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6374  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6375  /* Adds to two. */
6376  pubkeys[1] = &pubkey_one;
6377  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6378  SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6379  CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6380  SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6381  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6382  CHECK(ecount == 3);
6383  secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6384 }
6385 
6386 static void run_eckey_negate_test(void) {
6387  unsigned char seckey[32];
6388  unsigned char seckey_tmp[32];
6389 
6390  random_scalar_order_b32(seckey);
6391  memcpy(seckey_tmp, seckey, 32);
6392 
6393  /* Verify negation changes the key and changes it back */
6394  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6395  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6396  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6397  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6398 
6399  /* Check that privkey alias gives same result */
6400  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6401  CHECK(secp256k1_ec_privkey_negate(CTX, seckey_tmp) == 1);
6402  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6403 
6404  /* Negating all 0s fails */
6405  memset(seckey, 0, 32);
6406  memset(seckey_tmp, 0, 32);
6407  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6408  /* Check that seckey is not modified */
6409  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6410 
6411  /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6412  * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6413  * doesn't just set seckey to a constant value in case of failure. */
6414  random_scalar_order_b32(seckey);
6415  memset(seckey, 0xFF, 16);
6416  memset(seckey_tmp, 0, 32);
6417  CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6418  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6419 }
6420 
6421 static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6422  secp256k1_scalar nonce;
6423  do {
6424  random_scalar_order_test(&nonce);
6425  } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6426 }
6427 
6428 static void test_ecdsa_sign_verify(void) {
6429  secp256k1_gej pubj;
6430  secp256k1_ge pub;
6431  secp256k1_scalar one;
6432  secp256k1_scalar msg, key;
6433  secp256k1_scalar sigr, sigs;
6434  int getrec;
6435  int recid;
6436  random_scalar_order_test(&msg);
6437  random_scalar_order_test(&key);
6438  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key);
6439  secp256k1_ge_set_gej(&pub, &pubj);
6440  getrec = secp256k1_testrand_bits(1);
6441  /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6442  See the commit messages of the commit that introduced this comment for details. */
6443  if (getrec) {
6444  random_sign(&sigr, &sigs, &key, &msg, &recid);
6445  CHECK(recid >= 0 && recid < 4);
6446  } else {
6447  random_sign(&sigr, &sigs, &key, &msg, NULL);
6448  }
6449  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6450  secp256k1_scalar_set_int(&one, 1);
6451  secp256k1_scalar_add(&msg, &msg, &one);
6452  CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6453 }
6454 
6455 static void run_ecdsa_sign_verify(void) {
6456  int i;
6457  for (i = 0; i < 10*COUNT; i++) {
6458  test_ecdsa_sign_verify();
6459  }
6460 }
6461 
6463 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6464  (void)msg32;
6465  (void)key32;
6466  (void)algo16;
6467  memcpy(nonce32, data, 32);
6468  return (counter == 0);
6469 }
6470 
6471 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6472  /* Dummy nonce generator that has a fatal error on the first counter value. */
6473  if (counter == 0) {
6474  return 0;
6475  }
6476  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6477 }
6478 
6479 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6480  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6481  if (counter < 3) {
6482  memset(nonce32, counter==0 ? 0 : 255, 32);
6483  if (counter == 2) {
6484  nonce32[31]--;
6485  }
6486  return 1;
6487  }
6488  if (counter < 5) {
6489  static const unsigned char order[] = {
6490  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6491  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6492  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6493  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
6494  };
6495  memcpy(nonce32, order, 32);
6496  if (counter == 4) {
6497  nonce32[31]++;
6498  }
6499  return 1;
6500  }
6501  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6502  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6503  if (counter > 5) {
6504  return 0;
6505  }
6506  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6507 }
6508 
6509 static int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
6510  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6511  return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6512 }
6513 
6514 static void test_ecdsa_end_to_end(void) {
6515  unsigned char extra[32] = {0x00};
6516  unsigned char privkey[32];
6517  unsigned char message[32];
6518  unsigned char privkey2[32];
6519  secp256k1_ecdsa_signature signature[6];
6520  secp256k1_scalar r, s;
6521  unsigned char sig[74];
6522  size_t siglen = 74;
6523  unsigned char pubkeyc[65];
6524  size_t pubkeyclen = 65;
6525  secp256k1_pubkey pubkey;
6526  secp256k1_pubkey pubkey_tmp;
6527  unsigned char seckey[300];
6528  size_t seckeylen = 300;
6529 
6530  /* Generate a random key and message. */
6531  {
6532  secp256k1_scalar msg, key;
6533  random_scalar_order_test(&msg);
6534  random_scalar_order_test(&key);
6535  secp256k1_scalar_get_b32(privkey, &key);
6536  secp256k1_scalar_get_b32(message, &msg);
6537  }
6538 
6539  /* Construct and verify corresponding public key. */
6540  CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
6541  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
6542 
6543  /* Verify exporting and importing public key. */
6544  CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
6545  memset(&pubkey, 0, sizeof(pubkey));
6546  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
6547 
6548  /* Verify negation changes the key and changes it back */
6549  memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6550  CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6551  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6552  CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6553  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6554 
6555  /* Verify private key import and export. */
6556  CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
6557  CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
6558  CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6559 
6560  /* Optionally tweak the keys using addition. */
6561  if (secp256k1_testrand_int(3) == 0) {
6562  int ret1;
6563  int ret2;
6564  int ret3;
6565  unsigned char rnd[32];
6566  unsigned char privkey_tmp[32];
6567  secp256k1_pubkey pubkey2;
6568  secp256k1_testrand256_test(rnd);
6569  memcpy(privkey_tmp, privkey, 32);
6570  ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
6571  ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
6572  /* Check that privkey alias gives same result */
6573  ret3 = secp256k1_ec_privkey_tweak_add(CTX, privkey_tmp, rnd);
6574  CHECK(ret1 == ret2);
6575  CHECK(ret2 == ret3);
6576  if (ret1 == 0) {
6577  return;
6578  }
6579  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6580  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6581  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6582  }
6583 
6584  /* Optionally tweak the keys using multiplication. */
6585  if (secp256k1_testrand_int(3) == 0) {
6586  int ret1;
6587  int ret2;
6588  int ret3;
6589  unsigned char rnd[32];
6590  unsigned char privkey_tmp[32];
6591  secp256k1_pubkey pubkey2;
6592  secp256k1_testrand256_test(rnd);
6593  memcpy(privkey_tmp, privkey, 32);
6594  ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
6595  ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
6596  /* Check that privkey alias gives same result */
6597  ret3 = secp256k1_ec_privkey_tweak_mul(CTX, privkey_tmp, rnd);
6598  CHECK(ret1 == ret2);
6599  CHECK(ret2 == ret3);
6600  if (ret1 == 0) {
6601  return;
6602  }
6603  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6604  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6605  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6606  }
6607 
6608  /* Sign. */
6609  CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
6610  CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
6611  CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
6612  extra[31] = 1;
6613  CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
6614  extra[31] = 0;
6615  extra[0] = 1;
6616  CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
6617  CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6618  CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6619  CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6620  CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6621  CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6622  CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6623  CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6624  /* Verify. */
6625  CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6626  CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
6627  CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
6628  CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
6629  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6630  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
6631  secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
6632  secp256k1_scalar_negate(&s, &s);
6633  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6634  CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
6635  CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6636  CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6637  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6638  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6639  CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6640  secp256k1_scalar_negate(&s, &s);
6641  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6642  CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6643  CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6644  CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6645 
6646  /* Serialize/parse DER and verify again */
6647  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6648  memset(&signature[0], 0, sizeof(signature[0]));
6649  CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
6650  CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6651  /* Serialize/destroy/parse DER and verify again. */
6652  siglen = 74;
6653  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6654  sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
6655  CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
6656  secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
6657 }
6658 
6659 static void test_random_pubkeys(void) {
6660  secp256k1_ge elem;
6661  secp256k1_ge elem2;
6662  unsigned char in[65];
6663  /* Generate some randomly sized pubkeys. */
6664  size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
6665  if (secp256k1_testrand_bits(2) == 0) {
6666  len = secp256k1_testrand_bits(6);
6667  }
6668  if (len == 65) {
6669  in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
6670  } else {
6671  in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
6672  }
6673  if (secp256k1_testrand_bits(3) == 0) {
6674  in[0] = secp256k1_testrand_bits(8);
6675  }
6676  if (len > 1) {
6677  secp256k1_testrand256(&in[1]);
6678  }
6679  if (len > 33) {
6680  secp256k1_testrand256(&in[33]);
6681  }
6682  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6683  unsigned char out[65];
6684  unsigned char firstb;
6685  int res;
6686  size_t size = len;
6687  firstb = in[0];
6688  /* If the pubkey can be parsed, it should round-trip... */
6689  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6690  CHECK(size == len);
6691  CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6692  /* ... except for the type of hybrid inputs. */
6693  if ((in[0] != 6) && (in[0] != 7)) {
6694  CHECK(in[0] == out[0]);
6695  }
6696  size = 65;
6697  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6698  CHECK(size == 65);
6699  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6700  ge_equals_ge(&elem,&elem2);
6701  /* Check that the X9.62 hybrid type is checked. */
6702  in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
6703  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6704  if (firstb == 2 || firstb == 3) {
6705  if (in[0] == firstb + 4) {
6706  CHECK(res);
6707  } else {
6708  CHECK(!res);
6709  }
6710  }
6711  if (res) {
6712  ge_equals_ge(&elem,&elem2);
6713  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6714  CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6715  }
6716  }
6717 }
6718 
6719 static void run_pubkey_comparison(void) {
6720  unsigned char pk1_ser[33] = {
6721  0x02,
6722  0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6723  0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6724  };
6725  const unsigned char pk2_ser[33] = {
6726  0x02,
6727  0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6728  0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6729  };
6730  secp256k1_pubkey pk1;
6731  secp256k1_pubkey pk2;
6732  int32_t ecount = 0;
6733 
6734  CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6735  CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6736 
6737  secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
6738  CHECK(secp256k1_ec_pubkey_cmp(CTX, NULL, &pk2) < 0);
6739  CHECK(ecount == 1);
6740  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, NULL) > 0);
6741  CHECK(ecount == 2);
6742  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6743  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6744  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
6745  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
6746  CHECK(ecount == 2);
6747  {
6748  secp256k1_pubkey pk_tmp;
6749  memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6750  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk2) < 0);
6751  CHECK(ecount == 3);
6752  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
6753  CHECK(ecount == 5);
6754  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk_tmp) > 0);
6755  CHECK(ecount == 6);
6756  }
6757 
6758  secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6759 
6760  /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6761  * an uncompressed encoding, these would have the opposite ordering */
6762  pk1_ser[0] = 3;
6763  CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6764  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6765  CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6766 }
6767 
6768 static void run_random_pubkeys(void) {
6769  int i;
6770  for (i = 0; i < 10*COUNT; i++) {
6771  test_random_pubkeys();
6772  }
6773 }
6774 
6775 static void run_ecdsa_end_to_end(void) {
6776  int i;
6777  for (i = 0; i < 64*COUNT; i++) {
6778  test_ecdsa_end_to_end();
6779  }
6780 }
6781 
6782 static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6783  static const unsigned char zeroes[32] = {0};
6784 
6785  int ret = 0;
6786 
6787  secp256k1_ecdsa_signature sig_der;
6788  unsigned char roundtrip_der[2048];
6789  unsigned char compact_der[64];
6790  size_t len_der = 2048;
6791  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6792 
6793  secp256k1_ecdsa_signature sig_der_lax;
6794  unsigned char roundtrip_der_lax[2048];
6795  unsigned char compact_der_lax[64];
6796  size_t len_der_lax = 2048;
6797  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6798 
6799  parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
6800  if (parsed_der) {
6801  ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
6802  valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6803  }
6804  if (valid_der) {
6805  ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
6806  roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6807  }
6808 
6809  parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
6810  if (parsed_der_lax) {
6811  ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
6812  valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6813  }
6814  if (valid_der_lax) {
6815  ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6816  roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6817  }
6818 
6819  if (certainly_der) {
6820  ret |= (!parsed_der) << 2;
6821  }
6822  if (certainly_not_der) {
6823  ret |= (parsed_der) << 17;
6824  }
6825  if (valid_der) {
6826  ret |= (!roundtrips_der) << 3;
6827  }
6828 
6829  if (valid_der) {
6830  ret |= (!roundtrips_der_lax) << 12;
6831  ret |= (len_der != len_der_lax) << 13;
6832  ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6833  }
6834  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6835  if (parsed_der) {
6836  ret |= (!parsed_der_lax) << 16;
6837  }
6838 
6839  return ret;
6840 }
6841 
6842 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6843  size_t i;
6844  for (i = 0; i < ptrlen; i++) {
6845  int shift = ptrlen - 1 - i;
6846  if (shift >= 4) {
6847  ptr[i] = 0;
6848  } else {
6849  ptr[i] = (val >> shift) & 0xFF;
6850  }
6851  }
6852 }
6853 
6854 static void damage_array(unsigned char *sig, size_t *len) {
6855  int pos;
6856  int action = secp256k1_testrand_bits(3);
6857  if (action < 1 && *len > 3) {
6858  /* Delete a byte. */
6859  pos = secp256k1_testrand_int(*len);
6860  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6861  (*len)--;
6862  return;
6863  } else if (action < 2 && *len < 2048) {
6864  /* Insert a byte. */
6865  pos = secp256k1_testrand_int(1 + *len);
6866  memmove(sig + pos + 1, sig + pos, *len - pos);
6867  sig[pos] = secp256k1_testrand_bits(8);
6868  (*len)++;
6869  return;
6870  } else if (action < 4) {
6871  /* Modify a byte. */
6872  sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
6873  return;
6874  } else { /* action < 8 */
6875  /* Modify a bit. */
6876  sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
6877  return;
6878  }
6879 }
6880 
6881 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6882  int der;
6883  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6884  size_t tlen, elen, glen;
6885  int indet;
6886  int n;
6887 
6888  *len = 0;
6889  der = secp256k1_testrand_bits(2) == 0;
6890  *certainly_der = der;
6891  *certainly_not_der = 0;
6892  indet = der ? 0 : secp256k1_testrand_int(10) == 0;
6893 
6894  for (n = 0; n < 2; n++) {
6895  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6896  nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
6897  /* The length of the number in bytes (the first byte of which will always be nonzero) */
6898  nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
6899  CHECK(nlen[n] <= 232);
6900  /* The top bit of the number. */
6901  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
6902  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6903  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
6904  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6905  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
6906  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6907  *certainly_not_der = 1;
6908  }
6909  CHECK(nlen[n] + nzlen[n] <= 300);
6910  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6911  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6912  if (!der) {
6913  /* nlenlen[n] max 127 bytes */
6914  int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6915  nlenlen[n] += add;
6916  if (add != 0) {
6917  *certainly_not_der = 1;
6918  }
6919  }
6920  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6921  }
6922 
6923  /* The total length of the data to go, so far */
6924  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6925  CHECK(tlen <= 856);
6926 
6927  /* The length of the garbage inside the tuple. */
6928  elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
6929  if (elen != 0) {
6930  *certainly_not_der = 1;
6931  }
6932  tlen += elen;
6933  CHECK(tlen <= 980);
6934 
6935  /* The length of the garbage after the end of the tuple. */
6936  glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
6937  if (glen != 0) {
6938  *certainly_not_der = 1;
6939  }
6940  CHECK(tlen + glen <= 990);
6941 
6942  /* Write the tuple header. */
6943  sig[(*len)++] = 0x30;
6944  if (indet) {
6945  /* Indeterminate length */
6946  sig[(*len)++] = 0x80;
6947  *certainly_not_der = 1;
6948  } else {
6949  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6950  if (!der) {
6951  int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6952  tlenlen += add;
6953  if (add != 0) {
6954  *certainly_not_der = 1;
6955  }
6956  }
6957  if (tlenlen == 0) {
6958  /* Short length notation */
6959  sig[(*len)++] = tlen;
6960  } else {
6961  /* Long length notation */
6962  sig[(*len)++] = 128 + tlenlen;
6963  assign_big_endian(sig + *len, tlenlen, tlen);
6964  *len += tlenlen;
6965  }
6966  tlen += tlenlen;
6967  }
6968  tlen += 2;
6969  CHECK(tlen + glen <= 1119);
6970 
6971  for (n = 0; n < 2; n++) {
6972  /* Write the integer header. */
6973  sig[(*len)++] = 0x02;
6974  if (nlenlen[n] == 0) {
6975  /* Short length notation */
6976  sig[(*len)++] = nlen[n] + nzlen[n];
6977  } else {
6978  /* Long length notation. */
6979  sig[(*len)++] = 128 + nlenlen[n];
6980  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6981  *len += nlenlen[n];
6982  }
6983  /* Write zero padding */
6984  while (nzlen[n] > 0) {
6985  sig[(*len)++] = 0x00;
6986  nzlen[n]--;
6987  }
6988  if (nlen[n] == 32 && !nlow[n]) {
6989  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6990  int i;
6991  for (i = 0; i < 16; i++) {
6992  sig[(*len)++] = 0xFF;
6993  }
6994  nlen[n] -= 16;
6995  }
6996  /* Write first byte of number */
6997  if (nlen[n] > 0) {
6998  sig[(*len)++] = nhbyte[n];
6999  nlen[n]--;
7000  }
7001  /* Generate remaining random bytes of number */
7002  secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
7003  *len += nlen[n];
7004  nlen[n] = 0;
7005  }
7006 
7007  /* Generate random garbage inside tuple. */
7008  secp256k1_testrand_bytes_test(sig + *len, elen);
7009  *len += elen;
7010 
7011  /* Generate end-of-contents bytes. */
7012  if (indet) {
7013  sig[(*len)++] = 0;
7014  sig[(*len)++] = 0;
7015  tlen += 2;
7016  }
7017  CHECK(tlen + glen <= 1121);
7018 
7019  /* Generate random garbage outside tuple. */
7020  secp256k1_testrand_bytes_test(sig + *len, glen);
7021  *len += glen;
7022  tlen += glen;
7023  CHECK(tlen <= 1121);
7024  CHECK(tlen == *len);
7025 }
7026 
7027 static void run_ecdsa_der_parse(void) {
7028  int i,j;
7029  for (i = 0; i < 200 * COUNT; i++) {
7030  unsigned char buffer[2048];
7031  size_t buflen = 0;
7032  int certainly_der = 0;
7033  int certainly_not_der = 0;
7034  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
7035  CHECK(buflen <= 2048);
7036  for (j = 0; j < 16; j++) {
7037  int ret = 0;
7038  if (j > 0) {
7039  damage_array(buffer, &buflen);
7040  /* We don't know anything anymore about the DERness of the result */
7041  certainly_der = 0;
7042  certainly_not_der = 0;
7043  }
7044  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
7045  if (ret != 0) {
7046  size_t k;
7047  fprintf(stderr, "Failure %x on ", ret);
7048  for (k = 0; k < buflen; k++) {
7049  fprintf(stderr, "%02x ", buffer[k]);
7050  }
7051  fprintf(stderr, "\n");
7052  }
7053  CHECK(ret == 0);
7054  }
7055  }
7056 }
7057 
7058 /* Tests several edge cases. */
7059 static void test_ecdsa_edge_cases(void) {
7060  int t;
7061  secp256k1_ecdsa_signature sig;
7062 
7063  /* Test the case where ECDSA recomputes a point that is infinity. */
7064  {
7065  secp256k1_gej keyj;
7066  secp256k1_ge key;
7067  secp256k1_scalar msg;
7068  secp256k1_scalar sr, ss;
7069  secp256k1_scalar_set_int(&ss, 1);
7070  secp256k1_scalar_negate(&ss, &ss);
7071  secp256k1_scalar_inverse(&ss, &ss);
7072  secp256k1_scalar_set_int(&sr, 1);
7073  secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &keyj, &sr);
7074  secp256k1_ge_set_gej(&key, &keyj);
7075  msg = ss;
7076  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7077  }
7078 
7079  /* Verify signature with r of zero fails. */
7080  {
7081  const unsigned char pubkey_mods_zero[33] = {
7082  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7083  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7084  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7085  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7086  0x41
7087  };
7088  secp256k1_ge key;
7089  secp256k1_scalar msg;
7090  secp256k1_scalar sr, ss;
7091  secp256k1_scalar_set_int(&ss, 1);
7092  secp256k1_scalar_set_int(&msg, 0);
7093  secp256k1_scalar_set_int(&sr, 0);
7094  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
7095  CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
7096  }
7097 
7098  /* Verify signature with s of zero fails. */
7099  {
7100  const unsigned char pubkey[33] = {
7101  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7102  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7103  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7104  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7105  0x01
7106  };
7107  secp256k1_ge key;
7108  secp256k1_scalar msg;
7109  secp256k1_scalar sr, ss;
7110  secp256k1_scalar_set_int(&ss, 0);
7111  secp256k1_scalar_set_int(&msg, 0);
7112  secp256k1_scalar_set_int(&sr, 1);
7113  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7114  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7115  }
7116 
7117  /* Verify signature with message 0 passes. */
7118  {
7119  const unsigned char pubkey[33] = {
7120  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7121  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7122  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7123  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7124  0x02
7125  };
7126  const unsigned char pubkey2[33] = {
7127  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7128  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7129  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7130  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7131  0x43
7132  };
7133  secp256k1_ge key;
7134  secp256k1_ge key2;
7135  secp256k1_scalar msg;
7136  secp256k1_scalar sr, ss;
7137  secp256k1_scalar_set_int(&ss, 2);
7138  secp256k1_scalar_set_int(&msg, 0);
7139  secp256k1_scalar_set_int(&sr, 2);
7140  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7141  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7142  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7143  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7144  secp256k1_scalar_negate(&ss, &ss);
7145  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7146  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7147  secp256k1_scalar_set_int(&ss, 1);
7148  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7149  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7150  }
7151 
7152  /* Verify signature with message 1 passes. */
7153  {
7154  const unsigned char pubkey[33] = {
7155  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
7156  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
7157  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
7158  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
7159  0x25
7160  };
7161  const unsigned char pubkey2[33] = {
7162  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
7163  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
7164  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
7165  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
7166  0x62
7167  };
7168  const unsigned char csr[32] = {
7169  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7170  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7171  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7172  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
7173  };
7174  secp256k1_ge key;
7175  secp256k1_ge key2;
7176  secp256k1_scalar msg;
7177  secp256k1_scalar sr, ss;
7178  secp256k1_scalar_set_int(&ss, 1);
7179  secp256k1_scalar_set_int(&msg, 1);
7180  secp256k1_scalar_set_b32(&sr, csr, NULL);
7181  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7182  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7183  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7184  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7185  secp256k1_scalar_negate(&ss, &ss);
7186  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7187  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7188  secp256k1_scalar_set_int(&ss, 2);
7189  secp256k1_scalar_inverse_var(&ss, &ss);
7190  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7191  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7192  }
7193 
7194  /* Verify signature with message -1 passes. */
7195  {
7196  const unsigned char pubkey[33] = {
7197  0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
7198  0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
7199  0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
7200  0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
7201  0xf1
7202  };
7203  const unsigned char csr[32] = {
7204  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7205  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7206  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7207  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
7208  };
7209  secp256k1_ge key;
7210  secp256k1_scalar msg;
7211  secp256k1_scalar sr, ss;
7212  secp256k1_scalar_set_int(&ss, 1);
7213  secp256k1_scalar_set_int(&msg, 1);
7214  secp256k1_scalar_negate(&msg, &msg);
7215  secp256k1_scalar_set_b32(&sr, csr, NULL);
7216  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7217  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7218  secp256k1_scalar_negate(&ss, &ss);
7219  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7220  secp256k1_scalar_set_int(&ss, 3);
7221  secp256k1_scalar_inverse_var(&ss, &ss);
7222  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7223  }
7224 
7225  /* Signature where s would be zero. */
7226  {
7227  secp256k1_pubkey pubkey;
7228  size_t siglen;
7229  int32_t ecount;
7230  unsigned char signature[72];
7231  static const unsigned char nonce[32] = {
7232  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7233  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7234  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7235  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7236  };
7237  static const unsigned char nonce2[32] = {
7238  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
7239  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
7240  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
7241  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
7242  };
7243  const unsigned char key[32] = {
7244  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7245  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7246  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7247  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7248  };
7249  unsigned char msg[32] = {
7250  0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
7251  0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
7252  0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
7253  0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
7254  };
7255  ecount = 0;
7256  secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
7257  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
7258  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
7259  msg[31] = 0xaa;
7260  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
7261  CHECK(ecount == 0);
7262  CHECK(secp256k1_ecdsa_sign(CTX, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
7263  CHECK(ecount == 1);
7264  CHECK(secp256k1_ecdsa_sign(CTX, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
7265  CHECK(ecount == 2);
7266  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
7267  CHECK(ecount == 3);
7268  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
7269  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
7270  CHECK(secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey) == 0);
7271  CHECK(ecount == 4);
7272  CHECK(secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey) == 0);
7273  CHECK(ecount == 5);
7274  CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, NULL) == 0);
7275  CHECK(ecount == 6);
7276  CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
7277  CHECK(ecount == 6);
7278  CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, NULL) == 0);
7279  CHECK(ecount == 7);
7280  /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7281  CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 0);
7282  CHECK(ecount == 8);
7283  siglen = 72;
7284  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, NULL, &siglen, &sig) == 0);
7285  CHECK(ecount == 9);
7286  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, NULL, &sig) == 0);
7287  CHECK(ecount == 10);
7288  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL) == 0);
7289  CHECK(ecount == 11);
7290  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
7291  CHECK(ecount == 11);
7292  CHECK(secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen) == 0);
7293  CHECK(ecount == 12);
7294  CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, NULL, siglen) == 0);
7295  CHECK(ecount == 13);
7296  CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
7297  CHECK(ecount == 13);
7298  siglen = 10;
7299  /* Too little room for a signature does not fail via ARGCHECK. */
7300  CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
7301  CHECK(ecount == 13);
7302  ecount = 0;
7303  CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, NULL) == 0);
7304  CHECK(ecount == 1);
7305  CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, NULL, &sig) == 0);
7306  CHECK(ecount == 2);
7307  CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, NULL) == 0);
7308  CHECK(ecount == 3);
7309  CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, &sig) == 1);
7310  CHECK(ecount == 3);
7311  CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, NULL, signature) == 0);
7312  CHECK(ecount == 4);
7313  CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, NULL) == 0);
7314  CHECK(ecount == 5);
7315  CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1);
7316  CHECK(ecount == 5);
7317  memset(signature, 255, 64);
7318  CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0);
7319  CHECK(ecount == 5);
7320  secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
7321  }
7322 
7323  /* Nonce function corner cases. */
7324  for (t = 0; t < 2; t++) {
7325  static const unsigned char zero[32] = {0x00};
7326  int i;
7327  unsigned char key[32];
7328  unsigned char msg[32];
7329  secp256k1_ecdsa_signature sig2;
7330  secp256k1_scalar sr[512], ss;
7331  const unsigned char *extra;
7332  extra = t == 0 ? NULL : zero;
7333  memset(msg, 0, 32);
7334  msg[31] = 1;
7335  /* High key results in signature failure. */
7336  memset(key, 0xFF, 32);
7337  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7338  CHECK(is_empty_signature(&sig));
7339  /* Zero key results in signature failure. */
7340  memset(key, 0, 32);
7341  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7342  CHECK(is_empty_signature(&sig));
7343  /* Nonce function failure results in signature failure. */
7344  key[31] = 1;
7345  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7346  CHECK(is_empty_signature(&sig));
7347  /* The retry loop successfully makes its way to the first good value. */
7348  CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7349  CHECK(!is_empty_signature(&sig));
7350  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7351  CHECK(!is_empty_signature(&sig2));
7352  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7353  /* The default nonce function is deterministic. */
7354  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7355  CHECK(!is_empty_signature(&sig2));
7356  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7357  /* The default nonce function changes output with different messages. */
7358  for(i = 0; i < 256; i++) {
7359  int j;
7360  msg[0] = i;
7361  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7362  CHECK(!is_empty_signature(&sig2));
7363  secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7364  for (j = 0; j < i; j++) {
7365  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7366  }
7367  }
7368  msg[0] = 0;
7369  msg[31] = 2;
7370  /* The default nonce function changes output with different keys. */
7371  for(i = 256; i < 512; i++) {
7372  int j;
7373  key[0] = i - 256;
7374  CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7375  CHECK(!is_empty_signature(&sig2));
7376  secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7377  for (j = 0; j < i; j++) {
7378  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7379  }
7380  }
7381  key[0] = 0;
7382  }
7383 
7384  {
7385  /* Check that optional nonce arguments do not have equivalent effect. */
7386  const unsigned char zeros[32] = {0};
7387  unsigned char nonce[32];
7388  unsigned char nonce2[32];
7389  unsigned char nonce3[32];
7390  unsigned char nonce4[32];
7391  SECP256K1_CHECKMEM_UNDEFINE(nonce,32);
7392  SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
7393  SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
7394  SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
7395  CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7396  SECP256K1_CHECKMEM_CHECK(nonce,32);
7397  CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7398  SECP256K1_CHECKMEM_CHECK(nonce2,32);
7399  CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7400  SECP256K1_CHECKMEM_CHECK(nonce3,32);
7401  CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7402  SECP256K1_CHECKMEM_CHECK(nonce4,32);
7403  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7404  CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7405  CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7406  CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7407  CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7408  CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7409  }
7410 
7411 
7412  /* Privkey export where pubkey is the point at infinity. */
7413  {
7414  unsigned char privkey[300];
7415  unsigned char seckey[32] = {
7416  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7417  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
7418  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
7419  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
7420  };
7421  size_t outlen = 300;
7422  CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
7423  outlen = 300;
7424  CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
7425  }
7426 }
7427 
7428 static void run_ecdsa_edge_cases(void) {
7429  test_ecdsa_edge_cases();
7430 }
7431 
7436 static void test_ecdsa_wycheproof(void) {
7437  #include "wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.h"
7438 
7439  int t;
7440  for (t = 0; t < SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS; t++) {
7441  secp256k1_ecdsa_signature signature;
7442  secp256k1_sha256 hasher;
7443  secp256k1_pubkey pubkey;
7444  const unsigned char *msg, *sig, *pk;
7445  unsigned char out[32] = {0};
7446  int actual_verify = 0;
7447 
7448  memset(&pubkey, 0, sizeof(pubkey));
7449  pk = &wycheproof_ecdsa_public_keys[testvectors[t].pk_offset];
7450  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);
7451 
7452  secp256k1_sha256_initialize(&hasher);
7453  msg = &wycheproof_ecdsa_messages[testvectors[t].msg_offset];
7454  secp256k1_sha256_write(&hasher, msg, testvectors[t].msg_len);
7455  secp256k1_sha256_finalize(&hasher, out);
7456 
7457  sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset];
7458  if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
7459  actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
7460  }
7461  CHECK(testvectors[t].expected_verify == actual_verify);
7462  }
7463 }
7464 
7465 /* Tests cases from Wycheproof test suite. */
7466 static void run_ecdsa_wycheproof(void) {
7467  test_ecdsa_wycheproof();
7468 }
7469 
7470 #ifdef ENABLE_MODULE_ECDH
7471 # include "modules/ecdh/tests_impl.h"
7472 #endif
7473 
7474 #ifdef ENABLE_MODULE_RECOVERY
7475 # include "modules/recovery/tests_impl.h"
7476 #endif
7477 
7478 #ifdef ENABLE_MODULE_EXTRAKEYS
7479 # include "modules/extrakeys/tests_impl.h"
7480 #endif
7481 
7482 #ifdef ENABLE_MODULE_SCHNORRSIG
7483 # include "modules/schnorrsig/tests_impl.h"
7484 #endif
7485 
7486 #ifdef ENABLE_MODULE_ELLSWIFT
7487 # include "modules/ellswift/tests_impl.h"
7488 #endif
7489 
7490 static void run_secp256k1_memczero_test(void) {
7491  unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7492  unsigned char buf2[sizeof(buf1)];
7493 
7494  /* secp256k1_memczero(..., ..., 0) is a noop. */
7495  memcpy(buf2, buf1, sizeof(buf1));
7496  secp256k1_memczero(buf1, sizeof(buf1), 0);
7497  CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7498 
7499  /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7500  memset(buf2, 0, sizeof(buf2));
7501  secp256k1_memczero(buf1, sizeof(buf1) , 1);
7502  CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7503 }
7504 
7505 static void run_secp256k1_byteorder_tests(void) {
7506  {
7507  const uint32_t x = 0xFF03AB45;
7508  const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7509  unsigned char buf[4];
7510  uint32_t x_;
7511 
7512  secp256k1_write_be32(buf, x);
7513  CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7514 
7515  x_ = secp256k1_read_be32(buf);
7516  CHECK(x == x_);
7517  }
7518 
7519  {
7520  const uint64_t x = 0xCAFE0123BEEF4567;
7521  const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67};
7522  unsigned char buf[8];
7523  uint64_t x_;
7524 
7525  secp256k1_write_be64(buf, x);
7526  CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7527 
7528  x_ = secp256k1_read_be64(buf);
7529  CHECK(x == x_);
7530  }
7531 }
7532 
7533 static void int_cmov_test(void) {
7534  int r = INT_MAX;
7535  int a = 0;
7536 
7537  secp256k1_int_cmov(&r, &a, 0);
7538  CHECK(r == INT_MAX);
7539 
7540  r = 0; a = INT_MAX;
7541  secp256k1_int_cmov(&r, &a, 1);
7542  CHECK(r == INT_MAX);
7543 
7544  a = 0;
7545  secp256k1_int_cmov(&r, &a, 1);
7546  CHECK(r == 0);
7547 
7548  a = 1;
7549  secp256k1_int_cmov(&r, &a, 1);
7550  CHECK(r == 1);
7551 
7552  r = 1; a = 0;
7553  secp256k1_int_cmov(&r, &a, 0);
7554  CHECK(r == 1);
7555 
7556 }
7557 
7558 static void fe_cmov_test(void) {
7559  static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7560  static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7561  static const secp256k1_fe max = SECP256K1_FE_CONST(
7562  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7563  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7564  );
7565  secp256k1_fe r = max;
7566  secp256k1_fe a = zero;
7567 
7568  secp256k1_fe_cmov(&r, &a, 0);
7569  CHECK(fe_identical(&r, &max));
7570 
7571  r = zero; a = max;
7572  secp256k1_fe_cmov(&r, &a, 1);
7573  CHECK(fe_identical(&r, &max));
7574 
7575  a = zero;
7576  secp256k1_fe_cmov(&r, &a, 1);
7577  CHECK(fe_identical(&r, &zero));
7578 
7579  a = one;
7580  secp256k1_fe_cmov(&r, &a, 1);
7581  CHECK(fe_identical(&r, &one));
7582 
7583  r = one; a = zero;
7584  secp256k1_fe_cmov(&r, &a, 0);
7585  CHECK(fe_identical(&r, &one));
7586 }
7587 
7588 static void fe_storage_cmov_test(void) {
7589  static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7590  static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7591  static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
7592  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7593  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7594  );
7595  secp256k1_fe_storage r = max;
7596  secp256k1_fe_storage a = zero;
7597 
7598  secp256k1_fe_storage_cmov(&r, &a, 0);
7599  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7600 
7601  r = zero; a = max;
7602  secp256k1_fe_storage_cmov(&r, &a, 1);
7603  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7604 
7605  a = zero;
7606  secp256k1_fe_storage_cmov(&r, &a, 1);
7607  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7608 
7609  a = one;
7610  secp256k1_fe_storage_cmov(&r, &a, 1);
7611  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7612 
7613  r = one; a = zero;
7614  secp256k1_fe_storage_cmov(&r, &a, 0);
7615  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7616 }
7617 
7618 static void scalar_cmov_test(void) {
7619  static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7620  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
7621  0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
7622  );
7623  secp256k1_scalar r = max;
7624  secp256k1_scalar a = secp256k1_scalar_zero;
7625 
7626  secp256k1_scalar_cmov(&r, &a, 0);
7627  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7628 
7629  r = secp256k1_scalar_zero; a = max;
7630  secp256k1_scalar_cmov(&r, &a, 1);
7631  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7632 
7633  a = secp256k1_scalar_zero;
7634  secp256k1_scalar_cmov(&r, &a, 1);
7635  CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0);
7636 
7637  a = secp256k1_scalar_one;
7638  secp256k1_scalar_cmov(&r, &a, 1);
7639  CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7640 
7641  r = secp256k1_scalar_one; a = secp256k1_scalar_zero;
7642  secp256k1_scalar_cmov(&r, &a, 0);
7643  CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7644 }
7645 
7646 static void ge_storage_cmov_test(void) {
7647  static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7648  static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7649  static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
7650  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7651  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7652  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7653  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7654  );
7655  secp256k1_ge_storage r = max;
7656  secp256k1_ge_storage a = zero;
7657 
7658  secp256k1_ge_storage_cmov(&r, &a, 0);
7659  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7660 
7661  r = zero; a = max;
7662  secp256k1_ge_storage_cmov(&r, &a, 1);
7663  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7664 
7665  a = zero;
7666  secp256k1_ge_storage_cmov(&r, &a, 1);
7667  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7668 
7669  a = one;
7670  secp256k1_ge_storage_cmov(&r, &a, 1);
7671  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7672 
7673  r = one; a = zero;
7674  secp256k1_ge_storage_cmov(&r, &a, 0);
7675  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7676 }
7677 
7678 static void run_cmov_tests(void) {
7679  int_cmov_test();
7680  fe_cmov_test();
7681  fe_storage_cmov_test();
7682  scalar_cmov_test();
7683  ge_storage_cmov_test();
7684 }
7685 
7686 int main(int argc, char **argv) {
7687  /* Disable buffering for stdout to improve reliability of getting
7688  * diagnostic information. Happens right at the start of main because
7689  * setbuf must be used before any other operation on the stream. */
7690  setbuf(stdout, NULL);
7691  /* Also disable buffering for stderr because it's not guaranteed that it's
7692  * unbuffered on all systems. */
7693  setbuf(stderr, NULL);
7694 
7695  /* find iteration count */
7696  if (argc > 1) {
7697  COUNT = strtol(argv[1], NULL, 0);
7698  } else {
7699  const char* env = getenv("SECP256K1_TEST_ITERS");
7700  if (env && strlen(env) > 0) {
7701  COUNT = strtol(env, NULL, 0);
7702  }
7703  }
7704  if (COUNT <= 0) {
7705  fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7706  return EXIT_FAILURE;
7707  }
7708  printf("test count = %i\n", COUNT);
7709 
7710  /* run test RNG tests (must run before we really initialize the test RNG) */
7711  run_xoshiro256pp_tests();
7712 
7713  /* find random seed */
7714  secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
7715 
7716  /*** Setup test environment ***/
7717 
7718  /* Create a global context available to all tests */
7719  CTX = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
7720  /* Randomize the context only with probability 15/16
7721  to make sure we test without context randomization from time to time.
7722  TODO Reconsider this when recalibrating the tests. */
7723  if (secp256k1_testrand_bits(4)) {
7724  unsigned char rand32[32];
7725  secp256k1_testrand256(rand32);
7726  CHECK(secp256k1_context_randomize(CTX, rand32));
7727  }
7728  /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
7729  that write to the context. The API does not support cloning the static context, so we use
7730  memcpy instead. The user is not supposed to copy a context but we should still ensure that
7731  the API functions handle copies of the static context gracefully. */
7732  STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
7733  CHECK(STATIC_CTX != NULL);
7734  memcpy(STATIC_CTX, secp256k1_context_static, sizeof(secp256k1_context));
7735  CHECK(!secp256k1_context_is_proper(STATIC_CTX));
7736 
7737  /*** Run actual tests ***/
7738 
7739  /* selftest tests */
7740  run_selftest_tests();
7741 
7742  /* context tests */
7743  run_proper_context_tests(0); run_proper_context_tests(1);
7744  run_static_context_tests(0); run_static_context_tests(1);
7745  run_deprecated_context_flags_test();
7746 
7747  /* scratch tests */
7748  run_scratch_tests();
7749 
7750  /* integer arithmetic tests */
7751 #ifdef SECP256K1_WIDEMUL_INT128
7752  run_int128_tests();
7753 #endif
7754  run_ctz_tests();
7755  run_modinv_tests();
7756  run_inverse_tests();
7757 
7758  /* hash tests */
7759  run_sha256_known_output_tests();
7760  run_sha256_counter_tests();
7761  run_hmac_sha256_tests();
7762  run_rfc6979_hmac_sha256_tests();
7763  run_tagged_sha256_tests();
7764 
7765  /* scalar tests */
7766  run_scalar_tests();
7767 
7768  /* field tests */
7769  run_field_half();
7770  run_field_misc();
7771  run_field_convert();
7772  run_field_be32_overflow();
7773  run_fe_mul();
7774  run_sqr();
7775  run_sqrt();
7776 
7777  /* group tests */
7778  run_ge();
7779  run_gej();
7780  run_group_decompress();
7781 
7782  /* ecmult tests */
7783  run_ecmult_pre_g();
7784  run_wnaf();
7785  run_point_times_order();
7786  run_ecmult_near_split_bound();
7787  run_ecmult_chain();
7788  run_ecmult_constants();
7789  run_ecmult_gen_blind();
7790  run_ecmult_const_tests();
7791  run_ecmult_multi_tests();
7792  run_ec_combine();
7793 
7794  /* endomorphism tests */
7795  run_endomorphism_tests();
7796 
7797  /* EC point parser test */
7798  run_ec_pubkey_parse_test();
7799 
7800  /* EC key edge cases */
7801  run_eckey_edge_case_test();
7802 
7803  /* EC key arithmetic test */
7804  run_eckey_negate_test();
7805 
7806 #ifdef ENABLE_MODULE_ECDH
7807  /* ecdh tests */
7808  run_ecdh_tests();
7809 #endif
7810 
7811  /* ecdsa tests */
7812  run_ec_illegal_argument_tests();
7813  run_pubkey_comparison();
7814  run_random_pubkeys();
7815  run_ecdsa_der_parse();
7816  run_ecdsa_sign_verify();
7817  run_ecdsa_end_to_end();
7818  run_ecdsa_edge_cases();
7819  run_ecdsa_wycheproof();
7820 
7821 #ifdef ENABLE_MODULE_RECOVERY
7822  /* ECDSA pubkey recovery tests */
7823  run_recovery_tests();
7824 #endif
7825 
7826 #ifdef ENABLE_MODULE_EXTRAKEYS
7827  run_extrakeys_tests();
7828 #endif
7829 
7830 #ifdef ENABLE_MODULE_SCHNORRSIG
7831  run_schnorrsig_tests();
7832 #endif
7833 
7834 #ifdef ENABLE_MODULE_ELLSWIFT
7835  run_ellswift_tests();
7836 #endif
7837 
7838  /* util tests */
7839  run_secp256k1_memczero_test();
7840  run_secp256k1_byteorder_tests();
7841 
7842  run_cmov_tests();
7843 
7844  /*** Tear down test environment ***/
7845  free(STATIC_CTX);
7846  secp256k1_context_destroy(CTX);
7847 
7848  secp256k1_testrand_finish();
7849 
7850  printf("no problems found\n");
7851  return 0;
7852 }
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:558
run_random_pubkeys
static void run_random_pubkeys(void)
Definition: tests.c:6768
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
run_xoshiro256pp_tests
static void run_xoshiro256pp_tests(void)
Definition: tests.c:208
run_field_convert
static void run_field_convert(void)
Definition: tests.c:2997
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:68
test_gej_cmov
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4073
secp256k1_context_preallocated_create
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
ecmult_const_chain_multiply
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4584
secp256k1_ec_privkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_negate instead")
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:628
secp256k1_fe_set_b32_mod
#define secp256k1_fe_set_b32_mod
Definition: field.h:88
run_ecdsa_end_to_end
static void run_ecdsa_end_to_end(void)
Definition: tests.c:6775
secp256k1_modinv32_modinfo
Definition: modinv32.h:19
random_fe_non_zero_test
static void random_fe_non_zero_test(secp256k1_fe *fe)
Definition: tests.c:118
tests_impl.h
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:20
secp256k1_u128_check_bits
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:40
secp256k1_fe
This field implementation represents the value as 10 uint32_t limbs in base 2^26. ...
Definition: field_10x26.h:14
run_wnaf
static void run_wnaf(void)
Definition: tests.c:5428
ret
int ret
Definition: bitcoin-cli.cpp:1264
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:4620
coprime
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1168
secp256k1_ec_seckey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:703
secp256k1_fe_add_int
#define secp256k1_fe_add_int
Definition: field.h:103
secp256k1_fe_negate_unchecked
#define secp256k1_fe_negate_unchecked
Definition: field.h:91
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:198
secp256k1_ecmult_gen_context::built
int built
Definition: ecmult_gen.h:33
secp256k1_scalar_is_even
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:728
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:645
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:412
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:15
secp256k1_u128_accum_u64
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:19
secp256k1_fe_set_b32_limit
#define secp256k1_fe_set_b32_limit
Definition: field.h:89
ECMULT_TABLE_SIZE
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:816
random_scalar_order_b32
static void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:202
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p...
Definition: field.h:66
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
run_sqrt
static void run_sqrt(void)
Definition: tests.c:3351
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:425
run_modinv_tests
static void run_modinv_tests(void)
Definition: tests.c:1198
run_rfc6979_hmac_sha256_tests
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:809
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
secp256k1_uint128
Definition: int128_struct.h:7
secp256k1_fe_is_zero
#define secp256k1_fe_is_zero
Definition: field.h:85
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
test_group_decompress
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4149
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
tests_impl.h
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:29
tests_impl.h
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_fe_inv_var
#define secp256k1_fe_inv_var
Definition: field.h:100
tests_wycheproof_generate.expected_verify
int expected_verify
Definition: tests_wycheproof_generate.py:46
secp256k1_fe_mul
#define secp256k1_fe_mul
Definition: field.h:94
secp256k1_i128_mul
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:49
test_fe_mul
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3257
secp256k1_jacobi32_maybe_var
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
test_secp256k1_pippenger_bucket_window_inv
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5045
nonce
unsigned int nonce
Definition: miner_tests.cpp:72
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_modinv64_modinfo
Definition: modinv64.h:23
run_selftest_tests
static void run_selftest_tests(void)
Definition: tests.c:237
secp256k1_pre_g
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:16
secp256k1_scalar_split_lambda
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:750
test_constant_wnaf
static void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5287
secp256k1_testrand_seed
static SECP256K1_INLINE void secp256k1_testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6471
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:727
ge_storage_cmov_test
static void ge_storage_cmov_test(void)
Definition: tests.c:7646
ALIGNMENT
#define ALIGNMENT
Definition: util.h:161
run_ecdsa_wycheproof
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7466
secp256k1_fe_normalizes_to_zero
#define secp256k1_fe_normalizes_to_zero
Definition: field.h:81
random_fe_non_zero
static void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:2969
SECP256K1_CHECKMEM_UNDEFINE
#define SECP256K1_CHECKMEM_UNDEFINE(p, len)
Definition: checkmem.h:83
secp256k1_fe_mul_int_unchecked
#define secp256k1_fe_mul_int_unchecked
Definition: field.h:92
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:465
secp256k1_context_static
SECP256K1_API const secp256k1_context * secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:236
SECP256K1_GE_STORAGE_CONST
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
secp256k1_fe_clear
#define secp256k1_fe_clear
Definition: field.h:84
secp256k1_u128_mul
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:11
cs
static void pool cs
Definition: mempool_eviction.cpp:13
test_wnaf
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5238
secp256k1_fe_equal
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
test_fixed_wnaf
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5327
random_gej_test
static void random_gej_test(secp256k1_gej *gej)
Definition: tests.c:170
SECP256K1_GEJ_Z_MAGNITUDE_MAX
#define SECP256K1_GEJ_Z_MAGNITUDE_MAX
Definition: group.h:53
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
run_pubkey_comparison
static void run_pubkey_comparison(void)
Definition: tests.c:6719
run_scratch_tests
static void run_scratch_tests(void)
Definition: tests.c:490
test_ecmult_multi_random
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4861
secp256k1_fe_mul_int
#define secp256k1_fe_mul_int(r, a)
Multiply a field element with a small integer.
Definition: field.h:237
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6479
scalar_cmov_test
static void scalar_cmov_test(void)
Definition: tests.c:7618
ge_equals_gej
static void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:3732
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_pre_g_128
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:8236
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
Definition: lax_der_privatekey_parsing.c:55
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6842
prefix
const char * prefix
Definition: rest.cpp:1004
CHECK_ILLEGAL_VOID
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:59
modinv32_impl.h
secp256k1_u128_rshift
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:23
secp256k1_ctz32_var
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:310
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context_preallocated_create.
Definition: secp256k1.h:205
secp256k1_read_be32
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:346
secp256k1_fe_is_square_var
#define secp256k1_fe_is_square_var
Definition: field.h:104
secp256k1_fe_half
#define secp256k1_fe_half
Definition: field.h:102
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_fe_sqr
#define secp256k1_fe_sqr
Definition: field.h:95
ec_pubkey_parse_pointtest
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5727
secp256k1_write_be64
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char *p, uint64_t x)
Definition: util.h:374
secp256k1_fe_normalize_weak
#define secp256k1_fe_normalize_weak
Definition: field.h:79
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
random_gej_y_magnitude
static void random_gej_y_magnitude(secp256k1_gej *gej)
Definition: tests.c:140
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
expect
#define expect(bit)
Definition: univalue_read.cpp:259
SECP256K1_CHECKMEM_CHECK
#define SECP256K1_CHECKMEM_CHECK(p, len)
Definition: checkmem.h:85
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_ec_seckey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:613
secp256k1_scalar_shr_int
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
run_extrakeys_tests
static void run_extrakeys_tests(void)
Definition: tests_impl.h:553
secp256k1_fe_add
#define secp256k1_fe_add
Definition: field.h:93
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:258
secp256k1_jacobi64_maybe_var
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_sha256
Definition: hash.h:13
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b&#39;s Z coordinate passed as bzinv)...
secp256k1_i128_from_i64
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
Definition: int128_native_impl.h:80
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:186
secp256k1_test_state
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
wycheproof_ecdsa_public_keys
static const unsigned char wycheproof_ecdsa_public_keys[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:73
secp256k1_scratch_checkpoint
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:290
secp256k1_context_preallocated_size
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory...
Definition: secp256k1.c:91
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
run_field_misc
static void run_field_misc(void)
Definition: tests.c:3150
secp256k1_wnaf_const
static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size)
Convert a number to WNAF notation.
Definition: ecmult_const_impl.h:69
testrand_impl.h
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:68
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_scratch_space_struct::alloc_size
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
secp256k1_ec_seckey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:659
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:77
run_fe_mul
static void run_fe_mul(void)
Definition: tests.c:3300
secp256k1_context_preallocated_destroy
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:175
secp256k1_context_struct
Definition: secp256k1.c:60
secp256k1_selftest
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static) ...
Definition: secp256k1.c:85
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:757
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_add instead")
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:675
test_modinv32_uint16
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:1017
secp256k1_fe_cmov
#define secp256k1_fe_cmov
Definition: field.h:96
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:209
test_ecdsa_end_to_end
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6514
run_recovery_tests
static void run_recovery_tests(void)
Definition: tests_impl.h:362
secp256k1_ge_x_on_curve_var
static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x)
Determine whether x is a valid X coordinate on the curve.
is_empty_signature
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6509
run_tagged_sha256_tests
static void run_tagged_sha256_tests(void)
Definition: tests.c:850
run_field_be32_overflow
static void run_field_be32_overflow(void)
Definition: tests.c:3027
mutate_sign_signed30
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:1002
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:353
test_ecdsa_sign_verify
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6428
run_ec_combine
static void run_ec_combine(void)
Definition: tests.c:4142
run_ellswift_tests
void run_ellswift_tests(void)
Definition: tests_impl.h:179
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_scratch_alloc
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
test_ecmult_multi_pippenger_max_points
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5065
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6854
secp256k1_fe_normalizes_to_zero_var
#define secp256k1_fe_normalizes_to_zero_var
Definition: field.h:82
test_ecmult_target
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4390
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
#define SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
run_scalar_tests
static void run_scalar_tests(void)
Definition: tests.c:2341
test_ecdsa_edge_cases
static void test_ecdsa_edge_cases(void)
Definition: tests.c:7059
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
SECP256K1_GEJ_X_MAGNITUDE_MAX
#define SECP256K1_GEJ_X_MAGNITUDE_MAX
Definition: group.h:51
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
secp256k1_ecmult
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
test_fixed_wnaf_small
static void test_fixed_wnaf_small(void)
Definition: tests.c:5374
sum
volatile double sum
Definition: examples.cpp:10
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
Definition: lax_der_privatekey_parsing.c:11
ecdsa_secp256k1_sha256_bitcoin_test.h
test_ecmult_multi
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4638
secp256k1_ecmult_const_xonly
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only, specified as fraction n/d (numerator/denominator).
ecmult_multi_data
Definition: tests.c:4618
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:70
test_constant_wnaf_negate
static void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:5272
secp256k1_i128_rshift
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
Definition: int128_native_impl.h:66
fe_minus_one
static const secp256k1_fe fe_minus_one
Definition: tests.c:3394
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:595
secp256k1_context_struct::declassify
int declassify
Definition: secp256k1.c:64
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:41
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:686
secp256k1_i128_accum_mul
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:53
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:216
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:215
secp256k1_int128
int128_t secp256k1_int128
Definition: int128_native.h:17
random_gej_z_magnitude
static void random_gej_z_magnitude(secp256k1_gej *gej)
Definition: tests.c:144
test_ecmult_multi_batch_size_helper
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5098
secp256k1_i128_load
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
Definition: int128_native_impl.h:45
secp256k1_testrand256_test
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
all_bytes_equal
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:43
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
run_sqr
static void run_sqr(void)
Definition: tests.c:3321
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
test_ge
static void test_ge(void)
Definition: tests.c:3749
run_endomorphism_tests
static void run_endomorphism_tests(void)
Definition: tests.c:5706
secp256k1_ge_x_frac_on_curve_var
static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd)
Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).
random_ge_y_magnitude
static void random_ge_y_magnitude(secp256k1_ge *ge)
Definition: tests.c:132
secp256k1_write_be32
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:354
random_sign
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6421
test_intialized_inf
static void test_intialized_inf(void)
Definition: tests.c:3972
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:572
test_fixed_wnaf_small_helper
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5364
secp256k1_ge_storage
Definition: group.h:38
secp256k1_ctz64_var
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:328
random_scalar_order_test
static void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:176
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:14
secp256k1_modinv32_var
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_u128_hi_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:32
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:36
test_inverse_scalar
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3406
random_group_element_jacobian_test
static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:160
run_sha256_counter_tests
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:696
run_ecmult_multi_tests
static void run_ecmult_multi_tests(void)
Definition: tests.c:5211
secp256k1_scratch_space_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t size) SECP256K1_ARG_NONNULL(1)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:222
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4623
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:61
random_scalar_order
static void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:189
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:607
secp256k1_fe_one
static const secp256k1_fe secp256k1_fe_one
Definition: field.h:68
run_ecmult_const_tests
static void run_ecmult_const_tests(void)
Definition: tests.c:4610
secp256k1_u128_from_u64
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:36
test_ecmult_accumulate_cb
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5474
scalar_minus_one
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3389
secp256k1_testrand_init
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL...
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
secp256k1_ecmult_strauss_batch_single
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:403
CTX
static secp256k1_context * CTX
Definition: tests.c:40
random_fe_test
static void random_fe_test(secp256k1_fe *x)
Definition: tests.c:108
run_ecmult_chain
static void run_ecmult_chain(void)
Definition: tests.c:4269
run_ecmult_constants
static void run_ecmult_constants(void)
Definition: tests.c:5601
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
tests_impl.h
WNAF_SIZE_BITS
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:45
secp256k1_gej::infinity
int infinity
Definition: group.h:32
test_ecmult_multi_batch_single
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5027
ecmult_const_mult_zero_one
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4509
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_fe_inv
#define secp256k1_fe_inv
Definition: field.h:99
tests_wycheproof_generate.out
string out
Definition: tests_wycheproof_generate.py:28
testvectors
static const wycheproof_ecdsa_testvector testvectors[SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:636
secp256k1_modinv32_signed30
Definition: modinv32.h:15
secp256k1_u128_accum_mul
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:15
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
test_random_pubkeys
static void test_random_pubkeys(void)
Definition: tests.c:6659
wycheproof_ecdsa_testvector::msg_offset
size_t msg_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:6
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise...
secp256k1_modinv32_signed30::v
int32_t v[9]
Definition: modinv32.h:16
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:578
secp256k1_fe_is_odd
#define secp256k1_fe_is_odd
Definition: field.h:86
secp256k1_i128_det
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
Definition: int128_native_impl.h:59
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:418
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:760
tests_impl.h
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
fe_storage_cmov_test
static void fe_storage_cmov_test(void)
Definition: tests.c:7588
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
secp256k1_fe_get_bounds
#define secp256k1_fe_get_bounds
Definition: field.h:101
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
secp256k1_fe_set_int
#define secp256k1_fe_set_int
Definition: field.h:83
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:272
run_ecdh_tests
static void run_ecdh_tests(void)
Definition: tests_impl.h:158
secp256k1_i128_to_i64
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:75
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
miniscript::internal::ZERO
static const auto ZERO
A stack consisting of a single zero-length element (interpreted as 0 by the script interpreter in num...
Definition: miniscript.h:326
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:87
run_ecdsa_sign_verify
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6455
secp256k1_modinv64_signed62
Definition: modinv64.h:19
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17
test_inverse_field
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3428
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
test_ecmult_constants_sha
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5558
secp256k1_ge_storage_cmov
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
test_pre_g_table
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4195
secp256k1_ctz64_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:299
secp256k1_fe_to_storage
#define secp256k1_fe_to_storage
Definition: field.h:97
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
run_ecdsa_der_parse
static void run_ecdsa_der_parse(void)
Definition: tests.c:7027
run_scalar_set_b32_seckey_tests
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2324
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_fe::n
uint32_t n[10]
Definition: field_10x26.h:22
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:358
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:31
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast...
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
run_eckey_edge_case_test
static void run_eckey_edge_case_test(void)
Definition: tests.c:6130
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition: secp256k1.c:62
secp256k1_ge::infinity
int infinity
Definition: group.h:19
secp256k1_sha256::bytes
uint64_t bytes
Definition: hash.h:16
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
main
int main(int argc, char **argv)
Definition: tests.c:7686
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:339
uint16_to_signed30
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:984
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
check_fe_equal
static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2990
wycheproof_ecdsa_messages
static const unsigned char wycheproof_ecdsa_messages[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:13
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:363
secp256k1_u128_load
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
Definition: int128_native_impl.h:7
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
CONDITIONAL_TEST
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:37
secp256k1_scratch_apply_checkpoint
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
random_fe_magnitude
static void random_fe_magnitude(secp256k1_fe *fe)
Definition: tests.c:124
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y...
test_ecmult_gen_blind_reset
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5658
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
scalar_test
static void scalar_test(void)
Definition: tests.c:2162
secp256k1_gej_cmov
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:208
ecmult_multi_false_callback
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4630
flags
int flags
Definition: bitcoin-tx.cpp:528
test_ecdsa_der_parse
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6782
run_ecmult_gen_blind
static void run_ecmult_gen_blind(void)
Definition: tests.c:5670
secp256k1_tagged_sha256
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:786
mulmod256
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:900
secp256k1_context_preallocated_clone_size
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory...
Definition: secp256k1.c:111
run_eckey_negate_test
static void run_eckey_negate_test(void)
Definition: tests.c:6386
secp256k1_modinv32
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
SECP256K1_GE_X_MAGNITUDE_MAX
#define SECP256K1_GE_X_MAGNITUDE_MAX
Maximum allowed magnitudes for group element coordinates in affine (x, y) and jacobian (x...
Definition: group.h:49
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:162
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:198
run_secp256k1_byteorder_tests
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7505
secp256k1_i128_eq_var
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
Definition: int128_native_impl.h:84
secp256k1_scalar::d
uint64_t d[4]
Definition: scalar_4x64.h:14
ge_equals_ge
static void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:3701
run_ge
static void run_ge(void)
Definition: tests.c:4064
test_ecmult_gen_blind
static void test_ecmult_gen_blind(void)
Definition: tests.c:5635
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:400
test_scalar_split
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5679
run_field_half
static void run_field_half(void)
Definition: tests.c:3101
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
SECP256K1_GEJ_Y_MAGNITUDE_MAX
#define SECP256K1_GEJ_Y_MAGNITUDE_MAX
Definition: group.h:52
secp256k1_ec_pubkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:632
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
test_ecmult_accumulate
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5482
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space...
Definition: ecmult_impl.h:737
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:379
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
wycheproof_ecdsa_testvector::sig_offset
size_t sig_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:8
test_ecmult_multi_batching
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5146
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6881
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
random_group_element_test
static void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:148
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:31
test_ec_combine
static void test_ec_combine(void)
Definition: tests.c:4117
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
secp256k1_fe_normalize
#define secp256k1_fe_normalize
Definition: field.h:78
random_ge_x_magnitude
static void random_ge_x_magnitude(secp256k1_ge *ge)
Definition: tests.c:128
gej_xyz_equals_gej
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3711
SECP256K1_GE_Y_MAGNITUDE_MAX
#define SECP256K1_GE_Y_MAGNITUDE_MAX
Definition: group.h:50
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:54
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
secp256k1_hmac_sha256
Definition: hash.h:23
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:217
secp256k1_default_error_callback_fn
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:82
run_ecmult_pre_g
static void run_ecmult_pre_g(void)
Definition: tests.c:4245
test_ecdsa_wycheproof
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7436
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:4619
secp256k1_fe_normalize_var
#define secp256k1_fe_normalize_var
Definition: field.h:80
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted...
Definition: tests.c:6463
context_eq
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:248
ecmult_const_commutativity
static void ecmult_const_commutativity(void)
Definition: tests.c:4488
run_deprecated_context_flags_test
static void run_deprecated_context_flags_test(void)
Definition: tests.c:257
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
run_ctz_tests
static void run_ctz_tests(void)
Definition: tests.c:574
wycheproof_ecdsa_testvector::pk_offset
size_t pk_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:5
secp256k1_i128_check_pow2
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
Definition: int128_native_impl.h:88
secp256k1_scalar_get_bits_var
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_ctz32_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:287
secp256k1_fe_negate
#define secp256k1_fe_negate(r, a, m)
Negate a field element.
Definition: field.h:215
run_hmac_sha256_tests
static void run_hmac_sha256_tests(void)
Definition: tests.c:765
scalars_near_split_bounds
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4367
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_fe_get_b32
#define secp256k1_fe_get_b32
Definition: field.h:90
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:239
run_inverse_tests
static void run_inverse_tests(void)
Definition: tests.c:3453
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:63
run_static_context_tests
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:327
secp256k1_read_be64
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char *p)
Definition: util.h:362
ecmult_gen_context_eq
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:242
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
run_ecmult_near_split_bound
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4428
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
ecmult_const_mult_xonly
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4529
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:74
run_group_decompress
static void run_group_decompress(void)
Definition: tests.c:4184
secp256k1_context_no_precomp
const secp256k1_context * secp256k1_context_no_precomp
Definition: secp256k1.c:74
secp256k1_ecmult_multi_batch_size_helper
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:798
secp256k1_callback::data
const void * data
Definition: util.h:69
test_sqrt
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3337
secp256k1_scratch_space_struct
Definition: scratch.h:12
modinv64_impl.h
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:30
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:162
run_gej
static void run_gej(void)
Definition: tests.c:4081
secp256k1_fe_storage
Definition: field_10x26.h:50
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:231
random_fe
static void random_fe(secp256k1_fe *x)
Definition: tests.c:2959
secp256k1_i128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:71
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
random_field_element_magnitude
static void random_field_element_magnitude(secp256k1_fe *fe, int m)
Definition: tests.c:92
ecmult_const_random_mult
static void ecmult_const_random_mult(void)
Definition: tests.c:4461
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_mul instead")
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:723
run_ec_pubkey_parse_test
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5802
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
fe_identical
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3094
int_cmov_test
static void int_cmov_test(void)
Definition: tests.c:7533
secp256k1_context_preallocated_clone
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:151
run_secp256k1_memczero_test
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7490
tinyformat::printf
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1077
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:72
run_ecdsa_edge_cases
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7428
run_schnorrsig_tests
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:1003
secp256k1_fe_cmp_var
#define secp256k1_fe_cmp_var
Definition: field.h:87
secp256k1_const_lambda
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is: ...
Definition: scalar_impl.h:81
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:37
int128_impl.h
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
secp256k1_scratch_space_destroy
SECP256K1_API void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:227
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:42
COUNT
static int COUNT
Definition: tests.c:39
modinv2p64
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:883
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:147
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:140
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
run_sha256_known_output_tests
static void run_sha256_known_output_tests(void)
Definition: tests.c:595
random_gej_x_magnitude
static void random_gej_x_magnitude(secp256k1_gej *gej)
Definition: tests.c:136
uncounting_illegal_callback_fn
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:83
fe_cmov_test
static void fe_cmov_test(void)
Definition: tests.c:7558
wycheproof_ecdsa_signatures
static const unsigned char wycheproof_ecdsa_signatures[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:173
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
signed30_to_uint16
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:993
test_ecmult_constants_2bit
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5514
WINDOW_G
#define WINDOW_G
Definition: precomputed_ecmult.c:15
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:444
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
secp256k1_fe_from_storage
#define secp256k1_fe_from_storage
Definition: field.h:98
run_ec_illegal_argument_tests
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:275
run_proper_context_tests
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:368
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
secp256k1_ec_pubkey_cmp
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:313
secp256k1_context_is_proper
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:81
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_gej_eq_var
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
test_add_neg_y_diff_x
static void test_add_neg_y_diff_x(void)
Definition: tests.c:4004
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:74
secp256k1_u128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:28
secp256k1_testrand_finish
static void secp256k1_testrand_finish(void)
Print final test information.
random_fe_non_square
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2982
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
run_cmov_tests
static void run_cmov_tests(void)
Definition: tests.c:7678
run_point_times_order
static void run_point_times_order(void)
Definition: tests.c:4440
test_point_times_order
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4328
Generated on Thu Mar 28 2024 12:00:00 for Bitcoin Core by   doxygen 1.8.14