Bitcoin Core  24.1.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <time.h>
16 
17 #include "secp256k1.c"
18 #include "../include/secp256k1.h"
19 #include "../include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
21 #include "util.h"
22 
23 #include "../contrib/lax_der_parsing.c"
24 #include "../contrib/lax_der_privatekey_parsing.c"
25 
26 #include "modinv32_impl.h"
27 #ifdef SECP256K1_WIDEMUL_INT128
28 #include "modinv64_impl.h"
29 #endif
30 
31 #define CONDITIONAL_TEST(cnt, nam) if (count < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
32 
33 static int count = 64;
34 static secp256k1_context *ctx = NULL;
35 
36 static void counting_illegal_callback_fn(const char* str, void* data) {
37  /* Dummy callback function that just counts. */
38  int32_t *p;
39  (void)str;
40  p = data;
41  (*p)++;
42 }
43 
44 static void uncounting_illegal_callback_fn(const char* str, void* data) {
45  /* Dummy callback function that just counts (backwards). */
46  int32_t *p;
47  (void)str;
48  p = data;
49  (*p)--;
50 }
51 
52 void random_field_element_test(secp256k1_fe *fe) {
53  do {
54  unsigned char b32[32];
55  secp256k1_testrand256_test(b32);
56  if (secp256k1_fe_set_b32(fe, b32)) {
57  break;
58  }
59  } while(1);
60 }
61 
62 void random_field_element_magnitude(secp256k1_fe *fe) {
63  secp256k1_fe zero;
64  int n = secp256k1_testrand_int(9);
65  secp256k1_fe_normalize(fe);
66  if (n == 0) {
67  return;
68  }
69  secp256k1_fe_clear(&zero);
70  secp256k1_fe_negate(&zero, &zero, 0);
71  secp256k1_fe_mul_int(&zero, n - 1);
72  secp256k1_fe_add(fe, &zero);
73 #ifdef VERIFY
74  CHECK(fe->magnitude == n);
75 #endif
76 }
77 
78 void random_group_element_test(secp256k1_ge *ge) {
79  secp256k1_fe fe;
80  do {
81  random_field_element_test(&fe);
82  if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
83  secp256k1_fe_normalize(&ge->y);
84  break;
85  }
86  } while(1);
87  ge->infinity = 0;
88 }
89 
90 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
91  secp256k1_fe z2, z3;
92  do {
93  random_field_element_test(&gej->z);
94  if (!secp256k1_fe_is_zero(&gej->z)) {
95  break;
96  }
97  } while(1);
98  secp256k1_fe_sqr(&z2, &gej->z);
99  secp256k1_fe_mul(&z3, &z2, &gej->z);
100  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
101  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
102  gej->infinity = ge->infinity;
103 }
104 
105 void random_gej_test(secp256k1_gej *gej) {
106  secp256k1_ge ge;
107  random_group_element_test(&ge);
108  random_group_element_jacobian_test(gej, &ge);
109 }
110 
111 void random_scalar_order_test(secp256k1_scalar *num) {
112  do {
113  unsigned char b32[32];
114  int overflow = 0;
115  secp256k1_testrand256_test(b32);
116  secp256k1_scalar_set_b32(num, b32, &overflow);
117  if (overflow || secp256k1_scalar_is_zero(num)) {
118  continue;
119  }
120  break;
121  } while(1);
122 }
123 
124 void random_scalar_order(secp256k1_scalar *num) {
125  do {
126  unsigned char b32[32];
127  int overflow = 0;
128  secp256k1_testrand256(b32);
129  secp256k1_scalar_set_b32(num, b32, &overflow);
130  if (overflow || secp256k1_scalar_is_zero(num)) {
131  continue;
132  }
133  break;
134  } while(1);
135 }
136 
137 void random_scalar_order_b32(unsigned char *b32) {
138  secp256k1_scalar num;
139  random_scalar_order(&num);
140  secp256k1_scalar_get_b32(b32, &num);
141 }
142 
143 void run_context_tests(int use_prealloc) {
144  secp256k1_pubkey pubkey;
145  secp256k1_pubkey zero_pubkey;
146  secp256k1_ecdsa_signature sig;
147  unsigned char ctmp[32];
148  int32_t ecount;
149  int32_t ecount2;
150  secp256k1_context *none;
151  secp256k1_context *sign;
152  secp256k1_context *vrfy;
153  secp256k1_context *both;
154  secp256k1_context *sttc;
155  void *none_prealloc = NULL;
156  void *sign_prealloc = NULL;
157  void *vrfy_prealloc = NULL;
158  void *both_prealloc = NULL;
159  void *sttc_prealloc = NULL;
160 
161  secp256k1_gej pubj;
162  secp256k1_ge pub;
163  secp256k1_scalar msg, key, nonce;
164  secp256k1_scalar sigr, sigs;
165 
166  if (use_prealloc) {
167  none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
168  sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
169  vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
170  both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
171  sttc_prealloc = malloc(secp256k1_context_preallocated_clone_size(secp256k1_context_no_precomp));
172  CHECK(none_prealloc != NULL);
173  CHECK(sign_prealloc != NULL);
174  CHECK(vrfy_prealloc != NULL);
175  CHECK(both_prealloc != NULL);
176  CHECK(sttc_prealloc != NULL);
177  none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
178  sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
179  vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
180  both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
181  sttc = secp256k1_context_preallocated_clone(secp256k1_context_no_precomp, sttc_prealloc);
182  } else {
183  none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
184  sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
185  vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
186  both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
187  sttc = secp256k1_context_clone(secp256k1_context_no_precomp);
188  }
189 
190  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
191 
192  ecount = 0;
193  ecount2 = 10;
194  secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
195  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
196  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
197  secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
198  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
199  CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
200 
201  /* check if sizes for cloning are consistent */
202  CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
203  CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
204  CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
205  CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
206  CHECK(secp256k1_context_preallocated_clone_size(sttc) >= sizeof(secp256k1_context));
207 
208  /*** clone and destroy all of them to make sure cloning was complete ***/
209  {
210  secp256k1_context *ctx_tmp;
211 
212  if (use_prealloc) {
213  /* clone into a non-preallocated context and then again into a new preallocated one. */
214  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
215  free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
216  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
217 
218  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
219  free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
220  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
221 
222  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
223  free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
224  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
225 
226  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
227  free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
228  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
229  } else {
230  /* clone into a preallocated context and then again into a new non-preallocated one. */
231  void *prealloc_tmp;
232 
233  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
234  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
235  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
236  free(prealloc_tmp);
237 
238  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
239  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
240  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
241  free(prealloc_tmp);
242 
243  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
244  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
245  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
246  free(prealloc_tmp);
247 
248  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
249  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
250  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
251  free(prealloc_tmp);
252  }
253  }
254 
255  /* Verify that the error callback makes it across the clone. */
256  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
257  CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
258  /* And that it resets back to default. */
259  secp256k1_context_set_error_callback(sign, NULL, NULL);
260  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
261 
262  /*** attempt to use them ***/
263  random_scalar_order_test(&msg);
264  random_scalar_order_test(&key);
265  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
266  secp256k1_ge_set_gej(&pub, &pubj);
267 
268  /* Verify context-type checking illegal-argument errors. */
269  memset(ctmp, 1, 32);
270  CHECK(secp256k1_ec_pubkey_create(sttc, &pubkey, ctmp) == 0);
271  CHECK(ecount == 1);
272  VG_UNDEF(&pubkey, sizeof(pubkey));
273  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
274  VG_CHECK(&pubkey, sizeof(pubkey));
275  CHECK(secp256k1_ecdsa_sign(sttc, &sig, ctmp, ctmp, NULL, NULL) == 0);
276  CHECK(ecount == 2);
277  VG_UNDEF(&sig, sizeof(sig));
278  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
279  VG_CHECK(&sig, sizeof(sig));
280  CHECK(ecount2 == 10);
281  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 1);
282  CHECK(ecount2 == 10);
283  CHECK(secp256k1_ecdsa_verify(sttc, &sig, ctmp, &pubkey) == 1);
284  CHECK(ecount == 2);
285  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 1);
286  CHECK(ecount2 == 10);
287  CHECK(secp256k1_ec_pubkey_tweak_add(sttc, &pubkey, ctmp) == 1);
288  CHECK(ecount == 2);
289  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 1);
290  CHECK(ecount2 == 10);
291  CHECK(secp256k1_ec_pubkey_negate(sttc, &pubkey) == 1);
292  CHECK(ecount == 2);
293  CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
294  CHECK(ecount == 2);
295  CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
296  CHECK(ecount2 == 11);
297  CHECK(secp256k1_ec_pubkey_negate(sttc, &zero_pubkey) == 0);
298  CHECK(ecount == 3);
299  CHECK(secp256k1_ec_pubkey_tweak_mul(sttc, &pubkey, ctmp) == 1);
300  CHECK(ecount == 3);
301  CHECK(secp256k1_context_randomize(sttc, ctmp) == 1);
302  CHECK(ecount == 3);
303  CHECK(secp256k1_context_randomize(sttc, NULL) == 1);
304  CHECK(ecount == 3);
305  CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
306  CHECK(ecount2 == 11);
307  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
308  CHECK(ecount2 == 11);
309  secp256k1_context_set_illegal_callback(sttc, NULL, NULL);
310  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
311 
312  /* obtain a working nonce */
313  do {
314  random_scalar_order_test(&nonce);
315  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
316 
317  /* try signing */
318  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
319  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
320 
321  /* try verifying */
322  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
323  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
324 
325  /* cleanup */
326  if (use_prealloc) {
327  secp256k1_context_preallocated_destroy(none);
328  secp256k1_context_preallocated_destroy(sign);
329  secp256k1_context_preallocated_destroy(vrfy);
330  secp256k1_context_preallocated_destroy(both);
331  secp256k1_context_preallocated_destroy(sttc);
332  free(none_prealloc);
333  free(sign_prealloc);
334  free(vrfy_prealloc);
335  free(both_prealloc);
336  free(sttc_prealloc);
337  } else {
338  secp256k1_context_destroy(none);
339  secp256k1_context_destroy(sign);
340  secp256k1_context_destroy(vrfy);
341  secp256k1_context_destroy(both);
342  secp256k1_context_destroy(sttc);
343  }
344  /* Defined as no-op. */
345  secp256k1_context_destroy(NULL);
346  secp256k1_context_preallocated_destroy(NULL);
347 
348 }
349 
350 void run_scratch_tests(void) {
351  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
352 
353  int32_t ecount = 0;
354  size_t checkpoint;
355  size_t checkpoint_2;
356  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
357  secp256k1_scratch_space *scratch;
358  secp256k1_scratch_space local_scratch;
359 
360  /* Test public API */
361  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
362  secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
363 
364  scratch = secp256k1_scratch_space_create(none, 1000);
365  CHECK(scratch != NULL);
366  CHECK(ecount == 0);
367 
368  /* Test internal API */
369  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
370  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
371  CHECK(scratch->alloc_size == 0);
372  CHECK(scratch->alloc_size % ALIGNMENT == 0);
373 
374  /* Allocating 500 bytes succeeds */
375  checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
376  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
377  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
378  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
379  CHECK(scratch->alloc_size != 0);
380  CHECK(scratch->alloc_size % ALIGNMENT == 0);
381 
382  /* Allocating another 501 bytes fails */
383  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
384  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
385  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
386  CHECK(scratch->alloc_size != 0);
387  CHECK(scratch->alloc_size % ALIGNMENT == 0);
388 
389  /* ...but it succeeds once we apply the checkpoint to undo it */
390  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
391  CHECK(scratch->alloc_size == 0);
392  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
393  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
394  CHECK(scratch->alloc_size != 0);
395 
396  /* try to apply a bad checkpoint */
397  checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
398  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
399  CHECK(ecount == 0);
400  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
401  CHECK(ecount == 1);
402  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
403  CHECK(ecount == 2);
404 
405  /* try to use badly initialized scratch space */
406  secp256k1_scratch_space_destroy(none, scratch);
407  memset(&local_scratch, 0, sizeof(local_scratch));
408  scratch = &local_scratch;
409  CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
410  CHECK(ecount == 3);
411  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
412  CHECK(ecount == 4);
413  secp256k1_scratch_space_destroy(none, scratch);
414  CHECK(ecount == 5);
415 
416  /* Test that large integers do not wrap around in a bad way */
417  scratch = secp256k1_scratch_space_create(none, 1000);
418  /* Try max allocation with a large number of objects. Only makes sense if
419  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
420  * space. */
421  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
422  /* Try allocating SIZE_MAX to test wrap around which only happens if
423  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
424  * space is too small. */
425  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
426  secp256k1_scratch_space_destroy(none, scratch);
427 
428  /* cleanup */
429  secp256k1_scratch_space_destroy(none, NULL); /* no-op */
430  secp256k1_context_destroy(none);
431 }
432 
433 void run_ctz_tests(void) {
434  static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
435  static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
436  int shift;
437  unsigned i;
438  for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
439  for (shift = 0; shift < 32; ++shift) {
440  CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
441  CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
442  }
443  }
444  for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
445  for (shift = 0; shift < 64; ++shift) {
446  CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
447  CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
448  }
449  }
450 }
451 
452 /***** HASH TESTS *****/
453 
454 void run_sha256_known_output_tests(void) {
455  static const char *inputs[] = {
456  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
457  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
458  "For this sample, this 63-byte string will be used as input data",
459  "This is exactly 64 bytes long, not counting the terminating byte",
460  "aaaaa",
461  };
462  static const unsigned int repeat[] = {
463  1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
464  };
465  static const unsigned char outputs[][32] = {
466  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
467  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
468  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
469  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
470  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
471  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
472  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
473  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
474  {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
475  };
476  unsigned int i, ninputs;
477 
478  /* Skip last input vector for low iteration counts */
479  ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
480  CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
481 
482  for (i = 0; i < ninputs; i++) {
483  unsigned char out[32];
484  secp256k1_sha256 hasher;
485  unsigned int j;
486  /* 1. Run: simply write the input bytestrings */
487  j = repeat[i];
488  secp256k1_sha256_initialize(&hasher);
489  while (j > 0) {
490  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
491  j--;
492  }
493  secp256k1_sha256_finalize(&hasher, out);
494  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
495  /* 2. Run: split the input bytestrings randomly before writing */
496  if (strlen(inputs[i]) > 0) {
497  int split = secp256k1_testrand_int(strlen(inputs[i]));
498  secp256k1_sha256_initialize(&hasher);
499  j = repeat[i];
500  while (j > 0) {
501  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
502  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
503  j--;
504  }
505  secp256k1_sha256_finalize(&hasher, out);
506  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
507  }
508  }
509 }
510 
555 void run_sha256_counter_tests(void) {
556  static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
557  static const secp256k1_sha256 midstates[] = {
558  {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
559  {0x00}, 0xfffc0},
560  {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
561  {0x00}, 0x1fffc0},
562  {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
563  {0x00}, 0x3fffc0},
564  {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
565  {0x00}, 0x7fffc0},
566  {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
567  {0x00}, 0xffffc0},
568  {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
569  {0x00}, 0x1ffffc0},
570  {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
571  {0x00}, 0x3ffffc0},
572  {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
573  {0x00}, 0x7ffffc0},
574  {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
575  {0x00}, 0xfffffc0},
576  {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
577  {0x00}, 0x1fffffc0},
578  {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
579  {0x00}, 0x3fffffc0},
580  {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
581  {0x00}, 0x7fffffc0},
582  {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
583  {0x00}, 0xffffffc0},
584  {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
585  {0x00}, 0x1ffffffc0},
586  };
587  static const unsigned char outputs[][32] = {
588  {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
589  {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
590  {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
591  {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
592  {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
593  {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
594  {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
595  {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
596  {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
597  {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
598  {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
599  {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
600  {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
601  {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
602  };
603  unsigned int i;
604  for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
605  unsigned char out[32];
606  secp256k1_sha256 hasher = midstates[i];
607  secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
608  secp256k1_sha256_finalize(&hasher, out);
609  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
610  }
611 }
612 
613 void run_hmac_sha256_tests(void) {
614  static const char *keys[6] = {
615  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
616  "\x4a\x65\x66\x65",
617  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
618  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
619  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
620  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
621  };
622  static const char *inputs[6] = {
623  "\x48\x69\x20\x54\x68\x65\x72\x65",
624  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
625  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
626  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
627  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
628  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
629  };
630  static const unsigned char outputs[6][32] = {
631  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
632  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
633  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
634  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
635  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
636  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
637  };
638  int i;
639  for (i = 0; i < 6; i++) {
640  secp256k1_hmac_sha256 hasher;
641  unsigned char out[32];
642  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
643  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
644  secp256k1_hmac_sha256_finalize(&hasher, out);
645  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
646  if (strlen(inputs[i]) > 0) {
647  int split = secp256k1_testrand_int(strlen(inputs[i]));
648  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
649  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
650  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
651  secp256k1_hmac_sha256_finalize(&hasher, out);
652  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
653  }
654  }
655 }
656 
657 void run_rfc6979_hmac_sha256_tests(void) {
658  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
659  static const unsigned char out1[3][32] = {
660  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
661  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
662  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
663  };
664 
665  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
666  static const unsigned char out2[3][32] = {
667  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
668  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
669  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
670  };
671 
672  secp256k1_rfc6979_hmac_sha256 rng;
673  unsigned char out[32];
674  int i;
675 
676  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
677  for (i = 0; i < 3; i++) {
678  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
679  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
680  }
681  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
682 
683  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
684  for (i = 0; i < 3; i++) {
685  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
686  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
687  }
688  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
689 
690  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
691  for (i = 0; i < 3; i++) {
692  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
693  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
694  }
695  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
696 }
697 
698 void run_tagged_sha256_tests(void) {
699  int ecount = 0;
700  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
701  unsigned char tag[32] = { 0 };
702  unsigned char msg[32] = { 0 };
703  unsigned char hash32[32];
704  unsigned char hash_expected[32] = {
705  0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
706  0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
707  0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
708  0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
709  };
710 
711  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
712 
713  /* API test */
714  CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
715  CHECK(secp256k1_tagged_sha256(none, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
716  CHECK(ecount == 1);
717  CHECK(secp256k1_tagged_sha256(none, hash32, NULL, 0, msg, sizeof(msg)) == 0);
718  CHECK(ecount == 2);
719  CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), NULL, 0) == 0);
720  CHECK(ecount == 3);
721 
722  /* Static test vector */
723  memcpy(tag, "tag", 3);
724  memcpy(msg, "msg", 3);
725  CHECK(secp256k1_tagged_sha256(none, hash32, tag, 3, msg, 3) == 1);
726  CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
727  secp256k1_context_destroy(none);
728 }
729 
730 /***** RANDOM TESTS *****/
731 
732 void test_rand_bits(int rand32, int bits) {
733  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
734  * get a false negative chance below once in a billion */
735  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
736  /* We try multiplying the results with various odd numbers, which shouldn't
737  * influence the uniform distribution modulo a power of 2. */
738  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
739  /* We only select up to 6 bits from the output to analyse */
740  unsigned int usebits = bits > 6 ? 6 : bits;
741  unsigned int maxshift = bits - usebits;
742  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
743  number, track all observed outcomes, one per bit in a uint64_t. */
744  uint64_t x[6][27] = {{0}};
745  unsigned int i, shift, m;
746  /* Multiply the output of all rand calls with the odd number m, which
747  should not change the uniformity of its distribution. */
748  for (i = 0; i < rounds[usebits]; i++) {
749  uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
750  CHECK((((uint64_t)r) >> bits) == 0);
751  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
752  uint32_t rm = r * mults[m];
753  for (shift = 0; shift <= maxshift; shift++) {
754  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
755  }
756  }
757  }
758  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
759  for (shift = 0; shift <= maxshift; shift++) {
760  /* Test that the lower usebits bits of x[shift] are 1 */
761  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
762  }
763  }
764 }
765 
766 /* Subrange must be a whole divisor of range, and at most 64 */
767 void test_rand_int(uint32_t range, uint32_t subrange) {
768  /* (1-1/subrange)^rounds < 1/10^9 */
769  int rounds = (subrange * 2073) / 100;
770  int i;
771  uint64_t x = 0;
772  CHECK((range % subrange) == 0);
773  for (i = 0; i < rounds; i++) {
774  uint32_t r = secp256k1_testrand_int(range);
775  CHECK(r < range);
776  r = r % subrange;
777  x |= (((uint64_t)1) << r);
778  }
779  /* Test that the lower subrange bits of x are 1. */
780  CHECK(((~x) << (64 - subrange)) == 0);
781 }
782 
783 void run_rand_bits(void) {
784  size_t b;
785  test_rand_bits(1, 32);
786  for (b = 1; b <= 32; b++) {
787  test_rand_bits(0, b);
788  }
789 }
790 
791 void run_rand_int(void) {
792  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
793  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
794  unsigned int m, s;
795  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
796  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
797  test_rand_int(ms[m] * ss[s], ss[s]);
798  }
799  }
800 }
801 
802 /***** MODINV TESTS *****/
803 
804 /* Compute the modular inverse of (odd) x mod 2^64. */
805 uint64_t modinv2p64(uint64_t x) {
806  /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
807  * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
808  * why. Start with L=0, for which it is true for every odd x that
809  * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
810  int l;
811  uint64_t w = 1;
812  CHECK(x & 1);
813  for (l = 0; l < 6; ++l) w *= (2 - w*x);
814  return w;
815 }
816 
817 /* compute out = (a*b) mod m; if b=NULL, treat b=1.
818  *
819  * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
820  * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
821 void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
822  uint16_t mul[32];
823  uint64_t c = 0;
824  int i, j;
825  int m_bitlen = 0;
826  int mul_bitlen = 0;
827 
828  if (b != NULL) {
829  /* Compute the product of a and b, and put it in mul. */
830  for (i = 0; i < 32; ++i) {
831  for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
832  c += (uint64_t)a[j] * b[i - j];
833  }
834  mul[i] = c & 0xFFFF;
835  c >>= 16;
836  }
837  CHECK(c == 0);
838 
839  /* compute the highest set bit in mul */
840  for (i = 511; i >= 0; --i) {
841  if ((mul[i >> 4] >> (i & 15)) & 1) {
842  mul_bitlen = i;
843  break;
844  }
845  }
846  } else {
847  /* if b==NULL, set mul=a. */
848  memcpy(mul, a, 32);
849  memset(mul + 16, 0, 32);
850  /* compute the highest set bit in mul */
851  for (i = 255; i >= 0; --i) {
852  if ((mul[i >> 4] >> (i & 15)) & 1) {
853  mul_bitlen = i;
854  break;
855  }
856  }
857  }
858 
859  /* Compute the highest set bit in m. */
860  for (i = 255; i >= 0; --i) {
861  if ((m[i >> 4] >> (i & 15)) & 1) {
862  m_bitlen = i;
863  break;
864  }
865  }
866 
867  /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
868  for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
869  uint16_t mul2[32];
870  int64_t cs;
871 
872  /* Compute mul2 = mul - m<<i. */
873  cs = 0; /* accumulator */
874  for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
875  /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
876  uint16_t sub = 0;
877  int p;
878  for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
879  int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
880  if (bitpos >= 0 && bitpos < 256) {
881  sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
882  }
883  }
884  /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
885  cs += mul[j];
886  cs -= sub;
887  mul2[j] = (cs & 0xFFFF);
888  cs >>= 16;
889  }
890  /* If remainder of subtraction is 0, set mul = mul2. */
891  if (cs == 0) {
892  memcpy(mul, mul2, sizeof(mul));
893  }
894  }
895  /* Sanity check: test that all limbs higher than m's highest are zero */
896  for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
897  CHECK(mul[i] == 0);
898  }
899  memcpy(out, mul, 32);
900 }
901 
902 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
903 void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
904  int i;
905  memset(out->v, 0, sizeof(out->v));
906  for (i = 0; i < 256; ++i) {
907  out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
908  }
909 }
910 
911 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
912 void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
913  int i;
914  memset(out, 0, 32);
915  for (i = 0; i < 256; ++i) {
916  out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
917  }
918 }
919 
920 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
921 void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
922  int i;
923  for (i = 0; i < 16; ++i) {
924  int pos = secp256k1_testrand_bits(3);
925  if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
926  x->v[pos] -= 0x40000000;
927  x->v[pos + 1] += 1;
928  } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
929  x->v[pos] += 0x40000000;
930  x->v[pos + 1] -= 1;
931  }
932  }
933 }
934 
935 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
936 void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
937  uint16_t tmp[16];
938  secp256k1_modinv32_signed30 x;
939  secp256k1_modinv32_modinfo m;
940  int i, vartime, nonzero;
941 
942  uint16_to_signed30(&x, in);
943  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
944  uint16_to_signed30(&m.modulus, mod);
945  mutate_sign_signed30(&m.modulus);
946 
947  /* compute 1/modulus mod 2^30 */
948  m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
949  CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
950 
951  for (vartime = 0; vartime < 2; ++vartime) {
952  /* compute inverse */
953  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
954 
955  /* produce output */
956  signed30_to_uint16(out, &x);
957 
958  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
959  mulmod256(tmp, out, in, mod);
960  CHECK(tmp[0] == nonzero);
961  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
962 
963  /* invert again */
964  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
965 
966  /* check if the result is equal to the input */
967  signed30_to_uint16(tmp, &x);
968  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
969  }
970 }
971 
972 #ifdef SECP256K1_WIDEMUL_INT128
973 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
974 void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
975  int i;
976  memset(out->v, 0, sizeof(out->v));
977  for (i = 0; i < 256; ++i) {
978  out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
979  }
980 }
981 
982 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
983 void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
984  int i;
985  memset(out, 0, 32);
986  for (i = 0; i < 256; ++i) {
987  out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
988  }
989 }
990 
991 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
992 void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
993  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
994  int i;
995  for (i = 0; i < 8; ++i) {
996  int pos = secp256k1_testrand_bits(2);
997  if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
998  x->v[pos] -= (M62 + 1);
999  x->v[pos + 1] += 1;
1000  } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1001  x->v[pos] += (M62 + 1);
1002  x->v[pos + 1] -= 1;
1003  }
1004  }
1005 }
1006 
1007 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1008 void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1009  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1010  uint16_t tmp[16];
1011  secp256k1_modinv64_signed62 x;
1012  secp256k1_modinv64_modinfo m;
1013  int i, vartime, nonzero;
1014 
1015  uint16_to_signed62(&x, in);
1016  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1017  uint16_to_signed62(&m.modulus, mod);
1018  mutate_sign_signed62(&m.modulus);
1019 
1020  /* compute 1/modulus mod 2^62 */
1021  m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1022  CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1023 
1024  for (vartime = 0; vartime < 2; ++vartime) {
1025  /* compute inverse */
1026  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1027 
1028  /* produce output */
1029  signed62_to_uint16(out, &x);
1030 
1031  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1032  mulmod256(tmp, out, in, mod);
1033  CHECK(tmp[0] == nonzero);
1034  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1035 
1036  /* invert again */
1037  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1038 
1039  /* check if the result is equal to the input */
1040  signed62_to_uint16(tmp, &x);
1041  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1042  }
1043 }
1044 #endif
1045 
1046 /* test if a and b are coprime */
1047 int coprime(const uint16_t* a, const uint16_t* b) {
1048  uint16_t x[16], y[16], t[16];
1049  int i;
1050  int iszero;
1051  memcpy(x, a, 32);
1052  memcpy(y, b, 32);
1053 
1054  /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1055  while (1) {
1056  iszero = 1;
1057  for (i = 0; i < 16; ++i) {
1058  if (x[i] != 0) {
1059  iszero = 0;
1060  break;
1061  }
1062  }
1063  if (iszero) break;
1064  mulmod256(t, y, NULL, x);
1065  memcpy(y, x, 32);
1066  memcpy(x, t, 32);
1067  }
1068 
1069  /* return whether y=1 */
1070  if (y[0] != 1) return 0;
1071  for (i = 1; i < 16; ++i) {
1072  if (y[i] != 0) return 0;
1073  }
1074  return 1;
1075 }
1076 
1077 void run_modinv_tests(void) {
1078  /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1079  static const uint16_t CASES[][3][16] = {
1080  /* Test cases triggering edge cases in divsteps */
1081 
1082  /* Test case known to need 713 divsteps */
1083  {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1084  0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1085  {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1086  0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1087  {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1088  0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1089  /* Test case known to need 589 divsteps, reaching delta=-140 and
1090  delta=141. */
1091  {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1092  0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1093  {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1094  0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1095  {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1096  0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1097  /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1098  {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1099  0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1100  {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1101  0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1102  {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1103  0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1104  /* example needing 713 divsteps; delta=-2..3 */
1105  {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1106  0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1107  {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1108  0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1109  {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1110  0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1111  /* example needing 713 divsteps; delta=-2..3 */
1112  {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1113  0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1114  {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1115  0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1116  {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1117  0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1118  /* example needing 713 divsteps; delta=-2..3 */
1119  {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1120  0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1121  {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1122  0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1123  {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1124  0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1125  /* example reaching delta=-64..65; 661 divsteps */
1126  {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1127  0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1128  {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1129  0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1130  {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1131  0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1132  /* example reaching delta=-64..65; 661 divsteps */
1133  {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1134  0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1135  {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1136  0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1137  {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1138  0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1139  /* example reaching delta=-64..65; 661 divsteps */
1140  {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1141  0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1142  {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1143  0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1144  {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1145  0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1146  /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1147  {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1148  0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1149  {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1150  0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1151  {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1152  0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1153  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1154  {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1155  0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1156  {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1157  0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1158  {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1159  0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1160  /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1161  {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1162  0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1163  {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1164  0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1165  {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1166  0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1167  /* example doing 446 (f,g/2) steps; 523 divsteps */
1168  {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1169  0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1170  {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1171  0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1172  {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1173  0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1174  /* example doing 446 (f,g/2) steps; 523 divsteps */
1175  {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1176  0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1177  {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1178  0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1179  {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1180  0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1181  /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1182  {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1183  0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1184  {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1185  0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1186  {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1187  0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1188  /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1189  {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1190  0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1191  {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1192  0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1193  {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1194  0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1195  /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1196  {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1197  0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1198  {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1199  0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1200  {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1201  0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1202  /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1203  {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1204  0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1205  {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1206  0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1207  {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1208  0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1209 
1210  /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1211 
1212  /* example needing 590 divsteps; delta=-5/2..7/2 */
1213  {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1214  0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1215  {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1216  0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1217  {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1218  0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1219  /* example needing 590 divsteps; delta=-3/2..5/2 */
1220  {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1221  0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1222  {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1223  0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1224  {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1225  0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1226  /* example needing 590 divsteps; delta=-3/2..5/2 */
1227  {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1228  0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1229  {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1230  0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1231  {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1232  0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1233  /* example needing 590 divsteps; delta=-5/2..7/2 */
1234  {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1235  0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1236  {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1237  0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1238  {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1239  0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1240  /* example needing 590 divsteps; delta=-3/2..5/2 */
1241  {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1242  0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1243  {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1244  0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1245  {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1246  0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1247  /* example reaching delta=-127/2..129/2; 571 divsteps */
1248  {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1249  0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1250  {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1251  0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1252  {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1253  0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1254  /* example reaching delta=-127/2..129/2; 571 divsteps */
1255  {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1256  0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1257  {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1258  0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1259  {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1260  0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1261  /* example reaching delta=-127/2..129/2; 571 divsteps */
1262  {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1263  0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1264  {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1265  0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1266  {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1267  0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1268  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1269  {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1270  0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1271  {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1272  0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1273  {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1274  0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1275  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1276  {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1277  0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1278  {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1279  0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1280  {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1281  0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1282  /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1283  {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1284  0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1285  {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1286  0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1287  {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1288  0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1289  /* example doing 453 (f,g/2) steps; 514 divsteps */
1290  {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1291  0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1292  {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1293  0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1294  {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1295  0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1296  /* example doing 453 (f,g/2) steps; 514 divsteps */
1297  {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1298  0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1299  {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1300  0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1301  {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1302  0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1303  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1304  {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1305  0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1306  {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1307  0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1308  {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1309  0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1310  /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1311  {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1312  0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1313  {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1314  0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1315  {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1316  0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1317  /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1318  {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1319  0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1320  {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1321  0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1322  {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1323  0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1324  /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1325  {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1326  0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1327  {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1328  0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1329  {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1330  0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1331 
1332  /* Test cases with the group order as modulus. */
1333 
1334  /* Test case with the group order as modulus, needing 635 divsteps. */
1335  {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1336  0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1337  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1338  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1339  {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1340  0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1341  /* example with group size as modulus needing 631 divsteps */
1342  {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1343  0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1344  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1345  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1346  {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1347  0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1348  /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1349  {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1350  0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1351  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1352  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1353  {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1354  0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1355  /* Test case with the group size as modulus, needing 981 divsteps with
1356  broken eta handling. */
1357  {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1358  0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1359  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1360  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1361  {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1362  0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1363  /* Test case with the group size as modulus, input = 0. */
1364  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1365  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1366  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1367  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1368  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1369  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1370  /* Test case with the group size as modulus, input = 1. */
1371  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1372  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1373  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1374  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1375  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1376  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1377  /* Test case with the group size as modulus, input = 2. */
1378  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1379  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1380  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1381  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1382  {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1383  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1384  /* Test case with the group size as modulus, input = group - 1. */
1385  {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1386  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1387  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1388  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1389  {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1390  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1391 
1392  /* Test cases with the field size as modulus. */
1393 
1394  /* Test case with the field size as modulus, needing 637 divsteps. */
1395  {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1396  0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1397  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1398  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1399  {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1400  0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1401  /* example with field size as modulus needing 637 divsteps */
1402  {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1403  0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1404  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1405  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1406  {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1407  0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1408  /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1409  {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1410  0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1411  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1412  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1413  {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1414  0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1415  /* Test case with the field size as modulus, needing 935 divsteps with
1416  broken eta handling. */
1417  {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1418  0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1419  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1420  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1421  {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1422  0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1423  /* Test case with the field size as modulus, input = 0. */
1424  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1425  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1426  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1427  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1428  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1429  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1430  /* Test case with the field size as modulus, input = 1. */
1431  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1432  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1433  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1434  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1435  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1436  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1437  /* Test case with the field size as modulus, input = 2. */
1438  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1439  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1440  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1441  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1442  {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1443  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1444  /* Test case with the field size as modulus, input = field - 1. */
1445  {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1446  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1447  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1448  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1449  {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1450  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1451 
1452  /* Selected from a large number of random inputs to reach small/large
1453  * d/e values in various configurations. */
1454  {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1455  0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1456  {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1457  0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1458  {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1459  0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1460  {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1461  0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1462  {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1463  0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1464  {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1465  0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1466  {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1467  0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1468  {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1469  0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1470  {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1471  0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1472  {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1473  0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1474  {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1475  0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1476  {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1477  0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1478  {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1479  0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1480  {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1481  0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1482  {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1483  0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1484  {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1485  0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1486  {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1487  0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1488  {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1489  0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1490  {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1491  0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1492  {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1493  0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1494  {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1495  0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1496  {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1497  0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1498  {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1499  0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1500  {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1501  0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1502  {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1503  0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1504  {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1505  0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1506  {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1507  0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1508  {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1509  0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1510  {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1511  0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1512  {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1513  0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1514  {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1515  0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1516  {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1517  0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1518  {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1519  0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1520  {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1521  0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1522  {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1523  0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1524  {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1525  0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1526  {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1527  0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1528  {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1529  0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1530  {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1531  0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1532  {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1533  0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1534  {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1535  0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1536  {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1537  0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1538  {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1539  0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1540  {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1541  0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1542  {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1543  0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1544  {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1545  0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1546  {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1547  0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1548  {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1549  0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1550  {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1551  0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1552  {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1553  0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1554  {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1555  0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1556  {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1557  0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1558  {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1559  0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1560  {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1561  0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1562  {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1563  0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1564  {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1565  0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1566  {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1567  0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1568  {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1569  0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1570  {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1571  0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1572  {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1573  0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1574  {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1575  0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1576  {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1577  0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1578  {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1579  0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1580  {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1581  0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1582  {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1583  0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1584  {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1585  0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1586  {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1587  0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1588  {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1589  0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1590  {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1591  0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1592  {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1593  0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1594  {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1595  0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1596  {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1597  0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1598  {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1599  0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1600  {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1601  0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1602  {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1603  0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1604  {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1605  0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1606  {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1607  0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1608  {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1609  0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1610  {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1611  0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1612  {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1613  0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1614  {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1615  0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1616  {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1617  0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1618  {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1619  0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1620  {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1621  0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1622  {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1623  0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1624  {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1625  0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1626  {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1627  0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1628  {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1629  0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1630  {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1631  0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1632  {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1633  0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1634  {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1635  0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1636  {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1637  0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1638  {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1639  0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1640  {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1641  0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1642  {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1643  0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1644  {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1645  0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1646  {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1647  0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1648  {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1649  0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1650  {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1651  0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1652  {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1653  0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1654  {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1655  0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1656  {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1657  0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1658  {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1659  0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1660  {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1661  0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1662  {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1663  0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1664  };
1665 
1666  int i, j, ok;
1667 
1668  /* Test known inputs/outputs */
1669  for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1670  uint16_t out[16];
1671  test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1672  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1673 #ifdef SECP256K1_WIDEMUL_INT128
1674  test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1675  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1676 #endif
1677  }
1678 
1679  for (i = 0; i < 100 * count; ++i) {
1680  /* 256-bit numbers in 16-uint16_t's notation */
1681  static const uint16_t ZERO[16] = {0};
1682  uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1683  uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1684  uint16_t id[16]; /* the inverse of xd mod md */
1685 
1686  /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1687  do {
1688  /* generate random xd and md (with many subsequent 0s and 1s) */
1689  secp256k1_testrand256_test((unsigned char*)xd);
1690  secp256k1_testrand256_test((unsigned char*)md);
1691  md[0] |= 1; /* modulus must be odd */
1692  /* If modulus is 1, find another one. */
1693  ok = md[0] != 1;
1694  for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1695  mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1696  } while (!(ok && coprime(xd, md)));
1697 
1698  test_modinv32_uint16(id, xd, md);
1699 #ifdef SECP256K1_WIDEMUL_INT128
1700  test_modinv64_uint16(id, xd, md);
1701 #endif
1702 
1703  /* In a few cases, also test with input=0 */
1704  if (i < count) {
1705  test_modinv32_uint16(id, ZERO, md);
1706 #ifdef SECP256K1_WIDEMUL_INT128
1707  test_modinv64_uint16(id, ZERO, md);
1708 #endif
1709  }
1710  }
1711 }
1712 
1713 /***** SCALAR TESTS *****/
1714 
1715 
1716 void scalar_test(void) {
1717  secp256k1_scalar s;
1718  secp256k1_scalar s1;
1719  secp256k1_scalar s2;
1720  unsigned char c[32];
1721 
1722  /* Set 's' to a random scalar, with value 'snum'. */
1723  random_scalar_order_test(&s);
1724 
1725  /* Set 's1' to a random scalar, with value 's1num'. */
1726  random_scalar_order_test(&s1);
1727 
1728  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1729  random_scalar_order_test(&s2);
1730  secp256k1_scalar_get_b32(c, &s2);
1731 
1732  {
1733  int i;
1734  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1735  secp256k1_scalar n;
1736  secp256k1_scalar_set_int(&n, 0);
1737  for (i = 0; i < 256; i += 4) {
1738  secp256k1_scalar t;
1739  int j;
1740  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1741  for (j = 0; j < 4; j++) {
1742  secp256k1_scalar_add(&n, &n, &n);
1743  }
1744  secp256k1_scalar_add(&n, &n, &t);
1745  }
1746  CHECK(secp256k1_scalar_eq(&n, &s));
1747  }
1748 
1749  {
1750  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1751  secp256k1_scalar n;
1752  int i = 0;
1753  secp256k1_scalar_set_int(&n, 0);
1754  while (i < 256) {
1755  secp256k1_scalar t;
1756  int j;
1757  int now = secp256k1_testrand_int(15) + 1;
1758  if (now + i > 256) {
1759  now = 256 - i;
1760  }
1761  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1762  for (j = 0; j < now; j++) {
1763  secp256k1_scalar_add(&n, &n, &n);
1764  }
1765  secp256k1_scalar_add(&n, &n, &t);
1766  i += now;
1767  }
1768  CHECK(secp256k1_scalar_eq(&n, &s));
1769  }
1770 
1771  {
1772  /* test secp256k1_scalar_shr_int */
1773  secp256k1_scalar r;
1774  int i;
1775  random_scalar_order_test(&r);
1776  for (i = 0; i < 100; ++i) {
1777  int low;
1778  int shift = 1 + secp256k1_testrand_int(15);
1779  int expected = r.d[0] % (1 << shift);
1780  low = secp256k1_scalar_shr_int(&r, shift);
1781  CHECK(expected == low);
1782  }
1783  }
1784 
1785  {
1786  /* Test commutativity of add. */
1787  secp256k1_scalar r1, r2;
1788  secp256k1_scalar_add(&r1, &s1, &s2);
1789  secp256k1_scalar_add(&r2, &s2, &s1);
1790  CHECK(secp256k1_scalar_eq(&r1, &r2));
1791  }
1792 
1793  {
1794  secp256k1_scalar r1, r2;
1795  secp256k1_scalar b;
1796  int i;
1797  /* Test add_bit. */
1798  int bit = secp256k1_testrand_bits(8);
1799  secp256k1_scalar_set_int(&b, 1);
1800  CHECK(secp256k1_scalar_is_one(&b));
1801  for (i = 0; i < bit; i++) {
1802  secp256k1_scalar_add(&b, &b, &b);
1803  }
1804  r1 = s1;
1805  r2 = s1;
1806  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1807  /* No overflow happened. */
1808  secp256k1_scalar_cadd_bit(&r2, bit, 1);
1809  CHECK(secp256k1_scalar_eq(&r1, &r2));
1810  /* cadd is a noop when flag is zero */
1811  secp256k1_scalar_cadd_bit(&r2, bit, 0);
1812  CHECK(secp256k1_scalar_eq(&r1, &r2));
1813  }
1814  }
1815 
1816  {
1817  /* Test commutativity of mul. */
1818  secp256k1_scalar r1, r2;
1819  secp256k1_scalar_mul(&r1, &s1, &s2);
1820  secp256k1_scalar_mul(&r2, &s2, &s1);
1821  CHECK(secp256k1_scalar_eq(&r1, &r2));
1822  }
1823 
1824  {
1825  /* Test associativity of add. */
1826  secp256k1_scalar r1, r2;
1827  secp256k1_scalar_add(&r1, &s1, &s2);
1828  secp256k1_scalar_add(&r1, &r1, &s);
1829  secp256k1_scalar_add(&r2, &s2, &s);
1830  secp256k1_scalar_add(&r2, &s1, &r2);
1831  CHECK(secp256k1_scalar_eq(&r1, &r2));
1832  }
1833 
1834  {
1835  /* Test associativity of mul. */
1836  secp256k1_scalar r1, r2;
1837  secp256k1_scalar_mul(&r1, &s1, &s2);
1838  secp256k1_scalar_mul(&r1, &r1, &s);
1839  secp256k1_scalar_mul(&r2, &s2, &s);
1840  secp256k1_scalar_mul(&r2, &s1, &r2);
1841  CHECK(secp256k1_scalar_eq(&r1, &r2));
1842  }
1843 
1844  {
1845  /* Test distributitivity of mul over add. */
1846  secp256k1_scalar r1, r2, t;
1847  secp256k1_scalar_add(&r1, &s1, &s2);
1848  secp256k1_scalar_mul(&r1, &r1, &s);
1849  secp256k1_scalar_mul(&r2, &s1, &s);
1850  secp256k1_scalar_mul(&t, &s2, &s);
1851  secp256k1_scalar_add(&r2, &r2, &t);
1852  CHECK(secp256k1_scalar_eq(&r1, &r2));
1853  }
1854 
1855  {
1856  /* Test multiplicative identity. */
1857  secp256k1_scalar r1, v1;
1858  secp256k1_scalar_set_int(&v1,1);
1859  secp256k1_scalar_mul(&r1, &s1, &v1);
1860  CHECK(secp256k1_scalar_eq(&r1, &s1));
1861  }
1862 
1863  {
1864  /* Test additive identity. */
1865  secp256k1_scalar r1, v0;
1866  secp256k1_scalar_set_int(&v0,0);
1867  secp256k1_scalar_add(&r1, &s1, &v0);
1868  CHECK(secp256k1_scalar_eq(&r1, &s1));
1869  }
1870 
1871  {
1872  /* Test zero product property. */
1873  secp256k1_scalar r1, v0;
1874  secp256k1_scalar_set_int(&v0,0);
1875  secp256k1_scalar_mul(&r1, &s1, &v0);
1876  CHECK(secp256k1_scalar_eq(&r1, &v0));
1877  }
1878 
1879 }
1880 
1881 void run_scalar_set_b32_seckey_tests(void) {
1882  unsigned char b32[32];
1883  secp256k1_scalar s1;
1884  secp256k1_scalar s2;
1885 
1886  /* Usually set_b32 and set_b32_seckey give the same result */
1887  random_scalar_order_b32(b32);
1888  secp256k1_scalar_set_b32(&s1, b32, NULL);
1889  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1890  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1891 
1892  memset(b32, 0, sizeof(b32));
1893  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1894  memset(b32, 0xFF, sizeof(b32));
1895  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1896 }
1897 
1898 void run_scalar_tests(void) {
1899  int i;
1900  for (i = 0; i < 128 * count; i++) {
1901  scalar_test();
1902  }
1903  for (i = 0; i < count; i++) {
1904  run_scalar_set_b32_seckey_tests();
1905  }
1906 
1907  {
1908  /* (-1)+1 should be zero. */
1909  secp256k1_scalar s, o;
1910  secp256k1_scalar_set_int(&s, 1);
1911  CHECK(secp256k1_scalar_is_one(&s));
1912  secp256k1_scalar_negate(&o, &s);
1913  secp256k1_scalar_add(&o, &o, &s);
1914  CHECK(secp256k1_scalar_is_zero(&o));
1915  secp256k1_scalar_negate(&o, &o);
1916  CHECK(secp256k1_scalar_is_zero(&o));
1917  }
1918 
1919  {
1920  /* Does check_overflow check catch all ones? */
1921  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1922  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1923  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1924  );
1925  CHECK(secp256k1_scalar_check_overflow(&overflowed));
1926  }
1927 
1928  {
1929  /* Static test vectors.
1930  * These were reduced from ~10^12 random vectors based on comparison-decision
1931  * and edge-case coverage on 32-bit and 64-bit implementations.
1932  * The responses were generated with Sage 5.9.
1933  */
1934  secp256k1_scalar x;
1935  secp256k1_scalar y;
1936  secp256k1_scalar z;
1937  secp256k1_scalar zz;
1938  secp256k1_scalar one;
1939  secp256k1_scalar r1;
1940  secp256k1_scalar r2;
1941  secp256k1_scalar zzv;
1942  int overflow;
1943  unsigned char chal[33][2][32] = {
1944  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1945  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1946  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1947  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1948  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1949  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1950  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1951  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1952  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1953  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1954  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1955  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1956  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1957  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1958  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1959  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1960  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1961  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1962  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1963  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1964  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1965  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1966  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1967  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1968  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1969  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1970  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1971  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1972  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1973  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1974  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1975  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1976  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1977  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1978  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1979  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1980  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1981  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1982  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1983  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1984  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1985  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1986  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1987  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1988  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1989  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1990  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1991  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1992  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1993  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1994  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1995  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1996  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1997  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1998  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1999  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2000  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2001  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2002  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2003  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2004  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2005  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2006  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2007  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2008  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2009  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2010  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2011  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2012  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2013  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2014  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2015  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2016  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2017  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2018  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2019  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2020  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2021  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2022  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2023  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2024  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2025  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2026  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2027  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2028  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2029  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2030  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2031  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2032  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2033  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2034  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2035  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2036  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2037  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2038  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2039  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2040  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2041  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2042  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2043  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2044  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2045  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2046  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2047  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2048  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2049  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2050  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2051  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2052  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2053  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2054  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2055  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2056  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2057  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2058  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2059  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2060  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2061  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2062  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2063  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2064  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2065  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2066  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2067  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2068  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2069  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2070  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2071  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2072  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2073  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2074  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2075  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2076  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2077  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2078  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2079  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2080  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2081  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2082  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2083  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2084  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2085  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2086  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2087  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2088  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2089  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2090  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2091  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2092  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2093  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2094  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2095  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2096  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2097  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2098  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2099  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2100  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2101  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2102  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2103  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2104  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2105  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2106  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2107  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2108  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2109  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2110  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2111  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2112  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2113  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2114  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2115  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2116  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2117  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2118  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2119  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2120  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2121  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2122  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2123  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2124  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2125  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2126  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2127  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2128  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2129  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2130  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2131  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2132  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2133  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2134  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2135  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2136  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2137  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2138  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2139  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2140  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2141  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2142  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2143  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2144  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2145  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2146  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2147  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2148  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2149  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2150  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2151  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2152  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2153  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2154  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2155  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2156  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2157  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2158  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2159  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2160  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2161  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2162  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2163  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2164  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2165  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2166  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2167  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2168  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2169  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2170  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2171  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2172  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2173  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2174  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2175  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2176  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2177  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2178  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2179  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2180  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2181  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2182  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2183  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2184  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2185  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2186  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2187  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2188  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2189  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2190  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2191  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2192  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2193  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2194  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2195  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2196  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2197  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2198  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2199  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2200  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2201  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2202  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2203  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2204  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2205  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2206  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2207  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2208  };
2209  unsigned char res[33][2][32] = {
2210  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2211  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2212  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2213  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2214  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2215  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2216  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2217  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2218  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2219  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2220  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2221  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2222  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2223  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2224  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2225  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2226  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2227  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2228  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2229  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2230  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2231  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2232  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2233  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2234  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2235  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2236  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2237  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2238  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2239  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2240  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2241  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2242  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2243  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2244  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2245  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2246  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2247  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2248  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2249  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2250  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2251  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2252  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2253  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2254  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2255  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2256  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2257  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2258  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2259  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2260  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2261  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2262  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2263  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2264  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2265  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2266  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2267  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2268  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2269  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2270  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2271  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2272  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2273  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2274  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2275  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2276  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2277  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2278  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2279  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2280  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2281  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2282  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2283  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2284  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2285  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2286  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2287  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2288  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2289  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2290  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2291  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2292  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2293  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2294  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2295  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2296  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2297  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2298  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2299  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2300  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2301  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2302  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2303  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2304  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2305  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2306  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2307  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2308  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2309  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2310  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2311  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2312  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2313  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2314  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2315  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2316  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2317  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2318  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2319  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2320  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2321  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2322  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2323  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2324  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2325  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2326  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2327  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2328  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2329  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2330  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2331  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2332  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2333  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2334  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2335  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2336  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2337  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2338  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2339  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2340  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2341  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2342  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2343  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2344  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2345  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2346  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2347  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2348  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2349  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2350  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2351  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2352  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2353  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2354  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2355  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2356  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2357  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2358  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2359  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2360  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2361  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2362  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2363  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2364  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2365  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2366  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2367  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2368  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2369  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2370  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2371  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2372  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2373  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2374  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2375  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2376  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2377  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2378  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2379  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2380  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2381  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2382  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2383  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2384  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2385  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2386  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2387  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2388  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2389  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2390  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2391  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2392  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2393  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2394  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2395  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2396  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2397  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2398  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2399  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2400  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2401  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2402  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2403  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2404  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2405  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2406  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2407  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2408  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2409  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2410  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2411  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2412  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2413  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2414  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2415  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2416  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2417  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2418  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2419  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2420  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2421  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2422  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2423  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2424  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2425  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2426  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2427  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2428  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2429  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2430  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2431  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2432  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2433  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2434  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2435  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2436  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2437  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2438  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2439  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2440  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2441  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2442  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2443  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2444  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2445  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2446  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2447  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2448  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2449  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2450  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2451  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2452  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2453  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2454  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2455  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2456  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2457  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2458  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2459  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2460  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2461  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2462  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2463  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2464  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2465  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2466  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2467  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2468  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2469  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2470  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2471  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2472  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2473  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2474  };
2475  secp256k1_scalar_set_int(&one, 1);
2476  for (i = 0; i < 33; i++) {
2477  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2478  CHECK(!overflow);
2479  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2480  CHECK(!overflow);
2481  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2482  CHECK(!overflow);
2483  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2484  CHECK(!overflow);
2485  secp256k1_scalar_mul(&z, &x, &y);
2486  CHECK(!secp256k1_scalar_check_overflow(&z));
2487  CHECK(secp256k1_scalar_eq(&r1, &z));
2488  if (!secp256k1_scalar_is_zero(&y)) {
2489  secp256k1_scalar_inverse(&zz, &y);
2490  CHECK(!secp256k1_scalar_check_overflow(&zz));
2491  secp256k1_scalar_inverse_var(&zzv, &y);
2492  CHECK(secp256k1_scalar_eq(&zzv, &zz));
2493  secp256k1_scalar_mul(&z, &z, &zz);
2494  CHECK(!secp256k1_scalar_check_overflow(&z));
2495  CHECK(secp256k1_scalar_eq(&x, &z));
2496  secp256k1_scalar_mul(&zz, &zz, &y);
2497  CHECK(!secp256k1_scalar_check_overflow(&zz));
2498  CHECK(secp256k1_scalar_eq(&one, &zz));
2499  }
2500  }
2501  }
2502 }
2503 
2504 /***** FIELD TESTS *****/
2505 
2506 void random_fe(secp256k1_fe *x) {
2507  unsigned char bin[32];
2508  do {
2509  secp256k1_testrand256(bin);
2510  if (secp256k1_fe_set_b32(x, bin)) {
2511  return;
2512  }
2513  } while(1);
2514 }
2515 
2516 void random_fe_test(secp256k1_fe *x) {
2517  unsigned char bin[32];
2518  do {
2519  secp256k1_testrand256_test(bin);
2520  if (secp256k1_fe_set_b32(x, bin)) {
2521  return;
2522  }
2523  } while(1);
2524 }
2525 
2526 void random_fe_non_zero(secp256k1_fe *nz) {
2527  int tries = 10;
2528  while (--tries >= 0) {
2529  random_fe(nz);
2530  secp256k1_fe_normalize(nz);
2531  if (!secp256k1_fe_is_zero(nz)) {
2532  break;
2533  }
2534  }
2535  /* Infinitesimal probability of spurious failure here */
2536  CHECK(tries >= 0);
2537 }
2538 
2539 void random_fe_non_square(secp256k1_fe *ns) {
2540  secp256k1_fe r;
2541  random_fe_non_zero(ns);
2542  if (secp256k1_fe_sqrt(&r, ns)) {
2543  secp256k1_fe_negate(ns, ns, 1);
2544  }
2545 }
2546 
2547 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2548  secp256k1_fe an = *a;
2549  secp256k1_fe bn = *b;
2550  secp256k1_fe_normalize_weak(&an);
2551  secp256k1_fe_normalize_var(&bn);
2552  return secp256k1_fe_equal_var(&an, &bn);
2553 }
2554 
2555 void run_field_convert(void) {
2556  static const unsigned char b32[32] = {
2557  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2558  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2559  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2560  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2561  };
2562  static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
2563  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2564  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2565  );
2566  static const secp256k1_fe fe = SECP256K1_FE_CONST(
2567  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2568  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2569  );
2570  secp256k1_fe fe2;
2571  unsigned char b322[32];
2572  secp256k1_fe_storage fes2;
2573  /* Check conversions to fe. */
2574  CHECK(secp256k1_fe_set_b32(&fe2, b32));
2575  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2576  secp256k1_fe_from_storage(&fe2, &fes);
2577  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2578  /* Check conversion from fe. */
2579  secp256k1_fe_get_b32(b322, &fe);
2580  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2581  secp256k1_fe_to_storage(&fes2, &fe);
2582  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2583 }
2584 
2585 /* Returns true if two field elements have the same representation. */
2586 int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
2587  int ret = 1;
2588 #ifdef VERIFY
2589  ret &= (a->magnitude == b->magnitude);
2590  ret &= (a->normalized == b->normalized);
2591 #endif
2592  /* Compare the struct member that holds the limbs. */
2593  ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
2594  return ret;
2595 }
2596 
2597 void run_field_half(void) {
2598  secp256k1_fe t, u;
2599  int m;
2600 
2601  /* Check magnitude 0 input */
2602  secp256k1_fe_get_bounds(&t, 0);
2603  secp256k1_fe_half(&t);
2604 #ifdef VERIFY
2605  CHECK(t.magnitude == 1);
2606  CHECK(t.normalized == 0);
2607 #endif
2608  CHECK(secp256k1_fe_normalizes_to_zero(&t));
2609 
2610  /* Check non-zero magnitudes in the supported range */
2611  for (m = 1; m < 32; m++) {
2612  /* Check max-value input */
2613  secp256k1_fe_get_bounds(&t, m);
2614 
2615  u = t;
2616  secp256k1_fe_half(&u);
2617 #ifdef VERIFY
2618  CHECK(u.magnitude == (m >> 1) + 1);
2619  CHECK(u.normalized == 0);
2620 #endif
2621  secp256k1_fe_normalize_weak(&u);
2622  secp256k1_fe_add(&u, &u);
2623  CHECK(check_fe_equal(&t, &u));
2624 
2625  /* Check worst-case input: ensure the LSB is 1 so that P will be added,
2626  * which will also cause all carries to be 1, since all limbs that can
2627  * generate a carry are initially even and all limbs of P are odd in
2628  * every existing field implementation. */
2629  secp256k1_fe_get_bounds(&t, m);
2630  CHECK(t.n[0] > 0);
2631  CHECK((t.n[0] & 1) == 0);
2632  --t.n[0];
2633 
2634  u = t;
2635  secp256k1_fe_half(&u);
2636 #ifdef VERIFY
2637  CHECK(u.magnitude == (m >> 1) + 1);
2638  CHECK(u.normalized == 0);
2639 #endif
2640  secp256k1_fe_normalize_weak(&u);
2641  secp256k1_fe_add(&u, &u);
2642  CHECK(check_fe_equal(&t, &u));
2643  }
2644 }
2645 
2646 void run_field_misc(void) {
2647  secp256k1_fe x;
2648  secp256k1_fe y;
2649  secp256k1_fe z;
2650  secp256k1_fe q;
2651  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2652  int i, j;
2653  for (i = 0; i < 1000 * count; i++) {
2654  secp256k1_fe_storage xs, ys, zs;
2655  if (i & 1) {
2656  random_fe(&x);
2657  } else {
2658  random_fe_test(&x);
2659  }
2660  random_fe_non_zero(&y);
2661  /* Test the fe equality and comparison operations. */
2662  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
2663  CHECK(secp256k1_fe_equal_var(&x, &x));
2664  z = x;
2665  secp256k1_fe_add(&z,&y);
2666  /* Test fe conditional move; z is not normalized here. */
2667  q = x;
2668  secp256k1_fe_cmov(&x, &z, 0);
2669 #ifdef VERIFY
2670  CHECK(x.normalized && x.magnitude == 1);
2671 #endif
2672  secp256k1_fe_cmov(&x, &x, 1);
2673  CHECK(!fe_identical(&x, &z));
2674  CHECK(fe_identical(&x, &q));
2675  secp256k1_fe_cmov(&q, &z, 1);
2676 #ifdef VERIFY
2677  CHECK(!q.normalized && q.magnitude == z.magnitude);
2678 #endif
2679  CHECK(fe_identical(&q, &z));
2680  secp256k1_fe_normalize_var(&x);
2681  secp256k1_fe_normalize_var(&z);
2682  CHECK(!secp256k1_fe_equal_var(&x, &z));
2683  secp256k1_fe_normalize_var(&q);
2684  secp256k1_fe_cmov(&q, &z, (i&1));
2685 #ifdef VERIFY
2686  CHECK(q.normalized && q.magnitude == 1);
2687 #endif
2688  for (j = 0; j < 6; j++) {
2689  secp256k1_fe_negate(&z, &z, j+1);
2690  secp256k1_fe_normalize_var(&q);
2691  secp256k1_fe_cmov(&q, &z, (j&1));
2692 #ifdef VERIFY
2693  CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2694 #endif
2695  }
2696  secp256k1_fe_normalize_var(&z);
2697  /* Test storage conversion and conditional moves. */
2698  secp256k1_fe_to_storage(&xs, &x);
2699  secp256k1_fe_to_storage(&ys, &y);
2700  secp256k1_fe_to_storage(&zs, &z);
2701  secp256k1_fe_storage_cmov(&zs, &xs, 0);
2702  secp256k1_fe_storage_cmov(&zs, &zs, 1);
2703  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2704  secp256k1_fe_storage_cmov(&ys, &xs, 1);
2705  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2706  secp256k1_fe_from_storage(&x, &xs);
2707  secp256k1_fe_from_storage(&y, &ys);
2708  secp256k1_fe_from_storage(&z, &zs);
2709  /* Test that mul_int, mul, and add agree. */
2710  secp256k1_fe_add(&y, &x);
2711  secp256k1_fe_add(&y, &x);
2712  z = x;
2713  secp256k1_fe_mul_int(&z, 3);
2714  CHECK(check_fe_equal(&y, &z));
2715  secp256k1_fe_add(&y, &x);
2716  secp256k1_fe_add(&z, &x);
2717  CHECK(check_fe_equal(&z, &y));
2718  z = x;
2719  secp256k1_fe_mul_int(&z, 5);
2720  secp256k1_fe_mul(&q, &x, &fe5);
2721  CHECK(check_fe_equal(&z, &q));
2722  secp256k1_fe_negate(&x, &x, 1);
2723  secp256k1_fe_add(&z, &x);
2724  secp256k1_fe_add(&q, &x);
2725  CHECK(check_fe_equal(&y, &z));
2726  CHECK(check_fe_equal(&q, &y));
2727  /* Check secp256k1_fe_half. */
2728  z = x;
2729  secp256k1_fe_half(&z);
2730  secp256k1_fe_add(&z, &z);
2731  CHECK(check_fe_equal(&x, &z));
2732  secp256k1_fe_add(&z, &z);
2733  secp256k1_fe_half(&z);
2734  CHECK(check_fe_equal(&x, &z));
2735  }
2736 }
2737 
2738 void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
2739 {
2740  secp256k1_fe c, an, bn;
2741  /* Variables in BE 32-byte format. */
2742  unsigned char a32[32], b32[32], c32[32];
2743  /* Variables in LE 16x uint16_t format. */
2744  uint16_t a16[16], b16[16], c16[16];
2745  /* Field modulus in LE 16x uint16_t format. */
2746  static const uint16_t m16[16] = {
2747  0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2748  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2749  };
2750  uint16_t t16[32];
2751  int i;
2752 
2753  /* Compute C = A * B in fe format. */
2754  c = *a;
2755  if (use_sqr) {
2756  secp256k1_fe_sqr(&c, &c);
2757  } else {
2758  secp256k1_fe_mul(&c, &c, b);
2759  }
2760 
2761  /* Convert A, B, C into LE 16x uint16_t format. */
2762  an = *a;
2763  bn = *b;
2764  secp256k1_fe_normalize_var(&c);
2765  secp256k1_fe_normalize_var(&an);
2766  secp256k1_fe_normalize_var(&bn);
2767  secp256k1_fe_get_b32(a32, &an);
2768  secp256k1_fe_get_b32(b32, &bn);
2769  secp256k1_fe_get_b32(c32, &c);
2770  for (i = 0; i < 16; ++i) {
2771  a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
2772  b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
2773  c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
2774  }
2775  /* Compute T = A * B in LE 16x uint16_t format. */
2776  mulmod256(t16, a16, b16, m16);
2777  /* Compare */
2778  CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
2779 }
2780 
2781 void run_fe_mul(void) {
2782  int i;
2783  for (i = 0; i < 100 * count; ++i) {
2784  secp256k1_fe a, b, c, d;
2785  random_fe(&a);
2786  random_field_element_magnitude(&a);
2787  random_fe(&b);
2788  random_field_element_magnitude(&b);
2789  random_fe_test(&c);
2790  random_field_element_magnitude(&c);
2791  random_fe_test(&d);
2792  random_field_element_magnitude(&d);
2793  test_fe_mul(&a, &a, 1);
2794  test_fe_mul(&c, &c, 1);
2795  test_fe_mul(&a, &b, 0);
2796  test_fe_mul(&a, &c, 0);
2797  test_fe_mul(&c, &b, 0);
2798  test_fe_mul(&c, &d, 0);
2799  }
2800 }
2801 
2802 void run_sqr(void) {
2803  secp256k1_fe x, s;
2804 
2805  {
2806  int i;
2807  secp256k1_fe_set_int(&x, 1);
2808  secp256k1_fe_negate(&x, &x, 1);
2809 
2810  for (i = 1; i <= 512; ++i) {
2811  secp256k1_fe_mul_int(&x, 2);
2812  secp256k1_fe_normalize(&x);
2813  secp256k1_fe_sqr(&s, &x);
2814  }
2815  }
2816 }
2817 
2818 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2819  secp256k1_fe r1, r2;
2820  int v = secp256k1_fe_sqrt(&r1, a);
2821  CHECK((v == 0) == (k == NULL));
2822 
2823  if (k != NULL) {
2824  /* Check that the returned root is +/- the given known answer */
2825  secp256k1_fe_negate(&r2, &r1, 1);
2826  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2827  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2828  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2829  }
2830 }
2831 
2832 void run_sqrt(void) {
2833  secp256k1_fe ns, x, s, t;
2834  int i;
2835 
2836  /* Check sqrt(0) is 0 */
2837  secp256k1_fe_set_int(&x, 0);
2838  secp256k1_fe_sqr(&s, &x);
2839  test_sqrt(&s, &x);
2840 
2841  /* Check sqrt of small squares (and their negatives) */
2842  for (i = 1; i <= 100; i++) {
2843  secp256k1_fe_set_int(&x, i);
2844  secp256k1_fe_sqr(&s, &x);
2845  test_sqrt(&s, &x);
2846  secp256k1_fe_negate(&t, &s, 1);
2847  test_sqrt(&t, NULL);
2848  }
2849 
2850  /* Consistency checks for large random values */
2851  for (i = 0; i < 10; i++) {
2852  int j;
2853  random_fe_non_square(&ns);
2854  for (j = 0; j < count; j++) {
2855  random_fe(&x);
2856  secp256k1_fe_sqr(&s, &x);
2857  test_sqrt(&s, &x);
2858  secp256k1_fe_negate(&t, &s, 1);
2859  test_sqrt(&t, NULL);
2860  secp256k1_fe_mul(&t, &s, &ns);
2861  test_sqrt(&t, NULL);
2862  }
2863  }
2864 }
2865 
2866 /***** FIELD/SCALAR INVERSE TESTS *****/
2867 
2868 static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
2869  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2870  0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2871 );
2872 
2873 static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
2874  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2875  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2876 );
2877 
2878 /* These tests test the following identities:
2879  *
2880  * for x==0: 1/x == 0
2881  * for x!=0: x*(1/x) == 1
2882  * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2883  */
2884 
2885 void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
2886 {
2887  secp256k1_scalar l, r, t;
2888 
2889  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
2890  if (out) *out = l;
2891  if (secp256k1_scalar_is_zero(x)) {
2892  CHECK(secp256k1_scalar_is_zero(&l));
2893  return;
2894  }
2895  secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
2896  CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
2897  secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2898  if (secp256k1_scalar_is_zero(&r)) return;
2899  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
2900  secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2901  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
2902  secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
2903  secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2904  CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
2905 }
2906 
2907 void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
2908 {
2909  secp256k1_fe l, r, t;
2910 
2911  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
2912  if (out) *out = l;
2913  t = *x; /* t = x */
2914  if (secp256k1_fe_normalizes_to_zero_var(&t)) {
2915  CHECK(secp256k1_fe_normalizes_to_zero(&l));
2916  return;
2917  }
2918  secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
2919  secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
2920  CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
2921  r = *x; /* r = x */
2922  secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
2923  if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
2924  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
2925  secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
2926  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
2927  secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
2928  secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2929  CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
2930 }
2931 
2932 void run_inverse_tests(void)
2933 {
2934  /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
2935  static const secp256k1_fe fe_cases[][2] = {
2936  /* 0 */
2937  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2938  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2939  /* 1 */
2940  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2941  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2942  /* -1 */
2943  {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
2944  SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
2945  /* 2 */
2946  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2947  SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
2948  /* 2**128 */
2949  {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2950  SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
2951  /* Input known to need 637 divsteps */
2952  {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
2953  SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
2954  /* Input known to need 567 divsteps starting with delta=1/2. */
2955  {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
2956  SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
2957  /* Input known to need 566 divsteps starting with delta=1/2. */
2958  {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
2959  SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
2960  /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
2961  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
2962  SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
2963  {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
2964  SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
2965  {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
2966  SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
2967  {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
2968  SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
2969  {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
2970  SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
2971  {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
2972  SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
2973  {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
2974  SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
2975  {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
2976  SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
2977  {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
2978  SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
2979  {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
2980  SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
2981  /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
2982  {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
2983  SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
2984  {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
2985  SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
2986  {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
2987  SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
2988  {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
2989  SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
2990  {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
2991  SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
2992  {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
2993  SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
2994  {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
2995  SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
2996  {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
2997  SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
2998  {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
2999  SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3000  {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3001  SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3002  {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3003  SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3004  {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3005  SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3006  {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3007  SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3008  {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3009  SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3010  {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3011  SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3012  {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3013  SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3014  {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3015  SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3016  {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3017  SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3018  {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3019  SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3020  {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3021  SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3022  {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3023  SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3024  {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3025  SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3026  {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3027  SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3028  {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3029  SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3030  {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3031  SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3032  {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3033  SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3034  {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3035  SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3036  {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3037  SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3038  };
3039  /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3040  static const secp256k1_scalar scalar_cases[][2] = {
3041  /* 0 */
3042  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3043  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3044  /* 1 */
3045  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3046  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3047  /* -1 */
3048  {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3049  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3050  /* 2 */
3051  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3052  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3053  /* 2**128 */
3054  {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3055  SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3056  /* Input known to need 635 divsteps */
3057  {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3058  SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3059  /* Input known to need 566 divsteps starting with delta=1/2. */
3060  {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3061  SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3062  /* Input known to need 565 divsteps starting with delta=1/2. */
3063  {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3064  SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3065  /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3066  {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3067  SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3068  {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3069  SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3070  {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3071  SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3072  {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3073  SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3074  {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3075  SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3076  {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3077  SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3078  {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3079  SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3080  {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3081  SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3082  {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3083  SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3084  {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3085  SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3086  {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3087  SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3088  {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3089  SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3090  {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3091  SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3092  {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3093  SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3094  {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3095  SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3096  {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3097  SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3098  {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3099  SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3100  {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3101  SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3102  {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3103  SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3104  {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3105  SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3106  {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3107  SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3108  {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3109  SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3110  {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3111  SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3112  {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3113  SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3114  {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3115  SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3116  {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3117  SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3118  {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3119  SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3120  {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3121  SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3122  {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3123  SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3124  };
3125  int i, var, testrand;
3126  unsigned char b32[32];
3127  secp256k1_fe x_fe;
3128  secp256k1_scalar x_scalar;
3129  memset(b32, 0, sizeof(b32));
3130  /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3131  for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3132  for (var = 0; var <= 1; ++var) {
3133  test_inverse_field(&x_fe, &fe_cases[i][0], var);
3134  check_fe_equal(&x_fe, &fe_cases[i][1]);
3135  test_inverse_field(&x_fe, &fe_cases[i][1], var);
3136  check_fe_equal(&x_fe, &fe_cases[i][0]);
3137  }
3138  }
3139  for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3140  for (var = 0; var <= 1; ++var) {
3141  test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3142  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3143  test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3144  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3145  }
3146  }
3147  /* Test inputs 0..999 and their respective negations. */
3148  for (i = 0; i < 1000; ++i) {
3149  b32[31] = i & 0xff;
3150  b32[30] = (i >> 8) & 0xff;
3151  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3152  secp256k1_fe_set_b32(&x_fe, b32);
3153  for (var = 0; var <= 1; ++var) {
3154  test_inverse_scalar(NULL, &x_scalar, var);
3155  test_inverse_field(NULL, &x_fe, var);
3156  }
3157  secp256k1_scalar_negate(&x_scalar, &x_scalar);
3158  secp256k1_fe_negate(&x_fe, &x_fe, 1);
3159  for (var = 0; var <= 1; ++var) {
3160  test_inverse_scalar(NULL, &x_scalar, var);
3161  test_inverse_field(NULL, &x_fe, var);
3162  }
3163  }
3164  /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3165  for (testrand = 0; testrand <= 1; ++testrand) {
3166  for (i = 0; i < 64 * count; ++i) {
3167  (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
3168  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3169  secp256k1_fe_set_b32(&x_fe, b32);
3170  for (var = 0; var <= 1; ++var) {
3171  test_inverse_scalar(NULL, &x_scalar, var);
3172  test_inverse_field(NULL, &x_fe, var);
3173  }
3174  }
3175  }
3176 }
3177 
3178 /***** GROUP TESTS *****/
3179 
3180 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
3181  CHECK(a->infinity == b->infinity);
3182  if (a->infinity) {
3183  return;
3184  }
3185  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
3186  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
3187 }
3188 
3189 /* This compares jacobian points including their Z, not just their geometric meaning. */
3190 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3191  secp256k1_gej a2;
3192  secp256k1_gej b2;
3193  int ret = 1;
3194  ret &= a->infinity == b->infinity;
3195  if (ret && !a->infinity) {
3196  a2 = *a;
3197  b2 = *b;
3198  secp256k1_fe_normalize(&a2.x);
3199  secp256k1_fe_normalize(&a2.y);
3200  secp256k1_fe_normalize(&a2.z);
3201  secp256k1_fe_normalize(&b2.x);
3202  secp256k1_fe_normalize(&b2.y);
3203  secp256k1_fe_normalize(&b2.z);
3204  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3205  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3206  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3207  }
3208  return ret;
3209 }
3210 
3211 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
3212  secp256k1_fe z2s;
3213  secp256k1_fe u1, u2, s1, s2;
3214  CHECK(a->infinity == b->infinity);
3215  if (a->infinity) {
3216  return;
3217  }
3218  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
3219  secp256k1_fe_sqr(&z2s, &b->z);
3220  secp256k1_fe_mul(&u1, &a->x, &z2s);
3221  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
3222  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
3223  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
3224  CHECK(secp256k1_fe_equal_var(&u1, &u2));
3225  CHECK(secp256k1_fe_equal_var(&s1, &s2));
3226 }
3227 
3228 void test_ge(void) {
3229  int i, i1;
3230  int runs = 6;
3231  /* 25 points are used:
3232  * - infinity
3233  * - for each of four random points p1 p2 p3 p4, we add the point, its
3234  * negation, and then those two again but with randomized Z coordinate.
3235  * - The same is then done for lambda*p1 and lambda^2*p1.
3236  */
3237  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3238  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3239  secp256k1_fe zf;
3240  secp256k1_fe zfi2, zfi3;
3241 
3242  secp256k1_gej_set_infinity(&gej[0]);
3243  secp256k1_ge_clear(&ge[0]);
3244  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3245  for (i = 0; i < runs; i++) {
3246  int j;
3247  secp256k1_ge g;
3248  random_group_element_test(&g);
3249  if (i >= runs - 2) {
3250  secp256k1_ge_mul_lambda(&g, &ge[1]);
3251  }
3252  if (i >= runs - 1) {
3253  secp256k1_ge_mul_lambda(&g, &g);
3254  }
3255  ge[1 + 4 * i] = g;
3256  ge[2 + 4 * i] = g;
3257  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3258  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3259  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3260  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3261  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3262  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3263  for (j = 0; j < 4; j++) {
3264  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
3265  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
3266  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
3267  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
3268  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
3269  }
3270  }
3271 
3272  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3273  do {
3274  random_field_element_test(&zf);
3275  } while(secp256k1_fe_is_zero(&zf));
3276  random_field_element_magnitude(&zf);
3277  secp256k1_fe_inv_var(&zfi3, &zf);
3278  secp256k1_fe_sqr(&zfi2, &zfi3);
3279  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3280 
3281  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3282  int i2;
3283  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3284  /* Compute reference result using gej + gej (var). */
3285  secp256k1_gej refj, resj;
3286  secp256k1_ge ref;
3287  secp256k1_fe zr;
3288  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3289  /* Check Z ratio. */
3290  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3291  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3292  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
3293  }
3294  secp256k1_ge_set_gej_var(&ref, &refj);
3295 
3296  /* Test gej + ge with Z ratio result (var). */
3297  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3298  ge_equals_gej(&ref, &resj);
3299  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3300  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3301  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
3302  }
3303 
3304  /* Test gej + ge (var, with additional Z factor). */
3305  {
3306  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3307  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3308  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3309  random_field_element_magnitude(&ge2_zfi.x);
3310  random_field_element_magnitude(&ge2_zfi.y);
3311  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3312  ge_equals_gej(&ref, &resj);
3313  }
3314 
3315  /* Test gej + ge (const). */
3316  if (i2 != 0) {
3317  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3318  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3319  ge_equals_gej(&ref, &resj);
3320  }
3321 
3322  /* Test doubling (var). */
3323  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3324  secp256k1_fe zr2;
3325  /* Normal doubling with Z ratio result. */
3326  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3327  ge_equals_gej(&ref, &resj);
3328  /* Check Z ratio. */
3329  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3330  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
3331  /* Normal doubling. */
3332  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3333  ge_equals_gej(&ref, &resj);
3334  /* Constant-time doubling. */
3335  secp256k1_gej_double(&resj, &gej[i2]);
3336  ge_equals_gej(&ref, &resj);
3337  }
3338 
3339  /* Test adding opposites. */
3340  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3341  CHECK(secp256k1_ge_is_infinity(&ref));
3342  }
3343 
3344  /* Test adding infinity. */
3345  if (i1 == 0) {
3346  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3347  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3348  ge_equals_gej(&ref, &gej[i2]);
3349  }
3350  if (i2 == 0) {
3351  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3352  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3353  ge_equals_gej(&ref, &gej[i1]);
3354  }
3355  }
3356  }
3357 
3358  /* Test adding all points together in random order equals infinity. */
3359  {
3360  secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
3361  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3362  for (i = 0; i < 4 * runs + 1; i++) {
3363  gej_shuffled[i] = gej[i];
3364  }
3365  for (i = 0; i < 4 * runs + 1; i++) {
3366  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3367  if (swap != i) {
3368  secp256k1_gej t = gej_shuffled[i];
3369  gej_shuffled[i] = gej_shuffled[swap];
3370  gej_shuffled[swap] = t;
3371  }
3372  }
3373  for (i = 0; i < 4 * runs + 1; i++) {
3374  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3375  }
3376  CHECK(secp256k1_gej_is_infinity(&sum));
3377  free(gej_shuffled);
3378  }
3379 
3380  /* Test batch gej -> ge conversion without known z ratios. */
3381  {
3382  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3383  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3384  for (i = 0; i < 4 * runs + 1; i++) {
3385  secp256k1_fe s;
3386  random_fe_non_zero(&s);
3387  secp256k1_gej_rescale(&gej[i], &s);
3388  ge_equals_gej(&ge_set_all[i], &gej[i]);
3389  }
3390  free(ge_set_all);
3391  }
3392 
3393  /* Test batch gej -> ge conversion with many infinities. */
3394  for (i = 0; i < 4 * runs + 1; i++) {
3395  int odd;
3396  random_group_element_test(&ge[i]);
3397  odd = secp256k1_fe_is_odd(&ge[i].x);
3398  CHECK(odd == 0 || odd == 1);
3399  /* randomly set half the points to infinity */
3400  if (odd == i % 2) {
3401  secp256k1_ge_set_infinity(&ge[i]);
3402  }
3403  secp256k1_gej_set_ge(&gej[i], &ge[i]);
3404  }
3405  /* batch convert */
3406  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3407  /* check result */
3408  for (i = 0; i < 4 * runs + 1; i++) {
3409  ge_equals_gej(&ge[i], &gej[i]);
3410  }
3411 
3412  /* Test batch gej -> ge conversion with all infinities. */
3413  for (i = 0; i < 4 * runs + 1; i++) {
3414  secp256k1_gej_set_infinity(&gej[i]);
3415  }
3416  /* batch convert */
3417  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3418  /* check result */
3419  for (i = 0; i < 4 * runs + 1; i++) {
3420  CHECK(secp256k1_ge_is_infinity(&ge[i]));
3421  }
3422 
3423  free(ge);
3424  free(gej);
3425 }
3426 
3427 
3428 void test_intialized_inf(void) {
3429  secp256k1_ge p;
3430  secp256k1_gej pj, npj, infj1, infj2, infj3;
3431  secp256k1_fe zinv;
3432 
3433  /* Test that adding P+(-P) results in a fully initialized infinity*/
3434  random_group_element_test(&p);
3435  secp256k1_gej_set_ge(&pj, &p);
3436  secp256k1_gej_neg(&npj, &pj);
3437 
3438  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3439  CHECK(secp256k1_gej_is_infinity(&infj1));
3440  CHECK(secp256k1_fe_is_zero(&infj1.x));
3441  CHECK(secp256k1_fe_is_zero(&infj1.y));
3442  CHECK(secp256k1_fe_is_zero(&infj1.z));
3443 
3444  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3445  CHECK(secp256k1_gej_is_infinity(&infj2));
3446  CHECK(secp256k1_fe_is_zero(&infj2.x));
3447  CHECK(secp256k1_fe_is_zero(&infj2.y));
3448  CHECK(secp256k1_fe_is_zero(&infj2.z));
3449 
3450  secp256k1_fe_set_int(&zinv, 1);
3451  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3452  CHECK(secp256k1_gej_is_infinity(&infj3));
3453  CHECK(secp256k1_fe_is_zero(&infj3.x));
3454  CHECK(secp256k1_fe_is_zero(&infj3.y));
3455  CHECK(secp256k1_fe_is_zero(&infj3.z));
3456 
3457 
3458 }
3459 
3460 void test_add_neg_y_diff_x(void) {
3461  /* The point of this test is to check that we can add two points
3462  * whose y-coordinates are negatives of each other but whose x
3463  * coordinates differ. If the x-coordinates were the same, these
3464  * points would be negatives of each other and their sum is
3465  * infinity. This is cool because it "covers up" any degeneracy
3466  * in the addition algorithm that would cause the xy coordinates
3467  * of the sum to be wrong (since infinity has no xy coordinates).
3468  * HOWEVER, if the x-coordinates are different, infinity is the
3469  * wrong answer, and such degeneracies are exposed. This is the
3470  * root of https://github.com/bitcoin-core/secp256k1/issues/257
3471  * which this test is a regression test for.
3472  *
3473  * These points were generated in sage as
3474  * # secp256k1 params
3475  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3476  * C = EllipticCurve ([F (0), F (7)])
3477  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3478  * N = FiniteField(G.order())
3479  *
3480  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
3481  * x = polygen(N)
3482  * lam = (1 - x^3).roots()[1][0]
3483  *
3484  * # random "bad pair"
3485  * P = C.random_element()
3486  * Q = -int(lam) * P
3487  * print " P: %x %x" % P.xy()
3488  * print " Q: %x %x" % Q.xy()
3489  * print "P + Q: %x %x" % (P + Q).xy()
3490  */
3491  secp256k1_gej aj = SECP256K1_GEJ_CONST(
3492  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3493  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3494  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3495  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3496  );
3497  secp256k1_gej bj = SECP256K1_GEJ_CONST(
3498  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3499  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3500  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3501  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3502  );
3503  secp256k1_gej sumj = SECP256K1_GEJ_CONST(
3504  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3505  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3506  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3507  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3508  );
3509  secp256k1_ge b;
3510  secp256k1_gej resj;
3511  secp256k1_ge res;
3512  secp256k1_ge_set_gej(&b, &bj);
3513 
3514  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
3515  secp256k1_ge_set_gej(&res, &resj);
3516  ge_equals_gej(&res, &sumj);
3517 
3518  secp256k1_gej_add_ge(&resj, &aj, &b);
3519  secp256k1_ge_set_gej(&res, &resj);
3520  ge_equals_gej(&res, &sumj);
3521 
3522  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
3523  secp256k1_ge_set_gej(&res, &resj);
3524  ge_equals_gej(&res, &sumj);
3525 }
3526 
3527 void run_ge(void) {
3528  int i;
3529  for (i = 0; i < count * 32; i++) {
3530  test_ge();
3531  }
3532  test_add_neg_y_diff_x();
3533  test_intialized_inf();
3534 }
3535 
3536 void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
3537  secp256k1_gej t = *a;
3538  secp256k1_gej_cmov(&t, b, 0);
3539  CHECK(gej_xyz_equals_gej(&t, a));
3540  secp256k1_gej_cmov(&t, b, 1);
3541  CHECK(gej_xyz_equals_gej(&t, b));
3542 }
3543 
3544 void run_gej(void) {
3545  int i;
3546  secp256k1_gej a, b;
3547 
3548  /* Tests for secp256k1_gej_cmov */
3549  for (i = 0; i < count; i++) {
3550  secp256k1_gej_set_infinity(&a);
3551  secp256k1_gej_set_infinity(&b);
3552  test_gej_cmov(&a, &b);
3553 
3554  random_gej_test(&a);
3555  test_gej_cmov(&a, &b);
3556  test_gej_cmov(&b, &a);
3557 
3558  b = a;
3559  test_gej_cmov(&a, &b);
3560 
3561  random_gej_test(&b);
3562  test_gej_cmov(&a, &b);
3563  test_gej_cmov(&b, &a);
3564  }
3565 }
3566 
3567 void test_ec_combine(void) {
3568  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3569  secp256k1_pubkey data[6];
3570  const secp256k1_pubkey* d[6];
3571  secp256k1_pubkey sd;
3572  secp256k1_pubkey sd2;
3573  secp256k1_gej Qj;
3574  secp256k1_ge Q;
3575  int i;
3576  for (i = 1; i <= 6; i++) {
3577  secp256k1_scalar s;
3578  random_scalar_order_test(&s);
3579  secp256k1_scalar_add(&sum, &sum, &s);
3580  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
3581  secp256k1_ge_set_gej(&Q, &Qj);
3582  secp256k1_pubkey_save(&data[i - 1], &Q);
3583  d[i - 1] = &data[i - 1];
3584  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
3585  secp256k1_ge_set_gej(&Q, &Qj);
3586  secp256k1_pubkey_save(&sd, &Q);
3587  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
3588  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
3589  }
3590 }
3591 
3592 void run_ec_combine(void) {
3593  int i;
3594  for (i = 0; i < count * 8; i++) {
3595  test_ec_combine();
3596  }
3597 }
3598 
3599 void test_group_decompress(const secp256k1_fe* x) {
3600  /* The input itself, normalized. */
3601  secp256k1_fe fex = *x;
3602  /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
3603  secp256k1_ge ge_even, ge_odd;
3604  /* Return values of the above calls. */
3605  int res_even, res_odd;
3606 
3607  secp256k1_fe_normalize_var(&fex);
3608 
3609  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
3610  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
3611 
3612  CHECK(res_even == res_odd);
3613 
3614  if (res_even) {
3615  secp256k1_fe_normalize_var(&ge_odd.x);
3616  secp256k1_fe_normalize_var(&ge_even.x);
3617  secp256k1_fe_normalize_var(&ge_odd.y);
3618  secp256k1_fe_normalize_var(&ge_even.y);
3619 
3620  /* No infinity allowed. */
3621  CHECK(!ge_even.infinity);
3622  CHECK(!ge_odd.infinity);
3623 
3624  /* Check that the x coordinates check out. */
3625  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
3626  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
3627 
3628  /* Check odd/even Y in ge_odd, ge_even. */
3629  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
3630  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
3631  }
3632 }
3633 
3634 void run_group_decompress(void) {
3635  int i;
3636  for (i = 0; i < count * 4; i++) {
3637  secp256k1_fe fe;
3638  random_fe_test(&fe);
3639  test_group_decompress(&fe);
3640  }
3641 }
3642 
3643 /***** ECMULT TESTS *****/
3644 
3645 void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
3646  /* Tests the pre_g / pre_g_128 tables for consistency.
3647  * For independent verification we take a "geometric" approach to verification.
3648  * We check that every entry is on-curve.
3649  * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
3650  * (1) p, gg, and -q are colinear.
3651  * (2) p, gg, and -q are all distinct.
3652  * where gg is twice the generator, where the generator is the first table entry.
3653  *
3654  * Checking the table's generators are correct is done in run_ecmult_pre_g.
3655  */
3656  secp256k1_gej g2;
3657  secp256k1_ge p, q, gg;
3658  secp256k1_fe dpx, dpy, dqx, dqy;
3659  size_t i;
3660 
3661  CHECK(0 < n);
3662 
3663  secp256k1_ge_from_storage(&p, &pre_g[0]);
3664  CHECK(secp256k1_ge_is_valid_var(&p));
3665 
3666  secp256k1_gej_set_ge(&g2, &p);
3667  secp256k1_gej_double_var(&g2, &g2, NULL);
3668  secp256k1_ge_set_gej_var(&gg, &g2);
3669  for (i = 1; i < n; ++i) {
3670  secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
3671  secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
3672  /* Check that p is not equal to gg */
3673  CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy));
3674 
3675  secp256k1_ge_from_storage(&q, &pre_g[i]);
3676  CHECK(secp256k1_ge_is_valid_var(&q));
3677 
3678  secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x); secp256k1_fe_normalize_weak(&dqx);
3679  dqy = q.y; secp256k1_fe_add(&dqy, &gg.y); secp256k1_fe_normalize_weak(&dqy);
3680  /* Check that -q is not equal to gg */
3681  CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy));
3682 
3683  /* Check that -q is not equal to p */
3684  CHECK(!secp256k1_fe_equal_var(&dpx, &dqx) || !secp256k1_fe_equal_var(&dpy, &dqy));
3685 
3686  /* Check that p, -q and gg are colinear */
3687  secp256k1_fe_mul(&dpx, &dpx, &dqy);
3688  secp256k1_fe_mul(&dpy, &dpy, &dqx);
3689  CHECK(secp256k1_fe_equal_var(&dpx, &dpy));
3690 
3691  p = q;
3692  }
3693 }
3694 
3695 void run_ecmult_pre_g(void) {
3696  secp256k1_ge_storage gs;
3697  secp256k1_gej gj;
3698  secp256k1_ge g;
3699  size_t i;
3700 
3701  /* Check that the pre_g and pre_g_128 tables are consistent. */
3702  test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G));
3703  test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G));
3704 
3705  /* Check the first entry from the pre_g table. */
3706  secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g);
3707  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
3708 
3709  /* Check the first entry from the pre_g_128 table. */
3710  secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
3711  for (i = 0; i < 128; ++i) {
3712  secp256k1_gej_double_var(&gj, &gj, NULL);
3713  }
3714  secp256k1_ge_set_gej(&g, &gj);
3715  secp256k1_ge_to_storage(&gs, &g);
3716  CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
3717 }
3718 
3719 void run_ecmult_chain(void) {
3720  /* random starting point A (on the curve) */
3721  secp256k1_gej a = SECP256K1_GEJ_CONST(
3722  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
3723  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
3724  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
3725  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
3726  );
3727  /* two random initial factors xn and gn */
3728  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
3729  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
3730  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
3731  );
3732  secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
3733  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
3734  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
3735  );
3736  /* two small multipliers to be applied to xn and gn in every iteration: */
3737  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
3738  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
3739  /* accumulators with the resulting coefficients to A and G */
3740  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3741  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3742  /* actual points */
3743  secp256k1_gej x;
3744  secp256k1_gej x2;
3745  int i;
3746 
3747  /* the point being computed */
3748  x = a;
3749  for (i = 0; i < 200*count; i++) {
3750  /* in each iteration, compute X = xn*X + gn*G; */
3751  secp256k1_ecmult(&x, &x, &xn, &gn);
3752  /* also compute ae and ge: the actual accumulated factors for A and G */
3753  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
3754  secp256k1_scalar_mul(&ae, &ae, &xn);
3755  secp256k1_scalar_mul(&ge, &ge, &xn);
3756  secp256k1_scalar_add(&ge, &ge, &gn);
3757  /* modify xn and gn */
3758  secp256k1_scalar_mul(&xn, &xn, &xf);
3759  secp256k1_scalar_mul(&gn, &gn, &gf);
3760 
3761  /* verify */
3762  if (i == 19999) {
3763  /* expected result after 19999 iterations */
3764  secp256k1_gej rp = SECP256K1_GEJ_CONST(
3765  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
3766  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
3767  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
3768  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
3769  );
3770 
3771  secp256k1_gej_neg(&rp, &rp);
3772  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
3773  CHECK(secp256k1_gej_is_infinity(&rp));
3774  }
3775  }
3776  /* redo the computation, but directly with the resulting ae and ge coefficients: */
3777  secp256k1_ecmult(&x2, &a, &ae, &ge);
3778  secp256k1_gej_neg(&x2, &x2);
3779  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
3780  CHECK(secp256k1_gej_is_infinity(&x2));
3781 }
3782 
3783 void test_point_times_order(const secp256k1_gej *point) {
3784  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
3785  secp256k1_scalar x;
3786  secp256k1_scalar nx;
3787  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3788  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3789  secp256k1_gej res1, res2;
3790  secp256k1_ge res3;
3791  unsigned char pub[65];
3792  size_t psize = 65;
3793  random_scalar_order_test(&x);
3794  secp256k1_scalar_negate(&nx, &x);
3795  secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
3796  secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
3797  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
3798  CHECK(secp256k1_gej_is_infinity(&res1));
3799  secp256k1_ge_set_gej(&res3, &res1);
3800  CHECK(secp256k1_ge_is_infinity(&res3));
3801  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
3802  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
3803  psize = 65;
3804  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
3805  /* check zero/one edge cases */
3806  secp256k1_ecmult(&res1, point, &zero, &zero);
3807  secp256k1_ge_set_gej(&res3, &res1);
3808  CHECK(secp256k1_ge_is_infinity(&res3));
3809  secp256k1_ecmult(&res1, point, &one, &zero);
3810  secp256k1_ge_set_gej(&res3, &res1);
3811  ge_equals_gej(&res3, point);
3812  secp256k1_ecmult(&res1, point, &zero, &one);
3813  secp256k1_ge_set_gej(&res3, &res1);
3814  ge_equals_ge(&res3, &secp256k1_ge_const_g);
3815 }
3816 
3817 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
3818  *
3819  * They are computed as:
3820  * - For a in [-2, -1, 0, 1, 2]:
3821  * - For b in [-3, -1, 1, 3]:
3822  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
3823  */
3824 static const secp256k1_scalar scalars_near_split_bounds[20] = {
3825  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
3826  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
3827  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
3828  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
3829  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
3830  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
3831  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
3832  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
3833  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
3834  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
3835  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
3836  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
3837  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
3838  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
3839  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
3840  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
3841  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
3842  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
3843  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
3844  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
3845 };
3846 
3847 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
3848  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
3849  secp256k1_scalar n1, n2;
3850  secp256k1_ge p;
3851  secp256k1_gej pj, p1j, p2j, ptj;
3852  static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3853 
3854  /* Generate random n1,n2 such that n1+n2 = -target. */
3855  random_scalar_order_test(&n1);
3856  secp256k1_scalar_add(&n2, &n1, target);
3857  secp256k1_scalar_negate(&n2, &n2);
3858 
3859  /* Generate a random input point. */
3860  if (mode != 0) {
3861  random_group_element_test(&p);
3862  secp256k1_gej_set_ge(&pj, &p);
3863  }
3864 
3865  /* EC multiplications */
3866  if (mode == 0) {
3867  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
3868  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
3869  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
3870  } else if (mode == 1) {
3871  secp256k1_ecmult(&p1j, &pj, &n1, &zero);
3872  secp256k1_ecmult(&p2j, &pj, &n2, &zero);
3873  secp256k1_ecmult(&ptj, &pj, target, &zero);
3874  } else {
3875  secp256k1_ecmult_const(&p1j, &p, &n1, 256);
3876  secp256k1_ecmult_const(&p2j, &p, &n2, 256);
3877  secp256k1_ecmult_const(&ptj, &p, target, 256);
3878  }
3879 
3880  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
3881  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
3882  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
3883  CHECK(secp256k1_gej_is_infinity(&ptj));
3884 }
3885 
3886 void run_ecmult_near_split_bound(void) {
3887  int i;
3888  unsigned j;
3889  for (i = 0; i < 4*count; ++i) {
3890  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
3891  test_ecmult_target(&scalars_near_split_bounds[j], 0);
3892  test_ecmult_target(&scalars_near_split_bounds[j], 1);
3893  test_ecmult_target(&scalars_near_split_bounds[j], 2);
3894  }
3895  }
3896 }
3897 
3898 void run_point_times_order(void) {
3899  int i;
3900  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
3901  static const secp256k1_fe xr = SECP256K1_FE_CONST(
3902  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
3903  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
3904  );
3905  for (i = 0; i < 500; i++) {
3906  secp256k1_ge p;
3907  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
3908  secp256k1_gej j;
3909  CHECK(secp256k1_ge_is_valid_var(&p));
3910  secp256k1_gej_set_ge(&j, &p);
3911  test_point_times_order(&j);
3912  }
3913  secp256k1_fe_sqr(&x, &x);
3914  }
3915  secp256k1_fe_normalize_var(&x);
3916  CHECK(secp256k1_fe_equal_var(&x, &xr));
3917 }
3918 
3919 void ecmult_const_random_mult(void) {
3920  /* random starting point A (on the curve) */
3921  secp256k1_ge a = SECP256K1_GE_CONST(
3922  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
3923  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
3924  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
3925  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
3926  );
3927  /* random initial factor xn */
3928  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
3929  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
3930  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
3931  );
3932  /* expected xn * A (from sage) */
3933  secp256k1_ge expected_b = SECP256K1_GE_CONST(
3934  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
3935  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
3936  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
3937  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
3938  );
3939  secp256k1_gej b;
3940  secp256k1_ecmult_const(&b, &a, &xn, 256);
3941 
3942  CHECK(secp256k1_ge_is_valid_var(&a));
3943  ge_equals_gej(&expected_b, &b);
3944 }
3945 
3946 void ecmult_const_commutativity(void) {
3947  secp256k1_scalar a;
3948  secp256k1_scalar b;
3949  secp256k1_gej res1;
3950  secp256k1_gej res2;
3951  secp256k1_ge mid1;
3952  secp256k1_ge mid2;
3953  random_scalar_order_test(&a);
3954  random_scalar_order_test(&b);
3955 
3956  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
3957  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
3958  secp256k1_ge_set_gej(&mid1, &res1);
3959  secp256k1_ge_set_gej(&mid2, &res2);
3960  secp256k1_ecmult_const(&res1, &mid1, &b, 256);
3961  secp256k1_ecmult_const(&res2, &mid2, &a, 256);
3962  secp256k1_ge_set_gej(&mid1, &res1);
3963  secp256k1_ge_set_gej(&mid2, &res2);
3964  ge_equals_ge(&mid1, &mid2);
3965 }
3966 
3967 void ecmult_const_mult_zero_one(void) {
3968  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3969  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3970  secp256k1_scalar negone;
3971  secp256k1_gej res1;
3972  secp256k1_ge res2;
3973  secp256k1_ge point;
3974  secp256k1_scalar_negate(&negone, &one);
3975 
3976  random_group_element_test(&point);
3977  secp256k1_ecmult_const(&res1, &point, &zero, 3);
3978  secp256k1_ge_set_gej(&res2, &res1);
3979  CHECK(secp256k1_ge_is_infinity(&res2));
3980  secp256k1_ecmult_const(&res1, &point, &one, 2);
3981  secp256k1_ge_set_gej(&res2, &res1);
3982  ge_equals_ge(&res2, &point);
3983  secp256k1_ecmult_const(&res1, &point, &negone, 256);
3984  secp256k1_gej_neg(&res1, &res1);
3985  secp256k1_ge_set_gej(&res2, &res1);
3986  ge_equals_ge(&res2, &point);
3987 }
3988 
3989 void ecmult_const_chain_multiply(void) {
3990  /* Check known result (randomly generated test problem from sage) */
3991  const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
3992  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
3993  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
3994  );
3995  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
3996  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
3997  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
3998  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
3999  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4000  );
4001  secp256k1_gej point;
4002  secp256k1_ge res;
4003  int i;
4004 
4005  secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
4006  for (i = 0; i < 100; ++i) {
4007  secp256k1_ge tmp;
4008  secp256k1_ge_set_gej(&tmp, &point);
4009  secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
4010  }
4011  secp256k1_ge_set_gej(&res, &point);
4012  ge_equals_gej(&res, &expected_point);
4013 }
4014 
4015 void run_ecmult_const_tests(void) {
4016  ecmult_const_mult_zero_one();
4017  ecmult_const_random_mult();
4018  ecmult_const_commutativity();
4019  ecmult_const_chain_multiply();
4020 }
4021 
4022 typedef struct {
4023  secp256k1_scalar *sc;
4024  secp256k1_ge *pt;
4025 } ecmult_multi_data;
4026 
4027 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4028  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4029  *sc = data->sc[idx];
4030  *pt = data->pt[idx];
4031  return 1;
4032 }
4033 
4034 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4035  (void)sc;
4036  (void)pt;
4037  (void)idx;
4038  (void)cbdata;
4039  return 0;
4040 }
4041 
4042 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
4043  int ncount;
4044  secp256k1_scalar szero;
4045  secp256k1_scalar sc[32];
4046  secp256k1_ge pt[32];
4047  secp256k1_gej r;
4048  secp256k1_gej r2;
4049  ecmult_multi_data data;
4050 
4051  data.sc = sc;
4052  data.pt = pt;
4053  secp256k1_scalar_set_int(&szero, 0);
4054 
4055  /* No points to multiply */
4056  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4057 
4058  /* Check 1- and 2-point multiplies against ecmult */
4059  for (ncount = 0; ncount < count; ncount++) {
4060  secp256k1_ge ptg;
4061  secp256k1_gej ptgj;
4062  random_scalar_order(&sc[0]);
4063  random_scalar_order(&sc[1]);
4064 
4065  random_group_element_test(&ptg);
4066  secp256k1_gej_set_ge(&ptgj, &ptg);
4067  pt[0] = ptg;
4068  pt[1] = secp256k1_ge_const_g;
4069 
4070  /* only G scalar */
4071  secp256k1_ecmult(&r2, &ptgj, &szero, &sc[0]);
4072  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4073  secp256k1_gej_neg(&r2, &r2);
4074  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4075  CHECK(secp256k1_gej_is_infinity(&r));
4076 
4077  /* 1-point */
4078  secp256k1_ecmult(&r2, &ptgj, &sc[0], &szero);
4079  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
4080  secp256k1_gej_neg(&r2, &r2);
4081  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4082  CHECK(secp256k1_gej_is_infinity(&r));
4083 
4084  /* Try to multiply 1 point, but callback returns false */
4085  CHECK(!ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
4086 
4087  /* 2-point */
4088  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4089  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
4090  secp256k1_gej_neg(&r2, &r2);
4091  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4092  CHECK(secp256k1_gej_is_infinity(&r));
4093 
4094  /* 2-point with G scalar */
4095  secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4096  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4097  secp256k1_gej_neg(&r2, &r2);
4098  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4099  CHECK(secp256k1_gej_is_infinity(&r));
4100  }
4101 
4102  /* Check infinite outputs of various forms */
4103  for (ncount = 0; ncount < count; ncount++) {
4104  secp256k1_ge ptg;
4105  size_t i, j;
4106  size_t sizes[] = { 2, 10, 32 };
4107 
4108  for (j = 0; j < 3; j++) {
4109  for (i = 0; i < 32; i++) {
4110  random_scalar_order(&sc[i]);
4111  secp256k1_ge_set_infinity(&pt[i]);
4112  }
4113  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4114  CHECK(secp256k1_gej_is_infinity(&r));
4115  }
4116 
4117  for (j = 0; j < 3; j++) {
4118  for (i = 0; i < 32; i++) {
4119  random_group_element_test(&ptg);
4120  pt[i] = ptg;
4121  secp256k1_scalar_set_int(&sc[i], 0);
4122  }
4123  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4124  CHECK(secp256k1_gej_is_infinity(&r));
4125  }
4126 
4127  for (j = 0; j < 3; j++) {
4128  random_group_element_test(&ptg);
4129  for (i = 0; i < 16; i++) {
4130  random_scalar_order(&sc[2*i]);
4131  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4132  pt[2 * i] = ptg;
4133  pt[2 * i + 1] = ptg;
4134  }
4135 
4136  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4137  CHECK(secp256k1_gej_is_infinity(&r));
4138 
4139  random_scalar_order(&sc[0]);
4140  for (i = 0; i < 16; i++) {
4141  random_group_element_test(&ptg);
4142 
4143  sc[2*i] = sc[0];
4144  sc[2*i+1] = sc[0];
4145  pt[2 * i] = ptg;
4146  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4147  }
4148 
4149  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4150  CHECK(secp256k1_gej_is_infinity(&r));
4151  }
4152 
4153  random_group_element_test(&ptg);
4154  secp256k1_scalar_set_int(&sc[0], 0);
4155  pt[0] = ptg;
4156  for (i = 1; i < 32; i++) {
4157  pt[i] = ptg;
4158 
4159  random_scalar_order(&sc[i]);
4160  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4161  secp256k1_scalar_negate(&sc[i], &sc[i]);
4162  }
4163 
4164  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
4165  CHECK(secp256k1_gej_is_infinity(&r));
4166  }
4167 
4168  /* Check random points, constant scalar */
4169  for (ncount = 0; ncount < count; ncount++) {
4170  size_t i;
4171  secp256k1_gej_set_infinity(&r);
4172 
4173  random_scalar_order(&sc[0]);
4174  for (i = 0; i < 20; i++) {
4175  secp256k1_ge ptg;
4176  sc[i] = sc[0];
4177  random_group_element_test(&ptg);
4178  pt[i] = ptg;
4179  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4180  }
4181 
4182  secp256k1_ecmult(&r2, &r, &sc[0], &szero);
4183  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4184  secp256k1_gej_neg(&r2, &r2);
4185  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4186  CHECK(secp256k1_gej_is_infinity(&r));
4187  }
4188 
4189  /* Check random scalars, constant point */
4190  for (ncount = 0; ncount < count; ncount++) {
4191  size_t i;
4192  secp256k1_ge ptg;
4193  secp256k1_gej p0j;
4194  secp256k1_scalar rs;
4195  secp256k1_scalar_set_int(&rs, 0);
4196 
4197  random_group_element_test(&ptg);
4198  for (i = 0; i < 20; i++) {
4199  random_scalar_order(&sc[i]);
4200  pt[i] = ptg;
4201  secp256k1_scalar_add(&rs, &rs, &sc[i]);
4202  }
4203 
4204  secp256k1_gej_set_ge(&p0j, &pt[0]);
4205  secp256k1_ecmult(&r2, &p0j, &rs, &szero);
4206  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4207  secp256k1_gej_neg(&r2, &r2);
4208  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4209  CHECK(secp256k1_gej_is_infinity(&r));
4210  }
4211 
4212  /* Sanity check that zero scalars don't cause problems */
4213  for (ncount = 0; ncount < 20; ncount++) {
4214  random_scalar_order(&sc[ncount]);
4215  random_group_element_test(&pt[ncount]);
4216  }
4217 
4218  secp256k1_scalar_clear(&sc[0]);
4219  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4220  secp256k1_scalar_clear(&sc[1]);
4221  secp256k1_scalar_clear(&sc[2]);
4222  secp256k1_scalar_clear(&sc[3]);
4223  secp256k1_scalar_clear(&sc[4]);
4224  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
4225  CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
4226  CHECK(secp256k1_gej_is_infinity(&r));
4227 
4228  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4229  {
4230  const size_t TOP = 8;
4231  size_t s0i, s1i;
4232  size_t t0i, t1i;
4233  secp256k1_ge ptg;
4234  secp256k1_gej ptgj;
4235 
4236  random_group_element_test(&ptg);
4237  secp256k1_gej_set_ge(&ptgj, &ptg);
4238 
4239  for(t0i = 0; t0i < TOP; t0i++) {
4240  for(t1i = 0; t1i < TOP; t1i++) {
4241  secp256k1_gej t0p, t1p;
4242  secp256k1_scalar t0, t1;
4243 
4244  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4245  secp256k1_scalar_cond_negate(&t0, t0i & 1);
4246  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4247  secp256k1_scalar_cond_negate(&t1, t1i & 1);
4248 
4249  secp256k1_ecmult(&t0p, &ptgj, &t0, &szero);
4250  secp256k1_ecmult(&t1p, &ptgj, &t1, &szero);
4251 
4252  for(s0i = 0; s0i < TOP; s0i++) {
4253  for(s1i = 0; s1i < TOP; s1i++) {
4254  secp256k1_scalar tmp1, tmp2;
4255  secp256k1_gej expected, actual;
4256 
4257  secp256k1_ge_set_gej(&pt[0], &t0p);
4258  secp256k1_ge_set_gej(&pt[1], &t1p);
4259 
4260  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4261  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4262  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4263  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4264 
4265  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4266  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4267  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4268 
4269  secp256k1_ecmult(&expected, &ptgj, &tmp1, &szero);
4270  CHECK(ecmult_multi(&ctx->error_callback, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
4271  secp256k1_gej_neg(&expected, &expected);
4272  secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
4273  CHECK(secp256k1_gej_is_infinity(&actual));
4274  }
4275  }
4276  }
4277  }
4278  }
4279 }
4280 
4281 int test_ecmult_multi_random(secp256k1_scratch *scratch) {
4282  /* Large random test for ecmult_multi_* functions which exercises:
4283  * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4284  * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4285  * - Including or excluding an nonzero a*G term (or such a term at all).
4286  * - Final expected result equal to infinity or not (roughly 50%).
4287  * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4288  */
4289 
4290  /* These 4 variables define the eventual input to the ecmult_multi function.
4291  * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4292  * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4293  * which form its normal inputs. */
4294  int filled = 0;
4295  secp256k1_scalar g_scalar = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4296  secp256k1_scalar scalars[128];
4297  secp256k1_gej gejs[128];
4298  /* The expected result, and the computed result. */
4299  secp256k1_gej expected, computed;
4300  /* Temporaries. */
4301  secp256k1_scalar sc_tmp;
4302  secp256k1_ge ge_tmp;
4303  /* Variables needed for the actual input to ecmult_multi. */
4304  secp256k1_ge ges[128];
4305  ecmult_multi_data data;
4306 
4307  int i;
4308  /* Which multiplication function to use */
4309  int fn = secp256k1_testrand_int(3);
4310  secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4311  fn == 1 ? secp256k1_ecmult_strauss_batch_single :
4312  secp256k1_ecmult_pippenger_batch_single;
4313  /* Simulate exponentially distributed num. */
4314  int num_bits = 2 + secp256k1_testrand_int(6);
4315  /* Number of (scalar, point) inputs (excluding g). */
4316  int num = secp256k1_testrand_int((1 << num_bits) + 1);
4317  /* Number of those which are nonzero. */
4318  int num_nonzero = secp256k1_testrand_int(num + 1);
4319  /* Whether we're aiming to create an input with nonzero expected result. */
4320  int nonzero_result = secp256k1_testrand_bits(1);
4321  /* Whether we will provide nonzero g multiplicand. In some cases our hand
4322  * is forced here based on num_nonzero and nonzero_result. */
4323  int g_nonzero = num_nonzero == 0 ? nonzero_result :
4324  num_nonzero == 1 && !nonzero_result ? 1 :
4325  (int)secp256k1_testrand_bits(1);
4326  /* Which g_scalar pointer to pass into ecmult_multi(). */
4327  const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4328  /* How many EC multiplications were performed in this function. */
4329  int mults = 0;
4330  /* How many randomization steps to apply to the input list. */
4331  int rands = (int)secp256k1_testrand_bits(3);
4332  if (rands > num_nonzero) rands = num_nonzero;
4333 
4334  secp256k1_gej_set_infinity(&expected);
4335  secp256k1_gej_set_infinity(&gejs[0]);
4336  secp256k1_scalar_set_int(&scalars[0], 0);
4337 
4338  if (g_nonzero) {
4339  /* If g_nonzero, set g_scalar to nonzero value r. */
4340  random_scalar_order_test(&g_scalar);
4341  if (!nonzero_result) {
4342  /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4343  CHECK(num_nonzero > filled);
4344  random_scalar_order_test(&sc_tmp);
4345  secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4346  secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4347  secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4348  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4349  ++filled;
4350  ++mults;
4351  }
4352  }
4353 
4354  if (nonzero_result && filled < num_nonzero) {
4355  /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4356  random_scalar_order_test(&scalars[filled]);
4357  random_group_element_test(&ge_tmp);
4358  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4359  ++filled;
4360  }
4361 
4362  if (nonzero_result) {
4363  /* Compute the expected result using normal ecmult. */
4364  CHECK(filled <= 1);
4365  secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4366  mults += filled + g_nonzero;
4367  }
4368 
4369  /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4370  CHECK(filled <= 1 + !nonzero_result);
4371  CHECK(filled <= num_nonzero);
4372 
4373  /* Add entries to scalars,gejs so that there are num of them. All the added entries
4374  * either have scalar=0 or point=infinity, so these do not change the expected result. */
4375  while (filled < num) {
4376  if (secp256k1_testrand_bits(1)) {
4377  secp256k1_gej_set_infinity(&gejs[filled]);
4378  random_scalar_order_test(&scalars[filled]);
4379  } else {
4380  secp256k1_scalar_set_int(&scalars[filled], 0);
4381  random_group_element_test(&ge_tmp);
4382  secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4383  }
4384  ++filled;
4385  }
4386 
4387  /* Now perform cheapish transformations on gejs and scalars, for indices
4388  * 0..num_nonzero-1, which do not change the expected result, but may
4389  * convert some of them to be both non-0-scalar and non-infinity-point. */
4390  for (i = 0; i < rands; ++i) {
4391  int j;
4392  secp256k1_scalar v, iv;
4393  /* Shuffle the entries. */
4394  for (j = 0; j < num_nonzero; ++j) {
4395  int k = secp256k1_testrand_int(num_nonzero - j);
4396  if (k != 0) {
4397  secp256k1_gej gej = gejs[j];
4398  secp256k1_scalar sc = scalars[j];
4399  gejs[j] = gejs[j + k];
4400  scalars[j] = scalars[j + k];
4401  gejs[j + k] = gej;
4402  scalars[j + k] = sc;
4403  }
4404  }
4405  /* Perturb all consecutive pairs of inputs:
4406  * a*P + b*Q -> (a+b)*P + b*(Q-P). */
4407  for (j = 0; j + 1 < num_nonzero; j += 2) {
4408  secp256k1_gej gej;
4409  secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
4410  secp256k1_gej_neg(&gej, &gejs[j]);
4411  secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
4412  }
4413  /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
4414  CHECK(num_nonzero >= 1);
4415  random_scalar_order_test(&v);
4416  secp256k1_scalar_inverse(&iv, &v);
4417  secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
4418  secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
4419  ++mults;
4420  }
4421 
4422  /* Shuffle all entries (0..num-1). */
4423  for (i = 0; i < num; ++i) {
4424  int j = secp256k1_testrand_int(num - i);
4425  if (j != 0) {
4426  secp256k1_gej gej = gejs[i];
4427  secp256k1_scalar sc = scalars[i];
4428  gejs[i] = gejs[i + j];
4429  scalars[i] = scalars[i + j];
4430  gejs[i + j] = gej;
4431  scalars[i + j] = sc;
4432  }
4433  }
4434 
4435  /* Compute affine versions of all inputs. */
4436  secp256k1_ge_set_all_gej_var(ges, gejs, filled);
4437  /* Invoke ecmult_multi code. */
4438  data.sc = scalars;
4439  data.pt = ges;
4440  CHECK(ecmult_multi(&ctx->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
4441  mults += num_nonzero + g_nonzero;
4442  /* Compare with expected result. */
4443  secp256k1_gej_neg(&computed, &computed);
4444  secp256k1_gej_add_var(&computed, &computed, &expected, NULL);
4445  CHECK(secp256k1_gej_is_infinity(&computed));
4446  return mults;
4447 }
4448 
4449 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
4450  secp256k1_scalar szero;
4451  secp256k1_scalar sc;
4452  secp256k1_ge pt;
4453  secp256k1_gej r;
4454  ecmult_multi_data data;
4455  secp256k1_scratch *scratch_empty;
4456 
4457  random_group_element_test(&pt);
4458  random_scalar_order(&sc);
4459  data.sc = &sc;
4460  data.pt = &pt;
4461  secp256k1_scalar_set_int(&szero, 0);
4462 
4463  /* Try to multiply 1 point, but scratch space is empty.*/
4464  scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
4465  CHECK(!ecmult_multi(&ctx->error_callback, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
4466  secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
4467 }
4468 
4469 void test_secp256k1_pippenger_bucket_window_inv(void) {
4470  int i;
4471 
4472  CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
4473  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
4474  /* Bucket_window of 8 is not used with endo */
4475  if (i == 8) {
4476  continue;
4477  }
4478  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
4479  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
4480  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
4481  }
4482  }
4483 }
4484 
4489 void test_ecmult_multi_pippenger_max_points(void) {
4490  size_t scratch_size = secp256k1_testrand_bits(8);
4491  size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
4492  secp256k1_scratch *scratch;
4493  size_t n_points_supported;
4494  int bucket_window = 0;
4495 
4496  for(; scratch_size < max_size; scratch_size+=256) {
4497  size_t i;
4498  size_t total_alloc;
4499  size_t checkpoint;
4500  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
4501  CHECK(scratch != NULL);
4502  checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
4503  n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
4504  if (n_points_supported == 0) {
4505  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4506  continue;
4507  }
4508  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
4509  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
4510  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
4511  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
4512  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
4513  total_alloc--;
4514  }
4515  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
4516  secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
4517  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4518  }
4519  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
4520 }
4521 
4522 void test_ecmult_multi_batch_size_helper(void) {
4523  size_t n_batches, n_batch_points, max_n_batch_points, n;
4524 
4525  max_n_batch_points = 0;
4526  n = 1;
4527  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
4528 
4529  max_n_batch_points = 1;
4530  n = 0;
4531  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4532  CHECK(n_batches == 0);
4533  CHECK(n_batch_points == 0);
4534 
4535  max_n_batch_points = 2;
4536  n = 5;
4537  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4538  CHECK(n_batches == 3);
4539  CHECK(n_batch_points == 2);
4540 
4541  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
4542  n = ECMULT_MAX_POINTS_PER_BATCH;
4543  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4544  CHECK(n_batches == 1);
4545  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
4546 
4547  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
4548  n = ECMULT_MAX_POINTS_PER_BATCH + 1;
4549  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4550  CHECK(n_batches == 2);
4551  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
4552 
4553  max_n_batch_points = 1;
4554  n = SIZE_MAX;
4555  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4556  CHECK(n_batches == SIZE_MAX);
4557  CHECK(n_batch_points == 1);
4558 
4559  max_n_batch_points = 2;
4560  n = SIZE_MAX;
4561  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4562  CHECK(n_batches == SIZE_MAX/2 + 1);
4563  CHECK(n_batch_points == 2);
4564 }
4565 
4570 void test_ecmult_multi_batching(void) {
4571  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
4572  secp256k1_scalar scG;
4573  secp256k1_scalar szero;
4574  secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
4575  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
4576  secp256k1_gej r;
4577  secp256k1_gej r2;
4578  ecmult_multi_data data;
4579  int i;
4580  secp256k1_scratch *scratch;
4581 
4582  secp256k1_gej_set_infinity(&r2);
4583  secp256k1_scalar_set_int(&szero, 0);
4584 
4585  /* Get random scalars and group elements and compute result */
4586  random_scalar_order(&scG);
4587  secp256k1_ecmult(&r2, &r2, &szero, &scG);
4588  for(i = 0; i < n_points; i++) {
4589  secp256k1_ge ptg;
4590  secp256k1_gej ptgj;
4591  random_group_element_test(&ptg);
4592  secp256k1_gej_set_ge(&ptgj, &ptg);
4593  pt[i] = ptg;
4594  random_scalar_order(&sc[i]);
4595  secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
4596  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
4597  }
4598  data.sc = sc;
4599  data.pt = pt;
4600  secp256k1_gej_neg(&r2, &r2);
4601 
4602  /* Test with empty scratch space. It should compute the correct result using
4603  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
4604  scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
4605  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4606  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4607  CHECK(secp256k1_gej_is_infinity(&r));
4608  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4609 
4610  /* Test with space for 1 point in pippenger. That's not enough because
4611  * ecmult_multi selects strauss which requires more memory. It should
4612  * therefore select the simple algorithm. */
4613  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4614  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4615  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4616  CHECK(secp256k1_gej_is_infinity(&r));
4617  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4618 
4619  for(i = 1; i <= n_points; i++) {
4620  if (i > ECMULT_PIPPENGER_THRESHOLD) {
4621  int bucket_window = secp256k1_pippenger_bucket_window(i);
4622  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
4623  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4624  } else {
4625  size_t scratch_size = secp256k1_strauss_scratch_size(i);
4626  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4627  }
4628  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4629  secp256k1_gej_add_var(&r, &r, &r2, NULL);
4630  CHECK(secp256k1_gej_is_infinity(&r));
4631  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4632  }
4633  free(sc);
4634  free(pt);
4635 }
4636 
4637 void run_ecmult_multi_tests(void) {
4638  secp256k1_scratch *scratch;
4639  int64_t todo = (int64_t)320 * count;
4640 
4641  test_secp256k1_pippenger_bucket_window_inv();
4642  test_ecmult_multi_pippenger_max_points();
4643  scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
4644  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
4645  test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
4646  test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
4647  test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
4648  test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
4649  test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
4650  while (todo > 0) {
4651  todo -= test_ecmult_multi_random(scratch);
4652  }
4653  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4654 
4655  /* Run test_ecmult_multi with space for exactly one point */
4656  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4657  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
4658  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4659 
4660  test_ecmult_multi_batch_size_helper();
4661  test_ecmult_multi_batching();
4662 }
4663 
4664 void test_wnaf(const secp256k1_scalar *number, int w) {
4665  secp256k1_scalar x, two, t;
4666  int wnaf[256];
4667  int zeroes = -1;
4668  int i;
4669  int bits;
4670  secp256k1_scalar_set_int(&x, 0);
4671  secp256k1_scalar_set_int(&two, 2);
4672  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
4673  CHECK(bits <= 256);
4674  for (i = bits-1; i >= 0; i--) {
4675  int v = wnaf[i];
4676  secp256k1_scalar_mul(&x, &x, &two);
4677  if (v) {
4678  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4679  zeroes=0;
4680  CHECK((v & 1) == 1); /* check non-zero elements are odd */
4681  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
4682  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4683  } else {
4684  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4685  zeroes++;
4686  }
4687  if (v >= 0) {
4688  secp256k1_scalar_set_int(&t, v);
4689  } else {
4690  secp256k1_scalar_set_int(&t, -v);
4691  secp256k1_scalar_negate(&t, &t);
4692  }
4693  secp256k1_scalar_add(&x, &x, &t);
4694  }
4695  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4696 }
4697 
4698 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
4699  secp256k1_scalar neg1 = *number;
4700  secp256k1_scalar neg2 = *number;
4701  int sign1 = 1;
4702  int sign2 = 1;
4703 
4704  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
4705  secp256k1_scalar_negate(&neg1, &neg1);
4706  sign1 = -1;
4707  }
4708  sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
4709  CHECK(sign1 == sign2);
4710  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
4711 }
4712 
4713 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
4714  secp256k1_scalar x, shift;
4715  int wnaf[256] = {0};
4716  int i;
4717  int skew;
4718  int bits = 256;
4719  secp256k1_scalar num = *number;
4720  secp256k1_scalar scalar_skew;
4721 
4722  secp256k1_scalar_set_int(&x, 0);
4723  secp256k1_scalar_set_int(&shift, 1 << w);
4724  for (i = 0; i < 16; ++i) {
4725  secp256k1_scalar_shr_int(&num, 8);
4726  }
4727  bits = 128;
4728  skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
4729 
4730  for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
4731  secp256k1_scalar t;
4732  int v = wnaf[i];
4733  CHECK(v != 0); /* check nonzero */
4734  CHECK(v & 1); /* check parity */
4735  CHECK(v > -(1 << w)); /* check range above */
4736  CHECK(v < (1 << w)); /* check range below */
4737 
4738  secp256k1_scalar_mul(&x, &x, &shift);
4739  if (v >= 0) {
4740  secp256k1_scalar_set_int(&t, v);
4741  } else {
4742  secp256k1_scalar_set_int(&t, -v);
4743  secp256k1_scalar_negate(&t, &t);
4744  }
4745  secp256k1_scalar_add(&x, &x, &t);
4746  }
4747  /* Skew num because when encoding numbers as odd we use an offset */
4748  secp256k1_scalar_set_int(&scalar_skew, skew);
4749  secp256k1_scalar_add(&num, &num, &scalar_skew);
4750  CHECK(secp256k1_scalar_eq(&x, &num));
4751 }
4752 
4753 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
4754  secp256k1_scalar x, shift;
4755  int wnaf[256] = {0};
4756  int i;
4757  int skew;
4758  secp256k1_scalar num = *number;
4759 
4760  secp256k1_scalar_set_int(&x, 0);
4761  secp256k1_scalar_set_int(&shift, 1 << w);
4762  for (i = 0; i < 16; ++i) {
4763  secp256k1_scalar_shr_int(&num, 8);
4764  }
4765  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4766 
4767  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4768  secp256k1_scalar t;
4769  int v = wnaf[i];
4770  CHECK(v == 0 || v & 1); /* check parity */
4771  CHECK(v > -(1 << w)); /* check range above */
4772  CHECK(v < (1 << w)); /* check range below */
4773 
4774  secp256k1_scalar_mul(&x, &x, &shift);
4775  if (v >= 0) {
4776  secp256k1_scalar_set_int(&t, v);
4777  } else {
4778  secp256k1_scalar_set_int(&t, -v);
4779  secp256k1_scalar_negate(&t, &t);
4780  }
4781  secp256k1_scalar_add(&x, &x, &t);
4782  }
4783  /* If skew is 1 then add 1 to num */
4784  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
4785  CHECK(secp256k1_scalar_eq(&x, &num));
4786 }
4787 
4788 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
4789  * rest is 0.*/
4790 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
4791  int i;
4792  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
4793  CHECK(wnaf[i] == 0);
4794  }
4795  for (i = 7; i >= 0; --i) {
4796  CHECK(wnaf[i] == wnaf_expected[i]);
4797  }
4798 }
4799 
4800 void test_fixed_wnaf_small(void) {
4801  int w = 4;
4802  int wnaf[256] = {0};
4803  int i;
4804  int skew;
4805  secp256k1_scalar num;
4806 
4807  secp256k1_scalar_set_int(&num, 0);
4808  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4809  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4810  int v = wnaf[i];
4811  CHECK(v == 0);
4812  }
4813  CHECK(skew == 0);
4814 
4815  secp256k1_scalar_set_int(&num, 1);
4816  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4817  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
4818  int v = wnaf[i];
4819  CHECK(v == 0);
4820  }
4821  CHECK(wnaf[0] == 1);
4822  CHECK(skew == 0);
4823 
4824  {
4825  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
4826  secp256k1_scalar_set_int(&num, 0xffffffff);
4827  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4828  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4829  CHECK(skew == 0);
4830  }
4831  {
4832  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
4833  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
4834  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4835  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4836  CHECK(skew == 1);
4837  }
4838  {
4839  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
4840  secp256k1_scalar_set_int(&num, 0x01010101);
4841  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4842  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4843  CHECK(skew == 0);
4844  }
4845  {
4846  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
4847  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
4848  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4849  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4850  CHECK(skew == 0);
4851  }
4852 }
4853 
4854 void run_wnaf(void) {
4855  int i;
4856  secp256k1_scalar n = {{0}};
4857 
4858  test_constant_wnaf(&n, 4);
4859  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
4860  * have easier-to-diagnose failure modes */
4861  n.d[0] = 1;
4862  test_constant_wnaf(&n, 4);
4863  n.d[0] = 2;
4864  test_constant_wnaf(&n, 4);
4865  /* Test -1, because it's a special case in wnaf_const */
4866  n = secp256k1_scalar_one;
4867  secp256k1_scalar_negate(&n, &n);
4868  test_constant_wnaf(&n, 4);
4869 
4870  /* Test -2, which may not lead to overflows in wnaf_const */
4871  secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
4872  secp256k1_scalar_negate(&n, &n);
4873  test_constant_wnaf(&n, 4);
4874 
4875  /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
4876  as corner cases of negation handling in wnaf_const */
4877  secp256k1_scalar_inverse(&n, &n);
4878  test_constant_wnaf(&n, 4);
4879 
4880  secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
4881  test_constant_wnaf(&n, 4);
4882 
4883  /* Test 0 for fixed wnaf */
4884  test_fixed_wnaf_small();
4885  /* Random tests */
4886  for (i = 0; i < count; i++) {
4887  random_scalar_order(&n);
4888  test_wnaf(&n, 4+(i%10));
4889  test_constant_wnaf_negate(&n);
4890  test_constant_wnaf(&n, 4 + (i % 10));
4891  test_fixed_wnaf(&n, 4 + (i % 10));
4892  }
4893  secp256k1_scalar_set_int(&n, 0);
4894  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
4895  CHECK(secp256k1_scalar_is_zero(&n));
4896  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
4897  CHECK(secp256k1_scalar_is_zero(&n));
4898 }
4899 
4900 static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
4901  const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
4902  *sc = *indata;
4903  *pt = secp256k1_ge_const_g;
4904  CHECK(idx == 0);
4905  return 1;
4906 }
4907 
4908 void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) {
4909  /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
4910  secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
4911  secp256k1_ge r;
4912  const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4913  unsigned char bytes[65];
4914  size_t size = 65;
4915  secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
4916  secp256k1_gej_set_infinity(&infj);
4917  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj1, x);
4918  secp256k1_ecmult(&rj2, &gj, x, &zero);
4919  secp256k1_ecmult(&rj3, &infj, &zero, x);
4920  secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
4921  secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &zero, test_ecmult_accumulate_cb, (void*)x, 1);
4922  secp256k1_ecmult_const(&rj6, &secp256k1_ge_const_g, x, 256);
4923  secp256k1_ge_set_gej_var(&r, &rj1);
4924  ge_equals_gej(&r, &rj2);
4925  ge_equals_gej(&r, &rj3);
4926  ge_equals_gej(&r, &rj4);
4927  ge_equals_gej(&r, &rj5);
4928  ge_equals_gej(&r, &rj6);
4929  if (secp256k1_ge_is_infinity(&r)) {
4930  /* Store infinity as 0x00 */
4931  const unsigned char zerobyte[1] = {0};
4932  secp256k1_sha256_write(acc, zerobyte, 1);
4933  } else {
4934  /* Store other points using their uncompressed serialization. */
4935  secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
4936  CHECK(size == 65);
4937  secp256k1_sha256_write(acc, bytes, size);
4938  }
4939 }
4940 
4941 void test_ecmult_constants_2bit(void) {
4942  /* Using test_ecmult_accumulate, test ecmult for:
4943  * - For i in 0..36:
4944  * - Key i
4945  * - Key -i
4946  * - For i in 0..255:
4947  * - For j in 1..255 (only odd values):
4948  * - Key (j*2^i) mod order
4949  */
4950  secp256k1_scalar x;
4951  secp256k1_sha256 acc;
4952  unsigned char b32[32];
4953  int i, j;
4954  secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 65536);
4955 
4956  /* Expected hash of all the computed points; created with an independent
4957  * implementation. */
4958  static const unsigned char expected32[32] = {
4959  0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
4960  0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
4961  0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
4962  0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
4963  };
4964  secp256k1_sha256_initialize(&acc);
4965  for (i = 0; i <= 36; ++i) {
4966  secp256k1_scalar_set_int(&x, i);
4967  test_ecmult_accumulate(&acc, &x, scratch);
4968  secp256k1_scalar_negate(&x, &x);
4969  test_ecmult_accumulate(&acc, &x, scratch);
4970  };
4971  for (i = 0; i < 256; ++i) {
4972  for (j = 1; j < 256; j += 2) {
4973  int k;
4974  secp256k1_scalar_set_int(&x, j);
4975  for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
4976  test_ecmult_accumulate(&acc, &x, scratch);
4977  }
4978  }
4979  secp256k1_sha256_finalize(&acc, b32);
4980  CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
4981 
4982  secp256k1_scratch_space_destroy(ctx, scratch);
4983 }
4984 
4985 void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
4986  /* Using test_ecmult_accumulate, test ecmult for:
4987  * - Key 0
4988  * - Key 1
4989  * - Key -1
4990  * - For i in range(iter):
4991  * - Key SHA256(LE32(prefix) || LE16(i))
4992  */
4993  secp256k1_scalar x;
4994  secp256k1_sha256 acc;
4995  unsigned char b32[32];
4996  unsigned char inp[6];
4997  size_t i;
4998  secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 65536);
4999 
5000  inp[0] = prefix & 0xFF;
5001  inp[1] = (prefix >> 8) & 0xFF;
5002  inp[2] = (prefix >> 16) & 0xFF;
5003  inp[3] = (prefix >> 24) & 0xFF;
5004  secp256k1_sha256_initialize(&acc);
5005  secp256k1_scalar_set_int(&x, 0);
5006  test_ecmult_accumulate(&acc, &x, scratch);
5007  secp256k1_scalar_set_int(&x, 1);
5008  test_ecmult_accumulate(&acc, &x, scratch);
5009  secp256k1_scalar_negate(&x, &x);
5010  test_ecmult_accumulate(&acc, &x, scratch);
5011 
5012  for (i = 0; i < iter; ++i) {
5013  secp256k1_sha256 gen;
5014  inp[4] = i & 0xff;
5015  inp[5] = (i >> 8) & 0xff;
5016  secp256k1_sha256_initialize(&gen);
5017  secp256k1_sha256_write(&gen, inp, sizeof(inp));
5018  secp256k1_sha256_finalize(&gen, b32);
5019  secp256k1_scalar_set_b32(&x, b32, NULL);
5020  test_ecmult_accumulate(&acc, &x, scratch);
5021  }
5022  secp256k1_sha256_finalize(&acc, b32);
5023  CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5024 
5025  secp256k1_scratch_space_destroy(ctx, scratch);
5026 }
5027 
5028 void run_ecmult_constants(void) {
5029  /* Expected hashes of all points in the tests below. Computed using an
5030  * independent implementation. */
5031  static const unsigned char expected32_6bit20[32] = {
5032  0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5033  0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5034  0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5035  0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5036  };
5037  static const unsigned char expected32_8bit8[32] = {
5038  0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5039  0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5040  0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5041  0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5042  };
5043  /* For every combination of 6 bit positions out of 256, restricted to
5044  * 20-bit windows (i.e., the first and last bit position are no more than
5045  * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5046  * this test. */
5047  CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5048  test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5049  }
5050 
5051  /* For every combination of 8 consecutive bit positions, all 256 bit
5052  * patterns occur in the input scalars used in this test. */
5053  CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5054  test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5055  }
5056 
5057  CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5058  test_ecmult_constants_2bit();
5059  }
5060 }
5061 
5062 void test_ecmult_gen_blind(void) {
5063  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5064  secp256k1_scalar key;
5065  secp256k1_scalar b;
5066  unsigned char seed32[32];
5067  secp256k1_gej pgej;
5068  secp256k1_gej pgej2;
5069  secp256k1_gej i;
5070  secp256k1_ge pge;
5071  random_scalar_order_test(&key);
5072  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
5073  secp256k1_testrand256(seed32);
5074  b = ctx->ecmult_gen_ctx.blind;
5075  i = ctx->ecmult_gen_ctx.initial;
5076  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
5077  CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
5078  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
5079  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5080  CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
5081  secp256k1_ge_set_gej(&pge, &pgej);
5082  ge_equals_gej(&pge, &pgej2);
5083 }
5084 
5085 void test_ecmult_gen_blind_reset(void) {
5086  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5087  secp256k1_scalar b;
5088  secp256k1_gej initial;
5089  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
5090  b = ctx->ecmult_gen_ctx.blind;
5091  initial = ctx->ecmult_gen_ctx.initial;
5092  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
5093  CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
5094  CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
5095 }
5096 
5097 void run_ecmult_gen_blind(void) {
5098  int i;
5099  test_ecmult_gen_blind_reset();
5100  for (i = 0; i < 10; i++) {
5101  test_ecmult_gen_blind();
5102  }
5103 }
5104 
5105 /***** ENDOMORPHISH TESTS *****/
5106 void test_scalar_split(const secp256k1_scalar* full) {
5107  secp256k1_scalar s, s1, slam;
5108  const unsigned char zero[32] = {0};
5109  unsigned char tmp[32];
5110 
5111  secp256k1_scalar_split_lambda(&s1, &slam, full);
5112 
5113  /* check slam*lambda + s1 == full */
5114  secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
5115  secp256k1_scalar_add(&s, &s, &s1);
5116  CHECK(secp256k1_scalar_eq(&s, full));
5117 
5118  /* check that both are <= 128 bits in size */
5119  if (secp256k1_scalar_is_high(&s1)) {
5120  secp256k1_scalar_negate(&s1, &s1);
5121  }
5122  if (secp256k1_scalar_is_high(&slam)) {
5123  secp256k1_scalar_negate(&slam, &slam);
5124  }
5125 
5126  secp256k1_scalar_get_b32(tmp, &s1);
5127  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5128  secp256k1_scalar_get_b32(tmp, &slam);
5129  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5130 }
5131 
5132 
5133 void run_endomorphism_tests(void) {
5134  unsigned i;
5135  static secp256k1_scalar s;
5136  test_scalar_split(&secp256k1_scalar_zero);
5137  test_scalar_split(&secp256k1_scalar_one);
5138  secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
5139  test_scalar_split(&s);
5140  test_scalar_split(&secp256k1_const_lambda);
5141  secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
5142  test_scalar_split(&s);
5143 
5144  for (i = 0; i < 100U * count; ++i) {
5145  secp256k1_scalar full;
5146  random_scalar_order_test(&full);
5147  test_scalar_split(&full);
5148  }
5149  for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5150  test_scalar_split(&scalars_near_split_bounds[i]);
5151  }
5152 }
5153 
5154 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5155  unsigned char pubkeyc[65];
5156  secp256k1_pubkey pubkey;
5157  secp256k1_ge ge;
5158  size_t pubkeyclen;
5159  int32_t ecount;
5160  ecount = 0;
5161  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5162  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5163  /* Smaller sizes are tested exhaustively elsewhere. */
5164  int32_t i;
5165  memcpy(&pubkeyc[1], input, 64);
5166  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5167  for (i = 0; i < 256; i++) {
5168  /* Try all type bytes. */
5169  int xpass;
5170  int ypass;
5171  int ysign;
5172  pubkeyc[0] = i;
5173  /* What sign does this point have? */
5174  ysign = (input[63] & 1) + 2;
5175  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5176  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5177  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5178  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5179  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5180  if (xpass || ypass) {
5181  /* These cases must parse. */
5182  unsigned char pubkeyo[65];
5183  size_t outl;
5184  memset(&pubkey, 0, sizeof(pubkey));
5185  VG_UNDEF(&pubkey, sizeof(pubkey));
5186  ecount = 0;
5187  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
5188  VG_CHECK(&pubkey, sizeof(pubkey));
5189  outl = 65;
5190  VG_UNDEF(pubkeyo, 65);
5191  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5192  VG_CHECK(pubkeyo, outl);
5193  CHECK(outl == 33);
5194  CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5195  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5196  if (ypass) {
5197  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5198  CHECK(pubkeyo[0] == ysign);
5199  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
5200  memset(&pubkey, 0, sizeof(pubkey));
5201  VG_UNDEF(&pubkey, sizeof(pubkey));
5202  secp256k1_pubkey_save(&pubkey, &ge);
5203  VG_CHECK(&pubkey, sizeof(pubkey));
5204  outl = 65;
5205  VG_UNDEF(pubkeyo, 65);
5206  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5207  VG_CHECK(pubkeyo, outl);
5208  CHECK(outl == 65);
5209  CHECK(pubkeyo[0] == 4);
5210  CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5211  }
5212  CHECK(ecount == 0);
5213  } else {
5214  /* These cases must fail to parse. */
5215  memset(&pubkey, 0xfe, sizeof(pubkey));
5216  ecount = 0;
5217  VG_UNDEF(&pubkey, sizeof(pubkey));
5218  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
5219  VG_CHECK(&pubkey, sizeof(pubkey));
5220  CHECK(ecount == 0);
5221  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5222  CHECK(ecount == 1);
5223  }
5224  }
5225  }
5226  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5227 }
5228 
5229 void run_ec_pubkey_parse_test(void) {
5230 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
5231  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5232  {
5233  /* Point with leading and trailing zeros in x and y serialization. */
5234  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5235  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5236  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5237  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5238  },
5239  {
5240  /* Point with x equal to a 3rd root of unity.*/
5241  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5242  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5243  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5244  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5245  },
5246  {
5247  /* Point with largest x. (1/2) */
5248  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5249  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5250  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5251  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5252  },
5253  {
5254  /* Point with largest x. (2/2) */
5255  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5256  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5257  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5258  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5259  },
5260  {
5261  /* Point with smallest x. (1/2) */
5262  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5263  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5264  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5265  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5266  },
5267  {
5268  /* Point with smallest x. (2/2) */
5269  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5270  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5271  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5272  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5273  },
5274  {
5275  /* Point with largest y. (1/3) */
5276  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5277  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5278  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5279  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5280  },
5281  {
5282  /* Point with largest y. (2/3) */
5283  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5284  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5285  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5286  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5287  },
5288  {
5289  /* Point with largest y. (3/3) */
5290  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5291  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5292  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5293  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5294  },
5295  {
5296  /* Point with smallest y. (1/3) */
5297  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5298  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5299  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5300  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5301  },
5302  {
5303  /* Point with smallest y. (2/3) */
5304  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5305  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5306  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5307  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5308  },
5309  {
5310  /* Point with smallest y. (3/3) */
5311  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5312  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5313  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5314  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5315  }
5316  };
5317 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5318  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5319  {
5320  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5321  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5322  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5323  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5324  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5325  },
5326  {
5327  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5328  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5329  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5330  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5331  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5332  },
5333  {
5334  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5335  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5336  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5337  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5338  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5339  },
5340  {
5341  /* x on curve, y is from y^2 = x^3 + 8. */
5342  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5343  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5344  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5345  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5346  }
5347  };
5348 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5349  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5350  {
5351  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5352  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5353  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5354  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5355  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5356  },
5357  {
5358  /* Valid if x overflow ignored (x = 1 mod p). */
5359  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5360  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5361  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5362  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5363  },
5364  {
5365  /* Valid if x overflow ignored (x = 1 mod p). */
5366  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5367  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5368  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5369  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5370  },
5371  {
5372  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5373  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5374  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5375  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5376  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5377  },
5378  {
5379  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5380  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5381  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5382  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5383  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5384  },
5385  {
5386  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5387  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5388  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5389  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5390  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5391  },
5392  {
5393  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5394  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5395  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5396  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5397  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5398  }
5399  };
5400  const unsigned char pubkeyc[66] = {
5401  /* Serialization of G. */
5402  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5403  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5404  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5405  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5406  0xB8, 0x00
5407  };
5408  unsigned char sout[65];
5409  unsigned char shortkey[2];
5410  secp256k1_ge ge;
5411  secp256k1_pubkey pubkey;
5412  size_t len;
5413  int32_t i;
5414  int32_t ecount;
5415  int32_t ecount2;
5416  ecount = 0;
5417  /* Nothing should be reading this far into pubkeyc. */
5418  VG_UNDEF(&pubkeyc[65], 1);
5419  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5420  /* Zero length claimed, fail, zeroize, no illegal arg error. */
5421  memset(&pubkey, 0xfe, sizeof(pubkey));
5422  ecount = 0;
5423  VG_UNDEF(shortkey, 2);
5424  VG_UNDEF(&pubkey, sizeof(pubkey));
5425  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
5426  VG_CHECK(&pubkey, sizeof(pubkey));
5427  CHECK(ecount == 0);
5428  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5429  CHECK(ecount == 1);
5430  /* Length one claimed, fail, zeroize, no illegal arg error. */
5431  for (i = 0; i < 256 ; i++) {
5432  memset(&pubkey, 0xfe, sizeof(pubkey));
5433  ecount = 0;
5434  shortkey[0] = i;
5435  VG_UNDEF(&shortkey[1], 1);
5436  VG_UNDEF(&pubkey, sizeof(pubkey));
5437  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
5438  VG_CHECK(&pubkey, sizeof(pubkey));
5439  CHECK(ecount == 0);
5440  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5441  CHECK(ecount == 1);
5442  }
5443  /* Length two claimed, fail, zeroize, no illegal arg error. */
5444  for (i = 0; i < 65536 ; i++) {
5445  memset(&pubkey, 0xfe, sizeof(pubkey));
5446  ecount = 0;
5447  shortkey[0] = i & 255;
5448  shortkey[1] = i >> 8;
5449  VG_UNDEF(&pubkey, sizeof(pubkey));
5450  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
5451  VG_CHECK(&pubkey, sizeof(pubkey));
5452  CHECK(ecount == 0);
5453  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5454  CHECK(ecount == 1);
5455  }
5456  memset(&pubkey, 0xfe, sizeof(pubkey));
5457  ecount = 0;
5458  VG_UNDEF(&pubkey, sizeof(pubkey));
5459  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5460  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
5461  VG_CHECK(&pubkey, sizeof(pubkey));
5462  CHECK(ecount == 0);
5463  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5464  CHECK(ecount == 1);
5465  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5466  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
5467  CHECK(ecount == 2);
5468  /* NULL input string. Illegal arg and zeroize output. */
5469  memset(&pubkey, 0xfe, sizeof(pubkey));
5470  ecount = 0;
5471  VG_UNDEF(&pubkey, sizeof(pubkey));
5472  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
5473  VG_CHECK(&pubkey, sizeof(pubkey));
5474  CHECK(ecount == 1);
5475  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5476  CHECK(ecount == 2);
5477  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5478  memset(&pubkey, 0xfe, sizeof(pubkey));
5479  ecount = 0;
5480  VG_UNDEF(&pubkey, sizeof(pubkey));
5481  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
5482  VG_CHECK(&pubkey, sizeof(pubkey));
5483  CHECK(ecount == 0);
5484  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5485  CHECK(ecount == 1);
5486  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
5487  memset(&pubkey, 0xfe, sizeof(pubkey));
5488  ecount = 0;
5489  VG_UNDEF(&pubkey, sizeof(pubkey));
5490  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
5491  VG_CHECK(&pubkey, sizeof(pubkey));
5492  CHECK(ecount == 0);
5493  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5494  CHECK(ecount == 1);
5495  /* Valid parse. */
5496  memset(&pubkey, 0, sizeof(pubkey));
5497  ecount = 0;
5498  VG_UNDEF(&pubkey, sizeof(pubkey));
5499  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
5500  CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
5501  VG_CHECK(&pubkey, sizeof(pubkey));
5502  CHECK(ecount == 0);
5503  VG_UNDEF(&ge, sizeof(ge));
5504  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
5505  VG_CHECK(&ge.x, sizeof(ge.x));
5506  VG_CHECK(&ge.y, sizeof(ge.y));
5507  VG_CHECK(&ge.infinity, sizeof(ge.infinity));
5508  ge_equals_ge(&secp256k1_ge_const_g, &ge);
5509  CHECK(ecount == 0);
5510  /* secp256k1_ec_pubkey_serialize illegal args. */
5511  ecount = 0;
5512  len = 65;
5513  CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
5514  CHECK(ecount == 1);
5515  CHECK(len == 0);
5516  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
5517  CHECK(ecount == 2);
5518  len = 65;
5519  VG_UNDEF(sout, 65);
5520  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
5521  VG_CHECK(sout, 65);
5522  CHECK(ecount == 3);
5523  CHECK(len == 0);
5524  len = 65;
5525  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
5526  CHECK(ecount == 4);
5527  CHECK(len == 0);
5528  len = 65;
5529  VG_UNDEF(sout, 65);
5530  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5531  VG_CHECK(sout, 65);
5532  CHECK(ecount == 4);
5533  CHECK(len == 65);
5534  /* Multiple illegal args. Should still set arg error only once. */
5535  ecount = 0;
5536  ecount2 = 11;
5537  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5538  CHECK(ecount == 1);
5539  /* Does the illegal arg callback actually change the behavior? */
5540  secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
5541  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5542  CHECK(ecount == 1);
5543  CHECK(ecount2 == 10);
5544  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5545  /* Try a bunch of prefabbed points with all possible encodings. */
5546  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
5547  ec_pubkey_parse_pointtest(valid[i], 1, 1);
5548  }
5549  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
5550  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
5551  }
5552  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
5553  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
5554  }
5555 }
5556 
5557 void run_eckey_edge_case_test(void) {
5558  const unsigned char orderc[32] = {
5559  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5560  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5561  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5562  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
5563  };
5564  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
5565  unsigned char ctmp[33];
5566  unsigned char ctmp2[33];
5567  secp256k1_pubkey pubkey;
5568  secp256k1_pubkey pubkey2;
5569  secp256k1_pubkey pubkey_one;
5570  secp256k1_pubkey pubkey_negone;
5571  const secp256k1_pubkey *pubkeys[3];
5572  size_t len;
5573  int32_t ecount;
5574  /* Group order is too large, reject. */
5575  CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
5576  VG_UNDEF(&pubkey, sizeof(pubkey));
5577  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
5578  VG_CHECK(&pubkey, sizeof(pubkey));
5579  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5580  /* Maximum value is too large, reject. */
5581  memset(ctmp, 255, 32);
5582  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5583  memset(&pubkey, 1, sizeof(pubkey));
5584  VG_UNDEF(&pubkey, sizeof(pubkey));
5585  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5586  VG_CHECK(&pubkey, sizeof(pubkey));
5587  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5588  /* Zero is too small, reject. */
5589  memset(ctmp, 0, 32);
5590  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5591  memset(&pubkey, 1, sizeof(pubkey));
5592  VG_UNDEF(&pubkey, sizeof(pubkey));
5593  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5594  VG_CHECK(&pubkey, sizeof(pubkey));
5595  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5596  /* One must be accepted. */
5597  ctmp[31] = 0x01;
5598  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5599  memset(&pubkey, 0, sizeof(pubkey));
5600  VG_UNDEF(&pubkey, sizeof(pubkey));
5601  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5602  VG_CHECK(&pubkey, sizeof(pubkey));
5603  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5604  pubkey_one = pubkey;
5605  /* Group order + 1 is too large, reject. */
5606  memcpy(ctmp, orderc, 32);
5607  ctmp[31] = 0x42;
5608  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5609  memset(&pubkey, 1, sizeof(pubkey));
5610  VG_UNDEF(&pubkey, sizeof(pubkey));
5611  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5612  VG_CHECK(&pubkey, sizeof(pubkey));
5613  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5614  /* -1 must be accepted. */
5615  ctmp[31] = 0x40;
5616  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5617  memset(&pubkey, 0, sizeof(pubkey));
5618  VG_UNDEF(&pubkey, sizeof(pubkey));
5619  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5620  VG_CHECK(&pubkey, sizeof(pubkey));
5621  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5622  pubkey_negone = pubkey;
5623  /* Tweak of zero leaves the value unchanged. */
5624  memset(ctmp2, 0, 32);
5625  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
5626  CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
5627  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
5628  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5629  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5630  /* Multiply tweak of zero zeroizes the output. */
5631  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5632  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5633  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
5634  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5635  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5636  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5637  seckey, the seckey is zeroized. */
5638  memcpy(ctmp, orderc, 32);
5639  memset(ctmp2, 0, 32);
5640  ctmp2[31] = 0x01;
5641  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
5642  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5643  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
5644  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5645  memcpy(ctmp, orderc, 32);
5646  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5647  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5648  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5649  tweak, the seckey is zeroized. */
5650  memcpy(ctmp, orderc, 32);
5651  ctmp[31] = 0x40;
5652  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
5653  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5654  memcpy(ctmp, orderc, 32);
5655  ctmp[31] = 0x40;
5656  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
5657  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5658  memcpy(ctmp, orderc, 32);
5659  ctmp[31] = 0x40;
5660  /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
5661  tweak, the pubkey is zeroized. */
5662  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
5663  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5664  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5665  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
5666  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5667  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5668  /* If the resulting key in secp256k1_ec_seckey_tweak_add and
5669  * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
5670  * case the pubkey is zeroized. */
5671  memcpy(ctmp, orderc, 32);
5672  ctmp[31] = 0x40;
5673  memset(ctmp2, 0, 32);
5674  ctmp2[31] = 1;
5675  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
5676  CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
5677  ctmp2[31] = 1;
5678  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5679  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5680  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5681  /* Tweak computation wraps and results in a key of 1. */
5682  ctmp2[31] = 2;
5683  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
5684  CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
5685  ctmp2[31] = 2;
5686  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5687  ctmp2[31] = 1;
5688  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
5689  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5690  /* Tweak mul * 2 = 1+1. */
5691  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5692  ctmp2[31] = 2;
5693  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
5694  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5695  /* Test argument errors. */
5696  ecount = 0;
5697  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5698  CHECK(ecount == 0);
5699  /* Zeroize pubkey on parse error. */
5700  memset(&pubkey, 0, 32);
5701  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5702  CHECK(ecount == 1);
5703  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5704  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5705  memset(&pubkey2, 0, 32);
5706  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
5707  CHECK(ecount == 2);
5708  CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
5709  /* Plain argument errors. */
5710  ecount = 0;
5711  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5712  CHECK(ecount == 0);
5713  CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
5714  CHECK(ecount == 1);
5715  ecount = 0;
5716  memset(ctmp2, 0, 32);
5717  ctmp2[31] = 4;
5718  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
5719  CHECK(ecount == 1);
5720  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
5721  CHECK(ecount == 2);
5722  ecount = 0;
5723  memset(ctmp2, 0, 32);
5724  ctmp2[31] = 4;
5725  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
5726  CHECK(ecount == 1);
5727  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
5728  CHECK(ecount == 2);
5729  ecount = 0;
5730  memset(ctmp2, 0, 32);
5731  CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
5732  CHECK(ecount == 1);
5733  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
5734  CHECK(ecount == 2);
5735  ecount = 0;
5736  memset(ctmp2, 0, 32);
5737  ctmp2[31] = 1;
5738  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
5739  CHECK(ecount == 1);
5740  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
5741  CHECK(ecount == 2);
5742  ecount = 0;
5743  CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
5744  CHECK(ecount == 1);
5745  memset(&pubkey, 1, sizeof(pubkey));
5746  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5747  CHECK(ecount == 2);
5748  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5749  /* secp256k1_ec_pubkey_combine tests. */
5750  ecount = 0;
5751  pubkeys[0] = &pubkey_one;
5752  VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
5753  VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
5754  VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
5755  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5756  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5757  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
5758  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5759  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5760  CHECK(ecount == 1);
5761  CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
5762  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5763  CHECK(ecount == 2);
5764  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5765  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5766  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
5767  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5768  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5769  CHECK(ecount == 3);
5770  pubkeys[0] = &pubkey_negone;
5771  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5772  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5773  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
5774  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5775  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5776  CHECK(ecount == 3);
5777  len = 33;
5778  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5779  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
5780  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
5781  /* Result is infinity. */
5782  pubkeys[0] = &pubkey_one;
5783  pubkeys[1] = &pubkey_negone;
5784  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5785  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5786  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
5787  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5788  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5789  CHECK(ecount == 3);
5790  /* Passes through infinity but comes out one. */
5791  pubkeys[2] = &pubkey_one;
5792  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5793  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5794  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
5795  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5796  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5797  CHECK(ecount == 3);
5798  len = 33;
5799  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5800  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
5801  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
5802  /* Adds to two. */
5803  pubkeys[1] = &pubkey_one;
5804  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5805  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5806  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
5807  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5808  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5809  CHECK(ecount == 3);
5810  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5811 }
5812 
5813 void run_eckey_negate_test(void) {
5814  unsigned char seckey[32];
5815  unsigned char seckey_tmp[32];
5816 
5817  random_scalar_order_b32(seckey);
5818  memcpy(seckey_tmp, seckey, 32);
5819 
5820  /* Verify negation changes the key and changes it back */
5821  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5822  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
5823  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5824  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5825 
5826  /* Check that privkey alias gives same result */
5827  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5828  CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
5829  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5830 
5831  /* Negating all 0s fails */
5832  memset(seckey, 0, 32);
5833  memset(seckey_tmp, 0, 32);
5834  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5835  /* Check that seckey is not modified */
5836  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5837 
5838  /* Negating an overflowing seckey fails and the seckey is zeroed. In this
5839  * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
5840  * doesn't just set seckey to a constant value in case of failure. */
5841  random_scalar_order_b32(seckey);
5842  memset(seckey, 0xFF, 16);
5843  memset(seckey_tmp, 0, 32);
5844  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5845  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5846 }
5847 
5848 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
5849  secp256k1_scalar nonce;
5850  do {
5851  random_scalar_order_test(&nonce);
5852  } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
5853 }
5854 
5855 void test_ecdsa_sign_verify(void) {
5856  secp256k1_gej pubj;
5857  secp256k1_ge pub;
5858  secp256k1_scalar one;
5859  secp256k1_scalar msg, key;
5860  secp256k1_scalar sigr, sigs;
5861  int getrec;
5862  int recid;
5863  random_scalar_order_test(&msg);
5864  random_scalar_order_test(&key);
5865  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
5866  secp256k1_ge_set_gej(&pub, &pubj);
5867  getrec = secp256k1_testrand_bits(1);
5868  /* The specific way in which this conditional is written sidesteps a potential bug in clang.
5869  See the commit messages of the commit that introduced this comment for details. */
5870  if (getrec) {
5871  random_sign(&sigr, &sigs, &key, &msg, &recid);
5872  CHECK(recid >= 0 && recid < 4);
5873  } else {
5874  random_sign(&sigr, &sigs, &key, &msg, NULL);
5875  }
5876  CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
5877  secp256k1_scalar_set_int(&one, 1);
5878  secp256k1_scalar_add(&msg, &msg, &one);
5879  CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
5880 }
5881 
5882 void run_ecdsa_sign_verify(void) {
5883  int i;
5884  for (i = 0; i < 10*count; i++) {
5885  test_ecdsa_sign_verify();
5886  }
5887 }
5888 
5890 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5891  (void)msg32;
5892  (void)key32;
5893  (void)algo16;
5894  memcpy(nonce32, data, 32);
5895  return (counter == 0);
5896 }
5897 
5898 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5899  /* Dummy nonce generator that has a fatal error on the first counter value. */
5900  if (counter == 0) {
5901  return 0;
5902  }
5903  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
5904 }
5905 
5906 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5907  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
5908  if (counter < 3) {
5909  memset(nonce32, counter==0 ? 0 : 255, 32);
5910  if (counter == 2) {
5911  nonce32[31]--;
5912  }
5913  return 1;
5914  }
5915  if (counter < 5) {
5916  static const unsigned char order[] = {
5917  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5918  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5919  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5920  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
5921  };
5922  memcpy(nonce32, order, 32);
5923  if (counter == 4) {
5924  nonce32[31]++;
5925  }
5926  return 1;
5927  }
5928  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
5929  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
5930  if (counter > 5) {
5931  return 0;
5932  }
5933  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
5934 }
5935 
5936 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
5937  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
5938  return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
5939 }
5940 
5941 void test_ecdsa_end_to_end(void) {
5942  unsigned char extra[32] = {0x00};
5943  unsigned char privkey[32];
5944  unsigned char message[32];
5945  unsigned char privkey2[32];
5946  secp256k1_ecdsa_signature signature[6];
5947  secp256k1_scalar r, s;
5948  unsigned char sig[74];
5949  size_t siglen = 74;
5950  unsigned char pubkeyc[65];
5951  size_t pubkeyclen = 65;
5952  secp256k1_pubkey pubkey;
5953  secp256k1_pubkey pubkey_tmp;
5954  unsigned char seckey[300];
5955  size_t seckeylen = 300;
5956 
5957  /* Generate a random key and message. */
5958  {
5959  secp256k1_scalar msg, key;
5960  random_scalar_order_test(&msg);
5961  random_scalar_order_test(&key);
5962  secp256k1_scalar_get_b32(privkey, &key);
5963  secp256k1_scalar_get_b32(message, &msg);
5964  }
5965 
5966  /* Construct and verify corresponding public key. */
5967  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
5968  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
5969 
5970  /* Verify exporting and importing public key. */
5971  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
5972  memset(&pubkey, 0, sizeof(pubkey));
5973  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
5974 
5975  /* Verify negation changes the key and changes it back */
5976  memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
5977  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
5978  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
5979  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
5980  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
5981 
5982  /* Verify private key import and export. */
5983  CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
5984  CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
5985  CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
5986 
5987  /* Optionally tweak the keys using addition. */
5988  if (secp256k1_testrand_int(3) == 0) {
5989  int ret1;
5990  int ret2;
5991  int ret3;
5992  unsigned char rnd[32];
5993  unsigned char privkey_tmp[32];
5994  secp256k1_pubkey pubkey2;
5995  secp256k1_testrand256_test(rnd);
5996  memcpy(privkey_tmp, privkey, 32);
5997  ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
5998  ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
5999  /* Check that privkey alias gives same result */
6000  ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
6001  CHECK(ret1 == ret2);
6002  CHECK(ret2 == ret3);
6003  if (ret1 == 0) {
6004  return;
6005  }
6006  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6007  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
6008  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6009  }
6010 
6011  /* Optionally tweak the keys using multiplication. */
6012  if (secp256k1_testrand_int(3) == 0) {
6013  int ret1;
6014  int ret2;
6015  int ret3;
6016  unsigned char rnd[32];
6017  unsigned char privkey_tmp[32];
6018  secp256k1_pubkey pubkey2;
6019  secp256k1_testrand256_test(rnd);
6020  memcpy(privkey_tmp, privkey, 32);
6021  ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
6022  ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
6023  /* Check that privkey alias gives same result */
6024  ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
6025  CHECK(ret1 == ret2);
6026  CHECK(ret2 == ret3);
6027  if (ret1 == 0) {
6028  return;
6029  }
6030  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6031  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
6032  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6033  }
6034 
6035  /* Sign. */
6036  CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
6037  CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
6038  CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
6039  extra[31] = 1;
6040  CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
6041  extra[31] = 0;
6042  extra[0] = 1;
6043  CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
6044  CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6045  CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6046  CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6047  CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6048  CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6049  CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6050  CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6051  /* Verify. */
6052  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
6053  CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
6054  CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
6055  CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
6056  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6057  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
6058  secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
6059  secp256k1_scalar_negate(&s, &s);
6060  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6061  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
6062  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6063  CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
6064  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6065  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
6066  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
6067  secp256k1_scalar_negate(&s, &s);
6068  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6069  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6070  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
6071  CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6072 
6073  /* Serialize/parse DER and verify again */
6074  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
6075  memset(&signature[0], 0, sizeof(signature[0]));
6076  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
6077  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
6078  /* Serialize/destroy/parse DER and verify again. */
6079  siglen = 74;
6080  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
6081  sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
6082  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
6083  secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
6084 }
6085 
6086 void test_random_pubkeys(void) {
6087  secp256k1_ge elem;
6088  secp256k1_ge elem2;
6089  unsigned char in[65];
6090  /* Generate some randomly sized pubkeys. */
6091  size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
6092  if (secp256k1_testrand_bits(2) == 0) {
6093  len = secp256k1_testrand_bits(6);
6094  }
6095  if (len == 65) {
6096  in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
6097  } else {
6098  in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
6099  }
6100  if (secp256k1_testrand_bits(3) == 0) {
6101  in[0] = secp256k1_testrand_bits(8);
6102  }
6103  if (len > 1) {
6104  secp256k1_testrand256(&in[1]);
6105  }
6106  if (len > 33) {
6107  secp256k1_testrand256(&in[33]);
6108  }
6109  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6110  unsigned char out[65];
6111  unsigned char firstb;
6112  int res;
6113  size_t size = len;
6114  firstb = in[0];
6115  /* If the pubkey can be parsed, it should round-trip... */
6116  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6117  CHECK(size == len);
6118  CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6119  /* ... except for the type of hybrid inputs. */
6120  if ((in[0] != 6) && (in[0] != 7)) {
6121  CHECK(in[0] == out[0]);
6122  }
6123  size = 65;
6124  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6125  CHECK(size == 65);
6126  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6127  ge_equals_ge(&elem,&elem2);
6128  /* Check that the X9.62 hybrid type is checked. */
6129  in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
6130  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6131  if (firstb == 2 || firstb == 3) {
6132  if (in[0] == firstb + 4) {
6133  CHECK(res);
6134  } else {
6135  CHECK(!res);
6136  }
6137  }
6138  if (res) {
6139  ge_equals_ge(&elem,&elem2);
6140  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6141  CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6142  }
6143  }
6144 }
6145 
6146 void run_pubkey_comparison(void) {
6147  unsigned char pk1_ser[33] = {
6148  0x02,
6149  0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6150  0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6151  };
6152  const unsigned char pk2_ser[33] = {
6153  0x02,
6154  0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6155  0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6156  };
6157  secp256k1_pubkey pk1;
6158  secp256k1_pubkey pk2;
6159  int32_t ecount = 0;
6160 
6161  CHECK(secp256k1_ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6162  CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6163 
6164  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6165  CHECK(secp256k1_ec_pubkey_cmp(ctx, NULL, &pk2) < 0);
6166  CHECK(ecount == 1);
6167  CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, NULL) > 0);
6168  CHECK(ecount == 2);
6169  CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
6170  CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
6171  CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk1) == 0);
6172  CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk2) == 0);
6173  CHECK(ecount == 2);
6174  {
6175  secp256k1_pubkey pk_tmp;
6176  memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6177  CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk2) < 0);
6178  CHECK(ecount == 3);
6179  CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk_tmp) == 0);
6180  CHECK(ecount == 5);
6181  CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk_tmp) > 0);
6182  CHECK(ecount == 6);
6183  }
6184 
6185  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
6186 
6187  /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6188  * an uncompressed encoding, these would have the opposite ordering */
6189  pk1_ser[0] = 3;
6190  CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6191  CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
6192  CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
6193 }
6194 
6195 void run_random_pubkeys(void) {
6196  int i;
6197  for (i = 0; i < 10*count; i++) {
6198  test_random_pubkeys();
6199  }
6200 }
6201 
6202 void run_ecdsa_end_to_end(void) {
6203  int i;
6204  for (i = 0; i < 64*count; i++) {
6205  test_ecdsa_end_to_end();
6206  }
6207 }
6208 
6209 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6210  static const unsigned char zeroes[32] = {0};
6211 
6212  int ret = 0;
6213 
6214  secp256k1_ecdsa_signature sig_der;
6215  unsigned char roundtrip_der[2048];
6216  unsigned char compact_der[64];
6217  size_t len_der = 2048;
6218  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6219 
6220  secp256k1_ecdsa_signature sig_der_lax;
6221  unsigned char roundtrip_der_lax[2048];
6222  unsigned char compact_der_lax[64];
6223  size_t len_der_lax = 2048;
6224  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6225 
6226  parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
6227  if (parsed_der) {
6228  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
6229  valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6230  }
6231  if (valid_der) {
6232  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
6233  roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6234  }
6235 
6236  parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
6237  if (parsed_der_lax) {
6238  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
6239  valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6240  }
6241  if (valid_der_lax) {
6242  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6243  roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6244  }
6245 
6246  if (certainly_der) {
6247  ret |= (!parsed_der) << 2;
6248  }
6249  if (certainly_not_der) {
6250  ret |= (parsed_der) << 17;
6251  }
6252  if (valid_der) {
6253  ret |= (!roundtrips_der) << 3;
6254  }
6255 
6256  if (valid_der) {
6257  ret |= (!roundtrips_der_lax) << 12;
6258  ret |= (len_der != len_der_lax) << 13;
6259  ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6260  }
6261  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6262  if (parsed_der) {
6263  ret |= (!parsed_der_lax) << 16;
6264  }
6265 
6266  return ret;
6267 }
6268 
6269 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6270  size_t i;
6271  for (i = 0; i < ptrlen; i++) {
6272  int shift = ptrlen - 1 - i;
6273  if (shift >= 4) {
6274  ptr[i] = 0;
6275  } else {
6276  ptr[i] = (val >> shift) & 0xFF;
6277  }
6278  }
6279 }
6280 
6281 static void damage_array(unsigned char *sig, size_t *len) {
6282  int pos;
6283  int action = secp256k1_testrand_bits(3);
6284  if (action < 1 && *len > 3) {
6285  /* Delete a byte. */
6286  pos = secp256k1_testrand_int(*len);
6287  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6288  (*len)--;
6289  return;
6290  } else if (action < 2 && *len < 2048) {
6291  /* Insert a byte. */
6292  pos = secp256k1_testrand_int(1 + *len);
6293  memmove(sig + pos + 1, sig + pos, *len - pos);
6294  sig[pos] = secp256k1_testrand_bits(8);
6295  (*len)++;
6296  return;
6297  } else if (action < 4) {
6298  /* Modify a byte. */
6299  sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
6300  return;
6301  } else { /* action < 8 */
6302  /* Modify a bit. */
6303  sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
6304  return;
6305  }
6306 }
6307 
6308 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6309  int der;
6310  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6311  size_t tlen, elen, glen;
6312  int indet;
6313  int n;
6314 
6315  *len = 0;
6316  der = secp256k1_testrand_bits(2) == 0;
6317  *certainly_der = der;
6318  *certainly_not_der = 0;
6319  indet = der ? 0 : secp256k1_testrand_int(10) == 0;
6320 
6321  for (n = 0; n < 2; n++) {
6322  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6323  nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
6324  /* The length of the number in bytes (the first byte of which will always be nonzero) */
6325  nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
6326  CHECK(nlen[n] <= 232);
6327  /* The top bit of the number. */
6328  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
6329  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6330  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
6331  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6332  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
6333  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6334  *certainly_not_der = 1;
6335  }
6336  CHECK(nlen[n] + nzlen[n] <= 300);
6337  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6338  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6339  if (!der) {
6340  /* nlenlen[n] max 127 bytes */
6341  int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6342  nlenlen[n] += add;
6343  if (add != 0) {
6344  *certainly_not_der = 1;
6345  }
6346  }
6347  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6348  }
6349 
6350  /* The total length of the data to go, so far */
6351  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6352  CHECK(tlen <= 856);
6353 
6354  /* The length of the garbage inside the tuple. */
6355  elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
6356  if (elen != 0) {
6357  *certainly_not_der = 1;
6358  }
6359  tlen += elen;
6360  CHECK(tlen <= 980);
6361 
6362  /* The length of the garbage after the end of the tuple. */
6363  glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
6364  if (glen != 0) {
6365  *certainly_not_der = 1;
6366  }
6367  CHECK(tlen + glen <= 990);
6368 
6369  /* Write the tuple header. */
6370  sig[(*len)++] = 0x30;
6371  if (indet) {
6372  /* Indeterminate length */
6373  sig[(*len)++] = 0x80;
6374  *certainly_not_der = 1;
6375  } else {
6376  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6377  if (!der) {
6378  int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6379  tlenlen += add;
6380  if (add != 0) {
6381  *certainly_not_der = 1;
6382  }
6383  }
6384  if (tlenlen == 0) {
6385  /* Short length notation */
6386  sig[(*len)++] = tlen;
6387  } else {
6388  /* Long length notation */
6389  sig[(*len)++] = 128 + tlenlen;
6390  assign_big_endian(sig + *len, tlenlen, tlen);
6391  *len += tlenlen;
6392  }
6393  tlen += tlenlen;
6394  }
6395  tlen += 2;
6396  CHECK(tlen + glen <= 1119);
6397 
6398  for (n = 0; n < 2; n++) {
6399  /* Write the integer header. */
6400  sig[(*len)++] = 0x02;
6401  if (nlenlen[n] == 0) {
6402  /* Short length notation */
6403  sig[(*len)++] = nlen[n] + nzlen[n];
6404  } else {
6405  /* Long length notation. */
6406  sig[(*len)++] = 128 + nlenlen[n];
6407  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6408  *len += nlenlen[n];
6409  }
6410  /* Write zero padding */
6411  while (nzlen[n] > 0) {
6412  sig[(*len)++] = 0x00;
6413  nzlen[n]--;
6414  }
6415  if (nlen[n] == 32 && !nlow[n]) {
6416  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6417  int i;
6418  for (i = 0; i < 16; i++) {
6419  sig[(*len)++] = 0xFF;
6420  }
6421  nlen[n] -= 16;
6422  }
6423  /* Write first byte of number */
6424  if (nlen[n] > 0) {
6425  sig[(*len)++] = nhbyte[n];
6426  nlen[n]--;
6427  }
6428  /* Generate remaining random bytes of number */
6429  secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
6430  *len += nlen[n];
6431  nlen[n] = 0;
6432  }
6433 
6434  /* Generate random garbage inside tuple. */
6435  secp256k1_testrand_bytes_test(sig + *len, elen);
6436  *len += elen;
6437 
6438  /* Generate end-of-contents bytes. */
6439  if (indet) {
6440  sig[(*len)++] = 0;
6441  sig[(*len)++] = 0;
6442  tlen += 2;
6443  }
6444  CHECK(tlen + glen <= 1121);
6445 
6446  /* Generate random garbage outside tuple. */
6447  secp256k1_testrand_bytes_test(sig + *len, glen);
6448  *len += glen;
6449  tlen += glen;
6450  CHECK(tlen <= 1121);
6451  CHECK(tlen == *len);
6452 }
6453 
6454 void run_ecdsa_der_parse(void) {
6455  int i,j;
6456  for (i = 0; i < 200 * count; i++) {
6457  unsigned char buffer[2048];
6458  size_t buflen = 0;
6459  int certainly_der = 0;
6460  int certainly_not_der = 0;
6461  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
6462  CHECK(buflen <= 2048);
6463  for (j = 0; j < 16; j++) {
6464  int ret = 0;
6465  if (j > 0) {
6466  damage_array(buffer, &buflen);
6467  /* We don't know anything anymore about the DERness of the result */
6468  certainly_der = 0;
6469  certainly_not_der = 0;
6470  }
6471  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
6472  if (ret != 0) {
6473  size_t k;
6474  fprintf(stderr, "Failure %x on ", ret);
6475  for (k = 0; k < buflen; k++) {
6476  fprintf(stderr, "%02x ", buffer[k]);
6477  }
6478  fprintf(stderr, "\n");
6479  }
6480  CHECK(ret == 0);
6481  }
6482  }
6483 }
6484 
6485 /* Tests several edge cases. */
6486 void test_ecdsa_edge_cases(void) {
6487  int t;
6488  secp256k1_ecdsa_signature sig;
6489 
6490  /* Test the case where ECDSA recomputes a point that is infinity. */
6491  {
6492  secp256k1_gej keyj;
6493  secp256k1_ge key;
6494  secp256k1_scalar msg;
6495  secp256k1_scalar sr, ss;
6496  secp256k1_scalar_set_int(&ss, 1);
6497  secp256k1_scalar_negate(&ss, &ss);
6498  secp256k1_scalar_inverse(&ss, &ss);
6499  secp256k1_scalar_set_int(&sr, 1);
6500  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
6501  secp256k1_ge_set_gej(&key, &keyj);
6502  msg = ss;
6503  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6504  }
6505 
6506  /* Verify signature with r of zero fails. */
6507  {
6508  const unsigned char pubkey_mods_zero[33] = {
6509  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6510  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6511  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6512  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6513  0x41
6514  };
6515  secp256k1_ge key;
6516  secp256k1_scalar msg;
6517  secp256k1_scalar sr, ss;
6518  secp256k1_scalar_set_int(&ss, 1);
6519  secp256k1_scalar_set_int(&msg, 0);
6520  secp256k1_scalar_set_int(&sr, 0);
6521  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
6522  CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
6523  }
6524 
6525  /* Verify signature with s of zero fails. */
6526  {
6527  const unsigned char pubkey[33] = {
6528  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6529  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6530  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6531  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6532  0x01
6533  };
6534  secp256k1_ge key;
6535  secp256k1_scalar msg;
6536  secp256k1_scalar sr, ss;
6537  secp256k1_scalar_set_int(&ss, 0);
6538  secp256k1_scalar_set_int(&msg, 0);
6539  secp256k1_scalar_set_int(&sr, 1);
6540  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6541  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6542  }
6543 
6544  /* Verify signature with message 0 passes. */
6545  {
6546  const unsigned char pubkey[33] = {
6547  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6548  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6549  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6550  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6551  0x02
6552  };
6553  const unsigned char pubkey2[33] = {
6554  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6555  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6556  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6557  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6558  0x43
6559  };
6560  secp256k1_ge key;
6561  secp256k1_ge key2;
6562  secp256k1_scalar msg;
6563  secp256k1_scalar sr, ss;
6564  secp256k1_scalar_set_int(&ss, 2);
6565  secp256k1_scalar_set_int(&msg, 0);
6566  secp256k1_scalar_set_int(&sr, 2);
6567  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6568  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
6569  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6570  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6571  secp256k1_scalar_negate(&ss, &ss);
6572  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6573  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6574  secp256k1_scalar_set_int(&ss, 1);
6575  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6576  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
6577  }
6578 
6579  /* Verify signature with message 1 passes. */
6580  {
6581  const unsigned char pubkey[33] = {
6582  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
6583  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
6584  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
6585  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
6586  0x25
6587  };
6588  const unsigned char pubkey2[33] = {
6589  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
6590  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
6591  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
6592  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
6593  0x62
6594  };
6595  const unsigned char csr[32] = {
6596  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6597  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6598  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
6599  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
6600  };
6601  secp256k1_ge key;
6602  secp256k1_ge key2;
6603  secp256k1_scalar msg;
6604  secp256k1_scalar sr, ss;
6605  secp256k1_scalar_set_int(&ss, 1);
6606  secp256k1_scalar_set_int(&msg, 1);
6607  secp256k1_scalar_set_b32(&sr, csr, NULL);
6608  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6609  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
6610  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6611  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6612  secp256k1_scalar_negate(&ss, &ss);
6613  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6614  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6615  secp256k1_scalar_set_int(&ss, 2);
6616  secp256k1_scalar_inverse_var(&ss, &ss);
6617  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6618  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
6619  }
6620 
6621  /* Verify signature with message -1 passes. */
6622  {
6623  const unsigned char pubkey[33] = {
6624  0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
6625  0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
6626  0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
6627  0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
6628  0xf1
6629  };
6630  const unsigned char csr[32] = {
6631  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6632  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6633  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
6634  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
6635  };
6636  secp256k1_ge key;
6637  secp256k1_scalar msg;
6638  secp256k1_scalar sr, ss;
6639  secp256k1_scalar_set_int(&ss, 1);
6640  secp256k1_scalar_set_int(&msg, 1);
6641  secp256k1_scalar_negate(&msg, &msg);
6642  secp256k1_scalar_set_b32(&sr, csr, NULL);
6643  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6644  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6645  secp256k1_scalar_negate(&ss, &ss);
6646  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6647  secp256k1_scalar_set_int(&ss, 3);
6648  secp256k1_scalar_inverse_var(&ss, &ss);
6649  CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6650  }
6651 
6652  /* Signature where s would be zero. */
6653  {
6654  secp256k1_pubkey pubkey;
6655  size_t siglen;
6656  int32_t ecount;
6657  unsigned char signature[72];
6658  static const unsigned char nonce[32] = {
6659  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6660  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6661  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6662  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6663  };
6664  static const unsigned char nonce2[32] = {
6665  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6666  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6667  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6668  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
6669  };
6670  const unsigned char key[32] = {
6671  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6672  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6673  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6674  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6675  };
6676  unsigned char msg[32] = {
6677  0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
6678  0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
6679  0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
6680  0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
6681  };
6682  ecount = 0;
6683  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6684  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
6685  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
6686  msg[31] = 0xaa;
6687  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
6688  CHECK(ecount == 0);
6689  CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
6690  CHECK(ecount == 1);
6691  CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
6692  CHECK(ecount == 2);
6693  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
6694  CHECK(ecount == 3);
6695  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
6696  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
6697  CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
6698  CHECK(ecount == 4);
6699  CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
6700  CHECK(ecount == 5);
6701  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
6702  CHECK(ecount == 6);
6703  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
6704  CHECK(ecount == 6);
6705  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
6706  CHECK(ecount == 7);
6707  /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
6708  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
6709  CHECK(ecount == 8);
6710  siglen = 72;
6711  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
6712  CHECK(ecount == 9);
6713  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
6714  CHECK(ecount == 10);
6715  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
6716  CHECK(ecount == 11);
6717  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
6718  CHECK(ecount == 11);
6719  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
6720  CHECK(ecount == 12);
6721  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
6722  CHECK(ecount == 13);
6723  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
6724  CHECK(ecount == 13);
6725  siglen = 10;
6726  /* Too little room for a signature does not fail via ARGCHECK. */
6727  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
6728  CHECK(ecount == 13);
6729  ecount = 0;
6730  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
6731  CHECK(ecount == 1);
6732  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
6733  CHECK(ecount == 2);
6734  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
6735  CHECK(ecount == 3);
6736  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
6737  CHECK(ecount == 3);
6738  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
6739  CHECK(ecount == 4);
6740  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
6741  CHECK(ecount == 5);
6742  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
6743  CHECK(ecount == 5);
6744  memset(signature, 255, 64);
6745  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
6746  CHECK(ecount == 5);
6747  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
6748  }
6749 
6750  /* Nonce function corner cases. */
6751  for (t = 0; t < 2; t++) {
6752  static const unsigned char zero[32] = {0x00};
6753  int i;
6754  unsigned char key[32];
6755  unsigned char msg[32];
6756  secp256k1_ecdsa_signature sig2;
6757  secp256k1_scalar sr[512], ss;
6758  const unsigned char *extra;
6759  extra = t == 0 ? NULL : zero;
6760  memset(msg, 0, 32);
6761  msg[31] = 1;
6762  /* High key results in signature failure. */
6763  memset(key, 0xFF, 32);
6764  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
6765  CHECK(is_empty_signature(&sig));
6766  /* Zero key results in signature failure. */
6767  memset(key, 0, 32);
6768  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
6769  CHECK(is_empty_signature(&sig));
6770  /* Nonce function failure results in signature failure. */
6771  key[31] = 1;
6772  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
6773  CHECK(is_empty_signature(&sig));
6774  /* The retry loop successfully makes its way to the first good value. */
6775  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
6776  CHECK(!is_empty_signature(&sig));
6777  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
6778  CHECK(!is_empty_signature(&sig2));
6779  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
6780  /* The default nonce function is deterministic. */
6781  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6782  CHECK(!is_empty_signature(&sig2));
6783  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
6784  /* The default nonce function changes output with different messages. */
6785  for(i = 0; i < 256; i++) {
6786  int j;
6787  msg[0] = i;
6788  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6789  CHECK(!is_empty_signature(&sig2));
6790  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
6791  for (j = 0; j < i; j++) {
6792  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
6793  }
6794  }
6795  msg[0] = 0;
6796  msg[31] = 2;
6797  /* The default nonce function changes output with different keys. */
6798  for(i = 256; i < 512; i++) {
6799  int j;
6800  key[0] = i - 256;
6801  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6802  CHECK(!is_empty_signature(&sig2));
6803  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
6804  for (j = 0; j < i; j++) {
6805  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
6806  }
6807  }
6808  key[0] = 0;
6809  }
6810 
6811  {
6812  /* Check that optional nonce arguments do not have equivalent effect. */
6813  const unsigned char zeros[32] = {0};
6814  unsigned char nonce[32];
6815  unsigned char nonce2[32];
6816  unsigned char nonce3[32];
6817  unsigned char nonce4[32];
6818  VG_UNDEF(nonce,32);
6819  VG_UNDEF(nonce2,32);
6820  VG_UNDEF(nonce3,32);
6821  VG_UNDEF(nonce4,32);
6822  CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
6823  VG_CHECK(nonce,32);
6824  CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
6825  VG_CHECK(nonce2,32);
6826  CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
6827  VG_CHECK(nonce3,32);
6828  CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
6829  VG_CHECK(nonce4,32);
6830  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
6831  CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
6832  CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
6833  CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
6834  CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
6835  CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
6836  }
6837 
6838 
6839  /* Privkey export where pubkey is the point at infinity. */
6840  {
6841  unsigned char privkey[300];
6842  unsigned char seckey[32] = {
6843  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6844  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6845  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6846  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
6847  };
6848  size_t outlen = 300;
6849  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
6850  outlen = 300;
6851  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
6852  }
6853 }
6854 
6855 void run_ecdsa_edge_cases(void) {
6856  test_ecdsa_edge_cases();
6857 }
6858 
6859 #ifdef ENABLE_MODULE_ECDH
6860 # include "modules/ecdh/tests_impl.h"
6861 #endif
6862 
6863 #ifdef ENABLE_MODULE_RECOVERY
6864 # include "modules/recovery/tests_impl.h"
6865 #endif
6866 
6867 #ifdef ENABLE_MODULE_EXTRAKEYS
6868 # include "modules/extrakeys/tests_impl.h"
6869 #endif
6870 
6871 #ifdef ENABLE_MODULE_SCHNORRSIG
6872 # include "modules/schnorrsig/tests_impl.h"
6873 #endif
6874 
6875 void run_secp256k1_memczero_test(void) {
6876  unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
6877  unsigned char buf2[sizeof(buf1)];
6878 
6879  /* secp256k1_memczero(..., ..., 0) is a noop. */
6880  memcpy(buf2, buf1, sizeof(buf1));
6881  secp256k1_memczero(buf1, sizeof(buf1), 0);
6882  CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
6883 
6884  /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
6885  memset(buf2, 0, sizeof(buf2));
6886  secp256k1_memczero(buf1, sizeof(buf1) , 1);
6887  CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
6888 }
6889 
6890 void run_secp256k1_byteorder_tests(void) {
6891  const uint32_t x = 0xFF03AB45;
6892  const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
6893  unsigned char buf[4];
6894  uint32_t x_;
6895 
6896  secp256k1_write_be32(buf, x);
6897  CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
6898 
6899  x_ = secp256k1_read_be32(buf);
6900  CHECK(x == x_);
6901 }
6902 
6903 void int_cmov_test(void) {
6904  int r = INT_MAX;
6905  int a = 0;
6906 
6907  secp256k1_int_cmov(&r, &a, 0);
6908  CHECK(r == INT_MAX);
6909 
6910  r = 0; a = INT_MAX;
6911  secp256k1_int_cmov(&r, &a, 1);
6912  CHECK(r == INT_MAX);
6913 
6914  a = 0;
6915  secp256k1_int_cmov(&r, &a, 1);
6916  CHECK(r == 0);
6917 
6918  a = 1;
6919  secp256k1_int_cmov(&r, &a, 1);
6920  CHECK(r == 1);
6921 
6922  r = 1; a = 0;
6923  secp256k1_int_cmov(&r, &a, 0);
6924  CHECK(r == 1);
6925 
6926 }
6927 
6928 void fe_cmov_test(void) {
6929  static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6930  static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6931  static const secp256k1_fe max = SECP256K1_FE_CONST(
6932  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6933  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6934  );
6935  secp256k1_fe r = max;
6936  secp256k1_fe a = zero;
6937 
6938  secp256k1_fe_cmov(&r, &a, 0);
6939  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6940 
6941  r = zero; a = max;
6942  secp256k1_fe_cmov(&r, &a, 1);
6943  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6944 
6945  a = zero;
6946  secp256k1_fe_cmov(&r, &a, 1);
6947  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6948 
6949  a = one;
6950  secp256k1_fe_cmov(&r, &a, 1);
6951  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6952 
6953  r = one; a = zero;
6954  secp256k1_fe_cmov(&r, &a, 0);
6955  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6956 }
6957 
6958 void fe_storage_cmov_test(void) {
6959  static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6960  static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6961  static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
6962  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6963  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6964  );
6965  secp256k1_fe_storage r = max;
6966  secp256k1_fe_storage a = zero;
6967 
6968  secp256k1_fe_storage_cmov(&r, &a, 0);
6969  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6970 
6971  r = zero; a = max;
6972  secp256k1_fe_storage_cmov(&r, &a, 1);
6973  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6974 
6975  a = zero;
6976  secp256k1_fe_storage_cmov(&r, &a, 1);
6977  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6978 
6979  a = one;
6980  secp256k1_fe_storage_cmov(&r, &a, 1);
6981  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6982 
6983  r = one; a = zero;
6984  secp256k1_fe_storage_cmov(&r, &a, 0);
6985  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6986 }
6987 
6988 void scalar_cmov_test(void) {
6989  static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6990  static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6991  static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
6992  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6993  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6994  );
6995  secp256k1_scalar r = max;
6996  secp256k1_scalar a = zero;
6997 
6998  secp256k1_scalar_cmov(&r, &a, 0);
6999  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7000 
7001  r = zero; a = max;
7002  secp256k1_scalar_cmov(&r, &a, 1);
7003  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7004 
7005  a = zero;
7006  secp256k1_scalar_cmov(&r, &a, 1);
7007  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7008 
7009  a = one;
7010  secp256k1_scalar_cmov(&r, &a, 1);
7011  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7012 
7013  r = one; a = zero;
7014  secp256k1_scalar_cmov(&r, &a, 0);
7015  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7016 }
7017 
7018 void ge_storage_cmov_test(void) {
7019  static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7020  static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7021  static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
7022  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7023  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7024  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7025  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7026  );
7027  secp256k1_ge_storage r = max;
7028  secp256k1_ge_storage a = zero;
7029 
7030  secp256k1_ge_storage_cmov(&r, &a, 0);
7031  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7032 
7033  r = zero; a = max;
7034  secp256k1_ge_storage_cmov(&r, &a, 1);
7035  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7036 
7037  a = zero;
7038  secp256k1_ge_storage_cmov(&r, &a, 1);
7039  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7040 
7041  a = one;
7042  secp256k1_ge_storage_cmov(&r, &a, 1);
7043  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7044 
7045  r = one; a = zero;
7046  secp256k1_ge_storage_cmov(&r, &a, 0);
7047  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7048 }
7049 
7050 void run_cmov_tests(void) {
7051  int_cmov_test();
7052  fe_cmov_test();
7053  fe_storage_cmov_test();
7054  scalar_cmov_test();
7055  ge_storage_cmov_test();
7056 }
7057 
7058 int main(int argc, char **argv) {
7059  /* Disable buffering for stdout to improve reliability of getting
7060  * diagnostic information. Happens right at the start of main because
7061  * setbuf must be used before any other operation on the stream. */
7062  setbuf(stdout, NULL);
7063  /* Also disable buffering for stderr because it's not guaranteed that it's
7064  * unbuffered on all systems. */
7065  setbuf(stderr, NULL);
7066 
7067  /* find iteration count */
7068  if (argc > 1) {
7069  count = strtol(argv[1], NULL, 0);
7070  } else {
7071  const char* env = getenv("SECP256K1_TEST_ITERS");
7072  if (env && strlen(env) > 0) {
7073  count = strtol(env, NULL, 0);
7074  }
7075  }
7076  if (count <= 0) {
7077  fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7078  return EXIT_FAILURE;
7079  }
7080  printf("test count = %i\n", count);
7081 
7082  /* find random seed */
7083  secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
7084 
7085  /* initialize */
7086  run_context_tests(0);
7087  run_context_tests(1);
7088  run_scratch_tests();
7089  ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
7090  if (secp256k1_testrand_bits(1)) {
7091  unsigned char rand32[32];
7092  secp256k1_testrand256(rand32);
7093  CHECK(secp256k1_context_randomize(ctx, secp256k1_testrand_bits(1) ? rand32 : NULL));
7094  }
7095 
7096  run_rand_bits();
7097  run_rand_int();
7098 
7099  run_ctz_tests();
7100  run_modinv_tests();
7101  run_inverse_tests();
7102 
7103  run_sha256_known_output_tests();
7104  run_sha256_counter_tests();
7105  run_hmac_sha256_tests();
7106  run_rfc6979_hmac_sha256_tests();
7107  run_tagged_sha256_tests();
7108 
7109  /* scalar tests */
7110  run_scalar_tests();
7111 
7112  /* field tests */
7113  run_field_half();
7114  run_field_misc();
7115  run_field_convert();
7116  run_fe_mul();
7117  run_sqr();
7118  run_sqrt();
7119 
7120  /* group tests */
7121  run_ge();
7122  run_gej();
7123  run_group_decompress();
7124 
7125  /* ecmult tests */
7126  run_ecmult_pre_g();
7127  run_wnaf();
7128  run_point_times_order();
7129  run_ecmult_near_split_bound();
7130  run_ecmult_chain();
7131  run_ecmult_constants();
7132  run_ecmult_gen_blind();
7133  run_ecmult_const_tests();
7134  run_ecmult_multi_tests();
7135  run_ec_combine();
7136 
7137  /* endomorphism tests */
7138  run_endomorphism_tests();
7139 
7140  /* EC point parser test */
7141  run_ec_pubkey_parse_test();
7142 
7143  /* EC key edge cases */
7144  run_eckey_edge_case_test();
7145 
7146  /* EC key arithmetic test */
7147  run_eckey_negate_test();
7148 
7149 #ifdef ENABLE_MODULE_ECDH
7150  /* ecdh tests */
7151  run_ecdh_tests();
7152 #endif
7153 
7154  /* ecdsa tests */
7155  run_pubkey_comparison();
7156  run_random_pubkeys();
7157  run_ecdsa_der_parse();
7158  run_ecdsa_sign_verify();
7159  run_ecdsa_end_to_end();
7160  run_ecdsa_edge_cases();
7161 
7162 #ifdef ENABLE_MODULE_RECOVERY
7163  /* ECDSA pubkey recovery tests */
7164  run_recovery_tests();
7165 #endif
7166 
7167 #ifdef ENABLE_MODULE_EXTRAKEYS
7168  run_extrakeys_tests();
7169 #endif
7170 
7171 #ifdef ENABLE_MODULE_SCHNORRSIG
7172  run_schnorrsig_tests();
7173 #endif
7174 
7175  /* util tests */
7176  run_secp256k1_memczero_test();
7177  run_secp256k1_byteorder_tests();
7178 
7179  run_cmov_tests();
7180 
7181  secp256k1_testrand_finish();
7182 
7183  /* shutdown */
7184  secp256k1_context_destroy(ctx);
7185 
7186  printf("no problems found\n");
7187  return 0;
7188 }
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:514
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
test_intialized_inf
void test_intialized_inf(void)
Definition: tests.c:3428
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:59
secp256k1_context_preallocated_create
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:82
run_hmac_sha256_tests
void run_hmac_sha256_tests(void)
Definition: tests.c:613
secp256k1_ec_privkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_negate instead")
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:584
test_gej_cmov
void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3536
test_ecmult_constants_sha
void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:4985
secp256k1_modinv32_modinfo
Definition: modinv32.h:23
run_cmov_tests
void run_cmov_tests(void)
Definition: tests.c:7050
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
check_fe_equal
int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2547
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:24
test_secp256k1_pippenger_bucket_window_inv
void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:4469
secp256k1_fe
Definition: field_10x26.h:12
ret
int ret
Definition: bitcoin-cli.cpp:1242
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:4024
secp256k1_ec_seckey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:659
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
random_fe
void random_fe(secp256k1_fe *x)
Definition: tests.c:2506
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:153
test_add_neg_y_diff_x
void test_add_neg_y_diff_x(void)
Definition: tests.c:3460
secp256k1_scalar_is_even
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:720
run_ecmult_const_tests
void run_ecmult_const_tests(void)
Definition: tests.c:4015
secp256k1_fe_half
static void secp256k1_fe_half(secp256k1_fe *r)
Halves the value of a field element modulo the field prime.
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:637
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:368
test_point_times_order
void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:3783
ECMULT_TABLE_SIZE
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:30
secp256k1_fe_normalizes_to_zero_var
static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r)
Verify whether a field element represents zero i.e.
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
coprime
int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1047
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:810
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:381
run_group_decompress
void run_group_decompress(void)
Definition: tests.c:3634
secp256k1_fe_mul
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Sets a field element to be the product of two others.
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
tests_impl.h
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:29
tests_impl.h
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
nonce
unsigned int nonce
Definition: miner_tests.cpp:60
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_modinv64_modinfo
Definition: modinv64.h:27
run_scalar_tests
void run_scalar_tests(void)
Definition: tests.c:1898
test_sqrt
void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:2818
secp256k1_pre_g
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:20
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:706
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:5898
run_inverse_tests
void run_inverse_tests(void)
Definition: tests.c:2932
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:683
ALIGNMENT
#define ALIGNMENT
Definition: util.h:140
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:421
SECP256K1_GE_STORAGE_CONST
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
cs
static void pool cs
Definition: mempool_eviction.cpp:12
test_random_pubkeys
void test_random_pubkeys(void)
Definition: tests.c:6086
run_modinv_tests
void run_modinv_tests(void)
Definition: tests.c:1077
secp256k1_fe_negate
static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
Set a field element equal to the additive inverse of another.
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:5906
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_pre_g_128
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:8240
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
Definition: lax_der_privatekey_parsing.c:55
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6269
secp256k1_fe_from_storage
static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
Convert a field element back from the storage type.
prefix
const char * prefix
Definition: rest.cpp:938
modinv32_impl.h
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:35
secp256k1_ctz32_var
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:281
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:202
secp256k1_read_be32
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:317
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
run_field_misc
void run_field_misc(void)
Definition: tests.c:2646
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
run_ge
void run_ge(void)
Definition: tests.c:3527
run_sqrt
void run_sqrt(void)
Definition: tests.c:2832
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
run_random_pubkeys
void run_random_pubkeys(void)
Definition: tests.c:6195
secp256k1_ec_seckey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:569
run_rand_int
void run_rand_int(void)
Definition: tests.c:791
secp256k1_scalar_shr_int
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:214
secp256k1_fe_cmov
static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
test_wnaf
void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:4664
run_pubkey_comparison
void run_pubkey_comparison(void)
Definition: tests.c:6146
uint16_to_signed30
void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:903
secp256k1_sha256
Definition: hash.h:13
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b&#39;s Z coordinate passed as bzinv)...
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:146
test_ecmult_multi
void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4042
secp256k1_scratch_checkpoint
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
random_scalar_order
void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:124
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
random_fe_non_zero
void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:2526
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:246
secp256k1_context_preallocated_size
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory...
Definition: secp256k1.c:62
test_fixed_wnaf
void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:4753
secp256k1_wnaf_const
static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size)
Convert a number to WNAF notation.
Definition: ecmult_const_impl.h:69
testrand_impl.h
run_ecmult_constants
void run_ecmult_constants(void)
Definition: tests.c:5028
run_gej
void run_gej(void)
Definition: tests.c:3544
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:20
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_fe_set_int
static void secp256k1_fe_set_int(secp256k1_fe *r, int a)
Set a field element equal to a small (not greater than 0x7FFF), non-negative integer.
secp256k1_scratch_space_struct::alloc_size
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
secp256k1_ec_seckey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:615
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:29
secp256k1_context_preallocated_destroy
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:139
secp256k1_context_struct
Definition: secp256k1.c:47
run_secp256k1_byteorder_tests
void run_secp256k1_byteorder_tests(void)
Definition: tests.c:6890
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_add instead")
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:631
run_rand_bits
void run_rand_bits(void)
Definition: tests.c:783
secp256k1_fe_to_storage
static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
Convert a field element to the storage type.
ge_equals_ge
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:3180
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:200
run_ecdsa_sign_verify
void run_ecdsa_sign_verify(void)
Definition: tests.c:5882
random_field_element_test
void random_field_element_test(secp256k1_fe *fe)
Definition: tests.c:52
test_ecmult_multi_pippenger_max_points
void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:4489
run_sha256_counter_tests
void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:555
scalar_cmov_test
void scalar_cmov_test(void)
Definition: tests.c:6988
test_ec_combine
void test_ec_combine(void)
Definition: tests.c:3567
random_sign
void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:5848
test_fixed_wnaf_small_helper
void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:4790
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:309
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:40
test_ecmult_gen_blind_reset
void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5085
secp256k1_fe_clear
static void secp256k1_fe_clear(secp256k1_fe *a)
Sets a field element equal to zero, initializing all fields.
mutate_sign_signed30
void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:921
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_scratch_alloc
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_fe_add
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Adds a field element to another.
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6281
secp256k1_fe_mul_int
static void secp256k1_fe_mul_int(secp256k1_fe *r, int a)
Multiplies the passed field element with a small integer constant.
ge_equals_gej
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:3211
secp256k1_fe_is_odd
static int secp256k1_fe_is_odd(const secp256k1_fe *a)
Check the "oddness" of a field element.
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
run_eckey_edge_case_test
void run_eckey_edge_case_test(void)
Definition: tests.c:5557
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:32
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
secp256k1_ecmult
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
sum
volatile double sum
Definition: examples.cpp:10
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
Definition: lax_der_privatekey_parsing.c:11
test_ecdsa_der_parse
int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6209
fe_storage_cmov_test
void fe_storage_cmov_test(void)
Definition: tests.c:6958
run_ecdh_tests
void run_ecdh_tests(void)
Definition: tests_impl.h:158
ecmult_multi_data
Definition: tests.c:4022
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:62
fe_minus_one
static const secp256k1_fe fe_minus_one
Definition: tests.c:2873
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:551
modinv2p64
uint64_t modinv2p64(uint64_t x)
Definition: tests.c:805
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:642
test_rand_int
void test_rand_int(uint32_t range, uint32_t subrange)
Definition: tests.c:767
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:206
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:205
run_extrakeys_tests
void run_extrakeys_tests(void)
Definition: tests_impl.h:582
run_rfc6979_hmac_sha256_tests
void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:657
secp256k1_testrand256_test
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
run_ec_pubkey_parse_test
void run_ec_pubkey_parse_test(void)
Definition: tests.c:5229
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
test_inverse_scalar
void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:2885
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
run_scalar_set_b32_seckey_tests
void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:1881
secp256k1_write_be32
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:325
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:528
secp256k1_ge_storage
Definition: group.h:38
secp256k1_ctz64_var
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:299
run_ecmult_gen_blind
void run_ecmult_gen_blind(void)
Definition: tests.c:5097
test_modinv32_uint16
void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:936
secp256k1_modinv32_var
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
run_ecdsa_der_parse
void run_ecdsa_der_parse(void)
Definition: tests.c:6454
run_sha256_known_output_tests
void run_sha256_known_output_tests(void)
Definition: tests.c:454
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
run_secp256k1_memczero_test
void run_secp256k1_memczero_test(void)
Definition: tests.c:6875
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:24
run_context_tests
void run_context_tests(int use_prealloc)
Definition: tests.c:143
test_inverse_field
void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:2907
secp256k1_scratch_space_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t size) SECP256K1_ARG_NONNULL(1)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:171
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits)
Multiply: R = q*A (in constant-time) Here bits should be set to the maximum bitlength of the absolute...
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4027
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:48
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:599
run_field_convert
void run_field_convert(void)
Definition: tests.c:2555
secp256k1_fe_one
static const secp256k1_fe secp256k1_fe_one
Field element module.
Definition: field.h:35
test_ecmult_accumulate_cb
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:4900
scalar_minus_one
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:2868
secp256k1_testrand_init
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL...
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
secp256k1_ecmult_strauss_batch_single
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:395
ecmult_const_mult_zero_one
void ecmult_const_mult_zero_one(void)
Definition: tests.c:3967
ge_storage_cmov_test
void ge_storage_cmov_test(void)
Definition: tests.c:7018
ctx
static secp256k1_context * ctx
Definition: tests.c:34
run_ecmult_chain
void run_ecmult_chain(void)
Definition: tests.c:3719
is_empty_signature
int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:5936
test_ecmult_multi_batch_size_helper
void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:4522
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
tests_impl.h
WNAF_SIZE_BITS
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:45
secp256k1_gej::infinity
int infinity
Definition: group.h:32
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
test_ecmult_multi_random
int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4281
mulmod256
void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:821
secp256k1_modinv32_signed30
Definition: modinv32.h:19
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise...
secp256k1_modinv32_signed30::v
int32_t v[9]
Definition: modinv32.h:20
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:570
test_group_decompress
void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:3599
run_ecdsa_end_to_end
void run_ecdsa_end_to_end(void)
Definition: tests.c:6202
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:410
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:714
test_constant_wnaf_negate
void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:4698
run_fe_mul
void run_fe_mul(void)
Definition: tests.c:2781
tests_impl.h
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
ec_pubkey_parse_pointtest
void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5154
secp256k1_fe_get_bounds
static void secp256k1_fe_get_bounds(secp256k1_fe *r, int m)
Sets each limb of &#39;r&#39; to its upper bound at magnitude &#39;m&#39;.
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
test_ecmult_multi_batching
void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:4570
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:228
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
signed30_to_uint16
void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:912
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_scalar_split_lambda
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
fe_cmov_test
void fe_cmov_test(void)
Definition: tests.c:6928
secp256k1_modinv64_signed62
Definition: modinv64.h:23
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17
run_sqr
void run_sqr(void)
Definition: tests.c:2802
secp256k1_fe_normalize_weak
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Weakly normalize a field element: reduce its magnitude to 1, but don&#39;t fully normalize.
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
secp256k1_ge_storage_cmov
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ctz64_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:270
test_scalar_split
void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5106
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
run_ctz_tests
void run_ctz_tests(void)
Definition: tests.c:433
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_fe::n
uint32_t n[10]
Definition: field_10x26.h:16
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:350
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
test_fixed_wnaf_small
void test_fixed_wnaf_small(void)
Definition: tests.c:4800
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast...
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:162
secp256k1_ge::infinity
int infinity
Definition: group.h:19
test_pre_g_table
void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:3645
test_fe_mul
void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:2738
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
main
int main(int argc, char **argv)
Definition: tests.c:7058
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:295
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:319
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
CONDITIONAL_TEST
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:31
secp256k1_scratch_apply_checkpoint
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y...
test_ecdsa_edge_cases
void test_ecdsa_edge_cases(void)
Definition: tests.c:6486
secp256k1_fe_sqr
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the square of another.
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
secp256k1_fe_cmp_var
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Compare two field elements.
secp256k1_gej_cmov
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:199
ecmult_multi_false_callback
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4034
secp256k1_tagged_sha256
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:740
secp256k1_context_preallocated_clone_size
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory...
Definition: secp256k1.c:76
secp256k1_modinv32
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:128
secp256k1_fe_equal_var
static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b)
Same as secp256k1_fe_equal, but may be variable time.
random_group_element_jacobian_test
void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:90
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:177
run_scratch_tests
void run_scratch_tests(void)
Definition: tests.c:350
secp256k1_scalar::d
uint64_t d[4]
Definition: scalar_4x64.h:14
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:356
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:111
test_ecmult_multi_batch_single
void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4449
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
random_scalar_order_b32
void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:137
secp256k1_ec_pubkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:588
random_group_element_test
void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:78
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space...
Definition: ecmult_impl.h:729
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:335
test_ecmult_target
void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:3847
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
run_wnaf
void run_wnaf(void)
Definition: tests.c:4854
ecmult_const_random_mult
void ecmult_const_random_mult(void)
Definition: tests.c:3919
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6308
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:31
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
random_fe_test
void random_fe_test(secp256k1_fe *x)
Definition: tests.c:2516
secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
Normalize a field element.
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:47
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
secp256k1_hmac_sha256
Definition: hash.h:23
secp256k1_context_no_precomp
SECP256K1_API const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:60
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:196
test_ecdsa_sign_verify
void test_ecdsa_sign_verify(void)
Definition: tests.c:5855
VG_CHECK
#define VG_CHECK(x, y)
Definition: util.h:107
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:4023
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted...
Definition: tests.c:5890
run_ecmult_pre_g
void run_ecmult_pre_g(void)
Definition: tests.c:3695
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_scalar_get_bits_var
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
test_ecdsa_end_to_end
void test_ecdsa_end_to_end(void)
Definition: tests.c:5941
secp256k1_ctz32_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:258
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
scalars_near_split_bounds
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:3824
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
count
static int count
Definition: tests.c:33
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:195
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:50
test_constant_wnaf
void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:4713
secp256k1_testrand32
static SECP256K1_INLINE uint32_t secp256k1_testrand32(void)
Generate a pseudorandom number in the range [0..2**32-1].
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
VG_UNDEF
#define VG_UNDEF(x, y)
Definition: util.h:106
run_tagged_sha256_tests
void run_tagged_sha256_tests(void)
Definition: tests.c:698
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
random_field_element_magnitude
void random_field_element_magnitude(secp256k1_fe *fe)
Definition: tests.c:62
run_ecmult_near_split_bound
void run_ecmult_near_split_bound(void)
Definition: tests.c:3886
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
ecmult_const_commutativity
void ecmult_const_commutativity(void)
Definition: tests.c:3946
run_endomorphism_tests
void run_endomorphism_tests(void)
Definition: tests.c:5133
test_ecmult_constants_2bit
void test_ecmult_constants_2bit(void)
Definition: tests.c:4941
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:36
secp256k1_ecmult_multi_batch_size_helper
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:792
secp256k1_scratch_space_struct
Definition: scratch.h:12
modinv64_impl.h
ecmult_const_chain_multiply
void ecmult_const_chain_multiply(void)
Definition: tests.c:3989
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:30
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:159
secp256k1_fe_storage
Definition: field_10x26.h:43
test_ecmult_gen_blind
void test_ecmult_gen_blind(void)
Definition: tests.c:5062
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:210
random_gej_test
void random_gej_test(secp256k1_gej *gej)
Definition: tests.c:105
gej_xyz_equals_gej
int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3190
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_mul instead")
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:679
test_ge
void test_ge(void)
Definition: tests.c:3228
secp256k1_fe_normalizes_to_zero
static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r)
Verify whether a field element represents zero i.e.
run_ecmult_multi_tests
void run_ecmult_multi_tests(void)
Definition: tests.c:4637
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
secp256k1_context_preallocated_clone
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:118
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *r, const secp256k1_fe *a)
If a has a square root, it is computed in r and 1 is returned.
tinyformat::printf
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1079
secp256k1_const_lambda
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is: ...
Definition: scalar_impl.h:64
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:25
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:31
secp256k1_scratch_space_destroy
SECP256K1_API void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:176
test_ecmult_accumulate
void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:4908
random_fe_non_square
void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2539
secp256k1_fe_inv_var
static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *a)
Potentially faster version of secp256k1_fe_inv, without constant-time guarantee.
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
int_cmov_test
void int_cmov_test(void)
Definition: tests.c:6903
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:118
secp256k1_fe_inv
static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the (modular) inverse of another.
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:107
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
run_ec_combine
void run_ec_combine(void)
Definition: tests.c:3592
uncounting_illegal_callback_fn
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:44
run_ecdsa_edge_cases
void run_ecdsa_edge_cases(void)
Definition: tests.c:6855
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
WINDOW_G
#define WINDOW_G
Definition: precomputed_ecmult.c:19
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:400
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
test_rand_bits
void test_rand_bits(int rand32, int bits)
Definition: tests.c:732
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:388
fe_identical
int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2586
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
secp256k1_ec_pubkey_cmp
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:269
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:891
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
run_point_times_order
void run_point_times_order(void)
Definition: tests.c:3898
scalar_test
void scalar_test(void)
Definition: tests.c:1716
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
secp256k1_testrand_finish
static void secp256k1_testrand_finish(void)
Print final test information.
run_field_half
void run_field_half(void)
Definition: tests.c:2597
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
run_eckey_negate_test
void run_eckey_negate_test(void)
Definition: tests.c:5813
Generated on Tue May 16 2023 12:00:00 for Bitcoin Core by   doxygen 1.8.14