1 /***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
23 #ifdef ENABLE_OPENSSL_TESTS
24 #include "openssl/bn.h"
25 #include "openssl/ec.h"
26 #include "openssl/ecdsa.h"
27 #include "openssl/obj_mac.h"
28 # if OPENSSL_VERSION_NUMBER < 0x10100000L
29 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
33 #include "contrib/lax_der_parsing.c"
34 #include "contrib/lax_der_privatekey_parsing.c"
36 #include "modinv32_impl.h"
37 #ifdef SECP256K1_WIDEMUL_INT128
38 #include "modinv64_impl.h"
41 static int count = 64;
42 static secp256k1_context *ctx = NULL;
44 static void counting_illegal_callback_fn(const char* str, void* data) {
45 /* Dummy callback function that just counts. */
52 static void uncounting_illegal_callback_fn(const char* str, void* data) {
53 /* Dummy callback function that just counts (backwards). */
60 void random_field_element_test(secp256k1_fe *fe) {
62 unsigned char b32[32];
63 secp256k1_testrand256_test(b32);
64 if (secp256k1_fe_set_b32(fe, b32)) {
70 void random_field_element_magnitude(secp256k1_fe *fe) {
72 int n = secp256k1_testrand_int(9);
73 secp256k1_fe_normalize(fe);
77 secp256k1_fe_clear(&zero);
78 secp256k1_fe_negate(&zero, &zero, 0);
79 secp256k1_fe_mul_int(&zero, n - 1);
80 secp256k1_fe_add(fe, &zero);
82 CHECK(fe->magnitude == n);
86 void random_group_element_test(secp256k1_ge *ge) {
89 random_field_element_test(&fe);
90 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
91 secp256k1_fe_normalize(&ge->y);
98 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
101 random_field_element_test(&gej->z);
102 if (!secp256k1_fe_is_zero(&gej->z)) {
106 secp256k1_fe_sqr(&z2, &gej->z);
107 secp256k1_fe_mul(&z3, &z2, &gej->z);
108 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
109 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
110 gej->infinity = ge->infinity;
113 void random_scalar_order_test(secp256k1_scalar *num) {
115 unsigned char b32[32];
117 secp256k1_testrand256_test(b32);
118 secp256k1_scalar_set_b32(num, b32, &overflow);
119 if (overflow || secp256k1_scalar_is_zero(num)) {
126 void random_scalar_order(secp256k1_scalar *num) {
128 unsigned char b32[32];
130 secp256k1_testrand256(b32);
131 secp256k1_scalar_set_b32(num, b32, &overflow);
132 if (overflow || secp256k1_scalar_is_zero(num)) {
139 void random_scalar_order_b32(unsigned char *b32) {
140 secp256k1_scalar num;
141 random_scalar_order(&num);
142 secp256k1_scalar_get_b32(b32, &num);
145 void run_context_tests(int use_prealloc) {
146 secp256k1_pubkey pubkey;
147 secp256k1_pubkey zero_pubkey;
148 secp256k1_ecdsa_signature sig;
149 unsigned char ctmp[32];
152 secp256k1_context *none;
153 secp256k1_context *sign;
154 secp256k1_context *vrfy;
155 secp256k1_context *both;
156 void *none_prealloc = NULL;
157 void *sign_prealloc = NULL;
158 void *vrfy_prealloc = NULL;
159 void *both_prealloc = NULL;
163 secp256k1_scalar msg, key, nonce;
164 secp256k1_scalar sigr, sigs;
167 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
168 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
169 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
170 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
171 CHECK(none_prealloc != NULL);
172 CHECK(sign_prealloc != NULL);
173 CHECK(vrfy_prealloc != NULL);
174 CHECK(both_prealloc != NULL);
175 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
176 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
177 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
178 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
180 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
181 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
182 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
183 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
186 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
190 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
191 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
192 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
193 secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
194 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
195 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
197 /* check if sizes for cloning are consistent */
198 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
199 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
200 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
201 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
203 /*** clone and destroy all of them to make sure cloning was complete ***/
205 secp256k1_context *ctx_tmp;
208 /* clone into a non-preallocated context and then again into a new preallocated one. */
209 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
210 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
211 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
213 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
214 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
215 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
217 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
218 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
219 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
221 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
222 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
223 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
225 /* clone into a preallocated context and then again into a new non-preallocated one. */
228 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
229 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
230 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
233 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
234 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
235 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
238 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
239 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
240 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
243 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
244 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
245 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
250 /* Verify that the error callback makes it across the clone. */
251 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
252 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
253 /* And that it resets back to default. */
254 secp256k1_context_set_error_callback(sign, NULL, NULL);
255 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
257 /*** attempt to use them ***/
258 random_scalar_order_test(&msg);
259 random_scalar_order_test(&key);
260 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
261 secp256k1_ge_set_gej(&pub, &pubj);
263 /* Verify context-type checking illegal-argument errors. */
265 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
267 VG_UNDEF(&pubkey, sizeof(pubkey));
268 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
269 VG_CHECK(&pubkey, sizeof(pubkey));
270 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
272 VG_UNDEF(&sig, sizeof(sig));
273 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
274 VG_CHECK(&sig, sizeof(sig));
275 CHECK(ecount2 == 10);
276 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
277 CHECK(ecount2 == 11);
278 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
280 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
281 CHECK(ecount2 == 12);
282 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
284 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
285 CHECK(ecount2 == 13);
286 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
288 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
290 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
291 CHECK(ecount2 == 14);
292 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
294 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
296 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
298 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
300 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
301 CHECK(ecount2 == 14);
302 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
303 CHECK(ecount2 == 14);
304 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
305 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
307 /* obtain a working nonce */
309 random_scalar_order_test(&nonce);
310 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
313 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
314 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
317 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
318 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
322 secp256k1_context_preallocated_destroy(none);
323 secp256k1_context_preallocated_destroy(sign);
324 secp256k1_context_preallocated_destroy(vrfy);
325 secp256k1_context_preallocated_destroy(both);
331 secp256k1_context_destroy(none);
332 secp256k1_context_destroy(sign);
333 secp256k1_context_destroy(vrfy);
334 secp256k1_context_destroy(both);
336 /* Defined as no-op. */
337 secp256k1_context_destroy(NULL);
338 secp256k1_context_preallocated_destroy(NULL);
342 void run_scratch_tests(void) {
343 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
348 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
349 secp256k1_scratch_space *scratch;
350 secp256k1_scratch_space local_scratch;
352 /* Test public API */
353 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
354 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
356 scratch = secp256k1_scratch_space_create(none, 1000);
357 CHECK(scratch != NULL);
360 /* Test internal API */
361 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
362 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
363 CHECK(scratch->alloc_size == 0);
364 CHECK(scratch->alloc_size % ALIGNMENT == 0);
366 /* Allocating 500 bytes succeeds */
367 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
368 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
369 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
370 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
371 CHECK(scratch->alloc_size != 0);
372 CHECK(scratch->alloc_size % ALIGNMENT == 0);
374 /* Allocating another 501 bytes fails */
375 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
376 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
377 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
378 CHECK(scratch->alloc_size != 0);
379 CHECK(scratch->alloc_size % ALIGNMENT == 0);
381 /* ...but it succeeds once we apply the checkpoint to undo it */
382 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
383 CHECK(scratch->alloc_size == 0);
384 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
385 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
386 CHECK(scratch->alloc_size != 0);
388 /* try to apply a bad checkpoint */
389 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
390 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
392 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
394 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
397 /* try to use badly initialized scratch space */
398 secp256k1_scratch_space_destroy(none, scratch);
399 memset(&local_scratch, 0, sizeof(local_scratch));
400 scratch = &local_scratch;
401 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
403 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
405 secp256k1_scratch_space_destroy(none, scratch);
408 /* Test that large integers do not wrap around in a bad way */
409 scratch = secp256k1_scratch_space_create(none, 1000);
410 /* Try max allocation with a large number of objects. Only makes sense if
411 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
413 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
414 /* Try allocating SIZE_MAX to test wrap around which only happens if
415 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
416 * space is too small. */
417 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
418 secp256k1_scratch_space_destroy(none, scratch);
421 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
422 secp256k1_context_destroy(none);
425 void run_ctz_tests(void) {
426 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
427 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
430 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
431 for (shift = 0; shift < 32; ++shift) {
432 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
433 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
436 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
437 for (shift = 0; shift < 64; ++shift) {
438 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
439 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
444 /***** HASH TESTS *****/
446 void run_sha256_tests(void) {
447 static const char *inputs[8] = {
448 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
449 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
450 "For this sample, this 63-byte string will be used as input data",
451 "This is exactly 64 bytes long, not counting the terminating byte"
453 static const unsigned char outputs[8][32] = {
454 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
455 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
456 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
457 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
458 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
459 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
460 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
461 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
464 for (i = 0; i < 8; i++) {
465 unsigned char out[32];
466 secp256k1_sha256 hasher;
467 secp256k1_sha256_initialize(&hasher);
468 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
469 secp256k1_sha256_finalize(&hasher, out);
470 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
471 if (strlen(inputs[i]) > 0) {
472 int split = secp256k1_testrand_int(strlen(inputs[i]));
473 secp256k1_sha256_initialize(&hasher);
474 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
475 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
476 secp256k1_sha256_finalize(&hasher, out);
477 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
482 void run_hmac_sha256_tests(void) {
483 static const char *keys[6] = {
484 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
486 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
487 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
488 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
489 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
491 static const char *inputs[6] = {
492 "\x48\x69\x20\x54\x68\x65\x72\x65",
493 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
494 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
495 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
496 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
497 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
499 static const unsigned char outputs[6][32] = {
500 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
501 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
502 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
503 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
504 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
505 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
508 for (i = 0; i < 6; i++) {
509 secp256k1_hmac_sha256 hasher;
510 unsigned char out[32];
511 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
512 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
513 secp256k1_hmac_sha256_finalize(&hasher, out);
514 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
515 if (strlen(inputs[i]) > 0) {
516 int split = secp256k1_testrand_int(strlen(inputs[i]));
517 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
518 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
519 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
520 secp256k1_hmac_sha256_finalize(&hasher, out);
521 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
526 void run_rfc6979_hmac_sha256_tests(void) {
527 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
528 static const unsigned char out1[3][32] = {
529 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
530 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
531 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
534 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
535 static const unsigned char out2[3][32] = {
536 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
537 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
538 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
541 secp256k1_rfc6979_hmac_sha256 rng;
542 unsigned char out[32];
545 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
546 for (i = 0; i < 3; i++) {
547 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
548 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
550 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
552 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
553 for (i = 0; i < 3; i++) {
554 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
555 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
557 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
559 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
560 for (i = 0; i < 3; i++) {
561 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
562 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
564 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
567 /***** RANDOM TESTS *****/
569 void test_rand_bits(int rand32, int bits) {
570 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
571 * get a false negative chance below once in a billion */
572 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
573 /* We try multiplying the results with various odd numbers, which shouldn't
574 * influence the uniform distribution modulo a power of 2. */
575 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
576 /* We only select up to 6 bits from the output to analyse */
577 unsigned int usebits = bits > 6 ? 6 : bits;
578 unsigned int maxshift = bits - usebits;
579 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
580 number, track all observed outcomes, one per bit in a uint64_t. */
581 uint64_t x[6][27] = {{0}};
582 unsigned int i, shift, m;
583 /* Multiply the output of all rand calls with the odd number m, which
584 should not change the uniformity of its distribution. */
585 for (i = 0; i < rounds[usebits]; i++) {
586 uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
587 CHECK((((uint64_t)r) >> bits) == 0);
588 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
589 uint32_t rm = r * mults[m];
590 for (shift = 0; shift <= maxshift; shift++) {
591 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
595 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
596 for (shift = 0; shift <= maxshift; shift++) {
597 /* Test that the lower usebits bits of x[shift] are 1 */
598 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
603 /* Subrange must be a whole divisor of range, and at most 64 */
604 void test_rand_int(uint32_t range, uint32_t subrange) {
605 /* (1-1/subrange)^rounds < 1/10^9 */
606 int rounds = (subrange * 2073) / 100;
609 CHECK((range % subrange) == 0);
610 for (i = 0; i < rounds; i++) {
611 uint32_t r = secp256k1_testrand_int(range);
614 x |= (((uint64_t)1) << r);
616 /* Test that the lower subrange bits of x are 1. */
617 CHECK(((~x) << (64 - subrange)) == 0);
620 void run_rand_bits(void) {
622 test_rand_bits(1, 32);
623 for (b = 1; b <= 32; b++) {
624 test_rand_bits(0, b);
628 void run_rand_int(void) {
629 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
630 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
632 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
633 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
634 test_rand_int(ms[m] * ss[s], ss[s]);
639 /***** NUM TESTS *****/
642 void random_num_negate(secp256k1_num *num) {
643 if (secp256k1_testrand_bits(1)) {
644 secp256k1_num_negate(num);
648 void random_num_order_test(secp256k1_num *num) {
650 random_scalar_order_test(&sc);
651 secp256k1_scalar_get_num(num, &sc);
654 void random_num_order(secp256k1_num *num) {
656 random_scalar_order(&sc);
657 secp256k1_scalar_get_num(num, &sc);
660 void test_num_negate(void) {
663 random_num_order_test(&n1); /* n1 = R */
664 random_num_negate(&n1);
665 secp256k1_num_copy(&n2, &n1); /* n2 = R */
666 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
667 CHECK(secp256k1_num_is_zero(&n1));
668 secp256k1_num_copy(&n1, &n2); /* n1 = R */
669 secp256k1_num_negate(&n1); /* n1 = -R */
670 CHECK(!secp256k1_num_is_zero(&n1));
671 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
672 CHECK(secp256k1_num_is_zero(&n1));
673 secp256k1_num_copy(&n1, &n2); /* n1 = R */
674 secp256k1_num_negate(&n1); /* n1 = -R */
675 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
676 secp256k1_num_negate(&n1); /* n1 = R */
677 CHECK(secp256k1_num_eq(&n1, &n2));
680 void test_num_add_sub(void) {
685 secp256k1_num n1p2, n2p1, n1m2, n2m1;
686 random_num_order_test(&n1); /* n1 = R1 */
687 if (secp256k1_testrand_bits(1)) {
688 random_num_negate(&n1);
690 random_num_order_test(&n2); /* n2 = R2 */
691 if (secp256k1_testrand_bits(1)) {
692 random_num_negate(&n2);
694 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
695 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
696 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
697 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
698 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
699 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
700 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
701 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
702 CHECK(!secp256k1_num_eq(&n2m1, &n1));
703 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
704 CHECK(secp256k1_num_eq(&n2m1, &n1));
705 CHECK(!secp256k1_num_eq(&n2p1, &n1));
706 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
707 CHECK(secp256k1_num_eq(&n2p1, &n1));
710 secp256k1_scalar_set_int(&s, 1);
711 secp256k1_scalar_get_num(&n1, &s);
712 CHECK(secp256k1_num_is_one(&n1));
713 /* check that 2^n + 1 is never 1 */
714 secp256k1_scalar_get_num(&n2, &s);
715 for (i = 0; i < 250; ++i) {
716 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
717 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
718 CHECK(!secp256k1_num_is_one(&n1p2));
722 void test_num_mod(void) {
725 secp256k1_num order, n;
727 /* check that 0 mod anything is 0 */
728 random_scalar_order_test(&s);
729 secp256k1_scalar_get_num(&order, &s);
730 secp256k1_scalar_set_int(&s, 0);
731 secp256k1_scalar_get_num(&n, &s);
732 secp256k1_num_mod(&n, &order);
733 CHECK(secp256k1_num_is_zero(&n));
735 /* check that anything mod 1 is 0 */
736 secp256k1_scalar_set_int(&s, 1);
737 secp256k1_scalar_get_num(&order, &s);
738 secp256k1_scalar_get_num(&n, &s);
739 secp256k1_num_mod(&n, &order);
740 CHECK(secp256k1_num_is_zero(&n));
742 /* check that increasing the number past 2^256 does not break this */
743 random_scalar_order_test(&s);
744 secp256k1_scalar_get_num(&n, &s);
745 /* multiply by 2^8, which'll test this case with high probability */
746 for (i = 0; i < 8; ++i) {
747 secp256k1_num_add(&n, &n, &n);
749 secp256k1_num_mod(&n, &order);
750 CHECK(secp256k1_num_is_zero(&n));
753 void test_num_jacobi(void) {
754 secp256k1_scalar sqr;
755 secp256k1_scalar small;
756 secp256k1_scalar five; /* five is not a quadratic residue */
757 secp256k1_num order, n;
759 /* squares mod 5 are 1, 4 */
760 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
762 /* check some small values with 5 as the order */
763 secp256k1_scalar_set_int(&five, 5);
764 secp256k1_scalar_get_num(&order, &five);
765 for (i = 0; i < 10; ++i) {
766 secp256k1_scalar_set_int(&small, i);
767 secp256k1_scalar_get_num(&n, &small);
768 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
771 /** test large values with 5 as group order */
772 secp256k1_scalar_get_num(&order, &five);
773 /* we first need a scalar which is not a multiple of 5 */
776 random_scalar_order_test(&sqr);
777 secp256k1_scalar_get_num(&fiven, &five);
778 secp256k1_scalar_get_num(&n, &sqr);
779 secp256k1_num_mod(&n, &fiven);
780 } while (secp256k1_num_is_zero(&n));
781 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
782 * just multiply by two, i.e. add the number to itself */
783 if (secp256k1_num_jacobi(&n, &order) == -1) {
784 secp256k1_num_add(&n, &n, &n);
788 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
789 /* test nonresidue */
790 secp256k1_num_add(&n, &n, &n);
791 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
793 /** test with secp group order as order */
794 secp256k1_scalar_order_get_num(&order);
795 random_scalar_order_test(&sqr);
796 secp256k1_scalar_sqr(&sqr, &sqr);
798 secp256k1_scalar_get_num(&n, &sqr);
799 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
800 /* test nonresidue */
801 secp256k1_scalar_mul(&sqr, &sqr, &five);
802 secp256k1_scalar_get_num(&n, &sqr);
803 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
804 /* test multiple of the order*/
805 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
807 /* check one less than the order */
808 secp256k1_scalar_set_int(&small, 1);
809 secp256k1_scalar_get_num(&n, &small);
810 secp256k1_num_sub(&n, &order, &n);
811 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
814 void run_num_smalltests(void) {
816 for (i = 0; i < 100*count; i++) {
825 /***** MODINV TESTS *****/
827 /* Compute the modular inverse of (odd) x mod 2^64. */
828 uint64_t modinv2p64(uint64_t x) {
829 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
830 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
831 * why. Start with L=0, for which it is true for every odd x that
832 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
836 for (l = 0; l < 6; ++l) w *= (2 - w*x);
840 /* compute out = (a*b) mod m; if b=NULL, treat b=1.
842 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
843 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
844 void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
852 /* Compute the product of a and b, and put it in mul. */
853 for (i = 0; i < 32; ++i) {
854 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
855 c += (uint64_t)a[j] * b[i - j];
862 /* compute the highest set bit in mul */
863 for (i = 511; i >= 0; --i) {
864 if ((mul[i >> 4] >> (i & 15)) & 1) {
870 /* if b==NULL, set mul=a. */
872 memset(mul + 16, 0, 32);
873 /* compute the highest set bit in mul */
874 for (i = 255; i >= 0; --i) {
875 if ((mul[i >> 4] >> (i & 15)) & 1) {
882 /* Compute the highest set bit in m. */
883 for (i = 255; i >= 0; --i) {
884 if ((m[i >> 4] >> (i & 15)) & 1) {
890 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
891 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
895 /* Compute mul2 = mul - m<<i. */
896 cs = 0; /* accumulator */
897 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
898 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
901 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
902 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
903 if (bitpos >= 0 && bitpos < 256) {
904 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
907 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
910 mul2[j] = (cs & 0xFFFF);
913 /* If remainder of subtraction is 0, set mul = mul2. */
915 memcpy(mul, mul2, sizeof(mul));
918 /* Sanity check: test that all limbs higher than m's highest are zero */
919 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
922 memcpy(out, mul, 32);
925 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
926 void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
928 memset(out->v, 0, sizeof(out->v));
929 for (i = 0; i < 256; ++i) {
930 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
934 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
935 void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
938 for (i = 0; i < 256; ++i) {
939 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
943 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
944 void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
946 for (i = 0; i < 16; ++i) {
947 int pos = secp256k1_testrand_int(8);
948 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
949 x->v[pos] -= 0x40000000;
951 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
952 x->v[pos] += 0x40000000;
958 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
959 void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
961 secp256k1_modinv32_signed30 x;
962 secp256k1_modinv32_modinfo m;
963 int i, vartime, nonzero;
965 uint16_to_signed30(&x, in);
966 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
967 uint16_to_signed30(&m.modulus, mod);
968 mutate_sign_signed30(&m.modulus);
970 /* compute 1/modulus mod 2^30 */
971 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
972 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
974 for (vartime = 0; vartime < 2; ++vartime) {
975 /* compute inverse */
976 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
979 signed30_to_uint16(out, &x);
981 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
982 mulmod256(tmp, out, in, mod);
983 CHECK(tmp[0] == nonzero);
984 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
987 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
989 /* check if the result is equal to the input */
990 signed30_to_uint16(tmp, &x);
991 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
995 #ifdef SECP256K1_WIDEMUL_INT128
996 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
997 void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
999 memset(out->v, 0, sizeof(out->v));
1000 for (i = 0; i < 256; ++i) {
1001 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1005 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1006 void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1009 for (i = 0; i < 256; ++i) {
1010 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1014 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1015 void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1016 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1018 for (i = 0; i < 8; ++i) {
1019 int pos = secp256k1_testrand_int(4);
1020 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1021 x->v[pos] -= (M62 + 1);
1023 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1024 x->v[pos] += (M62 + 1);
1030 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1031 void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1032 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1034 secp256k1_modinv64_signed62 x;
1035 secp256k1_modinv64_modinfo m;
1036 int i, vartime, nonzero;
1038 uint16_to_signed62(&x, in);
1039 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1040 uint16_to_signed62(&m.modulus, mod);
1041 mutate_sign_signed62(&m.modulus);
1043 /* compute 1/modulus mod 2^62 */
1044 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1045 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1047 for (vartime = 0; vartime < 2; ++vartime) {
1048 /* compute inverse */
1049 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1051 /* produce output */
1052 signed62_to_uint16(out, &x);
1054 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1055 mulmod256(tmp, out, in, mod);
1056 CHECK(tmp[0] == nonzero);
1057 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1060 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1062 /* check if the result is equal to the input */
1063 signed62_to_uint16(tmp, &x);
1064 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1069 /* test if a and b are coprime */
1070 int coprime(const uint16_t* a, const uint16_t* b) {
1071 uint16_t x[16], y[16], t[16];
1077 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1080 for (i = 0; i < 16; ++i) {
1087 mulmod256(t, y, NULL, x);
1092 /* return whether y=1 */
1093 if (y[0] != 1) return 0;
1094 for (i = 1; i < 16; ++i) {
1095 if (y[i] != 0) return 0;
1100 void run_modinv_tests(void) {
1101 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1102 static const uint16_t CASES[][3][16] = {
1103 /* Test case known to need 713 divsteps */
1104 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1105 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1106 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1107 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1108 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1109 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1110 /* Test case known to need 589 divsteps, reaching delta=-140 and
1112 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1113 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1114 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1115 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1116 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1117 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1118 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1119 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1120 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1121 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1122 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1123 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1124 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1125 /* Test case with the group order as modulus, needing 635 divsteps. */
1126 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1127 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1128 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1129 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1130 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1131 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1132 /* Test case with the field size as modulus, needing 637 divsteps. */
1133 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1134 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1135 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1136 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1137 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1138 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1139 /* Test case with the field size as modulus, needing 935 divsteps with
1140 broken eta handling. */
1141 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1142 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1143 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1144 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1145 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1146 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1147 /* Test case with the group size as modulus, needing 981 divsteps with
1148 broken eta handling. */
1149 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1150 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1151 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1152 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1153 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1154 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1155 /* Test case with the field size as modulus, input = 0. */
1156 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1157 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1158 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1159 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1160 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1161 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1162 /* Test case with the field size as modulus, input = 1. */
1163 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1164 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1165 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1166 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1167 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1168 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1169 /* Test case with the field size as modulus, input = 2. */
1170 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1171 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1172 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1173 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1174 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1175 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1176 /* Test case with the field size as modulus, input = field - 1. */
1177 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1178 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1179 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1180 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1181 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1182 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1183 /* Test case with the group size as modulus, input = 0. */
1184 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1185 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1186 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1187 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1188 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1189 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1190 /* Test case with the group size as modulus, input = 1. */
1191 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1192 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1193 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1194 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1195 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1196 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1197 /* Test case with the group size as modulus, input = 2. */
1198 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1199 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1200 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1201 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1202 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1203 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1204 /* Test case with the group size as modulus, input = group - 1. */
1205 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1206 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1207 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1208 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1209 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1210 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}
1215 /* Test known inputs/outputs */
1216 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1218 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1219 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1220 #ifdef SECP256K1_WIDEMUL_INT128
1221 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1222 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1226 for (i = 0; i < 100 * count; ++i) {
1227 /* 256-bit numbers in 16-uint16_t's notation */
1228 static const uint16_t ZERO[16] = {0};
1229 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1230 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1231 uint16_t id[16]; /* the inverse of xd mod md */
1233 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1235 /* generate random xd and md (with many subsequent 0s and 1s) */
1236 secp256k1_testrand256_test((unsigned char*)xd);
1237 secp256k1_testrand256_test((unsigned char*)md);
1238 md[0] |= 1; /* modulus must be odd */
1239 /* If modulus is 1, find another one. */
1241 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1242 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1243 } while (!(ok && coprime(xd, md)));
1245 test_modinv32_uint16(id, xd, md);
1246 #ifdef SECP256K1_WIDEMUL_INT128
1247 test_modinv64_uint16(id, xd, md);
1250 /* In a few cases, also test with input=0 */
1252 test_modinv32_uint16(id, ZERO, md);
1253 #ifdef SECP256K1_WIDEMUL_INT128
1254 test_modinv64_uint16(id, ZERO, md);
1260 /***** SCALAR TESTS *****/
1263 void scalar_test(void) {
1265 secp256k1_scalar s1;
1266 secp256k1_scalar s2;
1267 #ifndef USE_NUM_NONE
1268 secp256k1_num snum, s1num, s2num;
1269 secp256k1_num order, half_order;
1271 unsigned char c[32];
1273 /* Set 's' to a random scalar, with value 'snum'. */
1274 random_scalar_order_test(&s);
1276 /* Set 's1' to a random scalar, with value 's1num'. */
1277 random_scalar_order_test(&s1);
1279 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1280 random_scalar_order_test(&s2);
1281 secp256k1_scalar_get_b32(c, &s2);
1283 #ifndef USE_NUM_NONE
1284 secp256k1_scalar_get_num(&snum, &s);
1285 secp256k1_scalar_get_num(&s1num, &s1);
1286 secp256k1_scalar_get_num(&s2num, &s2);
1288 secp256k1_scalar_order_get_num(&order);
1290 secp256k1_num_shift(&half_order, 1);
1295 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1297 secp256k1_scalar_set_int(&n, 0);
1298 for (i = 0; i < 256; i += 4) {
1301 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1302 for (j = 0; j < 4; j++) {
1303 secp256k1_scalar_add(&n, &n, &n);
1305 secp256k1_scalar_add(&n, &n, &t);
1307 CHECK(secp256k1_scalar_eq(&n, &s));
1311 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1314 secp256k1_scalar_set_int(&n, 0);
1318 int now = secp256k1_testrand_int(15) + 1;
1319 if (now + i > 256) {
1322 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1323 for (j = 0; j < now; j++) {
1324 secp256k1_scalar_add(&n, &n, &n);
1326 secp256k1_scalar_add(&n, &n, &t);
1329 CHECK(secp256k1_scalar_eq(&n, &s));
1332 #ifndef USE_NUM_NONE
1334 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
1336 secp256k1_num r2num;
1338 secp256k1_num_add(&rnum, &snum, &s2num);
1339 secp256k1_num_mod(&rnum, &order);
1340 secp256k1_scalar_add(&r, &s, &s2);
1341 secp256k1_scalar_get_num(&r2num, &r);
1342 CHECK(secp256k1_num_eq(&rnum, &r2num));
1346 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
1348 secp256k1_num r2num;
1350 secp256k1_num_mul(&rnum, &snum, &s2num);
1351 secp256k1_num_mod(&rnum, &order);
1352 secp256k1_scalar_mul(&r, &s, &s2);
1353 secp256k1_scalar_get_num(&r2num, &r);
1354 CHECK(secp256k1_num_eq(&rnum, &r2num));
1355 /* The result can only be zero if at least one of the factors was zero. */
1356 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
1357 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
1358 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
1359 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
1363 secp256k1_scalar neg;
1364 secp256k1_num negnum;
1365 secp256k1_num negnum2;
1366 /* Check that comparison with zero matches comparison with zero on the number. */
1367 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
1368 /* Check that comparison with the half order is equal to testing for high scalar. */
1369 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
1370 secp256k1_scalar_negate(&neg, &s);
1371 secp256k1_num_sub(&negnum, &order, &snum);
1372 secp256k1_num_mod(&negnum, &order);
1373 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
1374 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
1375 /* Negating should change the high property, unless the value was already zero. */
1376 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
1377 secp256k1_scalar_get_num(&negnum2, &neg);
1378 /* Negating a scalar should be equal to (order - n) mod order on the number. */
1379 CHECK(secp256k1_num_eq(&negnum, &negnum2));
1380 secp256k1_scalar_add(&neg, &neg, &s);
1381 /* Adding a number to its negation should result in zero. */
1382 CHECK(secp256k1_scalar_is_zero(&neg));
1383 secp256k1_scalar_negate(&neg, &neg);
1384 /* Negating zero should still result in zero. */
1385 CHECK(secp256k1_scalar_is_zero(&neg));
1389 /* Test secp256k1_scalar_mul_shift_var. */
1393 secp256k1_num rnum2;
1394 unsigned char cone[1] = {0x01};
1395 unsigned int shift = 256 + secp256k1_testrand_int(257);
1396 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
1397 secp256k1_num_mul(&rnum, &s1num, &s2num);
1398 secp256k1_num_shift(&rnum, shift - 1);
1399 secp256k1_num_set_bin(&one, cone, 1);
1400 secp256k1_num_add(&rnum, &rnum, &one);
1401 secp256k1_num_shift(&rnum, 1);
1402 secp256k1_scalar_get_num(&rnum2, &r);
1403 CHECK(secp256k1_num_eq(&rnum, &rnum2));
1407 /* test secp256k1_scalar_shr_int */
1410 random_scalar_order_test(&r);
1411 for (i = 0; i < 100; ++i) {
1413 int shift = 1 + secp256k1_testrand_int(15);
1414 int expected = r.d[0] % (1 << shift);
1415 low = secp256k1_scalar_shr_int(&r, shift);
1416 CHECK(expected == low);
1422 /* Test commutativity of add. */
1423 secp256k1_scalar r1, r2;
1424 secp256k1_scalar_add(&r1, &s1, &s2);
1425 secp256k1_scalar_add(&r2, &s2, &s1);
1426 CHECK(secp256k1_scalar_eq(&r1, &r2));
1430 secp256k1_scalar r1, r2;
1434 int bit = secp256k1_testrand_bits(8);
1435 secp256k1_scalar_set_int(&b, 1);
1436 CHECK(secp256k1_scalar_is_one(&b));
1437 for (i = 0; i < bit; i++) {
1438 secp256k1_scalar_add(&b, &b, &b);
1442 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1443 /* No overflow happened. */
1444 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1445 CHECK(secp256k1_scalar_eq(&r1, &r2));
1446 /* cadd is a noop when flag is zero */
1447 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1448 CHECK(secp256k1_scalar_eq(&r1, &r2));
1453 /* Test commutativity of mul. */
1454 secp256k1_scalar r1, r2;
1455 secp256k1_scalar_mul(&r1, &s1, &s2);
1456 secp256k1_scalar_mul(&r2, &s2, &s1);
1457 CHECK(secp256k1_scalar_eq(&r1, &r2));
1461 /* Test associativity of add. */
1462 secp256k1_scalar r1, r2;
1463 secp256k1_scalar_add(&r1, &s1, &s2);
1464 secp256k1_scalar_add(&r1, &r1, &s);
1465 secp256k1_scalar_add(&r2, &s2, &s);
1466 secp256k1_scalar_add(&r2, &s1, &r2);
1467 CHECK(secp256k1_scalar_eq(&r1, &r2));
1471 /* Test associativity of mul. */
1472 secp256k1_scalar r1, r2;
1473 secp256k1_scalar_mul(&r1, &s1, &s2);
1474 secp256k1_scalar_mul(&r1, &r1, &s);
1475 secp256k1_scalar_mul(&r2, &s2, &s);
1476 secp256k1_scalar_mul(&r2, &s1, &r2);
1477 CHECK(secp256k1_scalar_eq(&r1, &r2));
1481 /* Test distributitivity of mul over add. */
1482 secp256k1_scalar r1, r2, t;
1483 secp256k1_scalar_add(&r1, &s1, &s2);
1484 secp256k1_scalar_mul(&r1, &r1, &s);
1485 secp256k1_scalar_mul(&r2, &s1, &s);
1486 secp256k1_scalar_mul(&t, &s2, &s);
1487 secp256k1_scalar_add(&r2, &r2, &t);
1488 CHECK(secp256k1_scalar_eq(&r1, &r2));
1493 secp256k1_scalar r1, r2;
1494 secp256k1_scalar_sqr(&r1, &s1);
1495 secp256k1_scalar_mul(&r2, &s1, &s1);
1496 CHECK(secp256k1_scalar_eq(&r1, &r2));
1500 /* Test multiplicative identity. */
1501 secp256k1_scalar r1, v1;
1502 secp256k1_scalar_set_int(&v1,1);
1503 secp256k1_scalar_mul(&r1, &s1, &v1);
1504 CHECK(secp256k1_scalar_eq(&r1, &s1));
1508 /* Test additive identity. */
1509 secp256k1_scalar r1, v0;
1510 secp256k1_scalar_set_int(&v0,0);
1511 secp256k1_scalar_add(&r1, &s1, &v0);
1512 CHECK(secp256k1_scalar_eq(&r1, &s1));
1516 /* Test zero product property. */
1517 secp256k1_scalar r1, v0;
1518 secp256k1_scalar_set_int(&v0,0);
1519 secp256k1_scalar_mul(&r1, &s1, &v0);
1520 CHECK(secp256k1_scalar_eq(&r1, &v0));
1525 void run_scalar_set_b32_seckey_tests(void) {
1526 unsigned char b32[32];
1527 secp256k1_scalar s1;
1528 secp256k1_scalar s2;
1530 /* Usually set_b32 and set_b32_seckey give the same result */
1531 random_scalar_order_b32(b32);
1532 secp256k1_scalar_set_b32(&s1, b32, NULL);
1533 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1534 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1536 memset(b32, 0, sizeof(b32));
1537 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1538 memset(b32, 0xFF, sizeof(b32));
1539 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1542 void run_scalar_tests(void) {
1544 for (i = 0; i < 128 * count; i++) {
1547 for (i = 0; i < count; i++) {
1548 run_scalar_set_b32_seckey_tests();
1552 /* (-1)+1 should be zero. */
1553 secp256k1_scalar s, o;
1554 secp256k1_scalar_set_int(&s, 1);
1555 CHECK(secp256k1_scalar_is_one(&s));
1556 secp256k1_scalar_negate(&o, &s);
1557 secp256k1_scalar_add(&o, &o, &s);
1558 CHECK(secp256k1_scalar_is_zero(&o));
1559 secp256k1_scalar_negate(&o, &o);
1560 CHECK(secp256k1_scalar_is_zero(&o));
1563 #ifndef USE_NUM_NONE
1565 /* Test secp256k1_scalar_set_b32 boundary conditions */
1566 secp256k1_num order;
1567 secp256k1_scalar scalar;
1568 unsigned char bin[32];
1569 unsigned char bin_tmp[32];
1571 /* 2^256-1 - order */
1572 static const secp256k1_scalar all_ones_minus_order = SECP256K1_SCALAR_CONST(
1573 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000001UL,
1574 0x45512319UL, 0x50B75FC4UL, 0x402DA173UL, 0x2FC9BEBEUL
1577 /* A scalar set to 0s should be 0. */
1579 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1580 CHECK(overflow == 0);
1581 CHECK(secp256k1_scalar_is_zero(&scalar));
1583 /* A scalar with value of the curve order should be 0. */
1584 secp256k1_scalar_order_get_num(&order);
1585 secp256k1_num_get_bin(bin, 32, &order);
1586 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1587 CHECK(overflow == 1);
1588 CHECK(secp256k1_scalar_is_zero(&scalar));
1590 /* A scalar with value of the curve order minus one should not overflow. */
1592 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1593 CHECK(overflow == 0);
1594 secp256k1_scalar_get_b32(bin_tmp, &scalar);
1595 CHECK(secp256k1_memcmp_var(bin, bin_tmp, 32) == 0);
1597 /* A scalar set to all 1s should overflow. */
1598 memset(bin, 0xFF, 32);
1599 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1600 CHECK(overflow == 1);
1601 CHECK(secp256k1_scalar_eq(&scalar, &all_ones_minus_order));
1606 /* Does check_overflow check catch all ones? */
1607 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1608 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1609 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1611 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1615 /* Static test vectors.
1616 * These were reduced from ~10^12 random vectors based on comparison-decision
1617 * and edge-case coverage on 32-bit and 64-bit implementations.
1618 * The responses were generated with Sage 5.9.
1623 secp256k1_scalar zz;
1624 secp256k1_scalar one;
1625 secp256k1_scalar r1;
1626 secp256k1_scalar r2;
1627 #if defined(USE_SCALAR_INV_NUM)
1628 secp256k1_scalar zzv;
1631 unsigned char chal[33][2][32] = {
1632 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1633 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1634 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1635 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1636 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1637 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1638 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1639 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1640 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1641 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1642 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1643 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1644 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1645 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1646 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1647 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1648 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1649 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1650 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1651 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1652 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1653 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1654 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1655 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1656 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1657 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1658 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1659 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1660 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1661 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1662 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1663 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1664 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1665 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1666 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1667 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1668 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1669 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1670 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1671 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1672 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1673 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1674 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1675 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1676 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1677 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1678 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1679 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1680 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1681 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1682 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1683 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1684 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1685 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1686 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1687 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1688 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1689 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1690 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1691 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1692 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1693 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1694 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1695 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1696 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1697 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1698 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1699 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1700 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1701 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1703 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1704 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1705 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1706 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1707 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1708 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1709 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1710 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1711 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1712 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1713 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1714 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1715 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1716 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1717 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1718 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1719 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1720 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1721 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1722 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1723 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1724 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1725 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1726 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1727 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1728 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1729 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1731 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1732 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1733 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1734 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1735 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1736 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1737 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1738 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1739 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1740 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1741 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1742 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1744 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1745 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1747 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1748 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1749 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1750 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1751 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1752 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1753 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1754 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1755 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1756 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1757 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1758 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1759 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1760 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1761 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1762 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1763 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1764 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1765 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1766 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1768 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1769 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1770 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1771 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1772 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1773 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1774 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1775 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1776 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1777 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1778 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1779 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1780 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1781 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1782 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1783 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1784 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1785 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1786 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1787 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1788 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1789 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1790 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1791 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1792 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1794 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1796 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1797 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1798 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1799 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1800 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1801 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1803 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1804 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1805 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1806 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1807 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1808 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1809 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1810 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1811 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1812 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1813 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1814 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1815 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1816 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1817 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1818 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1819 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1820 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1821 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1822 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1823 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1824 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1825 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1826 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1827 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1828 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1829 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1830 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1831 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1832 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1833 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1834 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1835 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1836 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1837 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1838 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1839 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1840 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1841 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1842 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1843 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1844 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1845 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1846 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1847 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1848 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1849 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1850 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1851 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1852 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1853 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1854 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1855 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1856 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1857 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1858 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1859 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1860 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1861 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1862 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1863 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1864 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1865 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1866 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1867 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1868 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1869 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1870 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1871 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1872 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1873 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1874 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1875 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1876 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1877 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1878 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1879 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1880 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1881 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1882 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1883 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1884 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1885 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1886 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1887 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1888 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1889 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1890 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1891 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1892 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1893 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1894 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1895 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1897 unsigned char res[33][2][32] = {
1898 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1899 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1900 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1901 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1902 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1903 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1904 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1905 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1906 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1907 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1908 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1909 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1910 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1911 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1912 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1913 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1914 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1915 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1916 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1917 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1918 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1919 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1920 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1921 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1922 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1923 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1924 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1925 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1926 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1927 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1928 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1929 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1930 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1931 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1932 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1933 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1934 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1935 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1936 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1937 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1938 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1939 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1940 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1941 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1942 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1943 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1944 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1945 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1946 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1947 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1948 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1949 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1950 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1951 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1952 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1953 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1954 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1955 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1956 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1957 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1958 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1959 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1960 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1961 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1962 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1963 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1964 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1965 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1966 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1967 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1968 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1969 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1970 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1971 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1972 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1973 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1974 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1975 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1976 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1977 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1978 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1979 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1980 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1981 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1982 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1983 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1984 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1985 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1986 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1987 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1988 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1989 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1990 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1991 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1992 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1993 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1994 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1995 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1996 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1997 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1998 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1999 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2000 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2001 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2002 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2003 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2004 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2005 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2006 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2007 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2008 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2009 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2010 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2011 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2012 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2013 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2014 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2015 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2016 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2017 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2018 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2019 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2020 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2021 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2022 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2023 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2024 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2025 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2026 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2027 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2028 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2029 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2030 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2031 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2032 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2033 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2034 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2035 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2036 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2037 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2038 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2039 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2040 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2041 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2042 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2043 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2044 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2045 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2046 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2047 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2048 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2049 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2050 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2051 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2052 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2053 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2054 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2055 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2056 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2057 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2058 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2059 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2060 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2061 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2062 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2063 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2064 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2065 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2066 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2067 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2068 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2069 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2070 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2071 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2072 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2073 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2074 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2075 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2076 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2077 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2078 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2079 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2080 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2081 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2082 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2083 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2084 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2085 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2086 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2087 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2088 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2089 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2090 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2091 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2092 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2093 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2094 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2095 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2096 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2097 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2098 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2099 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2100 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2101 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2102 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2103 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2104 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2105 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2106 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2107 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2108 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2109 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2110 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2111 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2112 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2113 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2114 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2115 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2116 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2117 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2118 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2119 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2120 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2121 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2122 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2123 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2124 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2125 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2126 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2127 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2128 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2129 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2130 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2131 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2132 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2133 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2134 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2135 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2136 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2137 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2138 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2139 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2140 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2141 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2142 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2143 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2144 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2145 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2146 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2147 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2148 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2149 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2150 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2151 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2152 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2153 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2154 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2155 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2156 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2157 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2158 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2159 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2160 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2161 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2163 secp256k1_scalar_set_int(&one, 1);
2164 for (i = 0; i < 33; i++) {
2165 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2167 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2169 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2171 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2173 secp256k1_scalar_mul(&z, &x, &y);
2174 CHECK(!secp256k1_scalar_check_overflow(&z));
2175 CHECK(secp256k1_scalar_eq(&r1, &z));
2176 if (!secp256k1_scalar_is_zero(&y)) {
2177 secp256k1_scalar_inverse(&zz, &y);
2178 CHECK(!secp256k1_scalar_check_overflow(&zz));
2179 #if defined(USE_SCALAR_INV_NUM)
2180 secp256k1_scalar_inverse_var(&zzv, &y);
2181 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2183 secp256k1_scalar_mul(&z, &z, &zz);
2184 CHECK(!secp256k1_scalar_check_overflow(&z));
2185 CHECK(secp256k1_scalar_eq(&x, &z));
2186 secp256k1_scalar_mul(&zz, &zz, &y);
2187 CHECK(!secp256k1_scalar_check_overflow(&zz));
2188 CHECK(secp256k1_scalar_eq(&one, &zz));
2190 secp256k1_scalar_mul(&z, &x, &x);
2191 CHECK(!secp256k1_scalar_check_overflow(&z));
2192 secp256k1_scalar_sqr(&zz, &x);
2193 CHECK(!secp256k1_scalar_check_overflow(&zz));
2194 CHECK(secp256k1_scalar_eq(&zz, &z));
2195 CHECK(secp256k1_scalar_eq(&r2, &zz));
2200 /***** FIELD TESTS *****/
2202 void random_fe(secp256k1_fe *x) {
2203 unsigned char bin[32];
2205 secp256k1_testrand256(bin);
2206 if (secp256k1_fe_set_b32(x, bin)) {
2212 void random_fe_test(secp256k1_fe *x) {
2213 unsigned char bin[32];
2215 secp256k1_testrand256_test(bin);
2216 if (secp256k1_fe_set_b32(x, bin)) {
2222 void random_fe_non_zero(secp256k1_fe *nz) {
2224 while (--tries >= 0) {
2226 secp256k1_fe_normalize(nz);
2227 if (!secp256k1_fe_is_zero(nz)) {
2231 /* Infinitesimal probability of spurious failure here */
2235 void random_fe_non_square(secp256k1_fe *ns) {
2237 random_fe_non_zero(ns);
2238 if (secp256k1_fe_sqrt(&r, ns)) {
2239 secp256k1_fe_negate(ns, ns, 1);
2243 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2244 secp256k1_fe an = *a;
2245 secp256k1_fe bn = *b;
2246 secp256k1_fe_normalize_weak(&an);
2247 secp256k1_fe_normalize_var(&bn);
2248 return secp256k1_fe_equal_var(&an, &bn);
2251 void run_field_convert(void) {
2252 static const unsigned char b32[32] = {
2253 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2254 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2255 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2256 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2258 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
2259 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2260 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2262 static const secp256k1_fe fe = SECP256K1_FE_CONST(
2263 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2264 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2267 unsigned char b322[32];
2268 secp256k1_fe_storage fes2;
2269 /* Check conversions to fe. */
2270 CHECK(secp256k1_fe_set_b32(&fe2, b32));
2271 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2272 secp256k1_fe_from_storage(&fe2, &fes);
2273 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2274 /* Check conversion from fe. */
2275 secp256k1_fe_get_b32(b322, &fe);
2276 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2277 secp256k1_fe_to_storage(&fes2, &fe);
2278 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2281 int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
2282 secp256k1_fe t = *b;
2284 t.magnitude = a->magnitude;
2285 t.normalized = a->normalized;
2287 return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
2290 void run_field_misc(void) {
2295 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2297 for (i = 0; i < 5*count; i++) {
2298 secp256k1_fe_storage xs, ys, zs;
2300 random_fe_non_zero(&y);
2301 /* Test the fe equality and comparison operations. */
2302 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
2303 CHECK(secp256k1_fe_equal_var(&x, &x));
2305 secp256k1_fe_add(&z,&y);
2306 /* Test fe conditional move; z is not normalized here. */
2308 secp256k1_fe_cmov(&x, &z, 0);
2310 CHECK(x.normalized && x.magnitude == 1);
2312 secp256k1_fe_cmov(&x, &x, 1);
2313 CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
2314 CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
2315 secp256k1_fe_cmov(&q, &z, 1);
2317 CHECK(!q.normalized && q.magnitude == z.magnitude);
2319 CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
2320 secp256k1_fe_normalize_var(&x);
2321 secp256k1_fe_normalize_var(&z);
2322 CHECK(!secp256k1_fe_equal_var(&x, &z));
2323 secp256k1_fe_normalize_var(&q);
2324 secp256k1_fe_cmov(&q, &z, (i&1));
2326 CHECK(q.normalized && q.magnitude == 1);
2328 for (j = 0; j < 6; j++) {
2329 secp256k1_fe_negate(&z, &z, j+1);
2330 secp256k1_fe_normalize_var(&q);
2331 secp256k1_fe_cmov(&q, &z, (j&1));
2333 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2336 secp256k1_fe_normalize_var(&z);
2337 /* Test storage conversion and conditional moves. */
2338 secp256k1_fe_to_storage(&xs, &x);
2339 secp256k1_fe_to_storage(&ys, &y);
2340 secp256k1_fe_to_storage(&zs, &z);
2341 secp256k1_fe_storage_cmov(&zs, &xs, 0);
2342 secp256k1_fe_storage_cmov(&zs, &zs, 1);
2343 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2344 secp256k1_fe_storage_cmov(&ys, &xs, 1);
2345 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2346 secp256k1_fe_from_storage(&x, &xs);
2347 secp256k1_fe_from_storage(&y, &ys);
2348 secp256k1_fe_from_storage(&z, &zs);
2349 /* Test that mul_int, mul, and add agree. */
2350 secp256k1_fe_add(&y, &x);
2351 secp256k1_fe_add(&y, &x);
2353 secp256k1_fe_mul_int(&z, 3);
2354 CHECK(check_fe_equal(&y, &z));
2355 secp256k1_fe_add(&y, &x);
2356 secp256k1_fe_add(&z, &x);
2357 CHECK(check_fe_equal(&z, &y));
2359 secp256k1_fe_mul_int(&z, 5);
2360 secp256k1_fe_mul(&q, &x, &fe5);
2361 CHECK(check_fe_equal(&z, &q));
2362 secp256k1_fe_negate(&x, &x, 1);
2363 secp256k1_fe_add(&z, &x);
2364 secp256k1_fe_add(&q, &x);
2365 CHECK(check_fe_equal(&y, &z));
2366 CHECK(check_fe_equal(&q, &y));
2370 void run_sqr(void) {
2375 secp256k1_fe_set_int(&x, 1);
2376 secp256k1_fe_negate(&x, &x, 1);
2378 for (i = 1; i <= 512; ++i) {
2379 secp256k1_fe_mul_int(&x, 2);
2380 secp256k1_fe_normalize(&x);
2381 secp256k1_fe_sqr(&s, &x);
2386 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2387 secp256k1_fe r1, r2;
2388 int v = secp256k1_fe_sqrt(&r1, a);
2389 CHECK((v == 0) == (k == NULL));
2392 /* Check that the returned root is +/- the given known answer */
2393 secp256k1_fe_negate(&r2, &r1, 1);
2394 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2395 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2396 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2400 void run_sqrt(void) {
2401 secp256k1_fe ns, x, s, t;
2404 /* Check sqrt(0) is 0 */
2405 secp256k1_fe_set_int(&x, 0);
2406 secp256k1_fe_sqr(&s, &x);
2409 /* Check sqrt of small squares (and their negatives) */
2410 for (i = 1; i <= 100; i++) {
2411 secp256k1_fe_set_int(&x, i);
2412 secp256k1_fe_sqr(&s, &x);
2414 secp256k1_fe_negate(&t, &s, 1);
2415 test_sqrt(&t, NULL);
2418 /* Consistency checks for large random values */
2419 for (i = 0; i < 10; i++) {
2421 random_fe_non_square(&ns);
2422 for (j = 0; j < count; j++) {
2424 secp256k1_fe_sqr(&s, &x);
2426 secp256k1_fe_negate(&t, &s, 1);
2427 test_sqrt(&t, NULL);
2428 secp256k1_fe_mul(&t, &s, &ns);
2429 test_sqrt(&t, NULL);
2434 /***** FIELD/SCALAR INVERSE TESTS *****/
2436 static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
2437 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2438 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2441 static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
2442 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2443 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2446 /* These tests test the following identities:
2448 * for x==0: 1/x == 0
2449 * for x!=0: x*(1/x) == 1
2450 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2453 void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
2455 secp256k1_scalar l, r, t;
2457 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, x); /* l = 1/x */
2459 if (secp256k1_scalar_is_zero(x)) {
2460 CHECK(secp256k1_scalar_is_zero(&l));
2463 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
2464 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
2465 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2466 if (secp256k1_scalar_is_zero(&r)) return;
2467 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&r, &r); /* r = 1/(x-1) */
2468 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2469 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, &l); /* l = 1/(1/x-1) */
2470 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
2471 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2472 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
2475 void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
2477 secp256k1_fe l, r, t;
2479 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
2482 if (secp256k1_fe_normalizes_to_zero_var(&t)) {
2483 CHECK(secp256k1_fe_normalizes_to_zero(&l));
2486 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
2487 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
2488 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
2490 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
2491 if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
2492 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
2493 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
2494 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
2495 secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
2496 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2497 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
2500 void run_inverse_tests(void)
2502 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
2503 static const secp256k1_fe fe_cases[][2] = {
2505 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2506 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2508 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2509 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2511 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
2512 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
2514 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2515 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
2517 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2518 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
2519 /* Input known to need 637 divsteps */
2520 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
2521 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)}
2523 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
2524 static const secp256k1_scalar scalar_cases[][2] = {
2526 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2527 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2529 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2530 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2532 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
2533 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
2535 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2536 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
2538 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2539 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
2540 /* Input known to need 635 divsteps */
2541 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
2542 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)}
2544 int i, var, testrand;
2545 unsigned char b32[32];
2547 secp256k1_scalar x_scalar;
2548 memset(b32, 0, sizeof(b32));
2549 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
2550 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
2551 for (var = 0; var <= 1; ++var) {
2552 test_inverse_field(&x_fe, &fe_cases[i][0], var);
2553 check_fe_equal(&x_fe, &fe_cases[i][1]);
2554 test_inverse_field(&x_fe, &fe_cases[i][1], var);
2555 check_fe_equal(&x_fe, &fe_cases[i][0]);
2558 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
2559 for (var = 0; var <= 1; ++var) {
2560 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
2561 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
2562 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
2563 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
2566 /* Test inputs 0..999 and their respective negations. */
2567 for (i = 0; i < 1000; ++i) {
2569 b32[30] = (i >> 8) & 0xff;
2570 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2571 secp256k1_fe_set_b32(&x_fe, b32);
2572 for (var = 0; var <= 1; ++var) {
2573 test_inverse_scalar(NULL, &x_scalar, var);
2574 test_inverse_field(NULL, &x_fe, var);
2576 secp256k1_scalar_negate(&x_scalar, &x_scalar);
2577 secp256k1_fe_negate(&x_fe, &x_fe, 1);
2578 for (var = 0; var <= 1; ++var) {
2579 test_inverse_scalar(NULL, &x_scalar, var);
2580 test_inverse_field(NULL, &x_fe, var);
2583 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
2584 for (testrand = 0; testrand <= 1; ++testrand) {
2585 for (i = 0; i < 64 * count; ++i) {
2586 (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
2587 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2588 secp256k1_fe_set_b32(&x_fe, b32);
2589 for (var = 0; var <= 1; ++var) {
2590 test_inverse_scalar(NULL, &x_scalar, var);
2591 test_inverse_field(NULL, &x_fe, var);
2597 /***** GROUP TESTS *****/
2599 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2600 CHECK(a->infinity == b->infinity);
2604 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2605 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2608 /* This compares jacobian points including their Z, not just their geometric meaning. */
2609 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2613 ret &= a->infinity == b->infinity;
2614 if (ret && !a->infinity) {
2617 secp256k1_fe_normalize(&a2.x);
2618 secp256k1_fe_normalize(&a2.y);
2619 secp256k1_fe_normalize(&a2.z);
2620 secp256k1_fe_normalize(&b2.x);
2621 secp256k1_fe_normalize(&b2.y);
2622 secp256k1_fe_normalize(&b2.z);
2623 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2624 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2625 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2630 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2632 secp256k1_fe u1, u2, s1, s2;
2633 CHECK(a->infinity == b->infinity);
2637 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2638 secp256k1_fe_sqr(&z2s, &b->z);
2639 secp256k1_fe_mul(&u1, &a->x, &z2s);
2640 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2641 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2642 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2643 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2644 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2647 void test_ge(void) {
2650 /* 25 points are used:
2652 * - for each of four random points p1 p2 p3 p4, we add the point, its
2653 * negation, and then those two again but with randomized Z coordinate.
2654 * - The same is then done for lambda*p1 and lambda^2*p1.
2656 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2657 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2659 secp256k1_fe zfi2, zfi3;
2661 secp256k1_gej_set_infinity(&gej[0]);
2662 secp256k1_ge_clear(&ge[0]);
2663 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2664 for (i = 0; i < runs; i++) {
2667 random_group_element_test(&g);
2668 if (i >= runs - 2) {
2669 secp256k1_ge_mul_lambda(&g, &ge[1]);
2671 if (i >= runs - 1) {
2672 secp256k1_ge_mul_lambda(&g, &g);
2676 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2677 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2678 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2679 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2680 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2681 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2682 for (j = 0; j < 4; j++) {
2683 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2684 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2685 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2686 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2687 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2691 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2693 random_field_element_test(&zf);
2694 } while(secp256k1_fe_is_zero(&zf));
2695 random_field_element_magnitude(&zf);
2696 secp256k1_fe_inv_var(&zfi3, &zf);
2697 secp256k1_fe_sqr(&zfi2, &zfi3);
2698 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2700 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2702 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2703 /* Compute reference result using gej + gej (var). */
2704 secp256k1_gej refj, resj;
2707 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2708 /* Check Z ratio. */
2709 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2710 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2711 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2713 secp256k1_ge_set_gej_var(&ref, &refj);
2715 /* Test gej + ge with Z ratio result (var). */
2716 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2717 ge_equals_gej(&ref, &resj);
2718 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2719 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2720 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2723 /* Test gej + ge (var, with additional Z factor). */
2725 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2726 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2727 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2728 random_field_element_magnitude(&ge2_zfi.x);
2729 random_field_element_magnitude(&ge2_zfi.y);
2730 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2731 ge_equals_gej(&ref, &resj);
2734 /* Test gej + ge (const). */
2736 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2737 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2738 ge_equals_gej(&ref, &resj);
2741 /* Test doubling (var). */
2742 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2744 /* Normal doubling with Z ratio result. */
2745 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2746 ge_equals_gej(&ref, &resj);
2747 /* Check Z ratio. */
2748 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2749 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2750 /* Normal doubling. */
2751 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2752 ge_equals_gej(&ref, &resj);
2753 /* Constant-time doubling. */
2754 secp256k1_gej_double(&resj, &gej[i2]);
2755 ge_equals_gej(&ref, &resj);
2758 /* Test adding opposites. */
2759 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2760 CHECK(secp256k1_ge_is_infinity(&ref));
2763 /* Test adding infinity. */
2765 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2766 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2767 ge_equals_gej(&ref, &gej[i2]);
2770 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2771 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2772 ge_equals_gej(&ref, &gej[i1]);
2777 /* Test adding all points together in random order equals infinity. */
2779 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2780 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2781 for (i = 0; i < 4 * runs + 1; i++) {
2782 gej_shuffled[i] = gej[i];
2784 for (i = 0; i < 4 * runs + 1; i++) {
2785 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
2787 secp256k1_gej t = gej_shuffled[i];
2788 gej_shuffled[i] = gej_shuffled[swap];
2789 gej_shuffled[swap] = t;
2792 for (i = 0; i < 4 * runs + 1; i++) {
2793 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2795 CHECK(secp256k1_gej_is_infinity(&sum));
2799 /* Test batch gej -> ge conversion without known z ratios. */
2801 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2802 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2803 for (i = 0; i < 4 * runs + 1; i++) {
2805 random_fe_non_zero(&s);
2806 secp256k1_gej_rescale(&gej[i], &s);
2807 ge_equals_gej(&ge_set_all[i], &gej[i]);
2812 /* Test batch gej -> ge conversion with many infinities. */
2813 for (i = 0; i < 4 * runs + 1; i++) {
2814 random_group_element_test(&ge[i]);
2815 /* randomly set half the points to infinity */
2816 if(secp256k1_fe_is_odd(&ge[i].x)) {
2817 secp256k1_ge_set_infinity(&ge[i]);
2819 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2822 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2824 for (i = 0; i < 4 * runs + 1; i++) {
2825 ge_equals_gej(&ge[i], &gej[i]);
2833 void test_intialized_inf(void) {
2835 secp256k1_gej pj, npj, infj1, infj2, infj3;
2838 /* Test that adding P+(-P) results in a fully initalized infinity*/
2839 random_group_element_test(&p);
2840 secp256k1_gej_set_ge(&pj, &p);
2841 secp256k1_gej_neg(&npj, &pj);
2843 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
2844 CHECK(secp256k1_gej_is_infinity(&infj1));
2845 CHECK(secp256k1_fe_is_zero(&infj1.x));
2846 CHECK(secp256k1_fe_is_zero(&infj1.y));
2847 CHECK(secp256k1_fe_is_zero(&infj1.z));
2849 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
2850 CHECK(secp256k1_gej_is_infinity(&infj2));
2851 CHECK(secp256k1_fe_is_zero(&infj2.x));
2852 CHECK(secp256k1_fe_is_zero(&infj2.y));
2853 CHECK(secp256k1_fe_is_zero(&infj2.z));
2855 secp256k1_fe_set_int(&zinv, 1);
2856 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
2857 CHECK(secp256k1_gej_is_infinity(&infj3));
2858 CHECK(secp256k1_fe_is_zero(&infj3.x));
2859 CHECK(secp256k1_fe_is_zero(&infj3.y));
2860 CHECK(secp256k1_fe_is_zero(&infj3.z));
2865 void test_add_neg_y_diff_x(void) {
2866 /* The point of this test is to check that we can add two points
2867 * whose y-coordinates are negatives of each other but whose x
2868 * coordinates differ. If the x-coordinates were the same, these
2869 * points would be negatives of each other and their sum is
2870 * infinity. This is cool because it "covers up" any degeneracy
2871 * in the addition algorithm that would cause the xy coordinates
2872 * of the sum to be wrong (since infinity has no xy coordinates).
2873 * HOWEVER, if the x-coordinates are different, infinity is the
2874 * wrong answer, and such degeneracies are exposed. This is the
2875 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2876 * which this test is a regression test for.
2878 * These points were generated in sage as
2879 * # secp256k1 params
2880 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2881 * C = EllipticCurve ([F (0), F (7)])
2882 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2883 * N = FiniteField(G.order())
2885 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2887 * lam = (1 - x^3).roots()[1][0]
2889 * # random "bad pair"
2890 * P = C.random_element()
2892 * print " P: %x %x" % P.xy()
2893 * print " Q: %x %x" % Q.xy()
2894 * print "P + Q: %x %x" % (P + Q).xy()
2896 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2897 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2898 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2899 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2900 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2902 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2903 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2904 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2905 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2906 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2908 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2909 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2910 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2911 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2912 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2917 secp256k1_ge_set_gej(&b, &bj);
2919 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2920 secp256k1_ge_set_gej(&res, &resj);
2921 ge_equals_gej(&res, &sumj);
2923 secp256k1_gej_add_ge(&resj, &aj, &b);
2924 secp256k1_ge_set_gej(&res, &resj);
2925 ge_equals_gej(&res, &sumj);
2927 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2928 secp256k1_ge_set_gej(&res, &resj);
2929 ge_equals_gej(&res, &sumj);
2934 for (i = 0; i < count * 32; i++) {
2937 test_add_neg_y_diff_x();
2938 test_intialized_inf();
2941 void test_ec_combine(void) {
2942 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2943 secp256k1_pubkey data[6];
2944 const secp256k1_pubkey* d[6];
2945 secp256k1_pubkey sd;
2946 secp256k1_pubkey sd2;
2950 for (i = 1; i <= 6; i++) {
2952 random_scalar_order_test(&s);
2953 secp256k1_scalar_add(&sum, &sum, &s);
2954 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2955 secp256k1_ge_set_gej(&Q, &Qj);
2956 secp256k1_pubkey_save(&data[i - 1], &Q);
2957 d[i - 1] = &data[i - 1];
2958 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2959 secp256k1_ge_set_gej(&Q, &Qj);
2960 secp256k1_pubkey_save(&sd, &Q);
2961 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2962 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
2966 void run_ec_combine(void) {
2968 for (i = 0; i < count * 8; i++) {
2973 void test_group_decompress(const secp256k1_fe* x) {
2974 /* The input itself, normalized. */
2975 secp256k1_fe fex = *x;
2977 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2978 secp256k1_ge ge_quad, ge_even, ge_odd;
2979 secp256k1_gej gej_quad;
2980 /* Return values of the above calls. */
2981 int res_quad, res_even, res_odd;
2983 secp256k1_fe_normalize_var(&fex);
2985 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2986 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2987 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2989 CHECK(res_quad == res_even);
2990 CHECK(res_quad == res_odd);
2993 secp256k1_fe_normalize_var(&ge_quad.x);
2994 secp256k1_fe_normalize_var(&ge_odd.x);
2995 secp256k1_fe_normalize_var(&ge_even.x);
2996 secp256k1_fe_normalize_var(&ge_quad.y);
2997 secp256k1_fe_normalize_var(&ge_odd.y);
2998 secp256k1_fe_normalize_var(&ge_even.y);
3000 /* No infinity allowed. */
3001 CHECK(!ge_quad.infinity);
3002 CHECK(!ge_even.infinity);
3003 CHECK(!ge_odd.infinity);
3005 /* Check that the x coordinates check out. */
3006 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
3007 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
3008 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
3010 /* Check that the Y coordinate result in ge_quad is a square. */
3011 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
3013 /* Check odd/even Y in ge_odd, ge_even. */
3014 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
3015 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
3017 /* Check secp256k1_gej_has_quad_y_var. */
3018 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
3019 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3021 random_fe_test(&fez);
3022 } while (secp256k1_fe_is_zero(&fez));
3023 secp256k1_gej_rescale(&gej_quad, &fez);
3024 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3025 secp256k1_gej_neg(&gej_quad, &gej_quad);
3026 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
3028 random_fe_test(&fez);
3029 } while (secp256k1_fe_is_zero(&fez));
3030 secp256k1_gej_rescale(&gej_quad, &fez);
3031 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
3032 secp256k1_gej_neg(&gej_quad, &gej_quad);
3033 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3037 void run_group_decompress(void) {
3039 for (i = 0; i < count * 4; i++) {
3041 random_fe_test(&fe);
3042 test_group_decompress(&fe);
3046 /***** ECMULT TESTS *****/
3048 void run_ecmult_chain(void) {
3049 /* random starting point A (on the curve) */
3050 secp256k1_gej a = SECP256K1_GEJ_CONST(
3051 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
3052 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
3053 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
3054 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
3056 /* two random initial factors xn and gn */
3057 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
3058 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
3059 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
3061 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
3062 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
3063 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
3065 /* two small multipliers to be applied to xn and gn in every iteration: */
3066 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
3067 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
3068 /* accumulators with the resulting coefficients to A and G */
3069 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3070 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3076 /* the point being computed */
3078 for (i = 0; i < 200*count; i++) {
3079 /* in each iteration, compute X = xn*X + gn*G; */
3080 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
3081 /* also compute ae and ge: the actual accumulated factors for A and G */
3082 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
3083 secp256k1_scalar_mul(&ae, &ae, &xn);
3084 secp256k1_scalar_mul(&ge, &ge, &xn);
3085 secp256k1_scalar_add(&ge, &ge, &gn);
3086 /* modify xn and gn */
3087 secp256k1_scalar_mul(&xn, &xn, &xf);
3088 secp256k1_scalar_mul(&gn, &gn, &gf);
3092 /* expected result after 19999 iterations */
3093 secp256k1_gej rp = SECP256K1_GEJ_CONST(
3094 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
3095 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
3096 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
3097 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
3100 secp256k1_gej_neg(&rp, &rp);
3101 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
3102 CHECK(secp256k1_gej_is_infinity(&rp));
3105 /* redo the computation, but directly with the resulting ae and ge coefficients: */
3106 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
3107 secp256k1_gej_neg(&x2, &x2);
3108 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
3109 CHECK(secp256k1_gej_is_infinity(&x2));
3112 void test_point_times_order(const secp256k1_gej *point) {
3113 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
3115 secp256k1_scalar nx;
3116 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3117 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3118 secp256k1_gej res1, res2;
3120 unsigned char pub[65];
3122 random_scalar_order_test(&x);
3123 secp256k1_scalar_negate(&nx, &x);
3124 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
3125 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
3126 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
3127 CHECK(secp256k1_gej_is_infinity(&res1));
3128 secp256k1_ge_set_gej(&res3, &res1);
3129 CHECK(secp256k1_ge_is_infinity(&res3));
3130 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
3131 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
3133 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
3134 /* check zero/one edge cases */
3135 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
3136 secp256k1_ge_set_gej(&res3, &res1);
3137 CHECK(secp256k1_ge_is_infinity(&res3));
3138 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
3139 secp256k1_ge_set_gej(&res3, &res1);
3140 ge_equals_gej(&res3, point);
3141 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
3142 secp256k1_ge_set_gej(&res3, &res1);
3143 ge_equals_ge(&res3, &secp256k1_ge_const_g);
3146 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
3148 * They are computed as:
3149 * - For a in [-2, -1, 0, 1, 2]:
3150 * - For b in [-3, -1, 1, 3]:
3151 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
3153 static const secp256k1_scalar scalars_near_split_bounds[20] = {
3154 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
3155 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
3156 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
3157 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
3158 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
3159 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
3160 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
3161 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
3162 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
3163 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
3164 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
3165 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
3166 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
3167 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
3168 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
3169 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
3170 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
3171 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
3172 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
3173 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
3176 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
3177 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
3178 secp256k1_scalar n1, n2;
3180 secp256k1_gej pj, p1j, p2j, ptj;
3181 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3183 /* Generate random n1,n2 such that n1+n2 = -target. */
3184 random_scalar_order_test(&n1);
3185 secp256k1_scalar_add(&n2, &n1, target);
3186 secp256k1_scalar_negate(&n2, &n2);
3188 /* Generate a random input point. */
3190 random_group_element_test(&p);
3191 secp256k1_gej_set_ge(&pj, &p);
3194 /* EC multiplications */
3196 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
3197 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
3198 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
3199 } else if (mode == 1) {
3200 secp256k1_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
3201 secp256k1_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
3202 secp256k1_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
3204 secp256k1_ecmult_const(&p1j, &p, &n1, 256);
3205 secp256k1_ecmult_const(&p2j, &p, &n2, 256);
3206 secp256k1_ecmult_const(&ptj, &p, target, 256);
3209 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
3210 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
3211 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
3212 CHECK(secp256k1_gej_is_infinity(&ptj));
3215 void run_ecmult_near_split_bound(void) {
3218 for (i = 0; i < 4*count; ++i) {
3219 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
3220 test_ecmult_target(&scalars_near_split_bounds[j], 0);
3221 test_ecmult_target(&scalars_near_split_bounds[j], 1);
3222 test_ecmult_target(&scalars_near_split_bounds[j], 2);
3227 void run_point_times_order(void) {
3229 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
3230 static const secp256k1_fe xr = SECP256K1_FE_CONST(
3231 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
3232 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
3234 for (i = 0; i < 500; i++) {
3236 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
3238 CHECK(secp256k1_ge_is_valid_var(&p));
3239 secp256k1_gej_set_ge(&j, &p);
3240 test_point_times_order(&j);
3242 secp256k1_fe_sqr(&x, &x);
3244 secp256k1_fe_normalize_var(&x);
3245 CHECK(secp256k1_fe_equal_var(&x, &xr));
3248 void ecmult_const_random_mult(void) {
3249 /* random starting point A (on the curve) */
3250 secp256k1_ge a = SECP256K1_GE_CONST(
3251 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
3252 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
3253 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
3254 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
3256 /* random initial factor xn */
3257 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
3258 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
3259 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
3261 /* expected xn * A (from sage) */
3262 secp256k1_ge expected_b = SECP256K1_GE_CONST(
3263 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
3264 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
3265 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
3266 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
3269 secp256k1_ecmult_const(&b, &a, &xn, 256);
3271 CHECK(secp256k1_ge_is_valid_var(&a));
3272 ge_equals_gej(&expected_b, &b);
3275 void ecmult_const_commutativity(void) {
3282 random_scalar_order_test(&a);
3283 random_scalar_order_test(&b);
3285 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
3286 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
3287 secp256k1_ge_set_gej(&mid1, &res1);
3288 secp256k1_ge_set_gej(&mid2, &res2);
3289 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
3290 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
3291 secp256k1_ge_set_gej(&mid1, &res1);
3292 secp256k1_ge_set_gej(&mid2, &res2);
3293 ge_equals_ge(&mid1, &mid2);
3296 void ecmult_const_mult_zero_one(void) {
3297 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3298 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3299 secp256k1_scalar negone;
3303 secp256k1_scalar_negate(&negone, &one);
3305 random_group_element_test(&point);
3306 secp256k1_ecmult_const(&res1, &point, &zero, 3);
3307 secp256k1_ge_set_gej(&res2, &res1);
3308 CHECK(secp256k1_ge_is_infinity(&res2));
3309 secp256k1_ecmult_const(&res1, &point, &one, 2);
3310 secp256k1_ge_set_gej(&res2, &res1);
3311 ge_equals_ge(&res2, &point);
3312 secp256k1_ecmult_const(&res1, &point, &negone, 256);
3313 secp256k1_gej_neg(&res1, &res1);
3314 secp256k1_ge_set_gej(&res2, &res1);
3315 ge_equals_ge(&res2, &point);
3318 void ecmult_const_chain_multiply(void) {
3319 /* Check known result (randomly generated test problem from sage) */
3320 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
3321 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
3322 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
3324 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
3325 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
3326 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
3327 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
3328 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
3330 secp256k1_gej point;
3334 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
3335 for (i = 0; i < 100; ++i) {
3337 secp256k1_ge_set_gej(&tmp, &point);
3338 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
3340 secp256k1_ge_set_gej(&res, &point);
3341 ge_equals_gej(&res, &expected_point);
3344 void run_ecmult_const_tests(void) {
3345 ecmult_const_mult_zero_one();
3346 ecmult_const_random_mult();
3347 ecmult_const_commutativity();
3348 ecmult_const_chain_multiply();
3352 secp256k1_scalar *sc;
3354 } ecmult_multi_data;
3356 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3357 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
3358 *sc = data->sc[idx];
3359 *pt = data->pt[idx];
3363 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3371 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
3373 secp256k1_scalar szero;
3374 secp256k1_scalar sc[32];
3375 secp256k1_ge pt[32];
3378 ecmult_multi_data data;
3382 secp256k1_scalar_set_int(&szero, 0);
3384 /* No points to multiply */
3385 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
3387 /* Check 1- and 2-point multiplies against ecmult */
3388 for (ncount = 0; ncount < count; ncount++) {
3391 random_scalar_order(&sc[0]);
3392 random_scalar_order(&sc[1]);
3394 random_group_element_test(&ptg);
3395 secp256k1_gej_set_ge(&ptgj, &ptg);
3397 pt[1] = secp256k1_ge_const_g;
3400 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
3401 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
3402 secp256k1_gej_neg(&r2, &r2);
3403 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3404 CHECK(secp256k1_gej_is_infinity(&r));
3407 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
3408 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
3409 secp256k1_gej_neg(&r2, &r2);
3410 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3411 CHECK(secp256k1_gej_is_infinity(&r));
3413 /* Try to multiply 1 point, but callback returns false */
3414 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
3417 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3418 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
3419 secp256k1_gej_neg(&r2, &r2);
3420 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3421 CHECK(secp256k1_gej_is_infinity(&r));
3423 /* 2-point with G scalar */
3424 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3425 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
3426 secp256k1_gej_neg(&r2, &r2);
3427 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3428 CHECK(secp256k1_gej_is_infinity(&r));
3431 /* Check infinite outputs of various forms */
3432 for (ncount = 0; ncount < count; ncount++) {
3435 size_t sizes[] = { 2, 10, 32 };
3437 for (j = 0; j < 3; j++) {
3438 for (i = 0; i < 32; i++) {
3439 random_scalar_order(&sc[i]);
3440 secp256k1_ge_set_infinity(&pt[i]);
3442 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3443 CHECK(secp256k1_gej_is_infinity(&r));
3446 for (j = 0; j < 3; j++) {
3447 for (i = 0; i < 32; i++) {
3448 random_group_element_test(&ptg);
3450 secp256k1_scalar_set_int(&sc[i], 0);
3452 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3453 CHECK(secp256k1_gej_is_infinity(&r));
3456 for (j = 0; j < 3; j++) {
3457 random_group_element_test(&ptg);
3458 for (i = 0; i < 16; i++) {
3459 random_scalar_order(&sc[2*i]);
3460 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
3462 pt[2 * i + 1] = ptg;
3465 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3466 CHECK(secp256k1_gej_is_infinity(&r));
3468 random_scalar_order(&sc[0]);
3469 for (i = 0; i < 16; i++) {
3470 random_group_element_test(&ptg);
3475 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
3478 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3479 CHECK(secp256k1_gej_is_infinity(&r));
3482 random_group_element_test(&ptg);
3483 secp256k1_scalar_set_int(&sc[0], 0);
3485 for (i = 1; i < 32; i++) {
3488 random_scalar_order(&sc[i]);
3489 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
3490 secp256k1_scalar_negate(&sc[i], &sc[i]);
3493 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
3494 CHECK(secp256k1_gej_is_infinity(&r));
3497 /* Check random points, constant scalar */
3498 for (ncount = 0; ncount < count; ncount++) {
3500 secp256k1_gej_set_infinity(&r);
3502 random_scalar_order(&sc[0]);
3503 for (i = 0; i < 20; i++) {
3506 random_group_element_test(&ptg);
3508 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
3511 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
3512 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3513 secp256k1_gej_neg(&r2, &r2);
3514 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3515 CHECK(secp256k1_gej_is_infinity(&r));
3518 /* Check random scalars, constant point */
3519 for (ncount = 0; ncount < count; ncount++) {
3523 secp256k1_scalar rs;
3524 secp256k1_scalar_set_int(&rs, 0);
3526 random_group_element_test(&ptg);
3527 for (i = 0; i < 20; i++) {
3528 random_scalar_order(&sc[i]);
3530 secp256k1_scalar_add(&rs, &rs, &sc[i]);
3533 secp256k1_gej_set_ge(&p0j, &pt[0]);
3534 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
3535 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3536 secp256k1_gej_neg(&r2, &r2);
3537 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3538 CHECK(secp256k1_gej_is_infinity(&r));
3541 /* Sanity check that zero scalars don't cause problems */
3542 for (ncount = 0; ncount < 20; ncount++) {
3543 random_scalar_order(&sc[ncount]);
3544 random_group_element_test(&pt[ncount]);
3547 secp256k1_scalar_clear(&sc[0]);
3548 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3549 secp256k1_scalar_clear(&sc[1]);
3550 secp256k1_scalar_clear(&sc[2]);
3551 secp256k1_scalar_clear(&sc[3]);
3552 secp256k1_scalar_clear(&sc[4]);
3553 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
3554 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
3555 CHECK(secp256k1_gej_is_infinity(&r));
3557 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
3559 const size_t TOP = 8;
3565 random_group_element_test(&ptg);
3566 secp256k1_gej_set_ge(&ptgj, &ptg);
3568 for(t0i = 0; t0i < TOP; t0i++) {
3569 for(t1i = 0; t1i < TOP; t1i++) {
3570 secp256k1_gej t0p, t1p;
3571 secp256k1_scalar t0, t1;
3573 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
3574 secp256k1_scalar_cond_negate(&t0, t0i & 1);
3575 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
3576 secp256k1_scalar_cond_negate(&t1, t1i & 1);
3578 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
3579 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
3581 for(s0i = 0; s0i < TOP; s0i++) {
3582 for(s1i = 0; s1i < TOP; s1i++) {
3583 secp256k1_scalar tmp1, tmp2;
3584 secp256k1_gej expected, actual;
3586 secp256k1_ge_set_gej(&pt[0], &t0p);
3587 secp256k1_ge_set_gej(&pt[1], &t1p);
3589 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
3590 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3591 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3592 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3594 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3595 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3596 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3598 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3599 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3600 secp256k1_gej_neg(&expected, &expected);
3601 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3602 CHECK(secp256k1_gej_is_infinity(&actual));
3610 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
3611 secp256k1_scalar szero;
3612 secp256k1_scalar sc;
3615 ecmult_multi_data data;
3616 secp256k1_scratch *scratch_empty;
3618 random_group_element_test(&pt);
3619 random_scalar_order(&sc);
3622 secp256k1_scalar_set_int(&szero, 0);
3624 /* Try to multiply 1 point, but scratch space is empty.*/
3625 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3626 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3627 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
3630 void test_secp256k1_pippenger_bucket_window_inv(void) {
3633 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
3634 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
3635 /* Bucket_window of 8 is not used with endo */
3639 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3640 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3641 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3647 * Probabilistically test the function returning the maximum number of possible points
3648 * for a given scratch space.
3650 void test_ecmult_multi_pippenger_max_points(void) {
3651 size_t scratch_size = secp256k1_testrand_int(256);
3652 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3653 secp256k1_scratch *scratch;
3654 size_t n_points_supported;
3655 int bucket_window = 0;
3657 for(; scratch_size < max_size; scratch_size+=256) {
3661 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3662 CHECK(scratch != NULL);
3663 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3664 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3665 if (n_points_supported == 0) {
3666 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3669 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3670 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3671 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3672 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3673 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3676 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3677 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3678 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3680 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3683 void test_ecmult_multi_batch_size_helper(void) {
3684 size_t n_batches, n_batch_points, max_n_batch_points, n;
3686 max_n_batch_points = 0;
3688 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3690 max_n_batch_points = 1;
3692 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3693 CHECK(n_batches == 0);
3694 CHECK(n_batch_points == 0);
3696 max_n_batch_points = 2;
3698 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3699 CHECK(n_batches == 3);
3700 CHECK(n_batch_points == 2);
3702 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3703 n = ECMULT_MAX_POINTS_PER_BATCH;
3704 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3705 CHECK(n_batches == 1);
3706 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3708 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3709 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3710 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3711 CHECK(n_batches == 2);
3712 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3714 max_n_batch_points = 1;
3716 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3717 CHECK(n_batches == SIZE_MAX);
3718 CHECK(n_batch_points == 1);
3720 max_n_batch_points = 2;
3722 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3723 CHECK(n_batches == SIZE_MAX/2 + 1);
3724 CHECK(n_batch_points == 2);
3728 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
3729 * 1 <= i <= num points.
3731 void test_ecmult_multi_batching(void) {
3732 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3733 secp256k1_scalar scG;
3734 secp256k1_scalar szero;
3735 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3736 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3739 ecmult_multi_data data;
3741 secp256k1_scratch *scratch;
3743 secp256k1_gej_set_infinity(&r2);
3744 secp256k1_scalar_set_int(&szero, 0);
3746 /* Get random scalars and group elements and compute result */
3747 random_scalar_order(&scG);
3748 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3749 for(i = 0; i < n_points; i++) {
3752 random_group_element_test(&ptg);
3753 secp256k1_gej_set_ge(&ptgj, &ptg);
3755 random_scalar_order(&sc[i]);
3756 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3757 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3761 secp256k1_gej_neg(&r2, &r2);
3763 /* Test with empty scratch space. It should compute the correct result using
3764 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3765 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3766 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3767 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3768 CHECK(secp256k1_gej_is_infinity(&r));
3769 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3771 /* Test with space for 1 point in pippenger. That's not enough because
3772 * ecmult_multi selects strauss which requires more memory. It should
3773 * therefore select the simple algorithm. */
3774 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3775 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3776 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3777 CHECK(secp256k1_gej_is_infinity(&r));
3778 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3780 for(i = 1; i <= n_points; i++) {
3781 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3782 int bucket_window = secp256k1_pippenger_bucket_window(i);
3783 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3784 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3786 size_t scratch_size = secp256k1_strauss_scratch_size(i);
3787 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3789 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3790 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3791 CHECK(secp256k1_gej_is_infinity(&r));
3792 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3798 void run_ecmult_multi_tests(void) {
3799 secp256k1_scratch *scratch;
3801 test_secp256k1_pippenger_bucket_window_inv();
3802 test_ecmult_multi_pippenger_max_points();
3803 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3804 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3805 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3806 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3807 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3808 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3809 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3810 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3812 /* Run test_ecmult_multi with space for exactly one point */
3813 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3814 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3815 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3817 test_ecmult_multi_batch_size_helper();
3818 test_ecmult_multi_batching();
3821 void test_wnaf(const secp256k1_scalar *number, int w) {
3822 secp256k1_scalar x, two, t;
3827 secp256k1_scalar_set_int(&x, 0);
3828 secp256k1_scalar_set_int(&two, 2);
3829 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3831 for (i = bits-1; i >= 0; i--) {
3833 secp256k1_scalar_mul(&x, &x, &two);
3835 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3837 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3838 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3839 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3841 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3845 secp256k1_scalar_set_int(&t, v);
3847 secp256k1_scalar_set_int(&t, -v);
3848 secp256k1_scalar_negate(&t, &t);
3850 secp256k1_scalar_add(&x, &x, &t);
3852 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3855 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3856 secp256k1_scalar neg1 = *number;
3857 secp256k1_scalar neg2 = *number;
3861 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3862 secp256k1_scalar_negate(&neg1, &neg1);
3865 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3866 CHECK(sign1 == sign2);
3867 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3870 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3871 secp256k1_scalar x, shift;
3872 int wnaf[256] = {0};
3876 secp256k1_scalar num = *number;
3877 secp256k1_scalar scalar_skew;
3879 secp256k1_scalar_set_int(&x, 0);
3880 secp256k1_scalar_set_int(&shift, 1 << w);
3881 for (i = 0; i < 16; ++i) {
3882 secp256k1_scalar_shr_int(&num, 8);
3885 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3887 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3890 CHECK(v != 0); /* check nonzero */
3891 CHECK(v & 1); /* check parity */
3892 CHECK(v > -(1 << w)); /* check range above */
3893 CHECK(v < (1 << w)); /* check range below */
3895 secp256k1_scalar_mul(&x, &x, &shift);
3897 secp256k1_scalar_set_int(&t, v);
3899 secp256k1_scalar_set_int(&t, -v);
3900 secp256k1_scalar_negate(&t, &t);
3902 secp256k1_scalar_add(&x, &x, &t);
3904 /* Skew num because when encoding numbers as odd we use an offset */
3905 secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3906 secp256k1_scalar_add(&num, &num, &scalar_skew);
3907 CHECK(secp256k1_scalar_eq(&x, &num));
3910 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3911 secp256k1_scalar x, shift;
3912 int wnaf[256] = {0};
3915 secp256k1_scalar num = *number;
3917 secp256k1_scalar_set_int(&x, 0);
3918 secp256k1_scalar_set_int(&shift, 1 << w);
3919 for (i = 0; i < 16; ++i) {
3920 secp256k1_scalar_shr_int(&num, 8);
3922 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3924 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3927 CHECK(v == 0 || v & 1); /* check parity */
3928 CHECK(v > -(1 << w)); /* check range above */
3929 CHECK(v < (1 << w)); /* check range below */
3931 secp256k1_scalar_mul(&x, &x, &shift);
3933 secp256k1_scalar_set_int(&t, v);
3935 secp256k1_scalar_set_int(&t, -v);
3936 secp256k1_scalar_negate(&t, &t);
3938 secp256k1_scalar_add(&x, &x, &t);
3940 /* If skew is 1 then add 1 to num */
3941 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3942 CHECK(secp256k1_scalar_eq(&x, &num));
3945 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3947 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3949 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3950 CHECK(wnaf[i] == 0);
3952 for (i = 7; i >= 0; --i) {
3953 CHECK(wnaf[i] == wnaf_expected[i]);
3957 void test_fixed_wnaf_small(void) {
3959 int wnaf[256] = {0};
3962 secp256k1_scalar num;
3964 secp256k1_scalar_set_int(&num, 0);
3965 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3966 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3972 secp256k1_scalar_set_int(&num, 1);
3973 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3974 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3978 CHECK(wnaf[0] == 1);
3982 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3983 secp256k1_scalar_set_int(&num, 0xffffffff);
3984 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3985 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3989 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3990 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3991 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3992 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3996 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3997 secp256k1_scalar_set_int(&num, 0x01010101);
3998 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3999 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4003 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
4004 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
4005 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4006 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4011 void run_wnaf(void) {
4013 secp256k1_scalar n = {{0}};
4015 test_constant_wnaf(&n, 4);
4016 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
4017 * have easier-to-diagnose failure modes */
4019 test_constant_wnaf(&n, 4);
4021 test_constant_wnaf(&n, 4);
4022 /* Test -1, because it's a special case in wnaf_const */
4023 n = secp256k1_scalar_one;
4024 secp256k1_scalar_negate(&n, &n);
4025 test_constant_wnaf(&n, 4);
4027 /* Test -2, which may not lead to overflows in wnaf_const */
4028 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
4029 secp256k1_scalar_negate(&n, &n);
4030 test_constant_wnaf(&n, 4);
4032 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
4033 as corner cases of negation handling in wnaf_const */
4034 secp256k1_scalar_inverse(&n, &n);
4035 test_constant_wnaf(&n, 4);
4037 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
4038 test_constant_wnaf(&n, 4);
4040 /* Test 0 for fixed wnaf */
4041 test_fixed_wnaf_small();
4043 for (i = 0; i < count; i++) {
4044 random_scalar_order(&n);
4045 test_wnaf(&n, 4+(i%10));
4046 test_constant_wnaf_negate(&n);
4047 test_constant_wnaf(&n, 4 + (i % 10));
4048 test_fixed_wnaf(&n, 4 + (i % 10));
4050 secp256k1_scalar_set_int(&n, 0);
4051 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
4052 CHECK(secp256k1_scalar_is_zero(&n));
4053 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
4054 CHECK(secp256k1_scalar_is_zero(&n));
4057 void test_ecmult_constants(void) {
4058 /* Test ecmult_gen() for [0..36) and [order-36..0). */
4064 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
4065 for (i = 0; i < 36; i++ ) {
4066 secp256k1_scalar_set_int(&x, i);
4067 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
4068 for (j = 0; j < i; j++) {
4070 ge_equals_gej(&secp256k1_ge_const_g, &r);
4072 secp256k1_gej_add_ge(&r, &r, &ng);
4074 CHECK(secp256k1_gej_is_infinity(&r));
4076 for (i = 1; i <= 36; i++ ) {
4077 secp256k1_scalar_set_int(&x, i);
4078 secp256k1_scalar_negate(&x, &x);
4079 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
4080 for (j = 0; j < i; j++) {
4082 ge_equals_gej(&ng, &r);
4084 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
4086 CHECK(secp256k1_gej_is_infinity(&r));
4090 void run_ecmult_constants(void) {
4091 test_ecmult_constants();
4094 void test_ecmult_gen_blind(void) {
4095 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
4096 secp256k1_scalar key;
4098 unsigned char seed32[32];
4100 secp256k1_gej pgej2;
4103 random_scalar_order_test(&key);
4104 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
4105 secp256k1_testrand256(seed32);
4106 b = ctx->ecmult_gen_ctx.blind;
4107 i = ctx->ecmult_gen_ctx.initial;
4108 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
4109 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
4110 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
4111 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
4112 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
4113 secp256k1_ge_set_gej(&pge, &pgej);
4114 ge_equals_gej(&pge, &pgej2);
4117 void test_ecmult_gen_blind_reset(void) {
4118 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
4120 secp256k1_gej initial;
4121 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
4122 b = ctx->ecmult_gen_ctx.blind;
4123 initial = ctx->ecmult_gen_ctx.initial;
4124 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
4125 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
4126 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
4129 void run_ecmult_gen_blind(void) {
4131 test_ecmult_gen_blind_reset();
4132 for (i = 0; i < 10; i++) {
4133 test_ecmult_gen_blind();
4137 /***** ENDOMORPHISH TESTS *****/
4138 void test_scalar_split(const secp256k1_scalar* full) {
4139 secp256k1_scalar s, s1, slam;
4140 const unsigned char zero[32] = {0};
4141 unsigned char tmp[32];
4143 secp256k1_scalar_split_lambda(&s1, &slam, full);
4145 /* check slam*lambda + s1 == full */
4146 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
4147 secp256k1_scalar_add(&s, &s, &s1);
4148 CHECK(secp256k1_scalar_eq(&s, full));
4150 /* check that both are <= 128 bits in size */
4151 if (secp256k1_scalar_is_high(&s1)) {
4152 secp256k1_scalar_negate(&s1, &s1);
4154 if (secp256k1_scalar_is_high(&slam)) {
4155 secp256k1_scalar_negate(&slam, &slam);
4158 secp256k1_scalar_get_b32(tmp, &s1);
4159 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
4160 secp256k1_scalar_get_b32(tmp, &slam);
4161 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
4165 void run_endomorphism_tests(void) {
4167 static secp256k1_scalar s;
4168 test_scalar_split(&secp256k1_scalar_zero);
4169 test_scalar_split(&secp256k1_scalar_one);
4170 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
4171 test_scalar_split(&s);
4172 test_scalar_split(&secp256k1_const_lambda);
4173 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
4174 test_scalar_split(&s);
4176 for (i = 0; i < 100U * count; ++i) {
4177 secp256k1_scalar full;
4178 random_scalar_order_test(&full);
4179 test_scalar_split(&full);
4181 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
4182 test_scalar_split(&scalars_near_split_bounds[i]);
4186 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
4187 unsigned char pubkeyc[65];
4188 secp256k1_pubkey pubkey;
4193 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4194 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
4195 /* Smaller sizes are tested exhaustively elsewhere. */
4197 memcpy(&pubkeyc[1], input, 64);
4198 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
4199 for (i = 0; i < 256; i++) {
4200 /* Try all type bytes. */
4205 /* What sign does this point have? */
4206 ysign = (input[63] & 1) + 2;
4207 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
4208 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
4209 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
4210 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
4211 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
4212 if (xpass || ypass) {
4213 /* These cases must parse. */
4214 unsigned char pubkeyo[65];
4216 memset(&pubkey, 0, sizeof(pubkey));
4217 VG_UNDEF(&pubkey, sizeof(pubkey));
4219 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4220 VG_CHECK(&pubkey, sizeof(pubkey));
4222 VG_UNDEF(pubkeyo, 65);
4223 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4224 VG_CHECK(pubkeyo, outl);
4226 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
4227 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
4229 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
4230 CHECK(pubkeyo[0] == ysign);
4231 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4232 memset(&pubkey, 0, sizeof(pubkey));
4233 VG_UNDEF(&pubkey, sizeof(pubkey));
4234 secp256k1_pubkey_save(&pubkey, &ge);
4235 VG_CHECK(&pubkey, sizeof(pubkey));
4237 VG_UNDEF(pubkeyo, 65);
4238 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4239 VG_CHECK(pubkeyo, outl);
4241 CHECK(pubkeyo[0] == 4);
4242 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
4246 /* These cases must fail to parse. */
4247 memset(&pubkey, 0xfe, sizeof(pubkey));
4249 VG_UNDEF(&pubkey, sizeof(pubkey));
4250 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
4251 VG_CHECK(&pubkey, sizeof(pubkey));
4253 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4258 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4261 void run_ec_pubkey_parse_test(void) {
4262 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
4263 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
4265 /* Point with leading and trailing zeros in x and y serialization. */
4266 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
4267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4268 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
4269 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
4272 /* Point with x equal to a 3rd root of unity.*/
4273 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
4274 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
4275 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4276 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4279 /* Point with largest x. (1/2) */
4280 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4281 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
4282 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
4283 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
4286 /* Point with largest x. (2/2) */
4287 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4288 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
4289 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
4290 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
4293 /* Point with smallest x. (1/2) */
4294 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4295 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4296 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4297 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4300 /* Point with smallest x. (2/2) */
4301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4303 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4304 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4307 /* Point with largest y. (1/3) */
4308 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4309 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4310 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4311 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4314 /* Point with largest y. (2/3) */
4315 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4316 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4317 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4318 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4321 /* Point with largest y. (3/3) */
4322 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4323 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4324 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4325 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4328 /* Point with smallest y. (1/3) */
4329 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4330 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4331 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4332 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4335 /* Point with smallest y. (2/3) */
4336 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4337 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4338 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4339 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4342 /* Point with smallest y. (3/3) */
4343 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4344 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4345 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4346 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
4349 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
4350 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
4352 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
4353 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4354 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4355 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4356 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4359 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
4360 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4361 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4362 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4366 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
4367 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4368 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4369 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4370 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4373 /* x on curve, y is from y^2 = x^3 + 8. */
4374 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4375 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4376 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4377 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
4380 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
4381 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
4383 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
4384 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
4385 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
4386 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4387 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4390 /* Valid if x overflow ignored (x = 1 mod p). */
4391 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4392 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4393 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4394 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4397 /* Valid if x overflow ignored (x = 1 mod p). */
4398 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4399 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4400 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4401 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4404 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4405 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4406 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4407 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
4408 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
4411 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4412 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4413 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4414 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
4415 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
4418 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4419 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4420 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4421 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
4422 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
4425 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4426 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4428 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
4429 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
4432 const unsigned char pubkeyc[66] = {
4433 /* Serialization of G. */
4434 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
4435 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
4436 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
4437 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
4440 unsigned char sout[65];
4441 unsigned char shortkey[2];
4443 secp256k1_pubkey pubkey;
4449 /* Nothing should be reading this far into pubkeyc. */
4450 VG_UNDEF(&pubkeyc[65], 1);
4451 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4452 /* Zero length claimed, fail, zeroize, no illegal arg error. */
4453 memset(&pubkey, 0xfe, sizeof(pubkey));
4455 VG_UNDEF(shortkey, 2);
4456 VG_UNDEF(&pubkey, sizeof(pubkey));
4457 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
4458 VG_CHECK(&pubkey, sizeof(pubkey));
4460 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4462 /* Length one claimed, fail, zeroize, no illegal arg error. */
4463 for (i = 0; i < 256 ; i++) {
4464 memset(&pubkey, 0xfe, sizeof(pubkey));
4467 VG_UNDEF(&shortkey[1], 1);
4468 VG_UNDEF(&pubkey, sizeof(pubkey));
4469 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
4470 VG_CHECK(&pubkey, sizeof(pubkey));
4472 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4475 /* Length two claimed, fail, zeroize, no illegal arg error. */
4476 for (i = 0; i < 65536 ; i++) {
4477 memset(&pubkey, 0xfe, sizeof(pubkey));
4479 shortkey[0] = i & 255;
4480 shortkey[1] = i >> 8;
4481 VG_UNDEF(&pubkey, sizeof(pubkey));
4482 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
4483 VG_CHECK(&pubkey, sizeof(pubkey));
4485 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4488 memset(&pubkey, 0xfe, sizeof(pubkey));
4490 VG_UNDEF(&pubkey, sizeof(pubkey));
4491 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
4492 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
4493 VG_CHECK(&pubkey, sizeof(pubkey));
4495 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4497 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
4498 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
4500 /* NULL input string. Illegal arg and zeroize output. */
4501 memset(&pubkey, 0xfe, sizeof(pubkey));
4503 VG_UNDEF(&pubkey, sizeof(pubkey));
4504 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
4505 VG_CHECK(&pubkey, sizeof(pubkey));
4507 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4509 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
4510 memset(&pubkey, 0xfe, sizeof(pubkey));
4512 VG_UNDEF(&pubkey, sizeof(pubkey));
4513 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
4514 VG_CHECK(&pubkey, sizeof(pubkey));
4516 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4518 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
4519 memset(&pubkey, 0xfe, sizeof(pubkey));
4521 VG_UNDEF(&pubkey, sizeof(pubkey));
4522 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
4523 VG_CHECK(&pubkey, sizeof(pubkey));
4525 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4528 memset(&pubkey, 0, sizeof(pubkey));
4530 VG_UNDEF(&pubkey, sizeof(pubkey));
4531 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
4532 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
4533 VG_CHECK(&pubkey, sizeof(pubkey));
4535 VG_UNDEF(&ge, sizeof(ge));
4536 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4537 VG_CHECK(&ge.x, sizeof(ge.x));
4538 VG_CHECK(&ge.y, sizeof(ge.y));
4539 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
4540 ge_equals_ge(&secp256k1_ge_const_g, &ge);
4542 /* secp256k1_ec_pubkey_serialize illegal args. */
4545 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4548 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4552 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
4557 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
4562 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4566 /* Multiple illegal args. Should still set arg error only once. */
4569 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4571 /* Does the illegal arg callback actually change the behavior? */
4572 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
4573 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4575 CHECK(ecount2 == 10);
4576 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4577 /* Try a bunch of prefabbed points with all possible encodings. */
4578 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
4579 ec_pubkey_parse_pointtest(valid[i], 1, 1);
4581 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
4582 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
4584 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
4585 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
4589 void run_eckey_edge_case_test(void) {
4590 const unsigned char orderc[32] = {
4591 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4592 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4593 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4594 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
4596 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
4597 unsigned char ctmp[33];
4598 unsigned char ctmp2[33];
4599 secp256k1_pubkey pubkey;
4600 secp256k1_pubkey pubkey2;
4601 secp256k1_pubkey pubkey_one;
4602 secp256k1_pubkey pubkey_negone;
4603 const secp256k1_pubkey *pubkeys[3];
4606 /* Group order is too large, reject. */
4607 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4608 VG_UNDEF(&pubkey, sizeof(pubkey));
4609 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4610 VG_CHECK(&pubkey, sizeof(pubkey));
4611 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4612 /* Maximum value is too large, reject. */
4613 memset(ctmp, 255, 32);
4614 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4615 memset(&pubkey, 1, sizeof(pubkey));
4616 VG_UNDEF(&pubkey, sizeof(pubkey));
4617 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4618 VG_CHECK(&pubkey, sizeof(pubkey));
4619 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4620 /* Zero is too small, reject. */
4621 memset(ctmp, 0, 32);
4622 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4623 memset(&pubkey, 1, sizeof(pubkey));
4624 VG_UNDEF(&pubkey, sizeof(pubkey));
4625 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4626 VG_CHECK(&pubkey, sizeof(pubkey));
4627 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4628 /* One must be accepted. */
4630 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4631 memset(&pubkey, 0, sizeof(pubkey));
4632 VG_UNDEF(&pubkey, sizeof(pubkey));
4633 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4634 VG_CHECK(&pubkey, sizeof(pubkey));
4635 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4636 pubkey_one = pubkey;
4637 /* Group order + 1 is too large, reject. */
4638 memcpy(ctmp, orderc, 32);
4640 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4641 memset(&pubkey, 1, sizeof(pubkey));
4642 VG_UNDEF(&pubkey, sizeof(pubkey));
4643 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4644 VG_CHECK(&pubkey, sizeof(pubkey));
4645 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4646 /* -1 must be accepted. */
4648 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4649 memset(&pubkey, 0, sizeof(pubkey));
4650 VG_UNDEF(&pubkey, sizeof(pubkey));
4651 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4652 VG_CHECK(&pubkey, sizeof(pubkey));
4653 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4654 pubkey_negone = pubkey;
4655 /* Tweak of zero leaves the value unchanged. */
4656 memset(ctmp2, 0, 32);
4657 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4658 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4659 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4660 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4661 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4662 /* Multiply tweak of zero zeroizes the output. */
4663 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4664 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4665 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4666 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4667 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4668 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4669 seckey, the seckey is zeroized. */
4670 memcpy(ctmp, orderc, 32);
4671 memset(ctmp2, 0, 32);
4673 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4674 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4675 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4676 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4677 memcpy(ctmp, orderc, 32);
4678 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4679 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4680 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4681 tweak, the seckey is zeroized. */
4682 memcpy(ctmp, orderc, 32);
4684 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4685 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4686 memcpy(ctmp, orderc, 32);
4688 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
4689 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4690 memcpy(ctmp, orderc, 32);
4692 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4693 tweak, the pubkey is zeroized. */
4694 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4695 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4696 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4697 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4698 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4699 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4700 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4701 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4702 * case the pubkey is zeroized. */
4703 memcpy(ctmp, orderc, 32);
4705 memset(ctmp2, 0, 32);
4707 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
4708 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
4710 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4711 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4712 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4713 /* Tweak computation wraps and results in a key of 1. */
4715 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
4716 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4718 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4720 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4721 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4722 /* Tweak mul * 2 = 1+1. */
4723 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4725 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4726 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4727 /* Test argument errors. */
4729 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4731 /* Zeroize pubkey on parse error. */
4732 memset(&pubkey, 0, 32);
4733 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4735 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4736 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4737 memset(&pubkey2, 0, 32);
4738 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4740 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4741 /* Plain argument errors. */
4743 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4745 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4748 memset(ctmp2, 0, 32);
4750 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4752 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4755 memset(ctmp2, 0, 32);
4757 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4759 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4762 memset(ctmp2, 0, 32);
4763 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
4765 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
4768 memset(ctmp2, 0, 32);
4770 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
4772 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
4775 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4777 memset(&pubkey, 1, sizeof(pubkey));
4778 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4780 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4781 /* secp256k1_ec_pubkey_combine tests. */
4783 pubkeys[0] = &pubkey_one;
4784 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4785 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4786 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4787 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4788 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4789 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4790 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4791 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4793 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4794 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4796 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4797 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4798 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4799 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4800 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4802 pubkeys[0] = &pubkey_negone;
4803 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4804 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4805 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4806 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4807 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4810 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4811 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4812 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4813 /* Result is infinity. */
4814 pubkeys[0] = &pubkey_one;
4815 pubkeys[1] = &pubkey_negone;
4816 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4817 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4818 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4819 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4820 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4822 /* Passes through infinity but comes out one. */
4823 pubkeys[2] = &pubkey_one;
4824 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4825 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4826 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4827 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4828 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4831 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4832 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4833 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4835 pubkeys[1] = &pubkey_one;
4836 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4837 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4838 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4839 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4840 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4842 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4845 void run_eckey_negate_test(void) {
4846 unsigned char seckey[32];
4847 unsigned char seckey_tmp[32];
4849 random_scalar_order_b32(seckey);
4850 memcpy(seckey_tmp, seckey, 32);
4852 /* Verify negation changes the key and changes it back */
4853 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4854 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
4855 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4856 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4858 /* Check that privkey alias gives same result */
4859 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4860 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
4861 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4863 /* Negating all 0s fails */
4864 memset(seckey, 0, 32);
4865 memset(seckey_tmp, 0, 32);
4866 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4867 /* Check that seckey is not modified */
4868 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4870 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
4871 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
4872 * doesn't just set seckey to a constant value in case of failure. */
4873 random_scalar_order_b32(seckey);
4874 memset(seckey, 0xFF, 16);
4875 memset(seckey_tmp, 0, 32);
4876 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4877 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4880 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4881 secp256k1_scalar nonce;
4883 random_scalar_order_test(&nonce);
4884 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4887 void test_ecdsa_sign_verify(void) {
4890 secp256k1_scalar one;
4891 secp256k1_scalar msg, key;
4892 secp256k1_scalar sigr, sigs;
4895 random_scalar_order_test(&msg);
4896 random_scalar_order_test(&key);
4897 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4898 secp256k1_ge_set_gej(&pub, &pubj);
4899 getrec = secp256k1_testrand_bits(1);
4900 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4902 CHECK(recid >= 0 && recid < 4);
4904 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4905 secp256k1_scalar_set_int(&one, 1);
4906 secp256k1_scalar_add(&msg, &msg, &one);
4907 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4910 void run_ecdsa_sign_verify(void) {
4912 for (i = 0; i < 10*count; i++) {
4913 test_ecdsa_sign_verify();
4917 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
4918 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4922 memcpy(nonce32, data, 32);
4923 return (counter == 0);
4926 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4927 /* Dummy nonce generator that has a fatal error on the first counter value. */
4931 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4934 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4935 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4937 memset(nonce32, counter==0 ? 0 : 255, 32);
4944 static const unsigned char order[] = {
4945 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4946 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4947 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4948 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4950 memcpy(nonce32, order, 32);
4956 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4957 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4961 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4964 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4965 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4966 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4969 void test_ecdsa_end_to_end(void) {
4970 unsigned char extra[32] = {0x00};
4971 unsigned char privkey[32];
4972 unsigned char message[32];
4973 unsigned char privkey2[32];
4974 secp256k1_ecdsa_signature signature[6];
4975 secp256k1_scalar r, s;
4976 unsigned char sig[74];
4978 unsigned char pubkeyc[65];
4979 size_t pubkeyclen = 65;
4980 secp256k1_pubkey pubkey;
4981 secp256k1_pubkey pubkey_tmp;
4982 unsigned char seckey[300];
4983 size_t seckeylen = 300;
4985 /* Generate a random key and message. */
4987 secp256k1_scalar msg, key;
4988 random_scalar_order_test(&msg);
4989 random_scalar_order_test(&key);
4990 secp256k1_scalar_get_b32(privkey, &key);
4991 secp256k1_scalar_get_b32(message, &msg);
4994 /* Construct and verify corresponding public key. */
4995 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4996 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4998 /* Verify exporting and importing public key. */
4999 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
5000 memset(&pubkey, 0, sizeof(pubkey));
5001 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
5003 /* Verify negation changes the key and changes it back */
5004 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
5005 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
5006 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
5007 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
5008 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
5010 /* Verify private key import and export. */
5011 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
5012 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
5013 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
5015 /* Optionally tweak the keys using addition. */
5016 if (secp256k1_testrand_int(3) == 0) {
5020 unsigned char rnd[32];
5021 unsigned char privkey_tmp[32];
5022 secp256k1_pubkey pubkey2;
5023 secp256k1_testrand256_test(rnd);
5024 memcpy(privkey_tmp, privkey, 32);
5025 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
5026 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
5027 /* Check that privkey alias gives same result */
5028 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
5029 CHECK(ret1 == ret2);
5030 CHECK(ret2 == ret3);
5034 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
5035 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
5036 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5039 /* Optionally tweak the keys using multiplication. */
5040 if (secp256k1_testrand_int(3) == 0) {
5044 unsigned char rnd[32];
5045 unsigned char privkey_tmp[32];
5046 secp256k1_pubkey pubkey2;
5047 secp256k1_testrand256_test(rnd);
5048 memcpy(privkey_tmp, privkey, 32);
5049 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
5050 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
5051 /* Check that privkey alias gives same result */
5052 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
5053 CHECK(ret1 == ret2);
5054 CHECK(ret2 == ret3);
5058 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
5059 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
5060 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5064 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
5065 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
5066 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
5068 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
5071 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
5072 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
5073 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
5074 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
5075 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
5076 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
5077 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
5078 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
5080 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
5081 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
5082 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
5083 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
5084 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
5085 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
5086 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
5087 secp256k1_scalar_negate(&s, &s);
5088 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
5089 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
5090 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5091 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
5092 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5093 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
5094 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
5095 secp256k1_scalar_negate(&s, &s);
5096 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
5097 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5098 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
5099 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
5101 /* Serialize/parse DER and verify again */
5102 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
5103 memset(&signature[0], 0, sizeof(signature[0]));
5104 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
5105 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
5106 /* Serialize/destroy/parse DER and verify again. */
5108 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
5109 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
5110 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
5111 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
5114 void test_random_pubkeys(void) {
5117 unsigned char in[65];
5118 /* Generate some randomly sized pubkeys. */
5119 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
5120 if (secp256k1_testrand_bits(2) == 0) {
5121 len = secp256k1_testrand_bits(6);
5124 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
5126 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
5128 if (secp256k1_testrand_bits(3) == 0) {
5129 in[0] = secp256k1_testrand_bits(8);
5132 secp256k1_testrand256(&in[1]);
5135 secp256k1_testrand256(&in[33]);
5137 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
5138 unsigned char out[65];
5139 unsigned char firstb;
5143 /* If the pubkey can be parsed, it should round-trip... */
5144 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
5146 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
5147 /* ... except for the type of hybrid inputs. */
5148 if ((in[0] != 6) && (in[0] != 7)) {
5149 CHECK(in[0] == out[0]);
5152 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
5154 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
5155 ge_equals_ge(&elem,&elem2);
5156 /* Check that the X9.62 hybrid type is checked. */
5157 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
5158 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
5159 if (firstb == 2 || firstb == 3) {
5160 if (in[0] == firstb + 4) {
5167 ge_equals_ge(&elem,&elem2);
5168 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
5169 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
5174 void run_random_pubkeys(void) {
5176 for (i = 0; i < 10*count; i++) {
5177 test_random_pubkeys();
5181 void run_ecdsa_end_to_end(void) {
5183 for (i = 0; i < 64*count; i++) {
5184 test_ecdsa_end_to_end();
5188 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
5189 static const unsigned char zeroes[32] = {0};
5190 #ifdef ENABLE_OPENSSL_TESTS
5191 static const unsigned char max_scalar[32] = {
5192 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5193 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5194 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5195 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
5201 secp256k1_ecdsa_signature sig_der;
5202 unsigned char roundtrip_der[2048];
5203 unsigned char compact_der[64];
5204 size_t len_der = 2048;
5205 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
5207 secp256k1_ecdsa_signature sig_der_lax;
5208 unsigned char roundtrip_der_lax[2048];
5209 unsigned char compact_der_lax[64];
5210 size_t len_der_lax = 2048;
5211 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
5213 #ifdef ENABLE_OPENSSL_TESTS
5214 ECDSA_SIG *sig_openssl;
5215 const BIGNUM *r = NULL, *s = NULL;
5216 const unsigned char *sigptr;
5217 unsigned char roundtrip_openssl[2048];
5218 int len_openssl = 2048;
5219 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
5222 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
5224 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
5225 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
5228 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
5229 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
5232 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
5233 if (parsed_der_lax) {
5234 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
5235 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
5237 if (valid_der_lax) {
5238 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
5239 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
5242 if (certainly_der) {
5243 ret |= (!parsed_der) << 2;
5245 if (certainly_not_der) {
5246 ret |= (parsed_der) << 17;
5249 ret |= (!roundtrips_der) << 3;
5253 ret |= (!roundtrips_der_lax) << 12;
5254 ret |= (len_der != len_der_lax) << 13;
5255 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
5257 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
5259 ret |= (!parsed_der_lax) << 16;
5262 #ifdef ENABLE_OPENSSL_TESTS
5263 sig_openssl = ECDSA_SIG_new();
5265 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
5266 if (parsed_openssl) {
5267 ECDSA_SIG_get0(sig_openssl, &r, &s);
5268 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
5269 if (valid_openssl) {
5270 unsigned char tmp[32] = {0};
5271 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
5272 valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
5274 if (valid_openssl) {
5275 unsigned char tmp[32] = {0};
5276 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
5277 valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
5280 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
5281 if (len_openssl <= 2048) {
5282 unsigned char *ptr = roundtrip_openssl;
5283 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
5284 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (secp256k1_memcmp_var(roundtrip_openssl, sig, siglen) == 0);
5288 ECDSA_SIG_free(sig_openssl);
5290 ret |= (parsed_der && !parsed_openssl) << 4;
5291 ret |= (valid_der && !valid_openssl) << 5;
5292 ret |= (roundtrips_openssl && !parsed_der) << 6;
5293 ret |= (roundtrips_der != roundtrips_openssl) << 7;
5294 if (roundtrips_openssl) {
5295 ret |= (len_der != (size_t)len_openssl) << 8;
5296 ret |= ((len_der != (size_t)len_openssl) || (secp256k1_memcmp_var(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
5302 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
5304 for (i = 0; i < ptrlen; i++) {
5305 int shift = ptrlen - 1 - i;
5309 ptr[i] = (val >> shift) & 0xFF;
5314 static void damage_array(unsigned char *sig, size_t *len) {
5316 int action = secp256k1_testrand_bits(3);
5317 if (action < 1 && *len > 3) {
5318 /* Delete a byte. */
5319 pos = secp256k1_testrand_int(*len);
5320 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
5323 } else if (action < 2 && *len < 2048) {
5324 /* Insert a byte. */
5325 pos = secp256k1_testrand_int(1 + *len);
5326 memmove(sig + pos + 1, sig + pos, *len - pos);
5327 sig[pos] = secp256k1_testrand_bits(8);
5330 } else if (action < 4) {
5331 /* Modify a byte. */
5332 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
5334 } else { /* action < 8 */
5336 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
5341 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
5343 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
5344 size_t tlen, elen, glen;
5349 der = secp256k1_testrand_bits(2) == 0;
5350 *certainly_der = der;
5351 *certainly_not_der = 0;
5352 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
5354 for (n = 0; n < 2; n++) {
5355 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
5356 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
5357 /* The length of the number in bytes (the first byte of which will always be nonzero) */
5358 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_int(8) / 8;
5359 CHECK(nlen[n] <= 232);
5360 /* The top bit of the number. */
5361 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
5362 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
5363 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
5364 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
5365 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_int(8) / 8);
5366 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
5367 *certainly_not_der = 1;
5369 CHECK(nlen[n] + nzlen[n] <= 300);
5370 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
5371 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
5373 /* nlenlen[n] max 127 bytes */
5374 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
5377 *certainly_not_der = 1;
5380 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
5383 /* The total length of the data to go, so far */
5384 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
5387 /* The length of the garbage inside the tuple. */
5388 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_int(8) / 8;
5390 *certainly_not_der = 1;
5395 /* The length of the garbage after the end of the tuple. */
5396 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_int(8) / 8;
5398 *certainly_not_der = 1;
5400 CHECK(tlen + glen <= 990);
5402 /* Write the tuple header. */
5403 sig[(*len)++] = 0x30;
5405 /* Indeterminate length */
5406 sig[(*len)++] = 0x80;
5407 *certainly_not_der = 1;
5409 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
5411 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
5414 *certainly_not_der = 1;
5418 /* Short length notation */
5419 sig[(*len)++] = tlen;
5421 /* Long length notation */
5422 sig[(*len)++] = 128 + tlenlen;
5423 assign_big_endian(sig + *len, tlenlen, tlen);
5429 CHECK(tlen + glen <= 1119);
5431 for (n = 0; n < 2; n++) {
5432 /* Write the integer header. */
5433 sig[(*len)++] = 0x02;
5434 if (nlenlen[n] == 0) {
5435 /* Short length notation */
5436 sig[(*len)++] = nlen[n] + nzlen[n];
5438 /* Long length notation. */
5439 sig[(*len)++] = 128 + nlenlen[n];
5440 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
5443 /* Write zero padding */
5444 while (nzlen[n] > 0) {
5445 sig[(*len)++] = 0x00;
5448 if (nlen[n] == 32 && !nlow[n]) {
5449 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
5451 for (i = 0; i < 16; i++) {
5452 sig[(*len)++] = 0xFF;
5456 /* Write first byte of number */
5458 sig[(*len)++] = nhbyte[n];
5461 /* Generate remaining random bytes of number */
5462 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
5467 /* Generate random garbage inside tuple. */
5468 secp256k1_testrand_bytes_test(sig + *len, elen);
5471 /* Generate end-of-contents bytes. */
5477 CHECK(tlen + glen <= 1121);
5479 /* Generate random garbage outside tuple. */
5480 secp256k1_testrand_bytes_test(sig + *len, glen);
5483 CHECK(tlen <= 1121);
5484 CHECK(tlen == *len);
5487 void run_ecdsa_der_parse(void) {
5489 for (i = 0; i < 200 * count; i++) {
5490 unsigned char buffer[2048];
5492 int certainly_der = 0;
5493 int certainly_not_der = 0;
5494 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5495 CHECK(buflen <= 2048);
5496 for (j = 0; j < 16; j++) {
5499 damage_array(buffer, &buflen);
5500 /* We don't know anything anymore about the DERness of the result */
5502 certainly_not_der = 0;
5504 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
5507 fprintf(stderr, "Failure %x on ", ret);
5508 for (k = 0; k < buflen; k++) {
5509 fprintf(stderr, "%02x ", buffer[k]);
5511 fprintf(stderr, "\n");
5518 /* Tests several edge cases. */
5519 void test_ecdsa_edge_cases(void) {
5521 secp256k1_ecdsa_signature sig;
5523 /* Test the case where ECDSA recomputes a point that is infinity. */
5527 secp256k1_scalar msg;
5528 secp256k1_scalar sr, ss;
5529 secp256k1_scalar_set_int(&ss, 1);
5530 secp256k1_scalar_negate(&ss, &ss);
5531 secp256k1_scalar_inverse(&ss, &ss);
5532 secp256k1_scalar_set_int(&sr, 1);
5533 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
5534 secp256k1_ge_set_gej(&key, &keyj);
5536 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5539 /* Verify signature with r of zero fails. */
5541 const unsigned char pubkey_mods_zero[33] = {
5542 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5543 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5544 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5545 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5549 secp256k1_scalar msg;
5550 secp256k1_scalar sr, ss;
5551 secp256k1_scalar_set_int(&ss, 1);
5552 secp256k1_scalar_set_int(&msg, 0);
5553 secp256k1_scalar_set_int(&sr, 0);
5554 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
5555 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5558 /* Verify signature with s of zero fails. */
5560 const unsigned char pubkey[33] = {
5561 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5562 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5563 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5568 secp256k1_scalar msg;
5569 secp256k1_scalar sr, ss;
5570 secp256k1_scalar_set_int(&ss, 0);
5571 secp256k1_scalar_set_int(&msg, 0);
5572 secp256k1_scalar_set_int(&sr, 1);
5573 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5574 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5577 /* Verify signature with message 0 passes. */
5579 const unsigned char pubkey[33] = {
5580 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5581 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5582 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5586 const unsigned char pubkey2[33] = {
5587 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5588 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5589 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5590 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5595 secp256k1_scalar msg;
5596 secp256k1_scalar sr, ss;
5597 secp256k1_scalar_set_int(&ss, 2);
5598 secp256k1_scalar_set_int(&msg, 0);
5599 secp256k1_scalar_set_int(&sr, 2);
5600 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5601 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5602 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5603 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5604 secp256k1_scalar_negate(&ss, &ss);
5605 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5606 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5607 secp256k1_scalar_set_int(&ss, 1);
5608 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5609 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5612 /* Verify signature with message 1 passes. */
5614 const unsigned char pubkey[33] = {
5615 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
5616 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
5617 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
5618 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
5621 const unsigned char pubkey2[33] = {
5622 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
5623 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
5624 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
5625 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
5628 const unsigned char csr[32] = {
5629 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5630 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5631 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5632 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
5636 secp256k1_scalar msg;
5637 secp256k1_scalar sr, ss;
5638 secp256k1_scalar_set_int(&ss, 1);
5639 secp256k1_scalar_set_int(&msg, 1);
5640 secp256k1_scalar_set_b32(&sr, csr, NULL);
5641 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5642 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5643 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5644 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5645 secp256k1_scalar_negate(&ss, &ss);
5646 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5647 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5648 secp256k1_scalar_set_int(&ss, 2);
5649 secp256k1_scalar_inverse_var(&ss, &ss);
5650 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5651 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5654 /* Verify signature with message -1 passes. */
5656 const unsigned char pubkey[33] = {
5657 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5658 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5659 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5660 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5663 const unsigned char csr[32] = {
5664 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5665 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5666 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5667 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5670 secp256k1_scalar msg;
5671 secp256k1_scalar sr, ss;
5672 secp256k1_scalar_set_int(&ss, 1);
5673 secp256k1_scalar_set_int(&msg, 1);
5674 secp256k1_scalar_negate(&msg, &msg);
5675 secp256k1_scalar_set_b32(&sr, csr, NULL);
5676 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5677 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5678 secp256k1_scalar_negate(&ss, &ss);
5679 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5680 secp256k1_scalar_set_int(&ss, 3);
5681 secp256k1_scalar_inverse_var(&ss, &ss);
5682 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5685 /* Signature where s would be zero. */
5687 secp256k1_pubkey pubkey;
5690 unsigned char signature[72];
5691 static const unsigned char nonce[32] = {
5692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5693 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5694 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5697 static const unsigned char nonce2[32] = {
5698 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5699 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5700 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5701 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
5703 const unsigned char key[32] = {
5704 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5709 unsigned char msg[32] = {
5710 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
5711 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
5712 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
5713 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
5716 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5717 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
5718 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
5720 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
5722 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
5724 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
5726 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
5728 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
5729 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
5730 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
5732 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
5734 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
5736 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5738 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5740 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
5741 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
5744 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5746 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5747 CHECK(ecount == 10);
5748 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5749 CHECK(ecount == 11);
5750 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5751 CHECK(ecount == 11);
5752 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
5753 CHECK(ecount == 12);
5754 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
5755 CHECK(ecount == 13);
5756 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
5757 CHECK(ecount == 13);
5759 /* Too little room for a signature does not fail via ARGCHECK. */
5760 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5761 CHECK(ecount == 13);
5763 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
5765 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
5767 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
5769 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
5771 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
5773 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
5775 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
5777 memset(signature, 255, 64);
5778 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
5780 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5783 /* Nonce function corner cases. */
5784 for (t = 0; t < 2; t++) {
5785 static const unsigned char zero[32] = {0x00};
5787 unsigned char key[32];
5788 unsigned char msg[32];
5789 secp256k1_ecdsa_signature sig2;
5790 secp256k1_scalar sr[512], ss;
5791 const unsigned char *extra;
5792 extra = t == 0 ? NULL : zero;
5795 /* High key results in signature failure. */
5796 memset(key, 0xFF, 32);
5797 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5798 CHECK(is_empty_signature(&sig));
5799 /* Zero key results in signature failure. */
5801 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5802 CHECK(is_empty_signature(&sig));
5803 /* Nonce function failure results in signature failure. */
5805 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
5806 CHECK(is_empty_signature(&sig));
5807 /* The retry loop successfully makes its way to the first good value. */
5808 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
5809 CHECK(!is_empty_signature(&sig));
5810 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
5811 CHECK(!is_empty_signature(&sig2));
5812 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5813 /* The default nonce function is deterministic. */
5814 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5815 CHECK(!is_empty_signature(&sig2));
5816 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5817 /* The default nonce function changes output with different messages. */
5818 for(i = 0; i < 256; i++) {
5821 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5822 CHECK(!is_empty_signature(&sig2));
5823 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5824 for (j = 0; j < i; j++) {
5825 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5830 /* The default nonce function changes output with different keys. */
5831 for(i = 256; i < 512; i++) {
5834 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5835 CHECK(!is_empty_signature(&sig2));
5836 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5837 for (j = 0; j < i; j++) {
5838 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5845 /* Check that optional nonce arguments do not have equivalent effect. */
5846 const unsigned char zeros[32] = {0};
5847 unsigned char nonce[32];
5848 unsigned char nonce2[32];
5849 unsigned char nonce3[32];
5850 unsigned char nonce4[32];
5852 VG_UNDEF(nonce2,32);
5853 VG_UNDEF(nonce3,32);
5854 VG_UNDEF(nonce4,32);
5855 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5857 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5858 VG_CHECK(nonce2,32);
5859 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5860 VG_CHECK(nonce3,32);
5861 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5862 VG_CHECK(nonce4,32);
5863 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
5864 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
5865 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
5866 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
5867 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
5868 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
5872 /* Privkey export where pubkey is the point at infinity. */
5874 unsigned char privkey[300];
5875 unsigned char seckey[32] = {
5876 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5877 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5878 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5879 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5881 size_t outlen = 300;
5882 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5884 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5888 void run_ecdsa_edge_cases(void) {
5889 test_ecdsa_edge_cases();
5892 #ifdef ENABLE_OPENSSL_TESTS
5893 EC_KEY *get_openssl_key(const unsigned char *key32) {
5894 unsigned char privkey[300];
5896 const unsigned char* pbegin = privkey;
5897 int compr = secp256k1_testrand_bits(1);
5898 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
5899 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
5900 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5901 CHECK(EC_KEY_check_key(ec_key));
5905 void test_ecdsa_openssl(void) {
5908 secp256k1_scalar sigr, sigs;
5909 secp256k1_scalar one;
5910 secp256k1_scalar msg2;
5911 secp256k1_scalar key, msg;
5913 unsigned int sigsize = 80;
5914 size_t secp_sigsize = 80;
5915 unsigned char message[32];
5916 unsigned char signature[80];
5917 unsigned char key32[32];
5918 secp256k1_testrand256_test(message);
5919 secp256k1_scalar_set_b32(&msg, message, NULL);
5920 random_scalar_order_test(&key);
5921 secp256k1_scalar_get_b32(key32, &key);
5922 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
5923 secp256k1_ge_set_gej(&q, &qj);
5924 ec_key = get_openssl_key(key32);
5925 CHECK(ec_key != NULL);
5926 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
5927 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5928 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
5929 secp256k1_scalar_set_int(&one, 1);
5930 secp256k1_scalar_add(&msg2, &msg, &one);
5931 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
5933 random_sign(&sigr, &sigs, &key, &msg, NULL);
5934 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
5935 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
5937 EC_KEY_free(ec_key);
5940 void run_ecdsa_openssl(void) {
5942 for (i = 0; i < 10*count; i++) {
5943 test_ecdsa_openssl();
5948 #ifdef ENABLE_MODULE_ECDH
5949 # include "modules/ecdh/tests_impl.h"
5952 #ifdef ENABLE_MODULE_RECOVERY
5953 # include "modules/recovery/tests_impl.h"
5956 #ifdef ENABLE_MODULE_EXTRAKEYS
5957 # include "modules/extrakeys/tests_impl.h"
5960 #ifdef ENABLE_MODULE_SCHNORRSIG
5961 # include "modules/schnorrsig/tests_impl.h"
5964 void run_secp256k1_memczero_test(void) {
5965 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
5966 unsigned char buf2[sizeof(buf1)];
5968 /* secp256k1_memczero(..., ..., 0) is a noop. */
5969 memcpy(buf2, buf1, sizeof(buf1));
5970 secp256k1_memczero(buf1, sizeof(buf1), 0);
5971 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5973 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
5974 memset(buf2, 0, sizeof(buf2));
5975 secp256k1_memczero(buf1, sizeof(buf1) , 1);
5976 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5979 void int_cmov_test(void) {
5983 secp256k1_int_cmov(&r, &a, 0);
5984 CHECK(r == INT_MAX);
5987 secp256k1_int_cmov(&r, &a, 1);
5988 CHECK(r == INT_MAX);
5991 secp256k1_int_cmov(&r, &a, 1);
5995 secp256k1_int_cmov(&r, &a, 1);
5999 secp256k1_int_cmov(&r, &a, 0);
6004 void fe_cmov_test(void) {
6005 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6006 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6007 static const secp256k1_fe max = SECP256K1_FE_CONST(
6008 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6009 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6011 secp256k1_fe r = max;
6012 secp256k1_fe a = zero;
6014 secp256k1_fe_cmov(&r, &a, 0);
6015 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6018 secp256k1_fe_cmov(&r, &a, 1);
6019 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6022 secp256k1_fe_cmov(&r, &a, 1);
6023 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6026 secp256k1_fe_cmov(&r, &a, 1);
6027 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6030 secp256k1_fe_cmov(&r, &a, 0);
6031 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6034 void fe_storage_cmov_test(void) {
6035 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6036 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6037 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
6038 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6039 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6041 secp256k1_fe_storage r = max;
6042 secp256k1_fe_storage a = zero;
6044 secp256k1_fe_storage_cmov(&r, &a, 0);
6045 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6048 secp256k1_fe_storage_cmov(&r, &a, 1);
6049 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6052 secp256k1_fe_storage_cmov(&r, &a, 1);
6053 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6056 secp256k1_fe_storage_cmov(&r, &a, 1);
6057 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6060 secp256k1_fe_storage_cmov(&r, &a, 0);
6061 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6064 void scalar_cmov_test(void) {
6065 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6066 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6067 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
6068 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6069 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6071 secp256k1_scalar r = max;
6072 secp256k1_scalar a = zero;
6074 secp256k1_scalar_cmov(&r, &a, 0);
6075 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6078 secp256k1_scalar_cmov(&r, &a, 1);
6079 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6082 secp256k1_scalar_cmov(&r, &a, 1);
6083 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6086 secp256k1_scalar_cmov(&r, &a, 1);
6087 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6090 secp256k1_scalar_cmov(&r, &a, 0);
6091 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6094 void ge_storage_cmov_test(void) {
6095 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
6096 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
6097 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
6098 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6099 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6100 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6101 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6103 secp256k1_ge_storage r = max;
6104 secp256k1_ge_storage a = zero;
6106 secp256k1_ge_storage_cmov(&r, &a, 0);
6107 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6110 secp256k1_ge_storage_cmov(&r, &a, 1);
6111 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6114 secp256k1_ge_storage_cmov(&r, &a, 1);
6115 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6118 secp256k1_ge_storage_cmov(&r, &a, 1);
6119 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6122 secp256k1_ge_storage_cmov(&r, &a, 0);
6123 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6126 void run_cmov_tests(void) {
6129 fe_storage_cmov_test();
6131 ge_storage_cmov_test();
6134 int main(int argc, char **argv) {
6135 /* Disable buffering for stdout to improve reliability of getting
6136 * diagnostic information. Happens right at the start of main because
6137 * setbuf must be used before any other operation on the stream. */
6138 setbuf(stdout, NULL);
6139 /* Also disable buffering for stderr because it's not guaranteed that it's
6140 * unbuffered on all systems. */
6141 setbuf(stderr, NULL);
6143 /* find iteration count */
6145 count = strtol(argv[1], NULL, 0);
6147 const char* env = getenv("SECP256K1_TEST_ITERS");
6149 count = strtol(env, NULL, 0);
6153 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
6154 return EXIT_FAILURE;
6156 printf("test count = %i\n", count);
6158 /* find random seed */
6159 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
6162 run_context_tests(0);
6163 run_context_tests(1);
6164 run_scratch_tests();
6165 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
6166 if (secp256k1_testrand_bits(1)) {
6167 unsigned char rand32[32];
6168 secp256k1_testrand256(rand32);
6169 CHECK(secp256k1_context_randomize(ctx, secp256k1_testrand_bits(1) ? rand32 : NULL));
6177 run_inverse_tests();
6180 run_hmac_sha256_tests();
6181 run_rfc6979_hmac_sha256_tests();
6183 #ifndef USE_NUM_NONE
6185 run_num_smalltests();
6193 run_field_convert();
6199 run_group_decompress();
6203 run_point_times_order();
6204 run_ecmult_near_split_bound();
6206 run_ecmult_constants();
6207 run_ecmult_gen_blind();
6208 run_ecmult_const_tests();
6209 run_ecmult_multi_tests();
6212 /* endomorphism tests */
6213 run_endomorphism_tests();
6215 /* EC point parser test */
6216 run_ec_pubkey_parse_test();
6218 /* EC key edge cases */
6219 run_eckey_edge_case_test();
6221 /* EC key arithmetic test */
6222 run_eckey_negate_test();
6224 #ifdef ENABLE_MODULE_ECDH
6230 run_random_pubkeys();
6231 run_ecdsa_der_parse();
6232 run_ecdsa_sign_verify();
6233 run_ecdsa_end_to_end();
6234 run_ecdsa_edge_cases();
6235 #ifdef ENABLE_OPENSSL_TESTS
6236 run_ecdsa_openssl();
6239 #ifdef ENABLE_MODULE_RECOVERY
6240 /* ECDSA pubkey recovery tests */
6241 run_recovery_tests();
6244 #ifdef ENABLE_MODULE_EXTRAKEYS
6245 run_extrakeys_tests();
6248 #ifdef ENABLE_MODULE_SCHNORRSIG
6249 run_schnorrsig_tests();
6253 run_secp256k1_memczero_test();
6257 secp256k1_testrand_finish();
6260 secp256k1_context_destroy(ctx);
6262 printf("no problems found\n");
projects / secp256k1.git / blob