1 /***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "../include/secp256k1.h"
19 #include "../include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
23 #ifdef ENABLE_OPENSSL_TESTS
24 #include <openssl/bn.h>
25 #include <openssl/ec.h>
26 #include <openssl/ecdsa.h>
27 #include <openssl/obj_mac.h>
28 # if OPENSSL_VERSION_NUMBER < 0x10100000L
29 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
33 #include "../contrib/lax_der_parsing.c"
34 #include "../contrib/lax_der_privatekey_parsing.c"
36 #include "modinv32_impl.h"
37 #ifdef SECP256K1_WIDEMUL_INT128
38 #include "modinv64_impl.h"
41 static int count = 64;
42 static secp256k1_context *ctx = NULL;
44 static void counting_illegal_callback_fn(const char* str, void* data) {
45 /* Dummy callback function that just counts. */
52 static void uncounting_illegal_callback_fn(const char* str, void* data) {
53 /* Dummy callback function that just counts (backwards). */
60 void random_field_element_test(secp256k1_fe *fe) {
62 unsigned char b32[32];
63 secp256k1_testrand256_test(b32);
64 if (secp256k1_fe_set_b32(fe, b32)) {
70 void random_field_element_magnitude(secp256k1_fe *fe) {
72 int n = secp256k1_testrand_int(9);
73 secp256k1_fe_normalize(fe);
77 secp256k1_fe_clear(&zero);
78 secp256k1_fe_negate(&zero, &zero, 0);
79 secp256k1_fe_mul_int(&zero, n - 1);
80 secp256k1_fe_add(fe, &zero);
82 CHECK(fe->magnitude == n);
86 void random_group_element_test(secp256k1_ge *ge) {
89 random_field_element_test(&fe);
90 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
91 secp256k1_fe_normalize(&ge->y);
98 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
101 random_field_element_test(&gej->z);
102 if (!secp256k1_fe_is_zero(&gej->z)) {
106 secp256k1_fe_sqr(&z2, &gej->z);
107 secp256k1_fe_mul(&z3, &z2, &gej->z);
108 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
109 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
110 gej->infinity = ge->infinity;
113 void random_scalar_order_test(secp256k1_scalar *num) {
115 unsigned char b32[32];
117 secp256k1_testrand256_test(b32);
118 secp256k1_scalar_set_b32(num, b32, &overflow);
119 if (overflow || secp256k1_scalar_is_zero(num)) {
126 void random_scalar_order(secp256k1_scalar *num) {
128 unsigned char b32[32];
130 secp256k1_testrand256(b32);
131 secp256k1_scalar_set_b32(num, b32, &overflow);
132 if (overflow || secp256k1_scalar_is_zero(num)) {
139 void random_scalar_order_b32(unsigned char *b32) {
140 secp256k1_scalar num;
141 random_scalar_order(&num);
142 secp256k1_scalar_get_b32(b32, &num);
145 void run_context_tests(int use_prealloc) {
146 secp256k1_pubkey pubkey;
147 secp256k1_pubkey zero_pubkey;
148 secp256k1_ecdsa_signature sig;
149 unsigned char ctmp[32];
152 secp256k1_context *none;
153 secp256k1_context *sign;
154 secp256k1_context *vrfy;
155 secp256k1_context *both;
156 void *none_prealloc = NULL;
157 void *sign_prealloc = NULL;
158 void *vrfy_prealloc = NULL;
159 void *both_prealloc = NULL;
163 secp256k1_scalar msg, key, nonce;
164 secp256k1_scalar sigr, sigs;
167 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
168 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
169 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
170 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
171 CHECK(none_prealloc != NULL);
172 CHECK(sign_prealloc != NULL);
173 CHECK(vrfy_prealloc != NULL);
174 CHECK(both_prealloc != NULL);
175 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
176 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
177 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
178 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
180 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
181 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
182 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
183 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
186 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
190 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
191 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
192 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
193 secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
194 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
195 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
197 /* check if sizes for cloning are consistent */
198 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
199 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
200 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
201 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
203 /*** clone and destroy all of them to make sure cloning was complete ***/
205 secp256k1_context *ctx_tmp;
208 /* clone into a non-preallocated context and then again into a new preallocated one. */
209 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
210 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
211 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
213 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
214 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
215 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
217 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
218 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
219 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
221 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
222 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
223 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
225 /* clone into a preallocated context and then again into a new non-preallocated one. */
228 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
229 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
230 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
233 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
234 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
235 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
238 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
239 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
240 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
243 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
244 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
245 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
250 /* Verify that the error callback makes it across the clone. */
251 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
252 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
253 /* And that it resets back to default. */
254 secp256k1_context_set_error_callback(sign, NULL, NULL);
255 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
257 /*** attempt to use them ***/
258 random_scalar_order_test(&msg);
259 random_scalar_order_test(&key);
260 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
261 secp256k1_ge_set_gej(&pub, &pubj);
263 /* Verify context-type checking illegal-argument errors. */
265 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
267 VG_UNDEF(&pubkey, sizeof(pubkey));
268 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
269 VG_CHECK(&pubkey, sizeof(pubkey));
270 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
272 VG_UNDEF(&sig, sizeof(sig));
273 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
274 VG_CHECK(&sig, sizeof(sig));
275 CHECK(ecount2 == 10);
276 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
277 CHECK(ecount2 == 11);
278 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
280 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
281 CHECK(ecount2 == 12);
282 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
284 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
285 CHECK(ecount2 == 13);
286 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
288 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
290 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
291 CHECK(ecount2 == 14);
292 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
294 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
296 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
298 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
300 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
301 CHECK(ecount2 == 14);
302 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
303 CHECK(ecount2 == 14);
304 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
305 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
307 /* obtain a working nonce */
309 random_scalar_order_test(&nonce);
310 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
313 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
314 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
317 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
318 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
322 secp256k1_context_preallocated_destroy(none);
323 secp256k1_context_preallocated_destroy(sign);
324 secp256k1_context_preallocated_destroy(vrfy);
325 secp256k1_context_preallocated_destroy(both);
331 secp256k1_context_destroy(none);
332 secp256k1_context_destroy(sign);
333 secp256k1_context_destroy(vrfy);
334 secp256k1_context_destroy(both);
336 /* Defined as no-op. */
337 secp256k1_context_destroy(NULL);
338 secp256k1_context_preallocated_destroy(NULL);
342 void run_scratch_tests(void) {
343 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
348 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
349 secp256k1_scratch_space *scratch;
350 secp256k1_scratch_space local_scratch;
352 /* Test public API */
353 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
354 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
356 scratch = secp256k1_scratch_space_create(none, 1000);
357 CHECK(scratch != NULL);
360 /* Test internal API */
361 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
362 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
363 CHECK(scratch->alloc_size == 0);
364 CHECK(scratch->alloc_size % ALIGNMENT == 0);
366 /* Allocating 500 bytes succeeds */
367 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
368 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
369 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
370 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
371 CHECK(scratch->alloc_size != 0);
372 CHECK(scratch->alloc_size % ALIGNMENT == 0);
374 /* Allocating another 501 bytes fails */
375 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
376 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
377 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
378 CHECK(scratch->alloc_size != 0);
379 CHECK(scratch->alloc_size % ALIGNMENT == 0);
381 /* ...but it succeeds once we apply the checkpoint to undo it */
382 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
383 CHECK(scratch->alloc_size == 0);
384 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
385 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
386 CHECK(scratch->alloc_size != 0);
388 /* try to apply a bad checkpoint */
389 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
390 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
392 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
394 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
397 /* try to use badly initialized scratch space */
398 secp256k1_scratch_space_destroy(none, scratch);
399 memset(&local_scratch, 0, sizeof(local_scratch));
400 scratch = &local_scratch;
401 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
403 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
405 secp256k1_scratch_space_destroy(none, scratch);
408 /* Test that large integers do not wrap around in a bad way */
409 scratch = secp256k1_scratch_space_create(none, 1000);
410 /* Try max allocation with a large number of objects. Only makes sense if
411 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
413 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
414 /* Try allocating SIZE_MAX to test wrap around which only happens if
415 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
416 * space is too small. */
417 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
418 secp256k1_scratch_space_destroy(none, scratch);
421 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
422 secp256k1_context_destroy(none);
425 void run_ctz_tests(void) {
426 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
427 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
430 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
431 for (shift = 0; shift < 32; ++shift) {
432 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
433 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
436 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
437 for (shift = 0; shift < 64; ++shift) {
438 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
439 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
444 /***** HASH TESTS *****/
446 void run_sha256_tests(void) {
447 static const char *inputs[8] = {
448 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
449 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
450 "For this sample, this 63-byte string will be used as input data",
451 "This is exactly 64 bytes long, not counting the terminating byte"
453 static const unsigned char outputs[8][32] = {
454 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
455 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
456 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
457 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
458 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
459 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
460 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
461 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
464 for (i = 0; i < 8; i++) {
465 unsigned char out[32];
466 secp256k1_sha256 hasher;
467 secp256k1_sha256_initialize(&hasher);
468 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
469 secp256k1_sha256_finalize(&hasher, out);
470 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
471 if (strlen(inputs[i]) > 0) {
472 int split = secp256k1_testrand_int(strlen(inputs[i]));
473 secp256k1_sha256_initialize(&hasher);
474 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
475 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
476 secp256k1_sha256_finalize(&hasher, out);
477 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
482 void run_hmac_sha256_tests(void) {
483 static const char *keys[6] = {
484 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
486 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
487 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
488 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
489 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
491 static const char *inputs[6] = {
492 "\x48\x69\x20\x54\x68\x65\x72\x65",
493 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
494 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
495 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
496 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
497 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
499 static const unsigned char outputs[6][32] = {
500 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
501 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
502 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
503 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
504 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
505 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
508 for (i = 0; i < 6; i++) {
509 secp256k1_hmac_sha256 hasher;
510 unsigned char out[32];
511 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
512 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
513 secp256k1_hmac_sha256_finalize(&hasher, out);
514 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
515 if (strlen(inputs[i]) > 0) {
516 int split = secp256k1_testrand_int(strlen(inputs[i]));
517 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
518 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
519 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
520 secp256k1_hmac_sha256_finalize(&hasher, out);
521 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
526 void run_rfc6979_hmac_sha256_tests(void) {
527 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
528 static const unsigned char out1[3][32] = {
529 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
530 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
531 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
534 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
535 static const unsigned char out2[3][32] = {
536 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
537 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
538 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
541 secp256k1_rfc6979_hmac_sha256 rng;
542 unsigned char out[32];
545 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
546 for (i = 0; i < 3; i++) {
547 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
548 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
550 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
552 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
553 for (i = 0; i < 3; i++) {
554 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
555 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
557 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
559 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
560 for (i = 0; i < 3; i++) {
561 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
562 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
564 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
567 /***** RANDOM TESTS *****/
569 void test_rand_bits(int rand32, int bits) {
570 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
571 * get a false negative chance below once in a billion */
572 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
573 /* We try multiplying the results with various odd numbers, which shouldn't
574 * influence the uniform distribution modulo a power of 2. */
575 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
576 /* We only select up to 6 bits from the output to analyse */
577 unsigned int usebits = bits > 6 ? 6 : bits;
578 unsigned int maxshift = bits - usebits;
579 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
580 number, track all observed outcomes, one per bit in a uint64_t. */
581 uint64_t x[6][27] = {{0}};
582 unsigned int i, shift, m;
583 /* Multiply the output of all rand calls with the odd number m, which
584 should not change the uniformity of its distribution. */
585 for (i = 0; i < rounds[usebits]; i++) {
586 uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
587 CHECK((((uint64_t)r) >> bits) == 0);
588 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
589 uint32_t rm = r * mults[m];
590 for (shift = 0; shift <= maxshift; shift++) {
591 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
595 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
596 for (shift = 0; shift <= maxshift; shift++) {
597 /* Test that the lower usebits bits of x[shift] are 1 */
598 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
603 /* Subrange must be a whole divisor of range, and at most 64 */
604 void test_rand_int(uint32_t range, uint32_t subrange) {
605 /* (1-1/subrange)^rounds < 1/10^9 */
606 int rounds = (subrange * 2073) / 100;
609 CHECK((range % subrange) == 0);
610 for (i = 0; i < rounds; i++) {
611 uint32_t r = secp256k1_testrand_int(range);
614 x |= (((uint64_t)1) << r);
616 /* Test that the lower subrange bits of x are 1. */
617 CHECK(((~x) << (64 - subrange)) == 0);
620 void run_rand_bits(void) {
622 test_rand_bits(1, 32);
623 for (b = 1; b <= 32; b++) {
624 test_rand_bits(0, b);
628 void run_rand_int(void) {
629 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
630 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
632 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
633 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
634 test_rand_int(ms[m] * ss[s], ss[s]);
639 /***** MODINV TESTS *****/
641 /* Compute the modular inverse of (odd) x mod 2^64. */
642 uint64_t modinv2p64(uint64_t x) {
643 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
644 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
645 * why. Start with L=0, for which it is true for every odd x that
646 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
650 for (l = 0; l < 6; ++l) w *= (2 - w*x);
654 /* compute out = (a*b) mod m; if b=NULL, treat b=1.
656 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
657 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
658 void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
666 /* Compute the product of a and b, and put it in mul. */
667 for (i = 0; i < 32; ++i) {
668 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
669 c += (uint64_t)a[j] * b[i - j];
676 /* compute the highest set bit in mul */
677 for (i = 511; i >= 0; --i) {
678 if ((mul[i >> 4] >> (i & 15)) & 1) {
684 /* if b==NULL, set mul=a. */
686 memset(mul + 16, 0, 32);
687 /* compute the highest set bit in mul */
688 for (i = 255; i >= 0; --i) {
689 if ((mul[i >> 4] >> (i & 15)) & 1) {
696 /* Compute the highest set bit in m. */
697 for (i = 255; i >= 0; --i) {
698 if ((m[i >> 4] >> (i & 15)) & 1) {
704 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
705 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
709 /* Compute mul2 = mul - m<<i. */
710 cs = 0; /* accumulator */
711 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
712 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
715 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
716 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
717 if (bitpos >= 0 && bitpos < 256) {
718 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
721 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
724 mul2[j] = (cs & 0xFFFF);
727 /* If remainder of subtraction is 0, set mul = mul2. */
729 memcpy(mul, mul2, sizeof(mul));
732 /* Sanity check: test that all limbs higher than m's highest are zero */
733 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
736 memcpy(out, mul, 32);
739 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
740 void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
742 memset(out->v, 0, sizeof(out->v));
743 for (i = 0; i < 256; ++i) {
744 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
748 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
749 void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
752 for (i = 0; i < 256; ++i) {
753 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
757 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
758 void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
760 for (i = 0; i < 16; ++i) {
761 int pos = secp256k1_testrand_int(8);
762 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
763 x->v[pos] -= 0x40000000;
765 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
766 x->v[pos] += 0x40000000;
772 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
773 void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
775 secp256k1_modinv32_signed30 x;
776 secp256k1_modinv32_modinfo m;
777 int i, vartime, nonzero;
779 uint16_to_signed30(&x, in);
780 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
781 uint16_to_signed30(&m.modulus, mod);
782 mutate_sign_signed30(&m.modulus);
784 /* compute 1/modulus mod 2^30 */
785 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
786 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
788 for (vartime = 0; vartime < 2; ++vartime) {
789 /* compute inverse */
790 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
793 signed30_to_uint16(out, &x);
795 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
796 mulmod256(tmp, out, in, mod);
797 CHECK(tmp[0] == nonzero);
798 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
801 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
803 /* check if the result is equal to the input */
804 signed30_to_uint16(tmp, &x);
805 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
809 #ifdef SECP256K1_WIDEMUL_INT128
810 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
811 void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
813 memset(out->v, 0, sizeof(out->v));
814 for (i = 0; i < 256; ++i) {
815 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
819 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
820 void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
823 for (i = 0; i < 256; ++i) {
824 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
828 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
829 void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
830 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
832 for (i = 0; i < 8; ++i) {
833 int pos = secp256k1_testrand_int(4);
834 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
835 x->v[pos] -= (M62 + 1);
837 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
838 x->v[pos] += (M62 + 1);
844 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
845 void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
846 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
848 secp256k1_modinv64_signed62 x;
849 secp256k1_modinv64_modinfo m;
850 int i, vartime, nonzero;
852 uint16_to_signed62(&x, in);
853 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
854 uint16_to_signed62(&m.modulus, mod);
855 mutate_sign_signed62(&m.modulus);
857 /* compute 1/modulus mod 2^62 */
858 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
859 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
861 for (vartime = 0; vartime < 2; ++vartime) {
862 /* compute inverse */
863 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
866 signed62_to_uint16(out, &x);
868 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
869 mulmod256(tmp, out, in, mod);
870 CHECK(tmp[0] == nonzero);
871 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
874 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
876 /* check if the result is equal to the input */
877 signed62_to_uint16(tmp, &x);
878 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
883 /* test if a and b are coprime */
884 int coprime(const uint16_t* a, const uint16_t* b) {
885 uint16_t x[16], y[16], t[16];
891 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
894 for (i = 0; i < 16; ++i) {
901 mulmod256(t, y, NULL, x);
906 /* return whether y=1 */
907 if (y[0] != 1) return 0;
908 for (i = 1; i < 16; ++i) {
909 if (y[i] != 0) return 0;
914 void run_modinv_tests(void) {
915 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
916 static const uint16_t CASES[][3][16] = {
917 /* Test cases triggering edge cases in divsteps */
919 /* Test case known to need 713 divsteps */
920 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
921 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
922 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
923 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
924 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
925 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
926 /* Test case known to need 589 divsteps, reaching delta=-140 and
928 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
929 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
930 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
931 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
932 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
933 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
934 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
935 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
936 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
937 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
938 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
939 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
940 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
941 /* example needing 713 divsteps; delta=-2..3 */
942 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
943 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
944 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
945 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
946 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
947 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
948 /* example needing 713 divsteps; delta=-2..3 */
949 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
950 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
951 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
952 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
953 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
954 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
955 /* example needing 713 divsteps; delta=-2..3 */
956 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
957 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
958 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
959 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
960 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
961 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
962 /* example reaching delta=-64..65; 661 divsteps */
963 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
964 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
965 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
966 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
967 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
968 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
969 /* example reaching delta=-64..65; 661 divsteps */
970 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
971 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
972 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
973 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
974 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
975 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
976 /* example reaching delta=-64..65; 661 divsteps */
977 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
978 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
979 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
980 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
981 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
982 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
983 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
984 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
985 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
986 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
987 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
988 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
989 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
990 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
991 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
992 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
993 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
994 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
995 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
996 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
997 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
998 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
999 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1000 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1001 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1002 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1003 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1004 /* example doing 446 (f,g/2) steps; 523 divsteps */
1005 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1006 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1007 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1008 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1009 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1010 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1011 /* example doing 446 (f,g/2) steps; 523 divsteps */
1012 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1013 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1014 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1015 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1016 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1017 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1018 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1019 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1020 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1021 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1022 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1023 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1024 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1025 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1026 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1027 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1028 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1029 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1030 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1031 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1032 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1033 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1034 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1035 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1036 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1037 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1038 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1039 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1040 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1041 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1042 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1043 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1044 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1045 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1047 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1049 /* example needing 590 divsteps; delta=-5/2..7/2 */
1050 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1051 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1052 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1053 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1054 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1055 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1056 /* example needing 590 divsteps; delta=-3/2..5/2 */
1057 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1058 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1059 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1060 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1061 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1062 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1063 /* example needing 590 divsteps; delta=-3/2..5/2 */
1064 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1065 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1066 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1067 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1068 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1069 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1070 /* example needing 590 divsteps; delta=-5/2..7/2 */
1071 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1072 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1073 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1074 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1075 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1076 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1077 /* example needing 590 divsteps; delta=-3/2..5/2 */
1078 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1079 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1080 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1081 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1082 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1083 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1084 /* example reaching delta=-127/2..129/2; 571 divsteps */
1085 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1086 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1087 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1088 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1089 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1090 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1091 /* example reaching delta=-127/2..129/2; 571 divsteps */
1092 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1093 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1094 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1095 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1096 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1097 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1098 /* example reaching delta=-127/2..129/2; 571 divsteps */
1099 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1100 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1101 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1102 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1103 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1104 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1105 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1106 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1107 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1108 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1109 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1110 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1111 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1112 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1113 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1114 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1115 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1116 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1117 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1118 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1119 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1120 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1121 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1122 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1123 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1124 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1125 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1126 /* example doing 453 (f,g/2) steps; 514 divsteps */
1127 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1128 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1129 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1130 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1131 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1132 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1133 /* example doing 453 (f,g/2) steps; 514 divsteps */
1134 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1135 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1136 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1137 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1138 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1139 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1140 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1141 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1142 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1143 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1144 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1145 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1146 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1147 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1148 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1149 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1150 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1151 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1152 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1153 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1154 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1155 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1156 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1157 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1158 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1159 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1160 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1161 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1162 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1163 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1164 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1165 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1166 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1167 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1169 /* Test cases with the group order as modulus. */
1171 /* Test case with the group order as modulus, needing 635 divsteps. */
1172 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1173 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1174 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1175 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1176 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1177 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1178 /* example with group size as modulus needing 631 divsteps */
1179 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1180 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1181 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1182 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1183 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1184 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1185 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1186 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1187 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1188 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1189 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1190 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1191 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1192 /* Test case with the group size as modulus, needing 981 divsteps with
1193 broken eta handling. */
1194 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1195 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1196 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1197 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1198 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1199 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1200 /* Test case with the group size as modulus, input = 0. */
1201 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1202 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1203 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1204 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1205 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1206 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1207 /* Test case with the group size as modulus, input = 1. */
1208 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1209 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1210 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1211 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1212 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1213 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1214 /* Test case with the group size as modulus, input = 2. */
1215 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1216 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1217 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1218 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1219 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1220 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1221 /* Test case with the group size as modulus, input = group - 1. */
1222 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1223 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1224 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1225 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1226 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1227 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1229 /* Test cases with the field size as modulus. */
1231 /* Test case with the field size as modulus, needing 637 divsteps. */
1232 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1233 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1234 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1235 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1236 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1237 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1238 /* example with field size as modulus needing 637 divsteps */
1239 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1240 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1241 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1242 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1243 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1244 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1245 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1246 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1247 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1248 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1249 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1250 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1251 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1252 /* Test case with the field size as modulus, needing 935 divsteps with
1253 broken eta handling. */
1254 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1255 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1256 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1257 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1258 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1259 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1260 /* Test case with the field size as modulus, input = 0. */
1261 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1262 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1263 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1264 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1265 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1266 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1267 /* Test case with the field size as modulus, input = 1. */
1268 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1269 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1270 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1271 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1272 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1273 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1274 /* Test case with the field size as modulus, input = 2. */
1275 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1276 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1277 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1278 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1279 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1280 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1281 /* Test case with the field size as modulus, input = field - 1. */
1282 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1283 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1284 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1285 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1286 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1287 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1289 /* Selected from a large number of random inputs to reach small/large
1290 * d/e values in various configurations. */
1291 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1292 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1293 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1294 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1295 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1296 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1297 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1298 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1299 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1300 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1301 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1302 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1303 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1304 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1305 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1306 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1307 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1308 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1309 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1310 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1311 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1312 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1313 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1314 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1315 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1316 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1317 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1318 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1319 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1320 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1321 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1322 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1323 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1324 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1325 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1326 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1327 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1328 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1329 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1330 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1331 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1332 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1333 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1334 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1335 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1336 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1337 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1338 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1339 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1340 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1341 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1342 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1343 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1344 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1345 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1346 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1347 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1348 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1349 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1350 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1351 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1352 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1353 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1354 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1355 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1356 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1357 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1358 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1359 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1360 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1361 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1362 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1363 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1364 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1365 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1366 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1367 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1368 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1369 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1370 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1371 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1372 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1373 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1374 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1375 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1376 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1377 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1378 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1379 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1380 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1381 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1382 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1383 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1384 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1385 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1386 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1387 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1388 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1389 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1390 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1391 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1392 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1393 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1394 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1395 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1396 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1397 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1398 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1399 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1400 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1401 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1402 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1403 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1404 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1405 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1406 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1407 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1408 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1409 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1410 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1411 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1412 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1413 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1414 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1415 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1416 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1417 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1418 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1419 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1420 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1421 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1422 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1423 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1424 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1425 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1426 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1427 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1428 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1429 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1430 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1431 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1432 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1433 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1434 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1435 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1436 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1437 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1438 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1439 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1440 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1441 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1442 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1443 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1444 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1445 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1446 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1447 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1448 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1449 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1450 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1451 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1452 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1453 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1454 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1455 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1456 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1457 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1458 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1459 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1460 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1461 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1462 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1463 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1464 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1465 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1466 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1467 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1468 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1469 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1470 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1471 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1472 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1473 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1474 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1475 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1476 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1477 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1478 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1479 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1480 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1481 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1482 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1483 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1484 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1485 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1486 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1487 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1488 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1489 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1490 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1491 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1492 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1493 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1494 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1495 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1496 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1497 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1498 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1499 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1500 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1505 /* Test known inputs/outputs */
1506 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1508 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1509 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1510 #ifdef SECP256K1_WIDEMUL_INT128
1511 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1512 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1516 for (i = 0; i < 100 * count; ++i) {
1517 /* 256-bit numbers in 16-uint16_t's notation */
1518 static const uint16_t ZERO[16] = {0};
1519 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1520 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1521 uint16_t id[16]; /* the inverse of xd mod md */
1523 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1525 /* generate random xd and md (with many subsequent 0s and 1s) */
1526 secp256k1_testrand256_test((unsigned char*)xd);
1527 secp256k1_testrand256_test((unsigned char*)md);
1528 md[0] |= 1; /* modulus must be odd */
1529 /* If modulus is 1, find another one. */
1531 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1532 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1533 } while (!(ok && coprime(xd, md)));
1535 test_modinv32_uint16(id, xd, md);
1536 #ifdef SECP256K1_WIDEMUL_INT128
1537 test_modinv64_uint16(id, xd, md);
1540 /* In a few cases, also test with input=0 */
1542 test_modinv32_uint16(id, ZERO, md);
1543 #ifdef SECP256K1_WIDEMUL_INT128
1544 test_modinv64_uint16(id, ZERO, md);
1550 /***** SCALAR TESTS *****/
1553 void scalar_test(void) {
1555 secp256k1_scalar s1;
1556 secp256k1_scalar s2;
1557 unsigned char c[32];
1559 /* Set 's' to a random scalar, with value 'snum'. */
1560 random_scalar_order_test(&s);
1562 /* Set 's1' to a random scalar, with value 's1num'. */
1563 random_scalar_order_test(&s1);
1565 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1566 random_scalar_order_test(&s2);
1567 secp256k1_scalar_get_b32(c, &s2);
1571 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1573 secp256k1_scalar_set_int(&n, 0);
1574 for (i = 0; i < 256; i += 4) {
1577 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1578 for (j = 0; j < 4; j++) {
1579 secp256k1_scalar_add(&n, &n, &n);
1581 secp256k1_scalar_add(&n, &n, &t);
1583 CHECK(secp256k1_scalar_eq(&n, &s));
1587 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1590 secp256k1_scalar_set_int(&n, 0);
1594 int now = secp256k1_testrand_int(15) + 1;
1595 if (now + i > 256) {
1598 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1599 for (j = 0; j < now; j++) {
1600 secp256k1_scalar_add(&n, &n, &n);
1602 secp256k1_scalar_add(&n, &n, &t);
1605 CHECK(secp256k1_scalar_eq(&n, &s));
1609 /* test secp256k1_scalar_shr_int */
1612 random_scalar_order_test(&r);
1613 for (i = 0; i < 100; ++i) {
1615 int shift = 1 + secp256k1_testrand_int(15);
1616 int expected = r.d[0] % (1 << shift);
1617 low = secp256k1_scalar_shr_int(&r, shift);
1618 CHECK(expected == low);
1623 /* Test commutativity of add. */
1624 secp256k1_scalar r1, r2;
1625 secp256k1_scalar_add(&r1, &s1, &s2);
1626 secp256k1_scalar_add(&r2, &s2, &s1);
1627 CHECK(secp256k1_scalar_eq(&r1, &r2));
1631 secp256k1_scalar r1, r2;
1635 int bit = secp256k1_testrand_bits(8);
1636 secp256k1_scalar_set_int(&b, 1);
1637 CHECK(secp256k1_scalar_is_one(&b));
1638 for (i = 0; i < bit; i++) {
1639 secp256k1_scalar_add(&b, &b, &b);
1643 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1644 /* No overflow happened. */
1645 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1646 CHECK(secp256k1_scalar_eq(&r1, &r2));
1647 /* cadd is a noop when flag is zero */
1648 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1649 CHECK(secp256k1_scalar_eq(&r1, &r2));
1654 /* Test commutativity of mul. */
1655 secp256k1_scalar r1, r2;
1656 secp256k1_scalar_mul(&r1, &s1, &s2);
1657 secp256k1_scalar_mul(&r2, &s2, &s1);
1658 CHECK(secp256k1_scalar_eq(&r1, &r2));
1662 /* Test associativity of add. */
1663 secp256k1_scalar r1, r2;
1664 secp256k1_scalar_add(&r1, &s1, &s2);
1665 secp256k1_scalar_add(&r1, &r1, &s);
1666 secp256k1_scalar_add(&r2, &s2, &s);
1667 secp256k1_scalar_add(&r2, &s1, &r2);
1668 CHECK(secp256k1_scalar_eq(&r1, &r2));
1672 /* Test associativity of mul. */
1673 secp256k1_scalar r1, r2;
1674 secp256k1_scalar_mul(&r1, &s1, &s2);
1675 secp256k1_scalar_mul(&r1, &r1, &s);
1676 secp256k1_scalar_mul(&r2, &s2, &s);
1677 secp256k1_scalar_mul(&r2, &s1, &r2);
1678 CHECK(secp256k1_scalar_eq(&r1, &r2));
1682 /* Test distributitivity of mul over add. */
1683 secp256k1_scalar r1, r2, t;
1684 secp256k1_scalar_add(&r1, &s1, &s2);
1685 secp256k1_scalar_mul(&r1, &r1, &s);
1686 secp256k1_scalar_mul(&r2, &s1, &s);
1687 secp256k1_scalar_mul(&t, &s2, &s);
1688 secp256k1_scalar_add(&r2, &r2, &t);
1689 CHECK(secp256k1_scalar_eq(&r1, &r2));
1693 /* Test multiplicative identity. */
1694 secp256k1_scalar r1, v1;
1695 secp256k1_scalar_set_int(&v1,1);
1696 secp256k1_scalar_mul(&r1, &s1, &v1);
1697 CHECK(secp256k1_scalar_eq(&r1, &s1));
1701 /* Test additive identity. */
1702 secp256k1_scalar r1, v0;
1703 secp256k1_scalar_set_int(&v0,0);
1704 secp256k1_scalar_add(&r1, &s1, &v0);
1705 CHECK(secp256k1_scalar_eq(&r1, &s1));
1709 /* Test zero product property. */
1710 secp256k1_scalar r1, v0;
1711 secp256k1_scalar_set_int(&v0,0);
1712 secp256k1_scalar_mul(&r1, &s1, &v0);
1713 CHECK(secp256k1_scalar_eq(&r1, &v0));
1718 void run_scalar_set_b32_seckey_tests(void) {
1719 unsigned char b32[32];
1720 secp256k1_scalar s1;
1721 secp256k1_scalar s2;
1723 /* Usually set_b32 and set_b32_seckey give the same result */
1724 random_scalar_order_b32(b32);
1725 secp256k1_scalar_set_b32(&s1, b32, NULL);
1726 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1727 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1729 memset(b32, 0, sizeof(b32));
1730 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1731 memset(b32, 0xFF, sizeof(b32));
1732 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1735 void run_scalar_tests(void) {
1737 for (i = 0; i < 128 * count; i++) {
1740 for (i = 0; i < count; i++) {
1741 run_scalar_set_b32_seckey_tests();
1745 /* (-1)+1 should be zero. */
1746 secp256k1_scalar s, o;
1747 secp256k1_scalar_set_int(&s, 1);
1748 CHECK(secp256k1_scalar_is_one(&s));
1749 secp256k1_scalar_negate(&o, &s);
1750 secp256k1_scalar_add(&o, &o, &s);
1751 CHECK(secp256k1_scalar_is_zero(&o));
1752 secp256k1_scalar_negate(&o, &o);
1753 CHECK(secp256k1_scalar_is_zero(&o));
1757 /* Does check_overflow check catch all ones? */
1758 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1759 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1760 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1762 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1766 /* Static test vectors.
1767 * These were reduced from ~10^12 random vectors based on comparison-decision
1768 * and edge-case coverage on 32-bit and 64-bit implementations.
1769 * The responses were generated with Sage 5.9.
1774 secp256k1_scalar zz;
1775 secp256k1_scalar one;
1776 secp256k1_scalar r1;
1777 secp256k1_scalar r2;
1778 secp256k1_scalar zzv;
1780 unsigned char chal[33][2][32] = {
1781 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1782 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1783 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1784 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1785 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1786 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1787 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1788 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1789 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1790 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1791 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1792 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1793 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1794 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1795 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1796 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1797 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1798 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1799 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1800 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1801 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1802 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1803 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1804 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1805 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1806 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1807 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1808 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1809 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1810 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1811 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1812 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1813 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1814 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1815 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1816 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1817 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1818 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1819 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1820 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1821 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1822 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1823 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1824 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1825 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1826 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1827 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1828 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1829 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1830 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1831 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1832 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1833 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1834 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1835 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1836 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1837 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1838 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1839 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1840 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1841 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1842 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1843 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1844 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1845 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1846 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1847 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1848 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1849 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1850 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1851 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1852 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1853 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1854 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1855 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1856 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1857 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1858 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1859 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1860 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1861 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1862 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1863 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1864 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1865 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1866 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1867 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1868 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1869 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1870 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1871 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1872 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1873 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1874 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1875 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1876 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1877 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1878 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1879 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1880 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1881 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1882 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1883 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1884 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1885 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1886 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1887 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1888 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1889 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1890 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1891 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1892 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1893 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1894 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1895 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1896 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1897 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1898 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1899 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1900 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1901 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1902 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1903 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1904 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1905 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1906 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1907 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1908 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1909 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1910 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1911 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1912 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1913 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1914 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1915 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1916 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1917 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1918 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1919 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1920 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1921 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1922 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1923 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1924 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1925 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1926 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1927 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1928 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1929 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1930 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1931 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1932 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1933 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1934 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1935 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1936 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1937 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1938 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1939 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1940 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1941 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1942 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1943 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1944 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1945 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1946 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1947 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1948 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1949 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1950 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1951 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1952 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1953 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1954 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1955 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1956 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1957 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1958 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1959 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1960 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1961 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1962 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1963 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1964 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1965 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1966 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1967 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1968 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1969 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1970 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1971 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1972 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1973 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1974 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1975 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1976 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1977 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1978 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1979 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1980 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1981 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1982 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1983 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1984 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1985 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1986 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1987 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1988 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1989 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1990 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1991 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1992 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1993 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1994 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1995 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1996 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1997 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1998 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1999 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2000 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2001 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2002 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2003 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2004 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2005 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2006 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2007 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2008 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2009 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2010 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2011 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2012 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2013 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2014 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2015 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2016 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2017 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2018 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2019 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2020 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2021 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2022 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2023 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2024 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2025 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2026 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2027 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2028 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2029 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2030 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2031 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2032 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2033 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2034 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2035 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2036 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2037 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2038 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2039 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2040 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2041 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2042 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2043 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2044 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2046 unsigned char res[33][2][32] = {
2047 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2048 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2049 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2050 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2051 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2052 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2053 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2054 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2055 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2056 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2057 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2058 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2059 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2060 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2061 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2062 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2063 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2064 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2065 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2066 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2067 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2068 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2069 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2070 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2071 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2072 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2073 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2074 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2075 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2076 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2077 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2078 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2079 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2080 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2081 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2082 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2083 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2084 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2085 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2086 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2087 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2088 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2089 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2090 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2091 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2092 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2093 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2094 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2095 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2096 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2097 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2098 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2099 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2100 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2101 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2102 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2103 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2104 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2105 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2106 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2107 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2108 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2109 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2110 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2111 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2112 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2113 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2114 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2115 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2116 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2117 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2118 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2119 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2120 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2121 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2122 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2123 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2124 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2125 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2126 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2127 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2128 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2129 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2130 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2131 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2132 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2133 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2134 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2135 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2136 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2137 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2138 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2139 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2140 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2141 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2142 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2143 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2144 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2145 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2146 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2147 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2148 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2149 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2150 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2151 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2152 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2153 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2154 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2155 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2156 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2157 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2158 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2159 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2160 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2161 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2162 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2163 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2164 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2165 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2166 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2167 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2168 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2169 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2170 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2171 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2172 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2173 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2174 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2175 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2176 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2177 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2178 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2179 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2180 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2181 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2182 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2183 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2184 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2185 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2186 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2187 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2188 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2189 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2190 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2191 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2192 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2193 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2194 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2195 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2196 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2197 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2198 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2199 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2200 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2201 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2202 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2203 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2204 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2205 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2206 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2207 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2208 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2209 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2210 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2211 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2212 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2213 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2214 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2215 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2216 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2217 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2218 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2219 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2220 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2221 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2223 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2224 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2225 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2226 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2227 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2228 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2229 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2230 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2231 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2232 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2233 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2234 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2235 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2236 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2237 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2238 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2239 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2240 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2241 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2242 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2243 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2244 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2245 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2246 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2247 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2248 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2249 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2250 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2251 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2252 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2253 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2254 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2255 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2256 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2257 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2258 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2259 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2260 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2261 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2262 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2263 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2264 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2265 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2266 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2267 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2268 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2269 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2270 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2271 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2272 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2273 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2274 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2275 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2276 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2277 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2278 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2279 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2280 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2281 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2282 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2283 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2284 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2285 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2286 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2287 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2288 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2289 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2290 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2291 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2292 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2293 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2294 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2295 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2296 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2297 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2298 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2299 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2300 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2301 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2302 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2303 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2304 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2305 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2306 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2307 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2308 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2309 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2310 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2312 secp256k1_scalar_set_int(&one, 1);
2313 for (i = 0; i < 33; i++) {
2314 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2316 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2318 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2320 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2322 secp256k1_scalar_mul(&z, &x, &y);
2323 CHECK(!secp256k1_scalar_check_overflow(&z));
2324 CHECK(secp256k1_scalar_eq(&r1, &z));
2325 if (!secp256k1_scalar_is_zero(&y)) {
2326 secp256k1_scalar_inverse(&zz, &y);
2327 CHECK(!secp256k1_scalar_check_overflow(&zz));
2328 secp256k1_scalar_inverse_var(&zzv, &y);
2329 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2330 secp256k1_scalar_mul(&z, &z, &zz);
2331 CHECK(!secp256k1_scalar_check_overflow(&z));
2332 CHECK(secp256k1_scalar_eq(&x, &z));
2333 secp256k1_scalar_mul(&zz, &zz, &y);
2334 CHECK(!secp256k1_scalar_check_overflow(&zz));
2335 CHECK(secp256k1_scalar_eq(&one, &zz));
2341 /***** FIELD TESTS *****/
2343 void random_fe(secp256k1_fe *x) {
2344 unsigned char bin[32];
2346 secp256k1_testrand256(bin);
2347 if (secp256k1_fe_set_b32(x, bin)) {
2353 void random_fe_test(secp256k1_fe *x) {
2354 unsigned char bin[32];
2356 secp256k1_testrand256_test(bin);
2357 if (secp256k1_fe_set_b32(x, bin)) {
2363 void random_fe_non_zero(secp256k1_fe *nz) {
2365 while (--tries >= 0) {
2367 secp256k1_fe_normalize(nz);
2368 if (!secp256k1_fe_is_zero(nz)) {
2372 /* Infinitesimal probability of spurious failure here */
2376 void random_fe_non_square(secp256k1_fe *ns) {
2378 random_fe_non_zero(ns);
2379 if (secp256k1_fe_sqrt(&r, ns)) {
2380 secp256k1_fe_negate(ns, ns, 1);
2384 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2385 secp256k1_fe an = *a;
2386 secp256k1_fe bn = *b;
2387 secp256k1_fe_normalize_weak(&an);
2388 secp256k1_fe_normalize_var(&bn);
2389 return secp256k1_fe_equal_var(&an, &bn);
2392 void run_field_convert(void) {
2393 static const unsigned char b32[32] = {
2394 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2395 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2396 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2397 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2399 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
2400 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2401 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2403 static const secp256k1_fe fe = SECP256K1_FE_CONST(
2404 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2405 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2408 unsigned char b322[32];
2409 secp256k1_fe_storage fes2;
2410 /* Check conversions to fe. */
2411 CHECK(secp256k1_fe_set_b32(&fe2, b32));
2412 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2413 secp256k1_fe_from_storage(&fe2, &fes);
2414 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2415 /* Check conversion from fe. */
2416 secp256k1_fe_get_b32(b322, &fe);
2417 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2418 secp256k1_fe_to_storage(&fes2, &fe);
2419 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2422 int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
2423 secp256k1_fe t = *b;
2425 t.magnitude = a->magnitude;
2426 t.normalized = a->normalized;
2428 return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
2431 void run_field_misc(void) {
2436 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2438 for (i = 0; i < 5*count; i++) {
2439 secp256k1_fe_storage xs, ys, zs;
2441 random_fe_non_zero(&y);
2442 /* Test the fe equality and comparison operations. */
2443 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
2444 CHECK(secp256k1_fe_equal_var(&x, &x));
2446 secp256k1_fe_add(&z,&y);
2447 /* Test fe conditional move; z is not normalized here. */
2449 secp256k1_fe_cmov(&x, &z, 0);
2451 CHECK(x.normalized && x.magnitude == 1);
2453 secp256k1_fe_cmov(&x, &x, 1);
2454 CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
2455 CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
2456 secp256k1_fe_cmov(&q, &z, 1);
2458 CHECK(!q.normalized && q.magnitude == z.magnitude);
2460 CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
2461 secp256k1_fe_normalize_var(&x);
2462 secp256k1_fe_normalize_var(&z);
2463 CHECK(!secp256k1_fe_equal_var(&x, &z));
2464 secp256k1_fe_normalize_var(&q);
2465 secp256k1_fe_cmov(&q, &z, (i&1));
2467 CHECK(q.normalized && q.magnitude == 1);
2469 for (j = 0; j < 6; j++) {
2470 secp256k1_fe_negate(&z, &z, j+1);
2471 secp256k1_fe_normalize_var(&q);
2472 secp256k1_fe_cmov(&q, &z, (j&1));
2474 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2477 secp256k1_fe_normalize_var(&z);
2478 /* Test storage conversion and conditional moves. */
2479 secp256k1_fe_to_storage(&xs, &x);
2480 secp256k1_fe_to_storage(&ys, &y);
2481 secp256k1_fe_to_storage(&zs, &z);
2482 secp256k1_fe_storage_cmov(&zs, &xs, 0);
2483 secp256k1_fe_storage_cmov(&zs, &zs, 1);
2484 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2485 secp256k1_fe_storage_cmov(&ys, &xs, 1);
2486 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2487 secp256k1_fe_from_storage(&x, &xs);
2488 secp256k1_fe_from_storage(&y, &ys);
2489 secp256k1_fe_from_storage(&z, &zs);
2490 /* Test that mul_int, mul, and add agree. */
2491 secp256k1_fe_add(&y, &x);
2492 secp256k1_fe_add(&y, &x);
2494 secp256k1_fe_mul_int(&z, 3);
2495 CHECK(check_fe_equal(&y, &z));
2496 secp256k1_fe_add(&y, &x);
2497 secp256k1_fe_add(&z, &x);
2498 CHECK(check_fe_equal(&z, &y));
2500 secp256k1_fe_mul_int(&z, 5);
2501 secp256k1_fe_mul(&q, &x, &fe5);
2502 CHECK(check_fe_equal(&z, &q));
2503 secp256k1_fe_negate(&x, &x, 1);
2504 secp256k1_fe_add(&z, &x);
2505 secp256k1_fe_add(&q, &x);
2506 CHECK(check_fe_equal(&y, &z));
2507 CHECK(check_fe_equal(&q, &y));
2511 void run_sqr(void) {
2516 secp256k1_fe_set_int(&x, 1);
2517 secp256k1_fe_negate(&x, &x, 1);
2519 for (i = 1; i <= 512; ++i) {
2520 secp256k1_fe_mul_int(&x, 2);
2521 secp256k1_fe_normalize(&x);
2522 secp256k1_fe_sqr(&s, &x);
2527 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2528 secp256k1_fe r1, r2;
2529 int v = secp256k1_fe_sqrt(&r1, a);
2530 CHECK((v == 0) == (k == NULL));
2533 /* Check that the returned root is +/- the given known answer */
2534 secp256k1_fe_negate(&r2, &r1, 1);
2535 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2536 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2537 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2541 void run_sqrt(void) {
2542 secp256k1_fe ns, x, s, t;
2545 /* Check sqrt(0) is 0 */
2546 secp256k1_fe_set_int(&x, 0);
2547 secp256k1_fe_sqr(&s, &x);
2550 /* Check sqrt of small squares (and their negatives) */
2551 for (i = 1; i <= 100; i++) {
2552 secp256k1_fe_set_int(&x, i);
2553 secp256k1_fe_sqr(&s, &x);
2555 secp256k1_fe_negate(&t, &s, 1);
2556 test_sqrt(&t, NULL);
2559 /* Consistency checks for large random values */
2560 for (i = 0; i < 10; i++) {
2562 random_fe_non_square(&ns);
2563 for (j = 0; j < count; j++) {
2565 secp256k1_fe_sqr(&s, &x);
2567 secp256k1_fe_negate(&t, &s, 1);
2568 test_sqrt(&t, NULL);
2569 secp256k1_fe_mul(&t, &s, &ns);
2570 test_sqrt(&t, NULL);
2575 /***** FIELD/SCALAR INVERSE TESTS *****/
2577 static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
2578 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2579 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2582 static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
2583 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2584 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2587 /* These tests test the following identities:
2589 * for x==0: 1/x == 0
2590 * for x!=0: x*(1/x) == 1
2591 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2594 void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
2596 secp256k1_scalar l, r, t;
2598 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, x); /* l = 1/x */
2600 if (secp256k1_scalar_is_zero(x)) {
2601 CHECK(secp256k1_scalar_is_zero(&l));
2604 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
2605 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
2606 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2607 if (secp256k1_scalar_is_zero(&r)) return;
2608 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&r, &r); /* r = 1/(x-1) */
2609 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2610 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, &l); /* l = 1/(1/x-1) */
2611 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
2612 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2613 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
2616 void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
2618 secp256k1_fe l, r, t;
2620 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
2623 if (secp256k1_fe_normalizes_to_zero_var(&t)) {
2624 CHECK(secp256k1_fe_normalizes_to_zero(&l));
2627 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
2628 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
2629 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
2631 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
2632 if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
2633 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
2634 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
2635 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
2636 secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
2637 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2638 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
2641 void run_inverse_tests(void)
2643 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
2644 static const secp256k1_fe fe_cases[][2] = {
2646 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2647 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2649 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2650 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2652 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
2653 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
2655 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2656 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
2658 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2659 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
2660 /* Input known to need 637 divsteps */
2661 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
2662 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
2663 /* Input known to need 567 divsteps starting with delta=1/2. */
2664 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
2665 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
2666 /* Input known to need 566 divsteps starting with delta=1/2. */
2667 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
2668 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
2669 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
2670 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
2671 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
2672 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
2673 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
2674 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
2675 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
2676 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
2677 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
2678 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
2679 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
2680 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
2681 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
2682 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
2683 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
2684 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
2685 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
2686 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
2687 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
2688 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
2689 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
2690 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
2691 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
2692 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
2693 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
2694 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
2695 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
2696 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
2697 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
2698 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
2699 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
2700 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
2701 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
2702 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
2703 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
2704 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
2705 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
2706 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
2707 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
2708 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
2709 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
2710 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
2711 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
2712 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
2713 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
2714 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
2715 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
2716 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
2717 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
2718 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
2719 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
2720 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
2721 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
2722 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
2723 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
2724 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
2725 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
2726 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
2727 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
2728 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
2729 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
2730 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
2731 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
2732 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
2733 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
2734 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
2735 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
2736 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
2737 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
2738 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
2739 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
2740 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
2741 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
2742 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
2743 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
2744 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
2745 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
2746 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
2748 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
2749 static const secp256k1_scalar scalar_cases[][2] = {
2751 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2752 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2754 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2755 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2757 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
2758 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
2760 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2761 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
2763 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2764 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
2765 /* Input known to need 635 divsteps */
2766 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
2767 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
2768 /* Input known to need 566 divsteps starting with delta=1/2. */
2769 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
2770 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
2771 /* Input known to need 565 divsteps starting with delta=1/2. */
2772 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
2773 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
2774 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
2775 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
2776 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
2777 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
2778 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
2779 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
2780 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
2781 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
2782 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
2783 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
2784 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
2785 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
2786 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
2787 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
2788 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
2789 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
2790 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
2791 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
2792 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
2793 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
2794 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
2795 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
2796 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
2797 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
2798 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
2799 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
2800 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
2801 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
2802 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
2803 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
2804 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
2805 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
2806 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
2807 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
2808 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
2809 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
2810 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
2811 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
2812 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
2813 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
2814 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
2815 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
2816 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
2817 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
2818 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
2819 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
2820 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
2821 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
2822 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
2823 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
2824 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
2825 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
2826 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
2827 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
2828 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
2829 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
2830 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
2831 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
2832 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
2834 int i, var, testrand;
2835 unsigned char b32[32];
2837 secp256k1_scalar x_scalar;
2838 memset(b32, 0, sizeof(b32));
2839 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
2840 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
2841 for (var = 0; var <= 1; ++var) {
2842 test_inverse_field(&x_fe, &fe_cases[i][0], var);
2843 check_fe_equal(&x_fe, &fe_cases[i][1]);
2844 test_inverse_field(&x_fe, &fe_cases[i][1], var);
2845 check_fe_equal(&x_fe, &fe_cases[i][0]);
2848 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
2849 for (var = 0; var <= 1; ++var) {
2850 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
2851 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
2852 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
2853 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
2856 /* Test inputs 0..999 and their respective negations. */
2857 for (i = 0; i < 1000; ++i) {
2859 b32[30] = (i >> 8) & 0xff;
2860 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2861 secp256k1_fe_set_b32(&x_fe, b32);
2862 for (var = 0; var <= 1; ++var) {
2863 test_inverse_scalar(NULL, &x_scalar, var);
2864 test_inverse_field(NULL, &x_fe, var);
2866 secp256k1_scalar_negate(&x_scalar, &x_scalar);
2867 secp256k1_fe_negate(&x_fe, &x_fe, 1);
2868 for (var = 0; var <= 1; ++var) {
2869 test_inverse_scalar(NULL, &x_scalar, var);
2870 test_inverse_field(NULL, &x_fe, var);
2873 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
2874 for (testrand = 0; testrand <= 1; ++testrand) {
2875 for (i = 0; i < 64 * count; ++i) {
2876 (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
2877 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2878 secp256k1_fe_set_b32(&x_fe, b32);
2879 for (var = 0; var <= 1; ++var) {
2880 test_inverse_scalar(NULL, &x_scalar, var);
2881 test_inverse_field(NULL, &x_fe, var);
2887 /***** GROUP TESTS *****/
2889 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2890 CHECK(a->infinity == b->infinity);
2894 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2895 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2898 /* This compares jacobian points including their Z, not just their geometric meaning. */
2899 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2903 ret &= a->infinity == b->infinity;
2904 if (ret && !a->infinity) {
2907 secp256k1_fe_normalize(&a2.x);
2908 secp256k1_fe_normalize(&a2.y);
2909 secp256k1_fe_normalize(&a2.z);
2910 secp256k1_fe_normalize(&b2.x);
2911 secp256k1_fe_normalize(&b2.y);
2912 secp256k1_fe_normalize(&b2.z);
2913 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2914 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2915 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2920 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2922 secp256k1_fe u1, u2, s1, s2;
2923 CHECK(a->infinity == b->infinity);
2927 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2928 secp256k1_fe_sqr(&z2s, &b->z);
2929 secp256k1_fe_mul(&u1, &a->x, &z2s);
2930 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2931 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2932 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2933 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2934 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2937 void test_ge(void) {
2940 /* 25 points are used:
2942 * - for each of four random points p1 p2 p3 p4, we add the point, its
2943 * negation, and then those two again but with randomized Z coordinate.
2944 * - The same is then done for lambda*p1 and lambda^2*p1.
2946 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2947 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2949 secp256k1_fe zfi2, zfi3;
2951 secp256k1_gej_set_infinity(&gej[0]);
2952 secp256k1_ge_clear(&ge[0]);
2953 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2954 for (i = 0; i < runs; i++) {
2957 random_group_element_test(&g);
2958 if (i >= runs - 2) {
2959 secp256k1_ge_mul_lambda(&g, &ge[1]);
2961 if (i >= runs - 1) {
2962 secp256k1_ge_mul_lambda(&g, &g);
2966 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2967 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2968 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2969 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2970 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2971 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2972 for (j = 0; j < 4; j++) {
2973 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2974 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2975 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2976 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2977 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2981 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2983 random_field_element_test(&zf);
2984 } while(secp256k1_fe_is_zero(&zf));
2985 random_field_element_magnitude(&zf);
2986 secp256k1_fe_inv_var(&zfi3, &zf);
2987 secp256k1_fe_sqr(&zfi2, &zfi3);
2988 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2990 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2992 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2993 /* Compute reference result using gej + gej (var). */
2994 secp256k1_gej refj, resj;
2997 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2998 /* Check Z ratio. */
2999 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3000 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3001 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
3003 secp256k1_ge_set_gej_var(&ref, &refj);
3005 /* Test gej + ge with Z ratio result (var). */
3006 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3007 ge_equals_gej(&ref, &resj);
3008 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3009 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3010 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
3013 /* Test gej + ge (var, with additional Z factor). */
3015 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3016 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3017 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3018 random_field_element_magnitude(&ge2_zfi.x);
3019 random_field_element_magnitude(&ge2_zfi.y);
3020 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3021 ge_equals_gej(&ref, &resj);
3024 /* Test gej + ge (const). */
3026 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3027 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3028 ge_equals_gej(&ref, &resj);
3031 /* Test doubling (var). */
3032 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3034 /* Normal doubling with Z ratio result. */
3035 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3036 ge_equals_gej(&ref, &resj);
3037 /* Check Z ratio. */
3038 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3039 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
3040 /* Normal doubling. */
3041 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3042 ge_equals_gej(&ref, &resj);
3043 /* Constant-time doubling. */
3044 secp256k1_gej_double(&resj, &gej[i2]);
3045 ge_equals_gej(&ref, &resj);
3048 /* Test adding opposites. */
3049 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3050 CHECK(secp256k1_ge_is_infinity(&ref));
3053 /* Test adding infinity. */
3055 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3056 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3057 ge_equals_gej(&ref, &gej[i2]);
3060 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3061 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3062 ge_equals_gej(&ref, &gej[i1]);
3067 /* Test adding all points together in random order equals infinity. */
3069 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
3070 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3071 for (i = 0; i < 4 * runs + 1; i++) {
3072 gej_shuffled[i] = gej[i];
3074 for (i = 0; i < 4 * runs + 1; i++) {
3075 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3077 secp256k1_gej t = gej_shuffled[i];
3078 gej_shuffled[i] = gej_shuffled[swap];
3079 gej_shuffled[swap] = t;
3082 for (i = 0; i < 4 * runs + 1; i++) {
3083 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3085 CHECK(secp256k1_gej_is_infinity(&sum));
3089 /* Test batch gej -> ge conversion without known z ratios. */
3091 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3092 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3093 for (i = 0; i < 4 * runs + 1; i++) {
3095 random_fe_non_zero(&s);
3096 secp256k1_gej_rescale(&gej[i], &s);
3097 ge_equals_gej(&ge_set_all[i], &gej[i]);
3102 /* Test batch gej -> ge conversion with many infinities. */
3103 for (i = 0; i < 4 * runs + 1; i++) {
3105 random_group_element_test(&ge[i]);
3106 odd = secp256k1_fe_is_odd(&ge[i].x);
3107 CHECK(odd == 0 || odd == 1);
3108 /* randomly set half the points to infinity */
3110 secp256k1_ge_set_infinity(&ge[i]);
3112 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3115 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3117 for (i = 0; i < 4 * runs + 1; i++) {
3118 ge_equals_gej(&ge[i], &gej[i]);
3121 /* Test batch gej -> ge conversion with all infinities. */
3122 for (i = 0; i < 4 * runs + 1; i++) {
3123 secp256k1_gej_set_infinity(&gej[i]);
3126 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3128 for (i = 0; i < 4 * runs + 1; i++) {
3129 CHECK(secp256k1_ge_is_infinity(&ge[i]));
3137 void test_intialized_inf(void) {
3139 secp256k1_gej pj, npj, infj1, infj2, infj3;
3142 /* Test that adding P+(-P) results in a fully initalized infinity*/
3143 random_group_element_test(&p);
3144 secp256k1_gej_set_ge(&pj, &p);
3145 secp256k1_gej_neg(&npj, &pj);
3147 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3148 CHECK(secp256k1_gej_is_infinity(&infj1));
3149 CHECK(secp256k1_fe_is_zero(&infj1.x));
3150 CHECK(secp256k1_fe_is_zero(&infj1.y));
3151 CHECK(secp256k1_fe_is_zero(&infj1.z));
3153 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3154 CHECK(secp256k1_gej_is_infinity(&infj2));
3155 CHECK(secp256k1_fe_is_zero(&infj2.x));
3156 CHECK(secp256k1_fe_is_zero(&infj2.y));
3157 CHECK(secp256k1_fe_is_zero(&infj2.z));
3159 secp256k1_fe_set_int(&zinv, 1);
3160 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3161 CHECK(secp256k1_gej_is_infinity(&infj3));
3162 CHECK(secp256k1_fe_is_zero(&infj3.x));
3163 CHECK(secp256k1_fe_is_zero(&infj3.y));
3164 CHECK(secp256k1_fe_is_zero(&infj3.z));
3169 void test_add_neg_y_diff_x(void) {
3170 /* The point of this test is to check that we can add two points
3171 * whose y-coordinates are negatives of each other but whose x
3172 * coordinates differ. If the x-coordinates were the same, these
3173 * points would be negatives of each other and their sum is
3174 * infinity. This is cool because it "covers up" any degeneracy
3175 * in the addition algorithm that would cause the xy coordinates
3176 * of the sum to be wrong (since infinity has no xy coordinates).
3177 * HOWEVER, if the x-coordinates are different, infinity is the
3178 * wrong answer, and such degeneracies are exposed. This is the
3179 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3180 * which this test is a regression test for.
3182 * These points were generated in sage as
3183 * # secp256k1 params
3184 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3185 * C = EllipticCurve ([F (0), F (7)])
3186 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3187 * N = FiniteField(G.order())
3189 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
3191 * lam = (1 - x^3).roots()[1][0]
3193 * # random "bad pair"
3194 * P = C.random_element()
3196 * print " P: %x %x" % P.xy()
3197 * print " Q: %x %x" % Q.xy()
3198 * print "P + Q: %x %x" % (P + Q).xy()
3200 secp256k1_gej aj = SECP256K1_GEJ_CONST(
3201 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3202 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3203 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3204 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3206 secp256k1_gej bj = SECP256K1_GEJ_CONST(
3207 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3208 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3209 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3210 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3212 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
3213 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3214 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3215 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3216 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3221 secp256k1_ge_set_gej(&b, &bj);
3223 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
3224 secp256k1_ge_set_gej(&res, &resj);
3225 ge_equals_gej(&res, &sumj);
3227 secp256k1_gej_add_ge(&resj, &aj, &b);
3228 secp256k1_ge_set_gej(&res, &resj);
3229 ge_equals_gej(&res, &sumj);
3231 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
3232 secp256k1_ge_set_gej(&res, &resj);
3233 ge_equals_gej(&res, &sumj);
3238 for (i = 0; i < count * 32; i++) {
3241 test_add_neg_y_diff_x();
3242 test_intialized_inf();
3245 void test_ec_combine(void) {
3246 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3247 secp256k1_pubkey data[6];
3248 const secp256k1_pubkey* d[6];
3249 secp256k1_pubkey sd;
3250 secp256k1_pubkey sd2;
3254 for (i = 1; i <= 6; i++) {
3256 random_scalar_order_test(&s);
3257 secp256k1_scalar_add(&sum, &sum, &s);
3258 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
3259 secp256k1_ge_set_gej(&Q, &Qj);
3260 secp256k1_pubkey_save(&data[i - 1], &Q);
3261 d[i - 1] = &data[i - 1];
3262 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
3263 secp256k1_ge_set_gej(&Q, &Qj);
3264 secp256k1_pubkey_save(&sd, &Q);
3265 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
3266 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
3270 void run_ec_combine(void) {
3272 for (i = 0; i < count * 8; i++) {
3277 void test_group_decompress(const secp256k1_fe* x) {
3278 /* The input itself, normalized. */
3279 secp256k1_fe fex = *x;
3280 /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
3281 secp256k1_ge ge_even, ge_odd;
3282 /* Return values of the above calls. */
3283 int res_even, res_odd;
3285 secp256k1_fe_normalize_var(&fex);
3287 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
3288 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
3290 CHECK(res_even == res_odd);
3293 secp256k1_fe_normalize_var(&ge_odd.x);
3294 secp256k1_fe_normalize_var(&ge_even.x);
3295 secp256k1_fe_normalize_var(&ge_odd.y);
3296 secp256k1_fe_normalize_var(&ge_even.y);
3298 /* No infinity allowed. */
3299 CHECK(!ge_even.infinity);
3300 CHECK(!ge_odd.infinity);
3302 /* Check that the x coordinates check out. */
3303 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
3304 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
3306 /* Check odd/even Y in ge_odd, ge_even. */
3307 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
3308 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
3312 void run_group_decompress(void) {
3314 for (i = 0; i < count * 4; i++) {
3316 random_fe_test(&fe);
3317 test_group_decompress(&fe);
3321 /***** ECMULT TESTS *****/
3323 void run_ecmult_chain(void) {
3324 /* random starting point A (on the curve) */
3325 secp256k1_gej a = SECP256K1_GEJ_CONST(
3326 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
3327 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
3328 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
3329 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
3331 /* two random initial factors xn and gn */
3332 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
3333 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
3334 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
3336 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
3337 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
3338 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
3340 /* two small multipliers to be applied to xn and gn in every iteration: */
3341 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
3342 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
3343 /* accumulators with the resulting coefficients to A and G */
3344 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3345 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3351 /* the point being computed */
3353 for (i = 0; i < 200*count; i++) {
3354 /* in each iteration, compute X = xn*X + gn*G; */
3355 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
3356 /* also compute ae and ge: the actual accumulated factors for A and G */
3357 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
3358 secp256k1_scalar_mul(&ae, &ae, &xn);
3359 secp256k1_scalar_mul(&ge, &ge, &xn);
3360 secp256k1_scalar_add(&ge, &ge, &gn);
3361 /* modify xn and gn */
3362 secp256k1_scalar_mul(&xn, &xn, &xf);
3363 secp256k1_scalar_mul(&gn, &gn, &gf);
3367 /* expected result after 19999 iterations */
3368 secp256k1_gej rp = SECP256K1_GEJ_CONST(
3369 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
3370 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
3371 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
3372 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
3375 secp256k1_gej_neg(&rp, &rp);
3376 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
3377 CHECK(secp256k1_gej_is_infinity(&rp));
3380 /* redo the computation, but directly with the resulting ae and ge coefficients: */
3381 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
3382 secp256k1_gej_neg(&x2, &x2);
3383 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
3384 CHECK(secp256k1_gej_is_infinity(&x2));
3387 void test_point_times_order(const secp256k1_gej *point) {
3388 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
3390 secp256k1_scalar nx;
3391 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3392 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3393 secp256k1_gej res1, res2;
3395 unsigned char pub[65];
3397 random_scalar_order_test(&x);
3398 secp256k1_scalar_negate(&nx, &x);
3399 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
3400 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
3401 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
3402 CHECK(secp256k1_gej_is_infinity(&res1));
3403 secp256k1_ge_set_gej(&res3, &res1);
3404 CHECK(secp256k1_ge_is_infinity(&res3));
3405 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
3406 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
3408 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
3409 /* check zero/one edge cases */
3410 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
3411 secp256k1_ge_set_gej(&res3, &res1);
3412 CHECK(secp256k1_ge_is_infinity(&res3));
3413 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
3414 secp256k1_ge_set_gej(&res3, &res1);
3415 ge_equals_gej(&res3, point);
3416 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
3417 secp256k1_ge_set_gej(&res3, &res1);
3418 ge_equals_ge(&res3, &secp256k1_ge_const_g);
3421 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
3423 * They are computed as:
3424 * - For a in [-2, -1, 0, 1, 2]:
3425 * - For b in [-3, -1, 1, 3]:
3426 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
3428 static const secp256k1_scalar scalars_near_split_bounds[20] = {
3429 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
3430 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
3431 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
3432 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
3433 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
3434 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
3435 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
3436 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
3437 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
3438 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
3439 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
3440 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
3441 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
3442 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
3443 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
3444 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
3445 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
3446 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
3447 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
3448 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
3451 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
3452 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
3453 secp256k1_scalar n1, n2;
3455 secp256k1_gej pj, p1j, p2j, ptj;
3456 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3458 /* Generate random n1,n2 such that n1+n2 = -target. */
3459 random_scalar_order_test(&n1);
3460 secp256k1_scalar_add(&n2, &n1, target);
3461 secp256k1_scalar_negate(&n2, &n2);
3463 /* Generate a random input point. */
3465 random_group_element_test(&p);
3466 secp256k1_gej_set_ge(&pj, &p);
3469 /* EC multiplications */
3471 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
3472 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
3473 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
3474 } else if (mode == 1) {
3475 secp256k1_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
3476 secp256k1_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
3477 secp256k1_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
3479 secp256k1_ecmult_const(&p1j, &p, &n1, 256);
3480 secp256k1_ecmult_const(&p2j, &p, &n2, 256);
3481 secp256k1_ecmult_const(&ptj, &p, target, 256);
3484 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
3485 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
3486 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
3487 CHECK(secp256k1_gej_is_infinity(&ptj));
3490 void run_ecmult_near_split_bound(void) {
3493 for (i = 0; i < 4*count; ++i) {
3494 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
3495 test_ecmult_target(&scalars_near_split_bounds[j], 0);
3496 test_ecmult_target(&scalars_near_split_bounds[j], 1);
3497 test_ecmult_target(&scalars_near_split_bounds[j], 2);
3502 void run_point_times_order(void) {
3504 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
3505 static const secp256k1_fe xr = SECP256K1_FE_CONST(
3506 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
3507 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
3509 for (i = 0; i < 500; i++) {
3511 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
3513 CHECK(secp256k1_ge_is_valid_var(&p));
3514 secp256k1_gej_set_ge(&j, &p);
3515 test_point_times_order(&j);
3517 secp256k1_fe_sqr(&x, &x);
3519 secp256k1_fe_normalize_var(&x);
3520 CHECK(secp256k1_fe_equal_var(&x, &xr));
3523 void ecmult_const_random_mult(void) {
3524 /* random starting point A (on the curve) */
3525 secp256k1_ge a = SECP256K1_GE_CONST(
3526 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
3527 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
3528 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
3529 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
3531 /* random initial factor xn */
3532 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
3533 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
3534 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
3536 /* expected xn * A (from sage) */
3537 secp256k1_ge expected_b = SECP256K1_GE_CONST(
3538 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
3539 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
3540 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
3541 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
3544 secp256k1_ecmult_const(&b, &a, &xn, 256);
3546 CHECK(secp256k1_ge_is_valid_var(&a));
3547 ge_equals_gej(&expected_b, &b);
3550 void ecmult_const_commutativity(void) {
3557 random_scalar_order_test(&a);
3558 random_scalar_order_test(&b);
3560 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
3561 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
3562 secp256k1_ge_set_gej(&mid1, &res1);
3563 secp256k1_ge_set_gej(&mid2, &res2);
3564 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
3565 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
3566 secp256k1_ge_set_gej(&mid1, &res1);
3567 secp256k1_ge_set_gej(&mid2, &res2);
3568 ge_equals_ge(&mid1, &mid2);
3571 void ecmult_const_mult_zero_one(void) {
3572 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3573 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3574 secp256k1_scalar negone;
3578 secp256k1_scalar_negate(&negone, &one);
3580 random_group_element_test(&point);
3581 secp256k1_ecmult_const(&res1, &point, &zero, 3);
3582 secp256k1_ge_set_gej(&res2, &res1);
3583 CHECK(secp256k1_ge_is_infinity(&res2));
3584 secp256k1_ecmult_const(&res1, &point, &one, 2);
3585 secp256k1_ge_set_gej(&res2, &res1);
3586 ge_equals_ge(&res2, &point);
3587 secp256k1_ecmult_const(&res1, &point, &negone, 256);
3588 secp256k1_gej_neg(&res1, &res1);
3589 secp256k1_ge_set_gej(&res2, &res1);
3590 ge_equals_ge(&res2, &point);
3593 void ecmult_const_chain_multiply(void) {
3594 /* Check known result (randomly generated test problem from sage) */
3595 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
3596 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
3597 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
3599 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
3600 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
3601 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
3602 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
3603 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
3605 secp256k1_gej point;
3609 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
3610 for (i = 0; i < 100; ++i) {
3612 secp256k1_ge_set_gej(&tmp, &point);
3613 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
3615 secp256k1_ge_set_gej(&res, &point);
3616 ge_equals_gej(&res, &expected_point);
3619 void run_ecmult_const_tests(void) {
3620 ecmult_const_mult_zero_one();
3621 ecmult_const_random_mult();
3622 ecmult_const_commutativity();
3623 ecmult_const_chain_multiply();
3627 secp256k1_scalar *sc;
3629 } ecmult_multi_data;
3631 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3632 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
3633 *sc = data->sc[idx];
3634 *pt = data->pt[idx];
3638 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3646 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
3648 secp256k1_scalar szero;
3649 secp256k1_scalar sc[32];
3650 secp256k1_ge pt[32];
3653 ecmult_multi_data data;
3657 secp256k1_scalar_set_int(&szero, 0);
3659 /* No points to multiply */
3660 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
3662 /* Check 1- and 2-point multiplies against ecmult */
3663 for (ncount = 0; ncount < count; ncount++) {
3666 random_scalar_order(&sc[0]);
3667 random_scalar_order(&sc[1]);
3669 random_group_element_test(&ptg);
3670 secp256k1_gej_set_ge(&ptgj, &ptg);
3672 pt[1] = secp256k1_ge_const_g;
3675 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
3676 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
3677 secp256k1_gej_neg(&r2, &r2);
3678 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3679 CHECK(secp256k1_gej_is_infinity(&r));
3682 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
3683 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
3684 secp256k1_gej_neg(&r2, &r2);
3685 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3686 CHECK(secp256k1_gej_is_infinity(&r));
3688 /* Try to multiply 1 point, but callback returns false */
3689 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
3692 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3693 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
3694 secp256k1_gej_neg(&r2, &r2);
3695 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3696 CHECK(secp256k1_gej_is_infinity(&r));
3698 /* 2-point with G scalar */
3699 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3700 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
3701 secp256k1_gej_neg(&r2, &r2);
3702 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3703 CHECK(secp256k1_gej_is_infinity(&r));
3706 /* Check infinite outputs of various forms */
3707 for (ncount = 0; ncount < count; ncount++) {
3710 size_t sizes[] = { 2, 10, 32 };
3712 for (j = 0; j < 3; j++) {
3713 for (i = 0; i < 32; i++) {
3714 random_scalar_order(&sc[i]);
3715 secp256k1_ge_set_infinity(&pt[i]);
3717 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3718 CHECK(secp256k1_gej_is_infinity(&r));
3721 for (j = 0; j < 3; j++) {
3722 for (i = 0; i < 32; i++) {
3723 random_group_element_test(&ptg);
3725 secp256k1_scalar_set_int(&sc[i], 0);
3727 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3728 CHECK(secp256k1_gej_is_infinity(&r));
3731 for (j = 0; j < 3; j++) {
3732 random_group_element_test(&ptg);
3733 for (i = 0; i < 16; i++) {
3734 random_scalar_order(&sc[2*i]);
3735 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
3737 pt[2 * i + 1] = ptg;
3740 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3741 CHECK(secp256k1_gej_is_infinity(&r));
3743 random_scalar_order(&sc[0]);
3744 for (i = 0; i < 16; i++) {
3745 random_group_element_test(&ptg);
3750 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
3753 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3754 CHECK(secp256k1_gej_is_infinity(&r));
3757 random_group_element_test(&ptg);
3758 secp256k1_scalar_set_int(&sc[0], 0);
3760 for (i = 1; i < 32; i++) {
3763 random_scalar_order(&sc[i]);
3764 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
3765 secp256k1_scalar_negate(&sc[i], &sc[i]);
3768 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
3769 CHECK(secp256k1_gej_is_infinity(&r));
3772 /* Check random points, constant scalar */
3773 for (ncount = 0; ncount < count; ncount++) {
3775 secp256k1_gej_set_infinity(&r);
3777 random_scalar_order(&sc[0]);
3778 for (i = 0; i < 20; i++) {
3781 random_group_element_test(&ptg);
3783 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
3786 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
3787 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3788 secp256k1_gej_neg(&r2, &r2);
3789 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3790 CHECK(secp256k1_gej_is_infinity(&r));
3793 /* Check random scalars, constant point */
3794 for (ncount = 0; ncount < count; ncount++) {
3798 secp256k1_scalar rs;
3799 secp256k1_scalar_set_int(&rs, 0);
3801 random_group_element_test(&ptg);
3802 for (i = 0; i < 20; i++) {
3803 random_scalar_order(&sc[i]);
3805 secp256k1_scalar_add(&rs, &rs, &sc[i]);
3808 secp256k1_gej_set_ge(&p0j, &pt[0]);
3809 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
3810 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3811 secp256k1_gej_neg(&r2, &r2);
3812 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3813 CHECK(secp256k1_gej_is_infinity(&r));
3816 /* Sanity check that zero scalars don't cause problems */
3817 for (ncount = 0; ncount < 20; ncount++) {
3818 random_scalar_order(&sc[ncount]);
3819 random_group_element_test(&pt[ncount]);
3822 secp256k1_scalar_clear(&sc[0]);
3823 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3824 secp256k1_scalar_clear(&sc[1]);
3825 secp256k1_scalar_clear(&sc[2]);
3826 secp256k1_scalar_clear(&sc[3]);
3827 secp256k1_scalar_clear(&sc[4]);
3828 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
3829 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
3830 CHECK(secp256k1_gej_is_infinity(&r));
3832 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
3834 const size_t TOP = 8;
3840 random_group_element_test(&ptg);
3841 secp256k1_gej_set_ge(&ptgj, &ptg);
3843 for(t0i = 0; t0i < TOP; t0i++) {
3844 for(t1i = 0; t1i < TOP; t1i++) {
3845 secp256k1_gej t0p, t1p;
3846 secp256k1_scalar t0, t1;
3848 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
3849 secp256k1_scalar_cond_negate(&t0, t0i & 1);
3850 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
3851 secp256k1_scalar_cond_negate(&t1, t1i & 1);
3853 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
3854 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
3856 for(s0i = 0; s0i < TOP; s0i++) {
3857 for(s1i = 0; s1i < TOP; s1i++) {
3858 secp256k1_scalar tmp1, tmp2;
3859 secp256k1_gej expected, actual;
3861 secp256k1_ge_set_gej(&pt[0], &t0p);
3862 secp256k1_ge_set_gej(&pt[1], &t1p);
3864 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
3865 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3866 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3867 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3869 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3870 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3871 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3873 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3874 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3875 secp256k1_gej_neg(&expected, &expected);
3876 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3877 CHECK(secp256k1_gej_is_infinity(&actual));
3885 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
3886 secp256k1_scalar szero;
3887 secp256k1_scalar sc;
3890 ecmult_multi_data data;
3891 secp256k1_scratch *scratch_empty;
3893 random_group_element_test(&pt);
3894 random_scalar_order(&sc);
3897 secp256k1_scalar_set_int(&szero, 0);
3899 /* Try to multiply 1 point, but scratch space is empty.*/
3900 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3901 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3902 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
3905 void test_secp256k1_pippenger_bucket_window_inv(void) {
3908 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
3909 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
3910 /* Bucket_window of 8 is not used with endo */
3914 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3915 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3916 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3922 * Probabilistically test the function returning the maximum number of possible points
3923 * for a given scratch space.
3925 void test_ecmult_multi_pippenger_max_points(void) {
3926 size_t scratch_size = secp256k1_testrand_int(256);
3927 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3928 secp256k1_scratch *scratch;
3929 size_t n_points_supported;
3930 int bucket_window = 0;
3932 for(; scratch_size < max_size; scratch_size+=256) {
3936 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3937 CHECK(scratch != NULL);
3938 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3939 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3940 if (n_points_supported == 0) {
3941 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3944 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3945 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3946 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3947 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3948 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3951 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3952 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3953 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3955 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3958 void test_ecmult_multi_batch_size_helper(void) {
3959 size_t n_batches, n_batch_points, max_n_batch_points, n;
3961 max_n_batch_points = 0;
3963 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3965 max_n_batch_points = 1;
3967 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3968 CHECK(n_batches == 0);
3969 CHECK(n_batch_points == 0);
3971 max_n_batch_points = 2;
3973 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3974 CHECK(n_batches == 3);
3975 CHECK(n_batch_points == 2);
3977 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3978 n = ECMULT_MAX_POINTS_PER_BATCH;
3979 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3980 CHECK(n_batches == 1);
3981 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3983 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3984 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3985 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3986 CHECK(n_batches == 2);
3987 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3989 max_n_batch_points = 1;
3991 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3992 CHECK(n_batches == SIZE_MAX);
3993 CHECK(n_batch_points == 1);
3995 max_n_batch_points = 2;
3997 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3998 CHECK(n_batches == SIZE_MAX/2 + 1);
3999 CHECK(n_batch_points == 2);
4003 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
4004 * 1 <= i <= num points.
4006 void test_ecmult_multi_batching(void) {
4007 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
4008 secp256k1_scalar scG;
4009 secp256k1_scalar szero;
4010 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
4011 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
4014 ecmult_multi_data data;
4016 secp256k1_scratch *scratch;
4018 secp256k1_gej_set_infinity(&r2);
4019 secp256k1_scalar_set_int(&szero, 0);
4021 /* Get random scalars and group elements and compute result */
4022 random_scalar_order(&scG);
4023 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
4024 for(i = 0; i < n_points; i++) {
4027 random_group_element_test(&ptg);
4028 secp256k1_gej_set_ge(&ptgj, &ptg);
4030 random_scalar_order(&sc[i]);
4031 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
4032 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
4036 secp256k1_gej_neg(&r2, &r2);
4038 /* Test with empty scratch space. It should compute the correct result using
4039 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
4040 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
4041 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4042 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4043 CHECK(secp256k1_gej_is_infinity(&r));
4044 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4046 /* Test with space for 1 point in pippenger. That's not enough because
4047 * ecmult_multi selects strauss which requires more memory. It should
4048 * therefore select the simple algorithm. */
4049 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4050 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4051 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4052 CHECK(secp256k1_gej_is_infinity(&r));
4053 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4055 for(i = 1; i <= n_points; i++) {
4056 if (i > ECMULT_PIPPENGER_THRESHOLD) {
4057 int bucket_window = secp256k1_pippenger_bucket_window(i);
4058 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
4059 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4061 size_t scratch_size = secp256k1_strauss_scratch_size(i);
4062 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4064 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4065 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4066 CHECK(secp256k1_gej_is_infinity(&r));
4067 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4073 void run_ecmult_multi_tests(void) {
4074 secp256k1_scratch *scratch;
4076 test_secp256k1_pippenger_bucket_window_inv();
4077 test_ecmult_multi_pippenger_max_points();
4078 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
4079 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
4080 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
4081 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
4082 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
4083 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
4084 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
4085 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4087 /* Run test_ecmult_multi with space for exactly one point */
4088 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4089 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
4090 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4092 test_ecmult_multi_batch_size_helper();
4093 test_ecmult_multi_batching();
4096 void test_wnaf(const secp256k1_scalar *number, int w) {
4097 secp256k1_scalar x, two, t;
4102 secp256k1_scalar_set_int(&x, 0);
4103 secp256k1_scalar_set_int(&two, 2);
4104 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
4106 for (i = bits-1; i >= 0; i--) {
4108 secp256k1_scalar_mul(&x, &x, &two);
4110 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4112 CHECK((v & 1) == 1); /* check non-zero elements are odd */
4113 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
4114 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4116 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4120 secp256k1_scalar_set_int(&t, v);
4122 secp256k1_scalar_set_int(&t, -v);
4123 secp256k1_scalar_negate(&t, &t);
4125 secp256k1_scalar_add(&x, &x, &t);
4127 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4130 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
4131 secp256k1_scalar neg1 = *number;
4132 secp256k1_scalar neg2 = *number;
4136 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
4137 secp256k1_scalar_negate(&neg1, &neg1);
4140 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
4141 CHECK(sign1 == sign2);
4142 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
4145 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
4146 secp256k1_scalar x, shift;
4147 int wnaf[256] = {0};
4151 secp256k1_scalar num = *number;
4152 secp256k1_scalar scalar_skew;
4154 secp256k1_scalar_set_int(&x, 0);
4155 secp256k1_scalar_set_int(&shift, 1 << w);
4156 for (i = 0; i < 16; ++i) {
4157 secp256k1_scalar_shr_int(&num, 8);
4160 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
4162 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
4165 CHECK(v != 0); /* check nonzero */
4166 CHECK(v & 1); /* check parity */
4167 CHECK(v > -(1 << w)); /* check range above */
4168 CHECK(v < (1 << w)); /* check range below */
4170 secp256k1_scalar_mul(&x, &x, &shift);
4172 secp256k1_scalar_set_int(&t, v);
4174 secp256k1_scalar_set_int(&t, -v);
4175 secp256k1_scalar_negate(&t, &t);
4177 secp256k1_scalar_add(&x, &x, &t);
4179 /* Skew num because when encoding numbers as odd we use an offset */
4180 secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
4181 secp256k1_scalar_add(&num, &num, &scalar_skew);
4182 CHECK(secp256k1_scalar_eq(&x, &num));
4185 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
4186 secp256k1_scalar x, shift;
4187 int wnaf[256] = {0};
4190 secp256k1_scalar num = *number;
4192 secp256k1_scalar_set_int(&x, 0);
4193 secp256k1_scalar_set_int(&shift, 1 << w);
4194 for (i = 0; i < 16; ++i) {
4195 secp256k1_scalar_shr_int(&num, 8);
4197 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4199 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4202 CHECK(v == 0 || v & 1); /* check parity */
4203 CHECK(v > -(1 << w)); /* check range above */
4204 CHECK(v < (1 << w)); /* check range below */
4206 secp256k1_scalar_mul(&x, &x, &shift);
4208 secp256k1_scalar_set_int(&t, v);
4210 secp256k1_scalar_set_int(&t, -v);
4211 secp256k1_scalar_negate(&t, &t);
4213 secp256k1_scalar_add(&x, &x, &t);
4215 /* If skew is 1 then add 1 to num */
4216 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
4217 CHECK(secp256k1_scalar_eq(&x, &num));
4220 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
4222 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
4224 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
4225 CHECK(wnaf[i] == 0);
4227 for (i = 7; i >= 0; --i) {
4228 CHECK(wnaf[i] == wnaf_expected[i]);
4232 void test_fixed_wnaf_small(void) {
4234 int wnaf[256] = {0};
4237 secp256k1_scalar num;
4239 secp256k1_scalar_set_int(&num, 0);
4240 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4241 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4247 secp256k1_scalar_set_int(&num, 1);
4248 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4249 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
4253 CHECK(wnaf[0] == 1);
4257 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
4258 secp256k1_scalar_set_int(&num, 0xffffffff);
4259 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4260 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4264 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
4265 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
4266 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4267 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4271 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
4272 secp256k1_scalar_set_int(&num, 0x01010101);
4273 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4274 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4278 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
4279 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
4280 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4281 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4286 void run_wnaf(void) {
4288 secp256k1_scalar n = {{0}};
4290 test_constant_wnaf(&n, 4);
4291 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
4292 * have easier-to-diagnose failure modes */
4294 test_constant_wnaf(&n, 4);
4296 test_constant_wnaf(&n, 4);
4297 /* Test -1, because it's a special case in wnaf_const */
4298 n = secp256k1_scalar_one;
4299 secp256k1_scalar_negate(&n, &n);
4300 test_constant_wnaf(&n, 4);
4302 /* Test -2, which may not lead to overflows in wnaf_const */
4303 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
4304 secp256k1_scalar_negate(&n, &n);
4305 test_constant_wnaf(&n, 4);
4307 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
4308 as corner cases of negation handling in wnaf_const */
4309 secp256k1_scalar_inverse(&n, &n);
4310 test_constant_wnaf(&n, 4);
4312 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
4313 test_constant_wnaf(&n, 4);
4315 /* Test 0 for fixed wnaf */
4316 test_fixed_wnaf_small();
4318 for (i = 0; i < count; i++) {
4319 random_scalar_order(&n);
4320 test_wnaf(&n, 4+(i%10));
4321 test_constant_wnaf_negate(&n);
4322 test_constant_wnaf(&n, 4 + (i % 10));
4323 test_fixed_wnaf(&n, 4 + (i % 10));
4325 secp256k1_scalar_set_int(&n, 0);
4326 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
4327 CHECK(secp256k1_scalar_is_zero(&n));
4328 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
4329 CHECK(secp256k1_scalar_is_zero(&n));
4332 void test_ecmult_constants(void) {
4333 /* Test ecmult_gen() for [0..36) and [order-36..0). */
4339 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
4340 for (i = 0; i < 36; i++ ) {
4341 secp256k1_scalar_set_int(&x, i);
4342 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
4343 for (j = 0; j < i; j++) {
4345 ge_equals_gej(&secp256k1_ge_const_g, &r);
4347 secp256k1_gej_add_ge(&r, &r, &ng);
4349 CHECK(secp256k1_gej_is_infinity(&r));
4351 for (i = 1; i <= 36; i++ ) {
4352 secp256k1_scalar_set_int(&x, i);
4353 secp256k1_scalar_negate(&x, &x);
4354 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
4355 for (j = 0; j < i; j++) {
4357 ge_equals_gej(&ng, &r);
4359 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
4361 CHECK(secp256k1_gej_is_infinity(&r));
4365 void run_ecmult_constants(void) {
4366 test_ecmult_constants();
4369 void test_ecmult_gen_blind(void) {
4370 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
4371 secp256k1_scalar key;
4373 unsigned char seed32[32];
4375 secp256k1_gej pgej2;
4378 random_scalar_order_test(&key);
4379 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
4380 secp256k1_testrand256(seed32);
4381 b = ctx->ecmult_gen_ctx.blind;
4382 i = ctx->ecmult_gen_ctx.initial;
4383 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
4384 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
4385 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
4386 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
4387 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
4388 secp256k1_ge_set_gej(&pge, &pgej);
4389 ge_equals_gej(&pge, &pgej2);
4392 void test_ecmult_gen_blind_reset(void) {
4393 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
4395 secp256k1_gej initial;
4396 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
4397 b = ctx->ecmult_gen_ctx.blind;
4398 initial = ctx->ecmult_gen_ctx.initial;
4399 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
4400 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
4401 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
4404 void run_ecmult_gen_blind(void) {
4406 test_ecmult_gen_blind_reset();
4407 for (i = 0; i < 10; i++) {
4408 test_ecmult_gen_blind();
4412 /***** ENDOMORPHISH TESTS *****/
4413 void test_scalar_split(const secp256k1_scalar* full) {
4414 secp256k1_scalar s, s1, slam;
4415 const unsigned char zero[32] = {0};
4416 unsigned char tmp[32];
4418 secp256k1_scalar_split_lambda(&s1, &slam, full);
4420 /* check slam*lambda + s1 == full */
4421 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
4422 secp256k1_scalar_add(&s, &s, &s1);
4423 CHECK(secp256k1_scalar_eq(&s, full));
4425 /* check that both are <= 128 bits in size */
4426 if (secp256k1_scalar_is_high(&s1)) {
4427 secp256k1_scalar_negate(&s1, &s1);
4429 if (secp256k1_scalar_is_high(&slam)) {
4430 secp256k1_scalar_negate(&slam, &slam);
4433 secp256k1_scalar_get_b32(tmp, &s1);
4434 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
4435 secp256k1_scalar_get_b32(tmp, &slam);
4436 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
4440 void run_endomorphism_tests(void) {
4442 static secp256k1_scalar s;
4443 test_scalar_split(&secp256k1_scalar_zero);
4444 test_scalar_split(&secp256k1_scalar_one);
4445 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
4446 test_scalar_split(&s);
4447 test_scalar_split(&secp256k1_const_lambda);
4448 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
4449 test_scalar_split(&s);
4451 for (i = 0; i < 100U * count; ++i) {
4452 secp256k1_scalar full;
4453 random_scalar_order_test(&full);
4454 test_scalar_split(&full);
4456 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
4457 test_scalar_split(&scalars_near_split_bounds[i]);
4461 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
4462 unsigned char pubkeyc[65];
4463 secp256k1_pubkey pubkey;
4468 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4469 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
4470 /* Smaller sizes are tested exhaustively elsewhere. */
4472 memcpy(&pubkeyc[1], input, 64);
4473 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
4474 for (i = 0; i < 256; i++) {
4475 /* Try all type bytes. */
4480 /* What sign does this point have? */
4481 ysign = (input[63] & 1) + 2;
4482 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
4483 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
4484 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
4485 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
4486 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
4487 if (xpass || ypass) {
4488 /* These cases must parse. */
4489 unsigned char pubkeyo[65];
4491 memset(&pubkey, 0, sizeof(pubkey));
4492 VG_UNDEF(&pubkey, sizeof(pubkey));
4494 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4495 VG_CHECK(&pubkey, sizeof(pubkey));
4497 VG_UNDEF(pubkeyo, 65);
4498 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4499 VG_CHECK(pubkeyo, outl);
4501 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
4502 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
4504 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
4505 CHECK(pubkeyo[0] == ysign);
4506 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4507 memset(&pubkey, 0, sizeof(pubkey));
4508 VG_UNDEF(&pubkey, sizeof(pubkey));
4509 secp256k1_pubkey_save(&pubkey, &ge);
4510 VG_CHECK(&pubkey, sizeof(pubkey));
4512 VG_UNDEF(pubkeyo, 65);
4513 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4514 VG_CHECK(pubkeyo, outl);
4516 CHECK(pubkeyo[0] == 4);
4517 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
4521 /* These cases must fail to parse. */
4522 memset(&pubkey, 0xfe, sizeof(pubkey));
4524 VG_UNDEF(&pubkey, sizeof(pubkey));
4525 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
4526 VG_CHECK(&pubkey, sizeof(pubkey));
4528 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4533 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4536 void run_ec_pubkey_parse_test(void) {
4537 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
4538 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
4540 /* Point with leading and trailing zeros in x and y serialization. */
4541 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
4542 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4543 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
4544 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
4547 /* Point with x equal to a 3rd root of unity.*/
4548 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
4549 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
4550 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4551 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4554 /* Point with largest x. (1/2) */
4555 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4556 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
4557 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
4558 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
4561 /* Point with largest x. (2/2) */
4562 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4563 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
4564 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
4565 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
4568 /* Point with smallest x. (1/2) */
4569 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4570 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4571 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4572 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4575 /* Point with smallest x. (2/2) */
4576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4578 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4579 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4582 /* Point with largest y. (1/3) */
4583 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4584 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4585 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4586 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4589 /* Point with largest y. (2/3) */
4590 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4591 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4592 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4593 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4596 /* Point with largest y. (3/3) */
4597 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4598 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4599 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4600 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4603 /* Point with smallest y. (1/3) */
4604 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4605 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4606 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4607 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4610 /* Point with smallest y. (2/3) */
4611 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4612 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4614 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4617 /* Point with smallest y. (3/3) */
4618 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4619 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4621 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
4624 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
4625 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
4627 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
4628 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4629 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4630 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4631 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4634 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
4635 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4636 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4637 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4638 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4641 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
4642 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4643 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4644 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4645 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4648 /* x on curve, y is from y^2 = x^3 + 8. */
4649 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4650 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4651 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4652 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
4655 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
4656 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
4658 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
4659 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
4660 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
4661 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4662 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4665 /* Valid if x overflow ignored (x = 1 mod p). */
4666 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4667 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4668 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4669 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4672 /* Valid if x overflow ignored (x = 1 mod p). */
4673 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4674 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4675 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4676 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4679 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4680 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4681 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4682 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
4683 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
4686 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4687 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4688 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4689 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
4690 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
4693 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4694 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4696 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
4697 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
4700 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4703 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
4704 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
4707 const unsigned char pubkeyc[66] = {
4708 /* Serialization of G. */
4709 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
4710 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
4711 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
4712 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
4715 unsigned char sout[65];
4716 unsigned char shortkey[2];
4718 secp256k1_pubkey pubkey;
4724 /* Nothing should be reading this far into pubkeyc. */
4725 VG_UNDEF(&pubkeyc[65], 1);
4726 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4727 /* Zero length claimed, fail, zeroize, no illegal arg error. */
4728 memset(&pubkey, 0xfe, sizeof(pubkey));
4730 VG_UNDEF(shortkey, 2);
4731 VG_UNDEF(&pubkey, sizeof(pubkey));
4732 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
4733 VG_CHECK(&pubkey, sizeof(pubkey));
4735 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4737 /* Length one claimed, fail, zeroize, no illegal arg error. */
4738 for (i = 0; i < 256 ; i++) {
4739 memset(&pubkey, 0xfe, sizeof(pubkey));
4742 VG_UNDEF(&shortkey[1], 1);
4743 VG_UNDEF(&pubkey, sizeof(pubkey));
4744 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
4745 VG_CHECK(&pubkey, sizeof(pubkey));
4747 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4750 /* Length two claimed, fail, zeroize, no illegal arg error. */
4751 for (i = 0; i < 65536 ; i++) {
4752 memset(&pubkey, 0xfe, sizeof(pubkey));
4754 shortkey[0] = i & 255;
4755 shortkey[1] = i >> 8;
4756 VG_UNDEF(&pubkey, sizeof(pubkey));
4757 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
4758 VG_CHECK(&pubkey, sizeof(pubkey));
4760 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4763 memset(&pubkey, 0xfe, sizeof(pubkey));
4765 VG_UNDEF(&pubkey, sizeof(pubkey));
4766 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
4767 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
4768 VG_CHECK(&pubkey, sizeof(pubkey));
4770 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4772 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
4773 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
4775 /* NULL input string. Illegal arg and zeroize output. */
4776 memset(&pubkey, 0xfe, sizeof(pubkey));
4778 VG_UNDEF(&pubkey, sizeof(pubkey));
4779 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
4780 VG_CHECK(&pubkey, sizeof(pubkey));
4782 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4784 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
4785 memset(&pubkey, 0xfe, sizeof(pubkey));
4787 VG_UNDEF(&pubkey, sizeof(pubkey));
4788 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
4789 VG_CHECK(&pubkey, sizeof(pubkey));
4791 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4793 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
4794 memset(&pubkey, 0xfe, sizeof(pubkey));
4796 VG_UNDEF(&pubkey, sizeof(pubkey));
4797 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
4798 VG_CHECK(&pubkey, sizeof(pubkey));
4800 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4803 memset(&pubkey, 0, sizeof(pubkey));
4805 VG_UNDEF(&pubkey, sizeof(pubkey));
4806 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
4807 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
4808 VG_CHECK(&pubkey, sizeof(pubkey));
4810 VG_UNDEF(&ge, sizeof(ge));
4811 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4812 VG_CHECK(&ge.x, sizeof(ge.x));
4813 VG_CHECK(&ge.y, sizeof(ge.y));
4814 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
4815 ge_equals_ge(&secp256k1_ge_const_g, &ge);
4817 /* secp256k1_ec_pubkey_serialize illegal args. */
4820 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4823 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4827 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
4832 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
4837 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4841 /* Multiple illegal args. Should still set arg error only once. */
4844 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4846 /* Does the illegal arg callback actually change the behavior? */
4847 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
4848 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4850 CHECK(ecount2 == 10);
4851 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4852 /* Try a bunch of prefabbed points with all possible encodings. */
4853 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
4854 ec_pubkey_parse_pointtest(valid[i], 1, 1);
4856 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
4857 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
4859 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
4860 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
4864 void run_eckey_edge_case_test(void) {
4865 const unsigned char orderc[32] = {
4866 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4867 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4868 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4869 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
4871 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
4872 unsigned char ctmp[33];
4873 unsigned char ctmp2[33];
4874 secp256k1_pubkey pubkey;
4875 secp256k1_pubkey pubkey2;
4876 secp256k1_pubkey pubkey_one;
4877 secp256k1_pubkey pubkey_negone;
4878 const secp256k1_pubkey *pubkeys[3];
4881 /* Group order is too large, reject. */
4882 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4883 VG_UNDEF(&pubkey, sizeof(pubkey));
4884 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4885 VG_CHECK(&pubkey, sizeof(pubkey));
4886 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4887 /* Maximum value is too large, reject. */
4888 memset(ctmp, 255, 32);
4889 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4890 memset(&pubkey, 1, sizeof(pubkey));
4891 VG_UNDEF(&pubkey, sizeof(pubkey));
4892 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4893 VG_CHECK(&pubkey, sizeof(pubkey));
4894 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4895 /* Zero is too small, reject. */
4896 memset(ctmp, 0, 32);
4897 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4898 memset(&pubkey, 1, sizeof(pubkey));
4899 VG_UNDEF(&pubkey, sizeof(pubkey));
4900 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4901 VG_CHECK(&pubkey, sizeof(pubkey));
4902 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4903 /* One must be accepted. */
4905 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4906 memset(&pubkey, 0, sizeof(pubkey));
4907 VG_UNDEF(&pubkey, sizeof(pubkey));
4908 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4909 VG_CHECK(&pubkey, sizeof(pubkey));
4910 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4911 pubkey_one = pubkey;
4912 /* Group order + 1 is too large, reject. */
4913 memcpy(ctmp, orderc, 32);
4915 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4916 memset(&pubkey, 1, sizeof(pubkey));
4917 VG_UNDEF(&pubkey, sizeof(pubkey));
4918 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4919 VG_CHECK(&pubkey, sizeof(pubkey));
4920 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4921 /* -1 must be accepted. */
4923 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4924 memset(&pubkey, 0, sizeof(pubkey));
4925 VG_UNDEF(&pubkey, sizeof(pubkey));
4926 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4927 VG_CHECK(&pubkey, sizeof(pubkey));
4928 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4929 pubkey_negone = pubkey;
4930 /* Tweak of zero leaves the value unchanged. */
4931 memset(ctmp2, 0, 32);
4932 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4933 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4934 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4935 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4936 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4937 /* Multiply tweak of zero zeroizes the output. */
4938 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4939 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4940 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4941 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4942 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4943 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4944 seckey, the seckey is zeroized. */
4945 memcpy(ctmp, orderc, 32);
4946 memset(ctmp2, 0, 32);
4948 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4949 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4950 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4951 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4952 memcpy(ctmp, orderc, 32);
4953 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4954 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4955 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4956 tweak, the seckey is zeroized. */
4957 memcpy(ctmp, orderc, 32);
4959 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4960 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4961 memcpy(ctmp, orderc, 32);
4963 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
4964 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4965 memcpy(ctmp, orderc, 32);
4967 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4968 tweak, the pubkey is zeroized. */
4969 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4970 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4971 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4972 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4973 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4974 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4975 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4976 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4977 * case the pubkey is zeroized. */
4978 memcpy(ctmp, orderc, 32);
4980 memset(ctmp2, 0, 32);
4982 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
4983 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
4985 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4986 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4987 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4988 /* Tweak computation wraps and results in a key of 1. */
4990 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
4991 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4993 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4995 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4996 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4997 /* Tweak mul * 2 = 1+1. */
4998 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5000 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
5001 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5002 /* Test argument errors. */
5004 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5006 /* Zeroize pubkey on parse error. */
5007 memset(&pubkey, 0, 32);
5008 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5010 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5011 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5012 memset(&pubkey2, 0, 32);
5013 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
5015 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
5016 /* Plain argument errors. */
5018 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5020 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
5023 memset(ctmp2, 0, 32);
5025 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
5027 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
5030 memset(ctmp2, 0, 32);
5032 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
5034 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
5037 memset(ctmp2, 0, 32);
5038 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
5040 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
5043 memset(ctmp2, 0, 32);
5045 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
5047 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
5050 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
5052 memset(&pubkey, 1, sizeof(pubkey));
5053 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5055 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5056 /* secp256k1_ec_pubkey_combine tests. */
5058 pubkeys[0] = &pubkey_one;
5059 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
5060 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
5061 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
5062 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5063 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5064 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
5065 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5066 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5068 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
5069 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5071 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5072 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5073 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
5074 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5075 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5077 pubkeys[0] = &pubkey_negone;
5078 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5079 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5080 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
5081 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5082 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5085 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5086 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
5087 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
5088 /* Result is infinity. */
5089 pubkeys[0] = &pubkey_one;
5090 pubkeys[1] = &pubkey_negone;
5091 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5092 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5093 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
5094 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5095 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5097 /* Passes through infinity but comes out one. */
5098 pubkeys[2] = &pubkey_one;
5099 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5100 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5101 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
5102 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5103 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5106 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5107 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
5108 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
5110 pubkeys[1] = &pubkey_one;
5111 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5112 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5113 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
5114 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5115 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5117 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5120 void run_eckey_negate_test(void) {
5121 unsigned char seckey[32];
5122 unsigned char seckey_tmp[32];
5124 random_scalar_order_b32(seckey);
5125 memcpy(seckey_tmp, seckey, 32);
5127 /* Verify negation changes the key and changes it back */
5128 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5129 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
5130 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5131 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5133 /* Check that privkey alias gives same result */
5134 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5135 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
5136 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5138 /* Negating all 0s fails */
5139 memset(seckey, 0, 32);
5140 memset(seckey_tmp, 0, 32);
5141 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5142 /* Check that seckey is not modified */
5143 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5145 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
5146 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
5147 * doesn't just set seckey to a constant value in case of failure. */
5148 random_scalar_order_b32(seckey);
5149 memset(seckey, 0xFF, 16);
5150 memset(seckey_tmp, 0, 32);
5151 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5152 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5155 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
5156 secp256k1_scalar nonce;
5158 random_scalar_order_test(&nonce);
5159 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
5162 void test_ecdsa_sign_verify(void) {
5165 secp256k1_scalar one;
5166 secp256k1_scalar msg, key;
5167 secp256k1_scalar sigr, sigs;
5169 /* Initialize recid to suppress a false positive -Wconditional-uninitialized in clang.
5170 VG_UNDEF ensures that valgrind will still treat the variable as uninitialized. */
5171 int recid = -1; VG_UNDEF(&recid, sizeof(recid));
5172 random_scalar_order_test(&msg);
5173 random_scalar_order_test(&key);
5174 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
5175 secp256k1_ge_set_gej(&pub, &pubj);
5176 getrec = secp256k1_testrand_bits(1);
5177 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
5179 CHECK(recid >= 0 && recid < 4);
5181 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5182 secp256k1_scalar_set_int(&one, 1);
5183 secp256k1_scalar_add(&msg, &msg, &one);
5184 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5187 void run_ecdsa_sign_verify(void) {
5189 for (i = 0; i < 10*count; i++) {
5190 test_ecdsa_sign_verify();
5194 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
5195 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5199 memcpy(nonce32, data, 32);
5200 return (counter == 0);
5203 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5204 /* Dummy nonce generator that has a fatal error on the first counter value. */
5208 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
5211 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5212 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
5214 memset(nonce32, counter==0 ? 0 : 255, 32);
5221 static const unsigned char order[] = {
5222 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5223 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5224 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5225 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
5227 memcpy(nonce32, order, 32);
5233 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
5234 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
5238 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
5241 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
5242 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
5243 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
5246 void test_ecdsa_end_to_end(void) {
5247 unsigned char extra[32] = {0x00};
5248 unsigned char privkey[32];
5249 unsigned char message[32];
5250 unsigned char privkey2[32];
5251 secp256k1_ecdsa_signature signature[6];
5252 secp256k1_scalar r, s;
5253 unsigned char sig[74];
5255 unsigned char pubkeyc[65];
5256 size_t pubkeyclen = 65;
5257 secp256k1_pubkey pubkey;
5258 secp256k1_pubkey pubkey_tmp;
5259 unsigned char seckey[300];
5260 size_t seckeylen = 300;
5262 /* Generate a random key and message. */
5264 secp256k1_scalar msg, key;
5265 random_scalar_order_test(&msg);
5266 random_scalar_order_test(&key);
5267 secp256k1_scalar_get_b32(privkey, &key);
5268 secp256k1_scalar_get_b32(message, &msg);
5271 /* Construct and verify corresponding public key. */
5272 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
5273 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
5275 /* Verify exporting and importing public key. */
5276 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
5277 memset(&pubkey, 0, sizeof(pubkey));
5278 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
5280 /* Verify negation changes the key and changes it back */
5281 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
5282 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
5283 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
5284 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
5285 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
5287 /* Verify private key import and export. */
5288 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
5289 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
5290 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
5292 /* Optionally tweak the keys using addition. */
5293 if (secp256k1_testrand_int(3) == 0) {
5297 unsigned char rnd[32];
5298 unsigned char privkey_tmp[32];
5299 secp256k1_pubkey pubkey2;
5300 secp256k1_testrand256_test(rnd);
5301 memcpy(privkey_tmp, privkey, 32);
5302 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
5303 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
5304 /* Check that privkey alias gives same result */
5305 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
5306 CHECK(ret1 == ret2);
5307 CHECK(ret2 == ret3);
5311 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
5312 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
5313 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5316 /* Optionally tweak the keys using multiplication. */
5317 if (secp256k1_testrand_int(3) == 0) {
5321 unsigned char rnd[32];
5322 unsigned char privkey_tmp[32];
5323 secp256k1_pubkey pubkey2;
5324 secp256k1_testrand256_test(rnd);
5325 memcpy(privkey_tmp, privkey, 32);
5326 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
5327 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
5328 /* Check that privkey alias gives same result */
5329 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
5330 CHECK(ret1 == ret2);
5331 CHECK(ret2 == ret3);
5335 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
5336 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
5337 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5341 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
5342 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
5343 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
5345 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
5348 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
5349 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
5350 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
5351 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
5352 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
5353 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
5354 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
5355 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
5357 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
5358 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
5359 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
5360 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
5361 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
5362 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
5363 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
5364 secp256k1_scalar_negate(&s, &s);
5365 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
5366 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
5367 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5368 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
5369 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5370 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
5371 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
5372 secp256k1_scalar_negate(&s, &s);
5373 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
5374 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5375 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
5376 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
5378 /* Serialize/parse DER and verify again */
5379 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
5380 memset(&signature[0], 0, sizeof(signature[0]));
5381 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
5382 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
5383 /* Serialize/destroy/parse DER and verify again. */
5385 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
5386 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
5387 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
5388 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
5391 void test_random_pubkeys(void) {
5394 unsigned char in[65];
5395 /* Generate some randomly sized pubkeys. */
5396 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
5397 if (secp256k1_testrand_bits(2) == 0) {
5398 len = secp256k1_testrand_bits(6);
5401 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
5403 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
5405 if (secp256k1_testrand_bits(3) == 0) {
5406 in[0] = secp256k1_testrand_bits(8);
5409 secp256k1_testrand256(&in[1]);
5412 secp256k1_testrand256(&in[33]);
5414 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
5415 unsigned char out[65];
5416 unsigned char firstb;
5420 /* If the pubkey can be parsed, it should round-trip... */
5421 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
5423 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
5424 /* ... except for the type of hybrid inputs. */
5425 if ((in[0] != 6) && (in[0] != 7)) {
5426 CHECK(in[0] == out[0]);
5429 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
5431 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
5432 ge_equals_ge(&elem,&elem2);
5433 /* Check that the X9.62 hybrid type is checked. */
5434 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
5435 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
5436 if (firstb == 2 || firstb == 3) {
5437 if (in[0] == firstb + 4) {
5444 ge_equals_ge(&elem,&elem2);
5445 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
5446 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
5451 void run_pubkey_comparison(void) {
5452 unsigned char pk1_ser[33] = {
5454 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
5455 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
5457 const unsigned char pk2_ser[33] = {
5459 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
5460 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
5462 secp256k1_pubkey pk1;
5463 secp256k1_pubkey pk2;
5466 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
5467 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
5469 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5470 CHECK(secp256k1_ec_pubkey_cmp(ctx, NULL, &pk2) < 0);
5472 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, NULL) > 0);
5474 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
5475 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
5476 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk1) == 0);
5477 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk2) == 0);
5480 secp256k1_pubkey pk_tmp;
5481 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
5482 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk2) < 0);
5484 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk_tmp) == 0);
5486 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk_tmp) > 0);
5490 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5492 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
5493 * an uncompressed encoding, these would have the opposite ordering */
5495 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
5496 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
5497 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
5500 void run_random_pubkeys(void) {
5502 for (i = 0; i < 10*count; i++) {
5503 test_random_pubkeys();
5507 void run_ecdsa_end_to_end(void) {
5509 for (i = 0; i < 64*count; i++) {
5510 test_ecdsa_end_to_end();
5514 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
5515 static const unsigned char zeroes[32] = {0};
5516 #ifdef ENABLE_OPENSSL_TESTS
5517 static const unsigned char max_scalar[32] = {
5518 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5519 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5520 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5521 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
5527 secp256k1_ecdsa_signature sig_der;
5528 unsigned char roundtrip_der[2048];
5529 unsigned char compact_der[64];
5530 size_t len_der = 2048;
5531 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
5533 secp256k1_ecdsa_signature sig_der_lax;
5534 unsigned char roundtrip_der_lax[2048];
5535 unsigned char compact_der_lax[64];
5536 size_t len_der_lax = 2048;
5537 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
5539 #ifdef ENABLE_OPENSSL_TESTS
5540 ECDSA_SIG *sig_openssl;
5541 const BIGNUM *r = NULL, *s = NULL;
5542 const unsigned char *sigptr;
5543 unsigned char roundtrip_openssl[2048];
5544 int len_openssl = 2048;
5545 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
5548 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
5550 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
5551 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
5554 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
5555 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
5558 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
5559 if (parsed_der_lax) {
5560 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
5561 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
5563 if (valid_der_lax) {
5564 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
5565 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
5568 if (certainly_der) {
5569 ret |= (!parsed_der) << 2;
5571 if (certainly_not_der) {
5572 ret |= (parsed_der) << 17;
5575 ret |= (!roundtrips_der) << 3;
5579 ret |= (!roundtrips_der_lax) << 12;
5580 ret |= (len_der != len_der_lax) << 13;
5581 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
5583 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
5585 ret |= (!parsed_der_lax) << 16;
5588 #ifdef ENABLE_OPENSSL_TESTS
5589 sig_openssl = ECDSA_SIG_new();
5591 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
5592 if (parsed_openssl) {
5593 ECDSA_SIG_get0(sig_openssl, &r, &s);
5594 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
5595 if (valid_openssl) {
5596 unsigned char tmp[32] = {0};
5597 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
5598 valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
5600 if (valid_openssl) {
5601 unsigned char tmp[32] = {0};
5602 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
5603 valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
5606 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
5607 if (len_openssl <= 2048) {
5608 unsigned char *ptr = roundtrip_openssl;
5609 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
5610 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (secp256k1_memcmp_var(roundtrip_openssl, sig, siglen) == 0);
5614 ECDSA_SIG_free(sig_openssl);
5616 ret |= (parsed_der && !parsed_openssl) << 4;
5617 ret |= (valid_der && !valid_openssl) << 5;
5618 ret |= (roundtrips_openssl && !parsed_der) << 6;
5619 ret |= (roundtrips_der != roundtrips_openssl) << 7;
5620 if (roundtrips_openssl) {
5621 ret |= (len_der != (size_t)len_openssl) << 8;
5622 ret |= ((len_der != (size_t)len_openssl) || (secp256k1_memcmp_var(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
5628 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
5630 for (i = 0; i < ptrlen; i++) {
5631 int shift = ptrlen - 1 - i;
5635 ptr[i] = (val >> shift) & 0xFF;
5640 static void damage_array(unsigned char *sig, size_t *len) {
5642 int action = secp256k1_testrand_bits(3);
5643 if (action < 1 && *len > 3) {
5644 /* Delete a byte. */
5645 pos = secp256k1_testrand_int(*len);
5646 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
5649 } else if (action < 2 && *len < 2048) {
5650 /* Insert a byte. */
5651 pos = secp256k1_testrand_int(1 + *len);
5652 memmove(sig + pos + 1, sig + pos, *len - pos);
5653 sig[pos] = secp256k1_testrand_bits(8);
5656 } else if (action < 4) {
5657 /* Modify a byte. */
5658 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
5660 } else { /* action < 8 */
5662 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
5667 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
5669 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
5670 size_t tlen, elen, glen;
5675 der = secp256k1_testrand_bits(2) == 0;
5676 *certainly_der = der;
5677 *certainly_not_der = 0;
5678 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
5680 for (n = 0; n < 2; n++) {
5681 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
5682 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
5683 /* The length of the number in bytes (the first byte of which will always be nonzero) */
5684 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_int(8) / 8;
5685 CHECK(nlen[n] <= 232);
5686 /* The top bit of the number. */
5687 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
5688 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
5689 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
5690 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
5691 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_int(8) / 8);
5692 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
5693 *certainly_not_der = 1;
5695 CHECK(nlen[n] + nzlen[n] <= 300);
5696 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
5697 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
5699 /* nlenlen[n] max 127 bytes */
5700 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
5703 *certainly_not_der = 1;
5706 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
5709 /* The total length of the data to go, so far */
5710 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
5713 /* The length of the garbage inside the tuple. */
5714 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_int(8) / 8;
5716 *certainly_not_der = 1;
5721 /* The length of the garbage after the end of the tuple. */
5722 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_int(8) / 8;
5724 *certainly_not_der = 1;
5726 CHECK(tlen + glen <= 990);
5728 /* Write the tuple header. */
5729 sig[(*len)++] = 0x30;
5731 /* Indeterminate length */
5732 sig[(*len)++] = 0x80;
5733 *certainly_not_der = 1;
5735 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
5737 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
5740 *certainly_not_der = 1;
5744 /* Short length notation */
5745 sig[(*len)++] = tlen;
5747 /* Long length notation */
5748 sig[(*len)++] = 128 + tlenlen;
5749 assign_big_endian(sig + *len, tlenlen, tlen);
5755 CHECK(tlen + glen <= 1119);
5757 for (n = 0; n < 2; n++) {
5758 /* Write the integer header. */
5759 sig[(*len)++] = 0x02;
5760 if (nlenlen[n] == 0) {
5761 /* Short length notation */
5762 sig[(*len)++] = nlen[n] + nzlen[n];
5764 /* Long length notation. */
5765 sig[(*len)++] = 128 + nlenlen[n];
5766 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
5769 /* Write zero padding */
5770 while (nzlen[n] > 0) {
5771 sig[(*len)++] = 0x00;
5774 if (nlen[n] == 32 && !nlow[n]) {
5775 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
5777 for (i = 0; i < 16; i++) {
5778 sig[(*len)++] = 0xFF;
5782 /* Write first byte of number */
5784 sig[(*len)++] = nhbyte[n];
5787 /* Generate remaining random bytes of number */
5788 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
5793 /* Generate random garbage inside tuple. */
5794 secp256k1_testrand_bytes_test(sig + *len, elen);
5797 /* Generate end-of-contents bytes. */
5803 CHECK(tlen + glen <= 1121);
5805 /* Generate random garbage outside tuple. */
5806 secp256k1_testrand_bytes_test(sig + *len, glen);
5809 CHECK(tlen <= 1121);
5810 CHECK(tlen == *len);
5813 void run_ecdsa_der_parse(void) {
5815 for (i = 0; i < 200 * count; i++) {
5816 unsigned char buffer[2048];
5818 int certainly_der = 0;
5819 int certainly_not_der = 0;
5820 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5821 CHECK(buflen <= 2048);
5822 for (j = 0; j < 16; j++) {
5825 damage_array(buffer, &buflen);
5826 /* We don't know anything anymore about the DERness of the result */
5828 certainly_not_der = 0;
5830 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
5833 fprintf(stderr, "Failure %x on ", ret);
5834 for (k = 0; k < buflen; k++) {
5835 fprintf(stderr, "%02x ", buffer[k]);
5837 fprintf(stderr, "\n");
5844 /* Tests several edge cases. */
5845 void test_ecdsa_edge_cases(void) {
5847 secp256k1_ecdsa_signature sig;
5849 /* Test the case where ECDSA recomputes a point that is infinity. */
5853 secp256k1_scalar msg;
5854 secp256k1_scalar sr, ss;
5855 secp256k1_scalar_set_int(&ss, 1);
5856 secp256k1_scalar_negate(&ss, &ss);
5857 secp256k1_scalar_inverse(&ss, &ss);
5858 secp256k1_scalar_set_int(&sr, 1);
5859 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
5860 secp256k1_ge_set_gej(&key, &keyj);
5862 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5865 /* Verify signature with r of zero fails. */
5867 const unsigned char pubkey_mods_zero[33] = {
5868 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5869 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5870 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5871 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5875 secp256k1_scalar msg;
5876 secp256k1_scalar sr, ss;
5877 secp256k1_scalar_set_int(&ss, 1);
5878 secp256k1_scalar_set_int(&msg, 0);
5879 secp256k1_scalar_set_int(&sr, 0);
5880 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
5881 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5884 /* Verify signature with s of zero fails. */
5886 const unsigned char pubkey[33] = {
5887 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5888 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5889 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5890 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5894 secp256k1_scalar msg;
5895 secp256k1_scalar sr, ss;
5896 secp256k1_scalar_set_int(&ss, 0);
5897 secp256k1_scalar_set_int(&msg, 0);
5898 secp256k1_scalar_set_int(&sr, 1);
5899 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5900 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5903 /* Verify signature with message 0 passes. */
5905 const unsigned char pubkey[33] = {
5906 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5907 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5908 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5909 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5912 const unsigned char pubkey2[33] = {
5913 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5914 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5915 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5916 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5921 secp256k1_scalar msg;
5922 secp256k1_scalar sr, ss;
5923 secp256k1_scalar_set_int(&ss, 2);
5924 secp256k1_scalar_set_int(&msg, 0);
5925 secp256k1_scalar_set_int(&sr, 2);
5926 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5927 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5928 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5929 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5930 secp256k1_scalar_negate(&ss, &ss);
5931 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5932 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5933 secp256k1_scalar_set_int(&ss, 1);
5934 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5935 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5938 /* Verify signature with message 1 passes. */
5940 const unsigned char pubkey[33] = {
5941 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
5942 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
5943 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
5944 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
5947 const unsigned char pubkey2[33] = {
5948 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
5949 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
5950 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
5951 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
5954 const unsigned char csr[32] = {
5955 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5956 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5957 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5958 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
5962 secp256k1_scalar msg;
5963 secp256k1_scalar sr, ss;
5964 secp256k1_scalar_set_int(&ss, 1);
5965 secp256k1_scalar_set_int(&msg, 1);
5966 secp256k1_scalar_set_b32(&sr, csr, NULL);
5967 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5968 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5969 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5970 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5971 secp256k1_scalar_negate(&ss, &ss);
5972 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5973 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5974 secp256k1_scalar_set_int(&ss, 2);
5975 secp256k1_scalar_inverse_var(&ss, &ss);
5976 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5977 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5980 /* Verify signature with message -1 passes. */
5982 const unsigned char pubkey[33] = {
5983 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5984 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5985 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5986 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5989 const unsigned char csr[32] = {
5990 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5991 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5992 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5993 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5996 secp256k1_scalar msg;
5997 secp256k1_scalar sr, ss;
5998 secp256k1_scalar_set_int(&ss, 1);
5999 secp256k1_scalar_set_int(&msg, 1);
6000 secp256k1_scalar_negate(&msg, &msg);
6001 secp256k1_scalar_set_b32(&sr, csr, NULL);
6002 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6003 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
6004 secp256k1_scalar_negate(&ss, &ss);
6005 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
6006 secp256k1_scalar_set_int(&ss, 3);
6007 secp256k1_scalar_inverse_var(&ss, &ss);
6008 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
6011 /* Signature where s would be zero. */
6013 secp256k1_pubkey pubkey;
6016 unsigned char signature[72];
6017 static const unsigned char nonce[32] = {
6018 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6019 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6020 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6021 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6023 static const unsigned char nonce2[32] = {
6024 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6025 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6026 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6027 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
6029 const unsigned char key[32] = {
6030 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6031 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6032 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6033 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6035 unsigned char msg[32] = {
6036 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
6037 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
6038 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
6039 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
6042 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6043 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
6044 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
6046 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
6048 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
6050 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
6052 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
6054 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
6055 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
6056 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
6058 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
6060 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
6062 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
6064 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
6066 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
6067 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
6070 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
6072 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
6073 CHECK(ecount == 10);
6074 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
6075 CHECK(ecount == 11);
6076 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
6077 CHECK(ecount == 11);
6078 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
6079 CHECK(ecount == 12);
6080 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
6081 CHECK(ecount == 13);
6082 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
6083 CHECK(ecount == 13);
6085 /* Too little room for a signature does not fail via ARGCHECK. */
6086 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
6087 CHECK(ecount == 13);
6089 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
6091 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
6093 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
6095 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
6097 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
6099 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
6101 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
6103 memset(signature, 255, 64);
6104 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
6106 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
6109 /* Nonce function corner cases. */
6110 for (t = 0; t < 2; t++) {
6111 static const unsigned char zero[32] = {0x00};
6113 unsigned char key[32];
6114 unsigned char msg[32];
6115 secp256k1_ecdsa_signature sig2;
6116 secp256k1_scalar sr[512], ss;
6117 const unsigned char *extra;
6118 extra = t == 0 ? NULL : zero;
6121 /* High key results in signature failure. */
6122 memset(key, 0xFF, 32);
6123 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
6124 CHECK(is_empty_signature(&sig));
6125 /* Zero key results in signature failure. */
6127 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
6128 CHECK(is_empty_signature(&sig));
6129 /* Nonce function failure results in signature failure. */
6131 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
6132 CHECK(is_empty_signature(&sig));
6133 /* The retry loop successfully makes its way to the first good value. */
6134 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
6135 CHECK(!is_empty_signature(&sig));
6136 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
6137 CHECK(!is_empty_signature(&sig2));
6138 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
6139 /* The default nonce function is deterministic. */
6140 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6141 CHECK(!is_empty_signature(&sig2));
6142 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
6143 /* The default nonce function changes output with different messages. */
6144 for(i = 0; i < 256; i++) {
6147 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6148 CHECK(!is_empty_signature(&sig2));
6149 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
6150 for (j = 0; j < i; j++) {
6151 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
6156 /* The default nonce function changes output with different keys. */
6157 for(i = 256; i < 512; i++) {
6160 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6161 CHECK(!is_empty_signature(&sig2));
6162 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
6163 for (j = 0; j < i; j++) {
6164 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
6171 /* Check that optional nonce arguments do not have equivalent effect. */
6172 const unsigned char zeros[32] = {0};
6173 unsigned char nonce[32];
6174 unsigned char nonce2[32];
6175 unsigned char nonce3[32];
6176 unsigned char nonce4[32];
6178 VG_UNDEF(nonce2,32);
6179 VG_UNDEF(nonce3,32);
6180 VG_UNDEF(nonce4,32);
6181 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
6183 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
6184 VG_CHECK(nonce2,32);
6185 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
6186 VG_CHECK(nonce3,32);
6187 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
6188 VG_CHECK(nonce4,32);
6189 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
6190 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
6191 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
6192 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
6193 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
6194 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
6198 /* Privkey export where pubkey is the point at infinity. */
6200 unsigned char privkey[300];
6201 unsigned char seckey[32] = {
6202 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6203 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6204 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6205 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
6207 size_t outlen = 300;
6208 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
6210 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
6214 void run_ecdsa_edge_cases(void) {
6215 test_ecdsa_edge_cases();
6218 #ifdef ENABLE_OPENSSL_TESTS
6219 EC_KEY *get_openssl_key(const unsigned char *key32) {
6220 unsigned char privkey[300];
6222 const unsigned char* pbegin = privkey;
6223 int compr = secp256k1_testrand_bits(1);
6224 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
6225 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
6226 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
6227 CHECK(EC_KEY_check_key(ec_key));
6231 void test_ecdsa_openssl(void) {
6234 secp256k1_scalar sigr, sigs;
6235 secp256k1_scalar one;
6236 secp256k1_scalar msg2;
6237 secp256k1_scalar key, msg;
6239 unsigned int sigsize = 80;
6240 size_t secp_sigsize = 80;
6241 unsigned char message[32];
6242 unsigned char signature[80];
6243 unsigned char key32[32];
6244 secp256k1_testrand256_test(message);
6245 secp256k1_scalar_set_b32(&msg, message, NULL);
6246 random_scalar_order_test(&key);
6247 secp256k1_scalar_get_b32(key32, &key);
6248 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
6249 secp256k1_ge_set_gej(&q, &qj);
6250 ec_key = get_openssl_key(key32);
6251 CHECK(ec_key != NULL);
6252 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
6253 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
6254 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
6255 secp256k1_scalar_set_int(&one, 1);
6256 secp256k1_scalar_add(&msg2, &msg, &one);
6257 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
6259 random_sign(&sigr, &sigs, &key, &msg, NULL);
6260 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
6261 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
6263 EC_KEY_free(ec_key);
6266 void run_ecdsa_openssl(void) {
6268 for (i = 0; i < 10*count; i++) {
6269 test_ecdsa_openssl();
6274 #ifdef ENABLE_MODULE_ECDH
6275 # include "modules/ecdh/tests_impl.h"
6278 #ifdef ENABLE_MODULE_RECOVERY
6279 # include "modules/recovery/tests_impl.h"
6282 #ifdef ENABLE_MODULE_EXTRAKEYS
6283 # include "modules/extrakeys/tests_impl.h"
6286 #ifdef ENABLE_MODULE_SCHNORRSIG
6287 # include "modules/schnorrsig/tests_impl.h"
6290 void run_secp256k1_memczero_test(void) {
6291 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
6292 unsigned char buf2[sizeof(buf1)];
6294 /* secp256k1_memczero(..., ..., 0) is a noop. */
6295 memcpy(buf2, buf1, sizeof(buf1));
6296 secp256k1_memczero(buf1, sizeof(buf1), 0);
6297 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
6299 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
6300 memset(buf2, 0, sizeof(buf2));
6301 secp256k1_memczero(buf1, sizeof(buf1) , 1);
6302 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
6305 void int_cmov_test(void) {
6309 secp256k1_int_cmov(&r, &a, 0);
6310 CHECK(r == INT_MAX);
6313 secp256k1_int_cmov(&r, &a, 1);
6314 CHECK(r == INT_MAX);
6317 secp256k1_int_cmov(&r, &a, 1);
6321 secp256k1_int_cmov(&r, &a, 1);
6325 secp256k1_int_cmov(&r, &a, 0);
6330 void fe_cmov_test(void) {
6331 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6332 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6333 static const secp256k1_fe max = SECP256K1_FE_CONST(
6334 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6335 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6337 secp256k1_fe r = max;
6338 secp256k1_fe a = zero;
6340 secp256k1_fe_cmov(&r, &a, 0);
6341 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6344 secp256k1_fe_cmov(&r, &a, 1);
6345 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6348 secp256k1_fe_cmov(&r, &a, 1);
6349 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6352 secp256k1_fe_cmov(&r, &a, 1);
6353 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6356 secp256k1_fe_cmov(&r, &a, 0);
6357 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6360 void fe_storage_cmov_test(void) {
6361 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6362 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6363 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
6364 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6365 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6367 secp256k1_fe_storage r = max;
6368 secp256k1_fe_storage a = zero;
6370 secp256k1_fe_storage_cmov(&r, &a, 0);
6371 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6374 secp256k1_fe_storage_cmov(&r, &a, 1);
6375 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6378 secp256k1_fe_storage_cmov(&r, &a, 1);
6379 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6382 secp256k1_fe_storage_cmov(&r, &a, 1);
6383 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6386 secp256k1_fe_storage_cmov(&r, &a, 0);
6387 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6390 void scalar_cmov_test(void) {
6391 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6392 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6393 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
6394 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6395 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6397 secp256k1_scalar r = max;
6398 secp256k1_scalar a = zero;
6400 secp256k1_scalar_cmov(&r, &a, 0);
6401 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6404 secp256k1_scalar_cmov(&r, &a, 1);
6405 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6408 secp256k1_scalar_cmov(&r, &a, 1);
6409 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6412 secp256k1_scalar_cmov(&r, &a, 1);
6413 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6416 secp256k1_scalar_cmov(&r, &a, 0);
6417 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6420 void ge_storage_cmov_test(void) {
6421 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
6422 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
6423 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
6424 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6425 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6426 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6427 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6429 secp256k1_ge_storage r = max;
6430 secp256k1_ge_storage a = zero;
6432 secp256k1_ge_storage_cmov(&r, &a, 0);
6433 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6436 secp256k1_ge_storage_cmov(&r, &a, 1);
6437 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6440 secp256k1_ge_storage_cmov(&r, &a, 1);
6441 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6444 secp256k1_ge_storage_cmov(&r, &a, 1);
6445 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6448 secp256k1_ge_storage_cmov(&r, &a, 0);
6449 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6452 void run_cmov_tests(void) {
6455 fe_storage_cmov_test();
6457 ge_storage_cmov_test();
6460 int main(int argc, char **argv) {
6461 /* Disable buffering for stdout to improve reliability of getting
6462 * diagnostic information. Happens right at the start of main because
6463 * setbuf must be used before any other operation on the stream. */
6464 setbuf(stdout, NULL);
6465 /* Also disable buffering for stderr because it's not guaranteed that it's
6466 * unbuffered on all systems. */
6467 setbuf(stderr, NULL);
6469 /* find iteration count */
6471 count = strtol(argv[1], NULL, 0);
6473 const char* env = getenv("SECP256K1_TEST_ITERS");
6475 count = strtol(env, NULL, 0);
6479 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
6480 return EXIT_FAILURE;
6482 printf("test count = %i\n", count);
6484 /* find random seed */
6485 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
6488 run_context_tests(0);
6489 run_context_tests(1);
6490 run_scratch_tests();
6491 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
6492 if (secp256k1_testrand_bits(1)) {
6493 unsigned char rand32[32];
6494 secp256k1_testrand256(rand32);
6495 CHECK(secp256k1_context_randomize(ctx, secp256k1_testrand_bits(1) ? rand32 : NULL));
6503 run_inverse_tests();
6506 run_hmac_sha256_tests();
6507 run_rfc6979_hmac_sha256_tests();
6514 run_field_convert();
6520 run_group_decompress();
6524 run_point_times_order();
6525 run_ecmult_near_split_bound();
6527 run_ecmult_constants();
6528 run_ecmult_gen_blind();
6529 run_ecmult_const_tests();
6530 run_ecmult_multi_tests();
6533 /* endomorphism tests */
6534 run_endomorphism_tests();
6536 /* EC point parser test */
6537 run_ec_pubkey_parse_test();
6539 /* EC key edge cases */
6540 run_eckey_edge_case_test();
6542 /* EC key arithmetic test */
6543 run_eckey_negate_test();
6545 #ifdef ENABLE_MODULE_ECDH
6551 run_pubkey_comparison();
6552 run_random_pubkeys();
6553 run_ecdsa_der_parse();
6554 run_ecdsa_sign_verify();
6555 run_ecdsa_end_to_end();
6556 run_ecdsa_edge_cases();
6557 #ifdef ENABLE_OPENSSL_TESTS
6558 run_ecdsa_openssl();
6561 #ifdef ENABLE_MODULE_RECOVERY
6562 /* ECDSA pubkey recovery tests */
6563 run_recovery_tests();
6566 #ifdef ENABLE_MODULE_EXTRAKEYS
6567 run_extrakeys_tests();
6570 #ifdef ENABLE_MODULE_SCHNORRSIG
6571 run_schnorrsig_tests();
6575 run_secp256k1_memczero_test();
6579 secp256k1_testrand_finish();
6582 secp256k1_context_destroy(ctx);
6584 printf("no problems found\n");
projects / secp256k1.git / blob