tests.c
1 /*********************************************************************** 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 #include <stdio.h> 8 #include <stdlib.h> 9 #include <string.h> 10 11 #include <time.h> 12 13 #ifdef USE_EXTERNAL_DEFAULT_CALLBACKS 14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.") 15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS 16 #endif 17 #if defined(VERIFY) && defined(COVERAGE) 18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.") 19 #endif 20 #include "secp256k1.c" 21 22 #include "../include/secp256k1.h" 23 #include "../include/secp256k1_preallocated.h" 24 #include "testrand_impl.h" 25 #include "checkmem.h" 26 #include "testutil.h" 27 #include "util.h" 28 #include "unit_test.h" 29 #include "unit_test.c" 30 31 #include "../contrib/lax_der_parsing.c" 32 #include "../contrib/lax_der_privatekey_parsing.c" 33 34 #include "modinv32_impl.h" 35 #ifdef SECP256K1_WIDEMUL_INT128 36 #include "modinv64_impl.h" 37 #include "int128_impl.h" 38 #endif 39 40 #define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else 41 42 static secp256k1_context *CTX = NULL; 43 static secp256k1_context *STATIC_CTX = NULL; 44 45 static int all_bytes_equal(const void* s, unsigned char value, size_t n) { 46 const unsigned char *p = s; 47 size_t i; 48 49 for (i = 0; i < n; i++) { 50 if (p[i] != value) { 51 return 0; 52 } 53 } 54 return 1; 55 } 56 57 #define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \ 58 int32_t _calls_to_callback = 0; \ 59 secp256k1_callback _saved_callback = ctx->callback; \ 60 callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \ 61 { expr_or_stmt; } \ 62 ctx->callback = _saved_callback; \ 63 CHECK(_calls_to_callback == 1); \ 64 } while(0); 65 66 /* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once 67 * 68 * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */ 69 #define CHECK_ERROR_VOID(ctx, expr_or_stmt) \ 70 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback) 71 #define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \ 72 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback) 73 74 /* CHECK that 75 * - expr calls the illegal callback of ctx exactly once and, 76 * - expr == 0 (or equivalently, expr == NULL) 77 * 78 * Useful for checking functions that return an integer or a pointer. */ 79 #define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0)) 80 #define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0)) 81 82 static void counting_callback_fn(const char* str, void* data) { 83 /* Dummy callback function that just counts. */ 84 int32_t *p; 85 (void)str; 86 p = data; 87 CHECK(*p != INT32_MAX); 88 (*p)++; 89 } 90 91 static void run_xoshiro256pp_tests(void) { 92 { 93 size_t i; 94 /* Sanity check that we run before the actual seeding. */ 95 for (i = 0; i < ARRAY_SIZE(secp256k1_test_state); i++) { 96 CHECK(secp256k1_test_state[i] == 0); 97 } 98 } 99 { 100 int i; 101 unsigned char buf32[32]; 102 unsigned char seed16[16] = { 103 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!', 104 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!', 105 }; 106 unsigned char buf32_expected[32] = { 107 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0, 108 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36, 109 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF, 110 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30, 111 }; 112 testrand_seed(seed16); 113 for (i = 0; i < 17; i++) { 114 testrand256(buf32); 115 } 116 CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0); 117 } 118 } 119 120 static void run_selftest_tests(void) { 121 /* Test public API */ 122 secp256k1_selftest(); 123 } 124 125 static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) { 126 return a->built == b->built 127 && secp256k1_scalar_eq(&a->scalar_offset, &b->scalar_offset) 128 && secp256k1_ge_eq_var(&a->ge_offset, &b->ge_offset) 129 && secp256k1_fe_equal(&a->proj_blind, &b->proj_blind); 130 } 131 132 static int context_eq(const secp256k1_context *a, const secp256k1_context *b) { 133 return a->declassify == b->declassify 134 && ecmult_gen_context_eq(&a->ecmult_gen_ctx, &b->ecmult_gen_ctx) 135 && a->hash_ctx.fn_sha256_compression == b->hash_ctx.fn_sha256_compression 136 && a->illegal_callback.fn == b->illegal_callback.fn 137 && a->illegal_callback.data == b->illegal_callback.data 138 && a->error_callback.fn == b->error_callback.fn 139 && a->error_callback.data == b->error_callback.data; 140 } 141 142 static void run_deprecated_context_flags_test(void) { 143 /* Check that a context created with any of the flags in the flags array is 144 * identical to the NONE context. */ 145 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN, 146 SECP256K1_CONTEXT_VERIFY, 147 SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY }; 148 secp256k1_context *none_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 149 int i; 150 for (i = 0; i < (int)(ARRAY_SIZE(flags)); i++) { 151 secp256k1_context *tmp_ctx; 152 CHECK(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE) == secp256k1_context_preallocated_size(flags[i])); 153 tmp_ctx = secp256k1_context_create(flags[i]); 154 CHECK(context_eq(none_ctx, tmp_ctx)); 155 secp256k1_context_destroy(tmp_ctx); 156 } 157 secp256k1_context_destroy(none_ctx); 158 } 159 160 static void run_ec_illegal_argument_tests(void) { 161 secp256k1_pubkey pubkey; 162 secp256k1_pubkey zero_pubkey; 163 secp256k1_ecdsa_signature sig; 164 unsigned char ctmp[32]; 165 166 /* Setup */ 167 memset(ctmp, 1, 32); 168 memset(&zero_pubkey, 0, sizeof(zero_pubkey)); 169 170 /* Verify context-type checking illegal-argument errors. */ 171 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ec_pubkey_create(STATIC_CTX, &pubkey, ctmp)); 172 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 173 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1); 174 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 175 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL)); 176 SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig)); 177 CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1); 178 SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig)); 179 CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1); 180 CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1); 181 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1); 182 CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1); 183 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1); 184 CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &pubkey) == 1); 185 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1); 186 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ec_pubkey_negate(STATIC_CTX, &zero_pubkey)); 187 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_negate(CTX, NULL)); 188 CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1); 189 } 190 191 static void run_static_context_tests(int use_prealloc) { 192 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */ 193 CHECK(secp256k1_context_no_precomp == secp256k1_context_static); 194 195 { 196 unsigned char seed[32] = {0x17}; 197 198 /* Randomizing secp256k1_context_static is not supported. */ 199 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, seed)); 200 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, NULL)); 201 202 /* Destroying or cloning secp256k1_context_static is not supported. */ 203 if (use_prealloc) { 204 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone_size(STATIC_CTX)); 205 { 206 secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX)); 207 CHECK(my_static_ctx != NULL); 208 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx)); 209 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone(STATIC_CTX, my_static_ctx)); 210 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx))); 211 free(my_static_ctx); 212 } 213 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_preallocated_destroy(STATIC_CTX)); 214 } else { 215 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_clone(STATIC_CTX)); 216 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_destroy(STATIC_CTX)); 217 } 218 } 219 220 { 221 /* Verify that setting and resetting illegal callback works */ 222 int32_t dummy = 0; 223 secp256k1_context_set_illegal_callback(STATIC_CTX, counting_callback_fn, &dummy); 224 CHECK(STATIC_CTX->illegal_callback.fn == counting_callback_fn); 225 CHECK(STATIC_CTX->illegal_callback.data == &dummy); 226 secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL); 227 CHECK(STATIC_CTX->illegal_callback.fn == secp256k1_default_illegal_callback_fn); 228 CHECK(STATIC_CTX->illegal_callback.data == NULL); 229 } 230 } 231 232 static void run_all_static_context_tests(void) 233 { 234 run_static_context_tests(0); 235 run_static_context_tests(1); 236 } 237 238 static void run_proper_context_tests(int use_prealloc) { 239 int32_t dummy = 0; 240 secp256k1_context *my_ctx, *my_ctx_fresh; 241 void *my_ctx_prealloc = NULL; 242 unsigned char seed[32] = {0x17}; 243 244 secp256k1_gej pubj; 245 secp256k1_ge pub; 246 secp256k1_scalar msg, key, nonce; 247 secp256k1_scalar sigr, sigs; 248 249 /* Fresh reference context for comparison */ 250 my_ctx_fresh = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 251 252 if (use_prealloc) { 253 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 254 CHECK(my_ctx_prealloc != NULL); 255 my_ctx = secp256k1_context_preallocated_create(my_ctx_prealloc, SECP256K1_CONTEXT_NONE); 256 } else { 257 my_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 258 } 259 260 /* Randomize and reset randomization */ 261 CHECK(context_eq(my_ctx, my_ctx_fresh)); 262 CHECK(secp256k1_context_randomize(my_ctx, seed) == 1); 263 CHECK(!context_eq(my_ctx, my_ctx_fresh)); 264 CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1); 265 CHECK(context_eq(my_ctx, my_ctx_fresh)); 266 267 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */ 268 secp256k1_context_set_error_callback(my_ctx, secp256k1_default_illegal_callback_fn, NULL); 269 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn); 270 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn); 271 272 /* check if sizes for cloning are consistent */ 273 CHECK(secp256k1_context_preallocated_clone_size(my_ctx) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 274 275 /*** clone and destroy all of them to make sure cloning was complete ***/ 276 { 277 secp256k1_context *ctx_tmp; 278 279 if (use_prealloc) { 280 /* clone into a non-preallocated context and then again into a new preallocated one. */ 281 ctx_tmp = my_ctx; 282 my_ctx = secp256k1_context_clone(my_ctx); 283 CHECK(context_eq(ctx_tmp, my_ctx)); 284 secp256k1_context_preallocated_destroy(ctx_tmp); 285 286 free(my_ctx_prealloc); 287 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 288 CHECK(my_ctx_prealloc != NULL); 289 ctx_tmp = my_ctx; 290 my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc); 291 CHECK(context_eq(ctx_tmp, my_ctx)); 292 secp256k1_context_destroy(ctx_tmp); 293 } else { 294 /* clone into a preallocated context and then again into a new non-preallocated one. */ 295 void *prealloc_tmp; 296 297 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 298 CHECK(prealloc_tmp != NULL); 299 ctx_tmp = my_ctx; 300 my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp); 301 CHECK(context_eq(ctx_tmp, my_ctx)); 302 secp256k1_context_destroy(ctx_tmp); 303 304 ctx_tmp = my_ctx; 305 my_ctx = secp256k1_context_clone(my_ctx); 306 CHECK(context_eq(ctx_tmp, my_ctx)); 307 secp256k1_context_preallocated_destroy(ctx_tmp); 308 free(prealloc_tmp); 309 } 310 } 311 312 /* Verify that the error callback makes it across the clone. */ 313 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn); 314 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn); 315 /* And that it resets back to default. */ 316 secp256k1_context_set_error_callback(my_ctx, NULL, NULL); 317 CHECK(my_ctx->error_callback.fn == secp256k1_default_error_callback_fn); 318 CHECK(context_eq(my_ctx, my_ctx_fresh)); 319 320 /* Verify that setting and resetting illegal callback works */ 321 secp256k1_context_set_illegal_callback(my_ctx, counting_callback_fn, &dummy); 322 CHECK(my_ctx->illegal_callback.fn == counting_callback_fn); 323 CHECK(my_ctx->illegal_callback.data == &dummy); 324 secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL); 325 CHECK(my_ctx->illegal_callback.fn == secp256k1_default_illegal_callback_fn); 326 CHECK(my_ctx->illegal_callback.data == NULL); 327 CHECK(context_eq(my_ctx, my_ctx_fresh)); 328 329 /*** attempt to use them ***/ 330 testutil_random_scalar_order_test(&msg); 331 testutil_random_scalar_order_test(&key); 332 secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key); 333 secp256k1_ge_set_gej(&pub, &pubj); 334 335 /* obtain a working nonce */ 336 do { 337 testutil_random_scalar_order_test(&nonce); 338 } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 339 340 /* try signing */ 341 CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 342 343 /* try verifying */ 344 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); 345 346 /* cleanup */ 347 if (use_prealloc) { 348 secp256k1_context_preallocated_destroy(my_ctx); 349 free(my_ctx_prealloc); 350 } else { 351 secp256k1_context_destroy(my_ctx); 352 } 353 secp256k1_context_destroy(my_ctx_fresh); 354 355 /* Defined as no-op. */ 356 secp256k1_context_destroy(NULL); 357 secp256k1_context_preallocated_destroy(NULL); 358 } 359 360 static void run_all_proper_context_tests(void) 361 { 362 run_proper_context_tests(0); 363 run_proper_context_tests(1); 364 } 365 366 static void run_scratch_tests(void) { 367 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT; 368 369 size_t checkpoint; 370 size_t checkpoint_2; 371 secp256k1_scratch_space *scratch; 372 secp256k1_scratch_space local_scratch; 373 374 /* Test public API */ 375 scratch = secp256k1_scratch_space_create(CTX, 1000); 376 CHECK(scratch != NULL); 377 378 /* Test internal API */ 379 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000); 380 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1)); 381 CHECK(scratch->alloc_size == 0); 382 CHECK(scratch->alloc_size % ALIGNMENT == 0); 383 384 /* Allocating 500 bytes succeeds */ 385 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch); 386 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL); 387 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc); 388 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); 389 CHECK(scratch->alloc_size != 0); 390 CHECK(scratch->alloc_size % ALIGNMENT == 0); 391 392 /* Allocating another 501 bytes fails */ 393 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL); 394 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc); 395 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); 396 CHECK(scratch->alloc_size != 0); 397 CHECK(scratch->alloc_size % ALIGNMENT == 0); 398 399 /* ...but it succeeds once we apply the checkpoint to undo it */ 400 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint); 401 CHECK(scratch->alloc_size == 0); 402 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000); 403 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL); 404 CHECK(scratch->alloc_size != 0); 405 406 /* try to apply a bad checkpoint */ 407 checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch); 408 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint); 409 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */ 410 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */ 411 412 /* try to use badly initialized scratch space */ 413 secp256k1_scratch_space_destroy(CTX, scratch); 414 memset(&local_scratch, 0, sizeof(local_scratch)); 415 scratch = &local_scratch; 416 CHECK_ERROR(CTX, secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0)); 417 CHECK_ERROR(CTX, secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500)); 418 CHECK_ERROR_VOID(CTX, secp256k1_scratch_space_destroy(CTX, scratch)); 419 420 /* Test that large integers do not wrap around in a bad way */ 421 scratch = secp256k1_scratch_space_create(CTX, 1000); 422 /* Try max allocation with a large number of objects. Only makes sense if 423 * ALIGNMENT is greater than 1 because otherwise the objects take no extra 424 * space. */ 425 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1)); 426 /* Try allocating SIZE_MAX to test wrap around which only happens if 427 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch 428 * space is too small. */ 429 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL); 430 secp256k1_scratch_space_destroy(CTX, scratch); 431 432 /* cleanup */ 433 secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */ 434 } 435 436 /* A compression function that does nothing */ 437 static void invalid_sha256_compression(uint32_t *s, const unsigned char *msg, size_t rounds) { 438 (void)s; (void)msg; (void)rounds; 439 } 440 441 static int own_transform_called = 0; 442 static void good_sha256_compression(uint32_t *s, const unsigned char *msg, size_t rounds) { 443 own_transform_called = 1; 444 secp256k1_sha256_transform(s, msg, rounds); 445 } 446 447 static void run_plug_sha256_compression_tests(void) { 448 secp256k1_context *ctx, *ctx_cloned; 449 secp256k1_sha256 sha; 450 unsigned char sha_out[32]; 451 /* 1) Verify the context is initialized with the default compression function */ 452 ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 453 CHECK(ctx->hash_ctx.fn_sha256_compression == secp256k1_sha256_transform); 454 455 /* 2) Verify providing a bad compression function fails during set */ 456 CHECK_ILLEGAL_VOID(ctx, secp256k1_context_set_sha256_compression(ctx, invalid_sha256_compression)); 457 CHECK(ctx->hash_ctx.fn_sha256_compression == secp256k1_sha256_transform); 458 459 /* 3) Provide sha256 to ctx and verify it is called when provided */ 460 own_transform_called = 0; 461 secp256k1_context_set_sha256_compression(ctx, good_sha256_compression); 462 CHECK(own_transform_called); 463 464 /* 4) Verify callback makes it across clone */ 465 ctx_cloned = secp256k1_context_clone(ctx); 466 CHECK(ctx_cloned->hash_ctx.fn_sha256_compression == good_sha256_compression); 467 468 /* 5) A hash operation should invoke the installed callback */ 469 own_transform_called = 0; 470 secp256k1_sha256_initialize(&sha); 471 secp256k1_sha256_write(secp256k1_get_hash_context(ctx), &sha, (const unsigned char*)"a", 1); 472 secp256k1_sha256_finalize(secp256k1_get_hash_context(ctx), &sha, sha_out); 473 CHECK(own_transform_called); 474 475 /* 6) Unset sha256 and verify the default one is set again */ 476 secp256k1_context_set_sha256_compression(ctx, NULL); 477 CHECK(ctx->hash_ctx.fn_sha256_compression == secp256k1_sha256_transform); 478 479 secp256k1_context_destroy(ctx); 480 secp256k1_context_destroy(ctx_cloned); 481 } 482 483 static void run_sha256_multi_block_compression_tests(void) { 484 secp256k1_hash_ctx hash_ctx; 485 secp256k1_sha256 sha256_one; 486 secp256k1_sha256 sha256_two; 487 unsigned char out_one[32], out_two[32]; 488 489 hash_ctx.fn_sha256_compression = secp256k1_sha256_transform; 490 491 { /* 1) Writing one 64-byte full block vs two 32-byte blocks */ 492 const unsigned char data[64] = "totally serious test message to hash, definitely no random data"; 493 unsigned char data32[32]; 494 495 secp256k1_sha256_initialize(&sha256_one); 496 secp256k1_sha256_initialize(&sha256_two); 497 498 /* Write the 64-byte block */ 499 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 64); 500 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one); 501 502 /* Write the two 32-byte blocks */ 503 memcpy(data32, data, 32); 504 secp256k1_sha256_write(&hash_ctx, &sha256_two, data32, 32); 505 memcpy(data32, data + 32, 32); 506 secp256k1_sha256_write(&hash_ctx, &sha256_two, data32, 32); 507 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two); 508 509 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0); 510 } 511 512 { /* 2) Writing one 80-byte block vs two 40-byte blocks */ 513 const unsigned char data[80] = "Genesis: The Times 03/Jan/2009 Chancellor on brink of second bailout for banks "; 514 unsigned char data40[40]; 515 516 secp256k1_sha256_initialize(&sha256_one); 517 secp256k1_sha256_initialize(&sha256_two); 518 519 /* Write the 80-byte block */ 520 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 80); 521 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one); 522 523 /* Write the two 40-byte blocks */ 524 memcpy(data40, data, 40); 525 secp256k1_sha256_write(&hash_ctx, &sha256_two, data40, 40); 526 memcpy(data40, data + 40, 40); 527 secp256k1_sha256_write(&hash_ctx, &sha256_two, data40, 40); 528 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two); 529 530 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0); 531 } 532 533 { /* 3) Writing multiple consecutive full blocks in one write (128 bytes) */ 534 unsigned char data[128]; 535 unsigned char i; 536 for (i = 0; i < 128; i++) data[i] = i; 537 538 secp256k1_sha256_initialize(&sha256_one); 539 secp256k1_sha256_initialize(&sha256_two); 540 541 /* Single write of 128 bytes (two full 64-byte blocks) */ 542 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 128); 543 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one); 544 545 /* Two separate writes of 64 bytes each */ 546 secp256k1_sha256_write(&hash_ctx, &sha256_two, data, 64); 547 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 64, 64); 548 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two); 549 550 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0); 551 } 552 553 { /* 4) Mixed small + large writes in sequence */ 554 unsigned char data[150]; 555 unsigned char i; 556 for (i = 0; i < 150; i++) data[i] = i; 557 558 secp256k1_sha256_initialize(&sha256_one); 559 secp256k1_sha256_initialize(&sha256_two); 560 561 /* Single write of 150 bytes */ 562 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 150); 563 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one); 564 565 /* Split writes: 10, 64, 64, 12 bytes */ 566 secp256k1_sha256_write(&hash_ctx, &sha256_two, data, 10); 567 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 10, 64); 568 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 74, 64); 569 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 138, 12); 570 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two); 571 572 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0); 573 } 574 } 575 576 static void run_ctz_tests(void) { 577 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129}; 578 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef}; 579 int shift; 580 unsigned i; 581 for (i = 0; i < ARRAY_SIZE(b32); ++i) { 582 for (shift = 0; shift < 32; ++shift) { 583 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift); 584 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift); 585 } 586 } 587 for (i = 0; i < ARRAY_SIZE(b64); ++i) { 588 for (shift = 0; shift < 64; ++shift) { 589 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift); 590 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift); 591 } 592 } 593 } 594 595 /***** HASH TESTS *****/ 596 597 static void run_sha256_known_output_tests(void) { 598 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX); 599 static const char *inputs[] = { 600 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe", 601 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 602 "For this sample, this 63-byte string will be used as input data", 603 "This is exactly 64 bytes long, not counting the terminating byte", 604 "aaaaa", 605 }; 606 static const unsigned int repeat[] = { 607 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5 608 }; 609 static const unsigned char outputs[][32] = { 610 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}, 611 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad}, 612 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50}, 613 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d}, 614 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30}, 615 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1}, 616 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42}, 617 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}, 618 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0}, 619 }; 620 unsigned int i, ninputs; 621 622 /* Skip last input vector for low iteration counts */ 623 ninputs = ARRAY_SIZE(inputs) - 1; 624 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++; 625 626 for (i = 0; i < ninputs; i++) { 627 unsigned char out[32]; 628 secp256k1_sha256 hasher; 629 unsigned int j; 630 /* 1. Run: simply write the input bytestrings */ 631 j = repeat[i]; 632 secp256k1_sha256_initialize(&hasher); 633 while (j > 0) { 634 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); 635 j--; 636 } 637 secp256k1_sha256_finalize(hash_ctx, &hasher, out); 638 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); 639 /* 2. Run: split the input bytestrings randomly before writing */ 640 if (strlen(inputs[i]) > 0) { 641 int split = testrand_int(strlen(inputs[i])); 642 secp256k1_sha256_initialize(&hasher); 643 j = repeat[i]; 644 while (j > 0) { 645 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), split); 646 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); 647 j--; 648 } 649 secp256k1_sha256_finalize(hash_ctx, &hasher, out); 650 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); 651 } 652 } 653 } 654 655 /** SHA256 counter tests 656 657 The tests verify that the SHA256 counter doesn't wrap around at message length 658 2^i bytes for i = 20, ..., 33. This wide range aims at being independent of the 659 implementation of the counter and it catches multiple natural 32-bit overflows 660 (e.g., counting bits, counting bytes, counting blocks, ...). 661 662 The test vectors have been generated using following Python script which relies 663 on https://github.com/cloudtools/sha256/ (v0.3 on Python v3.10.2). 664 665 ``` 666 from sha256 import sha256 667 from copy import copy 668 669 def midstate_c_definition(hasher): 670 ret = ' {{0x' + hasher.state[0].hex('_', 4).replace('_', ', 0x') + '},\n' 671 ret += ' {0x00}, ' + str(hex(hasher.state[1])) + '}' 672 return ret 673 674 def output_c_literal(hasher): 675 return '{0x' + hasher.digest().hex('_').replace('_', ', 0x') + '}' 676 677 MESSAGE = b'abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno' 678 assert(len(MESSAGE) == 64) 679 BYTE_BOUNDARIES = [(2**b)//len(MESSAGE) - 1 for b in range(20, 34)] 680 681 midstates = [] 682 digests = [] 683 hasher = sha256() 684 for i in range(BYTE_BOUNDARIES[-1] + 1): 685 if i in BYTE_BOUNDARIES: 686 midstates.append(midstate_c_definition(hasher)) 687 hasher_copy = copy(hasher) 688 hasher_copy.update(MESSAGE) 689 digests.append(output_c_literal(hasher_copy)) 690 hasher.update(MESSAGE) 691 692 for x in midstates: 693 print(x + ',') 694 695 for x in digests: 696 print(x + ',') 697 ``` 698 */ 699 static void run_sha256_counter_tests(void) { 700 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno"; 701 static const secp256k1_sha256 midstates[] = { 702 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda}, 703 {0x00}, 0xfffc0}, 704 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26}, 705 {0x00}, 0x1fffc0}, 706 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1}, 707 {0x00}, 0x3fffc0}, 708 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6}, 709 {0x00}, 0x7fffc0}, 710 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c}, 711 {0x00}, 0xffffc0}, 712 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2}, 713 {0x00}, 0x1ffffc0}, 714 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c}, 715 {0x00}, 0x3ffffc0}, 716 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0}, 717 {0x00}, 0x7ffffc0}, 718 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad}, 719 {0x00}, 0xfffffc0}, 720 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023}, 721 {0x00}, 0x1fffffc0}, 722 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1}, 723 {0x00}, 0x3fffffc0}, 724 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec}, 725 {0x00}, 0x7fffffc0}, 726 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162}, 727 {0x00}, 0xffffffc0}, 728 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a}, 729 {0x00}, 0x1ffffffc0}, 730 }; 731 static const unsigned char outputs[][32] = { 732 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15}, 733 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb}, 734 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e}, 735 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9}, 736 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7}, 737 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07}, 738 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76}, 739 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0}, 740 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8}, 741 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6}, 742 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e}, 743 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b}, 744 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34}, 745 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e}, 746 }; 747 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX); 748 unsigned int i; 749 for (i = 0; i < ARRAY_SIZE(midstates); i++) { 750 unsigned char out[32]; 751 secp256k1_sha256 hasher = midstates[i]; 752 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)input, strlen(input)); 753 secp256k1_sha256_finalize(hash_ctx, &hasher, out); 754 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); 755 } 756 } 757 758 /* Tests for the equality of two sha256 structs. This function only produces a 759 * correct result if an integer multiple of 64 many bytes have been written 760 * into the hash functions. This function is used by some module tests. */ 761 static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) { 762 /* Is buffer fully consumed? */ 763 CHECK((sha1->bytes & 0x3F) == 0); 764 765 CHECK(sha1->bytes == sha2->bytes); 766 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0); 767 } 768 /* Convenience function for using test_sha256_eq to verify the correctness of a 769 * tagged hash midstate. This function is used by some module tests. */ 770 static void test_sha256_tag_midstate(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen) { 771 secp256k1_sha256 sha; 772 secp256k1_sha256_initialize_tagged(hash_ctx, &sha, tag, taglen); 773 test_sha256_eq(&sha, sha_tagged); 774 } 775 776 static void run_hmac_sha256_tests(void) { 777 static const char *keys[6] = { 778 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 779 "\x4a\x65\x66\x65", 780 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 781 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19", 782 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 783 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 784 }; 785 static const char *inputs[6] = { 786 "\x48\x69\x20\x54\x68\x65\x72\x65", 787 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f", 788 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd", 789 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd", 790 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74", 791 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e" 792 }; 793 static const unsigned char outputs[6][32] = { 794 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7}, 795 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43}, 796 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe}, 797 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b}, 798 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54}, 799 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2} 800 }; 801 int i; 802 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX); 803 for (i = 0; i < 6; i++) { 804 secp256k1_hmac_sha256 hasher; 805 unsigned char out[32]; 806 secp256k1_hmac_sha256_initialize(hash_ctx, &hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); 807 secp256k1_hmac_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); 808 secp256k1_hmac_sha256_finalize(hash_ctx, &hasher, out); 809 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); 810 if (strlen(inputs[i]) > 0) { 811 int split = testrand_int(strlen(inputs[i])); 812 secp256k1_hmac_sha256_initialize(hash_ctx, &hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); 813 secp256k1_hmac_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), split); 814 secp256k1_hmac_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); 815 secp256k1_hmac_sha256_finalize(hash_ctx, &hasher, out); 816 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); 817 } 818 } 819 } 820 821 static void run_rfc6979_hmac_sha256_tests(void) { 822 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0}; 823 static const unsigned char out1[3][32] = { 824 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb}, 825 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a}, 826 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e} 827 }; 828 829 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}; 830 static const unsigned char out2[3][32] = { 831 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95}, 832 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9}, 833 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94} 834 }; 835 836 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX); 837 secp256k1_rfc6979_hmac_sha256 rng; 838 unsigned char out[32]; 839 int i; 840 841 secp256k1_rfc6979_hmac_sha256_initialize(hash_ctx, &rng, key1, 64); 842 for (i = 0; i < 3; i++) { 843 secp256k1_rfc6979_hmac_sha256_generate(hash_ctx, &rng, out, 32); 844 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0); 845 } 846 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 847 848 secp256k1_rfc6979_hmac_sha256_initialize(hash_ctx, &rng, key1, 65); 849 for (i = 0; i < 3; i++) { 850 secp256k1_rfc6979_hmac_sha256_generate(hash_ctx, &rng, out, 32); 851 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0); 852 } 853 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 854 855 secp256k1_rfc6979_hmac_sha256_initialize(hash_ctx, &rng, key2, 64); 856 for (i = 0; i < 3; i++) { 857 secp256k1_rfc6979_hmac_sha256_generate(hash_ctx, &rng, out, 32); 858 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0); 859 } 860 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 861 } 862 863 static void run_tagged_sha256_tests(void) { 864 unsigned char tag[32] = { 0 }; 865 unsigned char msg[32] = { 0 }; 866 unsigned char hash32[32]; 867 unsigned char hash_expected[32] = { 868 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1, 869 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62, 870 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C, 871 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3 872 }; 873 874 /* API test */ 875 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1); 876 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg))); 877 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg))); 878 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0)); 879 880 /* Static test vector */ 881 memcpy(tag, "tag", 3); 882 memcpy(msg, "msg", 3); 883 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1); 884 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0); 885 } 886 887 static void run_sha256_initialize_midstate_tests(void) { 888 /* Midstate for the tagged hash with tag "sha256_midstate_test_tag". */ 889 static const unsigned char tag[] = "sha256_midstate_test_tag"; 890 static const uint32_t midstate[8] = { 891 0xa9ec59eaul, 0x9b4c2ffful, 0x400821e2ul, 0x0dcf3847ul, 892 0xbe7ea179ul, 0xa5772bdcul, 0x7d29bfe3ul, 0xa486b855ul 893 }; 894 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX); 895 secp256k1_sha256 sha; 896 897 secp256k1_sha256_initialize_midstate(&sha, 64, midstate); 898 test_sha256_tag_midstate(hash_ctx, &sha, tag, sizeof(tag) - 1); 899 } 900 901 /***** MODINV TESTS *****/ 902 903 /* Compute the modular inverse of (odd) x mod 2^64. */ 904 static uint64_t modinv2p64(uint64_t x) { 905 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See 906 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for 907 * why. Start with L=0, for which it is true for every odd x that 908 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */ 909 int l; 910 uint64_t w = 1; 911 CHECK(x & 1); 912 for (l = 0; l < 6; ++l) w *= (2 - w*x); 913 return w; 914 } 915 916 917 /* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity. 918 * 919 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other 920 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */ 921 static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) { 922 uint16_t mul[32]; 923 uint64_t c = 0; 924 int i, j; 925 int m_bitlen = 0; 926 int mul_bitlen = 0; 927 928 if (b != NULL) { 929 /* Compute the product of a and b, and put it in mul. */ 930 for (i = 0; i < 32; ++i) { 931 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) { 932 c += (uint64_t)a[j] * b[i - j]; 933 } 934 mul[i] = c & 0xFFFF; 935 c >>= 16; 936 } 937 CHECK(c == 0); 938 939 /* compute the highest set bit in mul */ 940 for (i = 511; i >= 0; --i) { 941 if ((mul[i >> 4] >> (i & 15)) & 1) { 942 mul_bitlen = i; 943 break; 944 } 945 } 946 } else { 947 /* if b==NULL, set mul=a. */ 948 memcpy(mul, a, 32); 949 memset(mul + 16, 0, 32); 950 /* compute the highest set bit in mul */ 951 for (i = 255; i >= 0; --i) { 952 if ((mul[i >> 4] >> (i & 15)) & 1) { 953 mul_bitlen = i; 954 break; 955 } 956 } 957 } 958 959 if (m) { 960 /* Compute the highest set bit in m. */ 961 for (i = 255; i >= 0; --i) { 962 if ((m[i >> 4] >> (i & 15)) & 1) { 963 m_bitlen = i; 964 break; 965 } 966 } 967 968 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */ 969 for (i = mul_bitlen - m_bitlen; i >= 0; --i) { 970 uint16_t mul2[32]; 971 int64_t cs; 972 973 /* Compute mul2 = mul - m<<i. */ 974 cs = 0; /* accumulator */ 975 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */ 976 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */ 977 uint16_t sub = 0; 978 int p; 979 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */ 980 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */ 981 if (bitpos >= 0 && bitpos < 256) { 982 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p; 983 } 984 } 985 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */ 986 cs += mul[j]; 987 cs -= sub; 988 mul2[j] = (cs & 0xFFFF); 989 cs >>= 16; 990 } 991 /* If remainder of subtraction is 0, set mul = mul2. */ 992 if (cs == 0) { 993 memcpy(mul, mul2, sizeof(mul)); 994 } 995 } 996 /* Sanity check: test that all limbs higher than m's highest are zero */ 997 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) { 998 CHECK(mul[i] == 0); 999 } 1000 } 1001 memcpy(out, mul, 32); 1002 } 1003 1004 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */ 1005 static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) { 1006 int i; 1007 memset(out->v, 0, sizeof(out->v)); 1008 for (i = 0; i < 256; ++i) { 1009 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30); 1010 } 1011 } 1012 1013 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */ 1014 static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) { 1015 int i; 1016 memset(out, 0, 32); 1017 for (i = 0; i < 256; ++i) { 1018 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15); 1019 } 1020 } 1021 1022 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */ 1023 static void mutate_sign_signed30(secp256k1_modinv32_signed30* x) { 1024 int i; 1025 for (i = 0; i < 16; ++i) { 1026 int pos = testrand_bits(3); 1027 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) { 1028 x->v[pos] -= 0x40000000; 1029 x->v[pos + 1] += 1; 1030 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) { 1031 x->v[pos] += 0x40000000; 1032 x->v[pos + 1] -= 1; 1033 } 1034 } 1035 } 1036 1037 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */ 1038 static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) { 1039 uint16_t tmp[16]; 1040 secp256k1_modinv32_signed30 x; 1041 secp256k1_modinv32_modinfo m; 1042 int i, vartime, nonzero; 1043 1044 uint16_to_signed30(&x, in); 1045 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0; 1046 uint16_to_signed30(&m.modulus, mod); 1047 1048 /* compute 1/modulus mod 2^30 */ 1049 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff; 1050 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1); 1051 1052 /* Test secp256k1_jacobi32_maybe_var. */ 1053 if (nonzero) { 1054 int jac; 1055 uint16_t sqr[16], negone[16]; 1056 mulmod256(sqr, in, in, mod); 1057 uint16_to_signed30(&x, sqr); 1058 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */ 1059 jac = secp256k1_jacobi32_maybe_var(&x, &m); 1060 CHECK(jac == 0 || jac == 1); 1061 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite 1062 * jacobi symbols if and only if (mod % 4) == 3. */ 1063 negone[0] = mod[0] - 1; 1064 for (i = 1; i < 16; ++i) negone[i] = mod[i]; 1065 mulmod256(sqr, sqr, negone, mod); 1066 uint16_to_signed30(&x, sqr); 1067 jac = secp256k1_jacobi32_maybe_var(&x, &m); 1068 CHECK(jac == 0 || jac == 1 - (mod[0] & 2)); 1069 } 1070 1071 uint16_to_signed30(&x, in); 1072 mutate_sign_signed30(&m.modulus); 1073 for (vartime = 0; vartime < 2; ++vartime) { 1074 /* compute inverse */ 1075 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m); 1076 1077 /* produce output */ 1078 signed30_to_uint16(out, &x); 1079 1080 /* check if the inverse times the input is 1 (mod m), unless x is 0. */ 1081 mulmod256(tmp, out, in, mod); 1082 CHECK(tmp[0] == nonzero); 1083 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0); 1084 1085 /* invert again */ 1086 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m); 1087 1088 /* check if the result is equal to the input */ 1089 signed30_to_uint16(tmp, &x); 1090 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]); 1091 } 1092 } 1093 1094 #ifdef SECP256K1_WIDEMUL_INT128 1095 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */ 1096 static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) { 1097 int i; 1098 memset(out->v, 0, sizeof(out->v)); 1099 for (i = 0; i < 256; ++i) { 1100 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62); 1101 } 1102 } 1103 1104 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */ 1105 static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) { 1106 int i; 1107 memset(out, 0, 32); 1108 for (i = 0; i < 256; ++i) { 1109 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15); 1110 } 1111 } 1112 1113 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */ 1114 static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) { 1115 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2); 1116 int i; 1117 for (i = 0; i < 8; ++i) { 1118 int pos = testrand_bits(2); 1119 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) { 1120 x->v[pos] -= (M62 + 1); 1121 x->v[pos + 1] += 1; 1122 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) { 1123 x->v[pos] += (M62 + 1); 1124 x->v[pos + 1] -= 1; 1125 } 1126 } 1127 } 1128 1129 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */ 1130 static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) { 1131 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2); 1132 uint16_t tmp[16]; 1133 secp256k1_modinv64_signed62 x; 1134 secp256k1_modinv64_modinfo m; 1135 int i, vartime, nonzero; 1136 1137 uint16_to_signed62(&x, in); 1138 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0; 1139 uint16_to_signed62(&m.modulus, mod); 1140 1141 /* compute 1/modulus mod 2^62 */ 1142 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62; 1143 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1); 1144 1145 /* Test secp256k1_jacobi64_maybe_var. */ 1146 if (nonzero) { 1147 int jac; 1148 uint16_t sqr[16], negone[16]; 1149 mulmod256(sqr, in, in, mod); 1150 uint16_to_signed62(&x, sqr); 1151 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */ 1152 jac = secp256k1_jacobi64_maybe_var(&x, &m); 1153 CHECK(jac == 0 || jac == 1); 1154 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite 1155 * jacobi symbols if and only if (mod % 4) == 3. */ 1156 negone[0] = mod[0] - 1; 1157 for (i = 1; i < 16; ++i) negone[i] = mod[i]; 1158 mulmod256(sqr, sqr, negone, mod); 1159 uint16_to_signed62(&x, sqr); 1160 jac = secp256k1_jacobi64_maybe_var(&x, &m); 1161 CHECK(jac == 0 || jac == 1 - (mod[0] & 2)); 1162 } 1163 1164 uint16_to_signed62(&x, in); 1165 mutate_sign_signed62(&m.modulus); 1166 for (vartime = 0; vartime < 2; ++vartime) { 1167 /* compute inverse */ 1168 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m); 1169 1170 /* produce output */ 1171 signed62_to_uint16(out, &x); 1172 1173 /* check if the inverse times the input is 1 (mod m), unless x is 0. */ 1174 mulmod256(tmp, out, in, mod); 1175 CHECK(tmp[0] == nonzero); 1176 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0); 1177 1178 /* invert again */ 1179 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m); 1180 1181 /* check if the result is equal to the input */ 1182 signed62_to_uint16(tmp, &x); 1183 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]); 1184 } 1185 } 1186 #endif 1187 1188 /* test if a and b are coprime */ 1189 static int coprime(const uint16_t* a, const uint16_t* b) { 1190 uint16_t x[16], y[16], t[16]; 1191 int i; 1192 int iszero; 1193 memcpy(x, a, 32); 1194 memcpy(y, b, 32); 1195 1196 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */ 1197 while (1) { 1198 iszero = 1; 1199 for (i = 0; i < 16; ++i) { 1200 if (x[i] != 0) { 1201 iszero = 0; 1202 break; 1203 } 1204 } 1205 if (iszero) break; 1206 mulmod256(t, y, NULL, x); 1207 memcpy(y, x, 32); 1208 memcpy(x, t, 32); 1209 } 1210 1211 /* return whether y=1 */ 1212 if (y[0] != 1) return 0; 1213 for (i = 1; i < 16; ++i) { 1214 if (y[i] != 0) return 0; 1215 } 1216 return 1; 1217 } 1218 1219 static void run_modinv_tests(void) { 1220 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */ 1221 static const uint16_t CASES[][3][16] = { 1222 /* Test cases triggering edge cases in divsteps */ 1223 1224 /* Test case known to need 713 divsteps */ 1225 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477, 1226 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e}, 1227 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54, 1228 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b}, 1229 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab, 1230 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}}, 1231 /* Test case known to need 589 divsteps, reaching delta=-140 and 1232 delta=141. */ 1233 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9, 1234 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c}, 1235 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da, 1236 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3}, 1237 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0, 1238 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}}, 1239 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */ 1240 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94, 1241 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040}, 1242 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d, 1243 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3}, 1244 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005, 1245 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}}, 1246 /* example needing 713 divsteps; delta=-2..3 */ 1247 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9, 1248 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d}, 1249 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772, 1250 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298}, 1251 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797, 1252 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}}, 1253 /* example needing 713 divsteps; delta=-2..3 */ 1254 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850, 1255 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78}, 1256 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c, 1257 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2}, 1258 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358, 1259 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}}, 1260 /* example needing 713 divsteps; delta=-2..3 */ 1261 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9, 1262 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc}, 1263 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e, 1264 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29}, 1265 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da, 1266 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}}, 1267 /* example reaching delta=-64..65; 661 divsteps */ 1268 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2, 1269 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530}, 1270 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16, 1271 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598}, 1272 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f, 1273 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}}, 1274 /* example reaching delta=-64..65; 661 divsteps */ 1275 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717, 1276 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a}, 1277 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94, 1278 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108}, 1279 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187, 1280 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}}, 1281 /* example reaching delta=-64..65; 661 divsteps */ 1282 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb, 1283 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a}, 1284 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6, 1285 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230}, 1286 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb, 1287 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}}, 1288 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */ 1289 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee, 1290 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc}, 1291 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005, 1292 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67}, 1293 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572, 1294 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}}, 1295 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */ 1296 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185, 1297 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d}, 1298 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde, 1299 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5}, 1300 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0, 1301 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}}, 1302 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */ 1303 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7, 1304 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50}, 1305 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a, 1306 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24}, 1307 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb, 1308 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}}, 1309 /* example doing 446 (f,g/2) steps; 523 divsteps */ 1310 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf, 1311 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a}, 1312 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f, 1313 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32}, 1314 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c, 1315 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}}, 1316 /* example doing 446 (f,g/2) steps; 523 divsteps */ 1317 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd, 1318 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7}, 1319 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283, 1320 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087}, 1321 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8, 1322 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}}, 1323 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */ 1324 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878, 1325 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5}, 1326 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703, 1327 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b}, 1328 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d, 1329 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}}, 1330 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */ 1331 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836, 1332 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c}, 1333 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6, 1334 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62}, 1335 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344, 1336 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}}, 1337 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */ 1338 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5, 1339 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5}, 1340 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153, 1341 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032}, 1342 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2, 1343 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}}, 1344 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */ 1345 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c, 1346 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f}, 1347 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717, 1348 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b}, 1349 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951, 1350 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}}, 1351 1352 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */ 1353 1354 /* example needing 590 divsteps; delta=-5/2..7/2 */ 1355 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a, 1356 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e}, 1357 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0, 1358 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8}, 1359 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54, 1360 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}}, 1361 /* example needing 590 divsteps; delta=-3/2..5/2 */ 1362 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e, 1363 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d}, 1364 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a, 1365 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7}, 1366 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451, 1367 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}}, 1368 /* example needing 590 divsteps; delta=-3/2..5/2 */ 1369 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11, 1370 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40}, 1371 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805, 1372 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9}, 1373 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7, 1374 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}}, 1375 /* example needing 590 divsteps; delta=-5/2..7/2 */ 1376 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce, 1377 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1}, 1378 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba, 1379 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5}, 1380 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c, 1381 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}}, 1382 /* example needing 590 divsteps; delta=-3/2..5/2 */ 1383 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7, 1384 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82}, 1385 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712, 1386 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89}, 1387 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919, 1388 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}}, 1389 /* example reaching delta=-127/2..129/2; 571 divsteps */ 1390 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681, 1391 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56}, 1392 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868, 1393 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f}, 1394 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db, 1395 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}}, 1396 /* example reaching delta=-127/2..129/2; 571 divsteps */ 1397 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7, 1398 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c}, 1399 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1, 1400 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36}, 1401 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074, 1402 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}}, 1403 /* example reaching delta=-127/2..129/2; 571 divsteps */ 1404 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d, 1405 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56}, 1406 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669, 1407 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f}, 1408 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0, 1409 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}}, 1410 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ 1411 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a, 1412 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14}, 1413 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae, 1414 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943}, 1415 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa, 1416 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}}, 1417 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ 1418 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8, 1419 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4}, 1420 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332, 1421 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4}, 1422 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9, 1423 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}}, 1424 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ 1425 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982, 1426 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14}, 1427 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d, 1428 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943}, 1429 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495, 1430 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}}, 1431 /* example doing 453 (f,g/2) steps; 514 divsteps */ 1432 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae, 1433 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448}, 1434 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089, 1435 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7}, 1436 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241, 1437 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}}, 1438 /* example doing 453 (f,g/2) steps; 514 divsteps */ 1439 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1, 1440 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2}, 1441 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5, 1442 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823}, 1443 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159, 1444 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}}, 1445 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */ 1446 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877, 1447 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19}, 1448 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49, 1449 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9}, 1450 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e, 1451 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}}, 1452 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */ 1453 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3, 1454 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b}, 1455 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4, 1456 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf}, 1457 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042, 1458 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}}, 1459 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */ 1460 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6, 1461 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42}, 1462 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936, 1463 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305}, 1464 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a, 1465 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}}, 1466 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */ 1467 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52, 1468 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359}, 1469 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a, 1470 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f}, 1471 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9, 1472 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}}, 1473 1474 /* Test cases with the group order as modulus. */ 1475 1476 /* Test case with the group order as modulus, needing 635 divsteps. */ 1477 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120, 1478 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686}, 1479 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1480 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1481 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc, 1482 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}}, 1483 /* example with group size as modulus needing 631 divsteps */ 1484 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7, 1485 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b}, 1486 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1487 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1488 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb, 1489 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}}, 1490 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */ 1491 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce, 1492 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf}, 1493 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1494 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1495 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32, 1496 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}}, 1497 /* Test case with the group size as modulus, needing 981 divsteps with 1498 broken eta handling. */ 1499 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae, 1500 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2}, 1501 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1502 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1503 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126, 1504 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}}, 1505 /* Test case with the group size as modulus, input = 0. */ 1506 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1507 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1508 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1509 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1510 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1511 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1512 /* Test case with the group size as modulus, input = 1. */ 1513 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1514 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1515 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1516 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1517 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1518 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1519 /* Test case with the group size as modulus, input = 2. */ 1520 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1521 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1522 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1523 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1524 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57, 1525 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}}, 1526 /* Test case with the group size as modulus, input = group - 1. */ 1527 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1528 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1529 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1530 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1531 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1532 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}, 1533 1534 /* Test cases with the field size as modulus. */ 1535 1536 /* Test case with the field size as modulus, needing 637 divsteps. */ 1537 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688, 1538 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e}, 1539 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1540 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1541 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701, 1542 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}}, 1543 /* example with field size as modulus needing 637 divsteps */ 1544 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff, 1545 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8}, 1546 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1547 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1548 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce, 1549 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}}, 1550 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */ 1551 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e, 1552 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f}, 1553 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1554 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1555 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291, 1556 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}}, 1557 /* Test case with the field size as modulus, needing 935 divsteps with 1558 broken eta handling. */ 1559 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8, 1560 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93}, 1561 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1562 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1563 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed, 1564 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}}, 1565 /* Test case with the field size as modulus, input = 0. */ 1566 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1567 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1568 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1569 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1570 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1571 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1572 /* Test case with the field size as modulus, input = 1. */ 1573 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1574 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1575 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1576 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1577 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1578 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1579 /* Test case with the field size as modulus, input = 2. */ 1580 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1581 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1582 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1583 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1584 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1585 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}}, 1586 /* Test case with the field size as modulus, input = field - 1. */ 1587 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1588 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1589 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1590 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1591 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1592 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}, 1593 1594 /* Selected from a large number of random inputs to reach small/large 1595 * d/e values in various configurations. */ 1596 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70, 1597 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30}, 1598 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8, 1599 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff}, 1600 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842, 1601 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}}, 1602 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98, 1603 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e}, 1604 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43, 1605 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6}, 1606 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae, 1607 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}}, 1608 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5, 1609 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac}, 1610 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969, 1611 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb}, 1612 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512, 1613 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}}, 1614 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c, 1615 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8}, 1616 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702, 1617 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2}, 1618 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce, 1619 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}}, 1620 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737, 1621 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4}, 1622 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4, 1623 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff}, 1624 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33, 1625 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}}, 1626 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb, 1627 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97}, 1628 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311, 1629 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640}, 1630 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7, 1631 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}}, 1632 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd, 1633 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576}, 1634 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621, 1635 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64}, 1636 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821, 1637 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}}, 1638 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89, 1639 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e}, 1640 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa, 1641 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5}, 1642 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0, 1643 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}}, 1644 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3, 1645 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c}, 1646 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd, 1647 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff}, 1648 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c, 1649 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}}, 1650 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f, 1651 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a}, 1652 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b, 1653 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff}, 1654 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf, 1655 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}}, 1656 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49, 1657 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe}, 1658 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8, 1659 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff}, 1660 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac, 1661 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}}, 1662 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e, 1663 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e}, 1664 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba, 1665 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77}, 1666 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569, 1667 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}}, 1668 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611, 1669 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d}, 1670 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a, 1671 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff}, 1672 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376, 1673 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}}, 1674 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b, 1675 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4}, 1676 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016, 1677 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff}, 1678 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f, 1679 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}}, 1680 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7, 1681 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8}, 1682 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104, 1683 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff}, 1684 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405, 1685 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}}, 1686 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033, 1687 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914}, 1688 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346, 1689 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3}, 1690 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c, 1691 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}}, 1692 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c, 1693 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025}, 1694 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb, 1695 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93}, 1696 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744, 1697 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}}, 1698 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904, 1699 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94}, 1700 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94, 1701 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b}, 1702 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e, 1703 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}}, 1704 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4, 1705 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f}, 1706 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550, 1707 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97}, 1708 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618, 1709 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}}, 1710 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7, 1711 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166}, 1712 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54, 1713 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa}, 1714 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5, 1715 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}}, 1716 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a, 1717 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1}, 1718 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328, 1719 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb}, 1720 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857, 1721 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}}, 1722 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413, 1723 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3}, 1724 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92, 1725 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c}, 1726 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f, 1727 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}}, 1728 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe, 1729 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d}, 1730 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e, 1731 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb}, 1732 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424, 1733 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}}, 1734 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56, 1735 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428}, 1736 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998, 1737 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff}, 1738 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8, 1739 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}}, 1740 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9, 1741 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d}, 1742 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e, 1743 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a}, 1744 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614, 1745 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}}, 1746 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7, 1747 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067}, 1748 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b, 1749 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185}, 1750 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42, 1751 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}}, 1752 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74, 1753 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4}, 1754 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781, 1755 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351}, 1756 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65, 1757 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}}, 1758 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced, 1759 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79}, 1760 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c, 1761 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0}, 1762 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145, 1763 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}}, 1764 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a, 1765 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096}, 1766 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf, 1767 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628}, 1768 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da, 1769 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}}, 1770 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91, 1771 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4}, 1772 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5, 1773 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad}, 1774 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41, 1775 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}}, 1776 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224, 1777 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000}, 1778 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183, 1779 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000}, 1780 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3, 1781 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}}, 1782 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b, 1783 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f}, 1784 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35, 1785 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb}, 1786 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3, 1787 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}}, 1788 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995, 1789 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c}, 1790 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60, 1791 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb}, 1792 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134, 1793 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}}, 1794 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6, 1795 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097}, 1796 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40, 1797 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0}, 1798 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0, 1799 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}}, 1800 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82, 1801 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14}, 1802 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee, 1803 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80}, 1804 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051, 1805 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}} 1806 }; 1807 1808 int i, j, ok; 1809 1810 /* Test known inputs/outputs */ 1811 for (i = 0; (size_t)i < ARRAY_SIZE(CASES); ++i) { 1812 uint16_t out[16]; 1813 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]); 1814 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]); 1815 #ifdef SECP256K1_WIDEMUL_INT128 1816 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]); 1817 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]); 1818 #endif 1819 } 1820 1821 for (i = 0; i < 100 * COUNT; ++i) { 1822 /* 256-bit numbers in 16-uint16_t's notation */ 1823 static const uint16_t ZERO[16] = {0}; 1824 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */ 1825 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */ 1826 uint16_t id[16]; /* the inverse of xd mod md */ 1827 1828 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */ 1829 do { 1830 /* generate random xd and md (with many subsequent 0s and 1s) */ 1831 testrand256_test((unsigned char*)xd); 1832 testrand256_test((unsigned char*)md); 1833 md[0] |= 1; /* modulus must be odd */ 1834 /* If modulus is 1, find another one. */ 1835 ok = md[0] != 1; 1836 for (j = 1; j < 16; ++j) ok |= md[j] != 0; 1837 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */ 1838 } while (!(ok && coprime(xd, md))); 1839 1840 test_modinv32_uint16(id, xd, md); 1841 #ifdef SECP256K1_WIDEMUL_INT128 1842 test_modinv64_uint16(id, xd, md); 1843 #endif 1844 1845 /* In a few cases, also test with input=0 */ 1846 if (i < COUNT) { 1847 test_modinv32_uint16(id, ZERO, md); 1848 #ifdef SECP256K1_WIDEMUL_INT128 1849 test_modinv64_uint16(id, ZERO, md); 1850 #endif 1851 } 1852 } 1853 } 1854 1855 /***** INT128 TESTS *****/ 1856 1857 #ifdef SECP256K1_WIDEMUL_INT128 1858 /* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */ 1859 static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) { 1860 int i; 1861 uint32_t carry = 0; 1862 for (i = 0; i < 16; ++i) { 1863 carry += a[i]; 1864 carry += b[i]; 1865 out[i] = carry; 1866 carry >>= 16; 1867 } 1868 } 1869 1870 /* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */ 1871 static void neg256(uint16_t* out, const uint16_t* a) { 1872 int i; 1873 uint32_t carry = 1; 1874 for (i = 0; i < 16; ++i) { 1875 carry += (uint16_t)~a[i]; 1876 out[i] = carry; 1877 carry >>= 16; 1878 } 1879 } 1880 1881 /* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */ 1882 static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) { 1883 uint16_t sign = sign_extend && (a[15] >> 15); 1884 int i, j; 1885 for (i = 15; i >= 0; --i) { 1886 uint16_t v = 0; 1887 for (j = 0; j < 16; ++j) { 1888 int frompos = i*16 + j + n; 1889 if (frompos >= 256) { 1890 v |= sign << j; 1891 } else { 1892 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j; 1893 } 1894 } 1895 out[i] = v; 1896 } 1897 } 1898 1899 /* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */ 1900 static void load256u64(uint16_t* out, uint64_t v, int is_signed) { 1901 int i; 1902 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0; 1903 for (i = 0; i < 4; ++i) { 1904 out[i] = v >> (16 * i); 1905 } 1906 for (i = 4; i < 16; ++i) { 1907 out[i] = sign; 1908 } 1909 } 1910 1911 /* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */ 1912 static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) { 1913 int i; 1914 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0; 1915 for (i = 0; i < 4; ++i) { 1916 out[i] = lo >> (16 * i); 1917 } 1918 for (i = 4; i < 8; ++i) { 1919 out[i] = hi >> (16 * (i - 4)); 1920 } 1921 for (i = 8; i < 16; ++i) { 1922 out[i] = sign; 1923 } 1924 } 1925 1926 /* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */ 1927 static int int256is127(const uint16_t* v) { 1928 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000); 1929 int i; 1930 for (i = 8; i < 16; ++i) { 1931 if (v[i] != 0) all_0 = 0; 1932 if (v[i] != 0xffff) all_1 = 0; 1933 } 1934 return all_0 || all_1; 1935 } 1936 1937 static void load256u128(uint16_t* out, const secp256k1_uint128* v) { 1938 uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v); 1939 load256two64(out, hi, lo, 0); 1940 } 1941 1942 static void load256i128(uint16_t* out, const secp256k1_int128* v) { 1943 uint64_t lo; 1944 int64_t hi; 1945 secp256k1_int128 c = *v; 1946 lo = secp256k1_i128_to_u64(&c); 1947 secp256k1_i128_rshift(&c, 64); 1948 hi = secp256k1_i128_to_i64(&c); 1949 load256two64(out, hi, lo, 1); 1950 } 1951 1952 static void run_int128_test_case(void) { 1953 unsigned char buf[32]; 1954 uint64_t v[4]; 1955 secp256k1_int128 swa, swz; 1956 secp256k1_uint128 uwa, uwz; 1957 uint64_t ub, uc; 1958 int64_t sb, sc; 1959 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32]; 1960 uint16_t rub[16], ruc[16], rsb[16], rsc[16]; 1961 int i; 1962 1963 /* Generate 32-byte random value. */ 1964 testrand256_test(buf); 1965 /* Convert into 4 64-bit integers. */ 1966 for (i = 0; i < 4; ++i) { 1967 uint64_t vi = 0; 1968 int j; 1969 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j]; 1970 v[i] = vi; 1971 } 1972 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */ 1973 secp256k1_u128_load(&uwa, v[1], v[0]); 1974 secp256k1_i128_load(&swa, v[1], v[0]); 1975 ub = v[2]; 1976 sb = v[2]; 1977 uc = v[3]; 1978 sc = v[3]; 1979 /* Load those also into 16-bit array representations. */ 1980 load256u128(ruwa, &uwa); 1981 load256i128(rswa, &swa); 1982 load256u64(rub, ub, 0); 1983 load256u64(rsb, sb, 1); 1984 load256u64(ruc, uc, 0); 1985 load256u64(rsc, sc, 1); 1986 /* test secp256k1_u128_mul */ 1987 mulmod256(ruwr, rub, ruc, NULL); 1988 secp256k1_u128_mul(&uwz, ub, uc); 1989 load256u128(ruwz, &uwz); 1990 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0); 1991 /* test secp256k1_u128_accum_mul */ 1992 mulmod256(ruwr, rub, ruc, NULL); 1993 add256(ruwr, ruwr, ruwa); 1994 uwz = uwa; 1995 secp256k1_u128_accum_mul(&uwz, ub, uc); 1996 load256u128(ruwz, &uwz); 1997 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0); 1998 /* test secp256k1_u128_accum_u64 */ 1999 add256(ruwr, rub, ruwa); 2000 uwz = uwa; 2001 secp256k1_u128_accum_u64(&uwz, ub); 2002 load256u128(ruwz, &uwz); 2003 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0); 2004 /* test secp256k1_u128_rshift */ 2005 rshift256(ruwr, ruwa, uc % 128, 0); 2006 uwz = uwa; 2007 secp256k1_u128_rshift(&uwz, uc % 128); 2008 load256u128(ruwz, &uwz); 2009 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0); 2010 /* test secp256k1_u128_to_u64 */ 2011 CHECK(secp256k1_u128_to_u64(&uwa) == v[0]); 2012 /* test secp256k1_u128_hi_u64 */ 2013 CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]); 2014 /* test secp256k1_u128_from_u64 */ 2015 secp256k1_u128_from_u64(&uwz, ub); 2016 load256u128(ruwz, &uwz); 2017 CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0); 2018 /* test secp256k1_u128_check_bits */ 2019 { 2020 int uwa_bits = 0; 2021 int j; 2022 for (j = 0; j < 128; ++j) { 2023 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j; 2024 } 2025 for (j = 0; j < 128; ++j) { 2026 CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j)); 2027 } 2028 } 2029 /* test secp256k1_i128_mul */ 2030 mulmod256(rswr, rsb, rsc, NULL); 2031 secp256k1_i128_mul(&swz, sb, sc); 2032 load256i128(rswz, &swz); 2033 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0); 2034 /* test secp256k1_i128_accum_mul */ 2035 mulmod256(rswr, rsb, rsc, NULL); 2036 add256(rswr, rswr, rswa); 2037 if (int256is127(rswr)) { 2038 swz = swa; 2039 secp256k1_i128_accum_mul(&swz, sb, sc); 2040 load256i128(rswz, &swz); 2041 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0); 2042 } 2043 /* test secp256k1_i128_det */ 2044 { 2045 uint16_t rsd[16], rse[16], rst[32]; 2046 int64_t sd = v[0], se = v[1]; 2047 load256u64(rsd, sd, 1); 2048 load256u64(rse, se, 1); 2049 mulmod256(rst, rsc, rsd, NULL); 2050 neg256(rst, rst); 2051 mulmod256(rswr, rsb, rse, NULL); 2052 add256(rswr, rswr, rst); 2053 secp256k1_i128_det(&swz, sb, sc, sd, se); 2054 load256i128(rswz, &swz); 2055 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0); 2056 } 2057 /* test secp256k1_i128_rshift */ 2058 rshift256(rswr, rswa, uc % 127, 1); 2059 swz = swa; 2060 secp256k1_i128_rshift(&swz, uc % 127); 2061 load256i128(rswz, &swz); 2062 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0); 2063 /* test secp256k1_i128_to_u64 */ 2064 CHECK(secp256k1_i128_to_u64(&swa) == v[0]); 2065 /* test secp256k1_i128_from_i64 */ 2066 secp256k1_i128_from_i64(&swz, sb); 2067 load256i128(rswz, &swz); 2068 CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0); 2069 /* test secp256k1_i128_to_i64 */ 2070 CHECK(secp256k1_i128_to_i64(&swz) == sb); 2071 /* test secp256k1_i128_eq_var */ 2072 { 2073 int expect = (uc & 1); 2074 swz = swa; 2075 if (!expect) { 2076 /* Make sure swz != swa */ 2077 uint64_t v0c = v[0], v1c = v[1]; 2078 if (ub & 64) { 2079 v1c ^= (((uint64_t)1) << (ub & 63)); 2080 } else { 2081 v0c ^= (((uint64_t)1) << (ub & 63)); 2082 } 2083 secp256k1_i128_load(&swz, v1c, v0c); 2084 } 2085 CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect); 2086 } 2087 /* test secp256k1_i128_check_pow2 (sign == 1) */ 2088 { 2089 int expect = (uc & 1); 2090 int pos = ub % 127; 2091 if (expect) { 2092 /* If expect==1, set swz to exactly 2^pos. */ 2093 uint64_t hi = 0; 2094 uint64_t lo = 0; 2095 if (pos >= 64) { 2096 hi = (((uint64_t)1) << (pos & 63)); 2097 } else { 2098 lo = (((uint64_t)1) << (pos & 63)); 2099 } 2100 secp256k1_i128_load(&swz, hi, lo); 2101 } else { 2102 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */ 2103 if (pos >= 64) { 2104 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1; 2105 } else { 2106 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1; 2107 } 2108 swz = swa; 2109 } 2110 CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect); 2111 } 2112 /* test secp256k1_i128_check_pow2 (sign == -1) */ 2113 { 2114 int expect = (uc & 1); 2115 int pos = ub % 127; 2116 if (expect) { 2117 /* If expect==1, set swz to exactly -2^pos. */ 2118 uint64_t hi = ~(uint64_t)0; 2119 uint64_t lo = ~(uint64_t)0; 2120 if (pos >= 64) { 2121 hi <<= (pos & 63); 2122 lo = 0; 2123 } else { 2124 lo <<= (pos & 63); 2125 } 2126 secp256k1_i128_load(&swz, hi, lo); 2127 } else { 2128 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */ 2129 if (pos >= 64) { 2130 if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1; 2131 } else { 2132 if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1; 2133 } 2134 swz = swa; 2135 } 2136 CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect); 2137 } 2138 } 2139 2140 static void run_int128_tests(void) { 2141 { /* secp256k1_u128_accum_mul */ 2142 secp256k1_uint128 res; 2143 2144 /* Check secp256k1_u128_accum_mul overflow */ 2145 secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX); 2146 secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX); 2147 CHECK(secp256k1_u128_to_u64(&res) == 2); 2148 CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U); 2149 } 2150 { /* secp256k1_u128_accum_mul */ 2151 secp256k1_int128 res; 2152 2153 /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */ 2154 secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX); 2155 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX); 2156 CHECK(secp256k1_i128_to_u64(&res) == 2); 2157 secp256k1_i128_accum_mul(&res, 4, 9223372036854775807); 2158 secp256k1_i128_accum_mul(&res, 1, 1); 2159 CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX); 2160 secp256k1_i128_rshift(&res, 64); 2161 CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX); 2162 2163 /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */ 2164 secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN); 2165 CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN); 2166 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN); 2167 CHECK(secp256k1_i128_to_u64(&res) == 0); 2168 secp256k1_i128_accum_mul(&res, 2, INT64_MIN); 2169 CHECK(secp256k1_i128_to_u64(&res) == 0); 2170 secp256k1_i128_rshift(&res, 64); 2171 CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN); 2172 } 2173 { 2174 /* Randomized tests. */ 2175 int i; 2176 for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case(); 2177 } 2178 } 2179 #endif 2180 2181 /***** SCALAR TESTS *****/ 2182 2183 static void scalar_test(void) { 2184 secp256k1_scalar s; 2185 secp256k1_scalar s1; 2186 secp256k1_scalar s2; 2187 unsigned char c[32]; 2188 2189 /* Set 's' to a random scalar, with value 'snum'. */ 2190 testutil_random_scalar_order_test(&s); 2191 2192 /* Set 's1' to a random scalar, with value 's1num'. */ 2193 testutil_random_scalar_order_test(&s1); 2194 2195 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */ 2196 testutil_random_scalar_order_test(&s2); 2197 secp256k1_scalar_get_b32(c, &s2); 2198 2199 { 2200 int i; 2201 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */ 2202 secp256k1_scalar n; 2203 secp256k1_scalar_set_int(&n, 0); 2204 for (i = 0; i < 256; i += 4) { 2205 secp256k1_scalar t; 2206 int j; 2207 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_limb32(&s, 256 - 4 - i, 4)); 2208 for (j = 0; j < 4; j++) { 2209 secp256k1_scalar_add(&n, &n, &n); 2210 } 2211 secp256k1_scalar_add(&n, &n, &t); 2212 } 2213 CHECK(secp256k1_scalar_eq(&n, &s)); 2214 } 2215 2216 { 2217 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */ 2218 secp256k1_scalar n; 2219 int i = 0; 2220 secp256k1_scalar_set_int(&n, 0); 2221 while (i < 256) { 2222 secp256k1_scalar t; 2223 int j; 2224 int now = testrand_int(15) + 1; 2225 if (now + i > 256) { 2226 now = 256 - i; 2227 } 2228 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now)); 2229 for (j = 0; j < now; j++) { 2230 secp256k1_scalar_add(&n, &n, &n); 2231 } 2232 secp256k1_scalar_add(&n, &n, &t); 2233 i += now; 2234 } 2235 CHECK(secp256k1_scalar_eq(&n, &s)); 2236 } 2237 2238 { 2239 /* Test commutativity of add. */ 2240 secp256k1_scalar r1, r2; 2241 secp256k1_scalar_add(&r1, &s1, &s2); 2242 secp256k1_scalar_add(&r2, &s2, &s1); 2243 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2244 } 2245 2246 { 2247 secp256k1_scalar r1, r2; 2248 secp256k1_scalar b; 2249 int i; 2250 /* Test add_bit. */ 2251 int bit = testrand_bits(8); 2252 secp256k1_scalar_set_int(&b, 1); 2253 CHECK(secp256k1_scalar_is_one(&b)); 2254 for (i = 0; i < bit; i++) { 2255 secp256k1_scalar_add(&b, &b, &b); 2256 } 2257 r1 = s1; 2258 r2 = s1; 2259 if (!secp256k1_scalar_add(&r1, &r1, &b)) { 2260 /* No overflow happened. */ 2261 secp256k1_scalar_cadd_bit(&r2, bit, 1); 2262 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2263 /* cadd is a noop when flag is zero */ 2264 secp256k1_scalar_cadd_bit(&r2, bit, 0); 2265 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2266 } 2267 } 2268 2269 { 2270 /* Test commutativity of mul. */ 2271 secp256k1_scalar r1, r2; 2272 secp256k1_scalar_mul(&r1, &s1, &s2); 2273 secp256k1_scalar_mul(&r2, &s2, &s1); 2274 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2275 } 2276 2277 { 2278 /* Test associativity of add. */ 2279 secp256k1_scalar r1, r2; 2280 secp256k1_scalar_add(&r1, &s1, &s2); 2281 secp256k1_scalar_add(&r1, &r1, &s); 2282 secp256k1_scalar_add(&r2, &s2, &s); 2283 secp256k1_scalar_add(&r2, &s1, &r2); 2284 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2285 } 2286 2287 { 2288 /* Test associativity of mul. */ 2289 secp256k1_scalar r1, r2; 2290 secp256k1_scalar_mul(&r1, &s1, &s2); 2291 secp256k1_scalar_mul(&r1, &r1, &s); 2292 secp256k1_scalar_mul(&r2, &s2, &s); 2293 secp256k1_scalar_mul(&r2, &s1, &r2); 2294 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2295 } 2296 2297 { 2298 /* Test distributitivity of mul over add. */ 2299 secp256k1_scalar r1, r2, t; 2300 secp256k1_scalar_add(&r1, &s1, &s2); 2301 secp256k1_scalar_mul(&r1, &r1, &s); 2302 secp256k1_scalar_mul(&r2, &s1, &s); 2303 secp256k1_scalar_mul(&t, &s2, &s); 2304 secp256k1_scalar_add(&r2, &r2, &t); 2305 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2306 } 2307 2308 { 2309 /* Test multiplicative identity. */ 2310 secp256k1_scalar r1; 2311 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_one); 2312 CHECK(secp256k1_scalar_eq(&r1, &s1)); 2313 } 2314 2315 { 2316 /* Test additive identity. */ 2317 secp256k1_scalar r1; 2318 secp256k1_scalar_add(&r1, &s1, &secp256k1_scalar_zero); 2319 CHECK(secp256k1_scalar_eq(&r1, &s1)); 2320 } 2321 2322 { 2323 /* Test zero product property. */ 2324 secp256k1_scalar r1; 2325 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_zero); 2326 CHECK(secp256k1_scalar_eq(&r1, &secp256k1_scalar_zero)); 2327 } 2328 2329 { 2330 /* Test halving. */ 2331 secp256k1_scalar r; 2332 secp256k1_scalar_add(&r, &s, &s); 2333 secp256k1_scalar_half(&r, &r); 2334 CHECK(secp256k1_scalar_eq(&r, &s)); 2335 } 2336 } 2337 2338 static void run_scalar_set_b32_seckey_tests(void) { 2339 unsigned char b32[32]; 2340 secp256k1_scalar s1; 2341 secp256k1_scalar s2; 2342 2343 /* Usually set_b32 and set_b32_seckey give the same result */ 2344 testutil_random_scalar_order_b32(b32); 2345 secp256k1_scalar_set_b32(&s1, b32, NULL); 2346 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1); 2347 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1); 2348 2349 memset(b32, 0, sizeof(b32)); 2350 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0); 2351 memset(b32, 0xFF, sizeof(b32)); 2352 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0); 2353 } 2354 2355 static void test_scalar_check_overflow(void) { 2356 secp256k1_scalar s; 2357 const secp256k1_scalar n_minus_1 = SECP256K1_SCALAR_CONST( 2358 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 2359 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL 2360 ); 2361 const secp256k1_scalar n = SECP256K1_SCALAR_CONST( 2362 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 2363 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL 2364 ); 2365 const secp256k1_scalar n_plus_1 = SECP256K1_SCALAR_CONST( 2366 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 2367 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364142UL 2368 ); 2369 const secp256k1_scalar max = SECP256K1_SCALAR_CONST( 2370 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 2371 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 2372 ); 2373 2374 int i; 2375 2376 secp256k1_scalar_set_int(&s, 0); 2377 CHECK(secp256k1_scalar_check_overflow(&s) == 0); 2378 CHECK(secp256k1_scalar_check_overflow(&n_minus_1) == 0); 2379 CHECK(secp256k1_scalar_check_overflow(&n) == 1); 2380 CHECK(secp256k1_scalar_check_overflow(&n_plus_1) == 1); 2381 CHECK(secp256k1_scalar_check_overflow(&max) == 1); 2382 2383 for (i = 0; i < 2 * COUNT; i++) { 2384 int expected_overflow; 2385 int overflow = 0; 2386 unsigned char b32[32]; 2387 2388 testrand256(b32); 2389 2390 /* Force top bits to be 0xFF sometimes to ensure we hit overflows */ 2391 if (i % 2 == 0) { 2392 memset(b32, 0xFF, 16); 2393 } 2394 2395 expected_overflow = (secp256k1_memcmp_var(b32, secp256k1_group_order_bytes, 32) >= 0); 2396 2397 secp256k1_scalar_set_b32(&s, b32, &overflow); 2398 CHECK(overflow == expected_overflow); 2399 } 2400 } 2401 2402 static void run_scalar_tests(void) { 2403 int i; 2404 2405 test_scalar_check_overflow(); 2406 2407 for (i = 0; i < 128 * COUNT; i++) { 2408 scalar_test(); 2409 } 2410 for (i = 0; i < COUNT; i++) { 2411 run_scalar_set_b32_seckey_tests(); 2412 } 2413 2414 { 2415 /* Check that the scalar constants secp256k1_scalar_zero and 2416 secp256k1_scalar_one contain the expected values. */ 2417 secp256k1_scalar zero, one; 2418 2419 CHECK(secp256k1_scalar_is_zero(&secp256k1_scalar_zero)); 2420 secp256k1_scalar_set_int(&zero, 0); 2421 CHECK(secp256k1_scalar_eq(&zero, &secp256k1_scalar_zero)); 2422 2423 CHECK(secp256k1_scalar_is_one(&secp256k1_scalar_one)); 2424 secp256k1_scalar_set_int(&one, 1); 2425 CHECK(secp256k1_scalar_eq(&one, &secp256k1_scalar_one)); 2426 } 2427 2428 { 2429 /* (-1)+1 should be zero. */ 2430 secp256k1_scalar o; 2431 secp256k1_scalar_negate(&o, &secp256k1_scalar_one); 2432 secp256k1_scalar_add(&o, &o, &secp256k1_scalar_one); 2433 CHECK(secp256k1_scalar_is_zero(&o)); 2434 secp256k1_scalar_negate(&o, &o); 2435 CHECK(secp256k1_scalar_is_zero(&o)); 2436 } 2437 2438 { 2439 /* Test that halving and doubling roundtrips on some fixed values. */ 2440 static const secp256k1_scalar HALF_TESTS[] = { 2441 /* 0 */ 2442 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0), 2443 /* 1 */ 2444 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1), 2445 /* -1 */ 2446 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul), 2447 /* -2 (largest odd value) */ 2448 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful), 2449 /* Half the secp256k1 order */ 2450 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul), 2451 /* Half the secp256k1 order + 1 */ 2452 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul), 2453 /* 2^255 */ 2454 SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0), 2455 /* 2^255 - 1 */ 2456 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful), 2457 }; 2458 unsigned n; 2459 for (n = 0; n < ARRAY_SIZE(HALF_TESTS); ++n) { 2460 secp256k1_scalar s; 2461 secp256k1_scalar_half(&s, &HALF_TESTS[n]); 2462 secp256k1_scalar_add(&s, &s, &s); 2463 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n])); 2464 secp256k1_scalar_add(&s, &s, &s); 2465 secp256k1_scalar_half(&s, &s); 2466 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n])); 2467 } 2468 } 2469 2470 { 2471 /* Static test vectors. 2472 * These were reduced from ~10^12 random vectors based on comparison-decision 2473 * and edge-case coverage on 32-bit and 64-bit implementations. 2474 * The responses were generated with Sage 5.9. 2475 */ 2476 secp256k1_scalar x; 2477 secp256k1_scalar y; 2478 secp256k1_scalar z; 2479 secp256k1_scalar zz; 2480 secp256k1_scalar r1; 2481 secp256k1_scalar r2; 2482 secp256k1_scalar zzv; 2483 int overflow; 2484 unsigned char chal[33][2][32] = { 2485 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00, 2486 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 2487 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 2488 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff}, 2489 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00, 2490 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 2491 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2492 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}}, 2493 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, 2494 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 2495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2497 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 2499 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff, 2500 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}}, 2501 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2502 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 2503 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00, 2504 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00}, 2505 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80, 2506 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0, 2507 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00, 2508 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}}, 2509 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2510 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2511 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2512 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff}, 2513 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 2514 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0, 2515 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff, 2516 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2517 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00, 2518 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 2519 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00, 2520 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff}, 2521 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 2522 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2523 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f, 2524 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}}, 2525 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f, 2526 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80, 2527 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00, 2528 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2529 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2530 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff, 2531 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 2532 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}}, 2533 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 2534 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 2535 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00, 2536 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0}, 2537 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 2538 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 2539 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 2540 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2541 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00, 2542 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2543 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 2544 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff}, 2545 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 2546 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0, 2547 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2548 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2549 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2550 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 2551 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2552 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2553 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2554 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2555 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2556 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2557 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff, 2558 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2559 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80, 2560 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f}, 2561 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 2562 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff, 2563 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 2564 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}}, 2565 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff, 2566 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 2567 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80, 2568 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff}, 2569 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 2570 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 2572 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}}, 2573 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2574 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2575 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2576 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80}, 2577 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2578 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff, 2579 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 2580 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2581 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2582 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2584 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00}, 2585 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 2586 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f, 2587 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff, 2588 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}}, 2589 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2590 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2591 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2592 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00}, 2593 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 2594 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2595 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00, 2596 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}}, 2597 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00, 2598 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03, 2599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2600 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2601 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff, 2602 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2603 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2604 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}}, 2605 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 2606 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2607 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2608 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2609 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2610 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff, 2611 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 2612 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}}, 2613 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2614 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2615 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00, 2616 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80}, 2617 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2618 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 2619 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e, 2620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2621 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2622 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 2623 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 2624 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00}, 2625 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2626 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00, 2627 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2628 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2629 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80, 2630 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2631 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2632 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2633 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2634 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80, 2635 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 2636 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}}, 2637 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff, 2638 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00, 2639 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2640 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07}, 2641 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2642 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2643 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff, 2644 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}}, 2645 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2646 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2647 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2648 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2649 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2650 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 2651 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 2652 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}}, 2653 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2654 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2655 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, 2657 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2659 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2660 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2661 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2662 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2663 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2664 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2665 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2666 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2667 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2668 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2669 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0, 2670 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2671 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 2672 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f}, 2673 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 2674 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00, 2675 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 2676 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}}, 2677 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2678 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2679 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2680 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2681 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2682 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2683 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2684 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}}, 2685 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2686 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 2687 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 2688 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}, 2689 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 2693 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2694 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00, 2695 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 2696 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2697 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 2698 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80, 2699 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 2700 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2701 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00, 2702 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2703 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 2704 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff}, 2705 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 2706 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff, 2707 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2708 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}}, 2709 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2710 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff, 2711 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2712 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00}, 2713 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 2714 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 2715 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f, 2716 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}}, 2717 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2718 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01, 2719 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff, 2720 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2721 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 2722 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80, 2723 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff, 2724 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}}, 2725 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2726 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2727 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8, 2728 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80}, 2729 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2730 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00, 2731 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f, 2732 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}}, 2733 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00, 2734 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83, 2735 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2736 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0}, 2737 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 2738 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00, 2739 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 2740 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}}, 2741 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2742 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2743 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb, 2744 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}, 2745 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2746 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2747 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb, 2748 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}} 2749 }; 2750 unsigned char res[33][2][32] = { 2751 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9, 2752 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1, 2753 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6, 2754 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35}, 2755 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d, 2756 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c, 2757 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49, 2758 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}}, 2759 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22, 2760 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c, 2761 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f, 2762 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8}, 2763 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77, 2764 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4, 2765 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59, 2766 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}}, 2767 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef, 2768 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab, 2769 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55, 2770 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c}, 2771 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96, 2772 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f, 2773 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12, 2774 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}}, 2775 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c, 2776 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf, 2777 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9, 2778 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48}, 2779 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42, 2780 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5, 2781 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c, 2782 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}}, 2783 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb, 2784 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74, 2785 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6, 2786 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63}, 2787 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3, 2788 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99, 2789 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58, 2790 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}}, 2791 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b, 2792 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7, 2793 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f, 2794 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0}, 2795 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d, 2796 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d, 2797 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9, 2798 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}}, 2799 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7, 2800 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70, 2801 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06, 2802 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e}, 2803 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9, 2804 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79, 2805 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e, 2806 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}}, 2807 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb, 2808 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5, 2809 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a, 2810 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe}, 2811 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48, 2812 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e, 2813 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc, 2814 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}}, 2815 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b, 2816 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0, 2817 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53, 2818 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8}, 2819 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c, 2820 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01, 2821 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f, 2822 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}}, 2823 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7, 2824 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c, 2825 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92, 2826 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30}, 2827 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62, 2828 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e, 2829 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb, 2830 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}}, 2831 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25, 2832 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d, 2833 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0, 2834 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13}, 2835 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60, 2836 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00, 2837 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4, 2838 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}}, 2839 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31, 2840 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4, 2841 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88, 2842 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa}, 2843 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57, 2844 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38, 2845 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51, 2846 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}}, 2847 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c, 2848 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f, 2849 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2, 2850 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4}, 2851 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01, 2852 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4, 2853 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86, 2854 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}}, 2855 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5, 2856 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51, 2857 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3, 2858 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62}, 2859 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c, 2860 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91, 2861 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c, 2862 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}}, 2863 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e, 2864 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56, 2865 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58, 2866 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4}, 2867 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41, 2868 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7, 2869 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92, 2870 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}}, 2871 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec, 2872 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19, 2873 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3, 2874 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4}, 2875 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87, 2876 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a, 2877 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92, 2878 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}}, 2879 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64, 2880 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3, 2881 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f, 2882 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33}, 2883 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c, 2884 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d, 2885 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea, 2886 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}}, 2887 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7, 2888 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a, 2889 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae, 2890 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe}, 2891 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc, 2892 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39, 2893 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14, 2894 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}}, 2895 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23, 2896 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d, 2897 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2, 2898 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16}, 2899 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c, 2900 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84, 2901 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0, 2902 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}}, 2903 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb, 2904 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94, 2905 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b, 2906 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e}, 2907 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54, 2908 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00, 2909 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb, 2910 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}}, 2911 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2913 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2914 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2915 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2916 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2917 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2918 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2919 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2920 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2921 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2922 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2923 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2924 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2925 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2926 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 2927 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 2928 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 2929 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 2930 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}, 2931 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 2932 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 2933 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 2934 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}}, 2935 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0, 2936 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b, 2937 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94, 2938 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8}, 2939 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26, 2940 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d, 2941 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a, 2942 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}}, 2943 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2944 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 2945 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 2946 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd}, 2947 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 2948 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 2949 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 2950 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}}, 2951 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2952 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 2953 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 2954 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}, 2955 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2956 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2957 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2958 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 2959 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39, 2960 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea, 2961 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf, 2962 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae}, 2963 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b, 2964 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb, 2965 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6, 2966 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}}, 2967 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a, 2968 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f, 2969 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9, 2970 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56}, 2971 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93, 2972 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07, 2973 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71, 2974 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}}, 2975 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87, 2976 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9, 2977 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55, 2978 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73}, 2979 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d, 2980 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86, 2981 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb, 2982 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}}, 2983 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2, 2984 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7, 2985 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41, 2986 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7}, 2987 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06, 2988 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04, 2989 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08, 2990 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}}, 2991 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2, 2992 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b, 2993 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40, 2994 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68}, 2995 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e, 2996 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a, 2997 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b, 2998 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}}, 2999 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67, 3000 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f, 3001 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a, 3002 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51}, 3003 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2, 3004 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38, 3005 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34, 3006 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}}, 3007 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34, 3008 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13, 3009 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, 3010 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}, 3011 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34, 3012 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13, 3013 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, 3014 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}} 3015 }; 3016 for (i = 0; i < 33; i++) { 3017 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow); 3018 CHECK(!overflow); 3019 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow); 3020 CHECK(!overflow); 3021 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow); 3022 CHECK(!overflow); 3023 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow); 3024 CHECK(!overflow); 3025 secp256k1_scalar_mul(&z, &x, &y); 3026 CHECK(secp256k1_scalar_eq(&r1, &z)); 3027 if (!secp256k1_scalar_is_zero(&y)) { 3028 secp256k1_scalar_inverse(&zz, &y); 3029 secp256k1_scalar_inverse_var(&zzv, &y); 3030 CHECK(secp256k1_scalar_eq(&zzv, &zz)); 3031 secp256k1_scalar_mul(&z, &z, &zz); 3032 CHECK(secp256k1_scalar_eq(&x, &z)); 3033 secp256k1_scalar_mul(&zz, &zz, &y); 3034 CHECK(secp256k1_scalar_eq(&secp256k1_scalar_one, &zz)); 3035 } 3036 secp256k1_scalar_mul(&z, &x, &x); 3037 CHECK(secp256k1_scalar_eq(&r2, &z)); 3038 } 3039 } 3040 } 3041 3042 /***** FIELD TESTS *****/ 3043 3044 static void random_fe_non_square(secp256k1_fe *ns) { 3045 secp256k1_fe r; 3046 testutil_random_fe_non_zero(ns); 3047 if (secp256k1_fe_sqrt(&r, ns)) { 3048 secp256k1_fe_negate(ns, ns, 1); 3049 } 3050 } 3051 3052 static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) { 3053 secp256k1_fe an = *a; 3054 secp256k1_fe bn = *b; 3055 secp256k1_fe_normalize_weak(&an); 3056 return secp256k1_fe_equal(&an, &bn); 3057 } 3058 3059 static void run_field_convert(void) { 3060 static const unsigned char b32[32] = { 3061 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 3062 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 3063 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 3064 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40 3065 }; 3066 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST( 3067 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 3068 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL 3069 ); 3070 static const secp256k1_fe fe = SECP256K1_FE_CONST( 3071 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 3072 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL 3073 ); 3074 secp256k1_fe fe2; 3075 unsigned char b322[32]; 3076 secp256k1_fe_storage fes2; 3077 /* Check conversions to fe. */ 3078 CHECK(secp256k1_fe_set_b32_limit(&fe2, b32)); 3079 CHECK(secp256k1_fe_equal(&fe, &fe2)); 3080 secp256k1_fe_from_storage(&fe2, &fes); 3081 CHECK(secp256k1_fe_equal(&fe, &fe2)); 3082 /* Check conversion from fe. */ 3083 secp256k1_fe_get_b32(b322, &fe); 3084 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0); 3085 secp256k1_fe_to_storage(&fes2, &fe); 3086 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0); 3087 } 3088 3089 static void run_field_be32_overflow(void) { 3090 { 3091 static const unsigned char zero_overflow[32] = { 3092 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3093 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3094 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3095 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F, 3096 }; 3097 static const unsigned char zero[32] = { 0x00 }; 3098 unsigned char out[32]; 3099 secp256k1_fe fe; 3100 CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0); 3101 secp256k1_fe_set_b32_mod(&fe, zero_overflow); 3102 CHECK(secp256k1_fe_normalizes_to_zero(&fe) == 1); 3103 secp256k1_fe_normalize(&fe); 3104 CHECK(secp256k1_fe_is_zero(&fe) == 1); 3105 secp256k1_fe_get_b32(out, &fe); 3106 CHECK(secp256k1_memcmp_var(out, zero, 32) == 0); 3107 } 3108 { 3109 static const unsigned char one_overflow[32] = { 3110 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3111 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3112 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3113 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30, 3114 }; 3115 static const unsigned char one[32] = { 3116 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3117 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 3120 }; 3121 unsigned char out[32]; 3122 secp256k1_fe fe; 3123 CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0); 3124 secp256k1_fe_set_b32_mod(&fe, one_overflow); 3125 secp256k1_fe_normalize(&fe); 3126 CHECK(secp256k1_fe_cmp_var(&fe, &secp256k1_fe_one) == 0); 3127 secp256k1_fe_get_b32(out, &fe); 3128 CHECK(secp256k1_memcmp_var(out, one, 32) == 0); 3129 } 3130 { 3131 static const unsigned char ff_overflow[32] = { 3132 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3133 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3134 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3135 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3136 }; 3137 static const unsigned char ff[32] = { 3138 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3139 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3140 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3141 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0, 3142 }; 3143 unsigned char out[32]; 3144 secp256k1_fe fe; 3145 const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0); 3146 CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0); 3147 secp256k1_fe_set_b32_mod(&fe, ff_overflow); 3148 secp256k1_fe_normalize(&fe); 3149 CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0); 3150 secp256k1_fe_get_b32(out, &fe); 3151 CHECK(secp256k1_memcmp_var(out, ff, 32) == 0); 3152 } 3153 } 3154 3155 /* Returns true if two field elements have the same representation. */ 3156 static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) { 3157 int ret = 1; 3158 /* Compare the struct member that holds the limbs. */ 3159 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0); 3160 return ret; 3161 } 3162 3163 static void run_field_half(void) { 3164 secp256k1_fe t, u; 3165 int m; 3166 3167 /* Check magnitude 0 input */ 3168 secp256k1_fe_get_bounds(&t, 0); 3169 secp256k1_fe_half(&t); 3170 #ifdef VERIFY 3171 CHECK(t.magnitude == 1); 3172 CHECK(t.normalized == 0); 3173 #endif 3174 CHECK(secp256k1_fe_normalizes_to_zero(&t)); 3175 3176 /* Check non-zero magnitudes in the supported range */ 3177 for (m = 1; m < 32; m++) { 3178 /* Check max-value input */ 3179 secp256k1_fe_get_bounds(&t, m); 3180 3181 u = t; 3182 secp256k1_fe_half(&u); 3183 #ifdef VERIFY 3184 CHECK(u.magnitude == (m >> 1) + 1); 3185 CHECK(u.normalized == 0); 3186 #endif 3187 secp256k1_fe_normalize_weak(&u); 3188 secp256k1_fe_add(&u, &u); 3189 CHECK(fe_equal(&t, &u)); 3190 3191 /* Check worst-case input: ensure the LSB is 1 so that P will be added, 3192 * which will also cause all carries to be 1, since all limbs that can 3193 * generate a carry are initially even and all limbs of P are odd in 3194 * every existing field implementation. */ 3195 secp256k1_fe_get_bounds(&t, m); 3196 CHECK(t.n[0] > 0); 3197 CHECK((t.n[0] & 1) == 0); 3198 --t.n[0]; 3199 3200 u = t; 3201 secp256k1_fe_half(&u); 3202 #ifdef VERIFY 3203 CHECK(u.magnitude == (m >> 1) + 1); 3204 CHECK(u.normalized == 0); 3205 #endif 3206 secp256k1_fe_normalize_weak(&u); 3207 secp256k1_fe_add(&u, &u); 3208 CHECK(fe_equal(&t, &u)); 3209 } 3210 } 3211 3212 static void run_field_misc(void) { 3213 secp256k1_fe x; 3214 secp256k1_fe y; 3215 secp256k1_fe z; 3216 secp256k1_fe q; 3217 int v; 3218 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5); 3219 int i, j; 3220 for (i = 0; i < 1000 * COUNT; i++) { 3221 secp256k1_fe_storage xs, ys, zs; 3222 if (i & 1) { 3223 testutil_random_fe(&x); 3224 } else { 3225 testutil_random_fe_test(&x); 3226 } 3227 testutil_random_fe_non_zero(&y); 3228 v = testrand_bits(15); 3229 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */ 3230 secp256k1_fe_set_int(&q, v); /* q = v */ 3231 z = x; /* z = x */ 3232 secp256k1_fe_add(&z, &q); /* z = x+v */ 3233 q = x; /* q = x */ 3234 secp256k1_fe_add_int(&q, v); /* q = x+v */ 3235 CHECK(fe_equal(&q, &z)); 3236 /* Test the fe equality and comparison operations. */ 3237 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0); 3238 CHECK(secp256k1_fe_equal(&x, &x)); 3239 z = x; 3240 secp256k1_fe_add(&z,&y); 3241 /* Test fe conditional move; z is not normalized here. */ 3242 q = x; 3243 secp256k1_fe_cmov(&x, &z, 0); 3244 #ifdef VERIFY 3245 CHECK(!x.normalized); 3246 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude)); 3247 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude)); 3248 #endif 3249 x = q; 3250 secp256k1_fe_cmov(&x, &x, 1); 3251 CHECK(!fe_identical(&x, &z)); 3252 CHECK(fe_identical(&x, &q)); 3253 secp256k1_fe_cmov(&q, &z, 1); 3254 #ifdef VERIFY 3255 CHECK(!q.normalized); 3256 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude)); 3257 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude)); 3258 #endif 3259 CHECK(fe_identical(&q, &z)); 3260 q = z; 3261 secp256k1_fe_normalize_var(&x); 3262 secp256k1_fe_normalize_var(&z); 3263 CHECK(!secp256k1_fe_equal(&x, &z)); 3264 secp256k1_fe_normalize_var(&q); 3265 secp256k1_fe_cmov(&q, &z, (i&1)); 3266 #ifdef VERIFY 3267 CHECK(q.normalized && q.magnitude == 1); 3268 #endif 3269 for (j = 0; j < 6; j++) { 3270 secp256k1_fe_negate_unchecked(&z, &z, j+1); 3271 secp256k1_fe_normalize_var(&q); 3272 secp256k1_fe_cmov(&q, &z, (j&1)); 3273 #ifdef VERIFY 3274 CHECK(!q.normalized && q.magnitude == z.magnitude); 3275 #endif 3276 } 3277 secp256k1_fe_normalize_var(&z); 3278 /* Test storage conversion and conditional moves. */ 3279 secp256k1_fe_to_storage(&xs, &x); 3280 secp256k1_fe_to_storage(&ys, &y); 3281 secp256k1_fe_to_storage(&zs, &z); 3282 secp256k1_fe_storage_cmov(&zs, &xs, 0); 3283 secp256k1_fe_storage_cmov(&zs, &zs, 1); 3284 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0); 3285 secp256k1_fe_storage_cmov(&ys, &xs, 1); 3286 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0); 3287 secp256k1_fe_from_storage(&x, &xs); 3288 secp256k1_fe_from_storage(&y, &ys); 3289 secp256k1_fe_from_storage(&z, &zs); 3290 /* Test that mul_int, mul, and add agree. */ 3291 secp256k1_fe_add(&y, &x); 3292 secp256k1_fe_add(&y, &x); 3293 z = x; 3294 secp256k1_fe_mul_int(&z, 3); 3295 CHECK(fe_equal(&y, &z)); 3296 secp256k1_fe_add(&y, &x); 3297 secp256k1_fe_add(&z, &x); 3298 CHECK(fe_equal(&z, &y)); 3299 z = x; 3300 secp256k1_fe_mul_int(&z, 5); 3301 secp256k1_fe_mul(&q, &x, &fe5); 3302 CHECK(fe_equal(&z, &q)); 3303 secp256k1_fe_negate(&x, &x, 1); 3304 secp256k1_fe_add(&z, &x); 3305 secp256k1_fe_add(&q, &x); 3306 CHECK(fe_equal(&y, &z)); 3307 CHECK(fe_equal(&q, &y)); 3308 /* Check secp256k1_fe_half. */ 3309 z = x; 3310 secp256k1_fe_half(&z); 3311 secp256k1_fe_add(&z, &z); 3312 CHECK(fe_equal(&x, &z)); 3313 secp256k1_fe_add(&z, &z); 3314 secp256k1_fe_half(&z); 3315 CHECK(fe_equal(&x, &z)); 3316 } 3317 } 3318 3319 static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr) 3320 { 3321 secp256k1_fe c, an, bn; 3322 /* Variables in BE 32-byte format. */ 3323 unsigned char a32[32], b32[32], c32[32]; 3324 /* Variables in LE 16x uint16_t format. */ 3325 uint16_t a16[16], b16[16], c16[16]; 3326 /* Field modulus in LE 16x uint16_t format. */ 3327 static const uint16_t m16[16] = { 3328 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 3329 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 3330 }; 3331 uint16_t t16[32]; 3332 int i; 3333 3334 /* Compute C = A * B in fe format. */ 3335 c = *a; 3336 if (use_sqr) { 3337 secp256k1_fe_sqr(&c, &c); 3338 } else { 3339 secp256k1_fe_mul(&c, &c, b); 3340 } 3341 3342 /* Convert A, B, C into LE 16x uint16_t format. */ 3343 an = *a; 3344 bn = *b; 3345 secp256k1_fe_normalize_var(&c); 3346 secp256k1_fe_normalize_var(&an); 3347 secp256k1_fe_normalize_var(&bn); 3348 secp256k1_fe_get_b32(a32, &an); 3349 secp256k1_fe_get_b32(b32, &bn); 3350 secp256k1_fe_get_b32(c32, &c); 3351 for (i = 0; i < 16; ++i) { 3352 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8); 3353 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8); 3354 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8); 3355 } 3356 /* Compute T = A * B in LE 16x uint16_t format. */ 3357 mulmod256(t16, a16, b16, m16); 3358 /* Compare */ 3359 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0); 3360 } 3361 3362 static void run_fe_mul(void) { 3363 int i; 3364 for (i = 0; i < 100 * COUNT; ++i) { 3365 secp256k1_fe a, b, c, d; 3366 testutil_random_fe(&a); 3367 testutil_random_fe_magnitude(&a, 8); 3368 testutil_random_fe(&b); 3369 testutil_random_fe_magnitude(&b, 8); 3370 testutil_random_fe_test(&c); 3371 testutil_random_fe_magnitude(&c, 8); 3372 testutil_random_fe_test(&d); 3373 testutil_random_fe_magnitude(&d, 8); 3374 test_fe_mul(&a, &a, 1); 3375 test_fe_mul(&c, &c, 1); 3376 test_fe_mul(&a, &b, 0); 3377 test_fe_mul(&a, &c, 0); 3378 test_fe_mul(&c, &b, 0); 3379 test_fe_mul(&c, &d, 0); 3380 } 3381 } 3382 3383 static void run_sqr(void) { 3384 int i; 3385 secp256k1_fe x, y, lhs, rhs, tmp; 3386 3387 secp256k1_fe_set_int(&x, 1); 3388 secp256k1_fe_negate(&x, &x, 1); 3389 3390 for (i = 1; i <= 512; ++i) { 3391 secp256k1_fe_mul_int(&x, 2); 3392 secp256k1_fe_normalize(&x); 3393 3394 /* Check that (x+y)*(x-y) = x^2 - y*2 for some random values y */ 3395 testutil_random_fe_test(&y); 3396 3397 lhs = x; 3398 secp256k1_fe_add(&lhs, &y); /* lhs = x+y */ 3399 secp256k1_fe_negate(&tmp, &y, 1); /* tmp = -y */ 3400 secp256k1_fe_add(&tmp, &x); /* tmp = x-y */ 3401 secp256k1_fe_mul(&lhs, &lhs, &tmp); /* lhs = (x+y)*(x-y) */ 3402 3403 secp256k1_fe_sqr(&rhs, &x); /* rhs = x^2 */ 3404 secp256k1_fe_sqr(&tmp, &y); /* tmp = y^2 */ 3405 secp256k1_fe_negate(&tmp, &tmp, 1); /* tmp = -y^2 */ 3406 secp256k1_fe_add(&rhs, &tmp); /* rhs = x^2 - y^2 */ 3407 3408 CHECK(fe_equal(&lhs, &rhs)); 3409 } 3410 } 3411 3412 static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) { 3413 secp256k1_fe r1, r2; 3414 int v = secp256k1_fe_sqrt(&r1, a); 3415 CHECK((v == 0) == (k == NULL)); 3416 3417 if (k != NULL) { 3418 /* Check that the returned root is +/- the given known answer */ 3419 secp256k1_fe_negate(&r2, &r1, 1); 3420 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k); 3421 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2); 3422 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2)); 3423 } 3424 } 3425 3426 static void run_sqrt(void) { 3427 secp256k1_fe ns, x, s, t; 3428 int i; 3429 3430 /* Check sqrt(0) is 0 */ 3431 secp256k1_fe_set_int(&x, 0); 3432 secp256k1_fe_sqr(&s, &x); 3433 test_sqrt(&s, &x); 3434 3435 /* Check sqrt of small squares (and their negatives) */ 3436 for (i = 1; i <= 100; i++) { 3437 secp256k1_fe_set_int(&x, i); 3438 secp256k1_fe_sqr(&s, &x); 3439 test_sqrt(&s, &x); 3440 secp256k1_fe_negate(&t, &s, 1); 3441 test_sqrt(&t, NULL); 3442 } 3443 3444 /* Consistency checks for large random values */ 3445 for (i = 0; i < 10; i++) { 3446 int j; 3447 random_fe_non_square(&ns); 3448 for (j = 0; j < COUNT; j++) { 3449 testutil_random_fe(&x); 3450 secp256k1_fe_sqr(&s, &x); 3451 CHECK(secp256k1_fe_is_square_var(&s)); 3452 test_sqrt(&s, &x); 3453 secp256k1_fe_negate(&t, &s, 1); 3454 CHECK(!secp256k1_fe_is_square_var(&t)); 3455 test_sqrt(&t, NULL); 3456 secp256k1_fe_mul(&t, &s, &ns); 3457 test_sqrt(&t, NULL); 3458 } 3459 } 3460 } 3461 3462 /***** FIELD/SCALAR INVERSE TESTS *****/ 3463 3464 static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST( 3465 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 3466 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140 3467 ); 3468 3469 static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST( 3470 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 3471 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E 3472 ); 3473 3474 /* These tests test the following identities: 3475 * 3476 * for x==0: 1/x == 0 3477 * for x!=0: x*(1/x) == 1 3478 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1) 3479 */ 3480 3481 static void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var) 3482 { 3483 secp256k1_scalar l, r, t; 3484 3485 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */ 3486 if (out) *out = l; 3487 if (secp256k1_scalar_is_zero(x)) { 3488 CHECK(secp256k1_scalar_is_zero(&l)); 3489 return; 3490 } 3491 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */ 3492 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */ 3493 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */ 3494 if (secp256k1_scalar_is_zero(&r)) return; 3495 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */ 3496 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */ 3497 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */ 3498 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */ 3499 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */ 3500 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */ 3501 } 3502 3503 static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var) 3504 { 3505 secp256k1_fe l, r, t; 3506 3507 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */ 3508 if (out) *out = l; 3509 t = *x; /* t = x */ 3510 if (secp256k1_fe_normalizes_to_zero_var(&t)) { 3511 CHECK(secp256k1_fe_normalizes_to_zero(&l)); 3512 return; 3513 } 3514 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */ 3515 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */ 3516 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */ 3517 r = *x; /* r = x */ 3518 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */ 3519 if (secp256k1_fe_normalizes_to_zero_var(&r)) return; 3520 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */ 3521 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */ 3522 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */ 3523 secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */ 3524 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */ 3525 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */ 3526 } 3527 3528 static void run_inverse_tests(void) 3529 { 3530 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */ 3531 static const secp256k1_fe fe_cases[][2] = { 3532 /* 0 */ 3533 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 3534 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)}, 3535 /* 1 */ 3536 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1), 3537 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)}, 3538 /* -1 */ 3539 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e), 3540 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)}, 3541 /* 2 */ 3542 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2), 3543 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)}, 3544 /* 2**128 */ 3545 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0), 3546 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)}, 3547 /* Input known to need 637 divsteps */ 3548 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3), 3549 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)}, 3550 /* Input known to need 567 divsteps starting with delta=1/2. */ 3551 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc), 3552 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)}, 3553 /* Input known to need 566 divsteps starting with delta=1/2. */ 3554 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae), 3555 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)}, 3556 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */ 3557 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000), 3558 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)}, 3559 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192), 3560 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)}, 3561 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100), 3562 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)}, 3563 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8), 3564 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)}, 3565 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440), 3566 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)}, 3567 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff), 3568 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)}, 3569 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe), 3570 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)}, 3571 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f), 3572 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)}, 3573 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690), 3574 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)}, 3575 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000), 3576 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)}, 3577 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */ 3578 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950), 3579 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)}, 3580 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057), 3581 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)}, 3582 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058), 3583 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)}, 3584 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a), 3585 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)}, 3586 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c), 3587 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)}, 3588 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21), 3589 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)}, 3590 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600), 3591 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)}, 3592 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec), 3593 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)}, 3594 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c), 3595 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)}, 3596 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696), 3597 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)}, 3598 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e), 3599 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)}, 3600 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78), 3601 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)}, 3602 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d), 3603 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)}, 3604 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870), 3605 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)}, 3606 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc), 3607 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)}, 3608 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef), 3609 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)}, 3610 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6), 3611 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)}, 3612 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709), 3613 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)}, 3614 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787), 3615 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)}, 3616 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760), 3617 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)}, 3618 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d), 3619 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)}, 3620 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3), 3621 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)}, 3622 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4), 3623 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)}, 3624 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91), 3625 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)}, 3626 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a), 3627 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)}, 3628 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9), 3629 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)}, 3630 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd), 3631 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)}, 3632 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb), 3633 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)} 3634 }; 3635 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */ 3636 static const secp256k1_scalar scalar_cases[][2] = { 3637 /* 0 */ 3638 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0), 3639 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)}, 3640 /* 1 */ 3641 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1), 3642 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)}, 3643 /* -1 */ 3644 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140), 3645 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)}, 3646 /* 2 */ 3647 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2), 3648 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)}, 3649 /* 2**128 */ 3650 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0), 3651 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)}, 3652 /* Input known to need 635 divsteps */ 3653 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3), 3654 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)}, 3655 /* Input known to need 566 divsteps starting with delta=1/2. */ 3656 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72), 3657 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)}, 3658 /* Input known to need 565 divsteps starting with delta=1/2. */ 3659 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4), 3660 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)}, 3661 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */ 3662 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e), 3663 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)}, 3664 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0), 3665 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)}, 3666 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9), 3667 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)}, 3668 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2), 3669 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)}, 3670 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905), 3671 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)}, 3672 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec), 3673 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)}, 3674 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816), 3675 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)}, 3676 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f), 3677 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)}, 3678 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a), 3679 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)}, 3680 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504), 3681 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)}, 3682 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7), 3683 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)}, 3684 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640), 3685 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)}, 3686 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03), 3687 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)}, 3688 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4), 3689 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)}, 3690 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730), 3691 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)}, 3692 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948), 3693 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)}, 3694 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f), 3695 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)}, 3696 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000), 3697 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)}, 3698 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9), 3699 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)}, 3700 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3), 3701 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)}, 3702 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189), 3703 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)}, 3704 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141), 3705 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)}, 3706 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13), 3707 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)}, 3708 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0), 3709 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)}, 3710 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785), 3711 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)}, 3712 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0), 3713 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)}, 3714 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265), 3715 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)}, 3716 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5), 3717 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)}, 3718 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8), 3719 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)} 3720 }; 3721 int i, var, testrand; 3722 unsigned char b32[32]; 3723 secp256k1_fe x_fe; 3724 secp256k1_scalar x_scalar; 3725 memset(b32, 0, sizeof(b32)); 3726 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */ 3727 for (i = 0; (size_t)i < ARRAY_SIZE(fe_cases); ++i) { 3728 for (var = 0; var <= 1; ++var) { 3729 test_inverse_field(&x_fe, &fe_cases[i][0], var); 3730 CHECK(fe_equal(&x_fe, &fe_cases[i][1])); 3731 test_inverse_field(&x_fe, &fe_cases[i][1], var); 3732 CHECK(fe_equal(&x_fe, &fe_cases[i][0])); 3733 } 3734 } 3735 for (i = 0; (size_t)i < ARRAY_SIZE(scalar_cases); ++i) { 3736 for (var = 0; var <= 1; ++var) { 3737 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var); 3738 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1])); 3739 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var); 3740 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0])); 3741 } 3742 } 3743 /* Test inputs 0..999 and their respective negations. */ 3744 for (i = 0; i < 1000; ++i) { 3745 b32[31] = i & 0xff; 3746 b32[30] = (i >> 8) & 0xff; 3747 secp256k1_scalar_set_b32(&x_scalar, b32, NULL); 3748 secp256k1_fe_set_b32_mod(&x_fe, b32); 3749 for (var = 0; var <= 1; ++var) { 3750 test_inverse_scalar(NULL, &x_scalar, var); 3751 test_inverse_field(NULL, &x_fe, var); 3752 } 3753 secp256k1_scalar_negate(&x_scalar, &x_scalar); 3754 secp256k1_fe_negate(&x_fe, &x_fe, 1); 3755 for (var = 0; var <= 1; ++var) { 3756 test_inverse_scalar(NULL, &x_scalar, var); 3757 test_inverse_field(NULL, &x_fe, var); 3758 } 3759 } 3760 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */ 3761 for (testrand = 0; testrand <= 1; ++testrand) { 3762 for (i = 0; i < 64 * COUNT; ++i) { 3763 (testrand ? testrand256_test : testrand256)(b32); 3764 secp256k1_scalar_set_b32(&x_scalar, b32, NULL); 3765 secp256k1_fe_set_b32_mod(&x_fe, b32); 3766 for (var = 0; var <= 1; ++var) { 3767 test_inverse_scalar(NULL, &x_scalar, var); 3768 test_inverse_field(NULL, &x_fe, var); 3769 } 3770 } 3771 } 3772 } 3773 3774 /***** HSORT TESTS *****/ 3775 3776 static void test_heap_swap(void) { 3777 unsigned char a[600]; 3778 unsigned char e[sizeof(a)]; 3779 memset(a, 21, 200); 3780 memset(a + 200, 99, 200); 3781 memset(a + 400, 42, 200); 3782 memset(e, 42, 200); 3783 memset(e + 200, 99, 200); 3784 memset(e + 400, 21, 200); 3785 secp256k1_heap_swap(a, 0, 2, 200); 3786 CHECK(secp256k1_memcmp_var(a, e, sizeof(a)) == 0); 3787 } 3788 3789 static void test_hsort_is_sorted(unsigned char *elements, size_t n, size_t len) { 3790 size_t i; 3791 for (i = 1; i < n; i++) { 3792 CHECK(secp256k1_memcmp_var(&elements[(i-1) * len], &elements[i * len], len) <= 0); 3793 } 3794 } 3795 3796 struct test_hsort_cmp_data { 3797 size_t counter; 3798 size_t element_len; 3799 }; 3800 3801 3802 static int test_hsort_cmp(const void *ele1, const void *ele2, void *data) { 3803 struct test_hsort_cmp_data *d = (struct test_hsort_cmp_data *) data; 3804 d->counter += 1; 3805 return secp256k1_memcmp_var((unsigned char *)ele1, (unsigned char *)ele2, d->element_len); 3806 } 3807 3808 #define NUM 65 3809 #define MAX_ELEMENT_LEN 65 3810 static void test_hsort(size_t element_len) { 3811 unsigned char elements[NUM * MAX_ELEMENT_LEN] = { 0 }; 3812 struct test_hsort_cmp_data data; 3813 int i; 3814 3815 VERIFY_CHECK(element_len <= MAX_ELEMENT_LEN); 3816 data.counter = 0; 3817 data.element_len = element_len; 3818 3819 secp256k1_hsort(elements, 0, element_len, test_hsort_cmp, &data); 3820 CHECK(data.counter == 0); 3821 secp256k1_hsort(elements, 1, element_len, test_hsort_cmp, &data); 3822 CHECK(data.counter == 0); 3823 secp256k1_hsort(elements, NUM, element_len, test_hsort_cmp, &data); 3824 CHECK(data.counter >= NUM - 1); 3825 test_hsort_is_sorted(elements, NUM, element_len); 3826 3827 /* Test hsort with array of random length n */ 3828 for (i = 0; i < COUNT; i++) { 3829 int n = testrand_int(NUM); 3830 testrand_bytes_test(elements, n*element_len); 3831 secp256k1_hsort(elements, n, element_len, test_hsort_cmp, &data); 3832 test_hsort_is_sorted(elements, n, element_len); 3833 } 3834 } 3835 #undef NUM 3836 #undef MAX_ELEMENT_LEN 3837 3838 3839 static void run_hsort_tests(void) { 3840 test_heap_swap(); 3841 test_hsort(1); 3842 test_hsort(64); 3843 test_hsort(65); 3844 } 3845 3846 /***** GROUP TESTS *****/ 3847 3848 /* This compares jacobian points including their Z, not just their geometric meaning. */ 3849 static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) { 3850 secp256k1_gej a2; 3851 secp256k1_gej b2; 3852 int ret = 1; 3853 ret &= a->infinity == b->infinity; 3854 if (ret && !a->infinity) { 3855 a2 = *a; 3856 b2 = *b; 3857 secp256k1_fe_normalize(&a2.x); 3858 secp256k1_fe_normalize(&a2.y); 3859 secp256k1_fe_normalize(&a2.z); 3860 secp256k1_fe_normalize(&b2.x); 3861 secp256k1_fe_normalize(&b2.y); 3862 secp256k1_fe_normalize(&b2.z); 3863 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0; 3864 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0; 3865 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0; 3866 } 3867 return ret; 3868 } 3869 3870 static void test_ge(void) { 3871 int i, i1; 3872 int runs = 6; 3873 /* 25 points are used: 3874 * - infinity 3875 * - for each of four random points p1 p2 p3 p4, we add the point, its 3876 * negation, and then those two again but with randomized Z coordinate. 3877 * - The same is then done for lambda*p1 and lambda^2*p1. 3878 */ 3879 secp256k1_ge *ge = checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs)); 3880 secp256k1_gej *gej = checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs)); 3881 secp256k1_fe zf, r; 3882 secp256k1_fe zfi2, zfi3; 3883 3884 secp256k1_gej_set_infinity(&gej[0]); 3885 secp256k1_ge_set_infinity(&ge[0]); 3886 for (i = 0; i < runs; i++) { 3887 int j, k; 3888 secp256k1_ge g; 3889 testutil_random_ge_test(&g); 3890 if (i >= runs - 2) { 3891 secp256k1_ge_mul_lambda(&g, &ge[1]); 3892 CHECK(!secp256k1_ge_eq_var(&g, &ge[1])); 3893 } 3894 if (i >= runs - 1) { 3895 secp256k1_ge_mul_lambda(&g, &g); 3896 } 3897 ge[1 + 4 * i] = g; 3898 ge[2 + 4 * i] = g; 3899 secp256k1_ge_neg(&ge[3 + 4 * i], &g); 3900 secp256k1_ge_neg(&ge[4 + 4 * i], &g); 3901 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]); 3902 testutil_random_ge_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]); 3903 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]); 3904 testutil_random_ge_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]); 3905 for (j = 0; j < 4; j++) { 3906 testutil_random_ge_x_magnitude(&ge[1 + j + 4 * i]); 3907 testutil_random_ge_y_magnitude(&ge[1 + j + 4 * i]); 3908 testutil_random_gej_x_magnitude(&gej[1 + j + 4 * i]); 3909 testutil_random_gej_y_magnitude(&gej[1 + j + 4 * i]); 3910 testutil_random_gej_z_magnitude(&gej[1 + j + 4 * i]); 3911 } 3912 3913 for (j = 0; j < 4; ++j) { 3914 for (k = 0; k < 4; ++k) { 3915 int expect_equal = (j >> 1) == (k >> 1); 3916 CHECK(secp256k1_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal); 3917 CHECK(secp256k1_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal); 3918 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal); 3919 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal); 3920 } 3921 } 3922 } 3923 3924 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */ 3925 testutil_random_fe_non_zero_test(&zf); 3926 testutil_random_fe_magnitude(&zf, 8); 3927 secp256k1_fe_inv_var(&zfi3, &zf); 3928 secp256k1_fe_sqr(&zfi2, &zfi3); 3929 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2); 3930 3931 /* Generate random r */ 3932 testutil_random_fe_non_zero_test(&r); 3933 3934 for (i1 = 0; i1 < 1 + 4 * runs; i1++) { 3935 int i2; 3936 for (i2 = 0; i2 < 1 + 4 * runs; i2++) { 3937 /* Compute reference result using gej + gej (var). */ 3938 secp256k1_gej refj, resj; 3939 secp256k1_ge ref; 3940 secp256k1_fe zr; 3941 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr); 3942 /* Check Z ratio. */ 3943 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) { 3944 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z); 3945 CHECK(secp256k1_fe_equal(&zrz, &refj.z)); 3946 } 3947 secp256k1_ge_set_gej_var(&ref, &refj); 3948 3949 /* Test gej + ge with Z ratio result (var). */ 3950 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr); 3951 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3952 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) { 3953 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z); 3954 CHECK(secp256k1_fe_equal(&zrz, &resj.z)); 3955 } 3956 3957 /* Test gej + ge (var, with additional Z factor). */ 3958 { 3959 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */ 3960 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2); 3961 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3); 3962 testutil_random_ge_x_magnitude(&ge2_zfi); 3963 testutil_random_ge_y_magnitude(&ge2_zfi); 3964 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf); 3965 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3966 } 3967 3968 /* Test gej + ge (const). */ 3969 if (i2 != 0) { 3970 /* secp256k1_gej_add_ge does not support its second argument being infinity. */ 3971 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]); 3972 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3973 } 3974 3975 /* Test doubling (var). */ 3976 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) { 3977 secp256k1_fe zr2; 3978 /* Normal doubling with Z ratio result. */ 3979 secp256k1_gej_double_var(&resj, &gej[i1], &zr2); 3980 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3981 /* Check Z ratio. */ 3982 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z); 3983 CHECK(secp256k1_fe_equal(&zr2, &resj.z)); 3984 /* Normal doubling. */ 3985 secp256k1_gej_double_var(&resj, &gej[i2], NULL); 3986 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3987 /* Constant-time doubling. */ 3988 secp256k1_gej_double(&resj, &gej[i2]); 3989 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3990 } 3991 3992 /* Test adding opposites. */ 3993 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) { 3994 CHECK(secp256k1_ge_is_infinity(&ref)); 3995 } 3996 3997 /* Test adding infinity. */ 3998 if (i1 == 0) { 3999 CHECK(secp256k1_ge_is_infinity(&ge[i1])); 4000 CHECK(secp256k1_gej_is_infinity(&gej[i1])); 4001 CHECK(secp256k1_gej_eq_ge_var(&gej[i2], &ref)); 4002 } 4003 if (i2 == 0) { 4004 CHECK(secp256k1_ge_is_infinity(&ge[i2])); 4005 CHECK(secp256k1_gej_is_infinity(&gej[i2])); 4006 CHECK(secp256k1_gej_eq_ge_var(&gej[i1], &ref)); 4007 } 4008 } 4009 } 4010 4011 /* Test adding all points together in random order equals infinity. */ 4012 { 4013 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY; 4014 secp256k1_gej *gej_shuffled = checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej)); 4015 for (i = 0; i < 4 * runs + 1; i++) { 4016 gej_shuffled[i] = gej[i]; 4017 } 4018 for (i = 0; i < 4 * runs + 1; i++) { 4019 int swap = i + testrand_int(4 * runs + 1 - i); 4020 if (swap != i) { 4021 secp256k1_gej t = gej_shuffled[i]; 4022 gej_shuffled[i] = gej_shuffled[swap]; 4023 gej_shuffled[swap] = t; 4024 } 4025 } 4026 for (i = 0; i < 4 * runs + 1; i++) { 4027 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL); 4028 } 4029 CHECK(secp256k1_gej_is_infinity(&sum)); 4030 free(gej_shuffled); 4031 } 4032 4033 /* Test batch gej -> ge conversion without known z ratios. */ 4034 { 4035 secp256k1_ge *ge_set_all_var = checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge)); 4036 secp256k1_ge *ge_set_all = checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge)); 4037 secp256k1_ge_set_all_gej_var(&ge_set_all_var[0], &gej[0], 4 * runs + 1); 4038 for (i = 0; i < 4 * runs + 1; i++) { 4039 secp256k1_fe s; 4040 testutil_random_fe_non_zero(&s); 4041 secp256k1_gej_rescale(&gej[i], &s); 4042 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all_var[i])); 4043 } 4044 4045 /* Skip infinity at &gej[0]. */ 4046 secp256k1_ge_set_all_gej(&ge_set_all[1], &gej[1], 4 * runs); 4047 for (i = 1; i < 4 * runs + 1; i++) { 4048 secp256k1_fe s; 4049 testutil_random_fe_non_zero(&s); 4050 secp256k1_gej_rescale(&gej[i], &s); 4051 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all[i])); 4052 CHECK(secp256k1_ge_eq_var(&ge_set_all_var[i], &ge_set_all[i])); 4053 } 4054 4055 /* Test with an array of length 1. */ 4056 secp256k1_ge_set_all_gej_var(ge_set_all_var, &gej[1], 1); 4057 secp256k1_ge_set_all_gej(ge_set_all, &gej[1], 1); 4058 CHECK(secp256k1_gej_eq_ge_var(&gej[1], &ge_set_all_var[1])); 4059 CHECK(secp256k1_gej_eq_ge_var(&gej[1], &ge_set_all[1])); 4060 CHECK(secp256k1_ge_eq_var(&ge_set_all_var[1], &ge_set_all[1])); 4061 4062 /* Test with an array of length 0. */ 4063 secp256k1_ge_set_all_gej_var(NULL, NULL, 0); 4064 secp256k1_ge_set_all_gej(NULL, NULL, 0); 4065 4066 free(ge_set_all_var); 4067 free(ge_set_all); 4068 } 4069 4070 /* Test that all elements have X coordinates on the curve. */ 4071 for (i = 1; i < 4 * runs + 1; i++) { 4072 secp256k1_fe n; 4073 CHECK(secp256k1_ge_x_on_curve_var(&ge[i].x)); 4074 /* And the same holds after random rescaling. */ 4075 secp256k1_fe_mul(&n, &zf, &ge[i].x); 4076 CHECK(secp256k1_ge_x_frac_on_curve_var(&n, &zf)); 4077 } 4078 4079 /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */ 4080 { 4081 secp256k1_fe n; 4082 secp256k1_ge q; 4083 int ret_on_curve, ret_frac_on_curve, ret_set_xo; 4084 secp256k1_fe_mul(&n, &zf, &r); 4085 ret_on_curve = secp256k1_ge_x_on_curve_var(&r); 4086 ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf); 4087 ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0); 4088 CHECK(ret_on_curve == ret_frac_on_curve); 4089 CHECK(ret_on_curve == ret_set_xo); 4090 if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x)); 4091 } 4092 4093 /* Test batch gej -> ge conversion with many infinities. */ 4094 for (i = 0; i < 4 * runs + 1; i++) { 4095 int odd; 4096 testutil_random_ge_test(&ge[i]); 4097 odd = secp256k1_fe_is_odd(&ge[i].x); 4098 CHECK(odd == 0 || odd == 1); 4099 /* randomly set half the points to infinity */ 4100 if (odd == i % 2) { 4101 secp256k1_ge_set_infinity(&ge[i]); 4102 } 4103 secp256k1_gej_set_ge(&gej[i], &ge[i]); 4104 } 4105 /* batch convert */ 4106 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1); 4107 /* check result */ 4108 for (i = 0; i < 4 * runs + 1; i++) { 4109 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge[i])); 4110 } 4111 4112 /* Test batch gej -> ge conversion with all infinities. */ 4113 for (i = 0; i < 4 * runs + 1; i++) { 4114 secp256k1_gej_set_infinity(&gej[i]); 4115 } 4116 /* batch convert */ 4117 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1); 4118 /* check result */ 4119 for (i = 0; i < 4 * runs + 1; i++) { 4120 CHECK(secp256k1_ge_is_infinity(&ge[i])); 4121 } 4122 4123 free(ge); 4124 free(gej); 4125 } 4126 4127 static void test_initialized_inf(void) { 4128 secp256k1_ge p; 4129 secp256k1_gej pj, npj, infj1, infj2, infj3; 4130 secp256k1_fe zinv; 4131 4132 /* Test that adding P+(-P) results in a fully initialized infinity*/ 4133 testutil_random_ge_test(&p); 4134 secp256k1_gej_set_ge(&pj, &p); 4135 secp256k1_gej_neg(&npj, &pj); 4136 4137 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL); 4138 CHECK(secp256k1_gej_is_infinity(&infj1)); 4139 CHECK(secp256k1_fe_is_zero(&infj1.x)); 4140 CHECK(secp256k1_fe_is_zero(&infj1.y)); 4141 CHECK(secp256k1_fe_is_zero(&infj1.z)); 4142 4143 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL); 4144 CHECK(secp256k1_gej_is_infinity(&infj2)); 4145 CHECK(secp256k1_fe_is_zero(&infj2.x)); 4146 CHECK(secp256k1_fe_is_zero(&infj2.y)); 4147 CHECK(secp256k1_fe_is_zero(&infj2.z)); 4148 4149 secp256k1_fe_set_int(&zinv, 1); 4150 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv); 4151 CHECK(secp256k1_gej_is_infinity(&infj3)); 4152 CHECK(secp256k1_fe_is_zero(&infj3.x)); 4153 CHECK(secp256k1_fe_is_zero(&infj3.y)); 4154 CHECK(secp256k1_fe_is_zero(&infj3.z)); 4155 4156 4157 } 4158 4159 static void test_add_neg_y_diff_x(void) { 4160 /* The point of this test is to check that we can add two points 4161 * whose y-coordinates are negatives of each other but whose x 4162 * coordinates differ. If the x-coordinates were the same, these 4163 * points would be negatives of each other and their sum is 4164 * infinity. This is cool because it "covers up" any degeneracy 4165 * in the addition algorithm that would cause the xy coordinates 4166 * of the sum to be wrong (since infinity has no xy coordinates). 4167 * HOWEVER, if the x-coordinates are different, infinity is the 4168 * wrong answer, and such degeneracies are exposed. This is the 4169 * root of https://github.com/bitcoin-core/secp256k1/issues/257 4170 * which this test is a regression test for. 4171 * 4172 * These points were generated in sage as 4173 * 4174 * load("secp256k1_params.sage") 4175 * 4176 * # random "bad pair" 4177 * P = C.random_element() 4178 * Q = -int(LAMBDA) * P 4179 * print(" P: %x %x" % P.xy()) 4180 * print(" Q: %x %x" % Q.xy()) 4181 * print("P + Q: %x %x" % (P + Q).xy()) 4182 */ 4183 secp256k1_gej aj = SECP256K1_GEJ_CONST( 4184 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30, 4185 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb, 4186 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8, 4187 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d 4188 ); 4189 secp256k1_gej bj = SECP256K1_GEJ_CONST( 4190 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86, 4191 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7, 4192 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57, 4193 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2 4194 ); 4195 secp256k1_gej sumj = SECP256K1_GEJ_CONST( 4196 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027, 4197 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a, 4198 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08, 4199 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe 4200 ); 4201 secp256k1_ge b; 4202 secp256k1_gej resj; 4203 secp256k1_ge res; 4204 secp256k1_ge_set_gej(&b, &bj); 4205 4206 secp256k1_gej_add_var(&resj, &aj, &bj, NULL); 4207 secp256k1_ge_set_gej(&res, &resj); 4208 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res)); 4209 4210 secp256k1_gej_add_ge(&resj, &aj, &b); 4211 secp256k1_ge_set_gej(&res, &resj); 4212 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res)); 4213 4214 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL); 4215 secp256k1_ge_set_gej(&res, &resj); 4216 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res)); 4217 } 4218 4219 static void test_ge_bytes(void) { 4220 int i; 4221 4222 for (i = 0; i < COUNT + 1; i++) { 4223 unsigned char buf[64]; 4224 secp256k1_ge p, q; 4225 4226 if (i == 0) { 4227 secp256k1_ge_set_infinity(&p); 4228 } else { 4229 testutil_random_ge_test(&p); 4230 } 4231 4232 if (!secp256k1_ge_is_infinity(&p)) { 4233 secp256k1_ge_to_bytes(buf, &p); 4234 4235 secp256k1_ge_from_bytes(&q, buf); 4236 CHECK(secp256k1_ge_eq_var(&p, &q)); 4237 4238 secp256k1_ge_from_bytes_ext(&q, buf); 4239 CHECK(secp256k1_ge_eq_var(&p, &q)); 4240 } 4241 secp256k1_ge_to_bytes_ext(buf, &p); 4242 secp256k1_ge_from_bytes_ext(&q, buf); 4243 CHECK(secp256k1_ge_eq_var(&p, &q)); 4244 } 4245 } 4246 4247 static void run_ge(void) { 4248 int i; 4249 for (i = 0; i < COUNT * 32; i++) { 4250 test_ge(); 4251 } 4252 test_add_neg_y_diff_x(); 4253 test_initialized_inf(); 4254 test_ge_bytes(); 4255 } 4256 4257 static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) { 4258 secp256k1_gej t = *a; 4259 secp256k1_gej_cmov(&t, b, 0); 4260 CHECK(gej_xyz_equals_gej(&t, a)); 4261 secp256k1_gej_cmov(&t, b, 1); 4262 CHECK(gej_xyz_equals_gej(&t, b)); 4263 } 4264 4265 static void run_gej(void) { 4266 int i; 4267 secp256k1_gej a, b; 4268 4269 /* Tests for secp256k1_gej_cmov */ 4270 for (i = 0; i < COUNT; i++) { 4271 secp256k1_gej_set_infinity(&a); 4272 secp256k1_gej_set_infinity(&b); 4273 test_gej_cmov(&a, &b); 4274 4275 testutil_random_gej_test(&a); 4276 test_gej_cmov(&a, &b); 4277 test_gej_cmov(&b, &a); 4278 4279 b = a; 4280 test_gej_cmov(&a, &b); 4281 4282 testutil_random_gej_test(&b); 4283 test_gej_cmov(&a, &b); 4284 test_gej_cmov(&b, &a); 4285 } 4286 4287 /* Tests for secp256k1_gej_eq_var */ 4288 for (i = 0; i < COUNT; i++) { 4289 secp256k1_fe fe; 4290 testutil_random_gej_test(&a); 4291 testutil_random_gej_test(&b); 4292 CHECK(!secp256k1_gej_eq_var(&a, &b)); 4293 4294 b = a; 4295 testutil_random_fe_non_zero_test(&fe); 4296 secp256k1_gej_rescale(&a, &fe); 4297 CHECK(secp256k1_gej_eq_var(&a, &b)); 4298 } 4299 } 4300 4301 static void test_ec_combine(void) { 4302 secp256k1_scalar sum = secp256k1_scalar_zero; 4303 secp256k1_pubkey data[6]; 4304 const secp256k1_pubkey* d[6]; 4305 secp256k1_pubkey sd; 4306 secp256k1_pubkey sd2; 4307 secp256k1_gej Qj; 4308 secp256k1_ge Q; 4309 int i; 4310 for (i = 1; i <= 6; i++) { 4311 secp256k1_scalar s; 4312 testutil_random_scalar_order_test(&s); 4313 secp256k1_scalar_add(&sum, &sum, &s); 4314 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &s); 4315 secp256k1_ge_set_gej(&Q, &Qj); 4316 secp256k1_pubkey_save(&data[i - 1], &Q); 4317 d[i - 1] = &data[i - 1]; 4318 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &sum); 4319 secp256k1_ge_set_gej(&Q, &Qj); 4320 secp256k1_pubkey_save(&sd, &Q); 4321 CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1); 4322 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0); 4323 } 4324 } 4325 4326 static void run_ec_combine(void) { 4327 int i; 4328 for (i = 0; i < COUNT * 8; i++) { 4329 test_ec_combine(); 4330 } 4331 } 4332 4333 static void test_group_decompress(const secp256k1_fe* x) { 4334 /* The input itself, normalized. */ 4335 secp256k1_fe fex = *x; 4336 /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */ 4337 secp256k1_ge ge_even, ge_odd; 4338 /* Return values of the above calls. */ 4339 int res_even, res_odd; 4340 4341 secp256k1_fe_normalize_var(&fex); 4342 4343 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0); 4344 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1); 4345 4346 CHECK(res_even == res_odd); 4347 4348 if (res_even) { 4349 secp256k1_fe_normalize_var(&ge_odd.x); 4350 secp256k1_fe_normalize_var(&ge_even.x); 4351 secp256k1_fe_normalize_var(&ge_odd.y); 4352 secp256k1_fe_normalize_var(&ge_even.y); 4353 4354 /* No infinity allowed. */ 4355 CHECK(!secp256k1_ge_is_infinity(&ge_even)); 4356 CHECK(!secp256k1_ge_is_infinity(&ge_odd)); 4357 4358 /* Check that the x coordinates check out. */ 4359 CHECK(secp256k1_fe_equal(&ge_even.x, x)); 4360 CHECK(secp256k1_fe_equal(&ge_odd.x, x)); 4361 4362 /* Check odd/even Y in ge_odd, ge_even. */ 4363 CHECK(secp256k1_fe_is_odd(&ge_odd.y)); 4364 CHECK(!secp256k1_fe_is_odd(&ge_even.y)); 4365 } 4366 } 4367 4368 static void run_group_decompress(void) { 4369 int i; 4370 for (i = 0; i < COUNT * 4; i++) { 4371 secp256k1_fe fe; 4372 testutil_random_fe_test(&fe); 4373 test_group_decompress(&fe); 4374 } 4375 } 4376 4377 /***** ECMULT TESTS *****/ 4378 4379 static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) { 4380 /* Tests the pre_g / pre_g_128 tables for consistency. 4381 * For independent verification we take a "geometric" approach to verification. 4382 * We check that every entry is on-curve. 4383 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking 4384 * (1) p, gg, and -q are colinear. 4385 * (2) p, gg, and -q are all distinct. 4386 * where gg is twice the generator, where the generator is the first table entry. 4387 * 4388 * Checking the table's generators are correct is done in run_ecmult_pre_g. 4389 */ 4390 secp256k1_gej g2; 4391 secp256k1_ge p, q, gg; 4392 secp256k1_fe dpx, dpy, dqx, dqy; 4393 size_t i; 4394 4395 CHECK(0 < n); 4396 4397 secp256k1_ge_from_storage(&p, &pre_g[0]); 4398 CHECK(secp256k1_ge_is_valid_var(&p)); 4399 4400 secp256k1_gej_set_ge(&g2, &p); 4401 secp256k1_gej_double_var(&g2, &g2, NULL); 4402 secp256k1_ge_set_gej_var(&gg, &g2); 4403 for (i = 1; i < n; ++i) { 4404 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx); 4405 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy); 4406 /* Check that p is not equal to gg */ 4407 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy)); 4408 4409 secp256k1_ge_from_storage(&q, &pre_g[i]); 4410 CHECK(secp256k1_ge_is_valid_var(&q)); 4411 4412 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x); 4413 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y); 4414 /* Check that -q is not equal to gg */ 4415 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy)); 4416 4417 /* Check that -q is not equal to p */ 4418 CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy)); 4419 4420 /* Check that p, -q and gg are colinear */ 4421 secp256k1_fe_mul(&dpx, &dpx, &dqy); 4422 secp256k1_fe_mul(&dpy, &dpy, &dqx); 4423 CHECK(secp256k1_fe_equal(&dpx, &dpy)); 4424 4425 p = q; 4426 } 4427 } 4428 4429 static void run_ecmult_pre_g(void) { 4430 secp256k1_ge_storage gs; 4431 secp256k1_gej gj; 4432 secp256k1_ge g; 4433 size_t i; 4434 4435 /* Check that the pre_g and pre_g_128 tables are consistent. */ 4436 test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G)); 4437 test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G)); 4438 4439 /* Check the first entry from the pre_g table. */ 4440 secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g); 4441 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0); 4442 4443 /* Check the first entry from the pre_g_128 table. */ 4444 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g); 4445 for (i = 0; i < 128; ++i) { 4446 secp256k1_gej_double_var(&gj, &gj, NULL); 4447 } 4448 secp256k1_ge_set_gej(&g, &gj); 4449 secp256k1_ge_to_storage(&gs, &g); 4450 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0); 4451 } 4452 4453 static void run_ecmult_chain(void) { 4454 /* random starting point A (on the curve) */ 4455 secp256k1_gej a = SECP256K1_GEJ_CONST( 4456 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3, 4457 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004, 4458 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f, 4459 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f 4460 ); 4461 /* two random initial factors xn and gn */ 4462 secp256k1_scalar xn = SECP256K1_SCALAR_CONST( 4463 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c, 4464 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407 4465 ); 4466 secp256k1_scalar gn = SECP256K1_SCALAR_CONST( 4467 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9, 4468 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de 4469 ); 4470 /* two small multipliers to be applied to xn and gn in every iteration: */ 4471 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337); 4472 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113); 4473 /* accumulators with the resulting coefficients to A and G */ 4474 secp256k1_scalar ae = secp256k1_scalar_one; 4475 secp256k1_scalar ge = secp256k1_scalar_zero; 4476 /* actual points */ 4477 secp256k1_gej x; 4478 secp256k1_gej x2; 4479 int i; 4480 4481 /* the point being computed */ 4482 x = a; 4483 for (i = 0; i < 200*COUNT; i++) { 4484 /* in each iteration, compute X = xn*X + gn*G; */ 4485 secp256k1_ecmult(&x, &x, &xn, &gn); 4486 /* also compute ae and ge: the actual accumulated factors for A and G */ 4487 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */ 4488 secp256k1_scalar_mul(&ae, &ae, &xn); 4489 secp256k1_scalar_mul(&ge, &ge, &xn); 4490 secp256k1_scalar_add(&ge, &ge, &gn); 4491 /* modify xn and gn */ 4492 secp256k1_scalar_mul(&xn, &xn, &xf); 4493 secp256k1_scalar_mul(&gn, &gn, &gf); 4494 4495 /* verify */ 4496 if (i == 19999) { 4497 /* expected result after 19999 iterations */ 4498 secp256k1_gej rp = SECP256K1_GEJ_CONST( 4499 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE, 4500 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830, 4501 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D, 4502 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88 4503 ); 4504 CHECK(secp256k1_gej_eq_var(&rp, &x)); 4505 } 4506 } 4507 /* redo the computation, but directly with the resulting ae and ge coefficients: */ 4508 secp256k1_ecmult(&x2, &a, &ae, &ge); 4509 CHECK(secp256k1_gej_eq_var(&x, &x2)); 4510 } 4511 4512 static void test_point_times_order(const secp256k1_gej *point) { 4513 /* X * (point + G) + (order-X) * (pointer + G) = 0 */ 4514 secp256k1_scalar x; 4515 secp256k1_scalar nx; 4516 secp256k1_gej res1, res2; 4517 secp256k1_ge res3; 4518 testutil_random_scalar_order_test(&x); 4519 secp256k1_scalar_negate(&nx, &x); 4520 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */ 4521 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */ 4522 secp256k1_gej_add_var(&res1, &res1, &res2, NULL); 4523 CHECK(secp256k1_gej_is_infinity(&res1)); 4524 secp256k1_ge_set_gej(&res3, &res1); 4525 CHECK(secp256k1_ge_is_infinity(&res3)); 4526 CHECK(secp256k1_ge_is_valid_var(&res3) == 0); 4527 /* check zero/one edge cases */ 4528 secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_zero); 4529 secp256k1_ecmult(&res2, point, &secp256k1_scalar_zero, NULL); 4530 secp256k1_ge_set_gej(&res3, &res1); 4531 CHECK(secp256k1_gej_is_infinity(&res1)); 4532 CHECK(secp256k1_gej_is_infinity(&res2)); 4533 CHECK(secp256k1_ge_is_infinity(&res3)); 4534 4535 secp256k1_ecmult(&res1, point, &secp256k1_scalar_one, &secp256k1_scalar_zero); 4536 secp256k1_ecmult(&res2, point, &secp256k1_scalar_one, NULL); 4537 secp256k1_ge_set_gej(&res3, &res1); 4538 CHECK(secp256k1_gej_eq_ge_var(point, &res3)); 4539 secp256k1_ge_set_gej(&res3, &res2); 4540 CHECK(secp256k1_gej_eq_ge_var(point, &res3)); 4541 4542 secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_one); 4543 secp256k1_ge_set_gej(&res3, &res1); 4544 CHECK(secp256k1_ge_eq_var(&secp256k1_ge_const_g, &res3)); 4545 } 4546 4547 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda. 4548 * 4549 * They are computed as: 4550 * - For a in [-2, -1, 0, 1, 2]: 4551 * - For b in [-3, -1, 1, 3]: 4552 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER 4553 */ 4554 static const secp256k1_scalar scalars_near_split_bounds[20] = { 4555 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc), 4556 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd), 4557 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe), 4558 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff), 4559 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d), 4560 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e), 4561 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f), 4562 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330), 4563 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f), 4564 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0), 4565 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1), 4566 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2), 4567 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11), 4568 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12), 4569 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13), 4570 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14), 4571 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42), 4572 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43), 4573 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44), 4574 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45) 4575 }; 4576 4577 static void test_ecmult_target(const secp256k1_scalar* target, int mode) { 4578 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */ 4579 secp256k1_scalar n1, n2; 4580 secp256k1_ge p; 4581 secp256k1_gej pj, p1j, p2j, ptj; 4582 4583 /* Generate random n1,n2 such that n1+n2 = -target. */ 4584 testutil_random_scalar_order_test(&n1); 4585 secp256k1_scalar_add(&n2, &n1, target); 4586 secp256k1_scalar_negate(&n2, &n2); 4587 4588 /* Generate a random input point. */ 4589 if (mode != 0) { 4590 testutil_random_ge_test(&p); 4591 secp256k1_gej_set_ge(&pj, &p); 4592 } 4593 4594 /* EC multiplications */ 4595 if (mode == 0) { 4596 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1); 4597 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2); 4598 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target); 4599 } else if (mode == 1) { 4600 secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero); 4601 secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero); 4602 secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero); 4603 } else { 4604 secp256k1_ecmult_const(&p1j, &p, &n1); 4605 secp256k1_ecmult_const(&p2j, &p, &n2); 4606 secp256k1_ecmult_const(&ptj, &p, target); 4607 } 4608 4609 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */ 4610 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL); 4611 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL); 4612 CHECK(secp256k1_gej_is_infinity(&ptj)); 4613 } 4614 4615 static void run_ecmult_near_split_bound(void) { 4616 int i; 4617 unsigned j; 4618 for (i = 0; i < 4*COUNT; ++i) { 4619 for (j = 0; j < ARRAY_SIZE(scalars_near_split_bounds); ++j) { 4620 test_ecmult_target(&scalars_near_split_bounds[j], 0); 4621 test_ecmult_target(&scalars_near_split_bounds[j], 1); 4622 test_ecmult_target(&scalars_near_split_bounds[j], 2); 4623 } 4624 } 4625 } 4626 4627 static void run_point_times_order(void) { 4628 int i; 4629 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2); 4630 static const secp256k1_fe xr = SECP256K1_FE_CONST( 4631 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C, 4632 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45 4633 ); 4634 for (i = 0; i < 500; i++) { 4635 secp256k1_ge p; 4636 if (secp256k1_ge_set_xo_var(&p, &x, 1)) { 4637 secp256k1_gej j; 4638 CHECK(secp256k1_ge_is_valid_var(&p)); 4639 secp256k1_gej_set_ge(&j, &p); 4640 test_point_times_order(&j); 4641 } 4642 secp256k1_fe_sqr(&x, &x); 4643 } 4644 secp256k1_fe_normalize_var(&x); 4645 CHECK(secp256k1_fe_equal(&x, &xr)); 4646 } 4647 4648 static void ecmult_const_random_mult(void) { 4649 /* random starting point A (on the curve) */ 4650 secp256k1_ge a = SECP256K1_GE_CONST( 4651 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b, 4652 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a, 4653 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c, 4654 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d 4655 ); 4656 /* random initial factor xn */ 4657 secp256k1_scalar xn = SECP256K1_SCALAR_CONST( 4658 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327, 4659 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b 4660 ); 4661 /* expected xn * A (from sage) */ 4662 secp256k1_ge expected_b = SECP256K1_GE_CONST( 4663 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd, 4664 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786, 4665 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f, 4666 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956 4667 ); 4668 secp256k1_gej b; 4669 secp256k1_ecmult_const(&b, &a, &xn); 4670 4671 CHECK(secp256k1_ge_is_valid_var(&a)); 4672 CHECK(secp256k1_gej_eq_ge_var(&b, &expected_b)); 4673 } 4674 4675 static void ecmult_const_commutativity(void) { 4676 secp256k1_scalar a; 4677 secp256k1_scalar b; 4678 secp256k1_gej res1; 4679 secp256k1_gej res2; 4680 secp256k1_ge mid1; 4681 secp256k1_ge mid2; 4682 testutil_random_scalar_order_test(&a); 4683 testutil_random_scalar_order_test(&b); 4684 4685 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a); 4686 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b); 4687 secp256k1_ge_set_gej(&mid1, &res1); 4688 secp256k1_ge_set_gej(&mid2, &res2); 4689 secp256k1_ecmult_const(&res1, &mid1, &b); 4690 secp256k1_ecmult_const(&res2, &mid2, &a); 4691 secp256k1_ge_set_gej(&mid1, &res1); 4692 secp256k1_ge_set_gej(&mid2, &res2); 4693 CHECK(secp256k1_ge_eq_var(&mid1, &mid2)); 4694 } 4695 4696 static void ecmult_const_mult_zero_one(void) { 4697 secp256k1_scalar s; 4698 secp256k1_scalar negone; 4699 secp256k1_gej res1; 4700 secp256k1_ge res2; 4701 secp256k1_ge point; 4702 secp256k1_ge inf; 4703 4704 testutil_random_scalar_order_test(&s); 4705 secp256k1_scalar_negate(&negone, &secp256k1_scalar_one); 4706 testutil_random_ge_test(&point); 4707 secp256k1_ge_set_infinity(&inf); 4708 4709 /* 0*point */ 4710 secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_zero); 4711 CHECK(secp256k1_gej_is_infinity(&res1)); 4712 4713 /* s*inf */ 4714 secp256k1_ecmult_const(&res1, &inf, &s); 4715 CHECK(secp256k1_gej_is_infinity(&res1)); 4716 4717 /* 1*point */ 4718 secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_one); 4719 secp256k1_ge_set_gej(&res2, &res1); 4720 CHECK(secp256k1_ge_eq_var(&res2, &point)); 4721 4722 /* -1*point */ 4723 secp256k1_ecmult_const(&res1, &point, &negone); 4724 secp256k1_gej_neg(&res1, &res1); 4725 secp256k1_ge_set_gej(&res2, &res1); 4726 CHECK(secp256k1_ge_eq_var(&res2, &point)); 4727 } 4728 4729 static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) { 4730 secp256k1_gej pointj, res2j; 4731 secp256k1_ge res2; 4732 secp256k1_gej_set_ge(&pointj, A); 4733 secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero); 4734 secp256k1_ge_set_gej(&res2, &res2j); 4735 CHECK(secp256k1_gej_eq_ge_var(res, &res2)); 4736 } 4737 4738 static void ecmult_const_edges(void) { 4739 secp256k1_scalar q; 4740 secp256k1_ge point; 4741 secp256k1_gej res; 4742 size_t i; 4743 size_t cases = 1 + ARRAY_SIZE(scalars_near_split_bounds); 4744 4745 /* We are trying to reach the following edge cases (variables are defined as 4746 * in ecmult_const_impl.h): 4747 * 1. i = 0: s = 0 <=> q = -K 4748 * 2. i > 0: v1, v2 large values 4749 * <=> s1, s2 large values 4750 * <=> s = scalars_near_split_bounds[i] 4751 * <=> q = 2*scalars_near_split_bounds[i] - K 4752 */ 4753 for (i = 0; i < cases; ++i) { 4754 secp256k1_scalar_negate(&q, &secp256k1_ecmult_const_K); 4755 if (i > 0) { 4756 secp256k1_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]); 4757 secp256k1_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]); 4758 } 4759 testutil_random_ge_test(&point); 4760 secp256k1_ecmult_const(&res, &point, &q); 4761 ecmult_const_check_result(&point, &q, &res); 4762 } 4763 } 4764 4765 static void ecmult_const_mult_xonly(void) { 4766 int i; 4767 4768 /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */ 4769 for (i = 0; i < 2*COUNT; ++i) { 4770 secp256k1_ge base; 4771 secp256k1_gej basej, resj; 4772 secp256k1_fe n, d, resx, v; 4773 secp256k1_scalar q; 4774 int res; 4775 /* Random base point. */ 4776 testutil_random_ge_test(&base); 4777 /* Random scalar to multiply it with. */ 4778 testutil_random_scalar_order_test(&q); 4779 /* If i is odd, n=d*base.x for random non-zero d */ 4780 if (i & 1) { 4781 testutil_random_fe_non_zero_test(&d); 4782 secp256k1_fe_mul(&n, &base.x, &d); 4783 } else { 4784 n = base.x; 4785 } 4786 /* Perform x-only multiplication. */ 4787 res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2); 4788 CHECK(res); 4789 /* Perform normal multiplication. */ 4790 secp256k1_gej_set_ge(&basej, &base); 4791 secp256k1_ecmult(&resj, &basej, &q, NULL); 4792 /* Check that resj's X coordinate corresponds with resx. */ 4793 secp256k1_fe_sqr(&v, &resj.z); 4794 secp256k1_fe_mul(&v, &v, &resx); 4795 CHECK(fe_equal(&v, &resj.x)); 4796 } 4797 4798 /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */ 4799 for (i = 0; i < 2*COUNT; ++i) { 4800 secp256k1_fe x, n, d, r; 4801 int res; 4802 secp256k1_scalar q; 4803 testutil_random_scalar_order_test(&q); 4804 /* Generate random X coordinate not on the curve. */ 4805 do { 4806 testutil_random_fe_test(&x); 4807 } while (secp256k1_ge_x_on_curve_var(&x)); 4808 /* If i is odd, n=d*x for random non-zero d. */ 4809 if (i & 1) { 4810 testutil_random_fe_non_zero_test(&d); 4811 secp256k1_fe_mul(&n, &x, &d); 4812 } else { 4813 n = x; 4814 } 4815 res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0); 4816 CHECK(res == 0); 4817 } 4818 } 4819 4820 static void ecmult_const_chain_multiply(void) { 4821 /* Check known result (randomly generated test problem from sage) */ 4822 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST( 4823 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d, 4824 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b 4825 ); 4826 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST( 4827 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd, 4828 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f, 4829 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196, 4830 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435 4831 ); 4832 secp256k1_gej point; 4833 secp256k1_ge res; 4834 int i; 4835 4836 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g); 4837 for (i = 0; i < 100; ++i) { 4838 secp256k1_ge tmp; 4839 secp256k1_ge_set_gej(&tmp, &point); 4840 secp256k1_ecmult_const(&point, &tmp, &scalar); 4841 } 4842 secp256k1_ge_set_gej(&res, &point); 4843 CHECK(secp256k1_gej_eq_ge_var(&expected_point, &res)); 4844 } 4845 4846 static void run_ecmult_const_tests(void) { 4847 ecmult_const_mult_zero_one(); 4848 ecmult_const_edges(); 4849 ecmult_const_random_mult(); 4850 ecmult_const_commutativity(); 4851 ecmult_const_chain_multiply(); 4852 ecmult_const_mult_xonly(); 4853 } 4854 4855 typedef struct { 4856 secp256k1_scalar *sc; 4857 secp256k1_ge *pt; 4858 } ecmult_multi_data; 4859 4860 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) { 4861 ecmult_multi_data *data = (ecmult_multi_data*) cbdata; 4862 *sc = data->sc[idx]; 4863 *pt = data->pt[idx]; 4864 return 1; 4865 } 4866 4867 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) { 4868 (void)sc; 4869 (void)pt; 4870 (void)idx; 4871 (void)cbdata; 4872 return 0; 4873 } 4874 4875 static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) { 4876 int ncount; 4877 secp256k1_scalar sc[32]; 4878 secp256k1_ge pt[32]; 4879 secp256k1_gej r; 4880 secp256k1_gej r2; 4881 ecmult_multi_data data; 4882 4883 data.sc = sc; 4884 data.pt = pt; 4885 4886 /* No points to multiply */ 4887 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0)); 4888 4889 /* Check 1- and 2-point multiplies against ecmult */ 4890 for (ncount = 0; ncount < COUNT; ncount++) { 4891 secp256k1_ge ptg; 4892 secp256k1_gej ptgj; 4893 testutil_random_scalar_order(&sc[0]); 4894 testutil_random_scalar_order(&sc[1]); 4895 4896 testutil_random_ge_test(&ptg); 4897 secp256k1_gej_set_ge(&ptgj, &ptg); 4898 pt[0] = ptg; 4899 pt[1] = secp256k1_ge_const_g; 4900 4901 /* only G scalar */ 4902 secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]); 4903 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0)); 4904 CHECK(secp256k1_gej_eq_var(&r, &r2)); 4905 4906 /* 1-point */ 4907 secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero); 4908 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1)); 4909 CHECK(secp256k1_gej_eq_var(&r, &r2)); 4910 4911 /* Try to multiply 1 point, but callback returns false */ 4912 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1)); 4913 4914 /* 2-point */ 4915 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]); 4916 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2)); 4917 CHECK(secp256k1_gej_eq_var(&r, &r2)); 4918 4919 /* 2-point with G scalar */ 4920 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]); 4921 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1)); 4922 CHECK(secp256k1_gej_eq_var(&r, &r2)); 4923 } 4924 4925 /* Check infinite outputs of various forms */ 4926 for (ncount = 0; ncount < COUNT; ncount++) { 4927 secp256k1_ge ptg; 4928 size_t i, j; 4929 size_t sizes[] = { 2, 10, 32 }; 4930 4931 for (j = 0; j < 3; j++) { 4932 for (i = 0; i < 32; i++) { 4933 testutil_random_scalar_order(&sc[i]); 4934 secp256k1_ge_set_infinity(&pt[i]); 4935 } 4936 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4937 CHECK(secp256k1_gej_is_infinity(&r)); 4938 } 4939 4940 for (j = 0; j < 3; j++) { 4941 for (i = 0; i < 32; i++) { 4942 testutil_random_ge_test(&ptg); 4943 pt[i] = ptg; 4944 secp256k1_scalar_set_int(&sc[i], 0); 4945 } 4946 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4947 CHECK(secp256k1_gej_is_infinity(&r)); 4948 } 4949 4950 for (j = 0; j < 3; j++) { 4951 testutil_random_ge_test(&ptg); 4952 for (i = 0; i < 16; i++) { 4953 testutil_random_scalar_order(&sc[2*i]); 4954 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]); 4955 pt[2 * i] = ptg; 4956 pt[2 * i + 1] = ptg; 4957 } 4958 4959 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4960 CHECK(secp256k1_gej_is_infinity(&r)); 4961 4962 testutil_random_scalar_order(&sc[0]); 4963 for (i = 0; i < 16; i++) { 4964 testutil_random_ge_test(&ptg); 4965 4966 sc[2*i] = sc[0]; 4967 sc[2*i+1] = sc[0]; 4968 pt[2 * i] = ptg; 4969 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]); 4970 } 4971 4972 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4973 CHECK(secp256k1_gej_is_infinity(&r)); 4974 } 4975 4976 testutil_random_ge_test(&ptg); 4977 secp256k1_scalar_set_int(&sc[0], 0); 4978 pt[0] = ptg; 4979 for (i = 1; i < 32; i++) { 4980 pt[i] = ptg; 4981 4982 testutil_random_scalar_order(&sc[i]); 4983 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]); 4984 secp256k1_scalar_negate(&sc[i], &sc[i]); 4985 } 4986 4987 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32)); 4988 CHECK(secp256k1_gej_is_infinity(&r)); 4989 } 4990 4991 /* Check random points, constant scalar */ 4992 for (ncount = 0; ncount < COUNT; ncount++) { 4993 size_t i; 4994 secp256k1_gej_set_infinity(&r); 4995 4996 testutil_random_scalar_order(&sc[0]); 4997 for (i = 0; i < 20; i++) { 4998 secp256k1_ge ptg; 4999 sc[i] = sc[0]; 5000 testutil_random_ge_test(&ptg); 5001 pt[i] = ptg; 5002 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL); 5003 } 5004 5005 secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero); 5006 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20)); 5007 CHECK(secp256k1_gej_eq_var(&r, &r2)); 5008 } 5009 5010 /* Check random scalars, constant point */ 5011 for (ncount = 0; ncount < COUNT; ncount++) { 5012 size_t i; 5013 secp256k1_ge ptg; 5014 secp256k1_gej p0j; 5015 secp256k1_scalar rs; 5016 secp256k1_scalar_set_int(&rs, 0); 5017 5018 testutil_random_ge_test(&ptg); 5019 for (i = 0; i < 20; i++) { 5020 testutil_random_scalar_order(&sc[i]); 5021 pt[i] = ptg; 5022 secp256k1_scalar_add(&rs, &rs, &sc[i]); 5023 } 5024 5025 secp256k1_gej_set_ge(&p0j, &pt[0]); 5026 secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero); 5027 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20)); 5028 CHECK(secp256k1_gej_eq_var(&r, &r2)); 5029 } 5030 5031 /* Sanity check that zero scalars don't cause problems */ 5032 for (ncount = 0; ncount < 20; ncount++) { 5033 testutil_random_scalar_order(&sc[ncount]); 5034 testutil_random_ge_test(&pt[ncount]); 5035 } 5036 5037 secp256k1_scalar_set_int(&sc[0], 0); 5038 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20)); 5039 secp256k1_scalar_set_int(&sc[1], 0); 5040 secp256k1_scalar_set_int(&sc[2], 0); 5041 secp256k1_scalar_set_int(&sc[3], 0); 5042 secp256k1_scalar_set_int(&sc[4], 0); 5043 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6)); 5044 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5)); 5045 CHECK(secp256k1_gej_is_infinity(&r)); 5046 5047 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */ 5048 { 5049 const size_t TOP = 8; 5050 size_t s0i, s1i; 5051 size_t t0i, t1i; 5052 secp256k1_ge ptg; 5053 secp256k1_gej ptgj; 5054 5055 testutil_random_ge_test(&ptg); 5056 secp256k1_gej_set_ge(&ptgj, &ptg); 5057 5058 for(t0i = 0; t0i < TOP; t0i++) { 5059 for(t1i = 0; t1i < TOP; t1i++) { 5060 secp256k1_gej t0p, t1p; 5061 secp256k1_scalar t0, t1; 5062 5063 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2); 5064 secp256k1_scalar_cond_negate(&t0, t0i & 1); 5065 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2); 5066 secp256k1_scalar_cond_negate(&t1, t1i & 1); 5067 5068 secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero); 5069 secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero); 5070 5071 for(s0i = 0; s0i < TOP; s0i++) { 5072 for(s1i = 0; s1i < TOP; s1i++) { 5073 secp256k1_scalar tmp1, tmp2; 5074 secp256k1_gej expected, actual; 5075 5076 secp256k1_ge_set_gej(&pt[0], &t0p); 5077 secp256k1_ge_set_gej(&pt[1], &t1p); 5078 5079 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2); 5080 secp256k1_scalar_cond_negate(&sc[0], s0i & 1); 5081 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2); 5082 secp256k1_scalar_cond_negate(&sc[1], s1i & 1); 5083 5084 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]); 5085 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]); 5086 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2); 5087 5088 secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero); 5089 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2)); 5090 CHECK(secp256k1_gej_eq_var(&actual, &expected)); 5091 } 5092 } 5093 } 5094 } 5095 } 5096 } 5097 5098 static int test_ecmult_multi_random(secp256k1_scratch *scratch) { 5099 /* Large random test for ecmult_multi_* functions which exercises: 5100 * - Few or many inputs (0 up to 128, roughly exponentially distributed). 5101 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed). 5102 * - Including or excluding an nonzero a*G term (or such a term at all). 5103 * - Final expected result equal to infinity or not (roughly 50%). 5104 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch 5105 */ 5106 5107 /* These 4 variables define the eventual input to the ecmult_multi function. 5108 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and 5109 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points 5110 * which form its normal inputs. */ 5111 int filled = 0; 5112 secp256k1_scalar g_scalar = secp256k1_scalar_zero; 5113 secp256k1_scalar scalars[128]; 5114 secp256k1_gej gejs[128]; 5115 /* The expected result, and the computed result. */ 5116 secp256k1_gej expected, computed; 5117 /* Temporaries. */ 5118 secp256k1_scalar sc_tmp; 5119 secp256k1_ge ge_tmp; 5120 /* Variables needed for the actual input to ecmult_multi. */ 5121 secp256k1_ge ges[128]; 5122 ecmult_multi_data data; 5123 5124 int i; 5125 /* Which multiplication function to use */ 5126 int fn = testrand_int(3); 5127 secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var : 5128 fn == 1 ? secp256k1_ecmult_strauss_batch_single : 5129 secp256k1_ecmult_pippenger_batch_single; 5130 /* Simulate exponentially distributed num. */ 5131 int num_bits = 2 + testrand_int(6); 5132 /* Number of (scalar, point) inputs (excluding g). */ 5133 int num = testrand_int((1 << num_bits) + 1); 5134 /* Number of those which are nonzero. */ 5135 int num_nonzero = testrand_int(num + 1); 5136 /* Whether we're aiming to create an input with nonzero expected result. */ 5137 int nonzero_result = testrand_bits(1); 5138 /* Whether we will provide nonzero g multiplicand. In some cases our hand 5139 * is forced here based on num_nonzero and nonzero_result. */ 5140 int g_nonzero = num_nonzero == 0 ? nonzero_result : 5141 num_nonzero == 1 && !nonzero_result ? 1 : 5142 (int)testrand_bits(1); 5143 /* Which g_scalar pointer to pass into ecmult_multi(). */ 5144 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || testrand_bits(1)) ? &g_scalar : NULL; 5145 /* How many EC multiplications were performed in this function. */ 5146 int mults = 0; 5147 /* How many randomization steps to apply to the input list. */ 5148 int rands = (int)testrand_bits(3); 5149 if (rands > num_nonzero) rands = num_nonzero; 5150 5151 secp256k1_gej_set_infinity(&expected); 5152 secp256k1_gej_set_infinity(&gejs[0]); 5153 secp256k1_scalar_set_int(&scalars[0], 0); 5154 5155 if (g_nonzero) { 5156 /* If g_nonzero, set g_scalar to nonzero value r. */ 5157 testutil_random_scalar_order_test(&g_scalar); 5158 if (!nonzero_result) { 5159 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */ 5160 CHECK(num_nonzero > filled); 5161 testutil_random_scalar_order_test(&sc_tmp); 5162 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar); 5163 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp); 5164 secp256k1_scalar_negate(&sc_tmp, &sc_tmp); 5165 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp); 5166 ++filled; 5167 ++mults; 5168 } 5169 } 5170 5171 if (nonzero_result && filled < num_nonzero) { 5172 /* If a nonzero result is desired, and there is space, add a random nonzero term. */ 5173 testutil_random_scalar_order_test(&scalars[filled]); 5174 testutil_random_ge_test(&ge_tmp); 5175 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp); 5176 ++filled; 5177 } 5178 5179 if (nonzero_result) { 5180 /* Compute the expected result using normal ecmult. */ 5181 CHECK(filled <= 1); 5182 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar); 5183 mults += filled + g_nonzero; 5184 } 5185 5186 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */ 5187 CHECK(filled <= 1 + !nonzero_result); 5188 CHECK(filled <= num_nonzero); 5189 5190 /* Add entries to scalars,gejs so that there are num of them. All the added entries 5191 * either have scalar=0 or point=infinity, so these do not change the expected result. */ 5192 while (filled < num) { 5193 if (testrand_bits(1)) { 5194 secp256k1_gej_set_infinity(&gejs[filled]); 5195 testutil_random_scalar_order_test(&scalars[filled]); 5196 } else { 5197 secp256k1_scalar_set_int(&scalars[filled], 0); 5198 testutil_random_ge_test(&ge_tmp); 5199 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp); 5200 } 5201 ++filled; 5202 } 5203 5204 /* Now perform cheapish transformations on gejs and scalars, for indices 5205 * 0..num_nonzero-1, which do not change the expected result, but may 5206 * convert some of them to be both non-0-scalar and non-infinity-point. */ 5207 for (i = 0; i < rands; ++i) { 5208 int j; 5209 secp256k1_scalar v, iv; 5210 /* Shuffle the entries. */ 5211 for (j = 0; j < num_nonzero; ++j) { 5212 int k = testrand_int(num_nonzero - j); 5213 if (k != 0) { 5214 secp256k1_gej gej = gejs[j]; 5215 secp256k1_scalar sc = scalars[j]; 5216 gejs[j] = gejs[j + k]; 5217 scalars[j] = scalars[j + k]; 5218 gejs[j + k] = gej; 5219 scalars[j + k] = sc; 5220 } 5221 } 5222 /* Perturb all consecutive pairs of inputs: 5223 * a*P + b*Q -> (a+b)*P + b*(Q-P). */ 5224 for (j = 0; j + 1 < num_nonzero; j += 2) { 5225 secp256k1_gej gej; 5226 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]); 5227 secp256k1_gej_neg(&gej, &gejs[j]); 5228 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL); 5229 } 5230 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */ 5231 CHECK(num_nonzero >= 1); 5232 testutil_random_scalar_order_test(&v); 5233 secp256k1_scalar_inverse(&iv, &v); 5234 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v); 5235 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL); 5236 ++mults; 5237 } 5238 5239 /* Shuffle all entries (0..num-1). */ 5240 for (i = 0; i < num; ++i) { 5241 int j = testrand_int(num - i); 5242 if (j != 0) { 5243 secp256k1_gej gej = gejs[i]; 5244 secp256k1_scalar sc = scalars[i]; 5245 gejs[i] = gejs[i + j]; 5246 scalars[i] = scalars[i + j]; 5247 gejs[i + j] = gej; 5248 scalars[i + j] = sc; 5249 } 5250 } 5251 5252 /* Compute affine versions of all inputs. */ 5253 secp256k1_ge_set_all_gej_var(ges, gejs, filled); 5254 /* Invoke ecmult_multi code. */ 5255 data.sc = scalars; 5256 data.pt = ges; 5257 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled)); 5258 mults += num_nonzero + g_nonzero; 5259 /* Compare with expected result. */ 5260 CHECK(secp256k1_gej_eq_var(&computed, &expected)); 5261 return mults; 5262 } 5263 5264 static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) { 5265 secp256k1_scalar sc; 5266 secp256k1_ge pt; 5267 secp256k1_gej r; 5268 ecmult_multi_data data; 5269 secp256k1_scratch *scratch_empty; 5270 5271 testutil_random_ge_test(&pt); 5272 testutil_random_scalar_order(&sc); 5273 data.sc = ≻ 5274 data.pt = &pt; 5275 5276 /* Try to multiply 1 point, but scratch space is empty.*/ 5277 scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0); 5278 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1)); 5279 secp256k1_scratch_destroy(&CTX->error_callback, scratch_empty); 5280 } 5281 5282 static void test_secp256k1_pippenger_bucket_window_inv(void) { 5283 int i; 5284 5285 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0); 5286 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) { 5287 /* Bucket_window of 8 is not used with endo */ 5288 if (i == 8) { 5289 continue; 5290 } 5291 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i); 5292 if (i != PIPPENGER_MAX_BUCKET_WINDOW) { 5293 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i); 5294 } 5295 } 5296 } 5297 5298 /** 5299 * Probabilistically test the function returning the maximum number of possible points 5300 * for a given scratch space. 5301 */ 5302 static void test_ecmult_multi_pippenger_max_points(void) { 5303 size_t scratch_size = testrand_bits(8); 5304 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12); 5305 secp256k1_scratch *scratch; 5306 size_t n_points_supported; 5307 int bucket_window = 0; 5308 5309 for(; scratch_size < max_size; scratch_size+=256) { 5310 size_t i; 5311 size_t total_alloc; 5312 size_t checkpoint; 5313 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size); 5314 CHECK(scratch != NULL); 5315 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch); 5316 n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch); 5317 if (n_points_supported == 0) { 5318 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5319 continue; 5320 } 5321 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported); 5322 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */ 5323 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window); 5324 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) { 5325 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 1)); 5326 total_alloc--; 5327 } 5328 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc)); 5329 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint); 5330 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5331 } 5332 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW); 5333 } 5334 5335 static void test_ecmult_multi_batch_size_helper(void) { 5336 size_t n_batches, n_batch_points, max_n_batch_points, n; 5337 5338 max_n_batch_points = 0; 5339 n = 1; 5340 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0); 5341 5342 max_n_batch_points = 1; 5343 n = 0; 5344 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5345 CHECK(n_batches == 0); 5346 CHECK(n_batch_points == 0); 5347 5348 max_n_batch_points = 2; 5349 n = 5; 5350 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5351 CHECK(n_batches == 3); 5352 CHECK(n_batch_points == 2); 5353 5354 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH; 5355 n = ECMULT_MAX_POINTS_PER_BATCH; 5356 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5357 CHECK(n_batches == 1); 5358 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH); 5359 5360 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1; 5361 n = ECMULT_MAX_POINTS_PER_BATCH + 1; 5362 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5363 CHECK(n_batches == 2); 5364 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1); 5365 5366 max_n_batch_points = 1; 5367 n = SIZE_MAX; 5368 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5369 CHECK(n_batches == SIZE_MAX); 5370 CHECK(n_batch_points == 1); 5371 5372 max_n_batch_points = 2; 5373 n = SIZE_MAX; 5374 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5375 CHECK(n_batches == SIZE_MAX/2 + 1); 5376 CHECK(n_batch_points == 2); 5377 } 5378 5379 /** 5380 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 5381 * 1 <= i <= num points. 5382 */ 5383 static void test_ecmult_multi_batching(void) { 5384 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD; 5385 secp256k1_scalar scG; 5386 secp256k1_scalar *sc = checked_malloc(&CTX->error_callback, sizeof(secp256k1_scalar) * n_points); 5387 secp256k1_ge *pt = checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points); 5388 secp256k1_gej r; 5389 secp256k1_gej r2; 5390 ecmult_multi_data data; 5391 int i; 5392 secp256k1_scratch *scratch; 5393 5394 secp256k1_gej_set_infinity(&r2); 5395 5396 /* Get random scalars and group elements and compute result */ 5397 testutil_random_scalar_order(&scG); 5398 secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG); 5399 for(i = 0; i < n_points; i++) { 5400 secp256k1_ge ptg; 5401 secp256k1_gej ptgj; 5402 testutil_random_ge_test(&ptg); 5403 secp256k1_gej_set_ge(&ptgj, &ptg); 5404 pt[i] = ptg; 5405 testutil_random_scalar_order(&sc[i]); 5406 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL); 5407 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL); 5408 } 5409 data.sc = sc; 5410 data.pt = pt; 5411 secp256k1_gej_neg(&r2, &r2); 5412 5413 /* Test with empty scratch space. It should compute the correct result using 5414 * ecmult_mult_simple algorithm which doesn't require a scratch space. */ 5415 scratch = secp256k1_scratch_create(&CTX->error_callback, 0); 5416 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); 5417 secp256k1_gej_add_var(&r, &r, &r2, NULL); 5418 CHECK(secp256k1_gej_is_infinity(&r)); 5419 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5420 5421 /* Test with space for 1 point in pippenger. That's not enough because 5422 * ecmult_multi selects strauss which requires more memory. It should 5423 * therefore select the simple algorithm. */ 5424 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); 5425 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); 5426 secp256k1_gej_add_var(&r, &r, &r2, NULL); 5427 CHECK(secp256k1_gej_is_infinity(&r)); 5428 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5429 5430 for(i = 1; i <= n_points; i++) { 5431 if (i > ECMULT_PIPPENGER_THRESHOLD) { 5432 int bucket_window = secp256k1_pippenger_bucket_window(i); 5433 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window); 5434 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); 5435 } else { 5436 size_t scratch_size = secp256k1_strauss_scratch_size(i); 5437 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); 5438 } 5439 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); 5440 secp256k1_gej_add_var(&r, &r, &r2, NULL); 5441 CHECK(secp256k1_gej_is_infinity(&r)); 5442 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5443 } 5444 free(sc); 5445 free(pt); 5446 } 5447 5448 static void run_ecmult_multi_tests(void) { 5449 secp256k1_scratch *scratch; 5450 int64_t todo = (int64_t)320 * COUNT; 5451 5452 test_secp256k1_pippenger_bucket_window_inv(); 5453 test_ecmult_multi_pippenger_max_points(); 5454 scratch = secp256k1_scratch_create(&CTX->error_callback, 819200); 5455 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var); 5456 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var); 5457 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single); 5458 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single); 5459 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single); 5460 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single); 5461 while (todo > 0) { 5462 todo -= test_ecmult_multi_random(scratch); 5463 } 5464 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5465 5466 /* Run test_ecmult_multi with space for exactly one point */ 5467 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); 5468 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var); 5469 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5470 5471 test_ecmult_multi_batch_size_helper(); 5472 test_ecmult_multi_batching(); 5473 } 5474 5475 static void test_wnaf(const secp256k1_scalar *number, int w) { 5476 secp256k1_scalar x, two, t; 5477 int wnaf[256]; 5478 int zeroes = -1; 5479 int i; 5480 int bits; 5481 secp256k1_scalar_set_int(&x, 0); 5482 secp256k1_scalar_set_int(&two, 2); 5483 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w); 5484 CHECK(bits <= 256); 5485 for (i = bits-1; i >= 0; i--) { 5486 int v = wnaf[i]; 5487 secp256k1_scalar_mul(&x, &x, &two); 5488 if (v) { 5489 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */ 5490 zeroes=0; 5491 CHECK((v & 1) == 1); /* check non-zero elements are odd */ 5492 CHECK(v <= (1 << (w-1)) - 1); /* check range below */ 5493 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */ 5494 } else { 5495 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */ 5496 zeroes++; 5497 } 5498 if (v >= 0) { 5499 secp256k1_scalar_set_int(&t, v); 5500 } else { 5501 secp256k1_scalar_set_int(&t, -v); 5502 secp256k1_scalar_negate(&t, &t); 5503 } 5504 secp256k1_scalar_add(&x, &x, &t); 5505 } 5506 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */ 5507 } 5508 5509 static void test_fixed_wnaf(const secp256k1_scalar *number, int w) { 5510 secp256k1_scalar x, shift; 5511 int wnaf[256] = {0}; 5512 int i; 5513 int skew; 5514 secp256k1_scalar num, unused; 5515 5516 secp256k1_scalar_set_int(&x, 0); 5517 secp256k1_scalar_set_int(&shift, 1 << w); 5518 /* Make num a 128-bit scalar. */ 5519 secp256k1_scalar_split_128(&num, &unused, number); 5520 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5521 5522 for (i = WNAF_SIZE(w)-1; i >= 0; --i) { 5523 secp256k1_scalar t; 5524 int v = wnaf[i]; 5525 CHECK(v == 0 || v & 1); /* check parity */ 5526 CHECK(v > -(1 << w)); /* check range above */ 5527 CHECK(v < (1 << w)); /* check range below */ 5528 5529 secp256k1_scalar_mul(&x, &x, &shift); 5530 if (v >= 0) { 5531 secp256k1_scalar_set_int(&t, v); 5532 } else { 5533 secp256k1_scalar_set_int(&t, -v); 5534 secp256k1_scalar_negate(&t, &t); 5535 } 5536 secp256k1_scalar_add(&x, &x, &t); 5537 } 5538 /* If skew is 1 then add 1 to num */ 5539 secp256k1_scalar_cadd_bit(&num, 0, skew == 1); 5540 CHECK(secp256k1_scalar_eq(&x, &num)); 5541 } 5542 5543 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the 5544 * rest is 0.*/ 5545 static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) { 5546 int i; 5547 for (i = WNAF_SIZE(w)-1; i >= 8; --i) { 5548 CHECK(wnaf[i] == 0); 5549 } 5550 for (i = 7; i >= 0; --i) { 5551 CHECK(wnaf[i] == wnaf_expected[i]); 5552 } 5553 } 5554 5555 static void test_fixed_wnaf_small(void) { 5556 int w = 4; 5557 int wnaf[256] = {0}; 5558 int i; 5559 int skew; 5560 secp256k1_scalar num; 5561 5562 secp256k1_scalar_set_int(&num, 0); 5563 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5564 for (i = WNAF_SIZE(w)-1; i >= 0; --i) { 5565 int v = wnaf[i]; 5566 CHECK(v == 0); 5567 } 5568 CHECK(skew == 0); 5569 5570 secp256k1_scalar_set_int(&num, 1); 5571 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5572 for (i = WNAF_SIZE(w)-1; i >= 1; --i) { 5573 int v = wnaf[i]; 5574 CHECK(v == 0); 5575 } 5576 CHECK(wnaf[0] == 1); 5577 CHECK(skew == 0); 5578 5579 { 5580 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf }; 5581 secp256k1_scalar_set_int(&num, 0xffffffff); 5582 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5583 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5584 CHECK(skew == 0); 5585 } 5586 { 5587 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf }; 5588 secp256k1_scalar_set_int(&num, 0xeeeeeeee); 5589 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5590 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5591 CHECK(skew == 1); 5592 } 5593 { 5594 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 }; 5595 secp256k1_scalar_set_int(&num, 0x01010101); 5596 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5597 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5598 CHECK(skew == 0); 5599 } 5600 { 5601 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 }; 5602 secp256k1_scalar_set_int(&num, 0x01ef1ef1); 5603 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5604 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5605 CHECK(skew == 0); 5606 } 5607 } 5608 5609 static void run_wnaf(void) { 5610 int i; 5611 secp256k1_scalar n; 5612 5613 /* Test 0 for fixed wnaf */ 5614 test_fixed_wnaf_small(); 5615 /* Random tests */ 5616 for (i = 0; i < COUNT; i++) { 5617 testutil_random_scalar_order(&n); 5618 test_wnaf(&n, 4+(i%10)); 5619 test_fixed_wnaf(&n, 4 + (i % 10)); 5620 } 5621 secp256k1_scalar_set_int(&n, 0); 5622 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1); 5623 CHECK(secp256k1_scalar_is_zero(&n)); 5624 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1); 5625 CHECK(secp256k1_scalar_is_zero(&n)); 5626 } 5627 5628 static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) { 5629 const secp256k1_scalar* indata = (const secp256k1_scalar*)data; 5630 *sc = *indata; 5631 *pt = secp256k1_ge_const_g; 5632 CHECK(idx == 0); 5633 return 1; 5634 } 5635 5636 static void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) { 5637 /* Compute x*G in many different ways, serialize it uncompressed, and feed it into acc. */ 5638 secp256k1_gej gj, infj; 5639 secp256k1_ge r; 5640 secp256k1_gej rj[7]; 5641 unsigned char bytes[65]; 5642 size_t i; 5643 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g); 5644 secp256k1_gej_set_infinity(&infj); 5645 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &rj[0], x); 5646 secp256k1_ecmult(&rj[1], &gj, x, NULL); 5647 secp256k1_ecmult(&rj[2], &gj, x, &secp256k1_scalar_zero); 5648 secp256k1_ecmult(&rj[3], &infj, &secp256k1_scalar_zero, x); 5649 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &rj[4], x, NULL, NULL, 0)); 5650 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &rj[5], &secp256k1_scalar_zero, test_ecmult_accumulate_cb, (void*)x, 1)); 5651 secp256k1_ecmult_const(&rj[6], &secp256k1_ge_const_g, x); 5652 secp256k1_ge_set_gej_var(&r, &rj[0]); 5653 for (i = 0; i < ARRAY_SIZE(rj); i++) { 5654 CHECK(secp256k1_gej_eq_ge_var(&rj[i], &r)); 5655 } 5656 if (secp256k1_ge_is_infinity(&r)) { 5657 /* Store infinity as 0x00 */ 5658 const unsigned char zerobyte[1] = {0}; 5659 secp256k1_sha256_write(secp256k1_get_hash_context(CTX), acc, zerobyte, 1); 5660 } else { 5661 /* Store other points using their uncompressed serialization. */ 5662 secp256k1_eckey_pubkey_serialize65(&r, bytes); 5663 secp256k1_sha256_write(secp256k1_get_hash_context(CTX), acc, bytes, sizeof(bytes)); 5664 } 5665 } 5666 5667 static void test_ecmult_constants_2bit(void) { 5668 /* Using test_ecmult_accumulate, test ecmult for: 5669 * - For i in 0..36: 5670 * - Key i 5671 * - Key -i 5672 * - For i in 0..255: 5673 * - For j in 1..255 (only odd values): 5674 * - Key (j*2^i) mod order 5675 */ 5676 secp256k1_scalar x; 5677 secp256k1_sha256 acc; 5678 unsigned char b32[32]; 5679 int i, j; 5680 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536); 5681 5682 /* Expected hash of all the computed points; created with an independent 5683 * implementation. */ 5684 static const unsigned char expected32[32] = { 5685 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48, 5686 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14, 5687 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60, 5688 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4 5689 }; 5690 secp256k1_sha256_initialize(&acc); 5691 for (i = 0; i <= 36; ++i) { 5692 secp256k1_scalar_set_int(&x, i); 5693 test_ecmult_accumulate(&acc, &x, scratch); 5694 secp256k1_scalar_negate(&x, &x); 5695 test_ecmult_accumulate(&acc, &x, scratch); 5696 }; 5697 for (i = 0; i < 256; ++i) { 5698 for (j = 1; j < 256; j += 2) { 5699 int k; 5700 secp256k1_scalar_set_int(&x, j); 5701 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x); 5702 test_ecmult_accumulate(&acc, &x, scratch); 5703 } 5704 } 5705 secp256k1_sha256_finalize(secp256k1_get_hash_context(CTX), &acc, b32); 5706 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0); 5707 5708 secp256k1_scratch_space_destroy(CTX, scratch); 5709 } 5710 5711 static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) { 5712 /* Using test_ecmult_accumulate, test ecmult for: 5713 * - Key 0 5714 * - Key 1 5715 * - Key -1 5716 * - For i in range(iter): 5717 * - Key SHA256(LE32(prefix) || LE16(i)) 5718 */ 5719 secp256k1_scalar x; 5720 secp256k1_sha256 acc; 5721 unsigned char b32[32]; 5722 unsigned char inp[6]; 5723 size_t i; 5724 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX); 5725 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536); 5726 5727 inp[0] = prefix & 0xFF; 5728 inp[1] = (prefix >> 8) & 0xFF; 5729 inp[2] = (prefix >> 16) & 0xFF; 5730 inp[3] = (prefix >> 24) & 0xFF; 5731 secp256k1_sha256_initialize(&acc); 5732 secp256k1_scalar_set_int(&x, 0); 5733 test_ecmult_accumulate(&acc, &x, scratch); 5734 secp256k1_scalar_set_int(&x, 1); 5735 test_ecmult_accumulate(&acc, &x, scratch); 5736 secp256k1_scalar_negate(&x, &x); 5737 test_ecmult_accumulate(&acc, &x, scratch); 5738 5739 for (i = 0; i < iter; ++i) { 5740 secp256k1_sha256 gen; 5741 inp[4] = i & 0xff; 5742 inp[5] = (i >> 8) & 0xff; 5743 secp256k1_sha256_initialize(&gen); 5744 secp256k1_sha256_write(hash_ctx, &gen, inp, sizeof(inp)); 5745 secp256k1_sha256_finalize(hash_ctx, &gen, b32); 5746 secp256k1_scalar_set_b32(&x, b32, NULL); 5747 test_ecmult_accumulate(&acc, &x, scratch); 5748 } 5749 secp256k1_sha256_finalize(hash_ctx, &acc, b32); 5750 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0); 5751 5752 secp256k1_scratch_space_destroy(CTX, scratch); 5753 } 5754 5755 static void run_ecmult_constants(void) { 5756 /* Expected hashes of all points in the tests below. Computed using an 5757 * independent implementation. */ 5758 static const unsigned char expected32_6bit20[32] = { 5759 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f, 5760 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e, 5761 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e, 5762 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e 5763 }; 5764 static const unsigned char expected32_8bit8[32] = { 5765 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95, 5766 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec, 5767 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12, 5768 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6 5769 }; 5770 /* For every combination of 6 bit positions out of 256, restricted to 5771 * 20-bit windows (i.e., the first and last bit position are no more than 5772 * 19 bits apart), all 64 bit patterns occur in the input scalars used in 5773 * this test. */ 5774 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") { 5775 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20); 5776 } 5777 5778 /* For every combination of 8 consecutive bit positions, all 256 bit 5779 * patterns occur in the input scalars used in this test. */ 5780 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") { 5781 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8); 5782 } 5783 5784 CONDITIONAL_TEST(16, "test_ecmult_constants_2bit") { 5785 test_ecmult_constants_2bit(); 5786 } 5787 } 5788 5789 static void test_ecmult_gen_blind(void) { 5790 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */ 5791 secp256k1_scalar key; 5792 secp256k1_scalar b; 5793 unsigned char seed32[32]; 5794 secp256k1_gej pgej; 5795 secp256k1_gej pgej2; 5796 secp256k1_ge p; 5797 secp256k1_ge pge; 5798 testutil_random_scalar_order_test(&key); 5799 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key); 5800 testrand256(seed32); 5801 b = CTX->ecmult_gen_ctx.scalar_offset; 5802 p = CTX->ecmult_gen_ctx.ge_offset; 5803 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, secp256k1_get_hash_context(CTX), seed32); 5804 CHECK(!secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.scalar_offset)); 5805 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key); 5806 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2)); 5807 CHECK(!secp256k1_ge_eq_var(&p, &CTX->ecmult_gen_ctx.ge_offset)); 5808 secp256k1_ge_set_gej(&pge, &pgej); 5809 CHECK(secp256k1_gej_eq_ge_var(&pgej2, &pge)); 5810 } 5811 5812 static void test_ecmult_gen_blind_reset(void) { 5813 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */ 5814 secp256k1_scalar b; 5815 secp256k1_ge p1, p2; 5816 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, secp256k1_get_hash_context(CTX), 0); 5817 b = CTX->ecmult_gen_ctx.scalar_offset; 5818 p1 = CTX->ecmult_gen_ctx.ge_offset; 5819 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, secp256k1_get_hash_context(CTX), 0); 5820 CHECK(secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.scalar_offset)); 5821 p2 = CTX->ecmult_gen_ctx.ge_offset; 5822 CHECK(secp256k1_ge_eq_var(&p1, &p2)); 5823 } 5824 5825 /* Verify that ecmult_gen for scalars gn for which gn + scalar_offset = {-1,0,1}. */ 5826 static void test_ecmult_gen_edge_cases(void) { 5827 int i; 5828 secp256k1_gej res1, res2, res3; 5829 secp256k1_scalar gn = secp256k1_scalar_one; /* gn = 1 */ 5830 secp256k1_scalar_add(&gn, &gn, &CTX->ecmult_gen_ctx.scalar_offset); /* gn = 1 + scalar_offset */ 5831 secp256k1_scalar_negate(&gn, &gn); /* gn = -1 - scalar_offset */ 5832 5833 for (i = -1; i < 2; ++i) { 5834 /* Run test with gn = i - scalar_offset (so that the ecmult_gen recoded value represents i). */ 5835 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &res1, &gn); 5836 secp256k1_ecmult(&res2, NULL, &secp256k1_scalar_zero, &gn); 5837 secp256k1_ecmult_const(&res3, &secp256k1_ge_const_g, &gn); 5838 CHECK(secp256k1_gej_eq_var(&res1, &res2)); 5839 CHECK(secp256k1_gej_eq_var(&res1, &res3)); 5840 secp256k1_scalar_add(&gn, &gn, &secp256k1_scalar_one); 5841 } 5842 } 5843 5844 static void run_ecmult_gen_blind(void) { 5845 int i; 5846 test_ecmult_gen_blind_reset(); 5847 test_ecmult_gen_edge_cases(); 5848 for (i = 0; i < 10; i++) { 5849 test_ecmult_gen_blind(); 5850 } 5851 } 5852 5853 /***** ENDOMORPHISH TESTS *****/ 5854 static void test_scalar_split(const secp256k1_scalar* full) { 5855 secp256k1_scalar s, s1, slam; 5856 const unsigned char zero[32] = {0}; 5857 unsigned char tmp[32]; 5858 5859 secp256k1_scalar_split_lambda(&s1, &slam, full); 5860 5861 /* check slam*lambda + s1 == full */ 5862 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam); 5863 secp256k1_scalar_add(&s, &s, &s1); 5864 CHECK(secp256k1_scalar_eq(&s, full)); 5865 5866 /* check that both are <= 128 bits in size */ 5867 if (secp256k1_scalar_is_high(&s1)) { 5868 secp256k1_scalar_negate(&s1, &s1); 5869 } 5870 if (secp256k1_scalar_is_high(&slam)) { 5871 secp256k1_scalar_negate(&slam, &slam); 5872 } 5873 5874 secp256k1_scalar_get_b32(tmp, &s1); 5875 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0); 5876 secp256k1_scalar_get_b32(tmp, &slam); 5877 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0); 5878 } 5879 5880 5881 static void run_endomorphism_tests(void) { 5882 unsigned i; 5883 static secp256k1_scalar s; 5884 test_scalar_split(&secp256k1_scalar_zero); 5885 test_scalar_split(&secp256k1_scalar_one); 5886 secp256k1_scalar_negate(&s,&secp256k1_scalar_one); 5887 test_scalar_split(&s); 5888 test_scalar_split(&secp256k1_const_lambda); 5889 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one); 5890 test_scalar_split(&s); 5891 5892 for (i = 0; i < 100U * COUNT; ++i) { 5893 secp256k1_scalar full; 5894 testutil_random_scalar_order_test(&full); 5895 test_scalar_split(&full); 5896 } 5897 for (i = 0; i < ARRAY_SIZE(scalars_near_split_bounds); ++i) { 5898 test_scalar_split(&scalars_near_split_bounds[i]); 5899 } 5900 } 5901 5902 static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) { 5903 unsigned char pubkeyc[65]; 5904 secp256k1_pubkey pubkey; 5905 secp256k1_ge ge; 5906 size_t pubkeyclen; 5907 5908 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) { 5909 /* Smaller sizes are tested exhaustively elsewhere. */ 5910 int32_t i; 5911 memcpy(&pubkeyc[1], input, 64); 5912 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen); 5913 for (i = 0; i < 256; i++) { 5914 /* Try all type bytes. */ 5915 int xpass; 5916 int ypass; 5917 int ysign; 5918 pubkeyc[0] = i; 5919 /* What sign does this point have? */ 5920 ysign = (input[63] & 1) + 2; 5921 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */ 5922 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2); 5923 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */ 5924 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) && 5925 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65)); 5926 if (xpass || ypass) { 5927 /* These cases must parse. */ 5928 unsigned char pubkeyo[65]; 5929 size_t outl; 5930 memset(&pubkey, 0, sizeof(pubkey)); 5931 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5932 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1); 5933 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5934 outl = 65; 5935 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65); 5936 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 5937 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl); 5938 CHECK(outl == 33); 5939 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0); 5940 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0])); 5941 if (ypass) { 5942 /* This test isn't always done because we decode with alternative signs, so the y won't match. */ 5943 CHECK(pubkeyo[0] == ysign); 5944 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1); 5945 memset(&pubkey, 0, sizeof(pubkey)); 5946 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5947 secp256k1_pubkey_save(&pubkey, &ge); 5948 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5949 outl = 65; 5950 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65); 5951 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); 5952 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl); 5953 CHECK(outl == 65); 5954 CHECK(pubkeyo[0] == 4); 5955 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0); 5956 } 5957 } else { 5958 /* These cases must fail to parse. */ 5959 memset(&pubkey, 0xfe, sizeof(pubkey)); 5960 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5961 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0); 5962 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5963 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 5964 } 5965 } 5966 } 5967 } 5968 5969 static void run_ec_pubkey_parse_test(void) { 5970 #define SECP256K1_EC_PARSE_TEST_NVALID (12) 5971 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = { 5972 { 5973 /* Point with leading and trailing zeros in x and y serialization. */ 5974 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52, 5975 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5976 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83, 5977 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00 5978 }, 5979 { 5980 /* Point with x equal to a 3rd root of unity.*/ 5981 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9, 5982 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee, 5983 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 5984 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 5985 }, 5986 { 5987 /* Point with largest x. (1/2) */ 5988 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5989 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c, 5990 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e, 5991 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d, 5992 }, 5993 { 5994 /* Point with largest x. (2/2) */ 5995 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5996 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c, 5997 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1, 5998 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2, 5999 }, 6000 { 6001 /* Point with smallest x. (1/2) */ 6002 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6003 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 6004 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 6005 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 6006 }, 6007 { 6008 /* Point with smallest x. (2/2) */ 6009 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6010 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 6011 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb, 6012 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41, 6013 }, 6014 { 6015 /* Point with largest y. (1/3) */ 6016 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 6017 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 6018 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6019 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 6020 }, 6021 { 6022 /* Point with largest y. (2/3) */ 6023 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 6024 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 6025 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6026 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 6027 }, 6028 { 6029 /* Point with largest y. (3/3) */ 6030 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 6031 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 6032 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6033 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 6034 }, 6035 { 6036 /* Point with smallest y. (1/3) */ 6037 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 6038 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 6039 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6040 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 6041 }, 6042 { 6043 /* Point with smallest y. (2/3) */ 6044 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 6045 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 6046 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6047 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 6048 }, 6049 { 6050 /* Point with smallest y. (3/3) */ 6051 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 6052 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 6053 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6054 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 6055 } 6056 }; 6057 #define SECP256K1_EC_PARSE_TEST_NXVALID (4) 6058 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = { 6059 { 6060 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */ 6061 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 6062 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 6063 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6064 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 6065 }, 6066 { 6067 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */ 6068 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 6069 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 6070 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6071 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 6072 }, 6073 { 6074 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/ 6075 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 6076 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 6077 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6078 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 6079 }, 6080 { 6081 /* x on curve, y is from y^2 = x^3 + 8. */ 6082 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6083 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 6084 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6085 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 6086 } 6087 }; 6088 #define SECP256K1_EC_PARSE_TEST_NINVALID (7) 6089 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = { 6090 { 6091 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */ 6092 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c, 6093 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53, 6094 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6095 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 6096 }, 6097 { 6098 /* Valid if x overflow ignored (x = 1 mod p). */ 6099 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6100 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 6101 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 6102 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 6103 }, 6104 { 6105 /* Valid if x overflow ignored (x = 1 mod p). */ 6106 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6107 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 6108 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb, 6109 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41, 6110 }, 6111 { 6112 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */ 6113 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6114 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 6115 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f, 6116 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28, 6117 }, 6118 { 6119 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */ 6120 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6121 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 6122 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0, 6123 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07, 6124 }, 6125 { 6126 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */ 6127 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6128 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6129 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d, 6130 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc, 6131 }, 6132 { 6133 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */ 6134 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6135 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6136 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2, 6137 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53 6138 } 6139 }; 6140 const unsigned char pubkeyc[66] = { 6141 /* Serialization of G. */ 6142 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B, 6143 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 6144 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08, 6145 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4, 6146 0xB8, 0x00 6147 }; 6148 unsigned char sout[65]; 6149 unsigned char shortkey[2] = { 0 }; 6150 secp256k1_ge ge; 6151 secp256k1_pubkey pubkey; 6152 size_t len; 6153 int32_t i; 6154 6155 /* Nothing should be reading this far into pubkeyc. */ 6156 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1); 6157 /* Zero length claimed, fail, zeroize, no illegal arg error. */ 6158 memset(&pubkey, 0xfe, sizeof(pubkey)); 6159 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2); 6160 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6161 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0); 6162 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6163 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 6164 /* Length one claimed, fail, zeroize, no illegal arg error. */ 6165 for (i = 0; i < 256 ; i++) { 6166 memset(&pubkey, 0xfe, sizeof(pubkey)); 6167 shortkey[0] = i; 6168 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1); 6169 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6170 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0); 6171 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6172 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 6173 } 6174 /* Length two claimed, fail, zeroize, no illegal arg error. */ 6175 for (i = 0; i < 65536 ; i++) { 6176 memset(&pubkey, 0xfe, sizeof(pubkey)); 6177 shortkey[0] = i & 255; 6178 shortkey[1] = i >> 8; 6179 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6180 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0); 6181 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6182 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 6183 } 6184 memset(&pubkey, 0xfe, sizeof(pubkey)); 6185 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6186 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */ 6187 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0); 6188 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6189 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 6190 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */ 6191 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65)); 6192 /* NULL input string. Illegal arg and zeroize output. */ 6193 memset(&pubkey, 0xfe, sizeof(pubkey)); 6194 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6195 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65)); 6196 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6197 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 6198 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */ 6199 memset(&pubkey, 0xfe, sizeof(pubkey)); 6200 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6201 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0); 6202 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6203 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 6204 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */ 6205 memset(&pubkey, 0xfe, sizeof(pubkey)); 6206 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6207 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0); 6208 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6209 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 6210 /* Valid parse. */ 6211 memset(&pubkey, 0, sizeof(pubkey)); 6212 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6213 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1); 6214 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1); 6215 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6216 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge)); 6217 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1); 6218 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x)); 6219 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y)); 6220 SECP256K1_CHECKMEM_CHECK(&ge.infinity, sizeof(ge.infinity)); 6221 CHECK(secp256k1_ge_eq_var(&ge, &secp256k1_ge_const_g)); 6222 /* secp256k1_ec_pubkey_serialize illegal args. */ 6223 len = 65; 6224 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED)); 6225 CHECK(len == 0); 6226 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED)); 6227 len = 65; 6228 SECP256K1_CHECKMEM_UNDEFINE(sout, 65); 6229 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED)); 6230 SECP256K1_CHECKMEM_CHECK(sout, 65); 6231 CHECK(len == 0); 6232 len = 65; 6233 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0)); 6234 CHECK(len == 0); 6235 len = 65; 6236 SECP256K1_CHECKMEM_UNDEFINE(sout, 65); 6237 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); 6238 SECP256K1_CHECKMEM_CHECK(sout, 65); 6239 CHECK(len == 65); 6240 /* Multiple illegal args. Should still set arg error only once. */ 6241 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65)); 6242 /* Try a bunch of prefabbed points with all possible encodings. */ 6243 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) { 6244 ec_pubkey_parse_pointtest(valid[i], 1, 1); 6245 } 6246 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) { 6247 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0); 6248 } 6249 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) { 6250 ec_pubkey_parse_pointtest(invalid[i], 0, 0); 6251 } 6252 } 6253 6254 static void run_eckey_edge_case_test(void) { 6255 const unsigned char *orderc = secp256k1_group_order_bytes; 6256 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00}; 6257 unsigned char ctmp[33]; 6258 unsigned char ctmp2[33]; 6259 secp256k1_pubkey pubkey; 6260 secp256k1_pubkey pubkey2; 6261 secp256k1_pubkey pubkey_one; 6262 secp256k1_pubkey pubkey_negone; 6263 const secp256k1_pubkey *pubkeys[3]; 6264 size_t len; 6265 int i; 6266 /* Group order is too large, reject. */ 6267 CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0); 6268 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6269 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0); 6270 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6271 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6272 /* Maximum value is too large, reject. */ 6273 memset(ctmp, 255, 32); 6274 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0); 6275 memset(&pubkey, 1, sizeof(pubkey)); 6276 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6277 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0); 6278 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6279 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6280 /* Zero is too small, reject. */ 6281 memset(ctmp, 0, 32); 6282 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0); 6283 memset(&pubkey, 1, sizeof(pubkey)); 6284 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6285 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0); 6286 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6287 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6288 /* One must be accepted. */ 6289 ctmp[31] = 0x01; 6290 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1); 6291 memset(&pubkey, 0, sizeof(pubkey)); 6292 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6293 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1); 6294 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6295 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 6296 pubkey_one = pubkey; 6297 /* Group order + 1 is too large, reject. */ 6298 memcpy(ctmp, orderc, 32); 6299 ctmp[31] = 0x42; 6300 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0); 6301 memset(&pubkey, 1, sizeof(pubkey)); 6302 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6303 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0); 6304 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6305 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6306 /* -1 must be accepted. */ 6307 ctmp[31] = 0x40; 6308 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1); 6309 memset(&pubkey, 0, sizeof(pubkey)); 6310 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6311 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1); 6312 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6313 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 6314 pubkey_negone = pubkey; 6315 /* Tweak of zero leaves the value unchanged. */ 6316 memset(ctmp2, 0, 32); 6317 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1); 6318 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40); 6319 memcpy(&pubkey2, &pubkey, sizeof(pubkey)); 6320 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1); 6321 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6322 /* Multiply tweak of zero zeroizes the output. */ 6323 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0); 6324 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); 6325 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0); 6326 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6327 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6328 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing 6329 seckey, the seckey is zeroized. */ 6330 memcpy(ctmp, orderc, 32); 6331 memset(ctmp2, 0, 32); 6332 ctmp2[31] = 0x01; 6333 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1); 6334 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0); 6335 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0); 6336 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); 6337 memcpy(ctmp, orderc, 32); 6338 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0); 6339 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); 6340 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing 6341 tweak, the seckey is zeroized. */ 6342 memcpy(ctmp, orderc, 32); 6343 ctmp[31] = 0x40; 6344 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0); 6345 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); 6346 memcpy(ctmp, orderc, 32); 6347 ctmp[31] = 0x40; 6348 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0); 6349 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); 6350 memcpy(ctmp, orderc, 32); 6351 ctmp[31] = 0x40; 6352 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing 6353 tweak, the pubkey is zeroized. */ 6354 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0); 6355 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6356 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6357 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0); 6358 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6359 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6360 /* If the resulting key in secp256k1_ec_seckey_tweak_add and 6361 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter 6362 * case the pubkey is zeroized. */ 6363 memcpy(ctmp, orderc, 32); 6364 ctmp[31] = 0x40; 6365 memset(ctmp2, 0, 32); 6366 ctmp2[31] = 1; 6367 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0); 6368 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0); 6369 ctmp2[31] = 1; 6370 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0); 6371 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6372 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6373 /* Tweak computation wraps and results in a key of 1. */ 6374 ctmp2[31] = 2; 6375 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1); 6376 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1); 6377 ctmp2[31] = 2; 6378 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1); 6379 ctmp2[31] = 1; 6380 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1); 6381 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6382 /* Tweak mul * 2 = 1+1. */ 6383 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1); 6384 ctmp2[31] = 2; 6385 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1); 6386 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6387 /* Zeroize pubkey on parse error. */ 6388 memset(&pubkey, 0, 32); 6389 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2)); 6390 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6391 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6392 memset(&pubkey2, 0, 32); 6393 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2)); 6394 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0); 6395 /* Plain argument errors. */ 6396 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1); 6397 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_verify(CTX, NULL)); 6398 memset(ctmp2, 0, 32); 6399 ctmp2[31] = 4; 6400 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, NULL, ctmp2)); 6401 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, NULL)); 6402 memset(ctmp2, 0, 32); 6403 ctmp2[31] = 4; 6404 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, NULL, ctmp2)); 6405 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, NULL)); 6406 memset(ctmp2, 0, 32); 6407 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_add(CTX, NULL, ctmp2)); 6408 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_add(CTX, ctmp, NULL)); 6409 memset(ctmp2, 0, 32); 6410 ctmp2[31] = 1; 6411 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_mul(CTX, NULL, ctmp2)); 6412 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_mul(CTX, ctmp, NULL)); 6413 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, NULL, ctmp)); 6414 memset(&pubkey, 1, sizeof(pubkey)); 6415 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL)); 6416 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6417 /* secp256k1_ec_pubkey_combine tests. */ 6418 pubkeys[0] = &pubkey_one; 6419 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *)); 6420 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *)); 6421 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *)); 6422 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6423 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6424 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0)); 6425 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6426 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6427 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1)); 6428 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6429 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6430 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6431 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1)); 6432 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6433 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6434 pubkeys[0] = &pubkey_negone; 6435 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6436 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6437 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1); 6438 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6439 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 6440 len = 33; 6441 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 6442 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1); 6443 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0); 6444 /* Result is infinity. */ 6445 pubkeys[0] = &pubkey_one; 6446 pubkeys[1] = &pubkey_negone; 6447 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6448 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6449 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0); 6450 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6451 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6452 /* Passes through infinity but comes out one. */ 6453 pubkeys[2] = &pubkey_one; 6454 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6455 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6456 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1); 6457 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6458 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 6459 /* check that NULL in array of pubkey pointers is not allowed */ 6460 for (i = 0; i < 3; i++) { 6461 const secp256k1_pubkey *original_ptr = pubkeys[i]; 6462 secp256k1_pubkey result; 6463 pubkeys[i] = NULL; 6464 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &result, pubkeys, 3)); 6465 pubkeys[i] = original_ptr; 6466 } 6467 len = 33; 6468 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 6469 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1); 6470 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0); 6471 /* Adds to two. */ 6472 pubkeys[1] = &pubkey_one; 6473 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6474 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6475 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1); 6476 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6477 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 6478 } 6479 6480 static void run_eckey_negate_test(void) { 6481 unsigned char seckey[32]; 6482 unsigned char seckey_tmp[32]; 6483 6484 testutil_random_scalar_order_b32(seckey); 6485 memcpy(seckey_tmp, seckey, 32); 6486 6487 /* Verify negation changes the key and changes it back */ 6488 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1); 6489 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0); 6490 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1); 6491 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0); 6492 6493 /* Negating all 0s fails */ 6494 memset(seckey, 0, 32); 6495 memset(seckey_tmp, 0, 32); 6496 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0); 6497 /* Check that seckey is not modified */ 6498 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0); 6499 6500 /* Negating an overflowing seckey fails and the seckey is zeroed. In this 6501 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate 6502 * doesn't just set seckey to a constant value in case of failure. */ 6503 testutil_random_scalar_order_b32(seckey); 6504 memset(seckey, 0xFF, 16); 6505 memset(seckey_tmp, 0, 32); 6506 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0); 6507 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0); 6508 } 6509 6510 static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) { 6511 secp256k1_scalar nonce; 6512 do { 6513 testutil_random_scalar_order_test(&nonce); 6514 } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid)); 6515 } 6516 6517 static void test_ecdsa_sign_verify(void) { 6518 secp256k1_gej pubj; 6519 secp256k1_ge pub; 6520 secp256k1_scalar one; 6521 secp256k1_scalar msg, key; 6522 secp256k1_scalar sigr, sigs; 6523 int getrec; 6524 int recid; 6525 testutil_random_scalar_order_test(&msg); 6526 testutil_random_scalar_order_test(&key); 6527 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key); 6528 secp256k1_ge_set_gej(&pub, &pubj); 6529 getrec = testrand_bits(1); 6530 /* The specific way in which this conditional is written sidesteps a potential bug in clang. 6531 See the commit messages of the commit that introduced this comment for details. */ 6532 if (getrec) { 6533 random_sign(&sigr, &sigs, &key, &msg, &recid); 6534 CHECK(recid >= 0 && recid < 4); 6535 } else { 6536 random_sign(&sigr, &sigs, &key, &msg, NULL); 6537 } 6538 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); 6539 secp256k1_scalar_set_int(&one, 1); 6540 secp256k1_scalar_add(&msg, &msg, &one); 6541 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); 6542 } 6543 6544 static void run_ecdsa_sign_verify(void) { 6545 int i; 6546 for (i = 0; i < 10*COUNT; i++) { 6547 test_ecdsa_sign_verify(); 6548 } 6549 } 6550 6551 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */ 6552 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 6553 (void)msg32; 6554 (void)key32; 6555 (void)algo16; 6556 memcpy(nonce32, data, 32); 6557 return (counter == 0); 6558 } 6559 6560 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 6561 /* Dummy nonce generator that has a fatal error on the first counter value. */ 6562 if (counter == 0) { 6563 return 0; 6564 } 6565 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1); 6566 } 6567 6568 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 6569 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */ 6570 if (counter < 3) { 6571 memset(nonce32, counter==0 ? 0 : 255, 32); 6572 if (counter == 2) { 6573 nonce32[31]--; 6574 } 6575 return 1; 6576 } 6577 if (counter < 5) { 6578 memcpy(nonce32, secp256k1_group_order_bytes, 32); 6579 if (counter == 4) { 6580 nonce32[31]++; 6581 } 6582 return 1; 6583 } 6584 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */ 6585 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */ 6586 if (counter > 5) { 6587 return 0; 6588 } 6589 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5); 6590 } 6591 6592 static int is_empty_signature(const secp256k1_ecdsa_signature *sig) { 6593 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0}; 6594 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0; 6595 } 6596 6597 static void test_ecdsa_end_to_end(void) { 6598 unsigned char extra[32] = {0x00}; 6599 unsigned char privkey[32]; 6600 unsigned char message[32]; 6601 unsigned char privkey2[32]; 6602 secp256k1_ecdsa_signature signature[6]; 6603 secp256k1_scalar r, s; 6604 unsigned char sig[74]; 6605 size_t siglen = 74; 6606 unsigned char pubkeyc[65]; 6607 size_t pubkeyclen = 65; 6608 secp256k1_pubkey pubkey; 6609 secp256k1_pubkey pubkey_tmp; 6610 unsigned char seckey[300]; 6611 size_t seckeylen = 300; 6612 6613 /* Generate a random key and message. */ 6614 { 6615 secp256k1_scalar msg, key; 6616 testutil_random_scalar_order_test(&msg); 6617 testutil_random_scalar_order_test(&key); 6618 secp256k1_scalar_get_b32(privkey, &key); 6619 secp256k1_scalar_get_b32(message, &msg); 6620 } 6621 6622 /* Construct and verify corresponding public key. */ 6623 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1); 6624 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1); 6625 6626 /* Verify exporting and importing public key. */ 6627 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyc, &pubkeyclen, &pubkey, testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED)); 6628 memset(&pubkey, 0, sizeof(pubkey)); 6629 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1); 6630 6631 /* Verify negation changes the key and changes it back */ 6632 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey)); 6633 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1); 6634 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0); 6635 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1); 6636 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0); 6637 6638 /* Verify private key import and export. */ 6639 CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, testrand_bits(1) == 1)); 6640 CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1); 6641 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0); 6642 6643 /* Optionally tweak the keys using addition. */ 6644 if (testrand_int(3) == 0) { 6645 int ret1; 6646 int ret2; 6647 unsigned char rnd[32]; 6648 secp256k1_pubkey pubkey2; 6649 testrand256_test(rnd); 6650 ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd); 6651 ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd); 6652 CHECK(ret1 == ret2); 6653 if (ret1 == 0) { 6654 return; 6655 } 6656 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1); 6657 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6658 } 6659 6660 /* Optionally tweak the keys using multiplication. */ 6661 if (testrand_int(3) == 0) { 6662 int ret1; 6663 int ret2; 6664 unsigned char rnd[32]; 6665 secp256k1_pubkey pubkey2; 6666 testrand256_test(rnd); 6667 ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd); 6668 ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd); 6669 CHECK(ret1 == ret2); 6670 if (ret1 == 0) { 6671 return; 6672 } 6673 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1); 6674 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6675 } 6676 6677 /* Sign. */ 6678 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1); 6679 CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1); 6680 CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1); 6681 extra[31] = 1; 6682 CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1); 6683 extra[31] = 0; 6684 extra[0] = 1; 6685 CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1); 6686 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0); 6687 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0); 6688 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0); 6689 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0); 6690 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0); 6691 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0); 6692 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0); 6693 /* Verify. */ 6694 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1); 6695 CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1); 6696 CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1); 6697 CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1); 6698 /* Test lower-S form, malleate, verify and fail, test again, malleate again */ 6699 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0])); 6700 secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]); 6701 secp256k1_scalar_negate(&s, &s); 6702 secp256k1_ecdsa_signature_save(&signature[5], &r, &s); 6703 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0); 6704 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5])); 6705 CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5])); 6706 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5])); 6707 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5])); 6708 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1); 6709 secp256k1_scalar_negate(&s, &s); 6710 secp256k1_ecdsa_signature_save(&signature[5], &r, &s); 6711 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5])); 6712 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1); 6713 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0); 6714 6715 /* Serialize/parse DER and verify again */ 6716 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1); 6717 memset(&signature[0], 0, sizeof(signature[0])); 6718 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1); 6719 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1); 6720 /* Serialize/destroy/parse DER and verify again. */ 6721 siglen = 74; 6722 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1); 6723 sig[testrand_int(siglen)] += 1 + testrand_int(255); 6724 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 || 6725 secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0); 6726 } 6727 6728 static void test_random_pubkeys(void) { 6729 secp256k1_ge elem; 6730 secp256k1_ge elem2; 6731 unsigned char in[65]; 6732 /* Generate some randomly sized pubkeys. */ 6733 size_t len = testrand_bits(2) == 0 ? 65 : 33; 6734 if (testrand_bits(2) == 0) { 6735 len = testrand_bits(6); 6736 } 6737 if (len == 65) { 6738 in[0] = testrand_bits(1) ? 4 : (testrand_bits(1) ? 6 : 7); 6739 } else { 6740 in[0] = testrand_bits(1) ? 2 : 3; 6741 } 6742 if (testrand_bits(3) == 0) { 6743 in[0] = testrand_bits(8); 6744 } 6745 if (len > 1) { 6746 testrand256(&in[1]); 6747 } 6748 if (len > 33) { 6749 testrand256(&in[33]); 6750 } 6751 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) { 6752 unsigned char out[65]; 6753 unsigned char firstb; 6754 int res; 6755 size_t size = len; 6756 firstb = in[0]; 6757 /* If the pubkey can be parsed, it should round-trip... */ 6758 if (len == 33) { 6759 secp256k1_eckey_pubkey_serialize33(&elem, out); 6760 } else { 6761 secp256k1_eckey_pubkey_serialize65(&elem, out); 6762 } 6763 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0); 6764 /* ... except for the type of hybrid inputs. */ 6765 if ((in[0] != 6) && (in[0] != 7)) { 6766 CHECK(in[0] == out[0]); 6767 } 6768 size = 65; 6769 secp256k1_eckey_pubkey_serialize65(&elem, in); 6770 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size)); 6771 CHECK(secp256k1_ge_eq_var(&elem2, &elem)); 6772 /* Check that the X9.62 hybrid type is checked. */ 6773 in[0] = testrand_bits(1) ? 6 : 7; 6774 res = secp256k1_eckey_pubkey_parse(&elem2, in, size); 6775 if (firstb == 2 || firstb == 3) { 6776 if (in[0] == firstb + 4) { 6777 CHECK(res); 6778 } else { 6779 CHECK(!res); 6780 } 6781 } 6782 if (res) { 6783 CHECK(secp256k1_ge_eq_var(&elem, &elem2)); 6784 secp256k1_eckey_pubkey_serialize65(&elem, out); 6785 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0); 6786 } 6787 } 6788 } 6789 6790 static void run_pubkey_comparison(void) { 6791 unsigned char pk1_ser[33] = { 6792 0x02, 6793 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11, 6794 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23 6795 }; 6796 const unsigned char pk2_ser[33] = { 6797 0x02, 6798 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d, 6799 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c 6800 }; 6801 secp256k1_pubkey pk1; 6802 secp256k1_pubkey pk2; 6803 6804 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1); 6805 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1); 6806 6807 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, NULL, &pk2) < 0)); 6808 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, NULL) > 0)); 6809 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0); 6810 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0); 6811 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0); 6812 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0); 6813 { 6814 secp256k1_pubkey pk_tmp; 6815 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */ 6816 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk2) < 0)); 6817 { 6818 int32_t ecount = 0; 6819 secp256k1_context_set_illegal_callback(CTX, counting_callback_fn, &ecount); 6820 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0); 6821 CHECK(ecount == 2); 6822 secp256k1_context_set_illegal_callback(CTX, NULL, NULL); 6823 } 6824 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk_tmp) > 0)); 6825 } 6826 6827 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in 6828 * an uncompressed encoding, these would have the opposite ordering */ 6829 pk1_ser[0] = 3; 6830 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1); 6831 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0); 6832 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0); 6833 } 6834 6835 static void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk) { 6836 size_t i; 6837 const secp256k1_pubkey *pk_test[5]; 6838 6839 for (i = 0; i < n_pk; i++) { 6840 pk_test[i] = &pk[pk_order[i]]; 6841 } 6842 secp256k1_ec_pubkey_sort(CTX, pk_test, n_pk); 6843 for (i = 0; i < n_pk; i++) { 6844 CHECK(secp256k1_memcmp_var(pk_test[i], &pk[i], sizeof(*pk_test[i])) == 0); 6845 } 6846 } 6847 6848 static void permute(size_t *arr, size_t n) { 6849 size_t i; 6850 for (i = n - 1; i >= 1; i--) { 6851 size_t tmp, j; 6852 j = testrand_int(i + 1); 6853 tmp = arr[i]; 6854 arr[i] = arr[j]; 6855 arr[j] = tmp; 6856 } 6857 } 6858 6859 static void test_sort_api(void) { 6860 secp256k1_pubkey pks[2]; 6861 const secp256k1_pubkey *pks_ptr[2]; 6862 int i; 6863 6864 pks_ptr[0] = &pks[0]; 6865 pks_ptr[1] = &pks[1]; 6866 6867 testutil_random_pubkey_test(&pks[0]); 6868 testutil_random_pubkey_test(&pks[1]); 6869 6870 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1); 6871 /* check that NULL in array of public key pointers is not allowed */ 6872 for (i = 0; i < 2; i++) { 6873 const secp256k1_pubkey *original_ptr = pks_ptr[i]; 6874 pks_ptr[i] = NULL; 6875 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2)); 6876 pks_ptr[i] = original_ptr; 6877 } 6878 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_sort(CTX, NULL, 2)); 6879 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 0) == 1); 6880 /* Test illegal public keys */ 6881 memset(&pks[0], 0, sizeof(pks[0])); 6882 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1)); 6883 memset(&pks[1], 0, sizeof(pks[1])); 6884 { 6885 int32_t ecount = 0; 6886 secp256k1_context_set_illegal_callback(CTX, counting_callback_fn, &ecount); 6887 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1); 6888 CHECK(ecount == 2); 6889 secp256k1_context_set_illegal_callback(CTX, NULL, NULL); 6890 } 6891 } 6892 6893 static void test_sort(void) { 6894 secp256k1_pubkey pk[5]; 6895 unsigned char pk_ser[5][33] = { 6896 { 0x02, 0x08 }, 6897 { 0x02, 0x0b }, 6898 { 0x02, 0x0c }, 6899 { 0x03, 0x05 }, 6900 { 0x03, 0x0a }, 6901 }; 6902 int i; 6903 size_t pk_order[5] = { 0, 1, 2, 3, 4 }; 6904 6905 for (i = 0; i < 5; i++) { 6906 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk[i], pk_ser[i], sizeof(pk_ser[i]))); 6907 } 6908 6909 permute(pk_order, 1); 6910 test_sort_helper(pk, pk_order, 1); 6911 permute(pk_order, 2); 6912 test_sort_helper(pk, pk_order, 2); 6913 permute(pk_order, 3); 6914 test_sort_helper(pk, pk_order, 3); 6915 for (i = 0; i < COUNT; i++) { 6916 permute(pk_order, 4); 6917 test_sort_helper(pk, pk_order, 4); 6918 } 6919 for (i = 0; i < COUNT; i++) { 6920 permute(pk_order, 5); 6921 test_sort_helper(pk, pk_order, 5); 6922 } 6923 /* Check that sorting also works for random pubkeys */ 6924 for (i = 0; i < COUNT; i++) { 6925 int j; 6926 const secp256k1_pubkey *pk_ptr[5]; 6927 for (j = 0; j < 5; j++) { 6928 testutil_random_pubkey_test(&pk[j]); 6929 pk_ptr[j] = &pk[j]; 6930 } 6931 secp256k1_ec_pubkey_sort(CTX, pk_ptr, 5); 6932 for (j = 1; j < 5; j++) { 6933 CHECK(secp256k1_ec_pubkey_sort_cmp(&pk_ptr[j - 1], &pk_ptr[j], CTX) <= 0); 6934 } 6935 } 6936 } 6937 6938 /* Test vectors from BIP-MuSig2 */ 6939 static void test_sort_vectors(void) { 6940 enum { N_PUBKEYS = 6 }; 6941 unsigned char pk_ser[N_PUBKEYS][33] = { 6942 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F, 6943 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09, 6944 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 }, 6945 { 0x02, 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10, 0x49, 0x34, 6946 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29, 0xB5, 0x31, 0xC8, 0x45, 0x83, 6947 0x6F, 0x99, 0xB0, 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9 }, 6948 { 0x03, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 0x36, 0x18, 6949 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 6950 0xDE, 0xCE, 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 }, 6951 { 0x02, 0x35, 0x90, 0xA9, 0x4E, 0x76, 0x8F, 0x8E, 0x18, 0x15, 0xC2, 6952 0xF2, 0x4B, 0x4D, 0x80, 0xA8, 0xE3, 0x14, 0x93, 0x16, 0xC3, 0x51, 6953 0x8C, 0xE7, 0xB7, 0xAD, 0x33, 0x83, 0x68, 0xD0, 0x38, 0xCA, 0x66 }, 6954 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F, 6955 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09, 6956 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xFF }, 6957 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F, 6958 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09, 6959 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 } 6960 }; 6961 secp256k1_pubkey pubkeys[N_PUBKEYS]; 6962 secp256k1_pubkey *sorted[N_PUBKEYS]; 6963 const secp256k1_pubkey *pks_ptr[N_PUBKEYS]; 6964 int i; 6965 6966 sorted[0] = &pubkeys[3]; 6967 sorted[1] = &pubkeys[0]; 6968 sorted[2] = &pubkeys[0]; 6969 sorted[3] = &pubkeys[4]; 6970 sorted[4] = &pubkeys[1]; 6971 sorted[5] = &pubkeys[2]; 6972 6973 for (i = 0; i < N_PUBKEYS; i++) { 6974 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pk_ser[i], sizeof(pk_ser[i]))); 6975 pks_ptr[i] = &pubkeys[i]; 6976 } 6977 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, N_PUBKEYS) == 1); 6978 for (i = 0; i < N_PUBKEYS; i++) { 6979 CHECK(secp256k1_memcmp_var(pks_ptr[i], sorted[i], sizeof(secp256k1_pubkey)) == 0); 6980 } 6981 } 6982 6983 static void run_pubkey_sort(void) { 6984 test_sort_api(); 6985 test_sort(); 6986 test_sort_vectors(); 6987 } 6988 6989 6990 static void run_random_pubkeys(void) { 6991 int i; 6992 for (i = 0; i < 10*COUNT; i++) { 6993 test_random_pubkeys(); 6994 } 6995 } 6996 6997 static void run_ecdsa_end_to_end(void) { 6998 int i; 6999 for (i = 0; i < 64*COUNT; i++) { 7000 test_ecdsa_end_to_end(); 7001 } 7002 } 7003 7004 static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) { 7005 static const unsigned char zeroes[32] = {0}; 7006 7007 int ret = 0; 7008 7009 secp256k1_ecdsa_signature sig_der; 7010 unsigned char roundtrip_der[2048]; 7011 unsigned char compact_der[64]; 7012 size_t len_der = 2048; 7013 int parsed_der = 0, valid_der = 0, roundtrips_der = 0; 7014 7015 secp256k1_ecdsa_signature sig_der_lax; 7016 unsigned char roundtrip_der_lax[2048]; 7017 unsigned char compact_der_lax[64]; 7018 size_t len_der_lax = 2048; 7019 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0; 7020 7021 parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen); 7022 if (parsed_der) { 7023 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0; 7024 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0); 7025 } 7026 if (valid_der) { 7027 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1; 7028 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0; 7029 } 7030 7031 parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen); 7032 if (parsed_der_lax) { 7033 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10; 7034 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0); 7035 } 7036 if (valid_der_lax) { 7037 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11; 7038 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0; 7039 } 7040 7041 if (certainly_der) { 7042 ret |= (!parsed_der) << 2; 7043 } 7044 if (certainly_not_der) { 7045 ret |= (parsed_der) << 17; 7046 } 7047 if (valid_der) { 7048 ret |= (!roundtrips_der) << 3; 7049 } 7050 7051 if (valid_der) { 7052 ret |= (!roundtrips_der_lax) << 12; 7053 ret |= (len_der != len_der_lax) << 13; 7054 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14; 7055 } 7056 ret |= (roundtrips_der != roundtrips_der_lax) << 15; 7057 if (parsed_der) { 7058 ret |= (!parsed_der_lax) << 16; 7059 } 7060 7061 return ret; 7062 } 7063 7064 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) { 7065 size_t i; 7066 for (i = 0; i < ptrlen; i++) { 7067 int shift = ptrlen - 1 - i; 7068 if (shift >= 4) { 7069 ptr[i] = 0; 7070 } else { 7071 ptr[i] = (val >> shift) & 0xFF; 7072 } 7073 } 7074 } 7075 7076 static void damage_array(unsigned char *sig, size_t *len) { 7077 int pos; 7078 int action = testrand_bits(3); 7079 if (action < 1 && *len > 3) { 7080 /* Delete a byte. */ 7081 pos = testrand_int(*len); 7082 memmove(sig + pos, sig + pos + 1, *len - pos - 1); 7083 (*len)--; 7084 return; 7085 } else if (action < 2 && *len < 2048) { 7086 /* Insert a byte. */ 7087 pos = testrand_int(1 + *len); 7088 memmove(sig + pos + 1, sig + pos, *len - pos); 7089 sig[pos] = testrand_bits(8); 7090 (*len)++; 7091 return; 7092 } else if (action < 4) { 7093 /* Modify a byte. */ 7094 sig[testrand_int(*len)] += 1 + testrand_int(255); 7095 return; 7096 } else { /* action < 8 */ 7097 /* Modify a bit. */ 7098 sig[testrand_int(*len)] ^= 1 << testrand_bits(3); 7099 return; 7100 } 7101 } 7102 7103 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) { 7104 int der; 7105 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2]; 7106 size_t tlen, elen, glen; 7107 int indet; 7108 int n; 7109 7110 *len = 0; 7111 der = testrand_bits(2) == 0; 7112 *certainly_der = der; 7113 *certainly_not_der = 0; 7114 indet = der ? 0 : testrand_int(10) == 0; 7115 7116 for (n = 0; n < 2; n++) { 7117 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */ 7118 nlow[n] = der ? 1 : (testrand_bits(3) != 0); 7119 /* The length of the number in bytes (the first byte of which will always be nonzero) */ 7120 nlen[n] = nlow[n] ? testrand_int(33) : 32 + testrand_int(200) * testrand_bits(3) / 8; 7121 CHECK(nlen[n] <= 232); 7122 /* The top bit of the number. */ 7123 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : testrand_bits(1)); 7124 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */ 7125 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + testrand_bits(7) : 1 + testrand_int(127)); 7126 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */ 7127 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? testrand_int(3) : testrand_int(300 - nlen[n]) * testrand_bits(3) / 8); 7128 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) { 7129 *certainly_not_der = 1; 7130 } 7131 CHECK(nlen[n] + nzlen[n] <= 300); 7132 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */ 7133 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2); 7134 if (!der) { 7135 /* nlenlen[n] max 127 bytes */ 7136 int add = testrand_int(127 - nlenlen[n]) * testrand_bits(4) * testrand_bits(4) / 256; 7137 nlenlen[n] += add; 7138 if (add != 0) { 7139 *certainly_not_der = 1; 7140 } 7141 } 7142 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427); 7143 } 7144 7145 /* The total length of the data to go, so far */ 7146 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1]; 7147 CHECK(tlen <= 856); 7148 7149 /* The length of the garbage inside the tuple. */ 7150 elen = (der || indet) ? 0 : testrand_int(980 - tlen) * testrand_bits(3) / 8; 7151 if (elen != 0) { 7152 *certainly_not_der = 1; 7153 } 7154 tlen += elen; 7155 CHECK(tlen <= 980); 7156 7157 /* The length of the garbage after the end of the tuple. */ 7158 glen = der ? 0 : testrand_int(990 - tlen) * testrand_bits(3) / 8; 7159 if (glen != 0) { 7160 *certainly_not_der = 1; 7161 } 7162 CHECK(tlen + glen <= 990); 7163 7164 /* Write the tuple header. */ 7165 sig[(*len)++] = 0x30; 7166 if (indet) { 7167 /* Indeterminate length */ 7168 sig[(*len)++] = 0x80; 7169 *certainly_not_der = 1; 7170 } else { 7171 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2); 7172 if (!der) { 7173 int add = testrand_int(127 - tlenlen) * testrand_bits(4) * testrand_bits(4) / 256; 7174 tlenlen += add; 7175 if (add != 0) { 7176 *certainly_not_der = 1; 7177 } 7178 } 7179 if (tlenlen == 0) { 7180 /* Short length notation */ 7181 sig[(*len)++] = tlen; 7182 } else { 7183 /* Long length notation */ 7184 sig[(*len)++] = 128 + tlenlen; 7185 assign_big_endian(sig + *len, tlenlen, tlen); 7186 *len += tlenlen; 7187 } 7188 tlen += tlenlen; 7189 } 7190 tlen += 2; 7191 CHECK(tlen + glen <= 1119); 7192 7193 for (n = 0; n < 2; n++) { 7194 /* Write the integer header. */ 7195 sig[(*len)++] = 0x02; 7196 if (nlenlen[n] == 0) { 7197 /* Short length notation */ 7198 sig[(*len)++] = nlen[n] + nzlen[n]; 7199 } else { 7200 /* Long length notation. */ 7201 sig[(*len)++] = 128 + nlenlen[n]; 7202 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]); 7203 *len += nlenlen[n]; 7204 } 7205 /* Write zero padding */ 7206 while (nzlen[n] > 0) { 7207 sig[(*len)++] = 0x00; 7208 nzlen[n]--; 7209 } 7210 if (nlen[n] == 32 && !nlow[n]) { 7211 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */ 7212 int i; 7213 for (i = 0; i < 16; i++) { 7214 sig[(*len)++] = 0xFF; 7215 } 7216 nlen[n] -= 16; 7217 } 7218 /* Write first byte of number */ 7219 if (nlen[n] > 0) { 7220 sig[(*len)++] = nhbyte[n]; 7221 nlen[n]--; 7222 } 7223 /* Generate remaining random bytes of number */ 7224 testrand_bytes_test(sig + *len, nlen[n]); 7225 *len += nlen[n]; 7226 nlen[n] = 0; 7227 } 7228 7229 /* Generate random garbage inside tuple. */ 7230 testrand_bytes_test(sig + *len, elen); 7231 *len += elen; 7232 7233 /* Generate end-of-contents bytes. */ 7234 if (indet) { 7235 sig[(*len)++] = 0; 7236 sig[(*len)++] = 0; 7237 tlen += 2; 7238 } 7239 CHECK(tlen + glen <= 1121); 7240 7241 /* Generate random garbage outside tuple. */ 7242 testrand_bytes_test(sig + *len, glen); 7243 *len += glen; 7244 tlen += glen; 7245 CHECK(tlen <= 1121); 7246 CHECK(tlen == *len); 7247 } 7248 7249 static void run_ecdsa_der_parse(void) { 7250 int i,j; 7251 for (i = 0; i < 200 * COUNT; i++) { 7252 unsigned char buffer[2048]; 7253 size_t buflen = 0; 7254 int certainly_der = 0; 7255 int certainly_not_der = 0; 7256 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der); 7257 CHECK(buflen <= 2048); 7258 for (j = 0; j < 16; j++) { 7259 int ret = 0; 7260 if (j > 0) { 7261 damage_array(buffer, &buflen); 7262 /* We don't know anything anymore about the DERness of the result */ 7263 certainly_der = 0; 7264 certainly_not_der = 0; 7265 } 7266 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der); 7267 if (ret != 0) { 7268 size_t k; 7269 fprintf(stderr, "Failure %x on ", ret); 7270 for (k = 0; k < buflen; k++) { 7271 fprintf(stderr, "%02x ", buffer[k]); 7272 } 7273 fprintf(stderr, "\n"); 7274 } 7275 CHECK(ret == 0); 7276 } 7277 } 7278 } 7279 7280 /* Tests several edge cases. */ 7281 static void run_ecdsa_edge_cases(void) { 7282 int t; 7283 secp256k1_ecdsa_signature sig; 7284 7285 /* Test the case where ECDSA recomputes a point that is infinity. */ 7286 { 7287 secp256k1_gej keyj; 7288 secp256k1_ge key; 7289 secp256k1_scalar msg; 7290 secp256k1_scalar sr, ss; 7291 secp256k1_scalar_set_int(&ss, 1); 7292 secp256k1_scalar_negate(&ss, &ss); 7293 secp256k1_scalar_inverse(&ss, &ss); 7294 secp256k1_scalar_set_int(&sr, 1); 7295 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &keyj, &sr); 7296 secp256k1_ge_set_gej(&key, &keyj); 7297 msg = ss; 7298 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7299 } 7300 7301 /* Verify signature with r of zero fails. */ 7302 { 7303 const unsigned char pubkey_mods_zero[33] = { 7304 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 7305 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 7306 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 7307 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 7308 0x41 7309 }; 7310 secp256k1_ge key; 7311 secp256k1_scalar msg; 7312 secp256k1_scalar sr, ss; 7313 secp256k1_scalar_set_int(&ss, 1); 7314 secp256k1_scalar_set_int(&msg, 0); 7315 secp256k1_scalar_set_int(&sr, 0); 7316 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33)); 7317 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0); 7318 } 7319 7320 /* Verify signature with s of zero fails. */ 7321 { 7322 const unsigned char pubkey[33] = { 7323 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7324 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7325 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7326 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7327 0x01 7328 }; 7329 secp256k1_ge key; 7330 secp256k1_scalar msg; 7331 secp256k1_scalar sr, ss; 7332 secp256k1_scalar_set_int(&ss, 0); 7333 secp256k1_scalar_set_int(&msg, 0); 7334 secp256k1_scalar_set_int(&sr, 1); 7335 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 7336 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7337 } 7338 7339 /* Verify signature with message 0 passes. */ 7340 { 7341 const unsigned char pubkey[33] = { 7342 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7343 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7344 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7345 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7346 0x02 7347 }; 7348 const unsigned char pubkey2[33] = { 7349 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 7350 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 7351 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 7352 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 7353 0x43 7354 }; 7355 secp256k1_ge key; 7356 secp256k1_ge key2; 7357 secp256k1_scalar msg; 7358 secp256k1_scalar sr, ss; 7359 secp256k1_scalar_set_int(&ss, 2); 7360 secp256k1_scalar_set_int(&msg, 0); 7361 secp256k1_scalar_set_int(&sr, 2); 7362 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 7363 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33)); 7364 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7365 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 7366 secp256k1_scalar_negate(&ss, &ss); 7367 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7368 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 7369 secp256k1_scalar_set_int(&ss, 1); 7370 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7371 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0); 7372 } 7373 7374 /* Verify signature with message 1 passes. */ 7375 { 7376 const unsigned char pubkey[33] = { 7377 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22, 7378 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05, 7379 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c, 7380 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76, 7381 0x25 7382 }; 7383 const unsigned char pubkey2[33] = { 7384 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40, 7385 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae, 7386 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f, 7387 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10, 7388 0x62 7389 }; 7390 const unsigned char csr[32] = { 7391 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7392 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7393 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 7394 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb 7395 }; 7396 secp256k1_ge key; 7397 secp256k1_ge key2; 7398 secp256k1_scalar msg; 7399 secp256k1_scalar sr, ss; 7400 secp256k1_scalar_set_int(&ss, 1); 7401 secp256k1_scalar_set_int(&msg, 1); 7402 secp256k1_scalar_set_b32(&sr, csr, NULL); 7403 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 7404 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33)); 7405 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7406 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 7407 secp256k1_scalar_negate(&ss, &ss); 7408 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7409 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 7410 secp256k1_scalar_set_int(&ss, 2); 7411 secp256k1_scalar_inverse_var(&ss, &ss); 7412 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7413 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0); 7414 } 7415 7416 /* Verify signature with message -1 passes. */ 7417 { 7418 const unsigned char pubkey[33] = { 7419 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0, 7420 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52, 7421 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27, 7422 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20, 7423 0xf1 7424 }; 7425 const unsigned char csr[32] = { 7426 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7428 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 7429 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee 7430 }; 7431 secp256k1_ge key; 7432 secp256k1_scalar msg; 7433 secp256k1_scalar sr, ss; 7434 secp256k1_scalar_set_int(&ss, 1); 7435 secp256k1_scalar_set_int(&msg, 1); 7436 secp256k1_scalar_negate(&msg, &msg); 7437 secp256k1_scalar_set_b32(&sr, csr, NULL); 7438 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 7439 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7440 secp256k1_scalar_negate(&ss, &ss); 7441 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7442 secp256k1_scalar_set_int(&ss, 3); 7443 secp256k1_scalar_inverse_var(&ss, &ss); 7444 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7445 } 7446 7447 /* Signature where s would be zero. */ 7448 { 7449 secp256k1_pubkey pubkey; 7450 size_t siglen; 7451 unsigned char signature[72]; 7452 static const unsigned char nonce[32] = { 7453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7454 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7457 }; 7458 static const unsigned char nonce2[32] = { 7459 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 7460 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 7461 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, 7462 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40 7463 }; 7464 const unsigned char key[32] = { 7465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7466 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7467 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7468 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7469 }; 7470 unsigned char msg[32] = { 7471 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53, 7472 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7, 7473 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62, 7474 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9, 7475 }; 7476 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 0); 7477 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0); 7478 msg[31] = 0xaa; 7479 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 1); 7480 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, NULL, msg, key, precomputed_nonce_function, nonce2)); 7481 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, &sig, NULL, key, precomputed_nonce_function, nonce2)); 7482 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, &sig, msg, NULL, precomputed_nonce_function, nonce2)); 7483 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1); 7484 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1); 7485 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey)); 7486 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey)); 7487 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, NULL)); 7488 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1); 7489 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL)); 7490 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */ 7491 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey)); 7492 siglen = 72; 7493 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, NULL, &siglen, &sig)); 7494 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, NULL, &sig)); 7495 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL)); 7496 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1); 7497 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen)); 7498 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, &sig, NULL, siglen)); 7499 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1); 7500 siglen = 10; 7501 /* Too little room for a signature does not fail via ARGCHECK. */ 7502 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0); 7503 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_normalize(CTX, NULL, NULL)); 7504 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_compact(CTX, NULL, &sig)); 7505 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_compact(CTX, signature, NULL)); 7506 CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, &sig) == 1); 7507 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_compact(CTX, NULL, signature)); 7508 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_compact(CTX, &sig, NULL)); 7509 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1); 7510 memset(signature, 255, 64); 7511 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0); 7512 } 7513 7514 /* Nonce function corner cases. */ 7515 for (t = 0; t < 2; t++) { 7516 static const unsigned char zero[32] = {0x00}; 7517 int i; 7518 unsigned char key[32]; 7519 unsigned char msg[32]; 7520 secp256k1_ecdsa_signature sig2; 7521 secp256k1_scalar sr[512], ss; 7522 const unsigned char *extra; 7523 extra = t == 0 ? NULL : zero; 7524 memset(msg, 0, 32); 7525 msg[31] = 1; 7526 /* High key results in signature failure. */ 7527 memset(key, 0xFF, 32); 7528 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0); 7529 CHECK(is_empty_signature(&sig)); 7530 /* Zero key results in signature failure. */ 7531 memset(key, 0, 32); 7532 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0); 7533 CHECK(is_empty_signature(&sig)); 7534 /* Nonce function failure results in signature failure. */ 7535 key[31] = 1; 7536 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0); 7537 CHECK(is_empty_signature(&sig)); 7538 /* The retry loop successfully makes its way to the first good value. */ 7539 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1); 7540 CHECK(!is_empty_signature(&sig)); 7541 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1); 7542 CHECK(!is_empty_signature(&sig2)); 7543 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); 7544 /* The default nonce function is deterministic. */ 7545 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1); 7546 CHECK(!is_empty_signature(&sig2)); 7547 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); 7548 /* The default nonce function changes output with different messages. */ 7549 for(i = 0; i < 256; i++) { 7550 int j; 7551 msg[0] = i; 7552 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1); 7553 CHECK(!is_empty_signature(&sig2)); 7554 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2); 7555 for (j = 0; j < i; j++) { 7556 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j])); 7557 } 7558 } 7559 msg[0] = 0; 7560 msg[31] = 2; 7561 /* The default nonce function changes output with different keys. */ 7562 for(i = 256; i < 512; i++) { 7563 int j; 7564 key[0] = i - 256; 7565 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1); 7566 CHECK(!is_empty_signature(&sig2)); 7567 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2); 7568 for (j = 0; j < i; j++) { 7569 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j])); 7570 } 7571 } 7572 key[0] = 0; 7573 } 7574 7575 { 7576 /* Check that optional nonce arguments do not have equivalent effect. */ 7577 const unsigned char zeros[32] = {0}; 7578 unsigned char nonce[32]; 7579 unsigned char nonce2[32]; 7580 unsigned char nonce3[32]; 7581 unsigned char nonce4[32]; 7582 SECP256K1_CHECKMEM_UNDEFINE(nonce,32); 7583 SECP256K1_CHECKMEM_UNDEFINE(nonce2,32); 7584 SECP256K1_CHECKMEM_UNDEFINE(nonce3,32); 7585 SECP256K1_CHECKMEM_UNDEFINE(nonce4,32); 7586 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1); 7587 SECP256K1_CHECKMEM_CHECK(nonce,32); 7588 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1); 7589 SECP256K1_CHECKMEM_CHECK(nonce2,32); 7590 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1); 7591 SECP256K1_CHECKMEM_CHECK(nonce3,32); 7592 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1); 7593 SECP256K1_CHECKMEM_CHECK(nonce4,32); 7594 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0); 7595 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0); 7596 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0); 7597 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0); 7598 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0); 7599 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0); 7600 } 7601 7602 7603 /* Privkey export where pubkey is the point at infinity. */ 7604 { 7605 unsigned char privkey[300]; 7606 const unsigned char *seckey = secp256k1_group_order_bytes; 7607 size_t outlen = 300; 7608 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0)); 7609 outlen = 300; 7610 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1)); 7611 } 7612 } 7613 7614 DEFINE_SHA256_TRANSFORM_PROBE(sha256_ecdsa) 7615 static void ecdsa_ctx_sha256(void) { 7616 /* Check ctx-provided SHA256 compression override takes effect */ 7617 secp256k1_context *ctx = secp256k1_context_clone(CTX); 7618 secp256k1_ecdsa_signature out_default, out_custom; 7619 unsigned char sk[32] = {1}, msg32[32] = {1}; 7620 7621 /* Default behavior. No ctx-provided SHA256 compression */ 7622 CHECK(secp256k1_ecdsa_sign(ctx, &out_default, msg32, sk, NULL, NULL)); 7623 CHECK(!sha256_ecdsa_called); 7624 7625 /* Override SHA256 compression directly, bypassing the ctx setter sanity checks */ 7626 ctx->hash_ctx.fn_sha256_compression = sha256_ecdsa; 7627 CHECK(secp256k1_ecdsa_sign(ctx, &out_custom, msg32, sk, NULL, NULL)); 7628 CHECK(sha256_ecdsa_called); 7629 /* Outputs must differ if custom compression was used */ 7630 CHECK(secp256k1_memcmp_var(out_default.data, out_custom.data, 64) != 0); 7631 7632 secp256k1_context_destroy(ctx); 7633 } 7634 7635 /** Wycheproof tests 7636 7637 The tests check for known attacks (range checks in (r,s), arithmetic errors, malleability). 7638 */ 7639 static void test_ecdsa_wycheproof(void) { 7640 #include "wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.h" 7641 7642 int t; 7643 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX); 7644 for (t = 0; t < SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS; t++) { 7645 secp256k1_ecdsa_signature signature; 7646 secp256k1_sha256 hasher; 7647 secp256k1_pubkey pubkey; 7648 const unsigned char *msg, *sig, *pk; 7649 unsigned char out[32] = {0}; 7650 int actual_verify = 0; 7651 7652 memset(&pubkey, 0, sizeof(pubkey)); 7653 pk = &wycheproof_ecdsa_public_keys[testvectors[t].pk_offset]; 7654 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1); 7655 7656 secp256k1_sha256_initialize(&hasher); 7657 msg = &wycheproof_ecdsa_messages[testvectors[t].msg_offset]; 7658 secp256k1_sha256_write(hash_ctx, &hasher, msg, testvectors[t].msg_len); 7659 secp256k1_sha256_finalize(hash_ctx, &hasher, out); 7660 7661 sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset]; 7662 if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) { 7663 actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey); 7664 } 7665 CHECK(testvectors[t].expected_verify == actual_verify); 7666 } 7667 } 7668 7669 /* Tests cases from Wycheproof test suite. */ 7670 static void run_ecdsa_wycheproof(void) { 7671 test_ecdsa_wycheproof(); 7672 } 7673 7674 #ifdef ENABLE_MODULE_ECDH 7675 # include "modules/ecdh/tests_impl.h" 7676 #endif 7677 7678 #ifdef ENABLE_MODULE_RECOVERY 7679 # include "modules/recovery/tests_impl.h" 7680 #endif 7681 7682 #ifdef ENABLE_MODULE_EXTRAKEYS 7683 # include "modules/extrakeys/tests_impl.h" 7684 #endif 7685 7686 #ifdef ENABLE_MODULE_SCHNORRSIG 7687 # include "modules/schnorrsig/tests_impl.h" 7688 #endif 7689 7690 #ifdef ENABLE_MODULE_MUSIG 7691 # include "modules/musig/tests_impl.h" 7692 #endif 7693 7694 #ifdef ENABLE_MODULE_ELLSWIFT 7695 # include "modules/ellswift/tests_impl.h" 7696 #endif 7697 7698 static void run_secp256k1_memczero_test(void) { 7699 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6}; 7700 unsigned char buf2[sizeof(buf1)]; 7701 7702 /* secp256k1_memczero(..., ..., 0) is a noop. */ 7703 memcpy(buf2, buf1, sizeof(buf1)); 7704 secp256k1_memczero(buf1, sizeof(buf1), 0); 7705 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); 7706 7707 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */ 7708 memset(buf2, 0, sizeof(buf2)); 7709 secp256k1_memczero(buf1, sizeof(buf1) , 1); 7710 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); 7711 } 7712 7713 7714 static void run_secp256k1_is_zero_array_test(void) { 7715 unsigned char buf1[3] = {0, 1}; 7716 unsigned char buf2[3] = {1, 0}; 7717 7718 CHECK(secp256k1_is_zero_array(buf1, 0) == 1); 7719 CHECK(secp256k1_is_zero_array(buf1, 1) == 1); 7720 CHECK(secp256k1_is_zero_array(buf1, 2) == 0); 7721 CHECK(secp256k1_is_zero_array(buf2, 1) == 0); 7722 CHECK(secp256k1_is_zero_array(buf2, 2) == 0); 7723 } 7724 7725 static void run_secp256k1_byteorder_tests(void) { 7726 { 7727 const uint32_t x = 0xFF03AB45; 7728 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45}; 7729 unsigned char buf[4]; 7730 uint32_t x_; 7731 7732 secp256k1_write_be32(buf, x); 7733 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0); 7734 7735 x_ = secp256k1_read_be32(buf); 7736 CHECK(x == x_); 7737 } 7738 7739 { 7740 const uint64_t x = 0xCAFE0123BEEF4567; 7741 const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67}; 7742 unsigned char buf[8]; 7743 uint64_t x_; 7744 7745 secp256k1_write_be64(buf, x); 7746 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0); 7747 7748 x_ = secp256k1_read_be64(buf); 7749 CHECK(x == x_); 7750 } 7751 } 7752 7753 static void int_cmov_test(void) { 7754 int r = INT_MAX; 7755 int a = 0; 7756 7757 secp256k1_int_cmov(&r, &a, 0); 7758 CHECK(r == INT_MAX); 7759 7760 r = 0; a = INT_MAX; 7761 secp256k1_int_cmov(&r, &a, 1); 7762 CHECK(r == INT_MAX); 7763 7764 a = 0; 7765 secp256k1_int_cmov(&r, &a, 1); 7766 CHECK(r == 0); 7767 7768 a = 1; 7769 secp256k1_int_cmov(&r, &a, 1); 7770 CHECK(r == 1); 7771 7772 r = 1; a = 0; 7773 secp256k1_int_cmov(&r, &a, 0); 7774 CHECK(r == 1); 7775 7776 } 7777 7778 static void fe_cmov_test(void) { 7779 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0); 7780 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); 7781 static const secp256k1_fe max = SECP256K1_FE_CONST( 7782 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7783 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 7784 ); 7785 secp256k1_fe r = max; 7786 secp256k1_fe a = zero; 7787 7788 secp256k1_fe_cmov(&r, &a, 0); 7789 CHECK(fe_identical(&r, &max)); 7790 7791 r = zero; a = max; 7792 secp256k1_fe_cmov(&r, &a, 1); 7793 CHECK(fe_identical(&r, &max)); 7794 7795 a = zero; 7796 secp256k1_fe_cmov(&r, &a, 1); 7797 CHECK(fe_identical(&r, &zero)); 7798 7799 a = one; 7800 secp256k1_fe_cmov(&r, &a, 1); 7801 CHECK(fe_identical(&r, &one)); 7802 7803 r = one; a = zero; 7804 secp256k1_fe_cmov(&r, &a, 0); 7805 CHECK(fe_identical(&r, &one)); 7806 } 7807 7808 static void fe_storage_cmov_test(void) { 7809 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0); 7810 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1); 7811 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST( 7812 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7813 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 7814 ); 7815 secp256k1_fe_storage r = max; 7816 secp256k1_fe_storage a = zero; 7817 7818 secp256k1_fe_storage_cmov(&r, &a, 0); 7819 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7820 7821 r = zero; a = max; 7822 secp256k1_fe_storage_cmov(&r, &a, 1); 7823 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7824 7825 a = zero; 7826 secp256k1_fe_storage_cmov(&r, &a, 1); 7827 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0); 7828 7829 a = one; 7830 secp256k1_fe_storage_cmov(&r, &a, 1); 7831 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); 7832 7833 r = one; a = zero; 7834 secp256k1_fe_storage_cmov(&r, &a, 0); 7835 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); 7836 } 7837 7838 static void scalar_cmov_test(void) { 7839 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST( 7840 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 7841 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL 7842 ); 7843 secp256k1_scalar r = max; 7844 secp256k1_scalar a = secp256k1_scalar_zero; 7845 7846 secp256k1_scalar_cmov(&r, &a, 0); 7847 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7848 7849 r = secp256k1_scalar_zero; a = max; 7850 secp256k1_scalar_cmov(&r, &a, 1); 7851 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7852 7853 a = secp256k1_scalar_zero; 7854 secp256k1_scalar_cmov(&r, &a, 1); 7855 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0); 7856 7857 a = secp256k1_scalar_one; 7858 secp256k1_scalar_cmov(&r, &a, 1); 7859 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0); 7860 7861 r = secp256k1_scalar_one; a = secp256k1_scalar_zero; 7862 secp256k1_scalar_cmov(&r, &a, 0); 7863 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0); 7864 } 7865 7866 static void ge_storage_cmov_test(void) { 7867 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); 7868 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1); 7869 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST( 7870 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7871 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7872 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7873 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 7874 ); 7875 secp256k1_ge_storage r = max; 7876 secp256k1_ge_storage a = zero; 7877 7878 secp256k1_ge_storage_cmov(&r, &a, 0); 7879 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7880 7881 r = zero; a = max; 7882 secp256k1_ge_storage_cmov(&r, &a, 1); 7883 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7884 7885 a = zero; 7886 secp256k1_ge_storage_cmov(&r, &a, 1); 7887 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0); 7888 7889 a = one; 7890 secp256k1_ge_storage_cmov(&r, &a, 1); 7891 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); 7892 7893 r = one; a = zero; 7894 secp256k1_ge_storage_cmov(&r, &a, 0); 7895 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); 7896 } 7897 7898 static void run_cmov_tests(void) { 7899 int_cmov_test(); 7900 fe_cmov_test(); 7901 fe_storage_cmov_test(); 7902 scalar_cmov_test(); 7903 ge_storage_cmov_test(); 7904 } 7905 7906 /* --------------------------------------------------------- */ 7907 /* Test Registry */ 7908 /* --------------------------------------------------------- */ 7909 7910 /* --- Special test cases that must run before RNG initialization --- */ 7911 static const struct tf_test_entry tests_no_rng[] = { 7912 CASE(xoshiro256pp_tests), 7913 }; 7914 static const struct tf_test_module registry_modules_no_rng = MAKE_TEST_MODULE(no_rng); 7915 7916 /* --- Standard test cases start here --- */ 7917 static const struct tf_test_entry tests_general[] = { 7918 CASE(selftest_tests), 7919 CASE(all_proper_context_tests), 7920 CASE(all_static_context_tests), 7921 CASE(deprecated_context_flags_test), 7922 CASE(scratch_tests), 7923 CASE(plug_sha256_compression_tests), 7924 CASE(sha256_multi_block_compression_tests), 7925 }; 7926 7927 static const struct tf_test_entry tests_integer[] = { 7928 #ifdef SECP256K1_WIDEMUL_INT128 7929 CASE(int128_tests), 7930 #endif 7931 CASE(ctz_tests), 7932 CASE(modinv_tests), 7933 CASE(inverse_tests), 7934 }; 7935 7936 static const struct tf_test_entry tests_hash[] = { 7937 CASE(sha256_known_output_tests), 7938 CASE(sha256_counter_tests), 7939 CASE(hmac_sha256_tests), 7940 CASE(rfc6979_hmac_sha256_tests), 7941 CASE(tagged_sha256_tests), 7942 CASE(sha256_initialize_midstate_tests), 7943 }; 7944 7945 static const struct tf_test_entry tests_scalar[] = { 7946 CASE(scalar_tests), 7947 }; 7948 7949 static const struct tf_test_entry tests_field[] = { 7950 CASE(field_half), 7951 CASE(field_misc), 7952 CASE(field_convert), 7953 CASE(field_be32_overflow), 7954 CASE(fe_mul), 7955 CASE(sqr), 7956 CASE(sqrt), 7957 }; 7958 7959 static const struct tf_test_entry tests_group[] = { 7960 CASE(ge), 7961 CASE(gej), 7962 CASE(group_decompress), 7963 }; 7964 7965 static const struct tf_test_entry tests_ecmult[] = { 7966 CASE(ecmult_pre_g), 7967 CASE(wnaf), 7968 CASE(point_times_order), 7969 CASE(ecmult_near_split_bound), 7970 CASE(ecmult_chain), 7971 CASE(ecmult_constants), 7972 CASE(ecmult_gen_blind), 7973 CASE(ecmult_const_tests), 7974 CASE(ecmult_multi_tests), 7975 CASE(ec_combine), 7976 }; 7977 7978 static const struct tf_test_entry tests_ec[] = { 7979 CASE(endomorphism_tests), 7980 CASE(ec_pubkey_parse_test), 7981 CASE(eckey_edge_case_test), 7982 CASE(eckey_negate_test), 7983 }; 7984 7985 static const struct tf_test_entry tests_ecdsa[] = { 7986 CASE(ec_illegal_argument_tests), 7987 CASE(pubkey_comparison), 7988 CASE(pubkey_sort), 7989 CASE(random_pubkeys), 7990 CASE(ecdsa_der_parse), 7991 CASE(ecdsa_sign_verify), 7992 CASE(ecdsa_end_to_end), 7993 CASE(ecdsa_edge_cases), 7994 CASE(ecdsa_wycheproof), 7995 CASE1(ecdsa_ctx_sha256), 7996 }; 7997 7998 static const struct tf_test_entry tests_utils[] = { 7999 CASE(hsort_tests), 8000 CASE(secp256k1_memczero_test), 8001 CASE(secp256k1_is_zero_array_test), 8002 CASE(secp256k1_byteorder_tests), 8003 CASE(cmov_tests), 8004 }; 8005 8006 /* Register test modules */ 8007 static const struct tf_test_module registry_modules[] = { 8008 MAKE_TEST_MODULE(general), 8009 MAKE_TEST_MODULE(integer), 8010 MAKE_TEST_MODULE(hash), 8011 MAKE_TEST_MODULE(scalar), 8012 MAKE_TEST_MODULE(field), 8013 MAKE_TEST_MODULE(group), 8014 MAKE_TEST_MODULE(ecmult), 8015 MAKE_TEST_MODULE(ec), 8016 #ifdef ENABLE_MODULE_ECDH 8017 MAKE_TEST_MODULE(ecdh), 8018 #endif 8019 MAKE_TEST_MODULE(ecdsa), 8020 #ifdef ENABLE_MODULE_RECOVERY 8021 /* ECDSA pubkey recovery tests */ 8022 MAKE_TEST_MODULE(recovery), 8023 #endif 8024 #ifdef ENABLE_MODULE_EXTRAKEYS 8025 MAKE_TEST_MODULE(extrakeys), 8026 #endif 8027 #ifdef ENABLE_MODULE_SCHNORRSIG 8028 MAKE_TEST_MODULE(schnorrsig), 8029 #endif 8030 #ifdef ENABLE_MODULE_MUSIG 8031 MAKE_TEST_MODULE(musig), 8032 #endif 8033 #ifdef ENABLE_MODULE_ELLSWIFT 8034 MAKE_TEST_MODULE(ellswift), 8035 #endif 8036 MAKE_TEST_MODULE(utils), 8037 }; 8038 8039 /* Setup test environment */ 8040 static int setup(void) { 8041 /* Create a global context available to all tests */ 8042 CTX = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 8043 /* Randomize the context only with probability 15/16 8044 to make sure we test without context randomization from time to time. 8045 TODO Reconsider this when recalibrating the tests. */ 8046 if (testrand_bits(4)) { 8047 unsigned char rand32[32]; 8048 testrand256(rand32); 8049 CHECK(secp256k1_context_randomize(CTX, rand32)); 8050 } 8051 /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions 8052 that write to the context. The API does not support cloning the static context, so we use 8053 memcpy instead. The user is not supposed to copy a context but we should still ensure that 8054 the API functions handle copies of the static context gracefully. */ 8055 STATIC_CTX = malloc(sizeof(*secp256k1_context_static)); 8056 CHECK(STATIC_CTX != NULL); 8057 memcpy(STATIC_CTX, secp256k1_context_static, sizeof(secp256k1_context)); 8058 CHECK(!secp256k1_context_is_proper(STATIC_CTX)); 8059 return 0; 8060 } 8061 8062 /* Shutdown test environment */ 8063 static int teardown(void) { 8064 free(STATIC_CTX); 8065 secp256k1_context_destroy(CTX); 8066 return 0; 8067 } 8068 8069 int main(int argc, char **argv) { 8070 struct tf_framework tf = {0}; 8071 tf.registry_modules = registry_modules; 8072 tf.num_modules = ARRAY_SIZE(registry_modules); 8073 tf.registry_no_rng = ®istry_modules_no_rng; 8074 8075 /* Add context creation/destruction functions */ 8076 tf.fn_setup = setup; 8077 tf.fn_teardown = teardown; 8078 8079 /* Init and run framework */ 8080 if (tf_init(&tf, argc, argv) != 0) return EXIT_FAILURE; 8081 return tf_run(&tf); 8082 }