From ebad8414b0e68041568d0b5ebe0bd395dbfbed9e Mon Sep 17 00:00:00 2001
From: Gregory Maxwell
Date: Sat, 10 Oct 2020 20:46:36 +0000
Subject: [PATCH] Check correctness of lambda split without -DVERIFY
The VERIFY macro turns on various paranoid consistency checks, but the complete functionality should still be tested without it. This also adds a couple of static test points for extremely small split inputs/outputs. The existing bounds vectors already check extremely large outputs.
---
 src/tests.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/tests.c b/src/tests.c
index ca997cfde8040..539977f2ffa3f 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -3635,12 +3635,17 @@ void run_ecmult_gen_blind(void) {
 #ifdef USE_ENDOMORPHISM
 /***** ENDOMORPHISH TESTS *****/
 void test_scalar_split(const secp256k1_scalar* full) {
- secp256k1_scalar s1, slam;
+ secp256k1_scalar s, s1, slam;
 const unsigned char zero[32] = {0};
 unsigned char tmp[32];
 secp256k1_scalar_split_lambda(&s1, &slam, full);
+ /* check slam*lambda + s1 == full */
+ secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
+ secp256k1_scalar_add(&s, &s, &s1);
+ CHECK(secp256k1_scalar_eq(&s, full));
+
 /* check that both are <= 128 bits in size */
 if (secp256k1_scalar_is_high(&s1)) {
 secp256k1_scalar_negate(&s1, &s1);
@@ -3658,6 +3663,15 @@ void test_scalar_split(const secp256k1_scalar* full) {
 void run_endomorphism_tests(void) {
 unsigned i;
+ static secp256k1_scalar s;
+ test_scalar_split(&secp256k1_scalar_zero);
+ test_scalar_split(&secp256k1_scalar_one);
+ secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
+ test_scalar_split(&s);
+ test_scalar_split(&secp256k1_const_lambda);
+ secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
+ test_scalar_split(&s);
+
 for (i = 0; i < 100U * count; ++i) {
 secp256k1_scalar full;
 random_scalar_order_test(&full);
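Review bot: The new reconstruction check in test_scalar_split only holds if it runs before the bounds check that follows it, because that block rewrites s1 in place with `secp256k1_scalar_negate(&s1, &s1)`, and the added comment does not say so. I would extend it to `/* check slam*lambda + s1 == full; must precede the in-place negation of s1 below */` so a later reordering does not quietly turn the identity into a test of the negated half. The function body continues past the end of the hunk, so whether slam is modified the same way is not visible here.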
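Review bot: `static secp256k1_scalar s;` in run_endomorphism_tests gives the scratch scalar static storage for no reason visible in the hunk. It is fully written by `secp256k1_scalar_negate` or `secp256k1_scalar_add` before each use, so a plain `secp256k1_scalar s;` would do unless something outside the hunk relies on it. The five fixed inputs deserve a one-line comment such as `/* fixed edge cases: 0, 1, -1, lambda, lambda+1 */`, since the calls alone do not say why these points were chosen. `secp256k1_scalar_negate(&s,&secp256k1_scalar_one);` is also missing the space after the comma that the neighbouring calls use. The loop body continues outside the hunk.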