Check correctness of lambda split without -DVERIFY

The VERIFY macro turns on various paranoid consistency checks, but the complete functionality should still be tested without it. This also adds a couple of static test points for extremely small split inputs/outputs. The existing bounds vectors already check extremely large outputs.
2020-10-10 20:46:36 +00:00 · 2020-10-10 20:46:36 +00:00 · ebad8414b0
commit ebad8414b0
parent fe7fc1fda8
1 changed files with 15 additions and 1 deletions
--- a/src/tests.c
+++ b/src/tests.c
@ -3635,12 +3635,17 @@ void run_ecmult_gen_blind(void) {
 #ifdef USE_ENDOMORPHISM
 /***** ENDOMORPHISH TESTS *****/
 void test_scalar_split(const secp256k1_scalar* full) {
-    secp256k1_scalar s1, slam;
+    secp256k1_scalar s, s1, slam;
    const unsigned char zero[32] = {0};
    unsigned char tmp[32];

    secp256k1_scalar_split_lambda(&s1, &slam, full);

+    /* check slam*lambda + s1 == full */
+    secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
+    secp256k1_scalar_add(&s, &s, &s1);
+    CHECK(secp256k1_scalar_eq(&s, full));
+
    /* check that both are <= 128 bits in size */
    if (secp256k1_scalar_is_high(&s1)) {
        secp256k1_scalar_negate(&s1, &s1);
@ -3658,6 +3663,15 @@ void test_scalar_split(const secp256k1_scalar* full) {

 void run_endomorphism_tests(void) {
    unsigned i;
+    static secp256k1_scalar s;
+    test_scalar_split(&secp256k1_scalar_zero);
+    test_scalar_split(&secp256k1_scalar_one);
+    secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
+    test_scalar_split(&s);
+    test_scalar_split(&secp256k1_const_lambda);
+    secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
+    test_scalar_split(&s);
+
    for (i = 0; i < 100U * count; ++i) {
        secp256k1_scalar full;
        random_scalar_order_test(&full);