Merge bitcoin-core/secp256k1#1490: tests: improve fe_sqr test (issue #1472)

2028069df2 doc: clarify input requirements for secp256k1_fe_mul (Sebastian Falbesoner) 11420a7a28 tests: improve fe_sqr test (Sebastian Falbesoner) Pull request description: ACKs for top commit: real-or-random: utACK 2028069df2 jonasnick: ACK 2028069df2 Tree-SHA512: bb01bf6ceb34f0475a60b8dcb0cec000859a0c20f1009426bd8cab609f1941f44f84802f1565a719f7d2a55466076fb1591a353b1b75e6c0ceac44806d908176
2024-02-27 17:14:25 +00:00
parent cdc9a6258e 2028069df2
commit 427e86b9ed
2 changed files with 25 additions and 12 deletions
--- a/src/field.h
+++ b/src/field.h
@@ -255,8 +255,8 @@ static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a);
 /** Multiply two field elements.
 *
 * On input, a and b must be valid field elements; r does not need to be initialized.
- * r and a may point to the same object, but neither can be equal to b. The magnitudes
- * of a and b must not exceed 8.
+ * r and a may point to the same object, but neither may point to the object pointed
+ * to by b. The magnitudes of a and b must not exceed 8.
 * Performs {r = a * b}
 * On output, r will have magnitude 1, but won't be normalized.
 */
--- a/src/tests.c
+++ b/src/tests.c
@@ -3285,18 +3285,31 @@ static void run_fe_mul(void) {
 }

 static void run_sqr(void) {
-    secp256k1_fe x, s;
+    int i;
+    secp256k1_fe x, y, lhs, rhs, tmp;

-    {
-        int i;
-        secp256k1_fe_set_int(&x, 1);
-        secp256k1_fe_negate(&x, &x, 1);
+    secp256k1_fe_set_int(&x, 1);
+    secp256k1_fe_negate(&x, &x, 1);

-        for (i = 1; i <= 512; ++i) {
-            secp256k1_fe_mul_int(&x, 2);
-            secp256k1_fe_normalize(&x);
-            secp256k1_fe_sqr(&s, &x);
-        }
+    for (i = 1; i <= 512; ++i) {
+        secp256k1_fe_mul_int(&x, 2);
+        secp256k1_fe_normalize(&x);
+
+        /* Check that (x+y)*(x-y) = x^2 - y*2 for some random values y */
+        random_fe_test(&y);
+
+        lhs = x;
+        secp256k1_fe_add(&lhs, &y);         /* lhs = x+y */
+        secp256k1_fe_negate(&tmp, &y, 1);   /* tmp = -y */
+        secp256k1_fe_add(&tmp, &x);         /* tmp = x-y */
+        secp256k1_fe_mul(&lhs, &lhs, &tmp); /* lhs = (x+y)*(x-y) */
+
+        secp256k1_fe_sqr(&rhs, &x);         /* rhs = x^2 */
+        secp256k1_fe_sqr(&tmp, &y);         /* tmp = y^2 */
+        secp256k1_fe_negate(&tmp, &tmp, 1); /* tmp = -y^2 */
+        secp256k1_fe_add(&rhs, &tmp);       /* rhs = x^2 - y^2 */
+
+        CHECK(fe_equal(&lhs, &rhs));
    }
 }