Skip to content

Commit 63c6b71

Browse files
sipasipa
committed
Reorder comments/function around scalar_split_lambda
1 parent 2edc514 commit 63c6b71

File tree

1 file changed

+53
-48
lines changed

1 file changed

+53
-48
lines changed

src/scalar_impl.h

+53-48
Original file line numberDiff line numberDiff line change
@@ -279,9 +279,17 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
279279
#else
280280
/**
281281
* The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where
282-
* lambda is {0x53,0x63,0xad,0x4c,0xc0,0x5c,0x30,0xe0,0xa5,0x26,0x1c,0x02,0x88,0x12,0x64,0x5a,
283-
* 0x12,0x2e,0x22,0xea,0x20,0x81,0x66,0x78,0xdf,0x02,0x96,0x7c,0x1b,0x23,0xbd,0x72}
284-
*
282+
* lambda is: */
283+
static const secp256k1_scalar secp256k1_const_lambda = SECP256K1_SCALAR_CONST(
284+
0x5363AD4CUL, 0xC05C30E0UL, 0xA5261C02UL, 0x8812645AUL,
285+
0x122E22EAUL, 0x20816678UL, 0xDF02967CUL, 0x1B23BD72UL
286+
);
287+
288+
#ifdef VERIFY
289+
static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, const secp256k1_scalar *r2, const secp256k1_scalar *k);
290+
#endif
291+
292+
/*
285293
* Both lambda and beta are primitive cube roots of unity. That is lamba^3 == 1 mod n and
286294
* beta^3 == 1 mod p, where n is the curve order and p is the field order.
287295
*
@@ -329,7 +337,46 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
329337
* - either r1 < 2^128 or -r1 mod n < 2^128
330338
* - either r2 < 2^128 or -r2 mod n < 2^128
331339
*
332-
* Proof.
340+
* See proof below.
341+
*/
342+
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
343+
secp256k1_scalar c1, c2;
344+
static const secp256k1_scalar minus_b1 = SECP256K1_SCALAR_CONST(
345+
0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000000UL,
346+
0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C3UL
347+
);
348+
static const secp256k1_scalar minus_b2 = SECP256K1_SCALAR_CONST(
349+
0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
350+
0x8A280AC5UL, 0x0774346DUL, 0xD765CDA8UL, 0x3DB1562CUL
351+
);
352+
static const secp256k1_scalar g1 = SECP256K1_SCALAR_CONST(
353+
0x3086D221UL, 0xA7D46BCDUL, 0xE86C90E4UL, 0x9284EB15UL,
354+
0x3DAA8A14UL, 0x71E8CA7FUL, 0xE893209AUL, 0x45DBB031UL
355+
);
356+
static const secp256k1_scalar g2 = SECP256K1_SCALAR_CONST(
357+
0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C4UL,
358+
0x221208ACUL, 0x9DF506C6UL, 0x1571B4AEUL, 0x8AC47F71UL
359+
);
360+
VERIFY_CHECK(r1 != k);
361+
VERIFY_CHECK(r2 != k);
362+
/* these _var calls are constant time since the shift amount is constant */
363+
secp256k1_scalar_mul_shift_var(&c1, k, &g1, 384);
364+
secp256k1_scalar_mul_shift_var(&c2, k, &g2, 384);
365+
secp256k1_scalar_mul(&c1, &c1, &minus_b1);
366+
secp256k1_scalar_mul(&c2, &c2, &minus_b2);
367+
secp256k1_scalar_add(r2, &c1, &c2);
368+
secp256k1_scalar_mul(r1, r2, &secp256k1_const_lambda);
369+
secp256k1_scalar_negate(r1, r1);
370+
secp256k1_scalar_add(r1, r1, k);
371+
372+
#ifdef VERIFY
373+
secp256k1_scalar_split_lambda_verify(r1, r2, k);
374+
#endif
375+
}
376+
377+
#ifdef VERIFY
378+
/*
379+
* Proof for secp256k1_scalar_split_lambda's bounds.
333380
*
334381
* Let
335382
* - epsilon1 = 2^256 * |g1/2^384 - b2/d|
@@ -432,13 +479,6 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
432479
*
433480
* Q.E.D.
434481
*/
435-
436-
static const secp256k1_scalar secp256k1_const_lambda = SECP256K1_SCALAR_CONST(
437-
0x5363AD4CUL, 0xC05C30E0UL, 0xA5261C02UL, 0x8812645AUL,
438-
0x122E22EAUL, 0x20816678UL, 0xDF02967CUL, 0x1B23BD72UL
439-
);
440-
441-
#ifdef VERIFY
442482
static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, const secp256k1_scalar *r2, const secp256k1_scalar *k) {
443483
secp256k1_scalar s;
444484
unsigned char buf1[32];
@@ -470,42 +510,7 @@ static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, con
470510
secp256k1_scalar_get_b32(buf2, &s);
471511
VERIFY_CHECK(secp256k1_memcmp_var(buf1, k2_bound, 32) < 0 || secp256k1_memcmp_var(buf2, k2_bound, 32) < 0);
472512
}
473-
#endif
474-
475-
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
476-
secp256k1_scalar c1, c2;
477-
static const secp256k1_scalar minus_b1 = SECP256K1_SCALAR_CONST(
478-
0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000000UL,
479-
0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C3UL
480-
);
481-
static const secp256k1_scalar minus_b2 = SECP256K1_SCALAR_CONST(
482-
0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
483-
0x8A280AC5UL, 0x0774346DUL, 0xD765CDA8UL, 0x3DB1562CUL
484-
);
485-
static const secp256k1_scalar g1 = SECP256K1_SCALAR_CONST(
486-
0x3086D221UL, 0xA7D46BCDUL, 0xE86C90E4UL, 0x9284EB15UL,
487-
0x3DAA8A14UL, 0x71E8CA7FUL, 0xE893209AUL, 0x45DBB031UL
488-
);
489-
static const secp256k1_scalar g2 = SECP256K1_SCALAR_CONST(
490-
0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C4UL,
491-
0x221208ACUL, 0x9DF506C6UL, 0x1571B4AEUL, 0x8AC47F71UL
492-
);
493-
VERIFY_CHECK(r1 != k);
494-
VERIFY_CHECK(r2 != k);
495-
/* these _var calls are constant time since the shift amount is constant */
496-
secp256k1_scalar_mul_shift_var(&c1, k, &g1, 384);
497-
secp256k1_scalar_mul_shift_var(&c2, k, &g2, 384);
498-
secp256k1_scalar_mul(&c1, &c1, &minus_b1);
499-
secp256k1_scalar_mul(&c2, &c2, &minus_b2);
500-
secp256k1_scalar_add(r2, &c1, &c2);
501-
secp256k1_scalar_mul(r1, r2, &secp256k1_const_lambda);
502-
secp256k1_scalar_negate(r1, r1);
503-
secp256k1_scalar_add(r1, r1, k);
504-
505-
#ifdef VERIFY
506-
secp256k1_scalar_split_lambda_verify(r1, r2, k);
507-
#endif
508-
}
509-
#endif
513+
#endif /* VERIFY */
514+
#endif /* !defined(EXHAUSTIVE_TEST_ORDER) */
510515

511516
#endif /* SECP256K1_SCALAR_IMPL_H */

0 commit comments

Comments
 (0)