Skip to content

Commit c582aba

Browse files
sipasipa
committed
Consistency improvements to the comments
1 parent 63c6b71 commit c582aba

File tree

1 file changed

+8
-8
lines changed

1 file changed

+8
-8
lines changed

src/scalar_impl.h

+8-8
Original file line numberDiff line numberDiff line change
@@ -267,14 +267,14 @@ static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_sc
267267
# endif
268268

269269
/**
270-
* Find k1 and k2 given k, such that k1 + k2 * lambda == k mod n; unlike in the
271-
* full case we don't bother making k1 and k2 be small, we just want them to be
270+
* Find r1 and r2 given k, such that r1 + r2 * lambda == k mod n; unlike in the
271+
* full case we don't bother making r1 and r2 be small, we just want them to be
272272
* nontrivial to get full test coverage for the exhaustive tests. We therefore
273-
* (arbitrarily) set k2 = k + 5 and k1 = k - k2 * lambda.
273+
* (arbitrarily) set r2 = k + 5 (mod n) and r1 = k - r2 * lambda (mod n).
274274
*/
275-
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) {
276-
*r2 = (*a + 5) % EXHAUSTIVE_TEST_ORDER;
277-
*r1 = (*a + (EXHAUSTIVE_TEST_ORDER - *r2) * EXHAUSTIVE_TEST_LAMBDA) % EXHAUSTIVE_TEST_ORDER;
275+
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
276+
*r2 = (*k + 5) % EXHAUSTIVE_TEST_ORDER;
277+
*r1 = (*k + (EXHAUSTIVE_TEST_ORDER - *r2) * EXHAUSTIVE_TEST_LAMBDA) % EXHAUSTIVE_TEST_ORDER;
278278
}
279279
#else
280280
/**
@@ -309,11 +309,11 @@ static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, con
309309
*
310310
* "Guide to Elliptic Curve Cryptography" (Hankerson, Menezes, Vanstone) gives an algorithm
311311
* (algorithm 3.74) to find k1 and k2 given k, such that k1 + k2 * lambda == k mod n, and k1
312-
* and k2 have a small size.
312+
* and k2 are small in absolute value.
313313
*
314314
* The algorithm computes c1 = round(b2 * k / n) and c2 = round((-b1) * k / n), and gives
315315
* k1 = k - (c1*a1 + c2*a2) and k2 = -(c1*b1 + c2*b2). Instead, we use modular arithmetic, and
316-
* compute k - k2 * lambda (mod n) which is equivalent to k1 (mod n), avoiding the need for
316+
* compute r2 = k2 mod n, and r1 = k1 mod n = (k - r2 * lambda) mod n, avoiding the need for
317317
* the constants a1 and a2.
318318
*
319319
* g1, g2 are precomputed constants used to replace division with a rounded multiplication

0 commit comments

Comments
 (0)