
Commit 41e3df2

committed
Consistency improvements to the comments
1 parent 6ecbc9f commit 41e3df2


1 file changed

+8
-8
lines changed


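--- a/src/scalar_impl.h
+++ b/src/scalar_impl.h
@@ -267,14 +267,14 @@ static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_sc
 # endif
 
 /**
-* Find k1 and k2 given k, such that k1 + k2 * lambda == k mod n; unlike in the
-* full case we don't bother making k1 and k2 be small, we just want them to be
+* Find r1 and r2 given k, such that r1 + r2 * lambda == k mod n; unlike in the
+* full case we don't bother making r1 and r2 be small, we just want them to be
 * nontrivial to get full test coverage for the exhaustive tests. We therefore
-* (arbitrarily) set k2 = k + 5 and k1 = k - k2 * lambda.
+* (arbitrarily) set r2 = k + 5 (mod n) and r1 = k - r2 * lambda (mod n).
 */
-static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) {
-*r2 = (*a + 5) % EXHAUSTIVE_TEST_ORDER;
-*r1 = (*a + (EXHAUSTIVE_TEST_ORDER - *r2) * EXHAUSTIVE_TEST_LAMBDA) % EXHAUSTIVE_TEST_ORDER;
+static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
+*r2 = (*k + 5) % EXHAUSTIVE_TEST_ORDER;
+*r1 = (*k + (EXHAUSTIVE_TEST_ORDER - *r2) * EXHAUSTIVE_TEST_LAMBDA) % EXHAUSTIVE_TEST_ORDER;
 }
 #else
 /**
@@ -305,11 +305,11 @@ static const secp256k1_scalar secp256k1_const_lambda = SECP256K1_SCALAR_CONST(
 *
 * "Guide to Elliptic Curve Cryptography" (Hankerson, Menezes, Vanstone) gives an algorithm
 * (algorithm 3.74) to find k1 and k2 given k, such that k1 + k2 * lambda == k mod n, and k1
-* and k2 have a small size.
+* and k2 are small in absolute value.
 *
 * The algorithm computes c1 = round(b2 * k / n) and c2 = round((-b1) * k / n), and gives
 * k1 = k - (c1*a1 + c2*a2) and k2 = -(c1*b1 + c2*b2). Instead, we use modular arithmetic, and
-* compute k - k2 * lambda (mod n) which is equivalent to k1 (mod n), avoiding the need for
+* compute r2 = k2 (mod n), and r1 = k1 (mod n) = k - r2 * lambda (mod n), avoiding the need for
 * the constants a1 and a2.
 *
 * g1, g2 are precomputed constants used to replace division with a rounded multiplication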
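Review bot: The updated comment on the exhaustive-test `secp256k1_scalar_split_lambda` (first hunk) does not say that the outputs must not alias the input. The body stores `*r2` and then reads `*k` again to form `*r1`, so a call with `r2 == k` would compute `r1` from the overwritten value, and `r1 == r2` would lose `r2` entirely. Since this commit is already aligning that comment with the parameter names, I would add a line such as ` * r1, r2 and k must be distinct objects.` to it. Whether any caller aliases them is not visible from this page; a debug-build assertion on `r1 != k` and `r2 != k` at the top of the function would make the precondition self-checking in the test configuration.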
