Cleanup and comments

peterdettman · peterdettman · commit 7ef4a3ebe73a · 2021-12-22T17:24:03.000+07:00
diff --git a/src/scalar_4x64_impl.h b/src/scalar_4x64_impl.h
@@ -493,7 +493,7 @@ static void secp256k1_scalar_reduce_512(secp256k1_scalar *r, const uint64_t *l)
     uint64_t p0, p1, p2, p3, p4;
 
     /* Reduce 512 bits into 385. */
-    /* m[0..6] = l[0..3] + n[0..3] * SECP256K1_N_C. */
+    /* m[0..6] = l[0..3] + l[4..7] * SECP256K1_N_C. */
     c    = (uint128_t)n4 * SECP256K1_N_C_0;
     c   += l[0];
     m0   = (uint64_t)c; c >>= 64;
@@ -504,29 +504,29 @@ static void secp256k1_scalar_reduce_512(secp256k1_scalar *r, const uint64_t *l)
     c   += (uint64_t)u; u >>= 64;
     m1   = (uint64_t)c; c >>= 64;
 
-    c   += n4;
+    c   += n4; /* SECP256K1_N_C_2 == 1 */
     u   += (uint128_t)n5 * SECP256K1_N_C_1;
     u   += l[2];
     v    = (uint128_t)n6 * SECP256K1_N_C_0;
     c   += (uint64_t)u; u >>= 64;
     c   += (uint64_t)v; v >>= 64;
     m2   = (uint64_t)c; c >>= 64;
 
-    c   += n5;
+    c   += n5; /* SECP256K1_N_C_2 == 1 */
     u   += (uint128_t)n6 * SECP256K1_N_C_1;
     u   += l[3];
     v   += (uint128_t)n7 * SECP256K1_N_C_0;
     c   += (uint64_t)u; u >>= 64;
     c   += (uint64_t)v; v >>= 64;
     m3   = (uint64_t)c; c >>= 64;
 
-    c   += n6;
+    c   += n6; /* SECP256K1_N_C_2 == 1 */
     u   += (uint128_t)n7 * SECP256K1_N_C_1;
     c   += (uint64_t)u; u >>= 64;
     c   += (uint64_t)v;
     m4   = (uint64_t)c; c >>= 64;
 
-    c   += n7;
+    c   += n7; /* SECP256K1_N_C_2 == 1 */
     c   += (uint64_t)u;
     m5   = (uint64_t)c; c >>= 64;
 
@@ -546,25 +546,25 @@ static void secp256k1_scalar_reduce_512(secp256k1_scalar *r, const uint64_t *l)
     c   += (uint64_t)u; u >>= 64;
     p1   = (uint64_t)c; c >>= 64;
 
-    c   += m4;
+    c   += m4; /* SECP256K1_N_C_2 == 1 */
     u   += (uint128_t)m5 * SECP256K1_N_C_1;
     u   += m2;
-    c   += (m6 & SECP256K1_N_C_0);
+    c   += m6 & SECP256K1_N_C_0;
     c   += (uint64_t)u; u >>= 64;
     p2   = (uint64_t)c; c >>= 64;
 
-    c   += m5;
-    c   += (m6 & SECP256K1_N_C_1);
+    c   += m5; /* SECP256K1_N_C_2 == 1 */
+    c   += m6 & SECP256K1_N_C_1;
     c   += m3;
     c   += (uint64_t)u;
     p3   = (uint64_t)c; c >>= 64;
 
-    p4   = (uint64_t)c - m6;;
+    p4   = (uint64_t)c - m6; /* SECP256K1_N_C_2 == 1 */
     VERIFY_CHECK(p4 <= 3);
 
     /* Effectively add an extra SECP256K1_N_C during the next pass.
-     * Values that would have landed in the range [SECP256K_N, 2^256)
-     * will instead "wrap" and carry back to p4 */
+     * Values that would have landed in the range [SECP256K_N, 2^256) will
+     * instead "wrap" and carry back to p4 */
     ++p4;
 
     /* Reduce 258 bits into 256. */
@@ -575,19 +575,20 @@ static void secp256k1_scalar_reduce_512(secp256k1_scalar *r, const uint64_t *l)
     c   += (uint128_t)SECP256K1_N_C_1 * p4;
     c   += p1;
     p1   = (uint64_t)c; c >>= 64;
-    c   += p4;
+    c   += p4; /* SECP256K1_N_C_2 == 1 */
     c   += p2;
     p2   = (uint64_t)c; c >>= 64;
     c   += p3;
     p3   = (uint64_t)c; c >>= 64;
-    VERIFY_CHECK((uint64_t)c <= 1);
     p4   = (uint64_t)c;
+    VERIFY_CHECK(p4 <= 1);
 
     /* Recover the extra SECP256K1_N_C from the previous pass.
      * If p4 is 1, it becomes a 0 mask - the final pass is a no-op
      * If p4 is 0, the decrement creates a UINT64_MAX mask that enables the
-     * addition of SECP256K_N in the final pass, which must result
-     * in a final carry, which balances the accounts. */
+     * addition of SECP256K_N in the final pass, which MUST result in a final
+     * carry (because the current value in p[0..3] is >= SECP256K1_N_C), which
+     * can then be dropped to balance the accounts. */
     --p4;
 
     c    = p4 & SECP256K1_N_0;
