Detailed comments for secp256k1_scalar_split_lambda.

roconnor-blockstream · roconnor-blockstream · commit a582c3f475d8 · 2020-09-21T18:05:12.000-04:00
diff --git a/src/scalar_impl.h b/src/scalar_impl.h
@@ -270,19 +270,30 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
  * lambda is {0x53,0x63,0xad,0x4c,0xc0,0x5c,0x30,0xe0,0xa5,0x26,0x1c,0x02,0x88,0x12,0x64,0x5a,
  *            0x12,0x2e,0x22,0xea,0x20,0x81,0x66,0x78,0xdf,0x02,0x96,0x7c,0x1b,0x23,0xbd,0x72}
  *
- * "Guide to Elliptic Curve Cryptography" (Hankerson, Menezes, Vanstone) gives an algorithm
- * (algorithm 3.74) to find k1 and k2 given k, such that k1 + k2 * lambda == k mod n, and k1
- * and k2 have a small size.
- * It relies on constants a1, b1, a2, b2. These constants for the value of lambda above are:
+ * Both lambda and beta are primitive cube roots of unity.  That is lamba^3 == 1 mod n and
+ * beta^3 == 1 mod p, where n is the curve order and p is the field order.
+ *
+ * Futhermore, because (X^3 - 1) = (X - 1)(X^2 + X + 1), the primitive cube roots of unity are
+ * roots of X^2 + X + 1.  Therefore lambda^2 + lamba == -1 mod n and beta^2 + beta == -1 mod p.
+ * (The other primitive cube roots of unity are lambda^2 and beta^2 respectively.)
+ *
+ * Let l = -1/2 + i*sqrt(3)/2, the complex root of X^2 + X + 1. We can define a ring
+ * homomorphism phi : Z[l] -> Z_n where phi(a + b*l) == a + b*lambda mod n. The kernel of phi
+ * is a lattice over Z[l]. A reduced basis of this lattice is generated by the values  a1 + b1*l
+ * and a2 + b2*l where:
  *
  * - a1 =      {0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd,0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15}
  * - b1 =     -{0xe4,0x43,0x7e,0xd6,0x01,0x0e,0x88,0x28,0x6f,0x54,0x7f,0xa9,0x0a,0xbf,0xe4,0xc3}
  * - a2 = {0x01,0x14,0xca,0x50,0xf7,0xa8,0xe2,0xf3,0xf6,0x57,0xc1,0x10,0x8d,0x9d,0x44,0xcf,0xd8}
  * - b2 =      {0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd,0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15}
  *
- * The algorithm then computes c1 = round(b1 * k / n) and c2 = round(b2 * k / n), and gives
- * k1 = k - (c1*a1 + c2*a2) and k2 = -(c1*b1 + c2*b2). Instead, we use modular arithmetic, and
- * compute k1 as k - k2 * lambda, avoiding the need for constants a1 and a2.
+ * "Guide to Elliptic Curve Cryptography" (Hankerson, Menezes, Vanstone) gives an algorithm
+ * (algorithm 3.74) to find r1 and r2 given a, such that r1 + r2 * lambda == a mod n, and r1
+ * and r2 have a small size.
+ *
+ * The algorithm computes c1 = round(b2 * a / n) and c2 = round((-b1) * a / n), and gives
+ * r1 = a - (c1*a1 + c2*a2) and r2 = -(c1*b1 + c2*b2). Instead, we use modular arithmetic, and
+ * compute r1 as a - r2 * lambda (mod n), avoiding the need for constants a1 and a2.
  *
  * g1, g2 are precomputed constants used to replace division with a rounded multiplication
  * when decomposing the scalar for an endomorphism-based point multiplication.
@@ -297,10 +308,127 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
  * g1 = round((2^384)*b2/d)
  * g2 = round((2^384)*(-b1)/d)
  *
- * (Note that 'd' is also equal to the curve order here because [a1,b1] and [a2,b2] are found
- * as outputs of the Extended Euclidean Algorithm on inputs 'order' and 'lambda').
+ * (Note that 'd' is also equal to the curve order, n, here because [a1,b1] and [a2,b2]
+ * can be found as outputs of the Extended Euclidean Algorithm on inputs 'n' and 'lambda').
+ *
+ * The function below splits a in r1 and r2, such that
+ * - r1 + lambda * r2 == a (mod n)
+ * - either 0 <= r1 <= (a1 + a2 + 1) / 2 or n - (a1 + a2 + 1)/2 <= r1 < n.
+ * - either 0 <= r2 <= (-b1 + b2) / 2 or n - (-b1 + b2)/2 <= r2 < n.
+ *
+ * Proof.
+ *
+ * Let
+ *  - epsilon1 = |g1/2^384 - b2/d|
+ *  - epsilon2 = |g2/2^384 - (-b1)/d|
+ *  - c1 = round(a*g1/2^384)
+ *  - c2 = round(a*g2/2^384)
+ *
+ * Lemma 1: |c1 - a*b2/d| < 2^-1 + 2^-129
+ *
+ *    |c1 - a*b2/d|
+ *  =
+ *    |c1 - a*g1/2^384 + a*g1/2^384 - a*b2/d|
+ * <=   {triangle inequality}
+ *    |c1 - a*g1/2^384| + |a*g1/2^384 - a*b2/d|
+ *  =
+ *    |c1 - a*g1/2^384| + a*|g1/2^384 - b2/d|
+ * <=   {property of rounding in c1 & definition of epsilon1
+ *    2^-1 + a*epsilon1
+ * <    {a < 2^256 and epsilon1 < 2^-385}
+ *    2^-1 + 2^256 * 2^-385
+ *  =
+ *    2^-1 + 2^-129
+ *
+ * Lemma 2: |c2 - a*(-b1)/d| < 2^-1 + 2^-129
+ *
+ *    |c2 - a*(-b1)/d|
+ *  =
+ *    |c2 - a*g2/2^384 + a*g2/2^384 - a*(-b1)/d|
+ * <=   {triangle inequality}
+ *    |c1 - a*g2/2^384| + |a*g2/2^384 - a*(-b1)/d|
+ *  =
+ *    |c1 - a*g2/2^384| + a*|g2/2^384 - (-b1)/d|
+ * <=   {property of rounding in c1 & definition of epsilon2
+ *    2^-1 + a*epsilon2
+ * <    {a < 2^256 and epsilon2 < 2^-385}
+ *    2^-1 + 2^256 * 2^-385
+ *  =
+ *    2^-1 + 2^-129
+ *
+ * Let
+ *  - k1 = a - c1*a1 - c2*a2
+ *  - k2 = - c1*b1 - c2*b2
+ *
+ * Lemma 3: |k1| < (a1 + a2)(2^-1 + 2^-129) < (a1 + a2 + 3)/2
+ *
+ *    |k1|
+ *  =   {definition of k1}
+ *    |a - c1*a1 - c2*a2|
+ *  =   {(a1*b2 - b1*a2)/n = 1}
+ *    |a*(a1*b2 - b1*a2)/n - c1*a1 - c2*a2|
+ *  =
+ *    |a1*(a*b2/n - c1) + a2*(a*(-b1)/n - c2)|
+ * <=   {triangle inequality}
+ *    a1*|a*b2/n - c1| + a2*|a*(-b1)/n - c2|
+ * <    {Lemma 1 and Lemma 2}
+ *    a1*(2^-1 + 2^-129) + a2*(2^-1 + 2^-129)
+ *  =
+ *    (a1 + a2)(2^-1 + 2^-129)
+ * <    {calculation}
+ *    (a1 + a2 + 3)/2
+ *
+ * Corollary 4: |k1| <= (a1 + a2 + 1)/2.
+ * This follows from Lemma 3 and the fact that k1 and (a1 + a2 + 3)/2 are integers.
+ *
+ * Lemma 5: |k2| < (-b1 + b2)(2^-1 + 2^-129) < (-b1 + b2 + 2)/2
+ *
+ *    |k2|
+ *  =   {definition of k2}
+ *    |- c1*a1 - c2*a2|
+ *  =   {a*(b1*b2 - b1*b2)/n = 0}
+ *    |a*(b1*b2 - b1*b2)/n - c1*b1 - c2*b2|
+ *  =
+ *    |b1*(a*b2/n - c1) + b2*(a*(-b1)/n - c2)|
+ * <=   {triangle inequality}
+ *    (-b1)*|a*b2/n - c1| + b2*|a*(-b1)/n - c2|
+ * <    {Lemma 1 and Lemma 2}
+ *    (-b1)*(2^-1 + 2^-129) + b2*(2^-1 + 2^-129)
+ *  =
+ *    (-b1 + b2)(2^-1 + 2^-129)
+ * <    {calculation}
+ *    (-b1 + b2 + 2)/2
+ *
+ * Corollary 4: |k2| <= (-b1 + b2)/2.
+ * This follows from Lemma 5 and the fact that k2 and (-b1 + b2 + 2)/2 are integers.
+ *
+ * Let
+ *  - r2 = k2 mod n
+ *  - r1 = a - r2*lambda mod n.
+ *
+ * Notice that r1 is defined such that r1 + r2 * lambda == a (mod n).
+ *
+ * Lemma 6: r1 == k1 mod n.
+ *
+ *    r1
+ * ==   {definition of r1 and r2}
+ *    a - k2*lambda
+ * ==   {definition of k2}
+ *    a - (- c1*b1 - c2*b2)*lambda
+ * ==
+ *    a + c1*b1*lambda + c2*b2*lambda
+ * ==  {a1 + b1*lambda == 0 mod n and a2 + b2*lambda == 0 mod n}
+ *    a - c1*a1 - c2*a2
+ * ==  {definition of k1}
+ *    k1
+ *
+ * From Corollary 4, Corollary 5 and Lemma 6 we can conclude that
+ *
+ *  - either r1 <= (a1 + a2 + 1) / 2 or n - (a1 + a2 + 1)/2 <= r1
+ *  - either r2 <= (-b1 + b2) / 2 or n - (-b1 + b2)/2 <= r2.
+ *
+ * Q.E.D.
  *
- * The function below splits a in r1 and r2, such that r1 + lambda * r2 == a (mod order).
  */
 
 static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) {
