Remove secp256k1_num_mul from num.h

This function isn't used anywhere and will cause test failures if we
implement the full num.h API for a fixed-width 256-bit numeric type.

We lose the unit test for secp256k1_scalar_mul_shift_var; we compensate
by improving the unit test for secp256k1_scalar_split_lambda (which is
the only user of this function) to test that the algebraic relation
`N = s_lam * lambda + s_1` actually holds for the lambda decomposition.

Author: apoelstra

src/num.h

@@ -44,9 +44,6 @@ static void secp256k1_num_add(secp256k1_num *r, const secp256k1_num *a, const se
 /** Subtract two (signed) numbers. */
 static void secp256k1_num_sub(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b);
 
-/** Multiply two (signed) numbers. */
-static void secp256k1_num_mul(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b);
-
 /** Replace a number by its remainder modulo m. M's sign is ignored. The result is a number between 0 and m-1,
     even if r was negative. */
 static void secp256k1_num_mod(secp256k1_num *r, const secp256k1_num *m);

src/num_gmp_impl.h

@@ -206,33 +206,6 @@ static void secp256k1_num_sub(secp256k1_num *r, const secp256k1_num *a, const se
     secp256k1_num_subadd(r, a, b, 1);
 }
 
-static void secp256k1_num_mul(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b) {
-    mp_limb_t tmp[2*NUM_LIMBS+1];
-    secp256k1_num_sanity(a);
-    secp256k1_num_sanity(b);
-
-    VERIFY_CHECK(a->limbs + b->limbs <= 2*NUM_LIMBS+1);
-    if ((a->limbs==1 && a->data[0]==0) || (b->limbs==1 && b->data[0]==0)) {
-        r->limbs = 1;
-        r->neg = 0;
-        r->data[0] = 0;
-        return;
-    }
-    if (a->limbs >= b->limbs) {
-        mpn_mul(tmp, a->data, a->limbs, b->data, b->limbs);
-    } else {
-        mpn_mul(tmp, b->data, b->limbs, a->data, a->limbs);
-    }
-    r->limbs = a->limbs + b->limbs;
-    if (r->limbs > 1 && tmp[r->limbs - 1]==0) {
-        r->limbs--;
-    }
-    VERIFY_CHECK(r->limbs <= 2*NUM_LIMBS);
-    mpn_copyi(r->data, tmp, r->limbs);
-    r->neg = a->neg ^ b->neg;
-    memset(tmp, 0, sizeof(tmp));
-}
-
 static void secp256k1_num_shift(secp256k1_num *r, int bits) {
     if (bits % GMP_NUMB_BITS) {
         /* Shift within limbs. */

src/tests.c

@@ -593,23 +593,6 @@ void scalar_test(void) {
         CHECK(secp256k1_num_eq(&rnum, &r2num));
     }
 
-    {
-        /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
-        secp256k1_scalar r;
-        secp256k1_num r2num;
-        secp256k1_num rnum;
-        secp256k1_num_mul(&rnum, &snum, &s2num);
-        secp256k1_num_mod(&rnum, &order);
-        secp256k1_scalar_mul(&r, &s, &s2);
-        secp256k1_scalar_get_num(&r2num, &r);
-        CHECK(secp256k1_num_eq(&rnum, &r2num));
-        /* The result can only be zero if at least one of the factors was zero. */
-        CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
-        /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
-        CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
-        CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
-    }
-
     {
         secp256k1_scalar neg;
         secp256k1_num negnum;
@@ -636,24 +619,6 @@ void scalar_test(void) {
         CHECK(secp256k1_scalar_is_zero(&neg));
     }
 
-    {
-        /* Test secp256k1_scalar_mul_shift_var. */
-        secp256k1_scalar r;
-        secp256k1_num one;
-        secp256k1_num rnum;
-        secp256k1_num rnum2;
-        unsigned char cone[1] = {0x01};
-        unsigned int shift = 256 + secp256k1_rand_int(257);
-        secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
-        secp256k1_num_mul(&rnum, &s1num, &s2num);
-        secp256k1_num_shift(&rnum, shift - 1);
-        secp256k1_num_set_bin(&one, cone, 1);
-        secp256k1_num_add(&rnum, &rnum, &one);
-        secp256k1_num_shift(&rnum, 1);
-        secp256k1_scalar_get_num(&rnum2, &r);
-        CHECK(secp256k1_num_eq(&rnum, &rnum2));
-    }
-
     {
         /* test secp256k1_scalar_shr_int */
         secp256k1_scalar r;
@@ -2532,13 +2497,22 @@ void run_ecmult_gen_blind(void) {
 /***** ENDOMORPHISH TESTS *****/
 void test_scalar_split(void) {
     secp256k1_scalar full;
-    secp256k1_scalar s1, slam;
+    secp256k1_scalar s1, slam, stmp;
     const unsigned char zero[32] = {0};
     unsigned char tmp[32];
+    secp256k1_scalar lambda = SECP256K1_SCALAR_CONST(
+        0x5363ad4c, 0xc05c30e0, 0xa5261c02, 0x8812645a,
+        0x122e22ea, 0x20816678, 0xdf02967c, 0x1b23bd72
+    );
 
     random_scalar_order_test(&full);
     secp256k1_scalar_split_lambda(&s1, &slam, &full);
 
+    /* check that they are a lambda decomposition */
+    secp256k1_scalar_mul(&stmp, &lambda, &slam);
+    secp256k1_scalar_add(&stmp, &stmp, &s1);
+    CHECK(secp256k1_scalar_eq(&stmp, &full));
+
     /* check that both are <= 128 bits in size */
     if (secp256k1_scalar_is_high(&s1)) {
         secp256k1_scalar_negate(&s1, &s1);