
Commit d6cc066

Add secp256k1_split_lambda_verify.
1 parent 6db24e9 commit d6cc066


1 file changed

+43
-0
lines changed


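--- a/src/scalar_impl.h
+++ b/src/scalar_impl.h
@@ -420,6 +420,45 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
 * Q.E.D.
 */
 
+#ifdef VERIFY
+static void secp256k1_split_lambda_verify(const secp256k1_scalar *r1, const secp256k1_scalar *r2, const secp256k1_scalar *a) {
+secp256k1_scalar s;
+unsigned char buf1[32];
+unsigned char buf2[32];
+
+static const secp256k1_scalar lambda = SECP256K1_SCALAR_CONST(
+0x5363AD4CUL, 0xC05C30E0UL, 0xA5261C02UL, 0x8812645AUL,
+0x122E22EAUL, 0x20816678UL, 0xDF02967CUL, 0x1B23BD72UL
+);
+
+/* (a1 + a2 + 1)/2 is 0xa2a8918ca85bafe22016d0b917e4dd77 */
+static const unsigned char k1_bound[32] = {
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0xa2, 0xa8, 0x91, 0x8c, 0xa8, 0x5b, 0xaf, 0xe2, 0x20, 0x16, 0xd0, 0xb9, 0x17, 0xe4, 0xdd, 0x77
+};
+
+/* (-b1 + b2)/2 + 1 is 0x8a65287bd47179fb2be08846cea267ed */
+static const unsigned char k2_bound[32] = {
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x8a, 0x65, 0x28, 0x7b, 0xd4, 0x71, 0x79, 0xfb, 0x2b, 0xe0, 0x88, 0x46, 0xce, 0xa2, 0x67, 0xed
+};
+
+secp256k1_scalar_mul(&s, &lambda, r2);
+secp256k1_scalar_add(&s, &s, r1);
+VERIFY_CHECK(secp256k1_scalar_eq(&s, a));
+
+secp256k1_scalar_negate(&s, r1);
+secp256k1_scalar_get_b32(buf1, r1);
+secp256k1_scalar_get_b32(buf2, &s);
+VERIFY_CHECK(memcmp(buf1, k1_bound, 32) < 0 || memcmp(buf2, k1_bound, 32) < 0);
+
+secp256k1_scalar_negate(&s, r2);
+secp256k1_scalar_get_b32(buf1, r2);
+secp256k1_scalar_get_b32(buf2, &s);
+VERIFY_CHECK(memcmp(buf1, k2_bound, 32) < 0 || memcmp(buf2, k2_bound, 32) < 0);
+}
+#endif
+
 static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) {
 secp256k1_scalar c1, c2;
 static const secp256k1_scalar minus_lambda = SECP256K1_SCALAR_CONST(
@@ -452,6 +491,10 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
 secp256k1_scalar_add(r2, &c1, &c2);
 secp256k1_scalar_mul(r1, r2, &minus_lambda);
 secp256k1_scalar_add(r1, r1, a);
+
+#ifdef VERIFY
+secp256k1_split_lambda_verify(r1, r2, a);
+#endif
 }
 #endif
 #endif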
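Review bot: `secp256k1_split_lambda_verify` (first hunk) has no header comment saying which invariants it enforces or that it is test-only, and it runs `memcmp` over `buf1`/`buf2`, which hold serialized halves of the input scalar. `memcmp` is not constant-time and the buffers are never cleared, which is acceptable only because the function and its call site both sit under `#ifdef VERIFY`; if `secp256k1_scalar_split_lambda` is ever reached with a secret scalar (its callers are not visible on this page), that guard is the only thing keeping a timing-dependent comparison out of production builds. I would record this above the function: `/* VERIFY builds only: checks r1 + lambda*r2 == a (mod n), and that r1 or -r1 is below k1_bound and r2 or -r2 is below k2_bound. Not constant-time. */`. As a style point, the name drops the `scalar_` prefix used by `secp256k1_scalar_split_lambda`; `secp256k1_scalar_split_lambda_verify` would match the function it checks.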
