Skip to content

Commit aa83360

Browse files
roconnor-blockstreamroconnor-blockstream
committed
Add secp256k1_split_lambda_verify.
1 parent aaa11e6 commit aa83360

File tree

1 file changed

+43
-0
lines changed

1 file changed

+43
-0
lines changed

src/scalar_impl.h

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -421,6 +421,45 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
421421
* Q.E.D.
422422
*/
423423

424+
#ifdef VERIFY
425+
static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, const secp256k1_scalar *r2, const secp256k1_scalar *k) {
426+
secp256k1_scalar s;
427+
unsigned char buf1[32];
428+
unsigned char buf2[32];
429+
430+
static const secp256k1_scalar lambda = SECP256K1_SCALAR_CONST(
431+
0x5363AD4CUL, 0xC05C30E0UL, 0xA5261C02UL, 0x8812645AUL,
432+
0x122E22EAUL, 0x20816678UL, 0xDF02967CUL, 0x1B23BD72UL
433+
);
434+
435+
/* (a1 + a2 + 1)/2 is 0xa2a8918ca85bafe22016d0b917e4dd77 */
436+
static const unsigned char k1_bound[32] = {
437+
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
438+
0xa2, 0xa8, 0x91, 0x8c, 0xa8, 0x5b, 0xaf, 0xe2, 0x20, 0x16, 0xd0, 0xb9, 0x17, 0xe4, 0xdd, 0x77
439+
};
440+
441+
/* (-b1 + b2)/2 + 1 is 0x8a65287bd47179fb2be08846cea267ed */
442+
static const unsigned char k2_bound[32] = {
443+
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
444+
0x8a, 0x65, 0x28, 0x7b, 0xd4, 0x71, 0x79, 0xfb, 0x2b, 0xe0, 0x88, 0x46, 0xce, 0xa2, 0x67, 0xed
445+
};
446+
447+
secp256k1_scalar_mul(&s, &lambda, r2);
448+
secp256k1_scalar_add(&s, &s, r1);
449+
VERIFY_CHECK(secp256k1_scalar_eq(&s, k));
450+
451+
secp256k1_scalar_negate(&s, r1);
452+
secp256k1_scalar_get_b32(buf1, r1);
453+
secp256k1_scalar_get_b32(buf2, &s);
454+
VERIFY_CHECK(memcmp(buf1, k1_bound, 32) < 0 || memcmp(buf2, k1_bound, 32) < 0);
455+
456+
secp256k1_scalar_negate(&s, r2);
457+
secp256k1_scalar_get_b32(buf1, r2);
458+
secp256k1_scalar_get_b32(buf2, &s);
459+
VERIFY_CHECK(memcmp(buf1, k2_bound, 32) < 0 || memcmp(buf2, k2_bound, 32) < 0);
460+
}
461+
#endif
462+
424463
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
425464
secp256k1_scalar c1, c2;
426465
static const secp256k1_scalar minus_lambda = SECP256K1_SCALAR_CONST(
@@ -453,6 +492,10 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
453492
secp256k1_scalar_add(r2, &c1, &c2);
454493
secp256k1_scalar_mul(r1, r2, &minus_lambda);
455494
secp256k1_scalar_add(r1, r1, k);
495+
496+
#ifdef VERIFY
497+
secp256k1_scalar_split_lambda_verify(r1, r2, k);
498+
#endif
456499
}
457500
#endif
458501
#endif

0 commit comments

Comments
 (0)