Skip to content

Commit 5fdfd75

Browse files
jonasnickjonasnick
committed
scalar: restrict split_lambda args, improve doc and VERIFY_CHECKs
VERIFY_CHECK(r1 != r2) is added because otherwise the verify_scalar_split fails.
1 parent c50177a commit 5fdfd75

File tree

2 files changed

+10
-5
lines changed

2 files changed

+10
-5
lines changed

src/scalar.h

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -88,9 +88,10 @@ static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar
8888

8989
/** Find r1 and r2 such that r1+r2*2^128 = k. */
9090
static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k);
91-
/** Find r1 and r2 such that r1+r2*lambda = k,
92-
* where r1 and r2 or their negations are maximum 128 bits long (see secp256k1_ge_mul_lambda). */
93-
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k);
91+
/** Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their
92+
* negations are maximum 128 bits long (see secp256k1_ge_mul_lambda). It is
93+
* required that r1, r2, and k all point to different objects. */
94+
static void secp256k1_scalar_split_lambda(secp256k1_scalar * SECP256K1_RESTRICT r1, secp256k1_scalar * SECP256K1_RESTRICT r2, const secp256k1_scalar * SECP256K1_RESTRICT k);
9495

9596
/** Multiply a and b (without taking the modulus!), divide by 2**shift, and round to the nearest integer. Shift must be at least 256. */
9697
static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b, unsigned int shift);

src/scalar_impl.h

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,10 @@ static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned c
5252
* nontrivial to get full test coverage for the exhaustive tests. We therefore
5353
* (arbitrarily) set r2 = k + 5 (mod n) and r1 = k - r2 * lambda (mod n).
5454
*/
55-
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
55+
static void secp256k1_scalar_split_lambda(secp256k1_scalar * SECP256K1_RESTRICT r1, secp256k1_scalar * SECP256K1_RESTRICT r2, const secp256k1_scalar * SECP256K1_RESTRICT k) {
56+
VERIFY_CHECK(r1 != k);
57+
VERIFY_CHECK(r2 != k);
58+
VERIFY_CHECK(r1 != r2);
5659
*r2 = (*k + 5) % EXHAUSTIVE_TEST_ORDER;
5760
*r1 = (*k + (EXHAUSTIVE_TEST_ORDER - *r2) * EXHAUSTIVE_TEST_LAMBDA) % EXHAUSTIVE_TEST_ORDER;
5861
}
@@ -119,7 +122,7 @@ static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, con
119122
*
120123
* See proof below.
121124
*/
122-
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
125+
static void secp256k1_scalar_split_lambda(secp256k1_scalar * SECP256K1_RESTRICT r1, secp256k1_scalar * SECP256K1_RESTRICT r2, const secp256k1_scalar * SECP256K1_RESTRICT k) {
123126
secp256k1_scalar c1, c2;
124127
static const secp256k1_scalar minus_b1 = SECP256K1_SCALAR_CONST(
125128
0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000000UL,
@@ -139,6 +142,7 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
139142
);
140143
VERIFY_CHECK(r1 != k);
141144
VERIFY_CHECK(r2 != k);
145+
VERIFY_CHECK(r1 != r2);
142146
/* these _var calls are constant time since the shift amount is constant */
143147
secp256k1_scalar_mul_shift_var(&c1, k, &g1, 384);
144148
secp256k1_scalar_mul_shift_var(&c2, k, &g2, 384);

0 commit comments

Comments
 (0)