scalar: improve split_lambda doc and VERIFY_CHECK

jonasnick · jonasnick · commit 95fe2151cd12 · 2023-01-03T16:28:39.000Z
VERIFY_CHECK(r1 != r2) is added because otherwise the verify_scalar_split fails.
diff --git a/src/scalar_impl.h b/src/scalar_impl.h
@@ -54,6 +54,9 @@ static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned c
  * (arbitrarily) set r2 = k + 5 (mod n) and r1 = k - r2 * lambda (mod n).
  */
 static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
+    VERIFY_CHECK(r1 != k);
+    VERIFY_CHECK(r2 != k);
+    VERIFY_CHECK(r1 != r2);
     *r2 = (*k + 5) % EXHAUSTIVE_TEST_ORDER;
     *r1 = (*k + (EXHAUSTIVE_TEST_ORDER - *r2) * EXHAUSTIVE_TEST_LAMBDA) % EXHAUSTIVE_TEST_ORDER;
 }
@@ -71,6 +74,14 @@ static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, con
 #endif
 
 /*
+ * The function below splits k into r1 and r2, such that
+ * - r1 + lambda * r2 == k (mod n)
+ * - either r1 < 2^128 or -r1 mod n < 2^128
+ * - either r2 < 2^128 or -r2 mod n < 2^128
+ *
+ * It is required that `r1`, `r2`, and `k` all point to different objects. An
+ * explanation for this function and a proof of the bounds follows below.
+ *
  * Both lambda and beta are primitive cube roots of unity.  That is lamba^3 == 1 mod n and
  * beta^3 == 1 mod p, where n is the curve order and p is the field order.
  *
@@ -113,12 +124,6 @@ static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, con
  * (Note that d is also equal to the curve order, n, here because [a1,b1] and [a2,b2]
  * can be found as outputs of the Extended Euclidean Algorithm on inputs n and lambda).
  *
- * The function below splits k into r1 and r2, such that
- * - r1 + lambda * r2 == k (mod n)
- * - either r1 < 2^128 or -r1 mod n < 2^128
- * - either r2 < 2^128 or -r2 mod n < 2^128
- *
- * See proof below.
  */
 static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
     secp256k1_scalar c1, c2;
@@ -140,6 +145,7 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
     );
     VERIFY_CHECK(r1 != k);
     VERIFY_CHECK(r2 != k);
+    VERIFY_CHECK(r1 != r2);
     /* these _var calls are constant time since the shift amount is constant */
     secp256k1_scalar_mul_shift_var(&c1, k, &g1, 384);
     secp256k1_scalar_mul_shift_var(&c2, k, &g2, 384);
