From 6794be6080e489f83d7fa2205e530ebc64d8759d Mon Sep 17 00:00:00 2001
From: Pieter Wuille
Date: Wed, 26 Nov 2014 16:22:02 +0100
Subject: [PATCH] Add scalar splitting functions

Which currently delegate to the lambda-splitter in group.
---
 src/scalar.h | 7 +++++++
 src/scalar_4x64_impl.h | 11 +++++++++++
 src/scalar_8x32_impl.h | 19 +++++++++++++++++++
 src/scalar_impl.h | 23 +++++++++++++++++++++++
 4 files changed, 60 insertions(+)

diff --git a/src/scalar.h b/src/scalar.h
index eae727cb9d1..cd9d59932ad 100644
--- a/src/scalar.h
+++ b/src/scalar.h
@@ -72,4 +72,11 @@ static int secp256k1_scalar_is_high(const secp256k1_scalar_t *a);
 /** Convert a scalar to a number. */
 static void secp256k1_scalar_get_num(secp256k1_num_t *r, const secp256k1_scalar_t *a);
 
+static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a);
+
+#ifdef USE_ENDOMORPHISM
+/** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (see secp256k1_gej_mul_lambda). */
+static void secp256k1_scalar_split_lambda_var(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a);
+#endif
+
 #endif
diff --git a/src/scalar_4x64_impl.h b/src/scalar_4x64_impl.h
index fff9119173f..d95b7754eba 100644
--- a/src/scalar_4x64_impl.h
+++ b/src/scalar_4x64_impl.h
@@ -390,4 +390,15 @@ static void secp256k1_scalar_sqr(secp256k1_scalar_t *r, const secp256k1_scalar_t
 #undef extract
 #undef extract_fast
 
+static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) {
+ r1->d[0] = a->d[0];
+ r1->d[1] = a->d[1];
+ r1->d[2] = 0;
+ r1->d[3] = 0;
+ r2->d[0] = a->d[2];
+ r2->d[1] = a->d[3];
+ r2->d[2] = 0;
+ r2->d[3] = 0;
+}
+
 #endif
diff --git a/src/scalar_8x32_impl.h b/src/scalar_8x32_impl.h
index 2a4afc89a2d..74c47de7deb 100644
--- a/src/scalar_8x32_impl.h
+++ b/src/scalar_8x32_impl.h
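Review bot: The new `secp256k1_scalar_split_128` declaration is the only one in this hunk without a `/** */` comment, so a reader cannot tell which half lands where; from the limb copies in the scalar_4x64_impl.h and scalar_8x32_impl.h hunks it is `/** Split a into its low 128 bits (r1) and its high 128 bits (r2). */`. The comment on `secp256k1_scalar_split_lambda_var` also overstates the result: the implementation in scalar_impl.h negates a half modulo the group order whenever the splitter returns a negative number, so r1 and r2 are values of magnitude at most 128 bits that may come back negated, not scalars that are at most 128 bits long, and a caller wanting the short form presumably has to detect and undo that negation itself. Since the `_var` suffix is the only hint that the function runs in variable time, the comment should say so, e.g. append `Not constant time; only use with non-secret scalars.`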
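Review bot: `secp256k1_scalar_split_128` produces a wrong `r2` when `r1` aliases `a`: `r1->d[2]` and `r1->d[3]` are zeroed before `r2->d[0]` and `r2->d[1]` read `a->d[2]` and `a->d[3]`, so the high half comes out as zero. The scalar_8x32_impl.h hunk has the same ordering, clearing `r1->d[4]` through `r1->d[7]` before `r2` reads them. Other scalar functions in this patch are called with aliased arguments (`secp256k1_scalar_negate(r1, r1)` in scalar_impl.h), so either the header should state the contract, `/** r1 and r2 must not alias a. */`, or the limbs of `a` should be read into locals before the first write to `r1` or `r2`; I cannot see from this patch whether any current caller aliases.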
@@ -615,4 +615,23 @@ static void secp256k1_scalar_sqr(secp256k1_scalar_t *r, const secp256k1_scalar_t
 #undef extract
 #undef extract_fast
 
+static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) {
+ r1->d[0] = a->d[0];
+ r1->d[1] = a->d[1];
+ r1->d[2] = a->d[2];
+ r1->d[3] = a->d[3];
+ r1->d[4] = 0;
+ r1->d[5] = 0;
+ r1->d[6] = 0;
+ r1->d[7] = 0;
+ r2->d[0] = a->d[4];
+ r2->d[1] = a->d[5];
+ r2->d[2] = a->d[6];
+ r2->d[3] = a->d[7];
+ r2->d[4] = 0;
+ r2->d[5] = 0;
+ r2->d[6] = 0;
+ r2->d[7] = 0;
+}
+
 #endif
diff --git a/src/scalar_impl.h b/src/scalar_impl.h
index 8624f44db32..9f04c597727 100644
--- a/src/scalar_impl.h
+++ b/src/scalar_impl.h
@@ -198,4 +198,27 @@ static void secp256k1_scalar_inverse_var(secp256k1_scalar_t *r, const secp256k1_
 #endif
 }
 
+#ifdef USE_ENDOMORPHISM
+static void secp256k1_scalar_split_lambda_var(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) {
+ unsigned char b[32];
+ secp256k1_scalar_get_b32(b, a);
+ secp256k1_num_t na;
+ secp256k1_num_set_bin(&na, b, 32);
+
+ secp256k1_num_t rn1, rn2;
+ secp256k1_gej_split_exp_var(&rn1, &rn2, &na);
+
+ secp256k1_num_get_bin(b, 32, &rn1);
+ secp256k1_scalar_set_b32(r1, b, NULL);
+ if (secp256k1_num_is_neg(&rn1)) {
+ secp256k1_scalar_negate(r1, r1);
+ }
+ secp256k1_num_get_bin(b, 32, &rn2);
+ secp256k1_scalar_set_b32(r2, b, NULL);
+ if (secp256k1_num_is_neg(&rn2)) {
+ secp256k1_scalar_negate(r2, r2);
+ }
+}
+#endif
+
 #endif
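Review bot: The sign handling in `secp256k1_scalar_split_lambda_var` depends on `secp256k1_num_get_bin` writing the magnitude of a negative number, so that the `secp256k1_scalar_negate` guarded by `secp256k1_num_is_neg` rebuilds the value modulo the group order; that property is not visible in this patch and deserves a comment above the first `secp256k1_num_get_bin` call, e.g. `/* num_get_bin yields |rn1|; restore the sign by negating mod n. */`. The `NULL` overflow argument to `secp256k1_scalar_set_b32` is only safe because each half is at most 128 bits and so can never exceed the group order, which is worth stating on that line rather than leaving the discarded flag unexplained. The function is variable time through `secp256k1_gej_split_exp_var` and the two `secp256k1_num_is_neg` branches, consistent with its `_var` suffix, and the 32-byte `b` buffer still holds the caller's scalar when the function returns, so a one-line note that it must not be used with secret scalars would help future callers.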