Add scalar splitting functions

Which currently delegate to the lambda-splitter in group.
8 years ago · 6794be6080
4 changed files with 60 additions and 0 deletions
--- a/src/scalar.h
+++ b/src/scalar.h
@ -72,4 +72,11 @@ static int secp256k1_scalar_is_high(const secp256k1_scalar_t *a);
				@@ -72,4 +72,11 @@ static int secp256k1_scalar_is_high(const secp256k1_scalar_t *a);
 /** Convert a scalar to a number. */
 static void secp256k1_scalar_get_num(secp256k1_num_t *r, const secp256k1_scalar_t *a);

+static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a);
+
+#ifdef USE_ENDOMORPHISM
+/** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (see secp256k1_gej_mul_lambda). */
+static void secp256k1_scalar_split_lambda_var(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a);
+#endif
+
 #endif
--- a/src/scalar_4x64_impl.h
+++ b/src/scalar_4x64_impl.h
@ -390,4 +390,15 @@ static void secp256k1_scalar_sqr(secp256k1_scalar_t *r, const secp256k1_scalar_t
				@@ -390,4 +390,15 @@ static void secp256k1_scalar_sqr(secp256k1_scalar_t *r, const secp256k1_scalar_t
 #undef extract
 #undef extract_fast

+static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) {
+    r1->d[0] = a->d[0];
+    r1->d[1] = a->d[1];
+    r1->d[2] = 0;
+    r1->d[3] = 0;
+    r2->d[0] = a->d[2];
+    r2->d[1] = a->d[3];
+    r2->d[2] = 0;
+    r2->d[3] = 0;
+}
+
 #endif
--- a/src/scalar_8x32_impl.h
+++ b/src/scalar_8x32_impl.h
@ -615,4 +615,23 @@ static void secp256k1_scalar_sqr(secp256k1_scalar_t *r, const secp256k1_scalar_t
				@@ -615,4 +615,23 @@ static void secp256k1_scalar_sqr(secp256k1_scalar_t *r, const secp256k1_scalar_t
 #undef extract
 #undef extract_fast

+static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) {
+    r1->d[0] = a->d[0];
+    r1->d[1] = a->d[1];
+    r1->d[2] = a->d[2];
+    r1->d[3] = a->d[3];
+    r1->d[4] = 0;
+    r1->d[5] = 0;
+    r1->d[6] = 0;
+    r1->d[7] = 0;
+    r2->d[0] = a->d[4];
+    r2->d[1] = a->d[5];
+    r2->d[2] = a->d[6];
+    r2->d[3] = a->d[7];
+    r2->d[4] = 0;
+    r2->d[5] = 0;
+    r2->d[6] = 0;
+    r2->d[7] = 0;
+}
+
 #endif
--- a/src/scalar_impl.h
+++ b/src/scalar_impl.h
@ -198,4 +198,27 @@ static void secp256k1_scalar_inverse_var(secp256k1_scalar_t *r, const secp256k1_
				@@ -198,4 +198,27 @@ static void secp256k1_scalar_inverse_var(secp256k1_scalar_t *r, const secp256k1_
 #endif
 }

+#ifdef USE_ENDOMORPHISM
+static void secp256k1_scalar_split_lambda_var(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) {
+    unsigned char b[32];
+    secp256k1_scalar_get_b32(b, a);
+    secp256k1_num_t na;
+    secp256k1_num_set_bin(&na, b, 32);
+
+    secp256k1_num_t rn1, rn2;
+    secp256k1_gej_split_exp_var(&rn1, &rn2, &na);
+
+    secp256k1_num_get_bin(b, 32, &rn1);
+    secp256k1_scalar_set_b32(r1, b, NULL);
+    if (secp256k1_num_is_neg(&rn1)) {
+        secp256k1_scalar_negate(r1, r1);
+    }
+    secp256k1_num_get_bin(b, 32, &rn2);
+    secp256k1_scalar_set_b32(r2, b, NULL);
+    if (secp256k1_num_is_neg(&rn2)) {
+        secp256k1_scalar_negate(r2, r2);
+    }
+}
+#endif
+
 #endif