Add scalar splitting functions

sipa · sipa · commit 6794be6080e4 · 2014-11-30T23:38:01.000+01:00
Which currently delegate to the lambda-splitter in group.
diff --git a/src/scalar.h b/src/scalar.h
@@ -72,4 +72,11 @@ static int secp256k1_scalar_is_high(const secp256k1_scalar_t *a);
 /** Convert a scalar to a number. */
 static void secp256k1_scalar_get_num(secp256k1_num_t *r, const secp256k1_scalar_t *a);
 
+static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a);
+
+#ifdef USE_ENDOMORPHISM
+/** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (see secp256k1_gej_mul_lambda). */
+static void secp256k1_scalar_split_lambda_var(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a);
+#endif
+
 #endif
diff --git a/src/scalar_4x64_impl.h b/src/scalar_4x64_impl.h
@@ -390,4 +390,15 @@ static void secp256k1_scalar_sqr(secp256k1_scalar_t *r, const secp256k1_scalar_t
 #undef extract
 #undef extract_fast
 
+static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) {
+    r1->d[0] = a->d[0];
+    r1->d[1] = a->d[1];
+    r1->d[2] = 0;
+    r1->d[3] = 0;
+    r2->d[0] = a->d[2];
+    r2->d[1] = a->d[3];
+    r2->d[2] = 0;
+    r2->d[3] = 0;
+}
+
 #endif
diff --git a/src/scalar_8x32_impl.h b/src/scalar_8x32_impl.h
@@ -615,4 +615,23 @@ static void secp256k1_scalar_sqr(secp256k1_scalar_t *r, const secp256k1_scalar_t
 #undef extract
 #undef extract_fast
 
+static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) {
+    r1->d[0] = a->d[0];
+    r1->d[1] = a->d[1];
+    r1->d[2] = a->d[2];
+    r1->d[3] = a->d[3];
+    r1->d[4] = 0;
+    r1->d[5] = 0;
+    r1->d[6] = 0;
+    r1->d[7] = 0;
+    r2->d[0] = a->d[4];
+    r2->d[1] = a->d[5];
+    r2->d[2] = a->d[6];
+    r2->d[3] = a->d[7];
+    r2->d[4] = 0;
+    r2->d[5] = 0;
+    r2->d[6] = 0;
+    r2->d[7] = 0;
+}
+
 #endif
diff --git a/src/scalar_impl.h b/src/scalar_impl.h
@@ -198,4 +198,27 @@ static void secp256k1_scalar_inverse_var(secp256k1_scalar_t *r, const secp256k1_
 #endif
 }
 
+#ifdef USE_ENDOMORPHISM
+static void secp256k1_scalar_split_lambda_var(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) {
+    unsigned char b[32];
+    secp256k1_scalar_get_b32(b, a);
+    secp256k1_num_t na;
+    secp256k1_num_set_bin(&na, b, 32);
+
+    secp256k1_num_t rn1, rn2;
+    secp256k1_gej_split_exp_var(&rn1, &rn2, &na);
+
+    secp256k1_num_get_bin(b, 32, &rn1);
+    secp256k1_scalar_set_b32(r1, b, NULL);
+    if (secp256k1_num_is_neg(&rn1)) {
+        secp256k1_scalar_negate(r1, r1);
+    }
+    secp256k1_num_get_bin(b, 32, &rn2);
+    secp256k1_scalar_set_b32(r2, b, NULL);
+    if (secp256k1_num_is_neg(&rn2)) {
+        secp256k1_scalar_negate(r2, r2);
+    }
+}
+#endif
+
 #endif
