Function splitScalar [src]

Compute r1 and r2 so that k = r1 + r2*lambda (mod L).

Prototype

pub fn splitScalar(s: [32]u8, endian: std.builtin.Endian) NonCanonicalError!SplitScalar

Parameters

s: [32]u8endian: std.builtin.Endian

Possible Errors

Source

  pub fn splitScalar(s: [32]u8, endian: std.builtin.Endian) NonCanonicalError!SplitScalar {
    const b1_neg_s = comptime s: {
        var buf: [32]u8 = undefined;
        mem.writeInt(u256, &buf, 303414439467246543595250775667605759171, .little);
        break :s buf;
    };
    const b2_neg_s = comptime s: {
        var buf: [32]u8 = undefined;
        mem.writeInt(u256, &buf, scalar.field_order - 64502973549206556628585045361533709077, .little);
        break :s buf;
    };
    const k = mem.readInt(u256, &s, endian);

    const t1 = math.mulWide(u256, k, 21949224512762693861512883645436906316123769664773102907882521278123970637873);
    const t2 = math.mulWide(u256, k, 103246583619904461035481197785446227098457807945486720222659797044629401272177);

    const c1 = @as(u128, @truncate(t1 >> 384)) + @as(u1, @truncate(t1 >> 383));
    const c2 = @as(u128, @truncate(t2 >> 384)) + @as(u1, @truncate(t2 >> 383));

    var buf: [32]u8 = undefined;

    mem.writeInt(u256, &buf, c1, .little);
    const c1x = try scalar.mul(buf, b1_neg_s, .little);

    mem.writeInt(u256, &buf, c2, .little);
    const c2x = try scalar.mul(buf, b2_neg_s, .little);

    const r2 = try scalar.add(c1x, c2x, .little);

    var r1 = try scalar.mul(r2, lambda_s, .little);
    r1 = try scalar.sub(s, r1, .little);

    return SplitScalar{ .r1 = r1, .r2 = r2 };
}  