From 6efd6e77778fae56ebf050cb7cdbba913ee41df6 Mon Sep 17 00:00:00 2001 From: Gregory Maxwell Date: Mon, 2 Feb 2015 01:47:23 +0000 Subject: [PATCH] Some comments explaining some of the constants in the code. --- src/ecdsa_impl.h | 22 ++++++++++++++++++++++ src/field_10x26.h | 1 + src/field_5x52.h | 1 + src/field_5x52_impl.h | 1 + src/field_impl.h | 3 +++ src/group_impl.h | 3 +++ src/scalar_impl.h | 1 + 7 files changed, 32 insertions(+) diff --git a/src/ecdsa_impl.h b/src/ecdsa_impl.h index 879b4a588f..1a77649390 100644 --- a/src/ecdsa_impl.h +++ b/src/ecdsa_impl.h @@ -15,11 +15,33 @@ #include "ecmult_gen.h" #include "ecdsa.h" +/** Group order for secp256k1 defined as 'n' in "Standards for Efficient Cryptography" (SEC2) 2.7.1 + * sage: for t in xrange(1023, -1, -1): + * .. p = 2**256 - 2**32 - t + * .. if p.is_prime(): + * .. print '%x'%p + * .. break + * 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f' + * sage: a = 0 + * sage: b = 7 + * sage: F = FiniteField (p) + * sage: '%x' % (EllipticCurve ([F (a), F (b)]).order()) + * 'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141' + */ static const secp256k1_fe_t secp256k1_ecdsa_const_order_as_fe = SECP256K1_FE_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL ); +/** Difference between field and order, values 'p' and 'n' values defined in + * "Standards for Efficient Cryptography" (SEC2) 2.7.1. + * sage: p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F + * sage: a = 0 + * sage: b = 7 + * sage: F = FiniteField (p) + * sage: '%x' % (p - EllipticCurve ([F (a), F (b)]).order()) + * '14551231950b75fc4402da1722fc9baee' + */ static const secp256k1_fe_t secp256k1_ecdsa_const_p_minus_order = SECP256K1_FE_CONST( 0, 0, 0, 1, 0x45512319UL, 0x50B75FC4UL, 0x402DA172UL, 0x2FC9BAEEUL ); diff --git a/src/field_10x26.h b/src/field_10x26.h index 1f855285e1..44bce6525d 100644 --- a/src/field_10x26.h 
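Review bot: The comment above `secp256k1_ecdsa_const_order_as_fe` is headed "Group order", but the first sage result it prints, the string ending in `fffffc2f`, is the field prime p; only the second result is n, so a reader checking the constant can compare it with the wrong string. Labelling the two outputs would remove the ambiguity, for example a line `* (the value above is the field prime p; the group order n follows)` before `sage: a = 0`. In the comment on `secp256k1_ecdsa_const_p_minus_order`, `values 'p' and 'n' values defined in` repeats a word and should read `values 'p' and 'n' defined in`. Neither comment says why n is stored as a field element rather than a scalar; if it is for comparing a signature's r with an x coordinate, as the names suggest, one sentence saying so would help.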
+++ b/src/field_10x26.h @@ -18,6 +18,7 @@ typedef struct { #endif } secp256k1_fe_t; +/* Unpacks a constant into a overlapping multi-limbed FE element. */ #define SECP256K1_FE_CONST_INNER(d7, d6, d5, d4, d3, d2, d1, d0) { \ (d0) & 0x3FFFFFFUL, \ ((d0) >> 26) | ((d1) & 0xFFFFFUL) << 6, \ diff --git a/src/field_5x52.h b/src/field_5x52.h index 7b38324143..4513d36f49 100644 --- a/src/field_5x52.h +++ b/src/field_5x52.h @@ -18,6 +18,7 @@ typedef struct { #endif } secp256k1_fe_t; +/* Unpacks a constant into a overlapping multi-limbed FE element. */ #define SECP256K1_FE_CONST_INNER(d7, d6, d5, d4, d3, d2, d1, d0) { \ (d0) | ((uint64_t)(d1) & 0xFFFFFUL) << 32, \ ((d1) >> 20) | ((uint64_t)(d2)) << 12 | ((uint64_t)(d3) & 0xFFUL) << 44, \ diff --git a/src/field_5x52_impl.h b/src/field_5x52_impl.h index 71ab472b12..a281e9a339 100644 --- a/src/field_5x52_impl.h +++ b/src/field_5x52_impl.h @@ -34,6 +34,7 @@ static void secp256k1_fe_verify(const secp256k1_fe_t *a) { const uint64_t *d = a->n; int m = a->normalized ? 1 : 2 * a->magnitude, r = 1; + /* secp256k1 'p' value defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */ r &= (d[0] <= 0xFFFFFFFFFFFFFULL * m); r &= (d[1] <= 0xFFFFFFFFFFFFFULL * m); r &= (d[2] <= 0xFFFFFFFFFFFFFULL * m); diff --git a/src/field_impl.h b/src/field_impl.h index fbf7b2b921..56692e3408 100644 --- a/src/field_impl.h +++ b/src/field_impl.h @@ -29,6 +29,7 @@ static void secp256k1_fe_get_hex(char *r64, const secp256k1_fe_t *a) { secp256k1_fe_normalize(&b); secp256k1_fe_get_b32(tmp, &b); for (i=0; i<32; i++) { + /* Hex character table. */ static const char *c = "0123456789ABCDEF"; r64[2*i] = c[(tmp[i] >> 4) & 0xF]; r64[2*i+1] = c[(tmp[i]) & 0xF]; 
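Review bot: The comment added on `SECP256K1_FE_CONST_INNER` in field_10x26.h, repeated verbatim in field_5x52.h, does not state the layout, and "overlapping" is ambiguous: judging by the visible masks and shifts, the 32-bit input words straddle limb boundaries, and the limbs do not overlap each other. I would write `/* Repacks eight 32-bit words (d0 least significant) into 26-bit limbs, lowest limb first; each argument must fit in 32 bits. */`, with "52-bit" in the 5x52 header. The 32-bit requirement is worth stating because `(d0) >> 26` and the bare `(d0)` in the 5x52 version are not masked, so a wider argument would spill into the bits taken from d1. Both macro bodies continue past the end of their hunks.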
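Review bot: The new comment in `secp256k1_fe_verify` sits directly above `r &= (d[0] <= 0xFFFFFFFFFFFFFULL * m);`, but that constant is the 52-bit limb mask scaled by the magnitude bound m, not the field prime p. As placed, it tells the reader these lines compare against p. I would put `/* Each limb must not exceed the 52-bit limb maximum times m. */` here and move the SEC2 reference to wherever the function compares a normalized value with p, which is presumably after the end of this hunk.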
@@ -38,6 +39,7 @@ static void secp256k1_fe_get_hex(char *r64, const secp256k1_fe_t *a) { static int secp256k1_fe_set_hex(secp256k1_fe_t *r, const char *a64) { int i; unsigned char tmp[32]; + /* Byte to hex value table. */ static const int cvt[256] = {0, 0, 0, 0, 0, 0, 0,0,0,0,0,0,0,0,0,0, 0, 0, 0, 0, 0, 0, 0,0,0,0,0,0,0,0,0,0, 0, 0, 0, 0, 0, 0, 0,0,0,0,0,0,0,0,0,0, @@ -203,6 +205,7 @@ static void secp256k1_fe_inv_var(secp256k1_fe_t *r, const secp256k1_fe_t *a) { secp256k1_fe_inv(r, a); #elif defined(USE_FIELD_INV_NUM) secp256k1_num_t n, m; + /* secp256k1 field prime, value p defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */ static const unsigned char prime[32] = { 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, diff --git a/src/group_impl.h b/src/group_impl.h index d67045c33a..c606894a6b 100644 --- a/src/group_impl.h +++ b/src/group_impl.h @@ -13,6 +13,9 @@ #include "field.h" #include "group.h" +/** Generator for secp256k1, value 'g' defined in + * "Standards for Efficient Cryptography" (SEC2) 2.7.1. + */ static const secp256k1_ge_t secp256k1_ge_const_g = { SECP256K1_FE_CONST( 0x79BE667EUL, 0xF9DCBBACUL, 0x55A06295UL, 0xCE870B07UL, diff --git a/src/scalar_impl.h b/src/scalar_impl.h index b3e6f1eb85..3acbe264ae 100644 --- a/src/scalar_impl.h +++ b/src/scalar_impl.h @@ -31,6 +31,7 @@ static void secp256k1_scalar_get_num(secp256k1_num_t *r, const secp256k1_scalar_ secp256k1_num_set_bin(r, c, 32); } +/** secp256k1 curve order, see secp256k1_ecdsa_const_order_as_fe in ecdsa_impl.h */ static void secp256k1_scalar_order_get_num(secp256k1_num_t *r) { static const unsigned char order[32] = { 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
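Review bot: "Byte to hex value table" on `cvt` in `secp256k1_fe_set_hex` leaves out the property a caller most needs to know: the visible rows are all zero, so a character that is not a hex digit appears to decode as 0 instead of being reported as invalid. If that is the intended behaviour the comment should say so, e.g. `/* Maps a character code to its 4-bit value; non-hex characters map to 0 and are not rejected. */`. The table has 256 entries, so the lookup, which is outside this hunk, should index it with an `unsigned char` value; a plain `char` index can be negative where `char` is signed. The rest of the table and the function body are not visible here.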
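Review bot: The `/** … */` comment in scalar_impl.h is attached to the function `secp256k1_scalar_order_get_num`, yet it describes the `order[32]` array inside it, so as a doc comment it does not say what the function does. I would either move it to the line above `static const unsigned char order[32]` as a plain `/* */` comment, or reword it along the lines of `/** Set r to the secp256k1 group order n; same value as secp256k1_ecdsa_const_order_as_fe in ecdsa_impl.h. */`, assuming that is what the function does. Because the order now exists in two encodings, a test asserting that both copies agree would catch a mistyped byte in either one. The function body continues past the end of the hunk.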