scalar: improve split_lambda doc and VERIFY_CHECK

VERIFY_CHECK(r1 != r2) is added because otherwise the verify_scalar_split fails.

src/scalar.h

@@ -92,8 +92,9 @@ static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar
 
 /** Find r1 and r2 such that r1+r2*2^128 = k. */
 static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k);
-/** Find r1 and r2 such that r1+r2*lambda = k,
- * where r1 and r2 or their negations are maximum 128 bits long (see secp256k1_ge_mul_lambda). */
+/** Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their
+ *  negations are maximum 128 bits long (see secp256k1_ge_mul_lambda). It is
+ *  required that r1, r2, and k all point to different objects. */
 static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k);
 
 /** Multiply a and b (without taking the modulus!), divide by 2**shift, and round to the nearest integer. Shift must be at least 256. */

src/scalar_impl.h

@@ -54,6 +54,9 @@ static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned c
  * (arbitrarily) set r2 = k + 5 (mod n) and r1 = k - r2 * lambda (mod n).
  */
 static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
+    VERIFY_CHECK(r1 != k);
+    VERIFY_CHECK(r2 != k);
+    VERIFY_CHECK(r1 != r2);
     *r2 = (*k + 5) % EXHAUSTIVE_TEST_ORDER;
     *r1 = (*k + (EXHAUSTIVE_TEST_ORDER - *r2) * EXHAUSTIVE_TEST_LAMBDA) % EXHAUSTIVE_TEST_ORDER;
 }
@@ -140,6 +143,7 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
     );
     VERIFY_CHECK(r1 != k);
     VERIFY_CHECK(r2 != k);
+    VERIFY_CHECK(r1 != r2);
     /* these _var calls are constant time since the shift amount is constant */
     secp256k1_scalar_mul_shift_var(&c1, k, &g1, 384);
     secp256k1_scalar_mul_shift_var(&c2, k, &g2, 384);