in src/shamir.c [230:282]
void SSS_shamir_to_additive(int k, const octet *X_j, const octet *Y_j, const octet *X, octet *S)
{
BIG_256_56 x_j;
BIG_256_56 q;
BIG_256_56 w;
DBIG_256_56 dw;
BIG_256_56 n;
BIG_256_56 d;
BIG_256_56_rcopy(q, CURVE_Order_SECP256K1);
BIG_256_56_fromBytesLen(x_j, X_j->val, X_j->len);
// Initialize accumulators for numerator and denominator
BIG_256_56_one(n);
BIG_256_56_one(d);
// x_j = -x_j mod q
BIG_256_56_sub(x_j, q, x_j);
for (int i = 0; i < k-1; i++)
{
// n = prod(x_i)
BIG_256_56_fromBytesLen(w, X[i].val, X[i].len);
BIG_256_56_mul(dw, n, w);
BIG_256_56_dmod(n, dw, q);
// d = prod(x_i - x_j)
BIG_256_56_add(w, w, x_j);
BIG_256_56_norm(w);
BIG_256_56_mul(dw, d, w);
BIG_256_56_dmod(d, dw, q);
}
// s = n/d * y
BIG_256_56_invmodp(d, d, q);
BIG_256_56_mul(dw, n, d);
BIG_256_56_dmod(w, dw, q);
BIG_256_56_fromBytesLen(x_j, Y_j->val, Y_j->len);
BIG_256_56_mul(dw, w, x_j);
BIG_256_56_dmod(w, dw, q);
// Output additive share
BIG_256_56_toBytes(S->val, w);
S->len = SGS_SECP256K1;
// Clean memory
BIG_256_56_zero(w);
BIG_256_56_dzero(dw);
}