Optimization: move (2^COMB_BITS-1)/2 term into ctx->scalar_offset

sipa · sipa · commit fdd22998663a · 2021-12-31T10:46:13.000-05:00
It is unnecessary to recompute this term needed by the SDMC algorithm
for every multiplication; move it into the context scalar_offset value
instead.
diff --git a/src/ecmult_gen_impl.h b/src/ecmult_gen_impl.h
@@ -68,15 +68,13 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
      * (gn - b + (2^COMB_BITS - 1)/2). In other words, the bits of that scalar select
      * whether to add normal or negated versions of 2^(i-1)*G together.
      *
-     * We have precomputed -b = ctx->scalar_offset, and b*G = ctx->final_point_add, so our
-     * overall result becomes R = sum((2*d_i-1)*2^(i-1)*G) + ctx->final_point_add, with
-     * d_i the bits of scalar (gn + ctx->scalar_offset + (2^COMB_BITS - 1)/2).
+     * We have precomputed -b + (2^COMB_BITS - 1)/2) = ctx->scalar_offset, and b*G =
+     * ctx->final_point_add, so our overall result becomes R = sum((2*d_i-1)*2^(i-1)*G)
+     * + ctx->final_point_add, with d_i the bits of scalar (gn + ctx->scalar_offset).
      */
 
-    /* Compute the scalar (gn + ctx->scalar_offset + (2^COMB_BITS - 1)/2). */
-    secp256k1_ecmult_gen_scalar_diff(&recoded);
-    secp256k1_scalar_add(&recoded, &recoded, &ctx->scalar_offset);
-    secp256k1_scalar_add(&recoded, &recoded, gn);
+    /* Compute the scalar (gn + ctx->scalar_offset). */
+    secp256k1_scalar_add(&recoded, &ctx->scalar_offset, gn);
 
     /* In secp256k1_ecmult_gen_prec_table we have precomputed sums of the
      * (2*d_i-1) * 2^(i-1) * G points, for various combinations of i positions.
@@ -200,14 +198,19 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
 /* Setup blinding values for secp256k1_ecmult_gen. */
 static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32) {
     secp256k1_scalar b;
+    secp256k1_scalar diff;
     secp256k1_gej gb;
     unsigned char nonce32[32];
     secp256k1_rfc6979_hmac_sha256 rng;
     unsigned char keydata[64] = {0};
+
+    /* Compute the (2^COMB_BITS - 1)/2 term once. */
+    secp256k1_ecmult_gen_scalar_diff(&diff);
+
     if (seed32 == NULL) {
         /* When seed is NULL, reset the final point and blinding value. */
         secp256k1_ge_neg(&ctx->final_point_add, &secp256k1_ge_const_g);
-        ctx->scalar_offset = secp256k1_scalar_one;
+        secp256k1_scalar_add(&ctx->scalar_offset, &secp256k1_scalar_one, &diff);
     }
     /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
     secp256k1_scalar_get_b32(nonce32, &ctx->scalar_offset);
@@ -224,7 +227,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
 
     /* TODO: reintroduce projective blinding. */
 
-    /* For a random blinding value b, set ctx->scalar_offset=-b, ctx->final_point_add=bG. */
+    /* For a random blinding value b, set scalar_offset=diff-n, final_point_add=bG */
     secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
     secp256k1_scalar_set_b32(&b, nonce32, NULL);
     /* The blinding value cannot be zero, as that would mean final_point_add = infinity,
@@ -234,7 +237,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
     memset(nonce32, 0, 32);
     secp256k1_ecmult_gen(ctx, &gb, &b);
     secp256k1_scalar_negate(&b, &b);
-    ctx->scalar_offset = b;
+    secp256k1_scalar_add(&ctx->scalar_offset, &b, &diff);
     secp256k1_ge_set_gej(&ctx->final_point_add, &gb);
 
     /* Clean up. */
