Avoids the first few doublings in EdDSA verification

Legitimate scalars with EdDSA verification are at most 253-bit long.
That's 3 bits less than the full 256 bits.  By starting the loop at the
highest bit set, we can save a couple doublings.  It's not much, but
it's measurable.

diff --git a/src/monocypher.c b/src/monocypher.c
index 361d0ed97973a2214b74e3fd2e2bb3d37838ef4b..582d02f456d580365d5ea4fc60e9a6e04662db96 100644 (file)
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -1565,12 +1565,24 @@ static void ge_double_scalarmult_vartime(ge *sum, const ge *P,
     i8 p_adds[256];   slide(p_adds, p);
     i8 b_adds[256];   slide(b_adds, b);
 
+    // Avoid the first doublings
+    int i = 255;
+    while (i >= 0          &&
+           p_adds[i] == -1 &&
+           b_adds[i] == -1) {
+        i--;
+    }
+
     // Merged double and add ladder
     ge_zero(sum);
-    for (int i = 255; i >= 0; i--) {
+    if (p_adds[i] != -1) { ge_add(sum, sum, &cP[p_adds[i]]); }
+    if (b_adds[i] != -1) { ge_add(sum, sum, &cB[b_adds[i]]); }
+    i--;
+    while (i >= 0) {
         ge_double(sum, sum, &B); // B is no longer used, we can overwrite it
         if (p_adds[i] != -1) { ge_add(sum, sum, &cP[p_adds[i]]); }
         if (b_adds[i] != -1) { ge_add(sum, sum, &cB[b_adds[i]]); }
+        i--;
     }
 }