From: Loup Vaillant
Date: Sat, 4 Aug 2018 19:37:14 +0000 (+0200)
Subject: Avoids the first few doublings in EdDSA verification
X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=3e6dc5fd9fef4a789ff60cc59428421dd101617a;p=Monocypher.git

Avoids the first few doublings in EdDSA verification

Legitimate scalars with EdDSA verification are at most 253-bit long. That's 3 bits less than the full 256 bits. By starting the loop at the highest bit set, we can save a couple doublings. It's not much, but it's measurable.
---
diff --git a/src/monocypher.c b/src/monocypher.c
index 361d0ed..582d02f 100644
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -1565,12 +1565,24 @@ static void ge_double_scalarmult_vartime(ge *sum, const ge *P,
 i8 p_adds[256]; slide(p_adds, p);
 i8 b_adds[256]; slide(b_adds, b);
+ // Avoid the first doublings
+ int i = 255;
+ while (i >= 0 &&
+ p_adds[i] == -1 &&
+ b_adds[i] == -1) {
+ i--;
+ }
+
 // Merged double and add ladder
 ge_zero(sum);
- for (int i = 255; i >= 0; i--) {
+ if (p_adds[i] != -1) { ge_add(sum, sum, &cP[p_adds[i]]); }
+ if (b_adds[i] != -1) { ge_add(sum, sum, &cB[b_adds[i]]); }
+ i--;
+ while (i >= 0) {
 ge_double(sum, sum, &B); // B is no longer used, we can overwrite it
 if (p_adds[i] != -1) { ge_add(sum, sum, &cP[p_adds[i]]); }
 if (b_adds[i] != -1) { ge_add(sum, sum, &cB[b_adds[i]]); }
+ i--;
 }
 }
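Review bot: The scan loop can finish with `i == -1` — its own `i >= 0 &&` guard anticipates that — yet the two unconditional adds placed right after `ge_zero(sum)` then read `p_adds[i]` and `b_adds[i]` at index -1, an out-of-bounds read that, if the stray byte is not -1, turns into a wild index into cP/cB. This happens when every window of both scalars is empty, which presumably means both scalars are zero (assuming slide() fills the table with -1 for a zero scalar); for verification that needs the reduced hash to be zero as well as the caller-supplied S, so it is practically unreachable, but the read is still undefined behaviour and the check is already being paid for. Since sum is already the identity, which is the correct value of 0·P + 0·B, one guard after `ge_zero(sum);` closes it: `if (i < 0) { return; } // both scalars zero: sum is already the identity`. The data-dependent early exit is consistent with the routine's vartime contract. ge_double_scalarmult_vartime's signature and the cP/cB window setup lie before the hunk.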