Skip to content

Commit 4eb8b93

Browse files
peterdettmanpeterdettman
committed
Further improve doubling formula using fe_half
1 parent 557b31f commit 4eb8b93

File tree

1 file changed

+20
-20
lines changed

1 file changed

+20
-20
lines changed

src/group_impl.h

+20-20
Original file line numberDiff line numberDiff line change
@@ -271,36 +271,35 @@ static int secp256k1_ge_is_valid_var(const secp256k1_ge *a) {
271271
}
272272

273273
static SECP256K1_INLINE void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a) {
274-
secp256k1_fe l, s, t, q;
274+
/* Operations: 3 mul, 4 sqr, 8 add/half/mul_int/negate */
275+
secp256k1_fe l, s, t;
275276

276277
r->infinity = a->infinity;
277278

278279
/* Formula used:
279280
* L = (3/2) * X1^2
280281
* S = Y1^2
281-
* T = X1*S
282-
* X3 = L^2 - 2*T
283-
* Y3 = L*(T - X3) - S^2
282+
* T = -X1*S
283+
* X3 = L^2 + 2*T
284+
* Y3 = -(L*(X3 + T) + S^2)
284285
* Z3 = Y1*Z1
285286
*/
286287

287288
secp256k1_fe_mul(&r->z, &a->z, &a->y); /* Z3 = Y1*Z1 (1) */
288-
secp256k1_fe_sqr(&l, &a->x); /* L = X1^2 (1) */
289-
secp256k1_fe_mul_int(&l, 3); /* L = 3*X1^2 (3) */
290-
secp256k1_fe_half(&l); /* L = 3/2*X1^2 (2) */
291-
secp256k1_fe_sqr(&s, &a->y); /* S = Y1^2 (1) */
292-
secp256k1_fe_mul(&t, &a->x, &s); /* T = X1*S (1) */
293-
q = t;
294-
secp256k1_fe_add(&q, &t); /* Q = 2*T (2) */
295-
secp256k1_fe_negate(&r->x, &q, 2); /* X3 = -2*T (3) */
296-
secp256k1_fe_sqr(&q, &l); /* Q = L^2 (1) */
297-
secp256k1_fe_add(&r->x, &q); /* X3 = L^2 - 2*T (4) */
298-
secp256k1_fe_negate(&q, &r->x, 4); /* Q = -X3 (5) */
299-
secp256k1_fe_add(&q, &t); /* Q = T-X3 (6) */
300-
secp256k1_fe_mul(&q, &q, &l); /* Q = L*(T-X3) (1) */
301-
secp256k1_fe_sqr(&s, &s);
302-
secp256k1_fe_negate(&r->y, &s, 1); /* Y3 = -S^2 (2) */
303-
secp256k1_fe_add(&r->y, &q); /* Y3 = L*(T-X3) - S^2 (3) */
289+
secp256k1_fe_sqr(&s, &a->y); /* S = Y1^2 (1) */
290+
secp256k1_fe_sqr(&l, &a->x); /* L = X1^2 (1) */
291+
secp256k1_fe_mul_int(&l, 3); /* L = 3*X1^2 (3) */
292+
secp256k1_fe_half(&l); /* L = 3/2*X1^2 (2) */
293+
secp256k1_fe_negate(&t, &s, 1); /* T = -S (2) */
294+
secp256k1_fe_mul(&t, &t, &a->x); /* T = -X1*S (1) */
295+
secp256k1_fe_sqr(&r->x, &l); /* X3 = L^2 (1) */
296+
secp256k1_fe_add(&r->x, &t); /* X3 = L^2 + T (2) */
297+
secp256k1_fe_add(&r->x, &t); /* X3 = L^2 + 2*T (3) */
298+
secp256k1_fe_sqr(&s, &s); /* S' = S^2 (1) */
299+
secp256k1_fe_add(&t, &r->x); /* T' = X3 + T (4) */
300+
secp256k1_fe_mul(&r->y, &t, &l); /* Y3 = L*(X3 + T) (1) */
301+
secp256k1_fe_add(&r->y, &s); /* Y3 = L*(X3 + T) + S^2 (2) */
302+
secp256k1_fe_negate(&r->y, &r->y, 2); /* Y3 = -(L*(X3 + T) + S^2) (3) */
304303
}
305304

306305
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr) {
@@ -324,6 +323,7 @@ static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, s
324323

325324
if (rzr != NULL) {
326325
*rzr = a->y;
326+
secp256k1_fe_normalize_weak(rzr);
327327
}
328328

329329
secp256k1_gej_double(r, a);

0 commit comments

Comments
 (0)