From 205e2c8f1b3f2f696851a42d449db2a04867ef2e Mon Sep 17 00:00:00 2001
From: Sebastian Falbesoner
Date: Wed, 14 Jun 2023 17:15:46 +0200
Subject: [PATCH] group: remove unneeded normalize_weak in `secp256k1_gej_eq_x_var` By requiring that the input group element's X coordinate (`a->x`) has a magnitude of <= 31, the normalize_weak call and also the field element variable `r2` are not needed anymore and hence can be dropped. This makes ECDSA verification a little faster. On my machine: Benchmark , Min(us) , Avg(us) , Max(us) [ master ] ecdsa_verify , 68.9 , 72.4 , 77.8 [ PR ] ecdsa_verify , 65.4 , 68.2 , 76.6
---
 src/group.h | 3 ++-
 src/group_impl.h | 10 +++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/group.h b/src/group.h
index 77ad7435f8..85c40b8b18 100644
--- a/src/group.h
+++ b/src/group.h
@@ -100,7 +100,8 @@ static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a);
 /** Check two group elements (jacobian) for equality in variable time. */
 static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b);
 
-/** Compare the X coordinate of a group element (jacobian). */
+/** Compare the X coordinate of a group element (jacobian).
+ * The magnitude of the group element's X coordinate must not exceed 31. */
 static int secp256k1_gej_eq_x_var(const secp256k1_fe *x, const secp256k1_gej *a);
 
 /** Set r equal to the inverse of a (i.e., mirrored around the X axis) */
diff --git a/src/group_impl.h b/src/group_impl.h
index 83a45c2d33..1176c7f2f8 100644
--- a/src/group_impl.h
+++ b/src/group_impl.h
@@ -314,13 +314,17 @@ static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
 }
 
 static int secp256k1_gej_eq_x_var(const secp256k1_fe *x, const secp256k1_gej *a) {
- secp256k1_fe r, r2;
+ secp256k1_fe r;
+
+#ifdef VERIFY
 secp256k1_fe_verify(x);
+ VERIFY_CHECK(a->x.magnitude <= 31);
 secp256k1_gej_verify(a);
 VERIFY_CHECK(!a->infinity);
+#endif
+
 secp256k1_fe_sqr(&r, &a->z); secp256k1_fe_mul(&r, &r, x);
- r2 = a->x; secp256k1_fe_normalize_weak(&r2);
- return secp256k1_fe_equal_var(&r, &r2);
+ return secp256k1_fe_equal_var(&r, &a->x);
 }
 
 static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a) {
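Review bot: The new precondition on `a->x` is enforced only by `VERIFY_CHECK(a->x.magnitude <= 31)` inside `#ifdef VERIFY`, so in a production build a caller that passes a higher-magnitude X coordinate reaches `secp256k1_fe_equal_var(&r, &a->x)` with nothing to catch it. According to the commit message this comparison sits on the ECDSA verification path, where a wrong equality result would mean a wrong accept/reject decision. The callers are outside this hunk, so each one should be confirmed to satisfy the bound, ideally with a test that calls the function at the largest permitted magnitude. The constant 31 is also unexplained at the point of use; I would add a comment above the check such as `/* a->x is compared without normalization; its magnitude must be <= 31 (checked in VERIFY builds only). */` so the bound is revisited if the field comparison's input requirements ever change.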