@@ -461,7 +461,7 @@ static void secp256k1_gej_add_zinv_var(secp256k1_gej_t *r, const secp256k1_gej_t
461461
462462
463463static void secp256k1_gej_add_ge (secp256k1_gej_t * r , const secp256k1_gej_t * a , const secp256k1_ge_t * b ) {
464- /* Operations: 7 mul, 5 sqr, 4 normalize, 17 mul_int/add/negate/cmov */
464+ /* Operations: 7 mul, 5 sqr, 4 normalize, 22 mul_int/add/negate/cmov */
465465 static const secp256k1_fe_t fe_1 = SECP256K1_FE_CONST (0 , 0 , 0 , 0 , 0 , 0 , 0 , 1 );
466466 secp256k1_fe_t zz , u1 , u2 , s1 , s2 , t , tt , m , n , q , rr ;
467467 secp256k1_fe_t m_alt , rr_alt ;
@@ -528,8 +528,9 @@ static void secp256k1_gej_add_ge(secp256k1_gej_t *r, const secp256k1_gej_t *a, c
528528 t = u1 ; secp256k1_fe_add (& t , & u2 ); /* t = T = U1+U2 (2) */
529529 m = s1 ; secp256k1_fe_add (& m , & s2 ); /* m = M = S1+S2 (2) */
530530 secp256k1_fe_sqr (& rr , & t ); /* rr = T^2 (1) */
531- secp256k1_fe_mul (& tt , & u1 , & u2 ); secp256k1_fe_negate (& tt , & tt , 1 ); /* tt = -U1*U2 (2) */
532- secp256k1_fe_add (& rr , & tt ); /* rr = R = T^2-U1*U2 (3) */
531+ secp256k1_fe_negate (& m_alt , & u2 , 1 ); /* m = -X2*Z1^2 */
532+ secp256k1_fe_mul (& tt , & u1 , & m_alt ); /* tt = -U1*U2 (2) */
533+ secp256k1_fe_add (& rr , & tt ); /* rr = R = T^2-U1*U2 (3) */
533534 /** If lambda = R/M = 0/0 we have a problem (except in the "trivial"
534535 * case that Z = z1z2 = 0, and this is special-cased later on). */
535536 degenerate = secp256k1_fe_normalizes_to_zero (& m ) &
@@ -541,7 +542,6 @@ static void secp256k1_gej_add_ge(secp256k1_gej_t *r, const secp256k1_gej_t *a, c
541542 * so we set R/M equal to this. */
542543 secp256k1_fe_negate (& rr_alt , & s2 , 1 ); /* rr = -Y2*Z1^3 */
543544 secp256k1_fe_add (& rr_alt , & s1 ); /* rr = Y1*Z2^3 - Y2*Z1^3 */
544- secp256k1_fe_negate (& m_alt , & u2 , 1 ); /* m = -X2*Z1^2 */
545545 secp256k1_fe_add (& m_alt , & u1 ); /* m = X1*Z2^2 - X2*Z1^2 */
546546
547547 secp256k1_fe_cmov (& rr_alt , & rr , !degenerate );
0 commit comments