ecdsa: use mul_by_generator_and_mul_add_vartime for verification (#1302)

tarcieri · web-flow · commit 6752ba4cbe95 · 2026-04-15T12:49:14.000-06:00
This high-level method can plug into various strategies for efficiently
implementing `aG + bP`, including using basepoint tables, wNAF, or
linear combinations, depending on what crate features are enabled and
what curve-specific optimizations have been implemented.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -29,3 +29,5 @@ rfc6979 = { path = "./rfc6979" }
 slh-dsa = { path = "./slh-dsa" }
 xmss = { path = "./xmss" }
 bign-genk = { path = "./bign-genk" }
+
+elliptic-curve = { git = "https://github.com/RustCrypto/traits" }
diff --git a/ecdsa/src/hazmat.rs b/ecdsa/src/hazmat.rs
@@ -24,7 +24,7 @@ use {
         CurveArithmetic, NonZeroScalar, ProjectivePoint, Scalar,
         ff::PrimeField,
         group::{Curve as _, Group},
-        ops::{Invert, LinearCombination, Reduce},
+        ops::{Invert, MulByGeneratorVartime, Reduce},
         point::AffineCoordinates,
         scalar::IsHigh,
     },
@@ -213,7 +213,7 @@ where
     let s_inv = *s.invert_vartime();
     let u1 = z * s_inv;
     let u2 = *r * s_inv;
-    let x = ProjectivePoint::<C>::lincomb(&[(ProjectivePoint::<C>::generator(), u1), (*q, u2)])
+    let x = ProjectivePoint::<C>::mul_by_generator_and_mul_add_vartime(&u1, &u2, q)
         .to_affine()
         .x();
 
