Comment fixes for ecc_add_eh

c87bd88c · Niels Möller · b33eea3b · c87bd88c
Commit c87bd88c authored 5 years ago by Niels Möller
--- a/ecc-add-eh.c
+++ b/ecc-add-eh.c
@@ -55,20 +55,26 @@ ecc_add_eh (const struct ecc_curve *ecc,
 #define z3 (r + 2*ecc->p.size)
  /* Formulas (from djb,
-     http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl):
+     http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#addition-madd-2008-bbjlp
     Computation	Operation	Live variables
     C = x1*x2		mul		C
     D = y1*y2		mul		C, D
-     T = (x1+y1)(x2+y2) - C - D		C, D, T
+     T = (x1+y1)*(x2+y2) mul		C, D, T
-     E = b*C*D		2 mul		C, E, T  (Replace C <-- D - C)
+         - C - D
+     E = b*C*D          2 mul		C, E, T  (Replace C <-- D+C)
     B = z1^2		sqr		B, C, E, T
     F = B - E				B, C, E, F, T
     G = B + E     			C, F, G, T
-     x3 = z1*F*T	3 mul		C, F, G, T
+     x3 = z1 * F * T    2 mul		C, F, G, T
-     y3 = z1*G*(D-C)	2 mul		F, G
+     y3 = z1*G*(D+C)	2 mul		F, G
     z3 = F*G		mul
+     10M + 1S
+     We have different sign for E, hence swapping F and G, because our
+     ecc->b corresponds to -b above.
  */
 #define C (scratch)
 #define D (scratch + 1*ecc->p.size)
@@ -88,17 +94,17 @@ ecc_add_eh (const struct ecc_curve *ecc,
  ecc_modp_mul (ecc, x3, C, D);
  ecc_modp_mul (ecc, E, x3, ecc->b);
-  ecc_modp_add (ecc, C, D, C); /* ! */
+  ecc_modp_add (ecc, C, D, C);
  ecc_modp_sqr (ecc, B, z1);
  ecc_modp_sub (ecc, F, B, E);
  ecc_modp_add (ecc, G, B, E);
  /* x3 */
-  ecc_modp_mul (ecc, B, G, T); /* ! */
+  ecc_modp_mul (ecc, B, G, T);
  ecc_modp_mul (ecc, x3, B, z1);
  /* y3 */
-  ecc_modp_mul (ecc, B, F, z1); /* ! */
+  ecc_modp_mul (ecc, B, F, z1);
  ecc_modp_mul (ecc, y3, B, C); /* Clobbers z1 in case r == p. */
  /* z3 */