secp256k1_ec_pubkey_combine, so the faster variable-time addition function _gej_add_ge_var can be used instead. Happy to add a benchmark if wanted.
_ec_pubkey_combine
#1587
I don’t know what the original intention of using constant time addition was. Maybe @sipa remembers. It was added here: https://github.com/bitcoin-core/secp256k1/pull/212/files#diff-6f71b0372be086d45b4f2740508c03a21835d87008840032fbb767f419fd988aR552
I’m aware that some implementations use pubkey_combine to add “secret” group elements in a “blind DH” (see here, here and here). I haven’t checked in detail if using variable time addition leads to a side channel that isn’t already there with constant time addition. In any case, constant time addition is not something one can expect from libsecp’s API (it’s called “public key combine”).