From 76849f0bd6be2d07c80cb68bc7ab9a548e7ad226 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Vejpustek?=
Date: Fri, 12 Jun 2020 14:07:30 +0200
Subject: [PATCH] crypto: make ecdsa_recover_pub_from_sig faster
---
 crypto/ecdsa.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
index ad0e00933..3b50c4ad2 100644
--- a/crypto/ecdsa.c
+++ b/crypto/ecdsa.c
@@ -999,19 +999,22 @@ int ecdsa_recover_pub_from_sig(const ecdsa_curve *curve, uint8_t *pub_key,
 }
 // e = -digest
 bn_read_be(digest, &e);
- bn_subtractmod(&curve->order, &e, &e, &curve->order);
- bn_fast_mod(&e, &curve->order);
 bn_mod(&e, &curve->order);
- // r := r^-1
+ bn_subtract(&curve->order, &e, &e);
+ // r = r^-1
 bn_inverse(&r, &curve->order);
- // cp := s * R = s * k *G
+ // e = -digest * r^-1
+ bn_multiply(&r, &e, &curve->order);
+ bn_mod(&e, &curve->order);
+ // s = s * r^-1
+ bn_multiply(&r, &s, &curve->order);
+ bn_mod(&s, &curve->order);
+ // cp = s * r^-1 * k * G
 point_multiply(curve, &s, &cp, &cp);
- // cp2 := -digest * G
+ // cp2 = -digest * r^-1 * G
 scalar_multiply(curve, &e, &cp2);
- // cp := (s * k - digest) * G = (r*priv) * G = r * Pub
+ // cp = (s * r^-1 * k - digest * r^-1) * G = Pub
 point_add(curve, &cp2, &cp);
- // cp := r^{-1} * r * Pub = Pub
- point_multiply(curve, &r, &cp, &cp);
 pub_key[0] = 0x04;
 bn_write_be(&cp.x, pub_key + 1);
 bn_write_be(&cp.y, pub_key + 33);
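Review bot: After `bn_subtract(&curve->order, &e, &e);` the value in `e` appears to be order - (digest mod order), which lies in [1, order] rather than [0, order), so the `// e = -digest` comment above it only holds modulo the order until the later `bn_mod(&e, &curve->order);` runs. This reading assumes `bn_subtract` computes first-minus-second and that `bn_multiply` tolerates an operand equal to the modulus; neither helper is visible in the hunk. I would record the dependency next to the subtraction, e.g. `// e = order - (digest mod order), in [1, order]; fully reduced by bn_mod after the multiply below`. When the digest is a multiple of the order, `e` ends up zero going into `scalar_multiply(curve, &e, &cp2);`, and the hunk does not show how a zero scalar or a point at infinity out of `point_add` is treated before the coordinates are written to `pub_key`; the removed code had the same case, so a recovery test vector for that input (the diffstat touches only `crypto/ecdsa.c`) would pin the behaviour across this rewrite. The function body starts and ends outside the hunk.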