Currently the torsion check (is_torsion_free) is implemented using a variable base constant time multiplication. However the group order is public so there is no need for side channel countermeasures regarding the scalar. This would save the overhead from LookupTable::select, both the constant time lookup as well as the cost of doing the point negation in the case it's not needed. You could also precompute the NAF encoding of the group order, though I'm not sure if that's worthwhile.
randombit
commented
1 month ago
Currently the torsion check (
is_torsion_free) is implemented using a variable base constant time multiplication. However the group order is public so there is no need for side channel countermeasures regarding the scalar. This would save the overhead fromLookupTable::select, both the constant time lookup as well as the cost of doing the point negation in the case it's not needed. You could also precompute the NAF encoding of the group order, though I'm not sure if that's worthwhile.