From e78587c8e97142c0e162e0f2e9e3cb04a9e62b69 Mon Sep 17 00:00:00 2001
From: Bogdan Opanchuk
Date: Tue, 13 Jul 2021 21:40:48 -0700
Subject: [PATCH] Use linear combination in ECDSA verification

---
 k256/src/ecdsa/verify.rs | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/k256/src/ecdsa/verify.rs b/k256/src/ecdsa/verify.rs
index 57c9ef900..f2efc4cce 100644
--- a/k256/src/ecdsa/verify.rs
+++ b/k256/src/ecdsa/verify.rs
@@ -1,6 +1,7 @@
 //! ECDSA verifier
 
 use super::{recoverable, Error, Signature};
+use crate::arithmetic::lincomb;
 use crate::{
     AffinePoint, CompressedPoint, EncodedPoint, ProjectivePoint, PublicKey, Scalar, Secp256k1,
 };
@@ -90,9 +91,15 @@ impl VerifyPrimitive for AffinePoint {
         let u1 = z * &s_inv;
         let u2 = *r * s_inv;
 
-        let x = ((ProjectivePoint::generator() * u1) + (ProjectivePoint::from(*self) * u2))
-            .to_affine()
-            .x;
+        //let x = ((ProjectivePoint::generator() * u1) + (ProjectivePoint::from(*self) * u2))
+        let x = lincomb(
+            &ProjectivePoint::generator(),
+            &ProjectivePoint::from(*self),
+            &u1,
+            &u2,
+        )
+        .to_affine()
+        .x;
 
         if Scalar::from_bytes_reduced(&x.to_bytes()).eq(&r) {
             Ok(())
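Review bot: The commented-out `//let x = ((ProjectivePoint::generator() * u1) + (ProjectivePoint::from(*self) * u2))` line kept directly above the new `lincomb` call in the second hunk is dead code and should be dropped; the old form is preserved in history and the replacement is self-describing. What would actually help the next reader is a one-line comment on the call stating the contract it relies on, e.g. `// u1*G + u2*Q as one multi-scalar multiplication; every input here is public (signature, message hash, public key), so a variable-time lincomb is acceptable for verification but must not be reused on secret scalars.` — whether `lincomb` is variable-time is not visible in this hunk and should be confirmed against its definition in `crate::arithmetic`. Note also that, as before, the code takes `.to_affine().x` without handling the case where the combination yields the point at infinity; the commit does not change that behaviour, but it is worth a follow-up check that `lincomb` and `to_affine` agree with the previous operators on that edge case. The enclosing method of `impl VerifyPrimitive for AffinePoint` starts and ends outside the hunk.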