From f4a8c082a92f16e2d7f4339a90c6d07219a3e612 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Fri, 6 Aug 2021 13:43:19 +0100
Subject: [PATCH] Use w-NAF in `ka_orchard`

Improves the base-line cost of trial decryption by over 40%.
---
 Cargo.toml | 2 +-
 src/spec.rs | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 9cec9cbc..959ec95f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -29,7 +29,7 @@ fpe = "0.4"
 group = "0.10"
 halo2 = "0.0"
 lazy_static = "1"
-pasta_curves = "0.1"
+pasta_curves = "0.1.2"
 proptest = { version = "1.0.0", optional = true }
 rand = "0.8"
 nonempty = "0.7"
diff --git a/src/spec.rs b/src/spec.rs
index ee48e7d1..1fae12b5 100644
--- a/src/spec.rs
+++ b/src/spec.rs
@@ -218,7 +218,8 @@ pub(crate) fn ka_orchard(
 sk: &NonZeroPallasScalar,
 b: &NonIdentityPallasPoint,
 ) -> NonIdentityPallasPoint {
- NonIdentityPallasPoint(b.deref() * sk.deref())
+ let mut wnaf = group::Wnaf::new();
+ NonIdentityPallasPoint(wnaf.scalar(sk.deref()).base(*b.deref()))
 }

 /// Coordinate extractor for Pallas.
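Review bot: The w-NAF path that replaces `b.deref() * sk.deref()` in `ka_orchard` is, as far as I know, not constant-time: the scalar recoding and the table lookups in `group::Wnaf` depend on the digits of `sk`, which by its name and key-agreement role is presumably a private scalar. The speed-up is then bought with a timing and cache-access profile that varies with the key, and nothing in the hunk records that this was judged acceptable. I would add a comment above the `let mut wnaf` line, such as `// w-NAF is variable-time in sk; acceptable only where timing leakage of this scalar is outside the threat model`, and confirm that this holds for every caller, not only trial decryption. The function's signature and any doc comment sit above the hunk, so an existing note there could not be checked.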