Pieter Wuille

Results 554 comments of Pieter Wuille

I don't think that matters? Even/odd has no special meaning when working modulo a prime. The PR currently uses the bits of scalar `(input + 2^COMB_BITS - 1 - blind)...

It seems I'm wrong, but I'm confused why!

It works, but you need to use the bits of `input - blind + (2^COMB_BITS - 1)/2` instead. That's what you get when you substitute `2*(input-blind)` for `e` in the...

Updated to use the avoid-halving-scalar trick.

@peterdettman FWIW, the easiest way of achieving the same would be: 1. Modify configure.ac to support a new option 2. Run configure with that option 3. make clean-precomp && make...

Nice, that's much better explained than my current comments. I'll try to include it.

@peterdettman Making this change causes instant failure during the tests, at least: ```diff --- a/src/ecmult_gen_impl.h +++ b/src/ecmult_gen_impl.h @@ -78,7 +78,7 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25 */ /* Compute...

For the 43/6/1 configuration it is 0x80000000000000000000000000000001e7f9b4a5f9130fa66044722cc7ae9e1e. For the 11/6/4 configuration it is 0x8000000000000000000000000000000987e0873ddd5f4e3fe1563adfe6691698.
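As an added worked example (not libsecp256k1's code and not from the PR discussed above): a plain-Python rendering of the signed-digit comb these comments describe, using the bits of `input - blind + (2^COMB_BITS - 1)/2` and pushing the halving into the precomputed table so that no scalar is halved at runtime. The comb parameters (8 blocks, 4 teeth, spacing 8), the `Comb`, `mul_gen` and `comb_offset` names and the `BLIND` value are this example's own choices. `comb_offset(258)` reproduces the 43/6/1 constant quoted above (258 = 43 * 6 * 1); the second constant quoted comes out numerically as `comb_offset(260)`.

```python
# Signed-digit multi-comb multiplication of the secp256k1 generator.
# Added worked example in plain Python, not libsecp256k1 code; the comb
# parameters, helper names and BLIND value are this example's own.

P = 2**256 - 2**32 - 977  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G (odd)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(p, q):
    """Affine point addition (handles doubling, inverses and infinity)."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def neg(p):
    return INF if p is INF else (p[0], (-p[1]) % P)

def mul(k, p):
    """Reference double-and-add; used only to build tables and to check results."""
    acc = INF
    for bit in bin(k % N)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, p)
    return acc

def comb_offset(comb_bits):
    """(2^COMB_BITS - 1)/2 mod n: the constant added to (input - blind)."""
    return (2**comb_bits - 1) * pow(2, -1, N) % N

class Comb:
    def __init__(self, blocks, teeth, spacing):
        self.blocks, self.teeth, self.spacing = blocks, teeth, spacing
        self.bits = blocks * teeth * spacing
        assert self.bits >= 256, "every residue mod n must fit in COMB_BITS bits"
        self.offset = comb_offset(self.bits)
        # Halving is moved into the table: every entry is a multiple of G/2, so
        # the comb may compute 2*(input - blind)*(G/2) without halving a scalar.
        half_g = mul(pow(2, -1, N), G)
        pows = [half_g]
        for _ in range(self.bits - 1):
            pows.append(add(pows[-1], pows[-1]))  # pows[i] = 2^i * G/2
        # table[b][d]: bit t of d gives the sign (+1 if set, -1 if clear) of tooth t in block b
        self.table = []
        for b in range(blocks):
            row = []
            for d in range(2**teeth):
                pt = INF
                for t in range(teeth):
                    term = pows[(b * teeth + t) * spacing]
                    pt = add(pt, term if (d >> t) & 1 else neg(term))
                row.append(pt)
            self.table.append(row)

    def mul_gen(self, scalar, blind):
        """Return scalar*G using the comb on the bits of scalar - blind + offset."""
        # Each bit b_i of B becomes the digit s_i = 2*b_i - 1 in {-1, +1}, so the
        # comb sums s_i * 2^i * G/2 over all COMB_BITS positions, which equals
        # (2B - (2^bits - 1)) * G/2 = (scalar - blind) * G.
        B = (scalar - blind + self.offset) % N
        acc = INF
        for j in reversed(range(self.spacing)):
            if j != self.spacing - 1:
                acc = add(acc, acc)
            for b in range(self.blocks):
                d = 0
                for t in range(self.teeth):
                    pos = (b * self.teeth + t) * self.spacing + j
                    d |= ((B >> pos) & 1) << t
                acc = add(acc, self.table[b][d])
        # Undo the blinding; libsecp256k1 keeps blind*G precomputed in its context.
        return add(acc, mul(blind, G))

# Arbitrary blinding scalar, constructed for this example.
BLIND = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD

if __name__ == "__main__":
    comb = Comb(8, 4, 8)  # 256-bit comb; the 43/6/1 build discussed above is larger
    for k in (0, 1, 2, N - 1, BLIND):
        assert comb.mul_gen(k, BLIND) == mul(k, G)
    print("offset for COMB_BITS=258:", hex(comb_offset(258)))
```

Each bit of `B = input - blind + offset` is consumed as a digit in {-1, +1}, so the accumulated sum is `(2B - (2^COMB_BITS - 1)) * (G/2) = (input - blind) * G`, and adding `blind * G` at the end recovers `input * G`; zero and `n - 1` work without special cases. This example keeps all `2^teeth` sign patterns per block for clarity; libsecp256k1 halves that table by using the sign of one tooth to negate the looked-up point.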

@peterdettman I've incorporated your derivation in the comments in ecmult_gen_impl.h, and added a test case for recoded={-1,0,1}.

I've worked on an additional change that introduces a COMB_RANGE which is normally 256, but in exhaustive test mode corresponds to the number of bits in EXHAUSTIVE_TEST_ORDER. Then COMB_BITS only...