From 7685338122dd94fbd5891de0a672107953e38674 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Tue, 5 May 2020 17:51:14 +1200
Subject: [PATCH] RistrettoPoint::vartime_check_double_scalar_mul_basepoint

Checks whether [a]A + [b]B = C in variable time.
---
 curve25519-dalek/CHANGELOG.md     | 1 +
 curve25519-dalek/src/ristretto.rs | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/curve25519-dalek/CHANGELOG.md b/curve25519-dalek/CHANGELOG.md
index 15e56985..93d31f3f 100644
--- a/curve25519-dalek/CHANGELOG.md
+++ b/curve25519-dalek/CHANGELOG.md
@@ -8,6 +8,7 @@ major series.
 ### Unreleased
 * Add `EdwardsPoint::vartime_check_double_scalar_mul_basepoint`.
+* Add `RistrettoPoint::vartime_check_double_scalar_mul_basepoint`.
 ### 4.1.2

diff --git a/curve25519-dalek/src/ristretto.rs b/curve25519-dalek/src/ristretto.rs
index c9d16aba..50a2c77b 100644
--- a/curve25519-dalek/src/ristretto.rs
+++ b/curve25519-dalek/src/ristretto.rs
@@ -1062,6 +1062,18 @@ impl RistrettoPoint {
             a, &A.0, b,
         ))
     }
+
+    /// Checks whether \\([a]A + [b]B = C\\) in variable time.
+    pub fn vartime_check_double_scalar_mul_basepoint(
+        a: &Scalar,
+        A: &RistrettoPoint,
+        b: &Scalar,
+        C: &RistrettoPoint,
+    ) -> bool {
+        use crate::traits::IsIdentity;
+
+        crate::backend::scalar_mul_abglsv_pornin(a, &A.0, b, &C.0).is_identity()
+    }
 }
 /// A precomputed table of multiples of a basepoint, used to accelerate
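Review bot: The `is_identity()` test in the new method is applied directly to whatever `crate::backend::scalar_mul_abglsv_pornin(a, &A.0, b, &C.0)` returns, and since it is fed the raw inner Edwards points this looks like an identity check on the Edwards representatives rather than a check under Ristretto equality (which, as I understand `RistrettoPoint`'s `==`, is defined on the quotient and ignores a torsion component); if so, a torsion component in the representative of `A` or `C` could make this return `false` where `[a]A + [b]B == *C` on `RistrettoPoint`s returns `true`. If the helper does return an Edwards point, lifting the result back into the quotient before testing, `RistrettoPoint(crate::backend::scalar_mul_abglsv_pornin(a, &A.0, b, &C.0)).is_identity()`, would make the check agree with Ristretto equality, provided `RistrettoPoint` has an `IsIdentity` impl (a blanket impl over `Identity + ConstantTimeEq` would give it one); otherwise the doc comment should state that the comparison is made on the Edwards representatives. The doc comment should also name `B` and spell out the vartime contract, e.g. `/// Here \\(B\\) is the Ristretto basepoint. This runs in variable time and must only be used when `a`, `b`, `A` and `C` are all public, as in signature verification.` The enclosing `impl RistrettoPoint` begins before the hunk.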