authorFilippo Valsorda <filippo@golang.org>2026-02-15 20:52:50 +0100
committerGopher Robot <gobot@golang.org>2026-04-09 09:11:34 -0700
commitb67dcb53be7f779cbea922688bf336fad6adc24d (patch)
treea86c745c355ccd680f38c782ed2ecba35c388695
parent86241330242b57fd73f13014556cbd7ba4c1c1bc (diff)
downloadgo-b67dcb53be7f779cbea922688bf336fad6adc24d.tar.xz
crypto/internal/fips140/edwards25519: fix zero coeff. skip optimization
This was reported first by Adrian Grigore in private and then by
github.com/shaharcohen1 in FiloSottile/edwards25519#53.

fips140: off
goos: linux
goarch: amd64
pkg: crypto/internal/fips140/edwards25519
cpu: AMD EPYC 7443P 24-Core Processor
                               │ 6837583eec │      6837583eec-dirty       │
                               │   sec/op   │   sec/op     vs base        │
VarTimeDoubleScalarBaseMult-48   43.51µ ± 1%   42.92µ ± 0%  -1.34% (p=0.000 n=100)

Change-Id: I14523fc62732ae9233b8c198a3a626a36a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/745860
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
-rw-r--r--src/crypto/internal/fips140/edwards25519/scalarmult.go5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/crypto/internal/fips140/edwards25519/scalarmult.go b/src/crypto/internal/fips140/edwards25519/scalarmult.go
index f7ca3cef99..3d91bb592d 100644
--- a/src/crypto/internal/fips140/edwards25519/scalarmult.go
+++ b/src/crypto/internal/fips140/edwards25519/scalarmult.go
@@ -167,10 +167,11 @@ func (v *Point) VarTimeDoubleScalarBaseMult(a *Scalar, A *Point, b *Scalar) *Poi
// Find the first nonzero coefficient.
i := 255
- for j := i; j >= 0; j-- {
- if aNaf[j] != 0 || bNaf[j] != 0 {
+ for i >= 0 {
+ if aNaf[i] != 0 || bNaf[i] != 0 {
break
}
+ i--
}
multA := &projCached{}