From e3d692ff75f47890ec53054b79c75cd903170505 Mon Sep 17 00:00:00 2001
From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Fri, 28 Nov 2014 22:07:32 +0100
Subject: [PATCH] Explain why no y=0 check is necessary for doubling

Explanation suggested by Greg Maxwell.
---
 src/group_impl.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/group_impl.h b/src/group_impl.h
index b00f428..bfc38c2 100644
--- a/src/group_impl.h
+++ b/src/group_impl.h
@@ -208,6 +208,9 @@ static int secp256k1_ge_is_valid(const secp256k1_ge_t *a) {
 }
 
 static void secp256k1_gej_double_var(secp256k1_gej_t *r, const secp256k1_gej_t *a) {
+    // For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity,
+    // Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have
+    // y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p.
     r->infinity = a->infinity;
     if (r->infinity) {
         return;
-- 
2.42.0