[openssl-dev] Partially- vs. full- reduced inputs to ecp_nistz256_neg
Brian Smith
brian at briansmith.org
Mon Aug 15 22:25:28 UTC 2016
Andy Polyakov <appro at openssl.org> wrote:
> No, the subtraction subroutine uses *borrow* to determine if the modulus is
> to be added. I.e. (a >= b) ? (a - b) : (P - (b - a)). If both a and b
> are less than P, then result is less than P.

Consider the case where a > P and a >= b and b is very small (e.g. 1).
For example, a == P + 2 and b == 1, so a >= b, and a - b == P + 2 - 1
== P + 1.

Of course, this reduces to the question of whether the multiplication
that precedes the subtraction can ever have a result in [P, 2**256 -
1).

Cheers,
Brian
--
https://briansmith.org/
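
The case discussed in the message above, as an added example that is not part of the original post and is not OpenSSL's code. It models the quoted rule `(a >= b) ? (a - b) : (P - (b - a))` on 256-bit values, assuming P is the NIST P-256 field prime; the function names and the sample inputs are constructed for illustration.

```python
# NIST P-256 field prime and the width of a 256-bit (4 x 64-bit limb) value.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
R = 2**256


def sub_borrow(a, b):
    """Model of the quoted rule: subtract, and add P back only on borrow.

    Hypothetical helper, not ecp_nistz256 code. Inputs are any 256-bit
    values, so they may be partially reduced (in [P, 2**256)).
    """
    if not (0 <= a < R and 0 <= b < R):
        raise ValueError("inputs must fit in 256 bits")
    diff = a - b
    if diff < 0:        # borrow out of the top limb
        diff += P       # the modulus is added back exactly once
    return diff % R     # the stored result is truncated to 256 bits


def is_reduced(x):
    """True when x is a fully reduced field element, i.e. in [0, P)."""
    return 0 <= x < P


def unreduced_outputs(values):
    """Every (a, b) drawn from values whose difference is not in [0, P)."""
    return [(a, b) for a in values for b in values
            if not is_reduced(sub_borrow(a, b))]


# Constructed boundary samples.
FULLY_REDUCED = [0, 1, 2, P // 2, P - 2, P - 1]
PARTIALLY_REDUCED = FULLY_REDUCED + [P, P + 1, P + 2, R - 1]

if __name__ == "__main__":
    # Both inputs below P: the result always stays below P.
    print("fully reduced inputs, bad outputs:",
          len(unreduced_outputs(FULLY_REDUCED)))
    # a == P + 2, b == 1: no borrow, so nothing corrects the result.
    print("sub(P + 2, 1) == P + 1:", sub_borrow(P + 2, 1) == P + 1)
    print("partially reduced inputs, bad outputs:",
          len(unreduced_outputs(PARTIALLY_REDUCED)))
```
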