[openssl-dev] Partially- vs. full- reduced inputs to ecp_nistz256_neg

Andy Polyakov appro at openssl.org
Mon Aug 15 22:51:43 UTC 2016


>> No, the subtraction subroutine uses *borrow* to determine if the modulus
>> is to be added. I.e. (a >= b) ? (a - b) : (P - (b - a)). If both a and b
>> are less than P, then the result is less than P.
> 
> Consider the case where a > P and a >= b and b is very small (e.g. 1).
> For example, a == P + 2 and b == 1, so a >= b, and a - b == P + 2 - 1
> == P + 1.

But the assertion was "if *both* a and b are less than P". I can also tell
that the multiplication result is fully reduced. So if we consider the
referred snippets, one from *your* previous message, then we'll see that
if we assume that inputs to subtraction subroutines are reduced, then
the result of subtraction is too. You also established that negate for fully
reduced input works correctly. And then it all boils down to the initial
user input, right?

Off for today...
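
The two cases argued in this message, as an added example that is not part of the original post and is not OpenSSL's code: a model of the borrow-driven subtraction `(a >= b) ? (a - b) : (P - (b - a))` on four 64-bit limbs, run on one fully reduced pair and on the quoted a == P + 2, b == 1 pair. The names `fe`, `sub256`, `add256`, `sub_mod` and `is_reduced` are hypothetical, and the branch in `sub_mod` stands in for whatever selection the real routine uses.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t w[4]; } fe;  /* 256-bit value, little-endian limbs */
/* NIST P-256 prime */
static const fe P = {{0xffffffffffffffffULL, 0x00000000ffffffffULL,
                      0x0000000000000000ULL, 0xffffffff00000001ULL}};

/* r = a - b mod 2^256; returns the borrow (1 if a < b) */
static uint64_t sub256(fe *r, const fe *a, const fe *b) {
    uint64_t borrow = 0;
    for (int i = 0; i < 4; i++) {
        uint64_t d = a->w[i] - b->w[i];
        uint64_t out = (a->w[i] < b->w[i]) | (d < borrow);
        r->w[i] = d - borrow;
        borrow = out;
    }
    return borrow;
}

/* r = a + b mod 2^256; carry out of the top limb is dropped */
static void add256(fe *r, const fe *a, const fe *b) {
    uint64_t carry = 0;
    for (int i = 0; i < 4; i++) {
        uint64_t s = a->w[i] + b->w[i];
        uint64_t out = (s < a->w[i]) | (s + carry < s);
        r->w[i] = s + carry;
        carry = out;
    }
}

/* Subtraction as described in the thread: add P back only on borrow. */
static void sub_mod(fe *r, const fe *a, const fe *b) {
    if (sub256(r, a, b)) add256(r, r, &P);  /* branch for clarity, not constant time */
}

/* 1 if x < P (fully reduced), else 0 */
static int is_reduced(const fe *x) { fe t; return (int)sub256(&t, x, &P); }

int main(void) {
    fe one = {{1, 0, 0, 0}}, two = {{2, 0, 0, 0}}, a, b, r;
    add256(&a, &P, &two);            /* constructed input: a = P + 2 */
    sub_mod(&r, &a, &one);           /* no borrow, so r = P + 1 */
    printf("(P+2) - 1 reduced: %d\n", is_reduced(&r));
    sub256(&b, &P, &one);            /* constructed input: b = P - 1 */
    sub_mod(&r, &one, &b);           /* borrow, P added back, r = 2 */
    printf("1 - (P-1) reduced: %d\n", is_reduced(&r));
    return 0;
}
```

With both inputs below P the borrow decides correctly and the output stays below P; with a == P + 2 no borrow occurs and the output P + 1 is only partially reduced, so the property rests on the inputs already being reduced.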

