[openssl-dev] Partially- vs. full- reduced inputs to ecp_nistz256_neg

[Andy Polyakov]

> Let's recall that result of multiplication prior final reduction is
> actually n+1-limb value, with +1 limb being single bit,

This came out wrong. Result is N+1 *bits* wide, it's just in this
particular case you have to spend additional limb on the the additional
bit. It's just that particular cases are most common ones, that's why
you'd tend to put it as wrong as above :-)