Andy Polyakov <ap...@openssl.org> wrote:
> No, its subtraction subroutine uses *borrow* to determine if modulus is
> to be added. I.e. (a >= b) ? (a - b) : (P - (b - a)). If both a and b
> are less than P, then result is less than P.

Consider the case where a > P and a >= b and b is very small (e.g. 1). For example, a == P + 2 and b == 1, so a >= b, and a - b == P + 2 - 1 == P + 1.

Of course, this reduces to the question of whether the multiplication that precedes the subtraction can ever have a result in [P, 2**256 - 1).

Cheers,
Brian
--
https://briansmith.org/
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
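
Added example, not part of the thread and not OpenSSL's code: a Python model of the borrow-based subtraction discussed above, checked exhaustively on a constructed 8-bit modulus (251) and then on the case a == P + 2, b == 1. Taking P to be the NIST P-256 prime is an assumption (the thread only names P and the 2**256 bound), and the function names are hypothetical.

```python
# Added illustration; not OpenSSL code. P256 is assumed to be the NIST P-256
# prime; the thread itself only names the modulus "P" and the bound 2**256.
P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1


def sub_mod_borrow(a, b, p, width):
    """(a >= b) ? (a - b) : (p - (b - a)), computed on width-bit words."""
    mask = (1 << width) - 1
    diff = (a - b) & mask          # wrapped difference, as the limbs hold it
    if a < b:                      # borrow out of the top limb
        diff = (diff + p) & mask   # add the modulus back
    return diff


def unreduced_results(p, width, a_values):
    """List (a, b, result) where the result is not the canonical value
    (a - b) mod p, trying every reduced b in [0, p) for each given a."""
    bad = []
    for a in a_values:
        for b in range(p):
            r = sub_mod_borrow(a, b, p, width)
            if r != (a - b) % p:
                bad.append((a, b, r))
    return bad


if __name__ == "__main__":
    p, width = 251, 8              # constructed small model: 251 < 2**8

    # Both inputs reduced: every result is fully reduced.
    print("reduced a:", len(unreduced_results(p, width, range(p))))

    # a in [p, 2**8): the borrow never fires for b <= a - p, so the
    # result stays >= p even though it is congruent to a - b.
    bad = unreduced_results(p, width, range(p, 1 << width))
    print("unreduced a:", len(bad), "e.g.", bad[0])

    # The case from the message, on the assumed 256-bit modulus.
    r = sub_mod_borrow(P256 + 2, 1, P256, 256)
    print("a = P + 2, b = 1 gives P + 1:", r == P256 + 1)
```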