>> No, it subtraction subroutine uses *borrow* to determine if modulus is
>> to be added. I.e. (a >= b) ? (a - b) : (P - (b - a)). If both a and b
>> are less than P, then result is less than P.
>
> Consider the case where a > P and a >= b and b is very small (e.g. 1).
> For example, a == P + 2 and b == 1, so a >= b, and a - b == P + 2 - 1
> == P + 1.

But the assertion was "if *both* a and b are less than P". I can also tell that the multiplication result is fully reduced. So if we consider the referred snippets, one from *your* previous message, then we'll see that if we assume that the inputs to the subtraction subroutines are reduced, then the result of subtraction is too. You also established that negate for fully reduced input works correctly. And then it all boils down to initial user input, right? Off for today...
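The two positions in this exchange can be checked side by side. The following is an added example, not code from OpenSSL or from either poster: it models the borrow-based subtraction quoted above on a single 8-bit word, and the modulus `P = 251` and the names `sub_mod` and `count_unreduced` are assumptions chosen so that every input pair can be enumerated.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: toy 8-bit modulus so all inputs can be enumerated. Real field
 * code is multi-limb; only the borrow decision is modelled here. */
#define P 251u

/* Borrow-based modular subtraction as described in the thread:
 * (a >= b) ? (a - b) : (P - (b - a)). P is added back only on borrow. */
static uint8_t sub_mod(uint8_t a, uint8_t b)
{
    uint8_t diff = (uint8_t)(a - b);    /* wraps modulo 2^8 */
    int borrow = a < b;                 /* set when the subtraction borrowed */
    return borrow ? (uint8_t)(diff + P) : diff;
}

/* Count pairs (a, b), both below `limit`, whose result is not below P. */
static unsigned count_unreduced(unsigned limit)
{
    unsigned bad = 0;
    for (unsigned a = 0; a < limit; a++)
        for (unsigned b = 0; b < limit; b++)
            if (sub_mod((uint8_t)a, (uint8_t)b) >= P)
                bad++;
    return bad;
}

int main(void)
{
    /* Reduced inputs only: the claim "both less than P => result less than P". */
    printf("unreduced results, inputs < P:   %u\n", count_unreduced(P));
    /* Any 8-bit input, i.e. caller-supplied values that were never reduced. */
    printf("unreduced results, inputs < 256: %u\n", count_unreduced(256));
    /* The counterexample from the quoted reply: a == P + 2, b == 1. */
    printf("sub_mod(P + 2, 1) = %u (reduced value would be %u)\n",
           (unsigned)sub_mod((uint8_t)(P + 2), 1), (P + 2 - 1) % P);
    return 0;
}
```

The first count is zero and the second is not, which is why the remaining question is whether initial user input is validated as reduced before it reaches the subtraction.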