On Thu, Aug 18, 2016 at 04:24:56PM +0200, Andy Polyakov wrote:
> >> I think you are assuming that ret is in the range [0, 2P), so that if
> >> you subtract P, the result would be in the range [0, P). That is the
> >> case in normal Montgomery multiplication, where the inputs are in the
> >> range [0, P). But, my understanding is that if the inputs are in the
> >> range [P, 2**256), e.g. they are the result of ecp_nistz256_add, then
> >> that assumption doesn't necessarily hold.
> > 
> > Looks like you are right. I mean it indeed appears to be possible for
> > the multiplication (and squaring) subroutine to return a partially
> > reduced result. But *only* if the input was partially reduced. I.e. if
> > the input is fully reduced, the output *shall* be too. And if the input
> > is not fully reduced, then the output *can* be.
> 
> It appears to me that with multiplication, squaring, subtraction,
> negation, halving *preserving* the property of being fully reduced (i.e. if
> inputs are fully reduced, then output is too), we only have to watch out
> for mul_by_[23], i.e. ensure that their outputs are fully reduced. This
> would ensure that output will always be fully reduced.

Can you document some of those things?


Kurt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
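
Added example, not part of the original thread and not OpenSSL's code: a textbook Python model of Montgomery multiplication modulo the P-256 prime with a single conditional subtraction, run on the two input ranges discussed in the quoted text. The function names and the sample operands are assumptions chosen for illustration.

```python
# Textbook model of Montgomery multiplication modulo the NIST P-256 prime.
# Illustration only: this is not OpenSSL's ecp_nistz256 assembly.

P = 2**256 - 2**224 + 2**192 + 2**96 - 1   # P-256 field prime
R = 2**256                                  # Montgomery radix
N_PRIME = pow(R - P, -1, R)                 # -P^-1 mod R


def mont_reduce_raw(a, b):
    """Return (a*b + m*P) / R before any final subtraction."""
    t = a * b
    m = (t * N_PRIME) % R
    return (t + m * P) // R   # exact: t + m*P is a multiple of R


def mont_mul(a, b):
    """Montgomery product with one conditional subtraction of P."""
    ret = mont_reduce_raw(a, b)
    if ret >= P:              # enough only when ret is in [0, 2P)
        ret -= P
    return ret


def is_fully_reduced(x):
    """True when x is the canonical representative in [0, P)."""
    return 0 <= x < P


def demo():
    # Constructed operands. Fully reduced case: both in [0, P).
    full = mont_mul(P - 1, P - 1)
    # Partially reduced case: both in [P, 2**256).
    a = b = R - 1
    raw = mont_reduce_raw(a, b)      # lands in [2P, R + P)
    partial = mont_mul(a, b)         # one subtraction leaves it >= P
    return full, raw, partial


if __name__ == "__main__":
    full, raw, partial = demo()
    print("inputs in [0, P):     fully reduced =", is_fully_reduced(full))
    print("inputs in [P, 2^256): raw >= 2P     =", raw >= 2 * P)
    print("inputs in [P, 2^256): fully reduced =", is_fully_reduced(partial))
```

The partially reduced output is still in the correct residue class modulo P; it is only not the canonical representative, which matters wherever results are compared or serialized byte for byte.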
