On Thu, Aug 18, 2016 at 04:24:56PM +0200, Andy Polyakov wrote:
> >> I think you are assuming that ret is in the range [0, 2P), so that if
> >> you subtract P, the result would be in the range [0, P). That is the
> >> case in normal Montgomery multiplication, where the inputs are in the
> >> range [0, P). But, my understanding is that if the inputs are in the
> >> range [P, 2**256), e.g. they are the result of ecp_nistz256_add, then
> >> that assumption doesn't necessarily hold.
> >
> > Looks like you are right. I mean it indeed appears to be possible for
> > multiplication (and squaring) subroutine to return partially reduced
> > result. But *only* if input was partially reduced. I.e. if input is
> > fully reduced, the output *shall* be too. And if input is not fully
> > reduced, then output *can* be.
>
> It appears to me that with multiplication, squaring, subtraction,
> negation, halving *preserving* property of being fully reduced (i.e. if
> inputs are fully reduced, then output is too), we only have to watch out
> for mul_by_[23], i.e. ensure that their outputs are fully reduced. This
> would ensure that output will always be fully reduced.

Can you document some of those things?

Kurt
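
The range argument quoted above can be checked with a small integer model. This is an example added here, not code from the thread or from OpenSSL. It assumes the final reduction is a single conditional subtraction of P, as the quoted text describes, and the function names and the two witness inputs are constructed for illustration.

```python
# Added illustration: Montgomery multiplication modulo the P-256 prime,
# modelled with Python integers. This is not the ecp_nistz256 code.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1   # NIST P-256 field prime
R = 2**256                                 # Montgomery radix
N0 = (-pow(P, -1, R)) % R                  # -P^-1 mod R (Python 3.8+)


def mont_mul(a, b):
    """Return a*b/R modulo P, applying ONE conditional subtraction of P."""
    t = a * b
    m = (t * N0) % R          # chosen so that t + m*P is divisible by R
    t = (t + m * P) // R      # exact division; t < a*b/R + P
    if t >= P:                # sufficient only when t < 2P
        t -= P
    return t


def fully_reduced(x):
    """True when x is the canonical representative in [0, P)."""
    return 0 <= x < P


def partially_reduced_witness():
    """Constructed inputs in [P, 2**256) that push t up to at least 2P."""
    a = R - (2**192 + 2**96 - 1)
    b = R - 2**32
    return a, b


def demo():
    a, b = partially_reduced_witness()
    out = mont_mul(a, b)             # partially reduced inputs
    ref = mont_mul(a - P, b - P)     # same field elements, fully reduced
    return out, ref


if __name__ == "__main__":
    out, ref = demo()
    print("partially reduced inputs -> output < P:", fully_reduced(out))
    print("fully reduced inputs     -> output < P:", fully_reduced(ref))
    print("outputs differ by exactly P:", out - ref == P)
```

For inputs below P the intermediate value stays below 2P, so one subtraction is enough. For the constructed pair it reaches 2P or more, and the output lands in [P, 2**256) while still being congruent to the correct product.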