Hello,
Thu, 31 Oct 2019 at 17:55, Niels Möller nisse@lysator.liu.se:
> Dmitry Eremin-Solenikov dbaryshkov@gmail.com writes:
>> After the ecc_modp_mul() call the value of `t` should already be lower than `ecc->p.m`, so the subtraction will always return a carry.
> No, the reduction after mul and sqr doesn't produce canonical results. They only ensure that t < 2*m. The pattern you see is needed in places where a canonical representation, t < m, is required.
Ok, thanks for the clarification. Is it only the case for the 521-bit curve and for redc-based reduction? Because for all other cases 2 * p > B, so mul (and sqr) cannot return a value greater than or equal to 2*m (= 2 * p).
> Result is the same as with if (mpn_cmp(...)) mpn_sub_n(...), but an unconditional subtraction + cnd_cpy makes that logic side-channel silent.
Yes, this part is understandable. I was concerned about not copying the result straight ahead.
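The pattern discussed above (unconditional subtraction followed by a conditional copy, to take a value known to be below 2*m down to the canonical range below m) as a self-contained C example. This is added illustration, not Nettle's code: it uses a toy two-limb modulus and its own `ct_sub_n` / `ct_cnd_copy` helpers standing in for GMP's `mpn_sub_n` and Nettle's `cnd_copy`, and the modulus `M`, the test values and the function names are all assumptions made for the example. The branchy `if (cmp) sub` form from the thread is included only as a reference to show both produce the same limbs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy limb type and size: two 64-bit limbs, i.e. a 128-bit modulus.
 * This is an assumption for the example; Nettle uses GMP's mp_limb_t
 * and the curve's real limb count. */
typedef uint64_t limb_t;
#define LIMBS 2

/* rp = ap - bp, limb by limb, least significant first.
 * Returns the final borrow: 1 if ap < bp, 0 otherwise.
 * Every iteration does the same work regardless of operand values
 * (plays the role of mpn_sub_n in the thread). */
static limb_t ct_sub_n(limb_t *rp, const limb_t *ap, const limb_t *bp, size_t n)
{
    limb_t borrow = 0;
    for (size_t i = 0; i < n; i++) {
        limb_t a = ap[i], b = bp[i];
        limb_t d = a - b;
        limb_t b1 = (limb_t)(a < b);       /* borrow out of a - b */
        limb_t r = d - borrow;
        limb_t b2 = (limb_t)(d < borrow);  /* borrow out of subtracting the incoming borrow */
        rp[i] = r;
        borrow = b1 | b2;                  /* b1 and b2 are never both set, so | suffices */
    }
    return borrow;
}

/* Constant-time conditional copy: rp = xp if cnd is non-zero, else unchanged.
 * Same role as Nettle's cnd_copy: no branch on the (possibly secret) condition. */
static void ct_cnd_copy(limb_t cnd, limb_t *rp, const limb_t *xp, size_t n)
{
    limb_t mask = (limb_t)0 - (limb_t)(cnd != 0);   /* all ones or all zeros */
    for (size_t i = 0; i < n; i++)
        rp[i] = (rp[i] & ~mask) | (xp[i] & mask);
}

/* The pattern under discussion: bring t in [0, 2m) into canonical [0, m).
 * Subtract m unconditionally; if that borrowed, t was already < m, so copy
 * the original back. No control flow depends on t. */
static void ct_canonical_reduce(limb_t *rp, const limb_t *tp, const limb_t *mp, size_t n)
{
    limb_t borrow = ct_sub_n(rp, tp, mp, n);
    ct_cnd_copy(borrow, rp, tp, n);
}

/* Reference with a value-dependent branch: the "if (mpn_cmp(...)) mpn_sub_n(...)"
 * form mentioned in the thread. Functionally identical, but its timing and
 * memory access pattern leak whether t >= m. */
static int cmp_n(const limb_t *ap, const limb_t *bp, size_t n)
{
    for (size_t i = n; i-- > 0; )
        if (ap[i] != bp[i])
            return ap[i] > bp[i] ? 1 : -1;
    return 0;
}

static void branchy_reduce(limb_t *rp, const limb_t *tp, const limb_t *mp, size_t n)
{
    if (cmp_n(tp, mp, n) >= 0)
        ct_sub_n(rp, tp, mp, n);
    else
        memcpy(rp, tp, n * sizeof(limb_t));
}

/* Constructed modulus for the example: m = 2^64 + 5 (limbs {5, 1}). */
static const limb_t M[LIMBS] = { 5, 1 };

/* Reduce t = t0 + t1 * 2^64 both ways and report whether both agree with the
 * expected canonical limbs (e0, e1). Returns 1 on success, 0 otherwise. */
static int check_reduce(limb_t t0, limb_t t1, limb_t e0, limb_t e1)
{
    limb_t t[LIMBS] = { t0, t1 };
    limb_t ct[LIMBS], br[LIMBS];
    ct_canonical_reduce(ct, t, M, LIMBS);
    branchy_reduce(br, t, M, LIMBS);
    return ct[0] == e0 && ct[1] == e1 && br[0] == e0 && br[1] == e1;
}

int main(void)
{
    /* t < m: left unchanged (the borrow triggers the copy-back). */
    printf("t = 2^64+3  -> %s\n", check_reduce(3, 1, 3, 1) ? "ok" : "FAIL");
    /* t == m: reduces to zero. */
    printf("t = 2^64+5  -> %s\n", check_reduce(5, 1, 0, 0) ? "ok" : "FAIL");
    /* m <= t < 2m: exactly one subtraction, 2^64+7 - m = 2. */
    printf("t = 2^64+7  -> %s\n", check_reduce(7, 1, 2, 0) ? "ok" : "FAIL");
    /* t = 2^65+2 < 2m = 2^65+10: result 2^64-3, the low limb wraps. */
    printf("t = 2^65+2  -> %s\n", check_reduce(2, 2, UINT64_MAX - 2, 0) ? "ok" : "FAIL");
    return 0;
}
```

Note that `ct_canonical_reduce` is only correct for inputs below 2m, which is exactly the post-mul/sqr guarantee Niels describes; a value at or above 2m would need a second subtraction, so the canonical step must not be applied blindly to values outside that range.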