31 Oct
2019
31 Oct
'19
2:55 p.m.
Dmitry Eremin-Solenikov dbaryshkov@gmail.com writes:
After ecc_modp_mul() call value of `t` should be already lower than `ecc->p.m`. So subtract will always return a carry.
No, the reduction after mul and sqr doesn't produce canonical results. They only ensure that than t < 2*m. The pattern you see is needed in places where a canonical representation, t < m, is required.
Result is the same as with if (mpn_cmp(...)) mpn_sub_n(...), but an unconditional subtraction + cnd_cpy makes that logic side-channel silent.
Regards, /Niels
--
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.