Improve comments on parity trick

2024-11-22 11:45:42 +01:00 · 2017-08-24 14:21:05 +02:00 · 2017-08-24 14:21:05 +02:00 · fd87e354f6
commit fd87e354f6
parent 95aedfea33
2 changed files with 5 additions and 2 deletions
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@ -119,7 +119,7 @@ mbedtls_ecp_point;
 * 1. Short Weierstrass y^2 = x^3 + A x + B     mod P   (SEC1 + RFC 4492)
 * 2. Montgomery,       y^2 = x^3 + A x^2 + x   mod P   (Curve25519 + draft)
 * In both cases, a generator G for a prime-order subgroup is fixed. In the
- * short weierstrass, this subgroup is actually the whole curve, and its
+ * Short Weierstrass case, this subgroup is actually the whole curve, and its
 * cardinal is denoted by N.
 *
 * In the case of Short Weierstrass curves, our code requires that N is an odd
--- a/library/ecp.c
+++ b/library/ecp.c
@ -1751,6 +1751,9 @@ cleanup:
 * this wrapper ensures that by replacing m by N - m if necessary, and
 * informs the caller that the result of multiplication will be negated.
 *
+ * This works because we only support large prime order for Short Weierstrass
+ * curves, so N is always odd hence either m or N - m is.
+ *
 * See ecp_comb_recode_core() for background.
 */
 static int ecp_comb_recode_scalar( const mbedtls_ecp_group *grp,
@ -1766,7 +1769,7 @@ static int ecp_comb_recode_scalar( const mbedtls_ecp_group *grp,
    mbedtls_mpi_init( &M );
    mbedtls_mpi_init( &mm );

-    /* N is odd with all real-world curves, just make extra sure */
+    /* N is always odd (see above), just make extra sure */
    if( mbedtls_mpi_get_bit( &grp->N, 0 ) != 1 )
        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );