04018c5929
ECDSA converts digests to scalars by taking the leftmost n bits, where n is the number of bits in the group order. This does not necessarily produce a fully-reduced scalar.

Montgomery multiplication actually tolerates this slightly looser bound, so we did not bother with the conditional subtraction. However, this subtraction is free compared to the multiplication, inversion, and base point multiplication. Simplify things by keeping it fully-reduced.

Change-Id: If49dffefccc21510f40418dc52ea4da7e3ff198f
Reviewed-on: https://boringssl-review.googlesource.com/26968
Reviewed-by: Adam Langley <agl@google.com>

- aes
- bn
- cipher
- des
- digest
- ec
- ecdsa
- hmac
- md4
- md5
- modes
- policydocs
- rand
- rsa
- self_check
- sha
- tls
- bcm.c
- CMakeLists.txt
- delocate.h
- FIPS.md
- intcheck1.png
- intcheck2.png
- intcheck3.png
- is_fips.c