commit e6750b2a0bf750d35172bdef12c2dcfc28213207
author Janos Follath <janos.follath@arm.com> Wed Dec 27 10:22:59 2023 +0000
committer Dave Rodgman <dave.rodgman@arm.com> Mon Jan 22 15:33:19 2024 +0000
tree 8c4d739517973159629f8e4b5f7c925e06d69c97
parent a62a554071a0599bb7522d08c4c605588715e508

RSA: document Montgomery trick in unblind

Signed-off-by: Janos Follath <janos.follath@arm.com>

library/rsa.c

diff --git a/library/rsa.c b/library/rsa.c
index 97e7228..f57909b 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -991,9 +991,14 @@
     MBEDTLS_MPI_CHK(mbedtls_mpi_grow(T, nlimbs));
     MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Vf, nlimbs));
 
-    // T = T * R mod N
+    /* T = T * Vf mod N
+     * Reminder: montmul(A, B, N) = A * B * R^-1 mod N
+     * Usually both operands are multiplied by R mod N beforehand (by calling
+     * `to_mont_rep()` on them), yielding a result that's also * R mod N (aka
+     * "in the Montgomery domain"). Here we only multiply one operand by R mod
+     * N, so the result is directly what we want - no need to call
+     * `from_mont_rep()` on it. */
     mbedtls_mpi_core_to_mont_rep(T->p, T->p, N->p, nlimbs, mm, RR.p, M_T.p);
-    // T = T * Vf mod N
     mbedtls_mpi_core_montmul(T->p, T->p, Vf->p, nlimbs, N->p, nlimbs, mm, M_T.p);
 
 cleanup: