Improve comments on parity trick
diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h
index 07ed110..a30e876 100644
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@@ -119,7 +119,7 @@
* 1. Short Weierstrass y^2 = x^3 + A x + B mod P (SEC1 + RFC 4492)
* 2. Montgomery, y^2 = x^3 + A x^2 + x mod P (Curve25519 + draft)
* In both cases, a generator G for a prime-order subgroup is fixed. In the
- * short weierstrass, this subgroup is actually the whole curve, and its
+ * Short Weierstrass case, this subgroup is actually the whole curve, and its
* cardinal is denoted by N.
*
* In the case of Short Weierstrass curves, our code requires that N is an odd
diff --git a/library/ecp.c b/library/ecp.c
index 454820a..41bf03d 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1751,6 +1751,9 @@
* this wrapper ensures that by replacing m by N - m if necessary, and
* informs the caller that the result of multiplication will be negated.
*
+ * This works because we only support large prime order for Short Weierstrass
+ * curves, so N is always odd hence either m or N - m is.
+ *
* See ecp_comb_recode_core() for background.
*/
static int ecp_comb_recode_scalar( const mbedtls_ecp_group *grp,
@@ -1766,7 +1769,7 @@
mbedtls_mpi_init( &M );
mbedtls_mpi_init( &mm );
- /* N is odd with all real-world curves, just make extra sure */
+ /* N is always odd (see above), just make extra sure */
if( mbedtls_mpi_get_bit( &grp->N, 0 ) != 1 )
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );