Lucas/lilcrypto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

impl/poly1305: add a comment

Browse Source 
Explain why it's fine to skip clamping while doing t4 t3 t2 t1 t0 + 5.
This commit is contained in:
Lucas Gabriel Vuotto 2024-06-30 14:10:46 +00:00
parent 35258f2b67
commit 2f31fe73e5
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
impl_poly1305.c
View File

@ -224,6 +224,11 @@ poly1305_reduce(struct poly1305_state *state,
mask = ~(g4 >> 2) + 1; mask = ~(g4 >> 2) + 1;
/*
* In the case that t4 t3 t2 t1 t0 > 2^130 - 5, g0 thru g3 will
* overflow 32 bits. Given that mask is 32-bits wide, AND-ing it here
* will perform the required clamping.
*/
t0 = (t0 & ~mask) | (g0 & mask); t0 = (t0 & ~mask) | (g0 & mask);
t1 = (t1 & ~mask) | (g1 & mask); t1 = (t1 & ~mask) | (g1 & mask);
t2 = (t2 & ~mask) | (g2 & mask); t2 = (t2 & ~mask) | (g2 & mask);