impl/poly1305: add a comment

Explain why it's fine to skip clamping while doing t4 t3 t2 t1 t0 + 5.
2024-06-30 14:10:46 +00:00 · 2024-06-30 14:10:46 +00:00 · 2f31fe73e5
commit 2f31fe73e5
parent 35258f2b67
1 changed files with 5 additions and 0 deletions
--- a/impl_poly1305.c
+++ b/impl_poly1305.c
@ -224,6 +224,11 @@ poly1305_reduce(struct poly1305_state *state,

 	mask = ~(g4 >> 2) + 1;

+	/*
+	 * In the case that t4 t3 t2 t1 t0 > 2^130 - 5, g0 thru g3 will
+	 * overflow 32 bits. Given that mask is 32-bits wide, AND-ing it here
+	 * will perform the required clamping.
+	 */
 	t0 = (t0 & ~mask) | (g0 & mask);
 	t1 = (t1 & ~mask) | (g1 & mask);
 	t2 = (t2 & ~mask) | (g2 & mask);