> BN_mod_mul_montgomery returns wrong answers when computing
> R = C*D mod P, where the size of P is smaller than the size of
> C and D by some amount X of words.

The return value is not really wrong; it is congruent to C*D mod P.

BN_from_montgomery() intentionally uses

        if (BN_ucmp(ret, &(mont->N)) >= 0)
                {
                BN_usub(ret,ret,&(mont->N));
                }

instead of

        BN_mod(ret,ret,&(mont->N),ctx);

because that's what makes it fast.

If you need R < P, you'll get best performance if you take the factors
mod P first.  That's what BN_mod_exp_mont() does, too.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
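An added worked example (not code from this thread or from OpenSSL): a pure-Python model of the Montgomery multiplier with the same single conditional subtraction as BN_from_montgomery(). It shows why the product comes back congruent but not reduced when the factors are wider than the modulus, why one subtraction is provably enough once both factors are below N, and what "take the factors mod P first" buys. The 64-bit word size, the modulus N = 2^128 - 159 and the 255/256-bit factors C and D are constructed for the demonstration, and all function and class names are the example's own.

```python
# Added example, not OpenSSL code. Models BN_MONT_CTX / BN_mod_mul_montgomery
# to show the reduction behaviour discussed in the thread.

WORD_BITS = 64  # assumption: 64-bit BN_ULONG words


class MontCtx:
    """Montgomery context for an odd modulus N (analogue of BN_MONT_CTX)."""

    def __init__(self, n: int):
        if n <= 0 or n % 2 == 0:
            raise ValueError("Montgomery reduction needs an odd modulus")
        self.n = n
        # R = 2^(WORD_BITS * words(N)): the word-aligned power of two above N
        self.words = (n.bit_length() + WORD_BITS - 1) // WORD_BITS
        self.shift = WORD_BITS * self.words
        self.r = 1 << self.shift
        self.r_mask = self.r - 1
        # n0 = -N^-1 mod R, chosen so that t + ((t * n0) mod R) * N is divisible by R
        self.n0 = (-pow(n, -1, self.r)) % self.r
        # RR = R^2 mod N, used to convert a value into Montgomery form
        self.rr = (self.r * self.r) % n


def redc(t: int, mont: MontCtx) -> int:
    """REDC(t) = t * R^-1 mod N with ONE conditional subtraction, as in
    BN_from_montgomery(). The result is always congruent to t * R^-1;
    it is guaranteed to be below N only when t < R*N."""
    m = ((t & mont.r_mask) * mont.n0) & mont.r_mask   # m = (t mod R) * n0 mod R
    u = (t + m * mont.n) >> mont.shift                # exact division by R
    # Equivalent of: if (BN_ucmp(ret, &(mont->N)) >= 0) BN_usub(ret, ret, &(mont->N));
    if u >= mont.n:
        u -= mont.n
    return u


def mod_mul_montgomery(a: int, b: int, mont: MontCtx) -> int:
    """Analogue of BN_mod_mul_montgomery(): returns a*b*R^-1 (mod N).
    For a, b < N:  t = a*b < N*N < R*N, so u < 2N and one subtraction
    brings it below N. For wider a, b that bound no longer holds."""
    return redc(a * b, mont)


def to_mont(a: int, mont: MontCtx) -> int:
    """a -> a*R mod N (BN_to_montgomery): a Montgomery multiply by RR."""
    return mod_mul_montgomery(a, mont.rr, mont)


def from_mont(a: int, mont: MontCtx) -> int:
    """a*R -> a mod N (BN_from_montgomery)."""
    return redc(a, mont)


def mont_mod_mul(c: int, d: int, mont: MontCtx, reduce_inputs: bool) -> int:
    """C*D mod P via Montgomery form. reduce_inputs=True is the advice from
    the reply (and what BN_mod_exp_mont does): reduce the factors first."""
    if reduce_inputs:
        c %= mont.n
        d %= mont.n
    cm, dm = to_mont(c, mont), to_mont(d, mont)
    return from_mont(mod_mul_montgomery(cm, dm, mont), mont)


# Constructed inputs: a 2-word modulus and factors that are 2 words wider.
N = (1 << 128) - 159
C = (1 << 255) + 12345
D = (1 << 254) + 678


def demo():
    mont = MontCtx(N)
    expected = (C * D * pow(mont.r, -1, N)) % N  # true value of C*D*R^-1 mod N
    wide = mod_mul_montgomery(C, D, mont)         # factors not reduced: ~2^381 bits wide
    narrow = mod_mul_montgomery(C % N, D % N, mont)
    return {
        "wide_is_congruent": wide % N == expected,
        "wide_is_reduced": wide < N,              # False: one subtraction is not enough
        "narrow_is_reduced": narrow == expected,  # True: factors < N, one subtraction suffices
        "full_product_ok": mont_mod_mul(C, D, mont, True) == (C * D) % N,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The wide product is about 2^381 before the shift, so a single subtraction of a 128-bit N cannot bring it below N; the value is still exactly C*D*R^-1 (mod N), which is why the reply calls the answer "not really wrong". With both factors below N the bound t < R*N holds, the intermediate u is below 2N, and the one subtraction in BN_from_montgomery() is sufficient, which is the fast path the code is written for.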
