Adjust comment on potential R^3 optimization.
It's doable, but a bit of effort due to the different radix.
Change-Id: Ibfa15c31bb37de930f155ee6d19551a2b6437073
Reviewed-on: https://boringssl-review.googlesource.com/25944
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
diff --git a/crypto/fipsmodule/rsa/rsa_impl.c b/crypto/fipsmodule/rsa/rsa_impl.c
index 43392df..625f101 100644
--- a/crypto/fipsmodule/rsa/rsa_impl.c
+++ b/crypto/fipsmodule/rsa/rsa_impl.c
@@ -798,7 +798,10 @@
// By precomputing R^3 mod p (normally |BN_MONT_CTX| only uses R^2 mod p) and
// adjusting the API for |BN_mod_exp_mont_consttime|, we could instead compute
// I * R mod p here and save a reduction per prime. But this would require
- // changing the RSAZ code and may not be worth it.
+ // changing the RSAZ code and may not be worth it. Note that the RSAZ code
+ // uses a different radix, so it uses R' = 2^1044. There we'd actually want
+ // R^2 * R', and would futher benefit from a precomputed R'^2. It currently
+ // converts |mont_p->RR| to R'^2.
return 1;
}
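Review bot: The third added comment line has a typo, "futher" should be "further". The new lines also write R^2 * R' and R'^2 without "mod p", while the existing lines just above say "R^3 mod p", "R^2 mod p" and "I * R mod p"; adding "mod p" to the new terms would keep the comment consistent. Since the comment gives R' = 2^1044 but not how that value follows from the RSAZ radix, a short clause on the limb size and count would let a reader check why |mont_p->RR| has to be converted to R'^2.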