Adjust comment on potential R^3 optimization.

It's doable, but a bit of effort due to the different radix.

Change-Id: Ibfa15c31bb37de930f155ee6d19551a2b6437073
Reviewed-on: https://boringssl-review.googlesource.com/25944
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
diff --git a/crypto/fipsmodule/rsa/rsa_impl.c b/crypto/fipsmodule/rsa/rsa_impl.c
index 43392df..625f101 100644
--- a/crypto/fipsmodule/rsa/rsa_impl.c
+++ b/crypto/fipsmodule/rsa/rsa_impl.c
@@ -798,7 +798,10 @@
   // By precomputing R^3 mod p (normally |BN_MONT_CTX| only uses R^2 mod p) and
   // adjusting the API for |BN_mod_exp_mont_consttime|, we could instead compute
   // I * R mod p here and save a reduction per prime. But this would require
-  // changing the RSAZ code and may not be worth it.
+  // changing the RSAZ code and may not be worth it. Note that the RSAZ code
+  // uses a different radix, so it uses R' = 2^1044. There we'd actually want
+  // R^2 * R', and would futher benefit from a precomputed R'^2. It currently
+  // converts |mont_p->RR| to R'^2.
   return 1;
 }