From 7868396e78fdf761f0e7fce231aff4d4c30899a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Thu, 16 Jul 2020 09:48:54 +0200
Subject: [PATCH] Clarify some comments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 library/rsa.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/library/rsa.c b/library/rsa.c
index 1f53708b2..e6f863b00 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -807,25 +807,27 @@ static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
 
         MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
 
-        /* Compute the Vf^1 as R * (R Vf)^-1 to avoid leaks from inv_mod.
-         * There's a negligible but non-zero probability that R is not
-         * invertible mod N, in that case we'd just loop one more time,
-         * just as if Vf itself wasn't invertible - no need to distinguish. */
+        /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
         MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
 
+        /* At this point, Vi is invertible mod N if and only if both Vf and R
+         * are invertible mod N. If one of them isn't, we don't need to know
+         * which one, we just loop and choose new values for both of them.
+         * (Each iteration succeeds with overwhelming probability.) */
         ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
         if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
             continue;
         if( ret != 0 )
             goto cleanup;
 
+        /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
     } while( 0 );
 
-    /* Blinding value: Vi =  Vf^(-e) mod N
+    /* Blinding value: Vi = Vf^(-e) mod N
      * (Vi already contains Vf^-1 at this point) */
     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );