From 9c5eb9ea4b84d195a720ed6230790f980a84d782 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Thu, 27 Mar 2014 15:12:21 +0900 Subject: [PATCH] Add implementation note --- src/ecc-edwards.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/ecc-edwards.c b/src/ecc-edwards.c index eab9f0a..ba1f5b2 100644 --- a/src/ecc-edwards.c +++ b/src/ecc-edwards.c @@ -45,6 +45,22 @@ * http://cr.yp.to/papers.html#twisted */ +/* + * IMPLEMENTATION NOTE + * + * (0) We assume that the processor has no cache, nor branch target + * prediction. Thus, we don't avoid indexing by secret value. + * We don't avoid conditional jump if both cases have same timing, + * either. + * + * (1) We use Radix-32 field arithmetic. It's a representation like + * 2^256-38, but it's more redundant. For example, "1" can be + * represented in three ways in 256-bit: 1, 2^255-18, and + * 2^256-37. + * + * (2) We use comb multiplication. + */ + /* * Identity element: (0,1) * Negation: -(x,y) = (-x,y)
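Review bot: point (0) of the added comment block records a security-relevant assumption (no cache, no branch target prediction, hence secret-dependent indexing and conditional jumps are not avoided) without saying which targets it holds for or what has to be revisited if this file is built for a processor with a cache; suggest naming the intended target class in the note and adding a sentence such as "If ported to a processor with a data cache or branch prediction, the table lookups in the comb multiplication and the conditional jumps must be made constant-time." The claim that a conditional jump is acceptable "if both cases have same timing" also depends on the compiler emitting equal-length paths, so state that this is checked against the generated code for the supported toolchain rather than assumed. Two smaller documentation points: "Radix-32 field arithmetic" reads ambiguously (32-bit limbs, i.e. radix 2^32, or radix 32?), so spell out the limb size, and "a representation like 2^256-38" would be clearer as the value range in which field elements are kept before final reduction modulo 2^255-19; the three representations of 1 given (1, 2^255-18, 2^256-37) are consistent with that reading.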