On 6 February 2018 at 19:59, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote: > Thanks a lot for debugging that. As I said, I don't have test vectors, > or I would have tested it myself, and most likely would have found > this as well.
No problem. I spent a surprisingly long time looking at the inside of the loop trying to check whether it matched the pseudocode and why the fourth iteration only would misbehave, before I spotted what was actually happening :-) -- PMM
