Make memory access pattern constant
diff --git a/include/polarssl/bignum.h b/include/polarssl/bignum.h
index 6e2afac..f225fc3 100644
--- a/include/polarssl/bignum.h
+++ b/include/polarssl/bignum.h
@@ -246,7 +246,8 @@
* if( assign ) mpi_copy( X, Y );
* except that it avoids leaking any information about whether
* the assignment was done or not (the above code may leak
- * information through branch prediction analysis).
+ * information through branch prediction and/or memory access
+ * patterns analysis).
*/
int mpi_safe_cond_assign( mpi *X, mpi *Y, unsigned char assign );
diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index 81b789e..33c09fc 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -463,15 +463,15 @@
* or P is not a valid pubkey,
* POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
*
- * \note In order to prevent simple timing attacks, this function
- * executes a constant number of operations (that is, point
- * doubling and addition of distinct points) for random m in
- * the allowed range.
+ * \note In order to prevent timing attacks, this function
+ * executes the exact same sequence of (base field)
+ * operations for any valid m. It avoids any if-branch or
+ * array index depending on the value of m.
*
* \note If f_rng is not NULL, it is used to randomize intermediate
- * results in order to prevent potential attacks targetting
- * these results. It is recommended to always provide a
- * non-NULL f_rng (the overhead is negligible).
+ * results in order to prevent potential timing attacks
+ * targetting these results. It is recommended to always
+ * provide a non-NULL f_rng (the overhead is negligible).
*/
int ecp_mul( ecp_group *grp, ecp_point *R,
const mpi *m, const ecp_point *P,