[openssl-dev] Partially- vs. full- reduced inputs to ecp_nistz256_neg

Andy Polyakov appro at openssl.org
Mon Aug 15 20:24:51 UTC 2016


> Note in particular that, IIUC, ecp_nistz256_neg will never get an
> unreduced input when applied to the base point multiples, because
> those are already fully reduced. But, when it is used in
> ecp_nistz256_windowed_mul, it isn't clear whether or how the input Y
> coordinate is fully reduced mod P before being passed to ecp_nistz256_neg.

Is it correctly understood that the concern is that input to
ecp_nistz256_windowed_mul, which in turn can be *user* input, would
not be fully reduced? I mean that a user would supply such input for gain,
obviously with malicious intent. In such a case one can probably argue
that it would be more appropriate to *reject* such input rather than to
play along and reduce it. Just for reference, conditional reduction can
be done by simply subtracting the modulus, i.e. one doesn't need a special
subroutine. An attempt to subtract the modulus from a fully reduced value
results in adding it back.

> More generally, I think it might be a good idea to unit test all of
> the primitive operations in ecp_nistz256, with particular emphasis
> placed on whether unreduced inputs are supposed to be accepted for
> certain functions and, if so, whether unreduced inputs are handled
> correctly.

But primitives are private and don't have to work in the most general cases,
only in a specific context. In other words it's not unreasonable to
expect/demand that inputs are fully reduced. Well, except when we are
looking at user input. But then, as just mentioned, the question is whether
silent reduction is actually appropriate.

> And also, since many of the ecp_nistz256 field arithmetic functions
> are inlined into the ecp_nistz256_point functions, I think it would be
> worthwhile to review that the inlined versions of those functions
> actually are operating in the same way as the analogous standalone
> (C-callable) ecp_nistz256_* functions.

C-callables are wrappers around inlined subroutines. The only thing they
do is load input into designated registers and call inlines, those used
in point functions.
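
The conditional reduction described in the message above, as an added example in portable C; it is not code from the message's author or from OpenSSL. The function name `p256_cond_reduce`, the four 64-bit little-endian limb layout and the sample input are assumptions made for illustration. One subtraction is enough for any 256-bit input because 2^256 < 2p, and the return value lets a caller reject non-reduced input instead of silently accepting it.

```c
#include <stdint.h>
#include <stdio.h>

/* P-256 field prime p = 2^256 - 2^224 + 2^192 + 2^96 - 1, little-endian limbs. */
static const uint64_t P256[4] = {
    0xffffffffffffffffULL, 0x00000000ffffffffULL,
    0x0000000000000000ULL, 0xffffffff00000001ULL
};

/*
 * Hypothetical helper (the name is an assumption): r = a mod p for a < 2^256.
 * Subtracts p; if that borrows, a was already < p and p is added back under
 * a mask, so no branch depends on the value of a. Returns 1 when a was NOT
 * fully reduced (a >= p), 0 when it was.
 */
static int p256_cond_reduce(uint64_t r[4], const uint64_t a[4])
{
    uint64_t t[4], borrow = 0, carry = 0, mask;
    int i;

    for (i = 0; i < 4; i++) {            /* t = a - p, tracking the borrow */
        uint64_t d = a[i] - P256[i] - borrow;
        borrow = ((~a[i] & P256[i]) | ((~a[i] | P256[i]) & d)) >> 63;
        t[i] = d;
    }
    mask = 0 - borrow;                   /* all ones iff a < p */
    for (i = 0; i < 4; i++) {            /* r = t + (p & mask) */
        uint64_t add = P256[i] & mask;
        uint64_t s = t[i] + add + carry;
        carry = ((t[i] & add) | ((t[i] | add) & ~s)) >> 63;
        r[i] = s;
    }
    return (int)(borrow ^ 1);
}

int main(void)
{
    /* Constructed sample input: p + 5, i.e. a value that is not fully reduced. */
    uint64_t in[4] = { 4, 0x0000000100000000ULL, 0, 0xffffffff00000001ULL };
    uint64_t r[4];
    int unreduced = p256_cond_reduce(r, in);

    printf("unreduced=%d low limb=%llx\n", unreduced,
           (unsigned long long)r[0]);
    return 0;
}
```
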


