[openssl-dev] [openssl.org #4284] Bug in nistz256 assembly code.
Jun Sun via RT
rt at openssl.org
Mon Feb 1 19:59:45 UTC 2016
Hi openssl team,
In function ecp_nistz256_point_add (in ecp_nistz256.c), in the case when U1 == U2 and S1 == S2, in C reference code, the logic is call ecp_nistz256_point_double (line 339) to do a point double operation:
337 if (is_equal(U1, U2) && !in1infty && !in2infty) {
338 if (is_equal(S1, S2)) {
339 ecp_nistz256_point_double(r, a);
340 return;
341 } else {
342 memset(r, 0, sizeof(*r));
343 return;
344 }
345 }
This is correct and follow what is described in S.Gueron and V.Krasnov's paper. But in x86_64 assembly code (ecp_nistz256-x86_64.pl), this logic is not implemented, it fall back to point adding code again:
2385 .byte 0x3e # predict taken
2386 jnz .Ladd_proceed$x # is_equal(U1,U2)?
2387 movq %xmm2, $acc0
2388 movq %xmm3, $acc1
2389 test $acc0, $acc0
2390 jnz .Ladd_proceed$x # (in1infty || in2infty)?
2391 test $acc1, $acc1
2392 jz .Ladd_proceed$x # is_equal(S1,S2)?
The difference be seen in the latest ectest.c for the group order tests, even though both C code and assembly code does not generate any error, but they generate different values:
201 scalars[0] = n1;
202 points[0] = Q; /* => infinity */
203 scalars[1] = n2;
204 points[1] = P; /* => -P */
205 scalars[2] = n1;
206 points[2] = Q; /* => infinity */
207 scalars[3] = n2;
208 points[3] = Q; /* => infinity */
209 scalars[4] = n1;
210 points[4] = P; /* => P */
211 scalars[5] = n2;
212 points[5] = Q; /* => infinity */
213 if (!EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
214 ABORT;
215 if (!EC_POINT_is_at_infinity(group, P))
216 ABORT;
P is holding different values between C reference C code and assembly code. This should not happen if the point doubling function is called in assembly code as well.
Jun Sun
This email and any attachments are for the sole use of the intended recipients and may be privileged or confidential. Any distribution, printing or other use by anyone else is prohibited. If you are not an intended recipient, please contact the sender immediately, and permanently delete this email and attachments.
More information about the openssl-dev
mailing list