[openssl-dev] [openssl.org #4284] Bug in nistz256 assembly code.

Jun Sun via RT rt at openssl.org
Wed Feb 3 15:37:48 UTC 2016


Hi Billy,
Thank you very much for verifying the bug!

The reason ecp_nistz256_point_add_affine is not affected is that this function is only used when a scalar is multiplying the generator point G. In this case, a big pre-computed table is used with a 7-bit window size for all fixed window positions (that is why the table has 37x64 entries and you do not see a point doubling function called there). So at the point when ecp_nistz256_point_add_affine is called, p.p is holding the accumulated previous-window scalar data (lower bits of the scalar) multiplied by G, and t.a is holding the current-window scalar value multiplied by G; they will never meet each other. So inside ecp_nistz256_point_add_affine there is no logic to check for doubling.


Jun Sun

________________________________________
From: Billy Brumley via RT <rt at openssl.org>
Sent: February 3, 2016 6:05 AM
To: Jun Sun
Cc: openssl-dev at openssl.org
Subject: Re: [openssl-dev] [openssl.org #4284] Bug in nistz256 assembly code.

> Thanks! Verify attached diff.

Without looking too closely at the asm, at least the output now looks OK to me:

Input point: P
ad4cfe7307736330 5a390846abdb19e5 bc92e079b12de03f 3a6b3ebcbf24755d
5ed0dbce609dcf3b 091a794357eca9ee acb4d5512ea7232f 09d787c5915c070a
d482c016856ed40a 4a9e64127c9216d7 308267a3a3c72f6c 99a4ef25b90c6499
after ecp_nistz256_point_add(A, P, P)
52d422c756922166 033fb71af0fd3251 b38e0f88b5a2b2a4 bd964cc28ad2bf39
61c01cf1c0a9b7f9 5acaf8aa07f449fc 62b8600cf22cec6b ab80a212e72fb53d
b4a67dfe55eb1133 ec19e9f97640f280 1a3caeebc962ab48 19a5d850b22fa55b
after ecp_nistz256_point_double(B, P)
52d422c756922166 033fb71af0fd3251 b38e0f88b5a2b2a4 bd964cc28ad2bf39
61c01cf1c0a9b7f9 5acaf8aa07f449fc 62b8600cf22cec6b ab80a212e72fb53d
b4a67dfe55eb1133 ec19e9f97640f280 1a3caeebc962ab48 19a5d850b22fa55b

I will say that I don't understand how ecp_nistz256_point_add_affine
does not have these conditions. Maybe that's a question for the
original authors.

BBB


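The following is an added example, not code from the thread or from OpenSSL's nistz256 implementation. It re-creates in pure Python what Billy's check above exercises (comparing point_add(P, P) against point_double(P)) and the degenerate case Jun's reply explains: in the generic Jacobian addition formula both H = U2 - U1 and R = S2 - S1 are zero when the two inputs are the same point, so the formula must detect that case and fall back to doubling (H = 0 with R != 0 is P + (-P), the point at infinity). The `check_equal` flag and the all-zero "naive" result are this example's own construction and are not claimed to reproduce the exact output of the unpatched assembly; the P-256 parameters are the standard ones, and Z = 0 is used to mark infinity. The mixed addition used by ecp_nistz256_point_add_affine is the same formula with Z2 = 1, which is why the argument about the operands never coinciding is what makes the missing check safe there.

```python
# Added example: P-256 Jacobian point addition with and without the
# "inputs are equal" check, to show why point_add(P, P) needs a doubling
# fallback.  Pure Python, independent of OpenSSL's nistz256 code.

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
          1)

INFINITY = (0, 0, 0)  # convention used here: Z == 0 marks the point at infinity


def is_infinity(pt):
    return pt[2] % P256_P == 0


def point_double(pt):
    """Jacobian doubling for a = -3 (dbl-2001-b style formulas)."""
    X, Y, Z = pt
    p = P256_P
    if is_infinity(pt) or Y == 0:
        return INFINITY
    Z2 = Z * Z % p
    M = 3 * (X - Z2) * (X + Z2) % p      # 3*X^2 + a*Z^4 with a = -3
    S = 4 * X * Y * Y % p
    X3 = (M * M - 2 * S) % p
    Y3 = (M * (S - X3) - 8 * pow(Y, 4, p)) % p
    Z3 = 2 * Y * Z % p
    return (X3, Y3, Z3)


def point_add(p1, p2, check_equal=True):
    """Generic Jacobian addition.  With check_equal=False the H == 0 cases
    are pushed through the generic formula, which collapses to all zeros
    instead of producing 2*P (constructed illustration of the degenerate case)."""
    p = P256_P
    if is_infinity(p1):
        return p2
    if is_infinity(p2):
        return p1
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    Z1sq, Z2sq = Z1 * Z1 % p, Z2 * Z2 % p
    U1, U2 = X1 * Z2sq % p, X2 * Z1sq % p          # both X's scaled to a common Z
    S1, S2 = Y1 * Z2sq * Z2 % p, Y2 * Z1sq * Z1 % p  # both Y's likewise
    H, R = (U2 - U1) % p, (S2 - S1) % p
    if check_equal and H == 0:
        # same x-coordinate: either the same point (double) or P + (-P) (infinity)
        return point_double(p1) if R == 0 else INFINITY
    H2 = H * H % p
    H3 = H2 * H % p
    X3 = (R * R - H3 - 2 * U1 * H2) % p
    Y3 = (R * (U1 * H2 - X3) - S1 * H3) % p
    Z3 = H * Z1 * Z2 % p
    return (X3, Y3, Z3)


def to_affine(pt):
    if is_infinity(pt):
        return None
    X, Y, Z = pt
    p = P256_P
    zinv = pow(Z, p - 2, p)
    return (X * zinv * zinv % p, Y * pow(zinv, 3, p) % p)


def on_curve(aff):
    x, y = aff
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def scalar_mult(k, pt):
    """Plain left-to-right double-and-add; the checked point_add handles the
    accumulator-equals-operand and accumulator-equals-negated-operand cases."""
    acc = INFINITY
    for bit in bin(k)[2:]:
        acc = point_double(acc)
        if bit == "1":
            acc = point_add(acc, pt)
    return acc


def demonstrate():
    """Return the observations a reviewer would want to verify."""
    G = P256_G
    naive = point_add(G, G, check_equal=False)
    fixed = point_add(G, G, check_equal=True)
    return {
        "naive_is_infinity": is_infinity(naive),          # wrong answer for G + G
        "fixed_matches_double": to_affine(fixed) == to_affine(point_double(G)),
        "double_on_curve": on_curve(to_affine(fixed)),
        "nG_is_infinity": is_infinity(scalar_mult(P256_N, G)),
        "n_plus_1_G_is_G": to_affine(scalar_mult(P256_N + 1, G)) == to_affine(G),
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {ok}")
```

The `nG_is_infinity` and `n_plus_1_G_is_G` checks are there because they exercise every branch of the arithmetic (ordinary additions, the doubling fallback, and the P + (-P) fallback at the final step of n*G) against the known group order, so a wrong formula anywhere in the block shows up without needing hard-coded test vectors.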


