[openssl-dev] [openssl.org #4483] Wrong results with Poly1305 functions

David Benjamin via RT rt at openssl.org
Tue Mar 29 16:01:37 UTC 2016


On Tue, Mar 29, 2016 at 9:47 AM Andy Polyakov via RT <rt at openssl.org> wrote:

> > In the non-SIMD paths, I believe this is fine because $r0's and $r1's
> > cleared high bits mean we should have plenty of slack to leave that
> > unreduced. (And indeed it's normally not reduced on input from the
> > addition.) Then poly1305_emit's reduction after adding s will resolve
> > things before output. But, in the SIMD paths, __poly1305_blocks is called
> > and then bits are shifted without any reduction.
>
> What do you mean shifted without any reduction? There is a reduction step
> after the base 2^26 -> 2^64 conversion (which also needs an additional adc,
> but there *is* a reduction step) *prior* to the call to __poly1305_block. And
> there naturally is a reduction step at the end of __poly1305_block, so that
> the base 2^64 -> 2^26 conversion *after* __poly1305_block is performed on a
> reduced value.
>

I mean that here:
https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/poly1305/asm/poly1305-x86_64.pl;h=8977d563a25166b5c3bfac9bb952703c40962cfd;hb=HEAD#l535

We call __poly1305_block, which is just poly1305_iteration. If we add the
missing adc, $h2 may exceed two bits, right, so it's not completely
reduced. And the code after the __poly1305_block call above doesn't do an
extra reduction and only shifts bits to convert from 2^64 to 2^26.

I later realized there's plenty of room to spare in the 2^26 representation
even when you put everything in 32-bit values, so we won't lose the extra
bit. I imagine the SIMD logic can tolerate this slightly-unreduced value
just fine, but that was my question.

David


> > Wouldn't that cause a
> > problem? Or is this situation impossible?
>
> If neither of above answers questions, then please elaborate.
>

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483
Please log in as guest with password guest if prompted
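Added illustration (not OpenSSL's code, and not part of the thread): a pure-Python Poly1305 that keeps the accumulator only partially reduced between blocks, the way poly1305_iteration does, and converts it between base 2^64 and base 2^26 limbs. It shows the two points under discussion: after the fold the top base-2^64 limb (h2 here) can reach 4, i.e. need three bits rather than two, and the base-2^26 top limb that absorbs that excess still stays well under 32 bits (27 at most), so the unreduced value fits. Function names (iteration_partial, to_base64, to_base26, emit, poly1305_limbs) are mine, not OpenSSL's; the test vector is the one from RFC 8439 section 2.5.2, and the random keys and messages are constructed for the check.

```python
import secrets

# Added example, not OpenSSL's code.  Poly1305 with a partially reduced
# accumulator, mirroring the limb bookkeeping discussed in the thread.

P = (1 << 130) - 5          # the Poly1305 prime 2^130 - 5
MASK130 = (1 << 130) - 1
MASK128 = (1 << 128) - 1

def clamp(r_bytes):
    """RFC 8439 clamp: clears the top 4 bits of each 32-bit word of r and the
    low 2 bits of words 1..3, so r < 2^124 and products stay bounded."""
    r = int.from_bytes(r_bytes, "little")
    return r & 0x0ffffffc0ffffffc0ffffffc0fffffff

def blocks(msg):
    """Each 16-byte (or final partial) block as an integer with the padding
    bit 2^(8*len) set, as the spec requires."""
    for i in range(0, len(msg), 16):
        b = msg[i:i + 16]
        yield int.from_bytes(b, "little") | (1 << (8 * len(b)))

def poly1305_ref(key, msg):
    """Reference: fully reduce modulo p after every block."""
    r, s = clamp(key[:16]), int.from_bytes(key[16:], "little")
    h = 0
    for m in blocks(msg):
        h = ((h + m) * r) % P
    return ((h + s) & MASK128).to_bytes(16, "little")

def iteration_partial(h, m, r):
    """One block step with only a partial reduction (hypothetical stand-in for
    poly1305_iteration): multiply, then fold everything above bit 130 back in
    with weight 5 (2^130 == 5 mod p).  Since h + m < 2^131 and r < 2^124,
    the fold adds less than 2^128, so the result is < 2^130 + 2^128: it may
    still exceed 2^130, but is always < 2p."""
    h = (h + m) * r
    return (h & MASK130) + (h >> 130) * 5

def to_base64(h):
    """Base 2^64 limbs (h0, h1, h2); h2 holds everything above bit 128."""
    return h & ((1 << 64) - 1), (h >> 64) & ((1 << 64) - 1), h >> 128

def to_base26(h):
    """Base 2^26 limbs; the top limb absorbs the unreduced excess above 2^130."""
    return tuple((h >> (26 * i)) & ((1 << 26) - 1) for i in range(4)) + (h >> 104,)

def emit(h, s):
    """Final reduction: h < 2p here, so one conditional subtraction gives
    h mod p, then the tag is (h + s) mod 2^128."""
    if h >= P:
        h -= P
    return ((h + s) & MASK128).to_bytes(16, "little")

def poly1305_limbs(key, msg):
    """Poly1305 with a partially reduced accumulator.  Returns the tag, the
    largest h2 seen, and the widest base-2^26 limb seen (in bits)."""
    r, s = clamp(key[:16]), int.from_bytes(key[16:], "little")
    h, max_h2, max_limb_bits = 0, 0, 0
    for m in blocks(msg):
        h = iteration_partial(h, m, r)
        max_h2 = max(max_h2, to_base64(h)[2])
        max_limb_bits = max(max_limb_bits, max(x.bit_length() for x in to_base26(h)))
    return emit(h, s), max_h2, max_limb_bits

# RFC 8439 section 2.5.2 test vector.
RFC_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                        "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

def worst_case_h2(trials=200):
    """Constructed check: random keys/messages, verifying the partially reduced
    path agrees with the reference and reporting the largest h2 observed
    (the bound h < 2^130 + 2^128 means h2 <= 4, i.e. up to three bits)."""
    best = 0
    for _ in range(trials):
        key, msg = secrets.token_bytes(32), secrets.token_bytes(64)
        tag, h2, _bits = poly1305_limbs(key, msg)
        assert tag == poly1305_ref(key, msg)
        best = max(best, h2)
    return best

if __name__ == "__main__":
    tag, h2, bits = poly1305_limbs(RFC_KEY, RFC_MSG)
    print(tag == RFC_TAG, h2, bits, worst_case_h2())
```

The bound is the whole point: because the fold in iteration_partial adds less than 2^128, h never reaches 2p, so a single conditional subtraction in emit is enough, and the top base-2^26 limb only ever gains one extra bit of excess (27 bits at most), leaving ample room below 32.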


