[openssl-users] possible C bugs in ecp_nistp521
Bo-Yin Yang
byyang at iis.sinica.edu.tw
Mon Jan 7 12:56:35 UTC 2019
Dear all,
we found some counter-examples (examples where wrong answers were
returned) for field element computations in the C routines for P-521
(that is, modulo 2^521-1). The counterexamples, a C test file, a
Makefile, and a short README are attached.
The routines in question are: felem_square, felem_mul, felem_diff_128_64.
Can someone inform us whether these are in fact a couple of bugs that we
found, or did we miss something?
Best wishes,
Bo-Yin Yang
P.S.
The counterexamples are:

- for felem_square and felem_mul:

    felem in = {
        0x3fd9049d07fdc0ad, 0x3ece5f4000000000, 0x39c5349d6a623811,
        0x3bf48f8409415499, 0x3ffdac80c8300000, 0x3ff3f3de63be6baf,
        0x3fa3eff5c6db1743, 0x3dde8d0ddc21079f, 0x3e068b5ec961f8fc
    };

- for felem_diff_128_64:

    largefelem out = {
        0,0,0,
        0,0,0,
        0,0,0
    };
    felem in = {
        0x4000000000012270, 0x1000000000000000, 0x0010000000000000,
        0x0400000000000000, 0x0800000000000000, 0x0020000000000000,
        0x0000000040000000, 0x0002000000000000, 0x0000000400000000
    };
-- B.Y.
-------------- next part --------------
all: check.c $(SRC_DIR)/crypto/ec/ecp_nistp521.c
	$(CC) -I$(SRC_DIR) -I$(SRC_DIR)/include -I$(SRC_DIR)/crypto/include \
	-pthread -m64 -std=c99 -Wall -fdata-sections -ffunction-sections \
	-o check check.c $(SRC_DIR)/libcrypto.a -ldl

clean:
	rm -f check
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check.c
Type: text/x-csrc
Size: 13853 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190107/a8f9fbbb/attachment.c>
-------------- next part --------------
This is a little program to compare the outputs of functions
    felem_square,
    felem_mul,
    felem_diff_128_64
against the outputs of functions
    BN_mod_sqr,
    BN_mod_mul,
    BN_mod_sub.
The objective is to check the correctness of these felem_* functions.
/////////////////////////////////////////////////////////
//
// HOW TO USE IT
//
/////////////////////////////////////////////////////////
Note: this is only tested on Ubuntu and MacOS using GCC and Clang.
1. Configure your OpenSSL source code with the option
   "enable-ec_nistp_64_gcc_128", and then compile it to generate the
   static library "libcrypto.a". For example:
     > ./config enable-ec_nistp_64_gcc_128
     > make
2. Enter the directory of this little program, run "make" while
   assigning SRC_DIR with the path of the OpenSSL source tree:
     > make SRC_DIR=path-to-OpenSSL
   (replace "path-to-OpenSSL" with the path to the source tree)
3. Execute the binary "check".
/////////////////////////////////////////////////////////
//
// WHAT IS THE OUTPUT OF IT
//
/////////////////////////////////////////////////////////
This little program contains one counter-example and one passed
example for each felem_* function. In the output from the program
you can see the inputs and outputs from felem_* and BN_mod_*
functions.
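
Added example, not part of the original message, its attachments, or OpenSSL: a Python model of the differential check the README describes, comparing a limb-wise product against a big-integer reference for the felem_square/felem_mul input quoted in the message. It assumes a felem holds nine radix-2^58 limbs and that each largefelem limb is a 128-bit accumulator; all function names are hypothetical.

```python
# Added model for illustration; not OpenSSL code.
# Assumptions: felem = 9 limbs in radix 2^58; each largefelem limb is 128 bits wide.
P = 2**521 - 1
LIMBS, RADIX_BITS, ACC_BITS = 9, 58, 128

# felem_square / felem_mul input quoted in the message above.
IN = [
    0x3fd9049d07fdc0ad, 0x3ece5f4000000000, 0x39c5349d6a623811,
    0x3bf48f8409415499, 0x3ffdac80c8300000, 0x3ff3f3de63be6baf,
    0x3fa3eff5c6db1743, 0x3dde8d0ddc21079f, 0x3e068b5ec961f8fc,
]
# Constructed comparison input: every limb is below 2^58.
SMALL = [(1 << RADIX_BITS) - 1 - i for i in range(LIMBS)]

def to_int(limbs):
    """Integer value of a (possibly unreduced) limb vector."""
    return sum(l << (RADIX_BITS * i) for i, l in enumerate(limbs))

def mul_columns(a, b):
    """Schoolbook product per output limb, folding 2^522 = 2 (mod P)."""
    cols = [0] * LIMBS
    for i in range(LIMBS):
        for j in range(LIMBS):
            k = i + j
            if k < LIMBS:
                cols[k] += a[i] * b[j]
            else:
                cols[k - LIMBS] += 2 * a[i] * b[j]
    return cols

def check_mul(a, b):
    """Compare exact and 128-bit-wrapped column sums with the reference."""
    exact = mul_columns(a, b)
    wrapped = [c % (1 << ACC_BITS) for c in exact]  # what a 128-bit limb keeps
    ref = (to_int(a) * to_int(b)) % P               # big-integer reference
    return {
        "overflow_columns": [k for k, c in enumerate(exact) if c >> ACC_BITS],
        "exact_matches": to_int(exact) % P == ref,
        "wrapped_matches": to_int(wrapped) % P == ref,
    }

if __name__ == "__main__":
    for name, v in (("message input", IN), ("reduced input", SMALL)):
        print(name, check_mul(v, v))
```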