1. Where's the security analysis? Does https://eprint.iacr.org/2011/633 apply?

2. When will RT2574 be integrated to protect our ECC keys in the
inevitable presence of software defects like this?
http://rt.openssl.org/Ticket/Display.html?id=2574&user=guest&pass=guest

These questions are not necessarily for Adam, but the OpenSSL team.

BBB

On Sun, Nov 23, 2014 at 8:09 PM, Adam Langley via RT <r...@openssl.org> wrote:
> (Affects 1.0.2 only.)
>
> In crypto/ec/asm/ecp_nistz256-x86_64.pl, __ecp_nistz256_sqr_montq,
> under "Now the reduction" there are a number of comments saying
> "doesn't overflow". Unfortunately, they aren't correct.
>
> Let f be a field element with value
> 52998265219372519138277318009572834528257482223861497652862868020346603903843.
>
> In Montgomery form, it's represented in memory as f*2^256 mod p, which
> is 
> 58733536287848456860684025065811053850702581988990452502702607007944524443511.
>
> When passed to ecp_nistz256_sqr_mont, this results in the intermediate
> value (before any reduction)
> 0x41dd6e8bcf7e19f499c19d0f5f3bba78272201eee64c6a44ca8a4ff275b53fa93b41d5b7035af3effffffff40a05dc36f424ab9438cdec4fa193faebf6ce951.
>
> r10 in this case contains 0xffffffff40a05dc3 and the high-word output
> of the multiplication after "# First iteration" is 0xfa193fad. The
> addition of r8 and r9 overflows into it leaving it as 0xfa193fae. The
> addition of rax and r9 also sets the carry flag thus the final
> add-with-carry of rdx into r10 easily overflows and leaves r10 as
> 0x3ab99d72.
>
> Additionally, I'm not sure about any of the other cases in the same
> function that have been annotated the same way. There is also a
> similar annotation in ecp_nistz256_mul_mont that I've not
> investigated.
>
>
> Cheers
>
> AGL
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org