On Tue, Mar 29, 2016 at 9:47 AM Andy Polyakov via RT <r...@openssl.org> wrote:
> > In the non-SIMD paths, I believe this is fine because $r0's and $r1's
> > cleared high bits mean we should have plenty of slack to leave that
> > unreduced. (And indeed it's normally not reduced on input from the
> > addition.) Then poly1305_emit's reduction after adding s will resolve
> > things before output. But, in the SIMD paths, __poly1305_blocks is called
> > and then bits are shifted without any reduction.
>
> What do you mean shifted without any reduction? There is a reduction step
> after the base 2^26 -> 2^64 conversion (which also needs an additional adc, but
> there *is* a reduction step) *prior* to the call to __poly1305_block. And there
> naturally is a reduction step at the end of __poly1305_block, so that the base
> 2^64 -> 2^26 conversion *after* __poly1305_block is performed on a reduced
> value.

I mean that here:
https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/poly1305/asm/poly1305-x86_64.pl;h=8977d563a25166b5c3bfac9bb952703c40962cfd;hb=HEAD#l535

We call __poly1305_block, which is just poly1305_iteration. If we add the missing adc, $h2 may exceed two bits, right, so it's not completely reduced. And the code after the __poly1305_block call above doesn't do an extra reduction and only shifts bits to convert from 2^64 to 2^26.

I later realized there's plenty of room to spare in the 2^26 representation even when you put everything in 32-bit values, so we won't lose the extra bit. I imagine the SIMD logic can tolerate this slightly-unreduced value just fine, but that was my question.

David

> > Wouldn't that cause a
> > problem? Or is this situation impossible?
>
> If neither of above answers questions, then please elaborate.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
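An added illustration of the point David raises (this is example code written for this page, not code from the thread or from OpenSSL's poly1305-x86_64.pl): a shift-only base 2^64 -> base 2^26 conversion fed a value whose top limb h2 carries more than two bits, checking that the conversion loses nothing and that the top 2^26 limb still fits in 32 bits. The digit split below is the textbook one (130 bits into five 26-bit digits); that it matches the shifts in the assembly exactly is an assumption.

```python
# Example code for this discussion; not from the OpenSSL source tree.
# A fully reduced Poly1305 accumulator has h2 in {0, 1, 2, 3}.  Here we
# allow a larger h2 (a slightly unreduced value, as after poly1305_iteration
# with the extra adc) and convert to 2^26 limbs by shifting only.

P = (1 << 130) - 5          # the Poly1305 prime 2^130 - 5
MASK26 = (1 << 26) - 1
MASK64 = (1 << 64) - 1


def to_base26(h0, h1, h2):
    """Split the 2^64-limb triple (h0, h1, h2) into five 2^26 limbs.

    No reduction is performed: whatever bits h2 carries are shifted
    straight into the top limb.  (Assumed layout; see lead-in.)
    """
    d0 = h0 & MASK26
    d1 = (h0 >> 26) & MASK26
    d2 = ((h0 >> 52) | (h1 << 12)) & MASK26
    d3 = (h1 >> 14) & MASK26
    d4 = (h1 >> 40) | (h2 << 24)   # 24 bits from h1, h2 lands above them
    return [d0, d1, d2, d3, d4]


def from_base26(d):
    """Reassemble the integer from five 2^26 limbs (limbs need not be reduced)."""
    return sum(x << (26 * i) for i, x in enumerate(d))


def h2_bits_fitting(limb_bits=32):
    """How many bits h2 may carry before the top limb exceeds limb_bits bits."""
    return limb_bits - 24


def demo(h2):
    """Constructed sample: h0 and h1 all-ones, h2 as given.

    Returns (limbs, top_limb_fits_in_32_bits, value mod P).
    """
    h0 = h1 = MASK64
    h = h0 | (h1 << 64) | (h2 << 128)
    d = to_base26(h0, h1, h2)
    if from_base26(d) != h:
        raise AssertionError("conversion lost bits")
    top_fits = d[4] < (1 << 32)
    return d, top_fits, h % P
```

With h2 = 7 (three bits, i.e. past the reduced range) the top limb is 2^27 - 1 and fits comfortably; only once h2 needs more than 8 bits does a 32-bit top limb overflow.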