> Note in particular that, IIUC, ecp_nistz256_neg will never get an
> unreduced input when applied to the base point multiples, because
> those are already fully reduced. But, when it is used in
> ecp_nistz256_windowed_mul, it isn't clear whether or how the input Y
> coordinate is fully reduced mod P before being passed to ecp_nistz256_neg.

Is it correctly understood that the concern is that input to ecp_nistz256_windowed_mul, which in turn can be *user* input, would not be fully reduced? I mean that the user would supply such input for a gain, obviously with malicious intent. In such a case one can probably argue that it would be more appropriate to *reject* such input rather than to play along and reduce it. Just for reference, conditional reduction can be done by simply subtracting the modulus, i.e. one doesn't need a special subroutine. An attempt to subtract the modulus from a fully reduced value results in adding it back.

> More generally, I think it might be a good idea to unit test all of
> the primitive operations in ecp_nistz256, with particular emphasis
> placed on whether unreduced inputs are supposed to be accepted for
> certain functions and, if so, whether unreduced inputs are handled
> correctly.

But the primitives are private and don't have to work in the most general cases, only in a specific context. In other words it's not unreasonable to expect/demand that inputs are fully reduced. Well, except when we are looking at user input. But then, as just mentioned, the question is whether silent reduction is actually appropriate.

> And also, since many of the ecp_nistz256 field arithmetic functions
> are inlined into the ecp_nistz256_point functions, I think it would be
> worthwhile to review that the inlined versions of those functions
> actually are operating in the same way as the analogous standalone
> (C-callable) ecp_nistz256_* functions.

C-callables are wrappers around the inlined subroutines. The only thing they do is load the input into designated registers and call the inlines, the ones used in the point functions.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
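The two options discussed in the message above, reducing a not-fully-reduced coordinate by "subtracting the modulus and adding it back if that borrowed", versus simply rejecting any input that is not below P, written out as an added example in portable C. This is illustration code, not OpenSSL's ecp_nistz256 assembly or its C wrappers; the names p256_cond_reduce, p256_is_reduced and p256_selftest, and the four-limb little-endian layout, are assumptions made for the example. It relies on the fact that every 256-bit value is below 2P for the P-256 prime (P is above 2^255), so a single conditional subtraction always yields a fully reduced result.

```c
#include <stdint.h>
#include <string.h>

/* Added example: 4 x 64-bit limbs, least significant limb first.
   This mirrors a BN_ULONG[4] layout on 64-bit targets but is an
   assumption of this example, not ecp_nistz256's actual code. */
typedef uint64_t limb_t;
#define NLIMBS 4

/* The NIST P-256 prime 2^256 - 2^224 + 2^192 + 2^96 - 1. */
static const limb_t P256[NLIMBS] = {
    0xffffffffffffffffULL, 0x00000000ffffffffULL,
    0x0000000000000000ULL, 0xffffffff00000001ULL
};

/* r = a - b mod 2^256; returns the final borrow (1 iff a < b).
   Written without data-dependent branches on the limb values. */
static limb_t sub_limbs(limb_t r[NLIMBS], const limb_t a[NLIMBS],
                        const limb_t b[NLIMBS])
{
    limb_t borrow = 0;
    for (int i = 0; i < NLIMBS; i++) {
        limb_t t  = a[i] - b[i];
        limb_t b1 = (limb_t)(a[i] < b[i]);
        limb_t t2 = t - borrow;
        limb_t b2 = (limb_t)(t < borrow);
        r[i] = t2;
        borrow = b1 | b2;
    }
    return borrow;
}

/* r = a + (b & mask) mod 2^256, mask being all-ones or all-zeros. */
static void add_masked(limb_t r[NLIMBS], const limb_t a[NLIMBS],
                       const limb_t b[NLIMBS], limb_t mask)
{
    limb_t carry = 0;
    for (int i = 0; i < NLIMBS; i++) {
        limb_t bi = b[i] & mask;
        limb_t t  = a[i] + bi;
        limb_t c1 = (limb_t)(t < a[i]);
        limb_t t2 = t + carry;
        limb_t c2 = (limb_t)(t2 < t);
        r[i] = t2;
        carry = c1 | c2;
    }
}

/* Conditional reduction, the "subtract the modulus, add it back if it
   borrowed" idiom: for any 256-bit a (necessarily below 2P) the result
   is a mod P in [0, P). No separate reduction subroutine is needed. */
void p256_cond_reduce(limb_t r[NLIMBS], const limb_t a[NLIMBS])
{
    limb_t tmp[NLIMBS];
    limb_t borrow = sub_limbs(tmp, a, P256);  /* borrow == 1 iff a < P */
    limb_t mask = (limb_t)0 - borrow;         /* all-ones iff a < P   */
    add_masked(r, tmp, P256, mask);           /* undo the subtraction */
}

/* The reject-instead-of-reduce alternative: 1 iff a is fully reduced. */
int p256_is_reduced(const limb_t a[NLIMBS])
{
    limb_t tmp[NLIMBS];
    return (int)sub_limbs(tmp, a, P256);
}

/* Constructed test vectors: P-1 (reduced), P (reduces to 0), P+5 (to 5). */
int p256_selftest(void)
{
    const limb_t p_minus_1[NLIMBS] = {
        0xfffffffffffffffeULL, 0x00000000ffffffffULL, 0, 0xffffffff00000001ULL };
    const limb_t p_plus_5[NLIMBS] = {
        0x0000000000000004ULL, 0x0000000100000000ULL, 0, 0xffffffff00000001ULL };
    const limb_t zero[NLIMBS] = { 0, 0, 0, 0 };
    const limb_t five[NLIMBS] = { 5, 0, 0, 0 };
    limb_t r[NLIMBS];

    if (!p256_is_reduced(p_minus_1) || p256_is_reduced(P256) ||
        p256_is_reduced(p_plus_5))
        return 0;
    p256_cond_reduce(r, p_minus_1);               /* a < P: unchanged */
    if (memcmp(r, p_minus_1, sizeof r) != 0) return 0;
    p256_cond_reduce(r, P256);                    /* a == P: becomes 0 */
    if (memcmp(r, zero, sizeof r) != 0) return 0;
    p256_cond_reduce(r, p_plus_5);                /* a > P: a - P     */
    if (memcmp(r, five, sizeof r) != 0) return 0;
    return 1;
}
```

Whether a field-element routine should call p256_cond_reduce on its input or have its caller fail on p256_is_reduced returning 0 is exactly the policy question raised above; the cost of the reduction itself is one subtraction and one masked addition.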