> I would expect that correct results would be provided for all valid
> inputs (including those inputs that are not otherwise constrained).
> As such, I would class this as a bug in OpenSSL.
These functions are not part of the public OpenSSL API so that's just
not how it works. There is a ton of
I would expect that correct results would be provided for all valid
inputs (including those inputs that are not otherwise constrained).
As such, I would class this as a bug in OpenSSL.
-Kyle H
On Mon, Jan 7, 2019 at 7:44 PM Patrick Steuer wrote:
>
> Dear Bo-Yin Yang,
>
> I looked into your
Dear Bo-Yin Yang,
I looked into your felem_square counterexample:
There is an overflow in the result's least significant 128-bit limb such
that the computed result is 2^128 smaller than the actual result.
The general problem is the following..
The function's comment says:
/*-
*
Dear all,
we found some counter-examples (examples where wrong answers were
returned) for field element computations in the C routines for P-521
(that is, modulo 2^521-1). The counterexamples, a C test file, a
Makefile, and a short README are attached.
The routines in question are:
