go crypto/internal/nistec: 在p256SelectAffine的s390x和ppe64le汇编中,循环次数不正确,

wljmcqd8  于 4个月前  发布在  Go
关注(0)|答案(5)|浏览(74)

Go版本

Go1.19+

在你的模块/工作区中go env的输出:

NA

你做了什么?

根据预先计算的p256AffineTable和p256SelectAffine函数的定义:

// p256AffineTable is a table of the first 32 multiples of a point. Points are
// stored at an index offset of -1 like in p256Table, and [0]P is not stored.
type p256AffineTable [32]p256AffinePoint

// p256Precomputed is a series of precomputed multiples of G, the canonical
// generator. The first p256AffineTable contains multiples of G. The second one
// multiples of [2⁶]G, the third one of [2¹²]G, and so on, where each successive
// table is the previous table doubled six times. Six is the width of the
// sliding window used in p256ScalarMult, and having each table already
// pre-doubled lets us avoid the doublings between windows entirely. This table
// MUST NOT be modified, as it aliases into p256PrecomputedEmbed below.
var p256Precomputed *[43]p256AffineTable

// p256SelectAffine sets res to the point at index idx in the table.
// idx must be in [0, 31]. It executes in constant time.
//
//go:noescape
func p256SelectAffine(res *p256AffinePoint, table *p256AffineTable, idx int)

如果每次取一个点,p256SelectAffine中的正确循环次数应该是32

你看到了什么发生?

  1. go/src/crypto/internal/nistec/p256_asm_s390x.s
    36b45bc中的第511行
    | | CMPW COUNT, $65 |

  2. go/src/crypto/internal/nistec/p256_asm_ppc64le.s
    36b45bc中的第444行
    | | MOVD$64, COUNT |

  3. go/src/crypto/internal/nistec/p256_asm_ppc64le.s
    36b45bc中的第294行
    | | MOVD$17, COUNT |
    这将影响ScalarBaseMult性能。

你期望看到什么?

  1. go/src/crypto/internal/nistec/p256_asm_s390x.s
    36b45bc中的第511行
    | | CMPW COUNT, $65 |
    应该为33

  2. go/src/crypto/internal/nistec/p256_asm_ppc64le.s
    36b45bc中的第444行
    | | MOVD$64, COUNT |
    应该为32

  3. go/src/crypto/internal/nistec/p256_asm_ppc64le.s
    36b45bc中的第294行
    | | MOVD$17, COUNT |
    应该为16
    顺便说一下,对于s390x汇编实现:

  4. 尝试使用VLM/VSTM;

  5. go/src/crypto/internal/nistec/p256_asm_s390x.s
    36b45bc中的第579行
    | | // VLEF $3, 0(R4), K0 |

gmxoilav

gmxoilav1#

cc @laboger。顺便说一下,ppc64le的p256NegCond似乎将以可变时间运行。

fnvucqvd

fnvucqvd2#

ccing @pmur who is the current maintainer of Go on ppc64le as Lynn recently retired.

xnifntxz

xnifntxz3#

ppc64代码看起来确实有问题。它是从s390实现中派生出来的。我本以为会偶尔出现段错误,因为这意味着它在读取超出表限制2KB的值,但从未使用过这样的值。

v1uwarro

v1uwarro4#

cc @golang/s390x @golang/ppc64 @golang/security

8e2ybdfx

8e2ybdfx5#

https://go.dev/cl/608816提到了这个问题:crypto/internal/nistec: fix p256Select and p256SelectAffine on PPC64

相关问题