RFR: 8374755: ML-KEM's 12-bit decompression uses incorrect assertions
Shawn M Emery
duke at openjdk.org
Wed Jan 14 07:50:17 UTC 2026
On Fri, 9 Jan 2026 14:41:07 GMT, Ferenc Rakoczi <duke at openjdk.org> wrote:
> The preconditions for the aarch64 and the AVX-512 intrinsic implementations of the implKyber12To16() method of com.sun.crypto.provider.ML_KEM are different and the AVX-512 one has stricter preconditions on the input, which was not recorded in the assert() before calling the function (although they were satisfied by all calling code). Now the assert() is corrected, and with these preconditions, the aarch64 implementation is simplified.
src/hotspot/cpu/aarch64/stubGenerator_aarch64.cpp line 6217:
> 6215: __ sub(parsedLength, parsedLength, 64);
> 6216: __ cmp(parsedLength, (u1)0);
> 6217: __ br(Assembler::GE, L_loop);
Should this be GT now?
src/java.base/share/classes/com/sun/crypto/provider/ML_KEM.java line 1364:
> 1362: int n = (parsedLength + 127) / 128;
> 1363: assert ((parsed.length >= n * 128) &&
> 1364: (condensed.length >= index + n * 192));
Given the comments, can this be simplified to just:
- int n = (parsedLength + 127) / 128;
- assert ((parsed.length >= n * 128) &&
- (condensed.length >= index + n * 192));
+ assert((parsed.length % 128) == 0) && (condensed.length % 192 == 0));
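Review bot: the suggested assert on the `+` line is weaker than the two lines it removes, not equivalent to them: `parsed.length % 128 == 0` and `condensed.length % 192 == 0` no longer relate the buffer sizes to `parsedLength` or `index`, so buffers that are whole multiples of 128 or 192 but still shorter than `n * 128` or `index + n * 192` would pass, and a non-zero `index` is never considered. The `+` line also has unbalanced parentheses (`assert((parsed.length % 128) == 0) && (condensed.length % 192 == 0));`). If the goal is to express block alignment, keep the size check and add the modulus checks next to it rather than replacing it.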
If the length is smaller than the constant then the remainder will be non-zero.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/29141#discussion_r2689338785
PR Review Comment: https://git.openjdk.org/jdk/pull/29141#discussion_r2689173853
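As an added example for the precondition discussed above (not code from the JDK or this PR), a plain-Java reference for the 12-bit to 16-bit unpacking that implKyber12To16() performs, guarded by the assert quoted in the review; the class and method names, the packing helper and the sample coefficients are assumptions made here.

```java
// Added example, not JDK code: reference 12-bit -> 16-bit unpacking with the
// precondition from the review, so the reader can see what the assert protects.
public final class Kyber12To16Reference {

    // Unpack parsedLength coefficients (12 bits each, little-endian, two per three
    // bytes as in FIPS 203 ByteDecode_12) from condensed[index..] into parsed[0..].
    // Returns the number of coefficients written. Names are assumptions.
    static int unpack12To16(byte[] condensed, int index, short[] parsed, int parsedLength) {
        int n = (parsedLength + 127) / 128;                 // 128-coefficient blocks
        assert (parsed.length >= n * 128) && (condensed.length >= index + n * 192)
                : "buffers too small for " + n + " block(s)";
        int out = 0;
        for (int in = index; out < parsedLength; in += 3) {
            int b0 = condensed[in] & 0xff;
            int b1 = condensed[in + 1] & 0xff;
            int b2 = condensed[in + 2] & 0xff;
            parsed[out++] = (short) (b0 | ((b1 & 0x0f) << 8));
            parsed[out++] = (short) ((b1 >>> 4) | (b2 << 4));
        }
        return out;
    }

    // Inverse of the above, used only to build test input (constructed helper).
    static byte[] pack16To12(short[] coeffs) {
        byte[] out = new byte[coeffs.length / 2 * 3];
        for (int i = 0, j = 0; i < coeffs.length; i += 2, j += 3) {
            int c0 = coeffs[i] & 0xfff, c1 = coeffs[i + 1] & 0xfff;
            out[j] = (byte) c0;
            out[j + 1] = (byte) ((c0 >>> 8) | (c1 << 4));
            out[j + 2] = (byte) (c1 >>> 4);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: one 128-coefficient block with values in [0, 3329).
        short[] expected = new short[128];
        for (int i = 0; i < 128; i++) expected[i] = (short) ((i * 97 + 13) % 3329);
        byte[] condensed = pack16To12(expected);            // 192 bytes
        short[] parsed = new short[128];
        int written = unpack12To16(condensed, 0, parsed, 128);
        if (written != 128 || !java.util.Arrays.equals(expected, parsed))
            throw new AssertionError("round trip failed");
        System.out.println("round trip OK for " + written + " coefficients");

        // A 192-byte condensed buffer cannot supply two blocks: with -ea the assert
        // fires; without it the loop reads past the array, which is what the
        // precondition exists to rule out before the intrinsic is entered.
        try {
            unpack12To16(condensed, 0, new short[256], 256);
        } catch (AssertionError | ArrayIndexOutOfBoundsException e) {
            System.out.println("undersized input rejected: " + e.getClass().getSimpleName());
        }
    }
}
```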