RFR: 8374755: ML-KEM's 12-bit decompression uses incorrect assertions

Andrew Dinn adinn at openjdk.org
Wed Jan 14 10:46:54 UTC 2026


On Wed, 14 Jan 2026 07:45:26 GMT, Shawn M Emery <duke at openjdk.org> wrote:

>> The preconditions for the aarch64 and the AVX-512 intrinsic implementations of the implKyber12To16() method of com.sun.crypto.provider.ML_KEM are different and the AVX-512 one has stricter preconditions on the input, which was not recorded in the assert() before calling the function (although they were satisfied by all calling code). Now the assert() is corrected, and with these preconditions, the aarch64 implementation is simplified.
>
> src/hotspot/cpu/aarch64/stubGenerator_aarch64.cpp line 6217:
> 
>> 6215:     __ sub(parsedLength, parsedLength, 64);
>> 6216:     __ cmp(parsedLength, (u1)0);
>> 6217:     __ br(Assembler::GE, L_loop);
> 
> Should this be GT now?

Yes, I believe it should. That makes me wonder why the test did not fail. I would have expected it to loop back to the top and try to consume an extra 96 bytes of non-existent input and write it to 64 bytes of non-existent output buffer? Did this erroneous computation not happen? Or was the error simply not manifest?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/29141#discussion_r2689924512
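The GE-versus-GT question in the reply above comes down to how many times a body-first loop runs when the counter is decremented by 64 and then compared against zero. The following is an added model written for this thread, not code from the PR or from the JDK: it simulates that counter-and-branch structure over buffers sized exactly to the parsed length, so an extra iteration surfaces as an exception instead of a silent overrun. The per-iteration sizes (96 input bytes consumed, 64 output entries written) are taken from the reply; the `slack` parameter, which pads the buffers beyond the parsed length, is an assumption added to show one way an overrun can go unnoticed.

```python
"""Model of a body-first loop that does `sub counter, 64; cmp counter, 0;
br <cond> L_loop`, as in the aarch64 stub discussed in the thread.
Constructed example, not OpenJDK code."""

IN_CHUNK = 96    # input bytes consumed per iteration (from the reply)
OUT_CHUNK = 64   # output entries written per iteration (from the reply)
STEP = 64        # amount subtracted from the loop counter each iteration


def run_loop(parsed_length: int, branch: str, slack: int = 0) -> int:
    """Run the modeled loop and return the number of iterations executed.

    Buffers are sized for exactly parsed_length // STEP chunks, plus `slack`
    extra elements (an assumption, to model buffers larger than the parsed
    data).  Any read or write past the end raises IndexError, which is the
    signal that the loop body ran one time too many.
    """
    if branch not in ("GE", "GT"):
        raise ValueError("branch must be 'GE' or 'GT'")
    chunks = parsed_length // STEP
    src = bytearray(chunks * IN_CHUNK + slack)   # constructed input buffer
    dst = [0] * (chunks * OUT_CHUNK + slack)     # constructed output buffer
    iterations = 0
    in_pos = out_pos = 0
    while True:
        # Loop body: touch every element the intrinsic would read and write.
        for i in range(IN_CHUNK):
            _ = src[in_pos + i]
        for i in range(OUT_CHUNK):
            dst[out_pos + i] = 1
        in_pos += IN_CHUNK
        out_pos += OUT_CHUNK
        iterations += 1
        # sub parsedLength, parsedLength, 64 ; cmp parsedLength, 0 ; br <cond>
        parsed_length -= STEP
        keep_going = parsed_length >= 0 if branch == "GE" else parsed_length > 0
        if not keep_going:
            break
    return iterations


def overruns(parsed_length: int, branch: str, slack: int = 0) -> bool:
    """True if the modeled loop touches memory beyond its buffers."""
    try:
        run_loop(parsed_length, branch, slack)
    except IndexError:
        return True
    return False


if __name__ == "__main__":
    # Four chunks of data: GT stops after 4 iterations, GE attempts a 5th.
    print("GT iterations:", run_loop(256, "GT"))          # 4
    print("GE overruns exact buffers:", overruns(256, "GE"))  # True
    print("GE with padded buffers:", run_loop(256, "GE", slack=96))  # 5
```

With exactly sized buffers the GE variant fails on its fifth pass; with buffers padded beyond the parsed length it completes five iterations without any error, reading and writing past the logical data, which is one way such an off-by-one can stay hidden from a test.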

