RFR: 8374755: ML-KEM's 12-bit decompression uses incorrect assertions [v2]
Shawn M Emery
duke at openjdk.org
Thu Jan 15 01:55:59 UTC 2026
On Wed, 14 Jan 2026 13:27:50 GMT, Ferenc Rakoczi <duke at openjdk.org> wrote:
>> src/java.base/share/classes/com/sun/crypto/provider/ML_KEM.java line 1364:
>>
>>> 1362: int n = (parsedLength + 127) / 128;
>>> 1363: assert ((parsed.length >= n * 128) &&
>>> 1364: (condensed.length >= index + n * 192));
>>
>> Given the comments, can this be simplified to just:
>>
>>
>> - int n = (parsedLength + 127) / 128;
>> - assert ((parsed.length >= n * 128) &&
>> - (condensed.length >= index + n * 192));
>> + assert((parsed.length % 128) == 0) && (condensed.length % 192 == 0));
>>
>>
>> If the length is smaller than the constant then the remainder will be non-zero.
>
> These are the exact conditions that the most demanding intrinsic (the AVX-512 one) requires. If we would rely on that the callers satisfy these, we wouldn't need the assert :-) . The loop in the intrinsic will read n * 192 bytes and write n * 128 shorts, your suggestion would not ensure that the arrays have at least that much space.
Ah, I see that now. Maybe an update to the comments would alleviate my confusion?:
NEW:
// An intrinsic implementation assumes that the input and output buffers
// are such that condensed can be read in n-multiples of 192 bytes and
// parsed can be written in n-multiples of 128 shorts, so callers should allocate
// the condensed and parsed arrays to at least these amounts, see the assert()
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/29141#discussion_r2692668352
More information about the security-dev
mailing list