About correctness of CTR mode implementation about crypto HOT 5 CLOSED

Thanks. But your construction does not work.

Right direct solution for { a + b, if (a + b) < 2^32; a + b - 2^32 + 1, elsewhere } is
var tmp = syn[1] + 0x1010104;
syn[1] = tmp < 0x100000000 ? tmp : tmp - 0xffffffff;

But in according to math rules summation with modulo (2^32-1) should be less then (2^32-1).

In case syn[1] = 0xfefefefb next syn[1] = 0xffffffff - it is not correspond to mathematical rules.
In case syn[1] = 0xfefefefc next syn[1] = 0x1 - we miss 0x0 in series of integer number.

I think it is mistake in the GOST description. Right summation with modulo (2^32-1) in according to mathematical rules should be { a + b, if (a + b) < 2^32 - 1; a + b - 2^32 + 1, elsewhere }

So right solution
var tmp = syn[1] + 0x1010104;
syn[1] = tmp < 0xffffffff ? tmp : tmp - 0xffffffff;

And this is full equivalent to
syn[1] = signed(unsigned((syn[1] + 0x1010104) & 0xffffffff) % 0xffffffff);

from crypto.

I think it is mistake in the GOST description.

Exactly. GOST's definition of (mod 2^32 - 1) is not mathematical one. See the attached link to the standard's addendum №4. As for the right code, C-version looks like:

uint64_t value;

// ADD C1 (mod 2^32)
*dst32++ = (uint32_t)0x01010101 + (uint32_t)(*src32++);

// ADD C2 (mod 2^32 - 1)
   value = (uint64_t)0x01010104 + (uint64_t)(*src32++);
*dst32++ = (uint32_t)(value + (value >> 32));

I'dont know JS well, but seems that in your code syn[1] = signed(unsigned((syn[1] + 0x1010104) & 0xffffffff) % 0xffffffff) result of (syn[1] + 0x1010104) & 0xffffffff is always masked with 0xffffffff and it's not greater that 2^32. So, you miss the possible one's wrap.

from crypto.

Clear. value >> 32 - zero if value < 0x100000000 and one if value >= 0x100000000.
(uint32_t)x - equivalent (x & 0xffffffff)

Different for javascript - all numbers are signed. Shift bit operations signed too and 32-bit based. And (value >> 32) == value for any value.

So
var tmp = unsigned(syn[1] + 0x1010104);
syn[1] = signed(tmp < 0x100000000 ? tmp : tmp - 0xffffffff);
Is it right?

from crypto.

var tmp = unsigned(syn[1] + 0x1010104);
syn[1] = signed(tmp < 0x100000000 ? tmp : ((tmp & 0xffffffff) + 1));

Is it the same?

from crypto.

Yes for C/C++. For JS - NO. Because tmp is unsigned and not less then 0x100000000. But operation "&" has 32-bit signed result.

If tmp between 0x100000000 and 0x1fffffffff then (tmp & 0xffffffff) equals (tmp - 0x100000000) for C/C++. Then ((tmp & 0xffffffff) + 1) equals (tmp - 0xffffffff).

I found one more mistake: unsigned(syn[1] + 0x1010104) always less then 0x100000000. Right solution is

        var tmp = unsigned(syn[1]) + 0x1010104;
        syn[1] = signed(tmp < 0x100000000 ? tmp : tmp - 0xffffffff);

I tested and committed it. Thank you!

from crypto.