On 12/5/14, Solar Designer <[email protected]> wrote:
> Miscompiles are a thing. This is a reason why I think runtime self-test
> of the full scrypt is desirable. (I am planning on adding that to
> yescrypt as well.) One aspect I haven't decided on yet is whether it's
> a good idea to have a self-test even in -ref code or not (since this
> goes against the simplicity goal for -ref).
I believe that *every* cryptographic function needs a run-time self test, and that the self-test code and data must be in a separately compiled source file to defend against moderately broken/malicious compilers. (The way to detect lack of SSE/SSE2 support is to use the CPUID instruction -- but even ‘reference’ code needs a self-test routine called at run time.)

Robert Ransom
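As an added illustration, not code from this thread nor from scrypt or yescrypt, here is one shape the run-time self-test described above can take in C: SSE2 detection through CPUID, plus a known-answer harness that fails closed when the function under test disagrees with its vectors. The KDF below is a constructed stand-in with scrypt's parameter shape, not scrypt itself, and `selftest_vectors.c`, `kdf_selftest` and `simulate_miscompile` are hypothetical names chosen for the example.

```c
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* Runtime SSE2 check: CPUID leaf 1, EDX bit 26. Non-x86 builds report 0. */
int cpu_has_sse2(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    return (__get_cpuid(1, &a, &b, &c, &d) && (d & bit_SSE2)) ? 1 : 0;
#else
    return 0;
#endif
}

/* scrypt-shaped KDF signature: one harness wraps a -ref or a SIMD build alike. */
typedef int (*kdf_fn)(const uint8_t *pw, size_t pwlen, const uint8_t *salt, size_t saltlen,
                      uint64_t N, uint32_t r, uint32_t p, uint8_t *out, size_t outlen);
/* Known-answer vector. In a real build this table lives in its own translation unit
 * (e.g. selftest_vectors.c, a hypothetical name) and is only declared extern here, so
 * the compiler that built the KDF never sees the answers it is checked against. */
struct kat { const char *pw, *salt; uint64_t N; uint32_t r, p; uint8_t exp[8]; };
/* Constructed vector for toy_kdf below; expected bytes worked out by hand. */
static const struct kat vectors[] = {
    { "pw", "salt", 16, 1, 1, { 0x11, 0x05, 0x08, 0x16, 0x15, 0x01, 0x04, 0x1a } } };
/* Set to 1 to simulate a miscompile (one output bit flipped); the harness must reject it. */
int simulate_miscompile = 0;
/* Constructed stand-in for scrypt (NOT scrypt); it exists only to exercise the harness. */
static int toy_kdf(const uint8_t *pw, size_t pwlen, const uint8_t *salt, size_t saltlen,
                   uint64_t N, uint32_t r, uint32_t p, uint8_t *out, size_t outlen)
{
    for (size_t i = 0; i < outlen; i++)
        out[i] = pw[i % pwlen] ^ salt[i % saltlen] ^ (uint8_t)(N + r + p + i);
    if (simulate_miscompile && outlen) out[outlen - 1] ^= 0x01;
    return 0;
}
/* Run every vector through fn: 0 = all match, -1 = any mismatch (fail closed). */
int kdf_selftest(kdf_fn fn)
{
    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++) {
        const struct kat *v = &vectors[i];
        uint8_t got[8];
        if (fn((const uint8_t *)v->pw, strlen(v->pw), (const uint8_t *)v->salt, strlen(v->salt),
               v->N, v->r, v->p, got, sizeof got) != 0 || memcmp(got, v->exp, sizeof got) != 0)
            return -1;
    }
    return 0;
}
```

Calling `kdf_selftest()` once at startup, before the KDF is used for anything real, is the point: a miscompiled or mis-dispatched build is refused rather than silently producing wrong (and possibly weak) output.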
