/**
 * \file ecp_internal.h
 *
 * \brief Function declarations for alternative implementation of elliptic curve
 * point arithmetic.
 *
 * Every prototype in this header is only declared when the corresponding
 * MBEDTLS_ECP_*_ALT option is defined; the alternative implementation (for
 * example a hardware-accelerator driver) is then expected to provide the
 * definition. The documentation of each function describes the contract that
 * such an implementation has to honour.
 */
/*
 *  Copyright (C) 2016, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */

/*
 * References:
 *
 * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records.
 *     <http://cr.yp.to/ecdh/curve25519-20060209.pdf>
 *
 * [2] CORON, Jean-Sébastien. Resistance against differential power analysis
 *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
 *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
 *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
 *
 * [3] HEDABOU, Mustapha, PINEL, Pierre, et BÉNÉTEAU, Lucien. A comb method to
 *     render ECC resistant against Side Channel Attacks. IACR Cryptology
 *     ePrint Archive, 2004, vol. 2004, p. 342.
 *     <http://eprint.iacr.org/2004/342.pdf>
 *
 * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters.
 *     <http://www.secg.org/sec2-v2.pdf>
 *
 * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic
 *     Curve Cryptography.
 *
 * [6] Digital Signature Standard (DSS), FIPS 186-4.
 *     <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>
 *
 * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
 *     Security (TLS), RFC 4492.
 *     <https://tools.ietf.org/search/rfc4492>
 *
 * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html>
 *
 * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory.
 *     Springer Science & Business Media, 1 Aug 2000
 */

#ifndef MBEDTLS_ECP_INTERNAL_H
#define MBEDTLS_ECP_INTERNAL_H

#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif

#if defined(MBEDTLS_ECP_INTERNAL_ALT)

/**
 * \brief           Indicate if the Elliptic Curve Point module extension can
 *                  handle the group.
 *
 * \param grp       The pointer to the elliptic curve group that will be the
 *                  basis of the cryptographic computations.
 *
 * \return          Non-zero if the module can handle the group.
 */
unsigned char mbedtls_internal_ecp_grp_capable( const mbedtls_ecp_group *grp );

/**
 * \brief           Initialise the Elliptic Curve Point module extension.
 *
 *                  If mbedtls_internal_ecp_grp_capable returns true for a
 *                  group, this function has to be able to initialise the
 *                  module for it.
 *
 *                  This module can be a driver to a crypto hardware
 *                  accelerator, for which this could be an initialise function.
 *
 * \param grp       The pointer to the group the module needs to be
 *                  initialised for.
 *
 * \return          0 if successful.
 */
int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp );

/**
 * \brief           Frees and deallocates the Elliptic Curve Point module
 *                  extension.
 *
 *                  NOTE(review): whether this may be called after a failed
 *                  mbedtls_internal_ecp_init() is not specified here; an
 *                  implementation is safest if it tolerates that.
 *
 * \param grp       The pointer to the group the module was initialised for.
 */
void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp );

#if defined(ECP_SHORTWEIERSTRASS)

#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
/**
 * \brief           Randomize jacobian coordinates:
 *                  (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l.
 *
 *                  This is the projective-coordinate randomisation
 *                  countermeasure against differential power analysis
 *                  (see [2]): the point is unchanged, only its
 *                  representation is blinded. The blinding is only as good
 *                  as l is unpredictable, so \p f_rng must be a
 *                  cryptographically strong generator.
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param pt        The point on the curve to be randomised, given with Jacobian
 *                  coordinates. This is an input/output parameter.
 *
 * \param f_rng     A function pointer to the random number generator.
 *
 * \param p_rng     A pointer to the random number generator state.
 *
 * \return          0 if successful.
 */
int mbedtls_internal_ecp_randomize_jac( const mbedtls_ecp_group *grp,
        mbedtls_ecp_point *pt, int (*f_rng)(void *, unsigned char *, size_t),
        void *p_rng );
#endif

#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
/**
 * \brief           Addition: R = P + Q, mixed affine-Jacobian coordinates.
 *
 *                  The coordinates of Q must be normalized (= affine),
 *                  but those of P don't need to. R is not normalized.
 *
 *                  This function is used only as a subroutine of
 *                  ecp_mul_comb().
 *
 *                  Special cases: (1) P or Q is zero, (2) R is zero,
 *                  (3) P == Q.
 *                  None of these cases can happen as intermediate step in
 *                  ecp_mul_comb():
 *                  - at each step, P, Q and R are multiples of the base
 *                  point, the factor being less than its order, so none of
 *                  them is zero;
 *                  - Q is an odd multiple of the base point, P an even
 *                  multiple, due to the choice of precomputed points in the
 *                  modified comb method.
 *                  So branches for these cases do not leak secret information.
 *                  (An implementation used outside ecp_mul_comb() cannot rely
 *                  on this argument and must not branch on secret data.)
 *
 *                  We accept Q->Z being unset (saving memory in tables) as
 *                  meaning 1.
 *
 *                  Cost in field operations if done by [5] 3.22:
 *                  1A := 8M + 3S
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param R         Pointer to a point structure to hold the result.
 *
 * \param P         Pointer to the first summand, given with Jacobian
 *                  coordinates
 *
 * \param Q         Pointer to the second summand, given with affine
 *                  coordinates (Q->Z may be unset and is then taken as 1).
 *
 * \return          0 if successful.
 */
int mbedtls_internal_ecp_add_mixed( const mbedtls_ecp_group *grp,
        mbedtls_ecp_point *R, const mbedtls_ecp_point *P,
        const mbedtls_ecp_point *Q );
#endif

/**
 * \brief           Point doubling R = 2 P, Jacobian coordinates.
 *
 *                  Cost:   1D := 3M + 4S          (A ==  0)
 *                          4M + 4S          (A == -3)
 *                          3M + 6S + 1a     otherwise
 *                  when the implementation is based on the "dbl-1998-cmo-2"
 *                  doubling formulas in [8] and standard optimizations are
 *                  applied when curve parameter A is one of { 0, -3 }.
 *
 *                  NOTE(review): whether \p R may alias \p P is not stated
 *                  by this header; confirm against the caller in ecp.c
 *                  before assuming either way.
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param R         Pointer to a point structure to hold the result.
 *
 * \param P         Pointer to the point that has to be doubled, given with
 *                  Jacobian coordinates.
 *
 * \return          0 if successful.
 */
#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
int mbedtls_internal_ecp_double_jac( const mbedtls_ecp_group *grp,
        mbedtls_ecp_point *R, const mbedtls_ecp_point *P );
#endif

/**
 * \brief           Normalize jacobian coordinates of an array of (pointers to)
 *                  points.
 *
 *                  Using Montgomery's trick to perform only one inversion mod P
 *                  the cost is:
 *                      1N(t) := 1I + (6t - 3)M + 1S
 *                  (See for example Algorithm 10.3.4. in [9])
 *
 *                  This function is used only as a subroutine of
 *                  ecp_mul_comb().
 *
 *                  Warning: fails (returning an error) if one of the points is
 *                  zero!
 *                  This should never happen, see choice of w in ecp_mul_comb().
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param T         Array of pointers to the points to normalise.
 *
 * \param t_len     Number of elements in the array.
 *
 * \return          0 if successful,
 *                  an error if one of the points is zero.
 */
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
int mbedtls_internal_ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
        mbedtls_ecp_point *T[], size_t t_len );
#endif

/**
 * \brief           Normalize jacobian coordinates so that Z == 0 || Z == 1.
 *
 *                  Cost in field operations if done by [5] 3.2.1:
 *                      1N := 1I + 3M + 1S
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param pt        Pointer to the point to be normalised. This is an
 *                  input/output parameter.
 *
 * \return          0 if successful.
 */
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
int mbedtls_internal_ecp_normalize_jac( const mbedtls_ecp_group *grp,
        mbedtls_ecp_point *pt );
#endif

#endif /* ECP_SHORTWEIERSTRASS */

#if defined(ECP_MONTGOMERY)

/**
 * \brief           Combined doubling and addition step for Montgomery curves
 *                  in x/z coordinates, producing two result points R and S
 *                  from P, Q and the field element d.
 *
 *                  NOTE(review): this header does not state the exact
 *                  formulas. Presumably R = 2P and S = P + Q with d the
 *                  affine x-coordinate of P - Q, as in the reference
 *                  Montgomery ladder step; confirm against ecp.c before
 *                  relying on it.
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param R         Pointer to a point structure to hold the first result.
 *
 * \param S         Pointer to a point structure to hold the second result.
 *
 * \param P         Pointer to the first input point, given with projective
 *                  x/z coordinates.
 *
 * \param Q         Pointer to the second input point, given with projective
 *                  x/z coordinates.
 *
 * \param d         Pointer to the field element used by the addition step.
 *
 * \return          0 if successful.
 */
#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
int mbedtls_internal_ecp_double_add_mxz( const mbedtls_ecp_group *grp,
        mbedtls_ecp_point *R, mbedtls_ecp_point *S, const mbedtls_ecp_point *P,
        const mbedtls_ecp_point *Q, const mbedtls_mpi *d );
#endif

/**
 * \brief           Randomize projective x/z coordinates:
 *                  (X, Z) -> (l X, l Z) for random l
 *
 *                  Like mbedtls_internal_ecp_randomize_jac(), this is the
 *                  representation-blinding countermeasure of [2]; the point
 *                  itself is unchanged. \p f_rng must be a cryptographically
 *                  strong generator, otherwise the blinding gives no
 *                  protection.
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param P         The point on the curve to be randomised given with
 *                  projective coordinates. This is an input/output parameter.
 *
 * \param f_rng     A function pointer to the random number generator.
 *
 * \param p_rng     A pointer to the random number generator state.
 *
 * \return          0 if successful.
 */
#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
int mbedtls_internal_ecp_randomize_mxz( const mbedtls_ecp_group *grp,
        mbedtls_ecp_point *P, int (*f_rng)(void *, unsigned char *, size_t),
        void *p_rng );
#endif

/**
 * \brief           Normalize Montgomery x/z coordinates: X = X/Z, Z = 1.
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param P         Pointer to the point to be normalised. This is an
 *                  input/output parameter.
 *
 * \return          0 if successful.
 */
#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
int mbedtls_internal_ecp_normalize_mxz( const mbedtls_ecp_group *grp,
        mbedtls_ecp_point *P );
#endif

#endif /* ECP_MONTGOMERY */

#endif /* MBEDTLS_ECP_INTERNAL_ALT */

#endif /* ecp_internal.h */