1 /** 2 * \file ecp_internal.h 3 * 4 * \brief Function declarations for alternative implementation of elliptic curve 5 * point arithmetic. 6 */ 7 /* 8 * Copyright The Mbed TLS Contributors 9 * SPDX-License-Identifier: Apache-2.0 10 * 11 * Licensed under the Apache License, Version 2.0 (the "License"); you may 12 * not use this file except in compliance with the License. 13 * You may obtain a copy of the License at 14 * 15 * http://www.apache.org/licenses/LICENSE-2.0 16 * 17 * Unless required by applicable law or agreed to in writing, software 18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 * See the License for the specific language governing permissions and 21 * limitations under the License. 22 */ 23 24 /* 25 * References: 26 * 27 * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records. 28 * <http://cr.yp.to/ecdh/curve25519-20060209.pdf> 29 * 30 * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis 31 * for elliptic curve cryptosystems. In : Cryptographic Hardware and 32 * Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302. 33 * <http://link.springer.com/chapter/10.1007/3-540-48059-5_25> 34 * 35 * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to 36 * render ECC resistant against Side Channel Attacks. IACR Cryptology 37 * ePrint Archive, 2004, vol. 2004, p. 342. 38 * <http://eprint.iacr.org/2004/342.pdf> 39 * 40 * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters. 41 * <http://www.secg.org/sec2-v2.pdf> 42 * 43 * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic 44 * Curve Cryptography. 45 * 46 * [6] Digital Signature Standard (DSS), FIPS 186-4. 47 * <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf> 48 * 49 * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer 50 * Security (TLS), RFC 4492. 51 * <https://tools.ietf.org/search/rfc4492> 52 * 53 * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html> 54 * 55 * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory. 56 * Springer Science & Business Media, 1 Aug 2000 57 */ 58 59 #ifndef MBEDTLS_ECP_INTERNAL_H 60 #define MBEDTLS_ECP_INTERNAL_H 61 62 #if !defined(MBEDTLS_CONFIG_FILE) 63 #include "mbedtls/config.h" 64 #else 65 #include MBEDTLS_CONFIG_FILE 66 #endif 67 68 #if defined(MBEDTLS_ECP_INTERNAL_ALT) 69 70 /** 71 * \brief Indicate if the Elliptic Curve Point module extension can 72 * handle the group. 73 * 74 * \param grp The pointer to the elliptic curve group that will be the 75 * basis of the cryptographic computations. 76 * 77 * \return Non-zero if successful. 78 */ 79 unsigned char mbedtls_internal_ecp_grp_capable( const mbedtls_ecp_group *grp ); 80 81 /** 82 * \brief Initialise the Elliptic Curve Point module extension. 83 * 84 * If mbedtls_internal_ecp_grp_capable returns true for a 85 * group, this function has to be able to initialise the 86 * module for it. 87 * 88 * This module can be a driver to a crypto hardware 89 * accelerator, for which this could be an initialise function. 90 * 91 * \param grp The pointer to the group the module needs to be 92 * initialised for. 93 * 94 * \return 0 if successful. 95 */ 96 int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ); 97 98 /** 99 * \brief Frees and deallocates the Elliptic Curve Point module 100 * extension. 101 * 102 * \param grp The pointer to the group the module was initialised for. 103 */ 104 void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp ); 105 106 #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) 107 108 #if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) 109 /** 110 * \brief Randomize jacobian coordinates: 111 * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l. 112 * 113 * \param grp Pointer to the group representing the curve. 114 * 115 * \param pt The point on the curve to be randomised, given with Jacobian 116 * coordinates. 117 * 118 * \param f_rng A function pointer to the random number generator. 119 * 120 * \param p_rng A pointer to the random number generator state. 121 * 122 * \return 0 if successful. 123 */ 124 int mbedtls_internal_ecp_randomize_jac( const mbedtls_ecp_group *grp, 125 mbedtls_ecp_point *pt, int (*f_rng)(void *, unsigned char *, size_t), 126 void *p_rng ); 127 #endif 128 129 #if defined(MBEDTLS_ECP_ADD_MIXED_ALT) 130 /** 131 * \brief Addition: R = P + Q, mixed affine-Jacobian coordinates. 132 * 133 * The coordinates of Q must be normalized (= affine), 134 * but those of P don't need to. R is not normalized. 135 * 136 * This function is used only as a subrutine of 137 * ecp_mul_comb(). 138 * 139 * Special cases: (1) P or Q is zero, (2) R is zero, 140 * (3) P == Q. 141 * None of these cases can happen as intermediate step in 142 * ecp_mul_comb(): 143 * - at each step, P, Q and R are multiples of the base 144 * point, the factor being less than its order, so none of 145 * them is zero; 146 * - Q is an odd multiple of the base point, P an even 147 * multiple, due to the choice of precomputed points in the 148 * modified comb method. 149 * So branches for these cases do not leak secret information. 150 * 151 * We accept Q->Z being unset (saving memory in tables) as 152 * meaning 1. 153 * 154 * Cost in field operations if done by [5] 3.22: 155 * 1A := 8M + 3S 156 * 157 * \param grp Pointer to the group representing the curve. 158 * 159 * \param R Pointer to a point structure to hold the result. 160 * 161 * \param P Pointer to the first summand, given with Jacobian 162 * coordinates 163 * 164 * \param Q Pointer to the second summand, given with affine 165 * coordinates. 166 * 167 * \return 0 if successful. 168 */ 169 int mbedtls_internal_ecp_add_mixed( const mbedtls_ecp_group *grp, 170 mbedtls_ecp_point *R, const mbedtls_ecp_point *P, 171 const mbedtls_ecp_point *Q ); 172 #endif 173 174 /** 175 * \brief Point doubling R = 2 P, Jacobian coordinates. 176 * 177 * Cost: 1D := 3M + 4S (A == 0) 178 * 4M + 4S (A == -3) 179 * 3M + 6S + 1a otherwise 180 * when the implementation is based on the "dbl-1998-cmo-2" 181 * doubling formulas in [8] and standard optimizations are 182 * applied when curve parameter A is one of { 0, -3 }. 183 * 184 * \param grp Pointer to the group representing the curve. 185 * 186 * \param R Pointer to a point structure to hold the result. 187 * 188 * \param P Pointer to the point that has to be doubled, given with 189 * Jacobian coordinates. 190 * 191 * \return 0 if successful. 192 */ 193 #if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) 194 int mbedtls_internal_ecp_double_jac( const mbedtls_ecp_group *grp, 195 mbedtls_ecp_point *R, const mbedtls_ecp_point *P ); 196 #endif 197 198 /** 199 * \brief Normalize jacobian coordinates of an array of (pointers to) 200 * points. 201 * 202 * Using Montgomery's trick to perform only one inversion mod P 203 * the cost is: 204 * 1N(t) := 1I + (6t - 3)M + 1S 205 * (See for example Algorithm 10.3.4. in [9]) 206 * 207 * This function is used only as a subrutine of 208 * ecp_mul_comb(). 209 * 210 * Warning: fails (returning an error) if one of the points is 211 * zero! 212 * This should never happen, see choice of w in ecp_mul_comb(). 213 * 214 * \param grp Pointer to the group representing the curve. 215 * 216 * \param T Array of pointers to the points to normalise. 217 * 218 * \param t_len Number of elements in the array. 219 * 220 * \return 0 if successful, 221 * an error if one of the points is zero. 222 */ 223 #if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) 224 int mbedtls_internal_ecp_normalize_jac_many( const mbedtls_ecp_group *grp, 225 mbedtls_ecp_point *T[], size_t t_len ); 226 #endif 227 228 /** 229 * \brief Normalize jacobian coordinates so that Z == 0 || Z == 1. 230 * 231 * Cost in field operations if done by [5] 3.2.1: 232 * 1N := 1I + 3M + 1S 233 * 234 * \param grp Pointer to the group representing the curve. 235 * 236 * \param pt pointer to the point to be normalised. This is an 237 * input/output parameter. 238 * 239 * \return 0 if successful. 240 */ 241 #if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) 242 int mbedtls_internal_ecp_normalize_jac( const mbedtls_ecp_group *grp, 243 mbedtls_ecp_point *pt ); 244 #endif 245 246 #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */ 247 248 #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) 249 250 #if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) 251 int mbedtls_internal_ecp_double_add_mxz( const mbedtls_ecp_group *grp, 252 mbedtls_ecp_point *R, mbedtls_ecp_point *S, const mbedtls_ecp_point *P, 253 const mbedtls_ecp_point *Q, const mbedtls_mpi *d ); 254 #endif 255 256 /** 257 * \brief Randomize projective x/z coordinates: 258 * (X, Z) -> (l X, l Z) for random l 259 * 260 * \param grp pointer to the group representing the curve 261 * 262 * \param P the point on the curve to be randomised given with 263 * projective coordinates. This is an input/output parameter. 264 * 265 * \param f_rng a function pointer to the random number generator 266 * 267 * \param p_rng a pointer to the random number generator state 268 * 269 * \return 0 if successful 270 */ 271 #if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) 272 int mbedtls_internal_ecp_randomize_mxz( const mbedtls_ecp_group *grp, 273 mbedtls_ecp_point *P, int (*f_rng)(void *, unsigned char *, size_t), 274 void *p_rng ); 275 #endif 276 277 /** 278 * \brief Normalize Montgomery x/z coordinates: X = X/Z, Z = 1. 279 * 280 * \param grp pointer to the group representing the curve 281 * 282 * \param P pointer to the point to be normalised. This is an 283 * input/output parameter. 284 * 285 * \return 0 if successful 286 */ 287 #if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) 288 int mbedtls_internal_ecp_normalize_mxz( const mbedtls_ecp_group *grp, 289 mbedtls_ecp_point *P ); 290 #endif 291 292 #endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */ 293 294 #endif /* MBEDTLS_ECP_INTERNAL_ALT */ 295 296 #endif /* ecp_internal.h */ 297 298