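/**
 * \file ecp_internal_alt.h
 *
 * \brief Function declarations for alternative implementation of elliptic curve
 * point arithmetic.
 */
/*
 * Copyright The Mbed TLS Contributors
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */

/*
 * References:
 *
 * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records.
 *     <http://cr.yp.to/ecdh/curve25519-20060209.pdf>
 *
 * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
 *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
 *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
 *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
 *
 * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
 *     render ECC resistant against Side Channel Attacks. IACR Cryptology
 *     ePrint Archive, 2004, vol. 2004, p. 342.
 *     <http://eprint.iacr.org/2004/342.pdf>
 *
 * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters.
 *     <http://www.secg.org/sec2-v2.pdf>
 *
 * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic
 *     Curve Cryptography.
 *
 * [6] Digital Signature Standard (DSS), FIPS 186-4.
 *     <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>
 *
 * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
 *     Security (TLS), RFC 4492.
 *     <https://tools.ietf.org/search/rfc4492>
 *
 * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html>
 *
 * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory.
 *     Springer Science & Business Media, 1 Aug 2000
 */

#ifndef MBEDTLS_ECP_INTERNAL_H
#define MBEDTLS_ECP_INTERNAL_H

#include "mbedtls/build_info.h"

#include <stddef.h> /* size_t, used by the f_rng callback and t_len below */

/*
 * This header is not self-contained: every prototype below uses
 * mbedtls_ecp_group, mbedtls_ecp_point or mbedtls_mpi, but the header that
 * declares those types (mbedtls/ecp.h) is not included here. Include it
 * only after that header.
 */

#if defined(MBEDTLS_ECP_INTERNAL_ALT)

/*
 * With MBEDTLS_ECP_INTERNAL_ALT defined, each function below (guarded by its
 * own *_ALT macro) takes the place of the library's built-in point
 * arithmetic. The comments document the invariants the callers guarantee
 * (for example that no intermediate point is zero in ecp_mul_comb()) and the
 * side-channel expectations that the built-in code meets; an alternative
 * implementation should preserve those properties, since the callers were
 * written assuming them.
 */

/**
 * \brief Indicate if the Elliptic Curve Point module extension can
 *        handle the group.
 *
 * \param grp The pointer to the elliptic curve group that will be the
 *            basis of the cryptographic computations.
 *
 * \return Non-zero if the extension can handle \p grp, 0 otherwise.
 */
unsigned char mbedtls_internal_ecp_grp_capable(const mbedtls_ecp_group *grp);

/**
 * \brief Initialise the Elliptic Curve Point module extension.
 *
 *        If mbedtls_internal_ecp_grp_capable returns true for a
 *        group, this function has to be able to initialise the
 *        module for it.
 *
 *        This module can be a driver to a crypto hardware
 *        accelerator, for which this could be an initialise function.
 *
 * \param grp The pointer to the group the module needs to be
 *            initialised for.
 *
 * \return 0 if successful.
 */
int mbedtls_internal_ecp_init(const mbedtls_ecp_group *grp);

/**
 * \brief Frees and deallocates the Elliptic Curve Point module
 *        extension.
 *
 * \param grp The pointer to the group the module was initialised for.
 */
void mbedtls_internal_ecp_free(const mbedtls_ecp_group *grp);

#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)

#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
/**
 * \brief Randomize jacobian coordinates:
 *        (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l.
 *
 *        The affine point is unchanged; only its projective
 *        representation is re-randomised. NOTE(review): this looks like
 *        the representation-randomisation countermeasure of [2], so an
 *        alternative implementation should not reduce it to a no-op —
 *        confirm against the calling code.
 *
 * \param grp   Pointer to the group representing the curve.
 *
 * \param pt    The point on the curve to be randomised, given with Jacobian
 *              coordinates. This is an input/output parameter.
 *
 * \param f_rng A function pointer to the random number generator. Called as
 *              f_rng(p_rng, buf, len); NOTE(review): assumed to follow the
 *              library's usual contract (fill buf, return 0 on success) —
 *              confirm.
 *
 * \param p_rng A pointer to the random number generator state.
 *
 * \return 0 if successful.
 */
int mbedtls_internal_ecp_randomize_jac(const mbedtls_ecp_group *grp,
                                       mbedtls_ecp_point *pt,
                                       int (*f_rng)(void *, unsigned char *, size_t),
                                       void *p_rng);
#endif

#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
/**
 * \brief Addition: R = P + Q, mixed affine-Jacobian coordinates.
 *
 *        The coordinates of Q must be normalized (= affine),
 *        but those of P don't need to. R is not normalized.
 *
 *        This function is used only as a subroutine of
 *        ecp_mul_comb().
 *
 *        Special cases: (1) P or Q is zero, (2) R is zero,
 *        (3) P == Q.
 *        None of these cases can happen as intermediate step in
 *        ecp_mul_comb():
 *        - at each step, P, Q and R are multiples of the base
 *          point, the factor being less than its order, so none of
 *          them is zero;
 *        - Q is an odd multiple of the base point, P an even
 *          multiple, due to the choice of precomputed points in the
 *          modified comb method.
 *        So branches for these cases do not leak secret information.
 *        Any other data-dependent branch in an alternative
 *        implementation does not enjoy this argument and must be
 *        justified separately.
 *
 *        We accept Q->Z being unset (saving memory in tables) as
 *        meaning 1.
 *
 *        Cost in field operations if done by [5] 3.22:
 *        1A := 8M + 3S
 *
 * \param grp Pointer to the group representing the curve.
 *
 * \param R   Pointer to a point structure to hold the result.
 *
 * \param P   Pointer to the first summand, given with Jacobian
 *            coordinates.
 *
 * \param Q   Pointer to the second summand, given with affine
 *            coordinates.
 *
 * \return 0 if successful.
 */
int mbedtls_internal_ecp_add_mixed(const mbedtls_ecp_group *grp,
                                   mbedtls_ecp_point *R,
                                   const mbedtls_ecp_point *P,
                                   const mbedtls_ecp_point *Q);
#endif

#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
/**
 * \brief Point doubling R = 2 P, Jacobian coordinates.
 *
 *        Cost: 1D := 3M + 4S          (A ==  0)
 *              4M + 4S          (A == -3)
 *              3M + 6S + 1a     otherwise
 *        when the implementation is based on the "dbl-1998-cmo-2"
 *        doubling formulas in [8] and standard optimizations are
 *        applied when curve parameter A is one of { 0, -3 }.
 *
 * \param grp Pointer to the group representing the curve.
 *
 * \param R   Pointer to a point structure to hold the result.
 *
 * \param P   Pointer to the point that has to be doubled, given with
 *            Jacobian coordinates.
 *
 * \return 0 if successful.
 */
int mbedtls_internal_ecp_double_jac(const mbedtls_ecp_group *grp,
                                    mbedtls_ecp_point *R,
                                    const mbedtls_ecp_point *P);
#endif

#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
/**
 * \brief Normalize jacobian coordinates of an array of (pointers to)
 *        points.
 *
 *        Using Montgomery's trick to perform only one inversion mod P
 *        the cost is:
 *        1N(t) := 1I + (6t - 3)M + 1S
 *        (See for example Algorithm 10.3.4. in [9])
 *
 *        This function is used only as a subroutine of
 *        ecp_mul_comb().
 *
 *        Warning: fails (returning an error) if one of the points is
 *        zero!
 *        This should never happen, see choice of w in ecp_mul_comb().
 *
 * \param grp   Pointer to the group representing the curve.
 *
 * \param T     Array of pointers to the points to normalise. Normalised
 *              in place.
 *
 * \param t_len Number of elements in the array.
 *
 * \return 0 if successful,
 *         an error if one of the points is zero.
 */
int mbedtls_internal_ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
                                            mbedtls_ecp_point *T[],
                                            size_t t_len);
#endif

#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
/**
 * \brief Normalize jacobian coordinates so that Z == 0 || Z == 1.
 *
 *        Cost in field operations if done by [5] 3.2.1:
 *        1N := 1I + 3M + 1S
 *
 * \param grp Pointer to the group representing the curve.
 *
 * \param pt  Pointer to the point to be normalised. This is an
 *            input/output parameter.
 *
 * \return 0 if successful.
 */
int mbedtls_internal_ecp_normalize_jac(const mbedtls_ecp_group *grp,
                                       mbedtls_ecp_point *pt);
#endif

#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */

#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)

#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
/**
 * \brief Combined double-and-add step for Montgomery curves in
 *        projective x/z coordinates.
 *
 *        NOTE(review): the original header documents nothing for this
 *        function. Judging from the parameter list it is a Montgomery
 *        ladder step — presumably R = 2P, S = P + Q, with \p d the
 *        x-coordinate of P - Q — but confirm that against the reference
 *        implementation before relying on it.
 *
 * \param grp Pointer to the group representing the curve.
 *
 * \param R   Pointer to a point structure to hold the first result
 *            (x/z coordinates).
 *
 * \param S   Pointer to a point structure to hold the second result
 *            (x/z coordinates).
 *
 * \param P   Pointer to the first input point (x/z coordinates); not
 *            modified.
 *
 * \param Q   Pointer to the second input point (x/z coordinates); not
 *            modified.
 *
 * \param d   Pointer to a field element used by the step; not modified.
 *
 * \return 0 if successful (by analogy with the other functions in this
 *         header; not stated in the original).
 */
int mbedtls_internal_ecp_double_add_mxz(const mbedtls_ecp_group *grp,
                                        mbedtls_ecp_point *R,
                                        mbedtls_ecp_point *S,
                                        const mbedtls_ecp_point *P,
                                        const mbedtls_ecp_point *Q,
                                        const mbedtls_mpi *d);
#endif

#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
/**
 * \brief Randomize projective x/z coordinates:
 *        (X, Z) -> (l X, l Z) for random l
 *
 *        The affine point is unchanged; only its projective
 *        representation is re-randomised (same remark as for
 *        mbedtls_internal_ecp_randomize_jac).
 *
 * \param grp   Pointer to the group representing the curve.
 *
 * \param P     The point on the curve to be randomised, given with
 *              projective coordinates. This is an input/output parameter.
 *
 * \param f_rng A function pointer to the random number generator. Called as
 *              f_rng(p_rng, buf, len); NOTE(review): assumed to follow the
 *              library's usual contract (fill buf, return 0 on success) —
 *              confirm.
 *
 * \param p_rng A pointer to the random number generator state.
 *
 * \return 0 if successful.
 */
int mbedtls_internal_ecp_randomize_mxz(const mbedtls_ecp_group *grp,
                                       mbedtls_ecp_point *P,
                                       int (*f_rng)(void *, unsigned char *, size_t),
                                       void *p_rng);
#endif

#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
/**
 * \brief Normalize Montgomery x/z coordinates: X = X/Z, Z = 1.
 *
 * \param grp Pointer to the group representing the curve.
 *
 * \param P   Pointer to the point to be normalised. This is an
 *            input/output parameter.
 *
 * \return 0 if successful.
 */
int mbedtls_internal_ecp_normalize_mxz(const mbedtls_ecp_group *grp,
                                       mbedtls_ecp_point *P);
#endif

#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */

#endif /* MBEDTLS_ECP_INTERNAL_ALT */

#endif /* MBEDTLS_ECP_INTERNAL_H */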