/**
 * \file ecp_internal_alt.h
 *
 * \brief Function declarations for alternative implementation of elliptic curve
 *        point arithmetic.
 */
/*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */

/*
 * References:
 *
 * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records.
 *     <http://cr.yp.to/ecdh/curve25519-20060209.pdf>
 *
 * [2] CORON, Jean-Sébastien. Resistance against differential power analysis
 *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
 *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
 *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
 *
 * [3] HEDABOU, Mustapha, PINEL, Pierre, et BÉNÉTEAU, Lucien. A comb method to
 *     render ECC resistant against Side Channel Attacks. IACR Cryptology
 *     ePrint Archive, 2004, vol. 2004, p. 342.
 *     <http://eprint.iacr.org/2004/342.pdf>
 *
 * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters.
 *     <http://www.secg.org/sec2-v2.pdf>
 *
 * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic
 *     Curve Cryptography.
 *
 * [6] Digital Signature Standard (DSS), FIPS 186-4.
 *     <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>
 *
 * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
 *     Security (TLS), RFC 4492.
 *     <https://tools.ietf.org/search/rfc4492>
 *
 * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html>
 *
 * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory.
 *     Springer Science & Business Media, 1 Aug 2000
 */

#ifndef MBEDTLS_ECP_INTERNAL_H
#define MBEDTLS_ECP_INTERNAL_H

#include "mbedtls/build_info.h"

#if defined(MBEDTLS_ECP_INTERNAL_ALT)

/**
 * \brief           Indicate if the Elliptic Curve Point module extension can
 *                  handle the group.
 *
 * \param grp       The pointer to the elliptic curve group that will be the
 *                  basis of the cryptographic computations.
 *
 * \return          Non-zero if successful.
 */
unsigned char mbedtls_internal_ecp_grp_capable(const mbedtls_ecp_group *grp);

/**
 * \brief           Initialise the Elliptic Curve Point module extension.
 *
 *                  If mbedtls_internal_ecp_grp_capable returns true for a
 *                  group, this function has to be able to initialise the
 *                  module for it.
 *
 *                  This module can be a driver to a crypto hardware
 *                  accelerator, for which this could be an initialise function.
 *
 * \param grp       The pointer to the group the module needs to be
 *                  initialised for.
 *
 * \return          0 if successful.
 */
int mbedtls_internal_ecp_init(const mbedtls_ecp_group *grp);

/**
 * \brief           Frees and deallocates the Elliptic Curve Point module
 *                  extension.
 *
 * \param grp       The pointer to the group the module was initialised for.
 */
void mbedtls_internal_ecp_free(const mbedtls_ecp_group *grp);

#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)

#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
/**
 * \brief           Randomize Jacobian coordinates:
 *                  (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l.
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param pt        The point on the curve to be randomised, given with Jacobian
 *                  coordinates.
 *
 * \param f_rng     A function pointer to the random number generator.
 *
 * \param p_rng     A pointer to the random number generator state.
 *
 * \return          0 if successful.
 */
int mbedtls_internal_ecp_randomize_jac(const mbedtls_ecp_group *grp,
                                       mbedtls_ecp_point *pt,
                                       int (*f_rng)(void *, unsigned char *, size_t),
                                       void *p_rng);
#endif

#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
/**
 * \brief           Addition: R = P + Q, mixed affine-Jacobian coordinates.
 *
 *                  The coordinates of Q must be normalized (= affine),
 *                  but those of P don't need to be. R is not normalized.
 *
 *                  This function is used only as a subroutine of
 *                  ecp_mul_comb().
 *
 *                  Special cases: (1) P or Q is zero, (2) R is zero,
 *                  (3) P == Q.
 *                  None of these cases can happen as an intermediate step in
 *                  ecp_mul_comb():
 *                  - at each step, P, Q and R are multiples of the base
 *                    point, the factor being less than its order, so none of
 *                    them is zero;
 *                  - Q is an odd multiple of the base point, P an even
 *                    multiple, due to the choice of precomputed points in the
 *                    modified comb method.
 *                  So branches for these cases do not leak secret information.
 *
 *                  We accept Q->Z being unset (saving memory in tables) as
 *                  meaning 1.
 *
 *                  Cost in field operations if done by [5] 3.22:
 *                      1A := 8M + 3S
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param R         Pointer to a point structure to hold the result.
 *
 * \param P         Pointer to the first summand, given with Jacobian
 *                  coordinates.
 *
 * \param Q         Pointer to the second summand, given with affine
 *                  coordinates.
 *
 * \return          0 if successful.
 */
int mbedtls_internal_ecp_add_mixed(const mbedtls_ecp_group *grp,
                                   mbedtls_ecp_point *R, const mbedtls_ecp_point *P,
                                   const mbedtls_ecp_point *Q);
#endif

/**
 * \brief           Point doubling R = 2 P, Jacobian coordinates.
 *
 *                  Cost:   1D := 3M + 4S          (A ==  0)
 *                          4M + 4S          (A == -3)
 *                          3M + 6S + 1a     otherwise
 *                  when the implementation is based on the "dbl-1998-cmo-2"
 *                  doubling formulas in [8] and standard optimizations are
 *                  applied when curve parameter A is one of { 0, -3 }.
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param R         Pointer to a point structure to hold the result.
 *
 * \param P         Pointer to the point that has to be doubled, given with
 *                  Jacobian coordinates.
 *
 * \return          0 if successful.
 */
#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
int mbedtls_internal_ecp_double_jac(const mbedtls_ecp_group *grp,
                                    mbedtls_ecp_point *R, const mbedtls_ecp_point *P);
#endif

/**
 * \brief           Normalize Jacobian coordinates of an array of (pointers to)
 *                  points.
 *
 *                  Using Montgomery's trick to perform only one inversion mod P
 *                  the cost is:
 *                      1N(t) := 1I + (6t - 3)M + 1S
 *                  (See for example Algorithm 10.3.4. in [9])
 *
 *                  This function is used only as a subroutine of
 *                  ecp_mul_comb().
 *
 *                  Warning: fails (returning an error) if one of the points is
 *                  zero!
 *                  This should never happen, see choice of w in ecp_mul_comb().
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param T         Array of pointers to the points to normalise.
 *
 * \param t_len     Number of elements in the array.
 *
 * \return          0 if successful,
 *                  an error if one of the points is zero.
 */
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
int mbedtls_internal_ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
                                            mbedtls_ecp_point *T[], size_t t_len);
#endif

/**
 * \brief           Normalize Jacobian coordinates so that Z == 0 || Z == 1.
 *
 *                  Cost in field operations if done by [5] 3.2.1:
 *                      1N := 1I + 3M + 1S
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param pt        Pointer to the point to be normalised. This is an
 *                  input/output parameter.
 *
 * \return          0 if successful.
 */
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
int mbedtls_internal_ecp_normalize_jac(const mbedtls_ecp_group *grp,
                                       mbedtls_ecp_point *pt);
#endif

#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */

#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)

#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
int mbedtls_internal_ecp_double_add_mxz(const mbedtls_ecp_group *grp,
                                        mbedtls_ecp_point *R,
                                        mbedtls_ecp_point *S,
                                        const mbedtls_ecp_point *P,
                                        const mbedtls_ecp_point *Q,
                                        const mbedtls_mpi *d);
#endif

/**
 * \brief           Randomize projective x/z coordinates:
 *                  (X, Z) -> (l X, l Z) for random l
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param P         The point on the curve to be randomised, given with
 *                  projective coordinates. This is an input/output parameter.
 *
 * \param f_rng     A function pointer to the random number generator.
 *
 * \param p_rng     A pointer to the random number generator state.
 *
 * \return          0 if successful.
 */
#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
int mbedtls_internal_ecp_randomize_mxz(const mbedtls_ecp_group *grp,
                                       mbedtls_ecp_point *P,
                                       int (*f_rng)(void *, unsigned char *, size_t),
                                       void *p_rng);
#endif

/**
 * \brief           Normalize Montgomery x/z coordinates: X = X/Z, Z = 1.
 *
 * \param grp       Pointer to the group representing the curve.
 *
 * \param P         Pointer to the point to be normalised. This is an
 *                  input/output parameter.
 *
 * \return          0 if successful.
 */
#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
int mbedtls_internal_ecp_normalize_mxz(const mbedtls_ecp_group *grp,
                                       mbedtls_ecp_point *P);
#endif

#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */

#endif /* MBEDTLS_ECP_INTERNAL_ALT */

#endif /* ecp_internal_alt.h */
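The Jacobian randomisation (X, Y, Z) -> (l^2 X, l^3 Y, l Z) and the one-inversion batch normalisation that the declarations above document, worked through as an added stand-alone example (not Mbed TLS code): it uses a constructed 32-bit toy prime field and plain uint64_t arithmetic in place of mbedtls_mpi, and returns an error on a zero Z exactly as the header warns. Randomising a point and then normalising it recovers the same affine coordinates, which is why the blinding in [2] costs nothing in correctness.

```c
#include <stdint.h>
#include <stddef.h>
/* Toy field p = 2^32 - 5 (prime), constructed for illustration only; elements
 * stay reduced so a*b < 2^64. Jacobian point: x = X/Z^2, y = Y/Z^3. */
#define P 4294967291ULL
typedef uint64_t fe;
typedef struct { fe X, Y, Z; } jac_pt;
static fe fmul(fe a, fe b) { return (a * b) % P; }
static fe finv(fe a) {                 /* Fermat: a^(p-2) mod p, a != 0 */
    fe r = 1, e = P - 2;
    for (; e; e >>= 1, a = fmul(a, a)) if (e & 1) r = fmul(r, a);
    return r;
}
/* (X, Y, Z) -> (l^2 X, l^3 Y, l Z): same affine point, fresh representation. */
static void randomize_jac(jac_pt *pt, fe l) {
    fe l2 = fmul(l, l);
    pt->X = fmul(pt->X, l2);
    pt->Y = fmul(pt->Y, fmul(l2, l));
    pt->Z = fmul(pt->Z, l);
}
/* Montgomery's trick: normalise t >= 1 points with a single inversion using a
 * t-entry scratch array. Returns -1 and leaves T untouched if any Z is zero. */
static int normalize_jac_many(jac_pt *T, size_t t, fe *scratch) {
    size_t i; fe u;
    for (i = 0; i < t; i++) {
        if (T[i].Z == 0) return -1;
        scratch[i] = i ? fmul(scratch[i - 1], T[i].Z) : T[i].Z; /* Z_0 ... Z_i */
    }
    u = finv(scratch[t - 1]);                        /* the only inversion */
    for (i = t; i-- > 0;) {
        fe zi = i ? fmul(u, scratch[i - 1]) : u;     /* Z_i^-1 */
        fe zi2 = fmul(zi, zi);
        if (i) u = fmul(u, T[i].Z);                  /* now (Z_0 ... Z_{i-1})^-1 */
        T[i].X = fmul(T[i].X, zi2);
        T[i].Y = fmul(T[i].Y, fmul(zi2, zi));
        T[i].Z = 1;
    }
    return 0;
}
/* Constructed check: affine (4,6), (2,9), (10,3) stored with Z = 3, 5, 7; the
 * second is re-randomised first. Returns 1 if all recovered and zero Z rejected. */
static int demo_check(void) {
    jac_pt T[3] = { {36, 162, 3}, {50, 1125, 5}, {490, 1029, 7} }, bad = {1, 1, 0};
    fe scratch[3];
    randomize_jac(&T[1], 123456789);
    if (normalize_jac_many(T, 3, scratch) != 0) return 0;
    if (T[0].X != 4 || T[0].Y != 6 || T[1].X != 2 || T[1].Y != 9) return 0;
    if (T[2].X != 10 || T[2].Y != 3 || T[2].Z != 1) return 0;
    return normalize_jac_many(&bad, 1, scratch) == -1;
}
```

The inner loop performs three field multiplications per point plus the products accumulated on the way in, which is where the (6t - 3)M term in the header's cost figure comes from once the squaring is counted separately.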