1
/**
2
 * \file ecp_internal_alt.h
3
 *
4
 * \brief Function declarations for alternative implementation of elliptic curve
5
 * point arithmetic.
6
 */
7
/*
8
 *  Copyright The Mbed TLS Contributors
9
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10
 */
11

12
/*
13
 * References:
14
 *
15
 * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records.
16
 *     <http://cr.yp.to/ecdh/curve25519-20060209.pdf>
17
 *
18
 * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
19
 *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
20
 *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
21
 *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
22
 *
23
 * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
24
 *     render ECC resistant against Side Channel Attacks. IACR Cryptology
25
 *     ePrint Archive, 2004, vol. 2004, p. 342.
26
 *     <http://eprint.iacr.org/2004/342.pdf>
27
 *
28
 * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters.
29
 *     <http://www.secg.org/sec2-v2.pdf>
30
 *
31
 * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic
32
 *     Curve Cryptography.
33
 *
34
 * [6] Digital Signature Standard (DSS), FIPS 186-4.
35
 *     <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>
36
 *
37
 * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
38
 *     Security (TLS), RFC 4492.
39
 *     <https://tools.ietf.org/search/rfc4492>
40
 *
41
 * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html>
42
 *
43
 * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory.
44
 *     Springer Science & Business Media, 1 Aug 2000
45
 */
46

47
#ifndef MBEDTLS_ECP_INTERNAL_H
48
#define MBEDTLS_ECP_INTERNAL_H
49

50
#include "mbedtls/build_info.h"
51

52
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
53

54
/**
55
 * \brief           Indicate if the Elliptic Curve Point module extension can
56
 *                  handle the group.
57
 *
58
 * \param grp       The pointer to the elliptic curve group that will be the
59
 *                  basis of the cryptographic computations.
60
 *
61
 * \return          Non-zero if successful.
62
 */
63
unsigned char mbedtls_internal_ecp_grp_capable(const mbedtls_ecp_group *grp);
64

65
/**
66
 * \brief           Initialise the Elliptic Curve Point module extension.
67
 *
68
 *                  If mbedtls_internal_ecp_grp_capable returns true for a
69
 *                  group, this function has to be able to initialise the
70
 *                  module for it.
71
 *
72
 *                  This module can be a driver to a crypto hardware
73
 *                  accelerator, for which this could be an initialise function.
74
 *
75
 * \param grp       The pointer to the group the module needs to be
76
 *                  initialised for.
77
 *
78
 * \return          0 if successful.
79
 */
80
int mbedtls_internal_ecp_init(const mbedtls_ecp_group *grp);
81

82
/**
83
 * \brief           Frees and deallocates the Elliptic Curve Point module
84
 *                  extension.
85
 *
86
 * \param grp       The pointer to the group the module was initialised for.
87
 */
88
void mbedtls_internal_ecp_free(const mbedtls_ecp_group *grp);
89

90
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
91

92
#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
93
/**
94
 * \brief           Randomize jacobian coordinates:
95
 *                  (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l.
96
 *
97
 * \param grp       Pointer to the group representing the curve.
98
 *
99
 * \param pt        The point on the curve to be randomised, given with Jacobian
100
 *                  coordinates.
101
 *
102
 * \param f_rng     A function pointer to the random number generator.
103
 *
104
 * \param p_rng     A pointer to the random number generator state.
105
 *
106
 * \return          0 if successful.
107
 */
108
int mbedtls_internal_ecp_randomize_jac(const mbedtls_ecp_group *grp,
109
                                       mbedtls_ecp_point *pt, int (*f_rng)(void *,
110
                                                                           unsigned char *,
111
                                                                           size_t),
112
                                       void *p_rng);
113
#endif
114

115
#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
116
/**
117
 * \brief           Addition: R = P + Q, mixed affine-Jacobian coordinates.
118
 *
119
 *                  The coordinates of Q must be normalized (= affine),
120
 *                  but those of P don't need to. R is not normalized.
121
 *
122
 *                  This function is used only as a subrutine of
123
 *                  ecp_mul_comb().
124
 *
125
 *                  Special cases: (1) P or Q is zero, (2) R is zero,
126
 *                      (3) P == Q.
127
 *                  None of these cases can happen as intermediate step in
128
 *                  ecp_mul_comb():
129
 *                      - at each step, P, Q and R are multiples of the base
130
 *                      point, the factor being less than its order, so none of
131
 *                      them is zero;
132
 *                      - Q is an odd multiple of the base point, P an even
133
 *                      multiple, due to the choice of precomputed points in the
134
 *                      modified comb method.
135
 *                  So branches for these cases do not leak secret information.
136
 *
137
 *                  We accept Q->Z being unset (saving memory in tables) as
138
 *                  meaning 1.
139
 *
140
 *                  Cost in field operations if done by [5] 3.22:
141
 *                      1A := 8M + 3S
142
 *
143
 * \param grp       Pointer to the group representing the curve.
144
 *
145
 * \param R         Pointer to a point structure to hold the result.
146
 *
147
 * \param P         Pointer to the first summand, given with Jacobian
148
 *                  coordinates
149
 *
150
 * \param Q         Pointer to the second summand, given with affine
151
 *                  coordinates.
152
 *
153
 * \return          0 if successful.
154
 */
155
int mbedtls_internal_ecp_add_mixed(const mbedtls_ecp_group *grp,
156
                                   mbedtls_ecp_point *R, const mbedtls_ecp_point *P,
157
                                   const mbedtls_ecp_point *Q);
158
#endif
159

160
/**
161
 * \brief           Point doubling R = 2 P, Jacobian coordinates.
162
 *
163
 *                  Cost:   1D := 3M + 4S    (A ==  0)
164
 *                          4M + 4S          (A == -3)
165
 *                          3M + 6S + 1a     otherwise
166
 *                  when the implementation is based on the "dbl-1998-cmo-2"
167
 *                  doubling formulas in [8] and standard optimizations are
168
 *                  applied when curve parameter A is one of { 0, -3 }.
169
 *
170
 * \param grp       Pointer to the group representing the curve.
171
 *
172
 * \param R         Pointer to a point structure to hold the result.
173
 *
174
 * \param P         Pointer to the point that has to be doubled, given with
175
 *                  Jacobian coordinates.
176
 *
177
 * \return          0 if successful.
178
 */
179
#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
180
int mbedtls_internal_ecp_double_jac(const mbedtls_ecp_group *grp,
181
                                    mbedtls_ecp_point *R, const mbedtls_ecp_point *P);
182
#endif
183

184
/**
185
 * \brief           Normalize jacobian coordinates of an array of (pointers to)
186
 *                  points.
187
 *
188
 *                  Using Montgomery's trick to perform only one inversion mod P
189
 *                  the cost is:
190
 *                      1N(t) := 1I + (6t - 3)M + 1S
191
 *                  (See for example Algorithm 10.3.4. in [9])
192
 *
193
 *                  This function is used only as a subrutine of
194
 *                  ecp_mul_comb().
195
 *
196
 *                  Warning: fails (returning an error) if one of the points is
197
 *                  zero!
198
 *                  This should never happen, see choice of w in ecp_mul_comb().
199
 *
200
 * \param grp       Pointer to the group representing the curve.
201
 *
202
 * \param T         Array of pointers to the points to normalise.
203
 *
204
 * \param t_len     Number of elements in the array.
205
 *
206
 * \return          0 if successful,
207
 *                      an error if one of the points is zero.
208
 */
209
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
210
int mbedtls_internal_ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
211
                                            mbedtls_ecp_point *T[], size_t t_len);
212
#endif
213

214
/**
215
 * \brief           Normalize jacobian coordinates so that Z == 0 || Z == 1.
216
 *
217
 *                  Cost in field operations if done by [5] 3.2.1:
218
 *                      1N := 1I + 3M + 1S
219
 *
220
 * \param grp       Pointer to the group representing the curve.
221
 *
222
 * \param pt        pointer to the point to be normalised. This is an
223
 *                  input/output parameter.
224
 *
225
 * \return          0 if successful.
226
 */
227
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
228
int mbedtls_internal_ecp_normalize_jac(const mbedtls_ecp_group *grp,
229
                                       mbedtls_ecp_point *pt);
230
#endif
231

232
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
233

234
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
235

236
#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
237
int mbedtls_internal_ecp_double_add_mxz(const mbedtls_ecp_group *grp,
238
                                        mbedtls_ecp_point *R,
239
                                        mbedtls_ecp_point *S,
240
                                        const mbedtls_ecp_point *P,
241
                                        const mbedtls_ecp_point *Q,
242
                                        const mbedtls_mpi *d);
243
#endif
244

245
/**
246
 * \brief           Randomize projective x/z coordinates:
247
 *                      (X, Z) -> (l X, l Z) for random l
248
 *
249
 * \param grp       pointer to the group representing the curve
250
 *
251
 * \param P         the point on the curve to be randomised given with
252
 *                  projective coordinates. This is an input/output parameter.
253
 *
254
 * \param f_rng     a function pointer to the random number generator
255
 *
256
 * \param p_rng     a pointer to the random number generator state
257
 *
258
 * \return          0 if successful
259
 */
260
#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
261
int mbedtls_internal_ecp_randomize_mxz(const mbedtls_ecp_group *grp,
262
                                       mbedtls_ecp_point *P, int (*f_rng)(void *,
263
                                                                          unsigned char *,
264
                                                                          size_t),
265
                                       void *p_rng);
266
#endif
267

268
/**
269
 * \brief           Normalize Montgomery x/z coordinates: X = X/Z, Z = 1.
270
 *
271
 * \param grp       pointer to the group representing the curve
272
 *
273
 * \param P         pointer to the point to be normalised. This is an
274
 *                  input/output parameter.
275
 *
276
 * \return          0 if successful
277
 */
278
#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
279
int mbedtls_internal_ecp_normalize_mxz(const mbedtls_ecp_group *grp,
280
                                       mbedtls_ecp_point *P);
281
#endif
282

283
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
284

285
#endif /* MBEDTLS_ECP_INTERNAL_ALT */
286

287
#endif /* ecp_internal_alt.h */
288

289