Add the Labs projects provided in the V10.2.1_191129 zip file.

[freertos] / FreeRTOS-Labs / Source / mbedtls / include / mbedtls / ecp_internal.h

/**\r
 * \file ecp_internal.h\r
 *\r
 * \brief Function declarations for alternative implementation of elliptic curve\r
 * point arithmetic.\r
 */\r
/*\r
 *  Copyright (C) 2016, ARM Limited, All Rights Reserved\r
 *  SPDX-License-Identifier: Apache-2.0\r
 *\r
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may\r
 *  not use this file except in compliance with the License.\r
 *  You may obtain a copy of the License at\r
 *\r
 *  http://www.apache.org/licenses/LICENSE-2.0\r
 *\r
 *  Unless required by applicable law or agreed to in writing, software\r
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\r
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
 *  See the License for the specific language governing permissions and\r
 *  limitations under the License.\r
 *\r
 *  This file is part of mbed TLS (https://tls.mbed.org)\r
 */\r
\r
/*\r
 * References:\r
 *\r
 * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records.\r
 *     <http://cr.yp.to/ecdh/curve25519-20060209.pdf>\r
 *\r
 * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis\r
 *     for elliptic curve cryptosystems. In : Cryptographic Hardware and\r
 *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.\r
 *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>\r
 *\r
 * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to\r
 *     render ECC resistant against Side Channel Attacks. IACR Cryptology\r
 *     ePrint Archive, 2004, vol. 2004, p. 342.\r
 *     <http://eprint.iacr.org/2004/342.pdf>\r
 *\r
 * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters.\r
 *     <http://www.secg.org/sec2-v2.pdf>\r
 *\r
 * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic\r
 *     Curve Cryptography.\r
 *\r
 * [6] Digital Signature Standard (DSS), FIPS 186-4.\r
 *     <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>\r
 *\r
 * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer\r
 *     Security (TLS), RFC 4492.\r
 *     <https://tools.ietf.org/search/rfc4492>\r
 *\r
 * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html>\r
 *\r
 * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory.\r
 *     Springer Science & Business Media, 1 Aug 2000\r
 */\r
\r
#ifndef MBEDTLS_ECP_INTERNAL_H\r
#define MBEDTLS_ECP_INTERNAL_H\r
\r
#if !defined(MBEDTLS_CONFIG_FILE)\r
#include "config.h"\r
#else\r
#include MBEDTLS_CONFIG_FILE\r
#endif\r
\r
#if defined(MBEDTLS_ECP_INTERNAL_ALT)\r
\r
/**\r
 * \brief           Indicate if the Elliptic Curve Point module extension can\r
 *                  handle the group.\r
 *\r
 * \param grp       The pointer to the elliptic curve group that will be the\r
 *                  basis of the cryptographic computations.\r
 *\r
 * \return          Non-zero if successful.\r
 */\r
unsigned char mbedtls_internal_ecp_grp_capable( const mbedtls_ecp_group *grp );\r
\r
/**\r
 * \brief           Initialise the Elliptic Curve Point module extension.\r
 *\r
 *                  If mbedtls_internal_ecp_grp_capable returns true for a\r
 *                  group, this function has to be able to initialise the\r
 *                  module for it.\r
 *\r
 *                  This module can be a driver to a crypto hardware\r
 *                  accelerator, for which this could be an initialise function.\r
 *\r
 * \param grp       The pointer to the group the module needs to be\r
 *                  initialised for.\r
 *\r
 * \return          0 if successful.\r
 */\r
int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp );\r
\r
/**\r
 * \brief           Frees and deallocates the Elliptic Curve Point module\r
 *                  extension.\r
 *\r
 * \param grp       The pointer to the group the module was initialised for.\r
 */\r
void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp );\r
\r
#if defined(ECP_SHORTWEIERSTRASS)\r
\r
#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)\r
/**\r
 * \brief           Randomize jacobian coordinates:\r
 *                  (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l.\r
 *\r
 * \param grp       Pointer to the group representing the curve.\r
 *\r
 * \param pt        The point on the curve to be randomised, given with Jacobian\r
 *                  coordinates.\r
 *\r
 * \param f_rng     A function pointer to the random number generator.\r
 *\r
 * \param p_rng     A pointer to the random number generator state.\r
 *\r
 * \return          0 if successful.\r
 */\r
int mbedtls_internal_ecp_randomize_jac( const mbedtls_ecp_group *grp,\r
        mbedtls_ecp_point *pt, int (*f_rng)(void *, unsigned char *, size_t),\r
        void *p_rng );\r
#endif\r
\r
#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)\r
/**\r
 * \brief           Addition: R = P + Q, mixed affine-Jacobian coordinates.\r
 *\r
 *                  The coordinates of Q must be normalized (= affine),\r
 *                  but those of P don't need to. R is not normalized.\r
 *\r
 *                  This function is used only as a subrutine of\r
 *                  ecp_mul_comb().\r
 *\r
 *                  Special cases: (1) P or Q is zero, (2) R is zero,\r
 *                      (3) P == Q.\r
 *                  None of these cases can happen as intermediate step in\r
 *                  ecp_mul_comb():\r
 *                      - at each step, P, Q and R are multiples of the base\r
 *                      point, the factor being less than its order, so none of\r
 *                      them is zero;\r
 *                      - Q is an odd multiple of the base point, P an even\r
 *                      multiple, due to the choice of precomputed points in the\r
 *                      modified comb method.\r
 *                  So branches for these cases do not leak secret information.\r
 *\r
 *                  We accept Q->Z being unset (saving memory in tables) as\r
 *                  meaning 1.\r
 *\r
 *                  Cost in field operations if done by [5] 3.22:\r
 *                      1A := 8M + 3S\r
 *\r
 * \param grp       Pointer to the group representing the curve.\r
 *\r
 * \param R         Pointer to a point structure to hold the result.\r
 *\r
 * \param P         Pointer to the first summand, given with Jacobian\r
 *                  coordinates\r
 *\r
 * \param Q         Pointer to the second summand, given with affine\r
 *                  coordinates.\r
 *\r
 * \return          0 if successful.\r
 */\r
int mbedtls_internal_ecp_add_mixed( const mbedtls_ecp_group *grp,\r
        mbedtls_ecp_point *R, const mbedtls_ecp_point *P,\r
        const mbedtls_ecp_point *Q );\r
#endif\r
\r
/**\r
 * \brief           Point doubling R = 2 P, Jacobian coordinates.\r
 *\r
 *                  Cost:   1D := 3M + 4S    (A ==  0)\r
 *                          4M + 4S          (A == -3)\r
 *                          3M + 6S + 1a     otherwise\r
 *                  when the implementation is based on the "dbl-1998-cmo-2"\r
 *                  doubling formulas in [8] and standard optimizations are\r
 *                  applied when curve parameter A is one of { 0, -3 }.\r
 *\r
 * \param grp       Pointer to the group representing the curve.\r
 *\r
 * \param R         Pointer to a point structure to hold the result.\r
 *\r
 * \param P         Pointer to the point that has to be doubled, given with\r
 *                  Jacobian coordinates.\r
 *\r
 * \return          0 if successful.\r
 */\r
#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)\r
int mbedtls_internal_ecp_double_jac( const mbedtls_ecp_group *grp,\r
        mbedtls_ecp_point *R, const mbedtls_ecp_point *P );\r
#endif\r
\r
/**\r
 * \brief           Normalize jacobian coordinates of an array of (pointers to)\r
 *                  points.\r
 *\r
 *                  Using Montgomery's trick to perform only one inversion mod P\r
 *                  the cost is:\r
 *                      1N(t) := 1I + (6t - 3)M + 1S\r
 *                  (See for example Algorithm 10.3.4. in [9])\r
 *\r
 *                  This function is used only as a subrutine of\r
 *                  ecp_mul_comb().\r
 *\r
 *                  Warning: fails (returning an error) if one of the points is\r
 *                  zero!\r
 *                  This should never happen, see choice of w in ecp_mul_comb().\r
 *\r
 * \param grp       Pointer to the group representing the curve.\r
 *\r
 * \param T         Array of pointers to the points to normalise.\r
 *\r
 * \param t_len     Number of elements in the array.\r
 *\r
 * \return          0 if successful,\r
 *                      an error if one of the points is zero.\r
 */\r
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)\r
int mbedtls_internal_ecp_normalize_jac_many( const mbedtls_ecp_group *grp,\r
        mbedtls_ecp_point *T[], size_t t_len );\r
#endif\r
\r
/**\r
 * \brief           Normalize jacobian coordinates so that Z == 0 || Z == 1.\r
 *\r
 *                  Cost in field operations if done by [5] 3.2.1:\r
 *                      1N := 1I + 3M + 1S\r
 *\r
 * \param grp       Pointer to the group representing the curve.\r
 *\r
 * \param pt        pointer to the point to be normalised. This is an\r
 *                  input/output parameter.\r
 *\r
 * \return          0 if successful.\r
 */\r
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)\r
int mbedtls_internal_ecp_normalize_jac( const mbedtls_ecp_group *grp,\r
        mbedtls_ecp_point *pt );\r
#endif\r
\r
#endif /* ECP_SHORTWEIERSTRASS */\r
\r
#if defined(ECP_MONTGOMERY)\r
\r
#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)\r
int mbedtls_internal_ecp_double_add_mxz( const mbedtls_ecp_group *grp,\r
        mbedtls_ecp_point *R, mbedtls_ecp_point *S, const mbedtls_ecp_point *P,\r
        const mbedtls_ecp_point *Q, const mbedtls_mpi *d );\r
#endif\r
\r
/**\r
 * \brief           Randomize projective x/z coordinates:\r
 *                      (X, Z) -> (l X, l Z) for random l\r
 *\r
 * \param grp       pointer to the group representing the curve\r
 *\r
 * \param P         the point on the curve to be randomised given with\r
 *                  projective coordinates. This is an input/output parameter.\r
 *\r
 * \param f_rng     a function pointer to the random number generator\r
 *\r
 * \param p_rng     a pointer to the random number generator state\r
 *\r
 * \return          0 if successful\r
 */\r
#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)\r
int mbedtls_internal_ecp_randomize_mxz( const mbedtls_ecp_group *grp,\r
        mbedtls_ecp_point *P, int (*f_rng)(void *, unsigned char *, size_t),\r
        void *p_rng );\r
#endif\r
\r
/**\r
 * \brief           Normalize Montgomery x/z coordinates: X = X/Z, Z = 1.\r
 *\r
 * \param grp       pointer to the group representing the curve\r
 *\r
 * \param P         pointer to the point to be normalised. This is an\r
 *                  input/output parameter.\r
 *\r
 * \return          0 if successful\r
 */\r
#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)\r
int mbedtls_internal_ecp_normalize_mxz( const mbedtls_ecp_group *grp,\r
        mbedtls_ecp_point *P );\r
#endif\r
\r
#endif /* ECP_MONTGOMERY */\r
\r
#endif /* MBEDTLS_ECP_INTERNAL_ALT */\r
\r
#endif /* ecp_internal.h */\r
\r