/* * mbed Microcontroller Library * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * Copyright (C) 2019 Cypress Semiconductor Corporation * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /** * \file * \version 1.0 * * \brief This file provides an API for Elliptic Curves over GF(P) (ECP). * * The use of ECP in cryptography and TLS is defined in * <em>Standards for Efficient Cryptography Group (SECG): SEC1 * Elliptic Curve Cryptography</em> and * <em>RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites * for Transport Layer Security (TLS)</em>. * * <em>RFC-2409: The Internet Key Exchange (IKE)</em> defines ECP * group types. * */ #ifndef ECP_ALT_H #define ECP_ALT_H #include "bignum.h" #ifdef __cplusplus extern "C" { #endif #if defined(MBEDTLS_ECP_ALT) #include "cy_crypto_core_ecc.h" /* * default mbed TLS elliptic curve arithmetic implementation * * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an * alternative implementation for the whole module and it will replace this * one.) */ /** * \brief The ECP group structure. * * We consider two types of curve equations: * <ul><li>Short Weierstrass: <code>y^2 = x^3 + A x + B mod P</code> * (SEC1 + RFC-4492)</li> * <li>Montgomery: <code>y^2 = x^3 + A x^2 + x mod P</code> (Curve25519, * Curve448)</li></ul> * In both cases, the generator (\p G) for a prime-order subgroup is fixed. * * For Short Weierstrass, this subgroup is the whole curve, and its * cardinality is denoted by \p N. Our code requires that \p N is an * odd prime as mbedtls_ecp_mul() requires an odd number, and * mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. * * For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>, * which is the quantity used in the formulas. Additionally, \p nbits is * not the size of \p N but the required size for private keys. * * If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. * Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the * range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer * which is congruent mod \p P to the given MPI, and is close enough to \p pbits * in size, so that it may be efficiently brought in the 0..P-1 range by a few * additions or subtractions. Therefore, it is only an approximative modular * reduction. It must return 0 on success and non-zero on failure. * */ typedef struct mbedtls_ecp_group { mbedtls_ecp_group_id id; /*!< An internal group identifier. */ mbedtls_mpi P; /*!< The prime modulus of the base field. */ mbedtls_mpi A; /*!< For Short Weierstrass: \p A in the equation. For Montgomery curves: <code>(A + 2) / 4</code>. */ mbedtls_mpi B; /*!< For Short Weierstrass: \p B in the equation. For Montgomery curves: unused. */ mbedtls_ecp_point G; /*!< The generator of the subgroup used. */ mbedtls_mpi N; /*!< The order of \p G. */ size_t pbits; /*!< The number of bits in \p P.*/ size_t nbits; /*!< For Short Weierstrass: The number of bits in \p P. For Montgomery curves: the number of bits in the private keys. */ unsigned int h; /*!< \internal 1 if the constants are static. */ int (*modp)(mbedtls_mpi *); /*!< The function for fast pseudo-reduction mod \p P (see above).*/ int (*t_pre)(mbedtls_ecp_point *, void *); /*!< Unused. */ int (*t_post)(mbedtls_ecp_point *, void *); /*!< Unused. */ void *t_data; /*!< Unused. */ mbedtls_ecp_point *T; /*!< Pre-computed points for ecp_mul_comb(). */ size_t T_size; /*!< The number of pre-computed points. */ } mbedtls_ecp_group; #define MBEDTLS_ECP_BUDGET( ops ) /* no-op; for compatibility */ /* We want to declare restartable versions of existing functions anyway */ typedef void mbedtls_ecp_restart_ctx; /** * \name SECTION: Module settings * * The configuration options you can set for this module are in this section. * Either change them in config.h, or define them using the compiler command line. * \{ */ #if !defined(MBEDTLS_ECP_MAX_BITS) /** * The maximum size of the groups, that is, of \c N and \c P. */ #define MBEDTLS_ECP_MAX_BITS 521 /**< The maximum size of groups, in bits. */ #endif #define MBEDTLS_ECP_MAX_BYTES ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 ) #define MBEDTLS_ECP_MAX_PT_LEN ( 2 * MBEDTLS_ECP_MAX_BYTES + 1 ) #if !defined(MBEDTLS_ECP_WINDOW_SIZE) /* * Maximum "window" size used for point multiplication. * Default: 6. * Minimum value: 2. Maximum value: 7. * * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) ) * points used for point multiplication. This value is directly tied to EC * peak memory usage, so decreasing it by one should roughly cut memory usage * by two (if large curves are in use). * * Reduction in size may reduce speed, but larger curves are impacted first. * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1): * w-size: 6 5 4 3 2 * 521 145 141 135 120 97 * 384 214 209 198 177 146 * 256 320 320 303 262 226 * 224 475 475 453 398 342 * 192 640 640 633 587 476 */ #define MBEDTLS_ECP_WINDOW_SIZE 6 /**< The maximum window size used. */ #endif /* MBEDTLS_ECP_WINDOW_SIZE */ #if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM) /* * Trade memory for speed on fixed-point multiplication. * * This speeds up repeated multiplication of the generator (that is, the * multiplication in ECDSA signatures, and half of the multiplications in * ECDSA verification and ECDHE) by a factor roughly 3 to 4. * * The cost is increasing EC peak memory usage by a factor roughly 2. * * Change this value to 0 to reduce peak memory usage. */ #define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up. */ #endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */ /* \} name SECTION: Module settings */ cy_en_crypto_ecc_curve_id_t cy_get_dp_idx(mbedtls_ecp_group_id gid); #endif /* MBEDTLS_ECP_ALT */ #ifdef __cplusplus } #endif #endif /* ecp_alt.h */