mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-03-31 01:20:35 +00:00
Improve doc on special use of A in ecp group structure
Signed-off-by: Chien Wong <m@xv97.com>
This commit is contained in:
parent
3b5e8aa05c
commit
153ae464db
@ -196,6 +196,23 @@ mbedtls_ecp_point;
|
||||
* cardinality is denoted by \p N. Our code requires that \p N is an
|
||||
* odd prime as mbedtls_ecp_mul() requires an odd number, and
|
||||
* mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.
|
||||
* The default implementation only initializes \p A without setting it to the
|
||||
* authentic value for curves with <code>A = -3</code>(SECP256R1, etc), in which
|
||||
* case you need to load and free \p A by yourself when using domain parameters
|
||||
* directly, for example:
|
||||
* \code
|
||||
* mbedtls_ecp_group_init(&grp);
|
||||
* CHECK_RETURN(mbedtls_ecp_group_load(&grp, grp_id));
|
||||
* if (mbedtls_ecp_group_a_is_minus_3(&grp)) {
|
||||
* CHECK_RETURN(mbedtls_mpi_sub_int(&grp.A, &grp.P, 3);
|
||||
* }
|
||||
*
|
||||
* access_grp_A_etc(&grp);
|
||||
*
|
||||
* cleanup:
|
||||
* mbedtls_mpi_free(&grp.A);
|
||||
* mbedtls_ecp_group_free(&grp);
|
||||
* \endcode
|
||||
*
|
||||
* For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>,
|
||||
* which is the quantity used in the formulas. Additionally, \p nbits is
|
||||
@ -223,8 +240,11 @@ mbedtls_ecp_point;
|
||||
typedef struct mbedtls_ecp_group {
|
||||
mbedtls_ecp_group_id id; /*!< An internal group identifier. */
|
||||
mbedtls_mpi P; /*!< The prime modulus of the base field. */
|
||||
mbedtls_mpi A; /*!< For Short Weierstrass: \p A in the equation. For
|
||||
Montgomery curves: <code>(A + 2) / 4</code>. */
|
||||
mbedtls_mpi A; /*!< For Short Weierstrass: \p A in the equation. Note that
|
||||
\p A is not set to the authentic value in some cases.
|
||||
For Montgomery curves: <code>(A + 2) / 4</code>.
|
||||
Refer to detailed description of mbedtls_ecp_group if
|
||||
using domain parameters in the structure. */
|
||||
mbedtls_mpi B; /*!< For Short Weierstrass: \p B in the equation.
|
||||
For Montgomery curves: unused. */
|
||||
mbedtls_ecp_point G; /*!< The generator of the subgroup used. */
|
||||
@ -991,6 +1011,26 @@ int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
||||
mbedtls_ecp_restart_ctx *rs_ctx);
|
||||
|
||||
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
|
||||
/**
|
||||
* \brief This function checks if domain parameter A of the curve is
|
||||
* \c -3.
|
||||
*
|
||||
* \note This function is only defined for short Weierstrass curves.
|
||||
* It may not be included in builds without any short
|
||||
* Weierstrass curve.
|
||||
*
|
||||
* \param grp The ECP group to use.
|
||||
* This must be initialized and have group parameters
|
||||
* set, for example through mbedtls_ecp_group_load().
|
||||
*
|
||||
* \return \c 1 if <code>A = -3</code>.
|
||||
* \return \c 0 Otherwise.
|
||||
*/
|
||||
static inline int mbedtls_ecp_group_a_is_minus_3(const mbedtls_ecp_group *grp)
|
||||
{
|
||||
return grp->A.MBEDTLS_PRIVATE(p) == NULL;
|
||||
}
|
||||
|
||||
/**
|
||||
* \brief This function performs multiplication and addition of two
|
||||
* points by integers: \p R = \p m * \p P + \p n * \p Q
|
||||
|
@ -1255,7 +1255,7 @@ static int ecp_sw_rhs(const mbedtls_ecp_group *grp,
|
||||
MPI_ECP_SQR(rhs, X);
|
||||
|
||||
/* Special case for A = -3 */
|
||||
if (grp->A.p == NULL) {
|
||||
if (mbedtls_ecp_group_a_is_minus_3(grp)) {
|
||||
MPI_ECP_SUB_INT(rhs, rhs, 3);
|
||||
} else {
|
||||
MPI_ECP_ADD(rhs, rhs, &grp->A);
|
||||
@ -1526,7 +1526,7 @@ static int ecp_double_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
/* Special case for A = -3 */
|
||||
if (grp->A.p == NULL) {
|
||||
if (mbedtls_ecp_group_a_is_minus_3(grp)) {
|
||||
/* tmp[0] <- M = 3(X + Z^2)(X - Z^2) */
|
||||
MPI_ECP_SQR(&tmp[1], &P->Z);
|
||||
MPI_ECP_ADD(&tmp[2], &P->X, &tmp[1]);
|
||||
|
Loading…
x
Reference in New Issue
Block a user