lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Merged ECP improvements

Browse Source
This commit is contained in:
Paul Bakker
2013-11-26 15:19:17 +01:00
parent e4c71f0e11 96c7a92b08
commit 3209ce3692
8 changed files with 572 additions and 308 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
include/polarssl/bignum.h
View File

@ -201,6 +201,17 @@ void mpi_free( mpi *X );
*/
int mpi_grow( mpi *X, size_t nblimbs );
/**
* \brief Resize down, keeping at least the specified number of limbs
*
* \param X MPI to shrink
* \param nblimbs The minimum number of limbs to keep
*
* \return 0 if successful,
* POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
*/
int mpi_shrink( mpi *X, size_t nblimbs );
/**
* \brief Copy the contents of Y into X
*
@ -220,6 +231,26 @@ int mpi_copy( mpi *X, const mpi *Y );
*/
void mpi_swap( mpi *X, mpi *Y );
/**
* \brief Safe conditional assignement X = Y if assign is 1
*
* \param X MPI to conditionally assign to
* \param Y Value to be assigned
* \param assign 1: perform the assignment, 0: leave X untouched
*
* \return 0 if successful,
* POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
* POLARSSL_ERR_MPI_BAD_INPUT_DATA if assing is not 0 or 1
*
* \note This function is equivalent to
* if( assign ) mpi_copy( X, Y );
* except that it avoids leaking any information about whether
* the assignment was done or not (the above code may leak
* information through branch prediction and/or memory access
* patterns analysis).
*/
int mpi_safe_cond_assign( mpi *X, const mpi *Y, unsigned char assign );
/**
* \brief Set value from integer
*

32
include/polarssl/ecp.h
View File

@ -157,16 +157,16 @@ ecp_keypair;
#define POLARSSL_ECP_MAX_PT_LEN ( 2 * POLARSSL_ECP_MAX_BYTES + 1 )
/*
* Maximum window size (actually, NAF width) used for point multipliation.
* Default: 8.
* Minimum value: 2. Maximum value: 8.
* Maximum "window" size used for point multiplication.
* Default: 6.
* Minimum value: 2. Maximum value: 7.
*
* Result is an array of at most ( 1 << ( POLARSSL_ECP_WINDOW_SIZE - 1 ) )
* points used for point multiplication.
*
* Reduction in size may reduce speed for big curves.
*/
#define POLARSSL_ECP_WINDOW_SIZE 8 /**< Maximum NAF width used. */
#define POLARSSL_ECP_WINDOW_SIZE 6 /**< Maximum window size used. */
/*
* Point formats, from RFC 4492's enum ECPointFormat
@ -459,28 +459,24 @@ int ecp_sub( const ecp_group *grp, ecp_point *R,
* \param p_rng RNG parameter
*
* \return 0 if successful,
* POLARSSL_ERR_ECP_INVALID_KEY if m is not a valid privkey
* or P is not a valid pubkey,
* POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
* POLARSSL_ERR_ECP_BAD_INPUT_DATA if m < 0 of m has greater
* bit length than N, the number of points in the group.
*
* \note In order to prevent simple timing attacks, this function
* executes a constant number of operations (that is, point
* doubling and addition of distinct points) for random m in
* the allowed range.
* \note In order to prevent timing attacks, this function
* executes the exact same sequence of (base field)
* operations for any valid m. It avoids any if-branch or
* array index depending on the value of m.
*
* \note If f_rng is not NULL, it is used to randomize projective
* coordinates of indermediate results, in order to prevent
* more elaborate timing attacks relying on intermediate
* operations. (This is a prophylactic measure since no such
* attack has been published yet.) Since this contermeasure
* has very low overhead, it is recommended to always provide
* a non-NULL f_rng parameter when using secret inputs.
* \note If f_rng is not NULL, it is used to randomize intermediate
* results in order to prevent potential timing attacks
* targetting these results. It is recommended to always
* provide a non-NULL f_rng (the overhead is negligible).
*/
int ecp_mul( ecp_group *grp, ecp_point *R,
const mpi *m, const ecp_point *P,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
* \brief Check that a point is a valid public key on this curve
*