Move some bignum functions to internal header

We will need a couple of low level functions to implement safe unblinding in RSA. Signed-off-by: Janos Follath <janos.follath@arm.com>
2025-11-21 12:40:51 +03:00 · 2024-01-08 14:08:17 +00:00
parent 404160a533
commit f9cc4763f1
2 changed files with 63 additions and 44 deletions
--- a/library/bignum_internal.h
+++ b/library/bignum_internal.h
@@ -28,4 +28,44 @@
 int mbedtls_mpi_get_mont_r2_unsafe(mbedtls_mpi *X,
                                   const mbedtls_mpi *N);

+/**
+ * \brief Calculate initialisation value for fast Montgomery modular
+ *        multiplication.
+ *
+ * \param[out] mm   The initialisation value for fast Montgomery modular
+ *                  multiplication.
+ * \param[in]  N    Little-endian presentation of the modulus. This must have
+ *                  at least one limb.
+ */
+void mbedtls_mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N);
+
+/** Montgomery multiplication: A = A * B * R^-1 mod N  (HAC 14.36)
+ *
+ * \param[in,out]   A   One of the numbers to multiply.
+ *                      It must have at least as many limbs as N
+ *                      (A->n >= N->n), and any limbs beyond n are ignored.
+ *                      On successful completion, A contains the result of
+ *                      the multiplication A * B * R^-1 mod N where
+ *                      R = (2^ciL)^n.
+ * \param[in]       B   One of the numbers to multiply.
+ *                      It must be nonzero and must not have more limbs than N
+ *                      (B->n <= N->n).
+ * \param[in]       N   The modulo. N must be odd.
+ * \param           mm  The value calculated by
+ *                      `mbedtls_mpi_montg_init(&mm, N)`.
+ *                      This is -N^-1 mod 2^ciL.
+ * \param[in,out]   T   A bignum for temporary storage.
+ *                      It must be at least twice the limb size of N plus 2
+ *                      (T->n >= 2 * (N->n + 1)).
+ *                      Its initial content is unused and
+ *                      its final content is indeterminate.
+ *                      Note that unlike the usual convention in the library
+ *                      for `const mbedtls_mpi*`, the content of T can change.
+ */
+void mbedtls_mpi_montmul(mbedtls_mpi *A,
+                         const mbedtls_mpi *B,
+                         const mbedtls_mpi *N,
+                         mbedtls_mpi_uint mm,
+                         const mbedtls_mpi *T);
+
 #endif /* MBEDTLS_BIGNUM_INTERNAL_H */