Struct mbedtls_ecp_group
-
struct mbedtls_ecp_group
The ECP group structure.
We consider two types of curve equations:
Short Weierstrass:
y^2 = x^3 + A x + B mod P
(SEC1 + RFC-4492)Montgomery:
y^2 = x^3 + A x^2 + x mod P
(Curve25519, Curve448)
G
) for a prime-order subgroup is fixed.For Short Weierstrass, this subgroup is the whole curve, and its cardinality is denoted by
N
. Our code requires thatN
is an odd prime as mbedtls_ecp_mul() requires an odd number, and mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.The default implementation only initializes
A
without setting it to the authentic value for curves withA = -3
(SECP256R1, etc), in which case you need to loadA
by yourself when using domain parameters directly, for example:mbedtls_mpi_init(&A); mbedtls_ecp_group_init(&grp); CHECK_RETURN(mbedtls_ecp_group_load(&grp, grp_id)); if (mbedtls_ecp_group_a_is_minus_3(&grp)) { CHECK_RETURN(mbedtls_mpi_sub_int(&A, &grp.P, 3)); } else { CHECK_RETURN(mbedtls_mpi_copy(&A, &grp.A)); } do_something_with_a(&A); cleanup: mbedtls_mpi_free(&A); mbedtls_ecp_group_free(&grp);
For Montgomery curves, we do not store
A
, but(A + 2) / 4
, which is the quantity used in the formulas. Additionally,nbits
is not the size ofN
but the required size for private keys.If
modp
is NULL, reduction moduloP
is done using a generic algorithm. Otherwise,modp
must point to a function that takes anmbedtls_mpi
in the range of0..2^(2*pbits)-1
, and transforms it in-place to an integer which is congruent modP
to the given MPI, and is close enough topbits
in size, so that it may be efficiently brought in the 0..P-1 range by a few additions or subtractions. Therefore, it is only an approximate modular reduction. It must return 0 on success and non-zero on failure.Note
Alternative implementations of the ECP module must obey the following constraints.
Group IDs must be distinct: if two group structures have the same ID, then they must be identical.
The fields
id
,P
,A
,B
,G
,N
,pbits
andnbits
must have the same type and semantics as in the built-in implementation. They must be available for reading, but direct modification of these fields does not need to be supported. They do not need to be at the same offset in the structure.