Mbed OS Reference
mbedtls_ecp_group Struct Reference

The ECP group structure.

#include <ecp.h>

Data Fields

mbedtls_ecp_group_id id
mbedtls_mpi P
mbedtls_mpi A
mbedtls_mpi B
mbedtls_ecp_point G
mbedtls_mpi N
size_t pbits
size_t nbits
int(* modp )(mbedtls_mpi *)
int(* t_pre )(mbedtls_ecp_point *, void *)
int(* t_post )(mbedtls_ecp_point *, void *)
void * t_data
mbedtls_ecp_point * T
size_t T_size

Detailed Description

The ECP group structure.

We consider two types of curve equations:

  • Short Weierstrass: y^2 = x^3 + A x + B mod P (SEC1 + RFC-4492)
  • Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, Curve448)

In both cases, the generator (G) for a prime-order subgroup is fixed.

For Short Weierstrass, this subgroup is the whole curve, and its cardinality is denoted by N. Our code requires that N is an odd prime as mbedtls_ecp_mul() requires an odd number, and mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.

For Montgomery curves, we do not store A, but (A + 2) / 4, which is the quantity used in the formulas. Additionally, nbits is not the size of N but the required size for private keys.

If modp is NULL, reduction modulo P is done using a generic algorithm. Otherwise, modp must point to a function that takes an mbedtls_mpi in the range 0..2^(2*pbits)-1 and transforms it in place into an integer that is congruent mod P to the given MPI and close enough to pbits in size that it can be efficiently brought into the 0..P-1 range by a few additions or subtractions. It is therefore only an approximate modular reduction. It must return 0 on success and non-zero on failure.
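The modp contract described above, as an added example that is not Mbed TLS code: it uses a plain 64-bit integer in place of an mbedtls_mpi and a toy prime P = 2^31 - 1 with pbits = 31. The names toy_modp, reduce_full, TOY_P and TOY_PBITS are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy field (assumption, not an Mbed TLS curve): P = 2^31 - 1, pbits = 31. */
#define TOY_PBITS 31u
#define TOY_P ((UINT64_C(1) << TOY_PBITS) - 1)

/* modp-style pseudo-reduction on a plain integer instead of an mbedtls_mpi.
 * Input must lie in 0..2^(2*pbits)-1. Because 2^31 == 1 (mod P), folding the
 * high half onto the low half keeps the value congruent mod P.
 * Edits *x in place; returns 0 on success, non-zero on failure. */
static int toy_modp(uint64_t *x)
{
    if (*x >> (2 * TOY_PBITS))
        return -1;                          /* outside the documented range */
    *x = (*x >> TOY_PBITS) + (*x & TOY_P);  /* at most 2P: may still be >= P */
    return 0;
}

/* Caller side: bring the pseudo-reduced value into 0..P-1 with a few
 * subtractions, counting them in *steps. */
static int reduce_full(uint64_t *x, unsigned *steps)
{
    int ret = toy_modp(x);
    if (ret != 0)
        return ret;
    for (*steps = 0; *x >= TOY_P; ++*steps)
        *x -= TOY_P;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a product of two field elements, the largest
     * allowed input, and a value that is already reduced. */
    uint64_t in[] = { (TOY_P - 1) * (TOY_P - 1), (UINT64_C(1) << 62) - 1, 12345 };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        uint64_t x = in[i];
        unsigned steps = 0;
        if (reduce_full(&x, &steps) != 0)
            return 1;
        printf("%llu mod P = %llu (%u subtractions)\n",
               (unsigned long long)in[i], (unsigned long long)x, steps);
    }
    return 0;
}
```

The largest allowed input, 2^62 - 1, folds to exactly 2P, so the caller needs two subtractions to reach the canonical value 0; a modp output must never be compared or serialized before that final step.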

Note
Alternative implementations must keep the group IDs distinct. If two group structures have the same ID, then they must be identical.

Definition at line 222 of file mbedtls/include/mbedtls/ecp.h.

Field Documentation

◆ id

An internal group identifier.

Definition at line 224 of file mbedtls/include/mbedtls/ecp.h.

◆ P

The prime modulus of the base field.

Definition at line 225 of file mbedtls/include/mbedtls/ecp.h.

◆ A

For Short Weierstrass: A in the equation. For Montgomery curves: (A + 2) / 4.

Definition at line 226 of file mbedtls/include/mbedtls/ecp.h.

◆ B

For Short Weierstrass: B in the equation. For Montgomery curves: unused.

Definition at line 228 of file mbedtls/include/mbedtls/ecp.h.

◆ G

The generator of the subgroup used.

Definition at line 230 of file mbedtls/include/mbedtls/ecp.h.

◆ N

The order of G.

Definition at line 231 of file mbedtls/include/mbedtls/ecp.h.

◆ pbits

size_t pbits

The number of bits in P.

Definition at line 232 of file mbedtls/include/mbedtls/ecp.h.

◆ nbits

size_t nbits

For Short Weierstrass: The number of bits in P. For Montgomery curves: the number of bits in the private keys.

Definition at line 233 of file mbedtls/include/mbedtls/ecp.h.

◆ modp

int(* modp) (mbedtls_mpi *)

The function for fast pseudo-reduction mod P (see above).

Definition at line 237 of file mbedtls/include/mbedtls/ecp.h.

◆ t_pre

int(* t_pre) (mbedtls_ecp_point *, void *)

Unused.

Definition at line 239 of file mbedtls/include/mbedtls/ecp.h.

◆ t_post

int(* t_post) (mbedtls_ecp_point *, void *)

Unused.

Definition at line 240 of file mbedtls/include/mbedtls/ecp.h.

◆ t_data

void* t_data

Unused.

Definition at line 241 of file mbedtls/include/mbedtls/ecp.h.

◆ T

Pre-computed points for ecp_mul_comb().

Definition at line 242 of file mbedtls/include/mbedtls/ecp.h.

◆ T_size

size_t T_size

The number of pre-computed points.

Definition at line 243 of file mbedtls/include/mbedtls/ecp.h.