| Janos Follath | 5f31697 | 2024-08-22 14:53:13 +0100 | [diff] [blame] | 1 | /** |
| 2 | * \file bignum_internal.h |
| 3 | * |
| 4 | * \brief Internal-only bignum public-key cryptosystem API. |
| 5 | * |
| 6 | * This file declares bignum-related functions that are to be used |
| 7 | * only from within the Mbed TLS library itself. |
| 8 | * |
| 9 | */ |
| 10 | /* |
| 11 | * Copyright The Mbed TLS Contributors |
| 12 | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
| 13 | */ |
| 14 | #ifndef MBEDTLS_BIGNUM_INTERNAL_H |
| 15 | #define MBEDTLS_BIGNUM_INTERNAL_H |
| 16 | |
| 17 | /** |
| 18 | * \brief Perform a modular exponentiation: X = A^E mod N |
| 19 | * |
| 20 | * \warning This function is not constant time with respect to \p E (the exponent). |
| 21 | * |
| 22 | * \param X The destination MPI. This must point to an initialized MPI. |
| 23 | * This must not alias E or N. |
| 24 | * \param A The base of the exponentiation. |
| 25 | * This must point to an initialized MPI. |
| 26 | * \param E The exponent MPI. This must point to an initialized MPI. |
| 27 | * \param N The base for the modular reduction. This must point to an |
| 28 | * initialized MPI. |
| 29 | * \param prec_RR A helper MPI depending solely on \p N which can be used to |
| 30 | * speed-up multiple modular exponentiations for the same value |
| 31 | * of \p N. This may be \c NULL. If it is not \c NULL, it must |
| 32 | * point to an initialized MPI. If it hasn't been used after |
| 33 | * the call to mbedtls_mpi_init(), this function will compute |
| 34 | * the helper value and store it in \p prec_RR for reuse on |
| 35 | * subsequent calls to this function. Otherwise, the function |
| 36 | * will assume that \p prec_RR holds the helper value set by a |
| 37 | * previous call to mbedtls_mpi_exp_mod(), and reuse it. |
| 38 | * |
| 39 | * \return \c 0 if successful. |
| 40 | * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. |
| 41 | * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or |
| 42 | * even, or if \c E is negative. |
| 43 | * \return Another negative error code on different kinds of failures. |
| 44 | * |
| 45 | */ |
| 46 | int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A, |
| 47 | const mbedtls_mpi *E, const mbedtls_mpi *N, |
| 48 | mbedtls_mpi *prec_RR); |
| 49 | |
| Felix Conway | bd7ede3 | 2025-08-04 11:33:48 +0100 | [diff] [blame] | 50 | /** |
| Felix Conway | d9c4c9c | 2025-08-05 14:33:32 +0100 | [diff] [blame] | 51 | * \brief A wrapper around a constant time function to compute |
| 52 | * GCD(A, N) and/or A^-1 mod N if it exists. |
| Felix Conway | bd7ede3 | 2025-08-04 11:33:48 +0100 | [diff] [blame] | 53 | * |
| Felix Conway | d9c4c9c | 2025-08-05 14:33:32 +0100 | [diff] [blame] | 54 | * \warning Requires N to be odd, and 0 <= A <= N. Additionally, if |
| 55 | * I != NULL, requires N > 1. |
| 56 | * The wrapper part of this function is not constant time. |
| Felix Conway | bd7ede3 | 2025-08-04 11:33:48 +0100 | [diff] [blame] | 57 | * |
| Felix Conway | d9c4c9c | 2025-08-05 14:33:32 +0100 | [diff] [blame] | 58 | * \note A and N must not alias each other. |
| Felix Conway | 54a94c1 | 2025-08-04 11:34:19 +0100 | [diff] [blame] | 59 | * When I == NULL (computing only the GCD), G can alias A or N. |
| 60 | * When I != NULL (computing the modular inverse), G or I can |
| 61 | * alias A, but neither of them can alias N (the modulus). |
| Felix Conway | bd7ede3 | 2025-08-04 11:33:48 +0100 | [diff] [blame] | 62 | * |
| 63 | * \param[out] G The GCD of \p A and \p N. |
| 64 | * This may be NULL, to only compute I. |
| 65 | * \param[out] I The inverse of \p A modulo \p N if it exists (that is, |
| 66 | * if \p G above is 1 on exit); indeterminate otherwise. |
| 67 | * This may be NULL, to only compute G. |
| 68 | * \param[in] A The 1st operand of GCD and number to invert. |
| 69 | * This value must be less than or equal to \p N. |
| 70 | * \param[in] N The 2nd operand of GCD and modulus for inversion. |
| 71 | * Must be odd or the results are indeterminate. |
| 72 | * |
| 73 | * \return \c 0 if successful. |
| 74 | * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. |
| Felix Conway | 54a94c1 | 2025-08-04 11:34:19 +0100 | [diff] [blame] | 75 | * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if preconditions were not |
| 76 | * met. |
| Felix Conway | bd7ede3 | 2025-08-04 11:33:48 +0100 | [diff] [blame] | 77 | */ |
| 78 | int mbedtls_mpi_gcd_modinv_odd(mbedtls_mpi *G, |
| 79 | mbedtls_mpi *I, |
| 80 | const mbedtls_mpi *A, |
| 81 | const mbedtls_mpi *N); |
| 82 | |
| Manuel Pégourié-Gonnard | 630148e | 2025-08-13 13:57:35 +0200 | [diff] [blame^] | 83 | /** |
| 84 | * \brief Modular inverse: X = A^-1 mod N with N odd |
| 85 | * |
| 86 | * \param[out] X The inverse of \p A modulo \p N on success, |
| 87 | * indeterminate otherwise. |
| 88 | * \param[in] A The number to invert. |
| 89 | * \param[in] N The modulus. Must be odd and greater than 1. |
| 90 | * |
| 91 | * \return \c 0 if successful. |
| 92 | * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. |
| 93 | * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if preconditions were not |
| 94 | * met. |
| 95 | * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if A is not invertible mod N. |
| 96 | */ |
| 97 | int mbedtls_mpi_inv_mod_odd(mbedtls_mpi *X, |
| 98 | const mbedtls_mpi *A, |
| 99 | const mbedtls_mpi *N); |
| 100 | |
| Janos Follath | 5f31697 | 2024-08-22 14:53:13 +0100 | [diff] [blame] | 101 | #endif /* bignum_internal.h */ |