| Janos Follath | 5f31697 | 2024-08-22 14:53:13 +0100 | [diff] [blame] | 1 | /** | 
|  | 2 | * \file bignum_internal.h | 
|  | 3 | * | 
|  | 4 | * \brief Internal-only bignum public-key cryptosystem API. | 
|  | 5 | * | 
|  | 6 | * This file declares bignum-related functions that are to be used | 
|  | 7 | * only from within the Mbed TLS library itself. | 
|  | 8 | * | 
|  | 9 | */ | 
|  | 10 | /* | 
|  | 11 | *  Copyright The Mbed TLS Contributors | 
|  | 12 | *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later | 
|  | 13 | */ | 
|  | 14 | #ifndef MBEDTLS_BIGNUM_INTERNAL_H | 
|  | 15 | #define MBEDTLS_BIGNUM_INTERNAL_H | 
|  | 16 |  | 
|  | 17 | /** | 
|  | 18 | * \brief          Perform a modular exponentiation: X = A^E mod N | 
|  | 19 | * | 
|  | 20 | * \warning        This function is not constant time with respect to \p E (the exponent). | 
|  | 21 | * | 
|  | 22 | * \param X        The destination MPI. This must point to an initialized MPI. | 
|  | 23 | *                 This must not alias E or N. | 
|  | 24 | * \param A        The base of the exponentiation. | 
|  | 25 | *                 This must point to an initialized MPI. | 
|  | 26 | * \param E        The exponent MPI. This must point to an initialized MPI. | 
|  | 27 | * \param N        The base for the modular reduction. This must point to an | 
|  | 28 | *                 initialized MPI. | 
|  | 29 | * \param prec_RR  A helper MPI depending solely on \p N which can be used to | 
|  | 30 | *                 speed-up multiple modular exponentiations for the same value | 
|  | 31 | *                 of \p N. This may be \c NULL. If it is not \c NULL, it must | 
|  | 32 | *                 point to an initialized MPI. If it hasn't been used after | 
|  | 33 | *                 the call to mbedtls_mpi_init(), this function will compute | 
|  | 34 | *                 the helper value and store it in \p prec_RR for reuse on | 
|  | 35 | *                 subsequent calls to this function. Otherwise, the function | 
|  | 36 | *                 will assume that \p prec_RR holds the helper value set by a | 
|  | 37 | *                 previous call to mbedtls_mpi_exp_mod(), and reuse it. | 
|  | 38 | * | 
|  | 39 | * \return         \c 0 if successful. | 
|  | 40 | * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. | 
|  | 41 | * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or | 
|  | 42 | *                 even, or if \c E is negative. | 
|  | 43 | * \return         Another negative error code on different kinds of failures. | 
|  | 44 | * | 
|  | 45 | */ | 
|  | 46 | int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A, | 
|  | 47 | const mbedtls_mpi *E, const mbedtls_mpi *N, | 
|  | 48 | mbedtls_mpi *prec_RR); | 
|  | 49 |  | 
| Felix Conway | bd7ede3 | 2025-08-04 11:33:48 +0100 | [diff] [blame] | 50 | /** | 
| Felix Conway | d9c4c9c | 2025-08-05 14:33:32 +0100 | [diff] [blame] | 51 | * \brief          A wrapper around a constant time function to compute | 
|  | 52 | *                 GCD(A, N) and/or A^-1 mod N if it exists. | 
| Felix Conway | bd7ede3 | 2025-08-04 11:33:48 +0100 | [diff] [blame] | 53 | * | 
| Felix Conway | d9c4c9c | 2025-08-05 14:33:32 +0100 | [diff] [blame] | 54 | * \warning        Requires N to be odd, and 0 <= A <= N. Additionally, if | 
|  | 55 | *                 I != NULL, requires N > 1. | 
|  | 56 | *                 The wrapper part of this function is not constant time. | 
| Felix Conway | bd7ede3 | 2025-08-04 11:33:48 +0100 | [diff] [blame] | 57 | * | 
| Felix Conway | d9c4c9c | 2025-08-05 14:33:32 +0100 | [diff] [blame] | 58 | * \note           A and N must not alias each other. | 
| Felix Conway | 54a94c1 | 2025-08-04 11:34:19 +0100 | [diff] [blame] | 59 | *                 When I == NULL (computing only the GCD), G can alias A or N. | 
|  | 60 | *                 When I != NULL (computing the modular inverse), G or I can | 
|  | 61 | *                 alias A, but neither of them can alias N (the modulus). | 
| Felix Conway | bd7ede3 | 2025-08-04 11:33:48 +0100 | [diff] [blame] | 62 | * | 
|  | 63 | * \param[out] G   The GCD of \p A and \p N. | 
|  | 64 | *                 This may be NULL, to only compute I. | 
|  | 65 | * \param[out] I   The inverse of \p A modulo \p N if it exists (that is, | 
|  | 66 | *                 if \p G above is 1 on exit); indeterminate otherwise. | 
|  | 67 | *                 This may be NULL, to only compute G. | 
|  | 68 | * \param[in] A    The 1st operand of GCD and number to invert. | 
|  | 69 | *                 This value must be less than or equal to \p N. | 
|  | 70 | * \param[in] N    The 2nd operand of GCD and modulus for inversion. | 
|  | 71 | *                 Must be odd or the results are indeterminate. | 
|  | 72 | * | 
|  | 73 | * \return         \c 0 if successful. | 
|  | 74 | * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. | 
| Felix Conway | 54a94c1 | 2025-08-04 11:34:19 +0100 | [diff] [blame] | 75 | * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if preconditions were not | 
|  | 76 | *                 met. | 
| Felix Conway | bd7ede3 | 2025-08-04 11:33:48 +0100 | [diff] [blame] | 77 | */ | 
|  | 78 | int mbedtls_mpi_gcd_modinv_odd(mbedtls_mpi *G, | 
|  | 79 | mbedtls_mpi *I, | 
|  | 80 | const mbedtls_mpi *A, | 
|  | 81 | const mbedtls_mpi *N); | 
|  | 82 |  | 
| Manuel Pégourié-Gonnard | 630148e | 2025-08-13 13:57:35 +0200 | [diff] [blame] | 83 | /** | 
|  | 84 | * \brief          Modular inverse: X = A^-1 mod N with N odd | 
|  | 85 | * | 
|  | 86 | * \param[out] X   The inverse of \p A modulo \p N on success, | 
|  | 87 | *                 indeterminate otherwise. | 
|  | 88 | * \param[in] A    The number to invert. | 
|  | 89 | * \param[in] N    The modulus. Must be odd and greater than 1. | 
|  | 90 | * | 
|  | 91 | * \return         \c 0 if successful. | 
|  | 92 | * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. | 
|  | 93 | * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if preconditions were not | 
|  | 94 | *                 met. | 
|  | 95 | * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if A is not invertible mod N. | 
|  | 96 | */ | 
|  | 97 | int mbedtls_mpi_inv_mod_odd(mbedtls_mpi *X, | 
|  | 98 | const mbedtls_mpi *A, | 
|  | 99 | const mbedtls_mpi *N); | 
|  | 100 |  | 
| Manuel Pégourié-Gonnard | 9e1c532 | 2025-08-13 14:14:19 +0200 | [diff] [blame] | 101 | /** | 
|  | 102 | * \brief          Modular inverse: X = A^-1 mod N with N even, | 
|  | 103 | *                 A odd and 1 < A < N. | 
|  | 104 | * | 
|  | 105 | * \param[out] X   The inverse of \p A modulo \p N on success, | 
|  | 106 | *                 indeterminate otherwise. | 
|  | 107 | * \param[in] A    The number to invert. Must be odd, greated than 1 | 
|  | 108 | *                 and less than \p N. | 
|  | 109 | * \param[in] N    The modulus. Must be even and greater than 1. | 
|  | 110 | * | 
|  | 111 | * \return         \c 0 if successful. | 
|  | 112 | * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. | 
|  | 113 | * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if preconditions were not | 
|  | 114 | *                 met. | 
|  | 115 | * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if A is not invertible mod N. | 
|  | 116 | */ | 
|  | 117 | int mbedtls_mpi_inv_mod_even_in_range(mbedtls_mpi *X, | 
|  | 118 | mbedtls_mpi const *A, | 
|  | 119 | mbedtls_mpi const *N); | 
|  | 120 |  | 
| Janos Follath | 5f31697 | 2024-08-22 14:53:13 +0100 | [diff] [blame] | 121 | #endif /* bignum_internal.h */ |