ECP group structure. More...
#include <ecp.h>
Data Fields | |
| ecp_group_id | id |
| mpi | P |
| mpi | A |
| mpi | B |
| ecp_point | G |
| mpi | N |
| size_t | pbits |
| size_t | nbits |
| unsigned int | h |
| int(* | modp )(mpi *) |
| int(* | t_pre )(ecp_point *, void *) |
| int(* | t_post )(ecp_point *, void *) |
| void * | t_data |
| ecp_point * | T |
| size_t | T_size |
Detailed Description
ECP group structure.
We consider two types of curves equations:
- Short Weierstrass y^2 = x^3 + A x + B mod P (SEC1 + RFC 4492)
- Montgomery, y^2 = x^3 + A x^2 + x mod P (M255 + draft) In both cases, a generator G for a prime-order subgroup is fixed. In the short weierstrass, this subgroup is actually the whole curve, and its cardinal is denoted by N.
In the case of Short Weierstrass curves, our code requires that N is an odd prime. (Use odd in ecp_mul() and prime in ecdsa_sign() for blinding.)
In the case of Montgomery curves, we don't store A but (A + 2) / 4 which is the quantity actually used in the formulas. Also, nbits is not the size of N but the required size for private keys.
If modp is NULL, reduction modulo P is done using a generic algorithm. Otherwise, it must point to a function that takes an mpi in the range 0..2^(2*pbits)-1 and transforms it in-place in an integer of little more than pbits, so that the integer may be efficiently brought in the 0..P-1 range by a few additions or substractions. It must return 0 on success and non-zero on failure.
Field Documentation
◆ A
◆ B
◆ G
◆ h
| unsigned int ecp_group::h |
◆ id
| ecp_group_id ecp_group::id |
◆ modp
| int(* ecp_group::modp) (mpi *) |
◆ N
◆ nbits
| size_t ecp_group::nbits |
◆ P
◆ pbits
◆ T
| ecp_point* ecp_group::T |
◆ t_data
◆ t_post
◆ t_pre
◆ T_size
The documentation for this struct was generated from the following file:
Generated on Tue Feb 18 2025 20:02:20 for PolarSSL v1.3.9 by
1.12.0