mbedtls_ecp_group Struct Reference

The ECP group structure. More...

#include <ecp.h>

Detailed Description

The ECP group structure.

We consider two types of curve equations:

• Short Weierstrass: y^2 = x^3 + A x + B mod P (SEC1 + RFC-4492)
• Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, Curve448)

In both cases, the generator (G) for a prime-order subgroup is fixed.

For Short Weierstrass, this subgroup is the whole curve, and its cardinality is denoted by N. Our code requires that N is an odd prime as mbedtls_ecp_mul() requires an odd number, and mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.

For Montgomery curves, we do not store A, but (A + 2) / 4, which is the quantity used in the formulas. Additionally, nbits is not the size of N but the required size for private keys.

If modp is NULL, reduction modulo P is done using a generic algorithm. Otherwise, modp must point to a function that takes an mbedtls_mpi in the range of 0..2^(2*pbits)-1, and transforms it in-place to an integer which is congruent mod P to the given MPI, and is close enough to pbits in size, so that it may be efficiently brought in the 0..P-1 range by a few additions or subtractions. Therefore, it is only an approximative modular reduction. It must return 0 on success and non-zero on failure.

Note:

Alternative implementations must keep the group IDs distinct. If two group structures have the same ID, then they must be identical.

Definition at line 183 of file mbedtls/mbed-crypto/inc/mbedtls/ecp.h.

Field Documentation