Software APIs
ecc.h
Go to the documentation of this file.
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_ECC_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_ECC_H_
7 
8 #include "datatypes.h"
9 
10 /**
11  * @file
12  * @brief Elliptic curve operations for OpenTitan cryptography library.
13  *
14  * Includes ECDSA, ECDH, Ed25519, and X25519.
15  */
16 
17 #ifdef __cplusplus
18 extern "C" {
19 #endif // __cplusplus
20 
21 /**
22  * Enum to define EdDSA mode for signature.
23  *
24  * Values are hardened.
25  */
26 typedef enum otcrypto_eddsa_sign_mode {
27  // Signature mode EdDSA.
28  kOtcryptoEddsaSignModeEddsa = 0xae1,
29  // Signature mode Hashed EdDSA.
30  kOtcryptoEddsaSignModeHashEddsa = 0x9a6,
31 } otcrypto_eddsa_sign_mode_t;
32 
33 /**
34  * Struct for domain parameters of a custom Weierstrass curve.
35  */
36 typedef struct otcrypto_ecc_domain {
37  // Prime P (modulus of coordinate finite field).
38  otcrypto_const_byte_buf_t p;
39  // Coefficient a.
40  otcrypto_const_byte_buf_t a;
41  // Coefficient b.
42  otcrypto_const_byte_buf_t b;
43  // q (order of G).
44  otcrypto_const_byte_buf_t q;
45  // Value of x coordinate of G (basepoint). Same length as p.
46  const uint32_t *gx;
47  // Value of y coordinate of G (basepoint). Same length as p.
48  const uint32_t *gy;
49  // Cofactor of the curve.
50  const uint32_t cofactor;
51  // Checksum value of the parameters.
52  uint32_t checksum;
53 } otcrypto_ecc_domain_t;
54 
55 /**
56  * Enum to define the type of elliptic curve used for the operation.
57  *
58  * Values are hardened.
59  */
60 typedef enum otcrypto_ecc_curve_type {
61  // Generic Weierstrass curve, with custom domain parameters.
62  kOtcryptoEccCurveTypeCustom = 0xbf7,
63  // Named Weierstrass curve - NIST P256.
64  kOtcryptoEccCurveTypeNistP256 = 0xec8,
65  // Named Weierstrass curve - NIST P384.
66  kOtcryptoEccCurveTypeNistP384 = 0x1bc,
67  // Named Weierstrass curve - Brainpool P256r1.
68  kEccCurveTypeBrainpoolP256R1 = 0xc1e,
69 } otcrypto_ecc_curve_type_t;
70 
71 /**
72  * Struct for ECC curve used for ECDSA / ECDH operation.
73  *
74  * Values are hardened.
75  */
76 typedef struct otcrypto_ecc_curve {
77  // Type of the Weierstrass curve, custom curve or named curve.
78  otcrypto_ecc_curve_type_t curve_type;
79  // Domain parameters for a custom Weierstrass curve. May be NULL for a named
80  // curve.
81  const otcrypto_ecc_domain_t *const domain_parameter;
82 } otcrypto_ecc_curve_t;
83 
84 /**
85  * Generates a key pair for ECDSA with curve P-256.
86  *
87  * The caller should allocate and partially populate the blinded key struct,
88  * including populating the key configuration and allocating space for the
89  * keyblob. For a hardware-backed key, use the private key handle returned by
90  * `otcrypto_hw_backed_key`. Otherwise, the mode should indicate ECDSA with
91  * P-256 and the keyblob should be 80 bytes. The value in the `checksum` field
92  * of the blinded key struct will be populated by the key generation function.
93  *
94  * @param[out] private_key Pointer to the blinded private key (d) struct.
95  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
96  * @return Result of the ECDSA key generation.
97  */
98 OT_WARN_UNUSED_RESULT
99 otcrypto_status_t otcrypto_ecdsa_p256_keygen(
100  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
101 
102 /**
103  * Generates a key pair for ECDSA with curve P-384.
104  *
105  * The caller should allocate and partially populate the blinded key struct,
106  * including populating the key configuration and allocating space for the
107  * keyblob. For a hardware-backed key, use the private key handle returned by
108  * `otcrypto_hw_backed_key`. Otherwise, the mode should indicate ECDSA with
109  * P-384 and the keyblob should be 112 bytes. The value in the `checksum` field
110  * of the blinded key struct will be populated by the key generation function.
111  *
112  * @param[out] private_key Pointer to the blinded private key (d) struct.
113  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
114  * @return Result of the ECDSA key generation.
115  */
116 OT_WARN_UNUSED_RESULT
117 otcrypto_status_t otcrypto_ecdsa_p384_keygen(
118  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
119 
120 /**
121  * Generates an ECDSA signature with curve P-256.
122  *
123  * The message digest must be exactly 256 bits (32 bytes) long, but may use any
124  * hash mode. The caller is responsible for ensuring that the security
125  * strength of the hash function is at least equal to the security strength of
126  * the curve, but in some cases it may be truncated. See FIPS 186-5 for
127  * details.
128  *
129  * @param private_key Pointer to the blinded private key (d) struct.
130  * @param message_digest Message digest to be signed (pre-hashed).
131  * @param[out] signature Pointer to the signature struct with (r,s) values.
132  * @return Result of the ECDSA signature generation.
133  */
134 OT_WARN_UNUSED_RESULT
135 otcrypto_status_t otcrypto_ecdsa_p256_sign(
136  const otcrypto_blinded_key_t *private_key,
137  const otcrypto_hash_digest_t message_digest,
138  otcrypto_word32_buf_t signature);
139 
140 /**
141  * Generates an ECDSA signature with curve P-384.
142 
143  * The message digest must be exactly 384 bits (48 bytes) long, but may use any
144  * hash mode. The caller is responsible for ensuring that the security
145  * strength of the hash function is at least equal to the security strength of
146  * the curve, but in some cases it may be truncated. See FIPS 186-5 for
147  * details.
148  *
149  * @param private_key Pointer to the blinded private key (d) struct.
150  * @param message_digest Message digest to be signed (pre-hashed).
151  * @param[out] signature Pointer to the signature struct with (r,s) values.
152  * @return Result of the ECDSA signature generation.
153  */
154 OT_WARN_UNUSED_RESULT
155 otcrypto_status_t otcrypto_ecdsa_p384_sign(
156  const otcrypto_blinded_key_t *private_key,
157  const otcrypto_hash_digest_t message_digest,
158  otcrypto_word32_buf_t signature);
159 
160 /**
161  * Verifies an ECDSA/P-256 signature.
162  *
163  * The message digest must be exactly 256 bits (32 bytes) long, but may use any
164  * hash mode. The caller is responsible for ensuring that the security
165  * strength of the hash function is at least equal to the security strength of
166  * the curve, but in some cases it may be truncated. See FIPS 186-5 for
167  * details.
168  *
169  * The caller must check the `verification_result` parameter, NOT only the
170  * returned status code, to know if the signature passed verification. The
171  * status code, as for other operations, only indicates whether errors were
172  * encountered, and may return OK even when the signature is invalid.
173  *
174  * @param public_key Pointer to the unblinded public key (Q) struct.
175  * @param message_digest Message digest to be verified (pre-hashed).
176  * @param signature Pointer to the signature to be verified.
177  * @param[out] verification_result Whether the signature passed verification.
178  * @return Result of the ECDSA verification operation.
179  */
180 OT_WARN_UNUSED_RESULT
181 otcrypto_status_t otcrypto_ecdsa_p256_verify(
182  const otcrypto_unblinded_key_t *public_key,
183  const otcrypto_hash_digest_t message_digest,
184  otcrypto_const_word32_buf_t signature,
185  hardened_bool_t *verification_result);
186 
187 /**
188  * Verifies an ECDSA/P-384 signature.
189  *
190  * The message digest must be exactly 384 bits (48 bytes) long, but may use any
191  * hash mode. The caller is responsible for ensuring that the security
192  * strength of the hash function is at least equal to the security strength of
193  * the curve, but in some cases it may be truncated. See FIPS 186-5 for
194  * details.
195  *
196  * The caller must check the `verification_result` parameter, NOT only the
197  * returned status code, to know if the signature passed verification. The
198  * status code, as for other operations, only indicates whether errors were
199  * encountered, and may return OK even when the signature is invalid.
200  *
201  * @param public_key Pointer to the unblinded public key (Q) struct.
202  * @param message_digest Message digest to be verified (pre-hashed).
203  * @param signature Pointer to the signature to be verified.
204  * @param[out] verification_result Whether the signature passed verification.
205  * @return Result of the ECDSA verification operation.
206  */
207 OT_WARN_UNUSED_RESULT
208 otcrypto_status_t otcrypto_ecdsa_p384_verify(
209  const otcrypto_unblinded_key_t *public_key,
210  const otcrypto_hash_digest_t message_digest,
211  otcrypto_const_word32_buf_t signature,
212  hardened_bool_t *verification_result);
213 
214 /**
215  * Generates a key pair for ECDH with curve P-256.
216  *
217  * The caller should allocate and partially populate the blinded key struct,
218  * including populating the key configuration and allocating space for the
219  * keyblob. For a hardware-backed key, use the private key handle returned by
220  * `otcrypto_hw_backed_key`. Otherwise, the mode should indicate ECDH with
221  * P-256 and the keyblob should be 80 bytes. The value in the `checksum` field
222  * of the blinded key struct will be populated by the key generation function.
223  *
224  * @param[out] private_key Pointer to the blinded private key (d) struct.
225  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
226  * @return Result of the ECDH key generation.
227  */
228 OT_WARN_UNUSED_RESULT
229 otcrypto_status_t otcrypto_ecdh_p256_keygen(
230  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
231 
232 /**
233  * Generates a key pair for ECDH with curve P-384.
234  *
235  * The caller should allocate and partially populate the blinded key struct,
236  * including populating the key configuration and allocating space for the
237  * keyblob. For a hardware-backed key, use the private key handle returned by
238  * `otcrypto_hw_backed_key`. Otherwise, the mode should indicate ECDH with
239  * P-384 and the keyblob should be 112 bytes. The value in the `checksum` field
240  * of the blinded key struct will be populated by the key generation function.
241  *
242  * @param[out] private_key Pointer to the blinded private key (d) struct.
243  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
244  * @return Result of the ECDH key generation.
245  */
246 OT_WARN_UNUSED_RESULT
247 otcrypto_status_t otcrypto_ecdh_p384_keygen(
248  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
249 
250 /**
251  * Performs Elliptic Curve Diffie Hellman shared secret generation.
252  *
253  * The `domain_parameter` field of the `elliptic_curve` is required
254  * only for a custom curve. For named curves this field is ignored
255  * and can be set to `NULL`.
256  *
257  * @param private_key Pointer to the blinded private key (d) struct.
258  * @param public_key Pointer to the unblinded public key (Q) struct.
259  * @param elliptic_curve Pointer to the elliptic curve to be used.
260  * @param[out] shared_secret Pointer to generated blinded shared key struct.
261  * @return Result of ECDH shared secret generation.
262  */
263 OT_WARN_UNUSED_RESULT
264 otcrypto_status_t otcrypto_ecdh(const otcrypto_blinded_key_t *private_key,
265  const otcrypto_unblinded_key_t *public_key,
266  const otcrypto_ecc_curve_t *elliptic_curve,
267  otcrypto_blinded_key_t *shared_secret);
268 
269 /**
270  * Generates a new Ed25519 key pair.
271  *
272  * Computes the private exponent (d) and public key (Q) based on
273  * Curve25519.
274  *
275  * No `domain_parameter` is needed and is automatically set for Ed25519.
276  *
277  * The caller should allocate and partially populate the blinded key struct,
278  * including populating the key configuration and allocating space for the
279  * keyblob. The caller should indicate the length of the allocated keyblob;
280  * this function will return an error if the keyblob length does not match
281  * expectations. If the key is hardware-backed, the caller should pass a fully
282  * populated private key handle as returned by `otcrypto_hw_backed_key`. For
283  * non-hardware-backed keys, the keyblob should be twice the length of the key.
284  * The value in the `checksum` field of the blinded key struct will be
285  * populated by the key generation function.
286  *
287  * @param[out] private_key Pointer to the blinded private key struct.
288  * @param[out] public_key Pointer to the unblinded public key struct.
289  * @return Result of the Ed25519 key generation.
290  */
291 OT_WARN_UNUSED_RESULT
292 otcrypto_status_t otcrypto_ed25519_keygen(otcrypto_blinded_key_t *private_key,
293  otcrypto_unblinded_key_t *public_key);
294 
295 /**
296  * Generates an Ed25519 digital signature.
297  *
298  * @param private_key Pointer to the blinded private key struct.
299  * @param input_message Input message to be signed.
300  * @param sign_mode Parameter for EdDSA or Hash EdDSA sign mode.
301  * @param[out] signature Pointer to the EdDSA signature with (r,s) values.
302  * @return Result of the EdDSA signature generation.
303  */
304 OT_WARN_UNUSED_RESULT
305 otcrypto_status_t otcrypto_ed25519_sign(
306  const otcrypto_blinded_key_t *private_key,
307  otcrypto_const_byte_buf_t input_message,
308  otcrypto_eddsa_sign_mode_t sign_mode, otcrypto_word32_buf_t signature);
309 
310 /**
311  * Verifies an Ed25519 signature.
312  *
313  * @param public_key Pointer to the unblinded public key struct.
314  * @param input_message Input message to be signed for verification.
315  * @param sign_mode Parameter for EdDSA or Hash EdDSA sign mode.
316  * @param signature Pointer to the signature to be verified.
317  * @param[out] verification_result Result of signature verification
318  * (Pass/Fail).
319  * @return Result of the EdDSA verification operation.
320  */
321 OT_WARN_UNUSED_RESULT
322 otcrypto_status_t otcrypto_ed25519_verify(
323  const otcrypto_unblinded_key_t *public_key,
324  otcrypto_const_byte_buf_t input_message,
325  otcrypto_eddsa_sign_mode_t sign_mode, otcrypto_const_word32_buf_t signature,
326  hardened_bool_t *verification_result);
327 
328 /**
329  * Generates a new key pair for X25519 key exchange.
330  *
331  * Computes the private scalar (d) and public key (Q) based on
332  * Curve25519.
333  *
334  * No `domain_parameter` is needed and is automatically set for X25519.
335  *
336  * The caller should allocate and partially populate the blinded key struct,
337  * including populating the key configuration and allocating space for the
338  * keyblob. The caller should indicate the length of the allocated keyblob;
339  * this function will return an error if the keyblob length does not match
340  * expectations. If the key is hardware-backed, the caller should pass a fully
341  * populated private key handle as returned by `otcrypto_hw_backed_key`. For
342  * non-hardware-backed keys, the keyblob should be twice the length of the key.
343  * The value in the `checksum` field of the blinded key struct will be
344  * populated by the key generation function.
345  *
346  * @param[out] private_key Pointer to the blinded private key struct.
347  * @param[out] public_key Pointer to the unblinded public key struct.
348  * @return Result of the X25519 key generation.
349  */
350 OT_WARN_UNUSED_RESULT
351 otcrypto_status_t otcrypto_x25519_keygen(otcrypto_blinded_key_t *private_key,
352  otcrypto_unblinded_key_t *public_key);
353 
354 /**
355  * Performs the X25519 Diffie Hellman shared secret generation.
356  *
357  * @param private_key Pointer to blinded private key (u-coordinate).
358  * @param public_key Pointer to the public scalar from the sender.
359  * @param[out] shared_secret Pointer to shared secret key (u-coordinate).
360  * @return Result of the X25519 operation.
361  */
362 OT_WARN_UNUSED_RESULT
363 otcrypto_status_t otcrypto_x25519(const otcrypto_blinded_key_t *private_key,
364  const otcrypto_unblinded_key_t *public_key,
365  otcrypto_blinded_key_t *shared_secret);
366 
367 /**
368  * Starts asynchronous key generation for ECDSA/P-256.
369  *
370  * See `otcrypto_ecdsa_p256_keygen` for requirements on input values.
371  *
372  * @param private_key Destination structure for private key, or key handle.
373  * @return Result of asynchronous ECDSA keygen start operation.
374  */
375 OT_WARN_UNUSED_RESULT
376 otcrypto_status_t otcrypto_ecdsa_p256_keygen_async_start(
377  const otcrypto_blinded_key_t *private_key);
378 
379 /**
380  * Finalizes asynchronous key generation for ECDSA/P-256.
381  *
382  * See `otcrypto_ecdsa_p256_keygen` for requirements on input values.
383  *
384  * May block until the operation is complete.
385  *
386  * The caller should ensure that the private key configuration matches that
387  * passed to the `_start` function.
388  *
389  * @param[out] private_key Pointer to the blinded private key (d) struct.
390  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
391  * @return Result of asynchronous ECDSA keygen finalize operation.
392  */
393 OT_WARN_UNUSED_RESULT
394 otcrypto_status_t otcrypto_ecdsa_p256_keygen_async_finalize(
395  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
396 
397 /**
398  * Starts asynchronous key generation for ECDSA/P-384.
399  *
400  * See `otcrypto_ecdsa_p384_keygen` for requirements on input values.
401  *
402  * @param private_key Destination structure for private key, or key handle.
403  * @return Result of asynchronous ECDSA keygen start operation.
404  */
405 OT_WARN_UNUSED_RESULT
406 otcrypto_status_t otcrypto_ecdsa_p384_keygen_async_start(
407  const otcrypto_blinded_key_t *private_key);
408 
409 /**
410  * Finalizes asynchronous key generation for ECDSA/P-384.
411  *
412  * See `otcrypto_ecdsa_p384_keygen` for requirements on input values.
413  *
414  * May block until the operation is complete.
415  *
416  * The caller should ensure that the private key configuration matches that
417  * passed to the `_start` function.
418  *
419  * @param[out] private_key Pointer to the blinded private key (d) struct.
420  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
421  * @return Result of asynchronous ECDSA keygen finalize operation.
422  */
423 OT_WARN_UNUSED_RESULT
424 otcrypto_status_t otcrypto_ecdsa_p384_keygen_async_finalize(
425  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
426 
427 /**
428  * Starts asynchronous signature generation for ECDSA/P-256.
429  *
430  * See `otcrypto_ecdsa_p256_sign` for requirements on input values.
431  *
432  * @param private_key Pointer to the blinded private key (d) struct.
433  * @param message_digest Message digest to be signed (pre-hashed).
434  * @param elliptic_curve Pointer to the elliptic curve to be used.
435  * @return Result of async ECDSA start operation.
436  */
437 OT_WARN_UNUSED_RESULT
438 otcrypto_status_t otcrypto_ecdsa_p256_sign_async_start(
439  const otcrypto_blinded_key_t *private_key,
440  const otcrypto_hash_digest_t message_digest);
441 
442 /**
443  * Finalizes asynchronous signature generation for ECDSA/P-256.
444  *
445  * See `otcrypto_ecdsa_p256_sign` for requirements on input values.
446  *
447  * May block until the operation is complete.
448  *
449  * @param[out] signature Pointer to the signature struct with (r,s) values.
450  * @return Result of async ECDSA finalize operation.
451  */
452 OT_WARN_UNUSED_RESULT
453 otcrypto_status_t otcrypto_ecdsa_p256_sign_async_finalize(
454  otcrypto_word32_buf_t signature);
455 
456 /**
457  * Starts asynchronous signature generation for ECDSA/P-384.
458  *
459  * See `otcrypto_ecdsa_p384_sign` for requirements on input values.
460  *
461  * @param private_key Pointer to the blinded private key (d) struct.
462  * @param message_digest Message digest to be signed (pre-hashed).
463  * @param elliptic_curve Pointer to the elliptic curve to be used.
464  * @return Result of async ECDSA start operation.
465  */
466 OT_WARN_UNUSED_RESULT
467 otcrypto_status_t otcrypto_ecdsa_p384_sign_async_start(
468  const otcrypto_blinded_key_t *private_key,
469  const otcrypto_hash_digest_t message_digest);
470 
471 /**
472  * Finalizes asynchronous signature generation for ECDSA/P-384.
473  *
474  * See `otcrypto_ecdsa_p384_sign` for requirements on input values.
475  *
476  * May block until the operation is complete.
477  *
478  * @param[out] signature Pointer to the signature struct with (r,s) values.
479  * @return Result of async ECDSA finalize operation.
480  */
481 OT_WARN_UNUSED_RESULT
482 otcrypto_status_t otcrypto_ecdsa_p384_sign_async_finalize(
483  otcrypto_word32_buf_t signature);
484 
485 /**
486  * Starts asynchronous signature verification for ECDSA/P-256.
487  *
488  * See `otcrypto_ecdsa_p256_verify` for requirements on input values.
489  *
490  * @param public_key Pointer to the unblinded public key (Q) struct.
491  * @param message_digest Message digest to be verified (pre-hashed).
492  * @param signature Pointer to the signature to be verified.
493  * @return Result of async ECDSA verify start function.
494  */
495 OT_WARN_UNUSED_RESULT
496 otcrypto_status_t otcrypto_ecdsa_p256_verify_async_start(
497  const otcrypto_unblinded_key_t *public_key,
498  const otcrypto_hash_digest_t message_digest,
499  otcrypto_const_word32_buf_t signature);
500 
501 /**
502  * Finalizes asynchronous signature verification for ECDSA/P-256.
503  *
504  * See `otcrypto_ecdsa_p256_verify` for requirements on input values.
505  *
506  * May block until the operation is complete.
507  *
508  * @param[out] verification_result Whether the signature passed verification.
509  * @return Result of async ECDSA verify finalize operation.
510  */
511 OT_WARN_UNUSED_RESULT
512 otcrypto_status_t otcrypto_ecdsa_p256_verify_async_finalize(
513  otcrypto_const_word32_buf_t signature,
514  hardened_bool_t *verification_result);
515 
516 /**
517  * Starts asynchronous signature verification for ECDSA/P-384.
518  *
519  * See `otcrypto_ecdsa_p384_verify` for requirements on input values.
520  *
521  * @param public_key Pointer to the unblinded public key (Q) struct.
522  * @param message_digest Message digest to be verified (pre-hashed).
523  * @param signature Pointer to the signature to be verified.
524  * @return Result of async ECDSA verify start function.
525  */
526 OT_WARN_UNUSED_RESULT
527 otcrypto_status_t otcrypto_ecdsa_p384_verify_async_start(
528  const otcrypto_unblinded_key_t *public_key,
529  const otcrypto_hash_digest_t message_digest,
530  otcrypto_const_word32_buf_t signature);
531 
532 /**
533  * Finalizes asynchronous signature verification for ECDSA/P-384.
534  *
535  * See `otcrypto_ecdsa_p384_verify` for requirements on input values.
536  *
537  * May block until the operation is complete.
538  *
539  * @param[out] verification_result Whether the signature passed verification.
540  * @return Result of async ECDSA verify finalize operation.
541  */
542 OT_WARN_UNUSED_RESULT
543 otcrypto_status_t otcrypto_ecdsa_p384_verify_async_finalize(
544  otcrypto_const_word32_buf_t signature,
545  hardened_bool_t *verification_result);
546 
547 /**
548  * Starts asynchronous key generation for ECDH/P-256.
549  *
550  * See `otcrypto_ecdh_p256_keygen` for requirements on input values.
551  *
552  * @param private_key Destination structure for private key, or key handle.
553  * @return Result of asynchronous ECDH keygen start operation.
554  */
555 OT_WARN_UNUSED_RESULT
556 otcrypto_status_t otcrypto_ecdh_p256_keygen_async_start(
557  const otcrypto_blinded_key_t *private_key);
558 
559 /**
560  * Finalizes asynchronous key generation for ECDH/P-256.
561  *
562  * See `otcrypto_ecdh_p256_keygen` for requirements on input values.
563  *
564  * May block until the operation is complete.
565  *
566  * The caller should ensure that the private key configuration matches that
567  * passed to the `_start` function.
568  *
569  * @param[out] private_key Pointer to the blinded private key (d) struct.
570  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
571  * @return Result of asynchronous ECDH keygen finalize operation.
572  */
573 OT_WARN_UNUSED_RESULT
574 otcrypto_status_t otcrypto_ecdh_p256_keygen_async_finalize(
575  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
576 
577 /**
578  * Starts asynchronous key generation for ECDH/P-384.
579  *
580  * See `otcrypto_ecdh_p384_keygen` for requirements on input values.
581  *
582  * @param private_key Destination structure for private key, or key handle.
583  * @return Result of asynchronous ECDH keygen start operation.
584  */
585 OT_WARN_UNUSED_RESULT
586 otcrypto_status_t otcrypto_ecdh_p384_keygen_async_start(
587  const otcrypto_blinded_key_t *private_key);
588 
589 /**
590  * Finalizes asynchronous key generation for ECDH/P-384.
591  *
592  * See `otcrypto_ecdh_p384_keygen` for requirements on input values.
593  *
594  * May block until the operation is complete.
595  *
596  * The caller should ensure that the private key configuration matches that
597  * passed to the `_start` function.
598  *
599  * @param[out] private_key Pointer to the blinded private key (d) struct.
600  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
601  * @return Result of asynchronous ECDH keygen finalize operation.
602  */
603 OT_WARN_UNUSED_RESULT
604 otcrypto_status_t otcrypto_ecdh_p384_keygen_async_finalize(
605  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
606 
607 /**
608  * Starts the asynchronous Elliptic Curve Diffie Hellman shared
609  * secret generation.
610  *
611  * The `domain_parameter` field of the `elliptic_curve` is required
612  * only for a custom curve. For named curves this field is ignored
613  * and can be set to `NULL`.
614  *
615  * @param private_key Pointer to the blinded private key (d) struct.
616  * @param public_key Pointer to the unblinded public key (Q) struct.
617  * @param elliptic_curve Pointer to the elliptic curve to be used.
618  * @return Result of async ECDH start operation.
619  */
620 OT_WARN_UNUSED_RESULT
621 otcrypto_status_t otcrypto_ecdh_async_start(
622  const otcrypto_blinded_key_t *private_key,
623  const otcrypto_unblinded_key_t *public_key,
624  const otcrypto_ecc_curve_t *elliptic_curve);
625 
626 /**
627  * Finalizes the asynchronous Elliptic Curve Diffie Hellman shared
628  * secret generation.
629  *
630  * Returns `kOtcryptoStatusValueOk` and copies `shared_secret` if the OTBN
631  * status is done, or `kOtcryptoStatusValueAsyncIncomplete` if the OTBN
632  * is busy or `kOtcryptoStatusValueInternalError` if there is an error.
633  *
634  * The caller must ensure that the `elliptic_curve` parameter matches the one
635  * that was previously passed to the corresponding `_start` function; a
636  * mismatch will cause inconsistencies.
637  *
638  * @param elliptic_curve Pointer to the elliptic curve that is being used.
639  * @param[out] shared_secret Pointer to generated blinded shared key struct.
640  * @return Result of async ECDH finalize operation.
641  */
642 OT_WARN_UNUSED_RESULT
643 otcrypto_status_t otcrypto_ecdh_async_finalize(
644  const otcrypto_ecc_curve_t *elliptic_curve,
645  otcrypto_blinded_key_t *shared_secret);
646 
647 /**
648  * Starts the asynchronous key generation for Ed25519.
649  *
650  * Initializes OTBN and begins generating an Ed25519 key pair. The caller
651  * should set the `config` field of `private_key` with their desired key
652  * configuration options. If the key is hardware-backed, the caller should pass
653  * a fully populated private key handle such as the kind returned by
654  * `otcrypto_hw_backed_key`.
655  *
656  * No `domain_parameter` is needed and is automatically set for X25519.
657  *
658  * @param private_key Destination structure for private key, or key handle.
659  * @return Result of asynchronous ed25519 keygen start operation.
660  */
661 OT_WARN_UNUSED_RESULT
662 otcrypto_status_t otcrypto_ed25519_keygen_async_start(
663  const otcrypto_blinded_key_t *private_key);
664 
665 /**
666  * Finalizes the asynchronous key generation for Ed25519.
667  *
668  * Returns `kOtcryptoStatusValueOk` and copies private key (d) and public key
669  * (Q), if the OTBN status is done, or `kOtcryptoStatusValueAsyncIncomplete`
670  * if the OTBN is busy or `kOtcryptoStatusValueInternalError` if there is an
671  * error.
672  *
673  * The caller must ensure that `config` matches the key configuration initially
674  * passed to the `_start` complement of this function.
675  *
676  * @param[out] private_key Pointer to the blinded private key struct.
677  * @param[out] public_key Pointer to the unblinded public key struct.
678  * @return Result of asynchronous ed25519 keygen finalize operation.
679  */
680 OT_WARN_UNUSED_RESULT
681 otcrypto_status_t otcrypto_ed25519_keygen_async_finalize(
682  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
683 
684 /**
685  * Starts the asynchronous Ed25519 digital signature generation.
686  *
687  * Initializes OTBN and starts the OTBN routine to compute the digital
688  * signature on the input message. The `domain_parameter` field for
689  * Ed25519 is automatically set.
690  *
691  * @param private_key Pointer to the blinded private key struct.
692  * @param input_message Input message to be signed.
693  * @param sign_mode Parameter for EdDSA or Hash EdDSA sign mode.
694  * @param[out] signature Pointer to the EdDSA signature to get (r) value.
695  * @return Result of async Ed25519 start operation.
696  */
697 OT_WARN_UNUSED_RESULT
698 otcrypto_status_t otcrypto_ed25519_sign_async_start(
699  const otcrypto_blinded_key_t *private_key,
700  otcrypto_const_byte_buf_t input_message,
701  otcrypto_eddsa_sign_mode_t sign_mode, otcrypto_word32_buf_t signature);
702 
703 /**
704  * Finalizes the asynchronous Ed25519 digital signature generation.
705  *
706  * Returns `kOtcryptoStatusValueOk` and copies the signature if the OTBN
707  * status is done, or `kOtcryptoStatusValueAsyncIncomplete` if the OTBN is
708  * busy or `kOtcryptoStatusValueInternalError` if there is an error.
709  *
710  * @param[out] signature Pointer to the EdDSA signature to get (s) value.
711  * @return Result of async Ed25519 finalize operation.
712  */
713 OT_WARN_UNUSED_RESULT
714 otcrypto_status_t otcrypto_ed25519_sign_async_finalize(
715  otcrypto_word32_buf_t signature);
716 
717 /**
718  * Starts the asynchronous Ed25519 digital signature verification.
719  *
720  * Initializes OTBN and starts the OTBN routine to verify the
721  * signature. The `domain_parameter` for Ed25519 is set automatically.
722  *
723  * @param public_key Pointer to the unblinded public key struct.
724  * @param input_message Input message to be signed for verification.
725  * @param sign_mode Parameter for EdDSA or Hash EdDSA sign mode.
726  * @param signature Pointer to the signature to be verified.
727  * @return Result of async Ed25519 verification start operation.
728  */
729 OT_WARN_UNUSED_RESULT
730 otcrypto_status_t otcrypto_ed25519_verify_async_start(
731  const otcrypto_unblinded_key_t *public_key,
732  otcrypto_const_byte_buf_t input_message,
733  otcrypto_eddsa_sign_mode_t sign_mode,
734  otcrypto_const_word32_buf_t signature);
735 
736 /**
737  * Finalizes the asynchronous Ed25519 digital signature verification.
738  *
739  * Returns `kOtcryptoStatusValueOk` and populates the `verification result`
740  * with a PASS or FAIL, if the OTBN status is done,
741  * `kOtcryptoStatusValueAsyncIncomplete` if the OTBN is busy or
742  * `kOtcryptoStatusValueInternalError` if there is an error.
743  *
744  * @param[out] verification_result Result of signature verification
745  * (Pass/Fail).
746  * @return Result of async Ed25519 verification finalize operation.
747  */
748 OT_WARN_UNUSED_RESULT
749 otcrypto_status_t otcrypto_ed25519_verify_async_finalize(
750  hardened_bool_t *verification_result);
751 
752 /**
753  * Starts the asynchronous key generation for X25519.
754  *
755  * Initializes OTBN and begins generating an X25519 key pair. The caller
756  * should set the `config` field of `private_key` with their desired key
757  * configuration options. If the key is hardware-backed, the caller should pass
758  * a fully populated private key handle such as the kind returned by
759  * `otcrypto_hw_backed_key`.
760  *
761  * No `domain_parameter` is needed and is automatically set for X25519.
762  *
763  * @param private_key Destination structure for private key, or key handle.
764  * @return Result of asynchronous X25519 keygen start operation.
765  */
766 OT_WARN_UNUSED_RESULT
767 otcrypto_status_t otcrypto_x25519_keygen_async_start(
768  const otcrypto_blinded_key_t *private_key);
769 
770 /**
771  * Finalizes the asynchronous key generation for X25519.
772  *
773  * Returns `kOtcryptoStatusValueOk` and copies private key (d) and public key
774  * (Q), if the OTBN status is done, or `kOtcryptoStatusValueAsyncIncomplete`
775  * if the OTBN is busy or `kOtcryptoStatusValueInternalError` if there is an
776  * error.
777  *
778  * The caller must ensure that `config` matches the key configuration initially
779  * passed to the `_start` complement of this function.
780  *
781  * @param[out] private_key Pointer to the blinded private key struct.
782  * @param[out] public_key Pointer to the unblinded public key struct.
783  * @return Result of asynchronous X25519 keygen finalize operation.
784  */
785 OT_WARN_UNUSED_RESULT
786 otcrypto_status_t otcrypto_x25519_keygen_async_finalize(
787  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
788 
789 /**
790  * Starts the asynchronous X25519 Diffie Hellman shared secret
791  * generation.
792  *
793  * Initializes OTBN and starts the OTBN routine to perform Diffie
794  * Hellman shared secret generation based on Curve25519. The
795  * domain parameter is automatically set for X25519 API.
796  *
797  * @param private_key Pointer to the blinded private key (u-coordinate).
798  * @param public_key Pointer to the public scalar from the sender.
799  * @return Result of the async X25519 start operation.
800  */
801 OT_WARN_UNUSED_RESULT
802 otcrypto_status_t otcrypto_x25519_async_start(
803  const otcrypto_blinded_key_t *private_key,
804  const otcrypto_unblinded_key_t *public_key);
805 
806 /**
807  * Finalizes the asynchronous X25519 Diffie Hellman shared secret
808  * generation.
809  *
810  * Returns `kOtcryptoStatusValueOk` and copies `shared_secret` if the OTBN
811  * status is done, or `kOtcryptoStatusValueAsyncIncomplete` if the OTBN
812  * is busy or `kOtcryptoStatusValueInternalError` if there is an error.
813  *
814  * @param[out] shared_secret Pointer to shared secret key (u-coordinate).
815  * @return Result of async X25519 finalize operation.
816  */
817 OT_WARN_UNUSED_RESULT
818 otcrypto_status_t otcrypto_x25519_async_finalize(
819  otcrypto_blinded_key_t *shared_secret);
820 
821 #ifdef __cplusplus
822 } // extern "C"
823 #endif // __cplusplus
824 
825 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_ECC_H_
Return to OpenTitan Documentation