Software APIs
ecc_p256.h
Go to the documentation of this file.
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_ECC_P256_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_ECC_P256_H_
7 
8 #include "datatypes.h"
9 
10 /**
11  * @file
12  * @brief P-256 elliptic curve operations for OpenTitan cryptography library.
13  *
14  * Includes ECDSA and ECDH.
15  */
16 
17 #ifdef __cplusplus
18 extern "C" {
19 #endif // __cplusplus
20 
21 /**
22  * Generates a key pair for ECDSA with curve P-256.
23  *
24  * The caller should allocate and partially populate the blinded key struct,
25  * including populating the key configuration and allocating space for the
26  * keyblob. For a hardware-backed key, use the private key handle returned by
27  * `otcrypto_hw_backed_key`. Otherwise, the mode should indicate ECDSA with
28  * P-256 and the keyblob should be 80 bytes. The value in the `checksum` field
29  * of the blinded key struct will be populated by the key generation function.
30  *
31  * @param[out] private_key Pointer to the blinded private key (d) struct.
32  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
33  * @return Result of the ECDSA key generation.
34  */
35 OT_WARN_UNUSED_RESULT
36 otcrypto_status_t otcrypto_ecdsa_p256_keygen(
37  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
38 
39 /**
40  * Generates an ECDSA signature with curve P-256.
41  *
42  * The message digest must be exactly 256 bits (32 bytes) long, but may use any
43  * hash mode. The caller is responsible for ensuring that the security
44  * strength of the hash function is at least equal to the security strength of
45  * the curve, but in some cases it may be truncated. See FIPS 186-5 for
46  * details.
47  *
48  * @param private_key Pointer to the blinded private key (d) struct.
49  * @param message_digest Message digest to be signed (pre-hashed).
50  * @param[out] signature Pointer to the signature struct with (r,s) values.
51  * @return Result of the ECDSA signature generation.
52  */
53 OT_WARN_UNUSED_RESULT
54 otcrypto_status_t otcrypto_ecdsa_p256_sign(
55  const otcrypto_blinded_key_t *private_key,
56  const otcrypto_hash_digest_t message_digest,
57  otcrypto_word32_buf_t signature);
58 
59 /**
60  * Verifies an ECDSA/P-256 signature.
61  *
62  * The message digest must be exactly 256 bits (32 bytes) long, but may use any
63  * hash mode. The caller is responsible for ensuring that the security
64  * strength of the hash function is at least equal to the security strength of
65  * the curve, but in some cases it may be truncated. See FIPS 186-5 for
66  * details.
67  *
68  * The caller must check the `verification_result` parameter, NOT only the
69  * returned status code, to know if the signature passed verification. The
70  * status code, as for other operations, only indicates whether errors were
71  * encountered, and may return OK even when the signature is invalid.
72  *
73  * @param public_key Pointer to the unblinded public key (Q) struct.
74  * @param message_digest Message digest to be verified (pre-hashed).
75  * @param signature Pointer to the signature to be verified.
76  * @param[out] verification_result Whether the signature passed verification.
77  * @return Result of the ECDSA verification operation.
78  */
79 OT_WARN_UNUSED_RESULT
80 otcrypto_status_t otcrypto_ecdsa_p256_verify(
81  const otcrypto_unblinded_key_t *public_key,
82  const otcrypto_hash_digest_t message_digest,
83  otcrypto_const_word32_buf_t signature,
84  hardened_bool_t *verification_result);
85 
86 /**
87  * Generates a key pair for ECDH with curve P-256.
88  *
89  * The caller should allocate and partially populate the blinded key struct,
90  * including populating the key configuration and allocating space for the
91  * keyblob. For a hardware-backed key, use the private key handle returned by
92  * `otcrypto_hw_backed_key`. Otherwise, the mode should indicate ECDH with
93  * P-256 and the keyblob should be 80 bytes. The value in the `checksum` field
94  * of the blinded key struct will be populated by the key generation function.
95  *
96  * @param[out] private_key Pointer to the blinded private key (d) struct.
97  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
98  * @return Result of the ECDH key generation.
99  */
100 OT_WARN_UNUSED_RESULT
101 otcrypto_status_t otcrypto_ecdh_p256_keygen(
102  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
103 
104 /**
105  * Elliptic Curve Diffie Hellman shared secret generation with curve P-256.
106  *
107  * @param private_key Pointer to the blinded private key (d) struct.
108  * @param public_key Pointer to the unblinded public key (Q) struct.
109  * @param[out] shared_secret Pointer to generated blinded shared key struct.
110  * @return Result of ECDH shared secret generation.
111  */
112 OT_WARN_UNUSED_RESULT
113 otcrypto_status_t otcrypto_ecdh_p256(const otcrypto_blinded_key_t *private_key,
114  const otcrypto_unblinded_key_t *public_key,
115  otcrypto_blinded_key_t *shared_secret);
116 
117 /**
118  * Starts asynchronous key generation for ECDSA/P-256.
119  *
120  * See `otcrypto_ecdsa_p256_keygen` for requirements on input values.
121  *
122  * @param private_key Destination structure for private key, or key handle.
123  * @return Result of asynchronous ECDSA keygen start operation.
124  */
125 OT_WARN_UNUSED_RESULT
126 otcrypto_status_t otcrypto_ecdsa_p256_keygen_async_start(
127  const otcrypto_blinded_key_t *private_key);
128 
129 /**
130  * Finalizes asynchronous key generation for ECDSA/P-256.
131  *
132  * See `otcrypto_ecdsa_p256_keygen` for requirements on input values.
133  *
134  * May block until the operation is complete.
135  *
136  * The caller should ensure that the private key configuration matches that
137  * passed to the `_start` function.
138  *
139  * @param[out] private_key Pointer to the blinded private key (d) struct.
140  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
141  * @return Result of asynchronous ECDSA keygen finalize operation.
142  */
143 OT_WARN_UNUSED_RESULT
144 otcrypto_status_t otcrypto_ecdsa_p256_keygen_async_finalize(
145  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
146 
147 /**
148  * Starts asynchronous signature generation for ECDSA/P-256.
149  *
150  * See `otcrypto_ecdsa_p256_sign` for requirements on input values.
151  *
152  * @param private_key Pointer to the blinded private key (d) struct.
153  * @param message_digest Message digest to be signed (pre-hashed).
154  * @return Result of async ECDSA start operation.
155  */
156 OT_WARN_UNUSED_RESULT
157 otcrypto_status_t otcrypto_ecdsa_p256_sign_async_start(
158  const otcrypto_blinded_key_t *private_key,
159  const otcrypto_hash_digest_t message_digest);
160 
161 /**
162  * Finalizes asynchronous signature generation for ECDSA/P-256.
163  *
164  * See `otcrypto_ecdsa_p256_sign` for requirements on input values.
165  *
166  * May block until the operation is complete.
167  *
168  * @param[out] signature Pointer to the signature struct with (r,s) values.
169  * @return Result of async ECDSA finalize operation.
170  */
171 OT_WARN_UNUSED_RESULT
172 otcrypto_status_t otcrypto_ecdsa_p256_sign_async_finalize(
173  otcrypto_word32_buf_t signature);
174 
175 /**
176  * Starts asynchronous signature verification for ECDSA/P-256.
177  *
178  * See `otcrypto_ecdsa_p256_verify` for requirements on input values.
179  *
180  * @param public_key Pointer to the unblinded public key (Q) struct.
181  * @param message_digest Message digest to be verified (pre-hashed).
182  * @param signature Pointer to the signature to be verified.
183  * @return Result of async ECDSA verify start function.
184  */
185 OT_WARN_UNUSED_RESULT
186 otcrypto_status_t otcrypto_ecdsa_p256_verify_async_start(
187  const otcrypto_unblinded_key_t *public_key,
188  const otcrypto_hash_digest_t message_digest,
189  otcrypto_const_word32_buf_t signature);
190 
191 /**
192  * Finalizes asynchronous signature verification for ECDSA/P-256.
193  *
194  * See `otcrypto_ecdsa_p256_verify` for requirements on input values.
195  *
196  * May block until the operation is complete.
197  *
198  * The caller must check the `verification_result` parameter, NOT only the
199  * returned status code, to know if the signature passed verification. The
200  * status code, as for other operations, only indicates whether errors were
201  * encountered, and may return OK even when the signature is invalid.
202  *
203  * @param[out] verification_result Whether the signature passed verification.
204  * @return Result of async ECDSA verify finalize operation.
205  */
206 OT_WARN_UNUSED_RESULT
207 otcrypto_status_t otcrypto_ecdsa_p256_verify_async_finalize(
208  otcrypto_const_word32_buf_t signature,
209  hardened_bool_t *verification_result);
210 
211 /**
212  * Starts asynchronous key generation for ECDH/P-256.
213  *
214  * See `otcrypto_ecdh_p256_keygen` for requirements on input values.
215  *
216  * @param private_key Destination structure for private key, or key handle.
217  * @return Result of asynchronous ECDH keygen start operation.
218  */
219 OT_WARN_UNUSED_RESULT
220 otcrypto_status_t otcrypto_ecdh_p256_keygen_async_start(
221  const otcrypto_blinded_key_t *private_key);
222 
223 /**
224  * Finalizes asynchronous key generation for ECDH/P-256.
225  *
226  * See `otcrypto_ecdh_p256_keygen` for requirements on input values.
227  *
228  * May block until the operation is complete.
229  *
230  * The caller should ensure that the private key configuration matches that
231  * passed to the `_start` function.
232  *
233  * @param[out] private_key Pointer to the blinded private key (d) struct.
234  * @param[out] public_key Pointer to the unblinded public key (Q) struct.
235  * @return Result of asynchronous ECDH keygen finalize operation.
236  */
237 OT_WARN_UNUSED_RESULT
238 otcrypto_status_t otcrypto_ecdh_p256_keygen_async_finalize(
239  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key);
240 
241 /**
242  * Starts asynchronous shared secret generation for ECDH/P-256.
243  *
244  * See `otcrypto_ecdh_p256` for requirements on input values.
245  *
246  * @param private_key Pointer to the blinded private key (d) struct.
247  * @param public_key Pointer to the unblinded public key (Q) struct.
248  * @return Result of async ECDH start operation.
249  */
250 OT_WARN_UNUSED_RESULT
251 otcrypto_status_t otcrypto_ecdh_p256_async_start(
252  const otcrypto_blinded_key_t *private_key,
253  const otcrypto_unblinded_key_t *public_key);
254 
255 /**
256  * Finalizes asynchronous shared secret generation for ECDH/P-256.
257  *
258  * See `otcrypto_ecdh_p256` for requirements on input values.
259  *
260  * May block until the operation is complete.
261  *
262  * @param[out] shared_secret Pointer to generated blinded shared key struct.
263  * @return Result of async ECDH finalize operation.
264  */
265 OT_WARN_UNUSED_RESULT
266 otcrypto_status_t otcrypto_ecdh_p256_async_finalize(
267  otcrypto_blinded_key_t *shared_secret);
268 
269 #ifdef __cplusplus
270 } // extern "C"
271 #endif // __cplusplus
272 
273 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_ECC_P256_H_
Return to OpenTitan Documentation