mbedTLS
3.5.1
Primitives
ECDH and ECDSA on P192, P224, P256, P384, P521 (their R and K variants) as well as x25519 and x448.
x25519 has two implementations: the mbedTLS one (described below) and one from Project Everest.
ECDH
- KeyGen:
  Short-Weierstrass
  Comb via mbedtls_ecdh_gen_public -> ecdh_gen_public_restartable -> mbedtls_ecp_mul_restartable -> ecp_mul_restartable_internal -> ecp_mul_comb. w = 5 for curves < 384 bits, then w = 6.
  Jacobian coords with coordinate randomization.
  add-gecc-322 [GECC] algorithm 3.22, dbl-1998-cmo-2. Also has alternative impl (_ALT).
- Derive:
  Short-Weierstrass
  Comb via mbedtls_ecdh_compute_shared -> ecdh_compute_shared_restartable -> mbedtls_ecp_mul_restartable -> ecp_mul_restartable_internal -> ecp_mul_comb. w = 4 for curves < 384 bits, then w = 5. The width is smaller by 1 than the case when the generator point is used (in KeyGen).
  Same coords and formulas as KeyGen.
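How the comb width shapes the multiplication, as an added example (not mbedTLS code and not part of the original page): a plain unsigned comb on P-256 in affine coordinates, using the widths given above. It assumes a full 2^w-entry table and omits the Jacobian coordinates and coordinate randomization noted above; the names comb_width, comb_table and comb_mul are made up for this sketch.

```python
# Added illustration, not mbedTLS code: plain unsigned comb, affine coordinates.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1   # P-256 field prime
A = P - 3                                  # curve coefficient a = -3
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p, q):
    """Affine addition; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def comb_width(nbits, is_generator):
    """Widths stated on the page: 4 (< 384 bits) or 5, plus 1 for the generator."""
    return (5 if nbits >= 384 else 4) + (1 if is_generator else 0)

def comb_table(pt, w, d):
    """table[j] = sum of 2^(i*d) * pt over the set bits i of j."""
    base = [pt]
    for _ in range(w - 1):
        q = base[-1]
        for _ in range(d):
            q = add(q, q)
        base.append(q)
    table = [None] * (1 << w)
    for j in range(1, 1 << w):
        low = j & -j                       # lowest set bit of j
        table[j] = add(table[j ^ low], base[low.bit_length() - 1])
    return table

def comb_mul(k, pt, nbits=256, is_generator=False):
    """Compute k * pt with one doubling and one table addition per column."""
    w = comb_width(nbits, is_generator)
    d = -(-nbits // w)                     # number of columns, ceil(nbits / w)
    table = comb_table(pt, w, d)
    acc = None
    for col in range(d - 1, -1, -1):
        acc = add(acc, acc)
        idx = sum(((k >> (i * d + col)) & 1) << i for i in range(w))
        acc = add(acc, table[idx])         # idx is built from w bits of the scalar
    return acc
```

With w = 5 the 256-bit scalar is processed in 52 columns, with w = 4 in 64; each column's table index is formed from w scalar bits.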
ECDSA
- KeyGen:
  Short-Weierstrass
  Comb via mbedtls_ecdsa_genkey -> mbedtls_ecp_gen_keypair -> mbedtls_ecp_gen_keypair_base -> mbedtls_ecp_mul -> mbedtls_ecp_mul_restartable -> ecp_mul_restartable_internal -> ecp_mul_comb.
  Same as ECDH (KeyGen).
- Sign:
  Short-Weierstrass
  Comb via mbedtls_ecdsa_sign -> mbedtls_ecdsa_sign_restartable -> mbedtls_ecp_mul_restartable -> ecp_mul_restartable_internal -> ecp_mul_comb.
  Same as ECDH (KeyGen).
- Verify:
x25519
- KeyGen:
  Montgomery
  Montgomery Ladder via mbedtls_ecdh_gen_public -> ecdh_gen_public_restartable -> mbedtls_ecp_mul_restartable -> ecp_mul_restartable_internal -> ecp_mul_mxz.
  xz coords.
- Derive:
  Montgomery
  Montgomery Ladder via mbedtls_ecdh_compute_shared -> ecdh_compute_shared_restartable -> mbedtls_ecp_mul_restartable -> ecp_mul_restartable_internal -> ecp_mul_mxz.
  Same as KeyGen.