P-256#
ECDSA over the P-256 NIST curve.
API Reference#
#include "Hacl_P256.h"
Load and Store Keys#
-
bool Hacl_P256_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw)#
Convert a public key from uncompressed to its raw form.
The function returns
truefor successful conversion of a public key andfalseotherwise.The outparam
pk_rawpoints to 64 bytes of valid memory, i.e., uint8_t[64]. The argumentpkpoints to 65 bytes of valid memory, i.e., uint8_t[65].The function DOESN’T check whether (x, y) is a valid point.
-
bool Hacl_P256_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw)#
Convert a public key from compressed to its raw form.
The function returns
truefor successful conversion of a public key andfalseotherwise.The outparam
pk_rawpoints to 64 bytes of valid memory, i.e., uint8_t[64]. The argumentpkpoints to 33 bytes of valid memory, i.e., uint8_t[33].The function also checks whether (x, y) is a valid point.
-
void Hacl_P256_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk)#
Convert a public key from raw to its uncompressed form.
The outparam
pkpoints to 65 bytes of valid memory, i.e., uint8_t[65]. The argumentpk_rawpoints to 64 bytes of valid memory, i.e., uint8_t[64].The function DOESN’T check whether (x, y) is a valid point.
-
void Hacl_P256_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk)#
Convert a public key from raw to its compressed form.
The outparam
pkpoints to 33 bytes of valid memory, i.e., uint8_t[33]. The argumentpk_rawpoints to 64 bytes of valid memory, i.e., uint8_t[64].The function DOESN’T check whether (x, y) is a valid point.
Validate Keys#
-
bool Hacl_P256_validate_private_key(uint8_t *private_key)#
Private key validation.
The function returns
trueif a private key is valid andfalseotherwise.The argument
private_keypoints to 32 bytes of valid memory, i.e., uint8_t[32].The private key is valid: • 0 <
private_key< the order of the curve
-
bool Hacl_P256_validate_public_key(uint8_t *public_key)#
Public key validation.
The function returns
trueif a public key is valid andfalseotherwise.The argument
public_keypoints to 64 bytes of valid memory, i.e., uint8_t[64].The public key (x || y) is valid (with respect to SP 800-56A): • the public key is not the “point at infinity”, represented as O. • the affine x and y coordinates of the point represented by the public key are in the range [0, p – 1] where p is the prime defining the finite field. • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/
Sign#
-
bool Hacl_P256_ecdsa_sign_p256_sha2(uint8_t *signature, uint32_t msg_len, uint8_t *msg, uint8_t *private_key, uint8_t *nonce)#
Create an ECDSA signature using SHA2-256.
The function returns
truefor successful creation of an ECDSA signature andfalseotherwise.The outparam
signature(R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. The argumentmsgpoints tomsg_lenbytes of valid memory, i.e., uint8_t[msg_len]. The argumentsprivate_keyandnoncepoint to 32 bytes of valid memory, i.e., uint8_t[32].The function also checks whether
private_keyandnonceare valid: • 0 <private_key< the order of the curve • 0 <nonce< the order of the curve
-
bool Hacl_P256_ecdsa_sign_p256_sha384(uint8_t *signature, uint32_t msg_len, uint8_t *msg, uint8_t *private_key, uint8_t *nonce)#
Create an ECDSA signature using SHA2-384.
The function returns
truefor successful creation of an ECDSA signature andfalseotherwise.The outparam
signature(R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. The argumentmsgpoints tomsg_lenbytes of valid memory, i.e., uint8_t[msg_len]. The argumentsprivate_keyandnoncepoint to 32 bytes of valid memory, i.e., uint8_t[32].The function also checks whether
private_keyandnonceare valid: • 0 <private_key< the order of the curve • 0 <nonce< the order of the curve
-
bool Hacl_P256_ecdsa_sign_p256_sha512(uint8_t *signature, uint32_t msg_len, uint8_t *msg, uint8_t *private_key, uint8_t *nonce)#
Create an ECDSA signature using SHA2-512.
The function returns
truefor successful creation of an ECDSA signature andfalseotherwise.The outparam
signature(R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. The argumentmsgpoints tomsg_lenbytes of valid memory, i.e., uint8_t[msg_len]. The argumentsprivate_keyandnoncepoint to 32 bytes of valid memory, i.e., uint8_t[32].The function also checks whether
private_keyandnonceare valid: • 0 <private_key< the order of the curve • 0 <nonce< the order of the curve
-
bool Hacl_P256_ecdsa_sign_p256_without_hash(uint8_t *signature, uint32_t msg_len, uint8_t *msg, uint8_t *private_key, uint8_t *nonce)#
Create an ECDSA signature WITHOUT hashing first.
This function is intended to receive a hash of the input. For convenience, we recommend using one of the hash-and-sign combined functions above.
The argument
msgMUST be at least 32 bytes (i.e.msg_len >= 32).NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs smaller than 32 bytes. These libraries left-pad the input with enough zeroes to reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL need to perform the left-padding themselves.
The function returns
truefor successful creation of an ECDSA signature andfalseotherwise.The outparam
signature(R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. The argumentmsgpoints tomsg_lenbytes of valid memory, i.e., uint8_t[msg_len]. The argumentsprivate_keyandnoncepoint to 32 bytes of valid memory, i.e., uint8_t[32].The function also checks whether
private_keyandnonceare valid values: • 0 <private_key< the order of the curve • 0 <nonce< the order of the curve
Verify#
-
bool Hacl_P256_ecdsa_verif_p256_sha2(uint32_t msg_len, uint8_t *msg, uint8_t *public_key, uint8_t *signature_r, uint8_t *signature_s)#
Verify an ECDSA signature using SHA2-256.
The function returns
trueif the signature is valid andfalseotherwise.The argument
msgpoints tomsg_lenbytes of valid memory, i.e., uint8_t[msg_len]. The argumentpublic_key(x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. The argumentssignature_randsignature_spoint to 32 bytes of valid memory, i.e., uint8_t[32].The function also checks whether
public_keyis valid
-
bool Hacl_P256_ecdsa_verif_p256_sha384(uint32_t msg_len, uint8_t *msg, uint8_t *public_key, uint8_t *signature_r, uint8_t *signature_s)#
Verify an ECDSA signature using SHA2-384.
The function returns
trueif the signature is valid andfalseotherwise.The argument
msgpoints tomsg_lenbytes of valid memory, i.e., uint8_t[msg_len]. The argumentpublic_key(x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. The argumentssignature_randsignature_spoint to 32 bytes of valid memory, i.e., uint8_t[32].The function also checks whether
public_keyis valid
-
bool Hacl_P256_ecdsa_verif_p256_sha512(uint32_t msg_len, uint8_t *msg, uint8_t *public_key, uint8_t *signature_r, uint8_t *signature_s)#
Verify an ECDSA signature using SHA2-512.
The function returns
trueif the signature is valid andfalseotherwise.The argument
msgpoints tomsg_lenbytes of valid memory, i.e., uint8_t[msg_len]. The argumentpublic_key(x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. The argumentssignature_randsignature_spoint to 32 bytes of valid memory, i.e., uint8_t[32].The function also checks whether
public_keyis valid
-
bool Hacl_P256_ecdsa_verif_without_hash(uint32_t msg_len, uint8_t *msg, uint8_t *public_key, uint8_t *signature_r, uint8_t *signature_s)#
Verify an ECDSA signature WITHOUT hashing first.
This function is intended to receive a hash of the input. For convenience, we recommend using one of the hash-and-verify combined functions above.
The argument
msgMUST be at least 32 bytes (i.e.msg_len >= 32).The function returns
trueif the signature is valid andfalseotherwise.The argument
msgpoints tomsg_lenbytes of valid memory, i.e., uint8_t[msg_len]. The argumentpublic_key(x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. The argumentssignature_randsignature_spoint to 32 bytes of valid memory, i.e., uint8_t[32].The function also checks whether
public_keyis valid