Lines Matching +full:fast +full:- +full:charge +full:- +full:current +full:- +full:limit
4 * Permission is hereby granted, free of charge, to any person obtaining
50 * such integers are represented with big-endian unsigned notation:
55 * relevant bytes. As a general rule, minimal-length encoding is not
60 * - the modulus (`n`);
61 * - the public exponent (`e`).
66 * - the modulus (`n`);
67 * - the public exponent (`e`);
68 * - the private exponent (`d`);
69 * - the first prime factor (`p`);
70 * - the second prime factor (`q`);
71 * - the first reduced exponent (`dp`, which is `d` modulo `p-1`);
72 * - the second reduced exponent (`dq`, which is `d` modulo `q-1`);
73 * - the CRT coefficient (`iq`, the inverse of `q` modulo `p`).
83 * - They are constant-time. This means that the execution time and
87 * random masking, but "true" constant-time code.
89 * - They support only private keys with two prime factors. RSA private
95 * - The public exponent may have arbitrary length. Of course, it is
97 * operations are fast; but, contrary to some widely deployed
101 * - The two prime factors of the modulus need not have the same length
106 * - Prime factors and modulus must be smaller than a compile-time limit.
107 * This is made necessary by the use of fixed-size stack buffers, and
108 * the limit has been adjusted to keep stack usage under 2 kB for the
112 * - The RSA functions themselves do not enforce lower size limits,
115 * SHA-1 requires a modulus of at least 361 bits). It is up to users
120 * - Within the size constraints expressed above, arbitrary bit lengths
124 * - When verifying PKCS#1 v1.5 signatures, both variants of the hash
133 * - The **i32** implementation internally represents big integers
134 * as arrays of 32-bit integers. It is perfunctory and portable,
137 * - The **i31** implementation uses 32-bit integers, each containing
143 * - The **i62** implementation is similar to the i31 implementation,
144 * except that it internally leverages the 64x64->128 multiplication
148 * - The **i15** implementation uses 16-bit integers, each containing
151 * on ARM Cortex M0/M0+, for much better performance and constant-time
159 * integers use unsigned big-endian representation; extra leading bytes
178 * the modulus. The big integers use unsigned big-endian representation;
239 * - The signature itself. The provided array is NOT modified.
241 * - The encoded OID for the hash function. The provided array must begin
246 * to TLS-1.1, with a 36-byte hash value).
248 * - The hash output length, in bytes.
250 * - The public key.
252 * - An output buffer for the hash value. The caller must still compare
257 * - Hash length MUST be no more than 64 bytes.
259 * - OID value length MUST be no more than 32 bytes (i.e. `hash_oid[0]`
269 * Implementations of this type need not be constant-time.
288 * - The signature itself. The provided array is NOT modified.
290 * - The hash function which was used to hash the message.
292 * - The hash function to use with MGF1 within the PSS padding. This
296 * - The hashed message (as an array of bytes).
298 * - The PSS salt length (in bytes).
300 * - The public key.
304 * - Hash message length MUST be no more than 64 bytes.
317 * Implementations of this type need not be constant-time.
337 * - A source of random bytes. The source must be already initialized.
339 * - A hash function, used internally with the mask generation function
342 * - A label. The `label` pointer may be `NULL` if `label_len` is zero
345 * - The public key.
347 * - The destination buffer. Its maximum length (in bytes) is provided;
351 * - The source message.
388 * `(sk->n_bitlen+7)/8` bytes).
404 * - The encoded OID for the hash function. The provided array must begin
409 * to TLS-1.1, with a 36-byte hash value).
411 * - The hash value computes over the data to sign (its length is
414 * - The RSA private key.
416 * - The output buffer, that receives the signature.
421 * `(sk->n_bitlen+7)/8` bytes.
423 * This function is expected to be constant-time with regards to the
443 * - An initialized PRNG for salt generation. If the salt length is
446 * tighter when a non-empty salt is used).
448 * - The hash function which was used to hash the message.
450 * - The hash function to use with MGF1 within the PSS padding. This
454 * - The hashed message.
456 * - The salt length, in bytes.
458 * - The RSA private key.
460 * - The output buffer, that receives the signature.
465 * `(sk->n_bitlen+7)/8` bytes.
467 * This function is expected to be constant-time with regards to the
486 * \brief Encoded OID for SHA-1 (in RSA PKCS#1 signatures).
492 * \brief Encoded OID for SHA-224 (in RSA PKCS#1 signatures).
498 * \brief Encoded OID for SHA-256 (in RSA PKCS#1 signatures).
504 * \brief Encoded OID for SHA-384 (in RSA PKCS#1 signatures).
510 * \brief Encoded OID for SHA-512 (in RSA PKCS#1 signatures).
520 * - A hash function, used internally with the mask generation function
523 * - A label. The `label` pointer may be `NULL` if `label_len` is zero
526 * - The private key.
528 * - The source and destination buffer. The buffer initially contains
539 * Implementations MUST use constant-time check of the validity of the
558 * 32-bit integers, and the core multiplication primitive is the
559 * 32x32->64 multiplication.
658 * RSA "i31" engine. Similar to i32, but only 31 bits are used per 32-bit
760 * 64x64->128 multiplications. This is available only on architecture
767 * This function is defined only on architecture that offer a 64x64->128
784 * This function is defined only on architecture that offer a 64x64->128
805 * This function is defined only on architecture that offer a 64x64->128
827 * This function is defined only on architecture that offer a 64x64->128
843 * This function is defined only on architecture that offer a 64x64->128
863 * This function is defined only on architecture that offer a 64x64->128
948 * RSA "i15" engine. Integers are represented as 15-bit integers, so
949 * the code uses only 32-bit multiplication (no 64-bit result), which
950 * is vastly faster (and constant-time) on the ARM Cortex M0/M0+.
1049 * \brief Get "default" RSA implementation (public-key operations).
1051 * This returns the preferred implementation of RSA (public-key operations)
1052 * on the current system.
1059 * \brief Get "default" RSA implementation (private-key operations).
1061 * This returns the preferred implementation of RSA (private-key operations)
1062 * on the current system.
1072 * on the current system.
1082 * on the current system.
1092 * on the current system.
1102 * on the current system.
1112 * on the current system.
1122 * on the current system.
1131 * This function performs the RSA decryption for a RSA-based key exchange
1134 * success, the 48-byte pre-master secret is copied into `data`, starting
1144 * in constant-time. A decryption error, or a bad padding, or an
1147 * to proceed with a random pre-master secret in case of error.
1281 * This function is defined only on architecture that offer a 64x64->128
1308 * This function is defined only on architecture that offer a 64x64->128
1375 * if an invalid non-zero public exponent value is provided. Supported
1376 * range starts at 512 bits, and up to an implementation-defined
1439 * This function is defined only on architecture that offer a 64x64->128
1472 * on the current system.
1482 * encoded modulus (unsigned big-endian) is written on `n`, and the size
1486 * If the key size exceeds an internal limit, 0 is returned.
1520 * on the current system.
1532 * - Either `p` or `q` is not equal to 3 modulo 4.
1534 * - The public exponent does not fit on 32 bits.
1536 * - An internal limit is exceeded.
1538 * - The private key is invalid in some way.
1571 * exponent) on the current system.
1583 * require also a copy of the complete private exponent (non-reduced),
1588 * - Both private factors `p` and `q` are equal to 3 modulo 4.
1590 * - The provided public exponent `pubexp` is correct, and, in particular,
1591 * is odd, relatively prime to `p-1` and `q-1`, and greater than 1.
1593 * - No internal storage limit is exceeded.
1599 * The encoded private exponent is written in `d` (unsigned big-endian
1645 * exponent) on the current system.