SPRUJ17H March 2022 – October 2024 AM2631 , AM2631-Q1 , AM2632 , AM2632-Q1 , AM2634 , AM2634-Q1
The ECp operations shown in Table 7-112, Point Add & Multiply on a Prime Field Curve, are used in the ECDSA and ECDH public key algorithms when the underlying elliptic curves are defined over a prime field. See Appendix D.1.2 of [FIPS 186-3] for curves recommended by NIST.
The choice to express input and output points in projective format (X, Y, Z) instead of affine format (x, y) is motivated by the following facts:
The simplest way to convert affine point (x, y) to projective format is to select Z=1, that is: (x, y) -> (x/1, y/1). The conversion from a point in projective format to affine format requires the modular inversion of Z (modulo curve.p) followed by two modular multiplications: (X/Z, Y/Z) -> (x = {X * (1/Z) mod p}, y = {Y * (1/Z) mod p}). All this leads to the conclusion that the use of projective input and output saves a number of (relatively costly) inverse operations when implementing the ECDSA verify algorithm. Another advantage is that it gives the host the option to skip the conversion of the y-coordinate (as output by the ECpADDxyz or ECpMULxyz operation) from projective to affine, since that coordinate is typically not used in the remainder of the ECDSA or ECDH algorithm.
The implementation of ECC-MUL is limited to Z = 1.
The ECpADDxyz operation detects when both input points are identical and automatically performs a point doubling in that case. When one point is the negation of the other, the "point-at-infinity" (that is, P0.Z = 0) is returned.
The ECpMULxyz operation supports multiplication with the scalar 'k' equal to the curve's order. The result should be the "at-infinity" (that is, P0_z = 0) in that case.
For ECC over prime fields, the maximum supported Modulus size is 768 bits (24 words).
| Function | Requirements |
|---|---|
| ECpADDxyz | 1 < BLen <= 24 (maximum vector length is 768 bits) Modulus p must be a prime > 263 The highest word of the modulus vector, as indicated by BLen, may not be zero. a < p and b < p P1_xyz and P2_xyz must be on the curve (this is not checked). |
| ECpMULxyz | 0 < ALen <= 24 (maximum vector length is 768 bits) 1 < BLen <= 24 (maximum vector length is 768 bits) Modulus p must be a prime > 263 The highest word of the modulus vector, as indicated by BLen, may not be zero. a < p and b < p P1_xyz must be on the curve (this is not checked). P1_z must equal one. 1 < k <= n, where n is the curve's order. |
| ECpSCALExyz | 1 < BLen <= 24 Modulus p must be a prime > 263 The highest word of the modulus vector, as indicated by BLen, may not be zero. |
| Function | WorkSpace Size (in 32-bit Words) |
|---|---|
| ECpADDxyz | 15 * (BLen + 2 + BLen MOD 2) |
| ECpMULxyz | 15 * (BLen + 2 + BLen MOD 2) |
| ECpSCALExyz | 5 * (BLen + 2 + BLen MOD 2) |
| Status Code | Description |
|---|---|
| 0x01 | Command executed successfully. |
| 0x03 | Modulus is even. |
| 0x05 | Scalar 'k' is zero. This value should never occur in practice and is treated as an error. The result is undefined. |
| 0x09 | Scalar 'k' is one. This value should never occur in practice and is treated as an error. The result is undefined. |
| 0x0D | Result is "at-infinity" (Z = 0, not an error). |
| 0x13 | An intermediate result of ECpMUL was "at-infinity", which should never happen. The result is set to all-zeroes. |