@@ -555,6 +555,10 @@ int mbedtls_mpi_core_random( mbedtls_mpi_uint *X,
555555 * \brief Returns the number of limbs of working memory required for
556556 * a call to `mbedtls_mpi_core_exp_mod()`.
557557 *
558+ * \note This will always be at least
559+ * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`,
560+ * i.e. sufficient for a call to `mbedtls_mpi_core_montmul()`.
561+ *
558562 * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
559563 * (they must be the same size) that will be given to
560564 * `mbedtls_mpi_core_exp_mod()`.
@@ -625,6 +629,111 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub_int( mbedtls_mpi_uint *X,
625629 mbedtls_mpi_uint b ,
626630 size_t limbs );
627631
632+ /**
633+ * \brief Determine if a given MPI has the value \c 0 in constant time with
634+ * respect to the value (but not with respect to the number of limbs).
635+ *
636+ * \param[in] A The MPI to test.
637+ * \param limbs Number of limbs in \p A.
638+ *
639+ * \return 0 if `A == 0`
640+ * non-0 (may be any value) if `A != 0`.
641+ */
642+ mbedtls_mpi_uint mbedtls_mpi_core_check_zero_ct ( const mbedtls_mpi_uint * A ,
643+ size_t limbs );
644+
645+ /**
646+ * \brief Returns the number of limbs of working memory required for
647+ * a call to `mbedtls_mpi_core_montmul()`.
648+ *
649+ * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
650+ * (they must be the same size) that will be given to
651+ * `mbedtls_mpi_core_montmul()` or one of the other functions
652+ * that specifies this as the amount of working memory needed.
653+ *
654+ * \return The number of limbs of working memory required by
655+ * `mbedtls_mpi_core_montmul()` (or other similar function).
656+ */
657+ static inline size_t mbedtls_mpi_core_montmul_working_limbs ( size_t AN_limbs )
658+ {
659+ return ( 2 * AN_limbs + 1 );
660+ }
661+
662+ /** Convert an MPI into Montgomery form.
663+ *
664+ * \p X may be aliased to \p A, but may not otherwise overlap it.
665+ *
666+ * \p X may not alias \p N (it is in canonical form, so must be stricly less
667+ * than \p N). Nor may it alias or overlap \p rr (this is unlikely to be
668+ * required in practice.)
669+ *
670+ * This function is a thin wrapper around `mbedtls_mpi_core_montmul()` that is
671+ * an alternative to calling `mbedtls_mpi_mod_raw_to_mont_rep()` when we
672+ * don't want to allocate memory.
673+ *
674+ * \param[out] X The result of the conversion.
675+ * Must have the same number of limbs as \p A.
676+ * \param[in] A The MPI to convert into Montgomery form.
677+ * Must have the same number of limbs as the modulus.
678+ * \param[in] N The address of the modulus, which gives the size of
679+ * the base `R` = 2^(biL*N->limbs).
680+ * \param[in] AN_limbs The number of limbs in \p X, \p A, \p N and \p rr.
681+ * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL.
682+ * This can be determined by calling
683+ * `mbedtls_mpi_core_montmul_init()`.
684+ * \param[in] rr The residue for `2^{2*n*biL} mod N`.
685+ * \param[in,out] T Temporary storage of size at least
686+ * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`
687+ * limbs.
688+ * Its initial content is unused and
689+ * its final content is indeterminate.
690+ * It must not alias or otherwise overlap any of the
691+ * other parameters.
692+ */
693+ void mbedtls_mpi_core_to_mont_rep ( mbedtls_mpi_uint * X ,
694+ const mbedtls_mpi_uint * A ,
695+ const mbedtls_mpi_uint * N ,
696+ size_t AN_limbs ,
697+ mbedtls_mpi_uint mm ,
698+ const mbedtls_mpi_uint * rr ,
699+ mbedtls_mpi_uint * T );
700+
701+ /** Convert an MPI from Montgomery form.
702+ *
703+ * \p X may be aliased to \p A, but may not otherwise overlap it.
704+ *
705+ * \p X may not alias \p N (it is in canonical form, so must be stricly less
706+ * than \p N).
707+ *
708+ * This function is a thin wrapper around `mbedtls_mpi_core_montmul()` that is
709+ * an alternative to calling `mbedtls_mpi_mod_raw_from_mont_rep()` when we
710+ * don't want to allocate memory.
711+ *
712+ * \param[out] X The result of the conversion.
713+ * Must have the same number of limbs as \p A.
714+ * \param[in] A The MPI to convert from Montgomery form.
715+ * Must have the same number of limbs as the modulus.
716+ * \param[in] N The address of the modulus, which gives the size of
717+ * the base `R` = 2^(biL*N->limbs).
718+ * \param[in] AN_limbs The number of limbs in \p X, \p A and \p N.
719+ * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL.
720+ * This can be determined by calling
721+ * `mbedtls_mpi_core_montmul_init()`.
722+ * \param[in,out] T Temporary storage of size at least
723+ * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`
724+ * limbs.
725+ * Its initial content is unused and
726+ * its final content is indeterminate.
727+ * It must not alias or otherwise overlap any of the
728+ * other parameters.
729+ */
730+ void mbedtls_mpi_core_from_mont_rep ( mbedtls_mpi_uint * X ,
731+ const mbedtls_mpi_uint * A ,
732+ const mbedtls_mpi_uint * N ,
733+ size_t AN_limbs ,
734+ mbedtls_mpi_uint mm ,
735+ mbedtls_mpi_uint * T );
736+
628737/* END MERGE SLOT 3 */
629738
630739/* BEGIN MERGE SLOT 4 */
0 commit comments