Struct Pka 

pub struct Pka<'d, T: Instance, M: Mode> { /* private fields */ }

PKA driver

Implementations

impl<'d, T: Instance> Pka<'d, T, Blocking>

pub fn new_blocking( peripheral: Peri<'d, T>, _irq: impl Binding<T::Interrupt, InterruptHandler<T>> + 'd, ) -> Self

Create a new PKA driver in blocking mode.

impl<'d, T: Instance> Pka<'d, T, Async>

pub fn new( peripheral: Peri<'d, T>, _irq: impl Binding<T::Interrupt, InterruptHandler<T>> + 'd, ) -> Self

Create a new PKA driver in async mode.

impl<'d, T: Instance, M: Mode> Pka<'d, T, M>

pub fn scrub(&mut self)

Zero out the PKA RAM (basic hygiene scrub).

Writes 0 to every word of the PKA internal RAM. Call this between operations that touch sensitive material (e.g. private keys) to avoid leaking intermediates from prior ops through PKA RAM.

impl<'d, T: Instance> Pka<'d, T, Blocking>

pub fn ecdsa_verify_blocking( &mut self, curve: &EcdsaCurveParams, public_key: &EcdsaPublicKey<'_>, signature: &EcdsaSignature<'_>, message_hash: &[u8], ) -> Result<bool, Error>

Verify an ECDSA signature.

Arguments

• curve – Curve parameters.
• public_key – Public key (Qx, Qy).
• signature – Signature (r, s).
• message_hash – Hash of the message being verified.

Returns

Ok(true) if the signature is valid, Ok(false) if invalid.

pub fn ecdsa_sign_blocking( &mut self, curve: &EcdsaCurveParams, private_key: &[u8], k: &[u8], message_hash: &[u8], signature_r: &mut [u8], signature_s: &mut [u8], ) -> Result<(), Error>

Generate an ECDSA signature.

Arguments

• curve – Curve parameters.
• private_key – Private key d.
• k – Random nonce (MUST be cryptographically random and unique per signature!).
• message_hash – Hash of the message to sign.
• signature_r, signature_s – Output buffers for the (r, s) signature.

Security Warning

The k value MUST be:

• Cryptographically random
• Unique for every signature
• Never reused or predictable

Failure to ensure this will compromise the private key.

pub fn ecc_mul_blocking( &mut self, curve: &EcdsaCurveParams, k: &[u8], point_x: &[u8], point_y: &[u8], result: &mut EccPoint, ) -> Result<(), Error>

Perform ECC scalar multiplication: result = k * P.

This is the core operation for ECDH key agreement:

• To generate a public key: public = private_key * G (generator point).
• To compute a shared secret: shared = my_private * peer_public.

Arguments

• curve – Curve parameters.
• k – Scalar multiplier.
• point_x, point_y – Input point coordinates.
• result – Output point (must be initialized with the correct size).

pub fn point_check_blocking( &mut self, curve: &EcdsaCurveParams, point_x: &[u8], point_y: &[u8], ) -> Result<bool, Error>

Check if a point is on the curve.

Call this to validate any externally-provided public key before using it in cryptographic operations.

pub fn modular_exp_blocking( &mut self, base: &[u8], exponent: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Perform modular exponentiation: result = base^exp mod n.

This is the core RSA operation:

• Encryption: ciphertext = plaintext^e mod n
• Decryption: plaintext = ciphertext^d mod n
• Signing: signature = hash^d mod n
• Verification: hash = signature^e mod n

Arguments

• base – Base value (plaintext/ciphertext).
• exponent – Exponent (e for encrypt/verify, d for decrypt/sign).
• modulus – RSA modulus n.
• result – Output buffer (must be at least the size of modulus).

pub fn rsa_crt_exp_blocking( &mut self, ciphertext: &[u8], params: &RsaCrtParams<'_>, result: &mut [u8], ) -> Result<(), Error>

Perform RSA CRT exponentiation for fast decryption.

Uses the Chinese Remainder Theorem for ~4x faster RSA private-key operations than modular_exp_blocking.

Arguments

• ciphertext – Encrypted data.
• params – CRT parameters (p, q, dp, dq, qinv).
• result – Output buffer.

pub fn modular_inv_blocking( &mut self, a: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute modular inverse: result = a^(-1) mod n.

pub fn modular_add_blocking( &mut self, a: &[u8], b: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute modular addition: result = (a + b) mod n.

pub fn modular_sub_blocking( &mut self, a: &[u8], b: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute modular subtraction: result = (a - b) mod n.

pub fn arithmetic_mul_blocking( &mut self, a: &[u8], b: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute arithmetic multiplication: result = a * b.

pub fn montgomery_param_blocking( &mut self, modulus: &[u8], result: &mut [u32], ) -> Result<(), Error>

Compute the Montgomery parameter R^2 mod n.

Required for fast modular exponentiation and other Montgomery-form operations. The result should be stored and reused for multiple operations against the same modulus.

Arguments

• modulus – The modulus n.
• result – Output buffer for R^2 mod n (must be at least ceil(modulus.len() / 4) u32 words).

pub fn modular_exp_fast_blocking( &mut self, base: &[u8], exponent: &[u8], modulus: &[u8], montgomery_param: &[u32], result: &mut [u8], ) -> Result<(), Error>

Perform modular exponentiation with pre-computed Montgomery parameter (fast mode).

Faster than modular_exp_blocking when the Montgomery parameter has already been computed (via montgomery_param_blocking).

Arguments

• base – Base value.
• exponent – Exponent.
• modulus – Modulus n.
• montgomery_param – Pre-computed Montgomery parameter R^2 mod n.
• result – Output buffer (must be at least the size of modulus).

pub fn modular_exp_protect_blocking( &mut self, params: &ModExpProtectParams<'_>, result: &mut [u8], ) -> Result<(), Error>

Perform modular exponentiation with side-channel protection.

Provides constant-time execution to protect against timing and power analysis attacks. Requires phi(n) as input.

Arguments

• params – Protected-mode parameters including phi(n).
• result – Output buffer (must be at least the size of params.modulus).

pub fn montgomery_mul_blocking( &mut self, a: &[u8], b: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Perform Montgomery multiplication: result = (a * b * R^-1) mod n.

Useful for chaining operations in Montgomery form.

pub fn arithmetic_add_blocking( &mut self, a: &[u8], b: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute arithmetic addition: result = a + b.

Note: the result may be one word larger than the inputs if there is overflow.

pub fn arithmetic_sub_blocking( &mut self, a: &[u8], b: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute arithmetic subtraction: result = a - b.

Note: if a < b, the result is the two’s complement.

pub fn comparison_blocking( &mut self, a: &[u8], b: &[u8], ) -> Result<ComparisonResult, Error>

Compare two big integers.

Returns whether a < b, a == b, or a > b.

pub fn modular_red_blocking( &mut self, a: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute modular reduction: result = a mod n.

pub fn ecc_complete_add_blocking( &mut self, curve: &EcdsaCurveParams, p: &EccProjectivePoint, q: &EccProjectivePoint, result: &mut EccProjectivePoint, ) -> Result<(), Error>

ECC complete point addition in projective coordinates: R = P + Q.

Handles all edge cases (point at infinity, point doubling, etc.).

Output representation

The result is in Jacobian projective coordinates, where the affine point is recovered as x = X / Z^2 mod p, y = Y / Z^3 mod p. To convert the result to affine, call jacobian_to_affine_blocking – not projective_to_affine_blocking, which uses the standard-projective formula and will return wrong values.

Arguments

• curve – Curve parameters.
• p – First point in projective coordinates.
• q – Second point in projective coordinates.
• result – Output point in Jacobian projective coordinates.

pub fn double_base_ladder_blocking( &mut self, curve: &EcdsaCurveParams, k: &[u8], p: &EccProjectivePoint, m: &[u8], q: &EccProjectivePoint, result: &mut EccPoint, ) -> Result<(), Error>

ECC double base ladder: result = k*P + m*Q (side-channel resistant).

Computes the linear combination of two points using the double base ladder algorithm, which provides side-channel resistance.

Arguments

• curve – Curve parameters.
• k – Scalar for point P.
• p – First point in projective coordinates.
• m – Scalar for point Q.
• q – Second point in projective coordinates.
• result – Output point in affine coordinates.

pub fn projective_to_affine_blocking( &mut self, modulus: &[u8], montgomery_param: &[u32], point: &EccProjectivePoint, result: &mut EccPoint, ) -> Result<(), Error>

Convert a point from projective to affine coordinates.

Arguments

• modulus – The curve modulus p.
• montgomery_param – Pre-computed Montgomery parameter R^2 mod p.
• point – Point in projective coordinates.
• result – Output point in affine coordinates.

pub fn jacobian_to_affine_blocking( &mut self, modulus: &[u8], point: &EccProjectivePoint, result: &mut EccPoint, ) -> Result<(), Error>

Convert a Jacobian projective point (X, Y, Z) to affine (x, y), computing x = X * Z^-2 mod p and y = Y * Z^-3 mod p.

This is the correct normalization for the output of ecc_complete_add_blocking, which produces points in Jacobian projective form. Do not use projective_to_affine_blocking for that purpose – it implements the standard projective formula x = X/Z, y = Y/Z, which gives incorrect results for Jacobian input.

Implemented as a chain of 9 PKA ops: 1 modular_inv, 4 arithmetic_mul, 4 modular_red.

impl<'d, T: Instance> Pka<'d, T, Async>

pub async fn ecdsa_verify( &mut self, curve: &EcdsaCurveParams, public_key: &EcdsaPublicKey<'_>, signature: &EcdsaSignature<'_>, message_hash: &[u8], ) -> Result<bool, Error>

Verify an ECDSA signature.

Arguments

• curve – Curve parameters.
• public_key – Public key (Qx, Qy).
• signature – Signature (r, s).
• message_hash – Hash of the message being verified.

Returns

Ok(true) if the signature is valid, Ok(false) if invalid.

pub async fn ecdsa_sign( &mut self, curve: &EcdsaCurveParams, private_key: &[u8], k: &[u8], message_hash: &[u8], signature_r: &mut [u8], signature_s: &mut [u8], ) -> Result<(), Error>

Generate an ECDSA signature.

Arguments

• curve – Curve parameters.
• private_key – Private key d.
• k – Random nonce (MUST be cryptographically random and unique per signature!).
• message_hash – Hash of the message to sign.
• signature_r, signature_s – Output buffers for the (r, s) signature.

Security Warning

The k value MUST be:

• Cryptographically random
• Unique for every signature
• Never reused or predictable

Failure to ensure this will compromise the private key.

pub async fn ecc_mul( &mut self, curve: &EcdsaCurveParams, k: &[u8], point_x: &[u8], point_y: &[u8], result: &mut EccPoint, ) -> Result<(), Error>

Perform ECC scalar multiplication: result = k * P.

This is the core operation for ECDH key agreement:

• To generate a public key: public = private_key * G (generator point).
• To compute a shared secret: shared = my_private * peer_public.

Arguments

• curve – Curve parameters.
• k – Scalar multiplier.
• point_x, point_y – Input point coordinates.
• result – Output point (must be initialized with the correct size).

pub async fn point_check( &mut self, curve: &EcdsaCurveParams, point_x: &[u8], point_y: &[u8], ) -> Result<bool, Error>

Check if a point is on the curve.

Call this to validate any externally-provided public key before using it in cryptographic operations.

pub async fn modular_exp( &mut self, base: &[u8], exponent: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Perform modular exponentiation: result = base^exp mod n.

This is the core RSA operation:

• Encryption: ciphertext = plaintext^e mod n
• Decryption: plaintext = ciphertext^d mod n
• Signing: signature = hash^d mod n
• Verification: hash = signature^e mod n

Arguments

• base – Base value (plaintext/ciphertext).
• exponent – Exponent (e for encrypt/verify, d for decrypt/sign).
• modulus – RSA modulus n.
• result – Output buffer (must be at least the size of modulus).

pub async fn rsa_crt_exp( &mut self, ciphertext: &[u8], params: &RsaCrtParams<'_>, result: &mut [u8], ) -> Result<(), Error>

Perform RSA CRT exponentiation for fast decryption.

Uses the Chinese Remainder Theorem for ~4x faster RSA private-key operations than modular_exp.

Arguments

• ciphertext – Encrypted data.
• params – CRT parameters (p, q, dp, dq, qinv).
• result – Output buffer.

pub async fn modular_inv( &mut self, a: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute modular inverse: result = a^(-1) mod n.

pub async fn modular_add( &mut self, a: &[u8], b: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute modular addition: result = (a + b) mod n.

pub async fn modular_sub( &mut self, a: &[u8], b: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute modular subtraction: result = (a - b) mod n.

pub async fn arithmetic_mul( &mut self, a: &[u8], b: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute arithmetic multiplication: result = a * b.

pub async fn montgomery_param( &mut self, modulus: &[u8], result: &mut [u32], ) -> Result<(), Error>

Compute the Montgomery parameter R^2 mod n.

Required for fast modular exponentiation and other Montgomery-form operations. The result should be stored and reused for multiple operations against the same modulus.

Arguments

• modulus – The modulus n.
• result – Output buffer for R^2 mod n (must be at least ceil(modulus.len() / 4) u32 words).

pub async fn modular_exp_fast( &mut self, base: &[u8], exponent: &[u8], modulus: &[u8], montgomery_param: &[u32], result: &mut [u8], ) -> Result<(), Error>

Perform modular exponentiation with pre-computed Montgomery parameter (fast mode).

Faster than modular_exp when the Montgomery parameter has already been computed (via montgomery_param).

Arguments

• base – Base value.
• exponent – Exponent.
• modulus – Modulus n.
• montgomery_param – Pre-computed Montgomery parameter R^2 mod n.
• result – Output buffer (must be at least the size of modulus).

pub async fn modular_exp_protect( &mut self, params: &ModExpProtectParams<'_>, result: &mut [u8], ) -> Result<(), Error>

Perform modular exponentiation with side-channel protection.

Provides constant-time execution to protect against timing and power analysis attacks. Requires phi(n) as input.

Arguments

• params – Protected-mode parameters including phi(n).
• result – Output buffer (must be at least the size of params.modulus).

pub async fn montgomery_mul( &mut self, a: &[u8], b: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Perform Montgomery multiplication: result = (a * b * R^-1) mod n.

Useful for chaining operations in Montgomery form.

pub async fn arithmetic_add( &mut self, a: &[u8], b: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute arithmetic addition: result = a + b.

Note: the result may be one word larger than the inputs if there is overflow.

pub async fn arithmetic_sub( &mut self, a: &[u8], b: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute arithmetic subtraction: result = a - b.

Note: if a < b, the result is the two’s complement.

pub async fn comparison( &mut self, a: &[u8], b: &[u8], ) -> Result<ComparisonResult, Error>

Compare two big integers.

Returns whether a < b, a == b, or a > b.

pub async fn modular_red( &mut self, a: &[u8], modulus: &[u8], result: &mut [u8], ) -> Result<(), Error>

Compute modular reduction: result = a mod n.

pub async fn ecc_complete_add( &mut self, curve: &EcdsaCurveParams, p: &EccProjectivePoint, q: &EccProjectivePoint, result: &mut EccProjectivePoint, ) -> Result<(), Error>

ECC complete point addition in projective coordinates: R = P + Q.

Handles all edge cases (point at infinity, point doubling, etc.).

Output representation

The result is in Jacobian projective coordinates, where the affine point is recovered as x = X / Z^2 mod p, y = Y / Z^3 mod p. To convert the result to affine, call jacobian_to_affine – not projective_to_affine, which uses the standard-projective formula and will return wrong values.

Arguments

• curve – Curve parameters.
• p – First point in projective coordinates.
• q – Second point in projective coordinates.
• result – Output point in Jacobian projective coordinates.

pub async fn double_base_ladder( &mut self, curve: &EcdsaCurveParams, k: &[u8], p: &EccProjectivePoint, m: &[u8], q: &EccProjectivePoint, result: &mut EccPoint, ) -> Result<(), Error>

ECC double base ladder: result = k*P + m*Q (side-channel resistant).

Computes the linear combination of two points using the double base ladder algorithm, which provides side-channel resistance.

Arguments

• curve – Curve parameters.
• k – Scalar for point P.
• p – First point in projective coordinates.
• m – Scalar for point Q.
• q – Second point in projective coordinates.
• result – Output point in affine coordinates.

pub async fn projective_to_affine( &mut self, modulus: &[u8], montgomery_param: &[u32], point: &EccProjectivePoint, result: &mut EccPoint, ) -> Result<(), Error>

Convert a point from projective to affine coordinates.

Arguments

• modulus – The curve modulus p.
• montgomery_param – Pre-computed Montgomery parameter R^2 mod p.
• point – Point in projective coordinates.
• result – Output point in affine coordinates.

pub async fn jacobian_to_affine( &mut self, modulus: &[u8], point: &EccProjectivePoint, result: &mut EccPoint, ) -> Result<(), Error>

Convert a Jacobian projective point (X, Y, Z) to affine (x, y), computing x = X * Z^-2 mod p and y = Y * Z^-3 mod p.

This is the correct normalization for the output of ecc_complete_add, which produces points in Jacobian projective form. Do not use projective_to_affine for that purpose – it implements the standard projective formula x = X/Z, y = Y/Z, which gives incorrect results for Jacobian input.

Implemented as a chain of 9 PKA ops: 1 modular_inv, 4 arithmetic_mul, 4 modular_red.