1. I really missed an Initialize, Update, Finalize (IUF) interface for
   CCM.

   For GCM, we have mbedtls_gcm_init(), mbedtls_gcm_setkey(),
   mbedtls_gcm_starts(), mbedtls_gcm_update() iterated,
   mbedtls_gcm_finish(), mbedtls_gcm_free() or the comfort functions
   mbedtls_gcm_crypt_and_tag() and mbedtls_gcm_auth_decrypt(). For
   CCM, only mbedtls_ccm_init(), mbedtls_ccm_setkey(),
   mbedtls_ccm_encrypt_and_tag() or mbedtls_ccm_auth_decrypt() and
   mbedtls_ccm_free(). With this interface it was only possible to
   encrypt and tag 128 kByte on my target system, while with GCM I
   could encrypt much larger files.

   see Github issue #662 and my comment there

2. The next step, of course, is to integrate this into the higher
   mbedtls_cipher layer.

   Regarding higher, abstract layers: I often didn't understand which
   interface I was supposed to use. In general, I like to use the
   lowest available interface, for example, #include
   "mbedtls/sha512.h" when I want to use sha512. However, if I need
   HMAC-SHA-512 or HKDF-HMAC-SHA-512 then I have to use the interface
   in md.h. For hash functions this is fine. Almost all hash functions
   are supported via md.h. (I missed SHA-512/256 which is sometimes
   preferable to SHA-256 on 64bit systems).

   But with cipher.h, I can only access Chacha20Poly1305 and AES-GCM,
   not AES-CCM.

4. That I couldn't configure AES-256 only, i.e. without AES-128 and
   AES-192, was to be expected (and the code overhead is not that
   much). But in modern modes of operations nobody needs AES
   decryption, only the forward direction. Sometimes modern
   publications as Schwabe/Stoffelen "All the AES you need on
   Cortex-M3 and M4" provide only the forward direction.

   So, it would be fine if one could configure an AES (ECB) encryption
   only without decryption.

   Of course, this is only possible if we don't use CBC mode, etc.
   This wouldn't only save the AES decryption code but also the rather
   large T-tables for decryption.

5. Regarding AES or better the AES context-type definition

[snip]

6. In general, the contexts of mbedTLS are rather full of
   implementation specific details. Most extreme is mbedtls_ecp_group
   in ecp.h. Wouldn't it be clearer if one separates the standard
   things (domain parameters in this case) from implementation
   specific details?

9. Regarding ECC examples: I found it very difficult that there isn't
   a single example with known test vectors as in the relevant crypto
   standards, i.e. FIPS 186-4 and ANSI X9.62-2005, with raw public
   keys. What I mean are (defined) curves, public key value Q=(Qx,Qy)
   and known signature values r and s. In the example ecdsa.c you
   generate your own key pair and read/write the signature in
   serialized form. In the example programs/pkey/pk_sign.c and
   pk_verify.c you use a higher interface pk.h and keys in PEM format.

   So, it took me a while for a program to verify (all) known answer
   tests in the standards (old standards as ANSI X9.62 1998 have more
   detailed known answer tests). One needs this interface with raw
   public keys for example for CAVP tests, see The FIPS 186-4 Elliptic
   Curve Digital Signature Algorithm Validation System (ECDSA2VS).

11. In the moment, there is no single known answer tests for ECDSA
    (which could be activated with #define MBEDTLS_SELF_TEST). I
    wouldn't say that you need an example for every curve and hash
    combination, as it is done in ECDSA2VS CAVP, but one example for
    one of the NIST curves and one for Curve25519 and - if I have a
    wish free - one for Brainpool would be fine. And this would solve
    #9 above.

10. While debugging mbedtls_ecdsa_verify() in my example program, I
    found out, that the ECDSA, ECC and MPI operations are very, let's
    say, nested. So, IMHO there is a lot of function call overhead and
    special cases. It would be interesting to see what's the
    performance impact of a clean, straight-forward
    mbedtls_ecdsa_verify without restartable code, etc. to the current
    one.

12. Just a minor issue: I only needed ECDSA signature verification,
    therefore I only included MBEDTLS_ASN1_PARSE_C. But it is not
    possible to compile without MBEDTLS_ASN1_WRITE_C needed for ECDSA
    signature generation.

14. Design question: In the moment, both GCM and CCM use their own
    implementation of CTR encryption which is very simple. But then we
    have mbedtls_aes_crypt_ctr() in aes.h which is very simple, too.
    Let's assume at one day we have a performance optimized CTR
    encryption (for example from Schwabe & Stoffelen) with all fancy
    stuff like counter-mode caching etc. Then this would have to be
    replaced at three places at minimum.  While isn't the code at this
    point more modularized? Is this a dedicated design decision?

    Why do I find at so many places

    for( i = 0; i < 16; i++ )                                              
        y[i] ^= b[i];

    instead of a fast 128-bit XOR macro with 32bit aligned data?

So, that's it for the moment. I hope I could give some hints for the
further development of mbedTLS. Feel free to discuss any of the above
points. It's clear to me that we cannot have both: clear and simple to
understand code and performance records.

Ciao,

Torsten