Dear MbedTLS contributors,
I'm reaching out with a question regarding the ECDH and similar interfaces on the MbedTLS development branch. I hope this mailing list is the appropriate venue for this discussion.
I am preparing a pull request for an implementation of the Hybrid Public Key Encryption (HPKE) standard for MbedTLS/TF-PSA-Crypo. It seems like the development branch at TF-PSA-Crypo does not seem to support ecdh.h anymore. While this is not seem to be explicitly stated anywhere, there are instructions on how to use the PSA interface instead to create ECDH keys.
Now my question: So the my code meets the desired quality criteria, does all other key interfaces also have to be changed? I am using the ECP interface a lot, so mbedtls_ecp_group_init, mbedtls_ecp_point_init, mbedtls_ecp_keypair_init and so on. The functions are still available but the instructions in psa_tranistion.md in Section "translating a legacy ephemeral key agreement TLS server workflow" make me believe that using non-psa key interfaces might be undesirable in MbedTLS in general.
I would greatly appreciate any clarification on this matter.
Best regards, Leonie
[ABB logotype]
—
Dr. Leonie Reichert Research Scientist "Secure Connected Systems" ABB AG Kallstadter Strasse 1 Mannheim Mobile: +49 160 99002896 E-mail: leonie.reichert@de.abb.commailto:leonie.reichert@de.abb.com abb.comhttps://www.abb.com/
[ABB logotype]
ABB AG Sitz/Head Office: Mannheim Registergericht/Registry Court: Mannheim Handelsregisternummer/Commercial Register No.: HRB 4664 Vorstand/Managing Board: Klaus Eble (Vorsitzender/Chairman), Alexander Zumkeller Vorsitzender des Aufsichtsrats/ Chairman of Supervisory Board: Adrian Guggisberg
Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet. Bitte beachten Sie auch unsere Datenschutzerklärung, die Sie auf unserer Webseitehttps://new.abb.com/privacy-policy/de/datenschutz finden.
This E-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this E-mail in error) please notify the sender immediately and destroy this E-mail. Any unauthorized copying, disclosure or distribution of the material in this E-mail is strictly forbidden. Please also take note of our privacy notice, which you can find on our webpagehttps://new.abb.com/privacy-notice.
Hello,
<mbedtls/ecdh.h>, <mbedtls/ecp.h> and other low-level interfaces have been removed in TF-PSA-Crypto 1.0. Many are still present internally, but there is no stability guarantee and they may go away or become more limited over time. As you've seen, the PSA transition guide explains how to migrate to PSA APIs. All crypto APIs are now either PSA APIs, or a layer over PSA APIs for functionality that PSA doesn't cover. (Plus crypto-adjacent APIs that are largely unchanged for things like ASN.1, base64, etc.)
Note that if you're using #include <mbedtls/private/...> or #define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS, you are using unsupported interfaces and you can expect your code to break in future versions of the library.
For ecdh.h functions, you may need to change your workflow a bit, but I can't think of anything that psa_raw_key_agreement() can't do. On the other hand, the new API does not give you direct access to ECC arithmetic: there is a loss of functionality compared to ecp.h.
But do you need anything beyond ECDH (plus of course some symmetric crypto) for HKPE? I thought it didn't need any “fancy” elliptic curve arithmetic.
Best regards,
Hello Gilles,
Thank you for the quick response. I appreciate the clarification regarding the mbedtls/private interfaces and their lack of long-term support. My HPKE implementation relies on several private features: GCM encryption, HKDF key derivation, bignum operations for sequence numbers and nonces, hashing, ECDH key agreement, and extensive key serialization and validation.
Given these dependencies, it appears more substantial rework than I initially anticipated. I'll follow the PSA transition guide to identify the best approach for each component. Thank you for your help!
Best regards, Leonie
________________________________ From: Gilles Peskine gilles.peskine@arm.com Sent: Tuesday, March 3, 2026 20:21 To: Leonie Reichert leonie.reichert@de.abb.com; mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org Subject: Re: [mbed-tls] ECDH and key interfaces on development branch
BeSecure! This email comes from outside of ABB. Make sure you verify the sender before clicking any links or downloading/opening attachments. If this email looks suspicious, report it by clicking 'Report Phishing' button in Outlook or raising a ticket on MyIS.
Hello,
<mbedtls/ecdh.h>, <mbedtls/ecp.h> and other low-level interfaces have been removed in TF-PSA-Crypto 1.0. Many are still present internally, but there is no stability guarantee and they may go away or become more limited over time. As you've seen, the PSA transition guide explains how to migrate to PSA APIs. All crypto APIs are now either PSA APIs, or a layer over PSA APIs for functionality that PSA doesn't cover. (Plus crypto-adjacent APIs that are largely unchanged for things like ASN.1, base64, etc.)
Note that if you're using #include <mbedtls/private/...> or #define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS, you are using unsupported interfaces and you can expect your code to break in future versions of the library.
For ecdh.h functions, you may need to change your workflow a bit, but I can't think of anything that psa_raw_key_agreement() can't do. On the other hand, the new API does not give you direct access to ECC arithmetic: there is a loss of functionality compared to ecp.h.
But do you need anything beyond ECDH (plus of course some symmetric crypto) for HKPE? I thought it didn't need any “fancy” elliptic curve arithmetic.
Best regards,
-- Gilles Peskine TF-PSA-Crypto and Mbed TLS developer
On 03/03/2026 17:02, Leonie Reichert via mbed-tls wrote: Dear MbedTLS contributors,
I'm reaching out with a question regarding the ECDH and similar interfaces on the MbedTLS development branch. I hope this mailing list is the appropriate venue for this discussion.
I am preparing a pull request for an implementation of the Hybrid Public Key Encryption (HPKE) standard for MbedTLS/TF-PSA-Crypo. It seems like the development branch at TF-PSA-Crypo does not seem to support ecdh.h anymore. While this is not seem to be explicitly stated anywhere, there are instructions on how to use the PSA interface instead to create ECDH keys.
Now my question: So the my code meets the desired quality criteria, does all other key interfaces also have to be changed? I am using the ECP interface a lot, so mbedtls_ecp_group_init, mbedtls_ecp_point_init, mbedtls_ecp_keypair_init and so on. The functions are still available but the instructions in psa_tranistion.md in Section "translating a legacy ephemeral key agreement TLS server workflow" make me believe that using non-psa key interfaces might be undesirable in MbedTLS in general.
I would greatly appreciate any clarification on this matter.
Best regards, Leonie
[ABB logotype]
—
Dr. Leonie Reichert Research Scientist "Secure Connected Systems" ABB AG Kallstadter Strasse 1 Mannheim Mobile: +49 160 99002896 E-mail: leonie.reichert@de.abb.commailto:leonie.reichert@de.abb.com abb.comhttps://www.abb.com/
[ABB logotype]
ABB AG Sitz/Head Office: Mannheim Registergericht/Registry Court: Mannheim Handelsregisternummer/Commercial Register No.: HRB 4664 Vorstand/Managing Board: Klaus Eble (Vorsitzender/Chairman), Alexander Zumkeller Vorsitzender des Aufsichtsrats/ Chairman of Supervisory Board: Adrian Guggisberg
Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet. Bitte beachten Sie auch unsere Datenschutzerklärung, die Sie auf unserer Webseitehttps://new.abb.com/privacy-policy/de/datenschutz finden.
This E-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this E-mail in error) please notify the sender immediately and destroy this E-mail. Any unauthorized copying, disclosure or distribution of the material in this E-mail is strictly forbidden. Please also take note of our privacy notice, which you can find on our webpagehttps://new.abb.com/privacy-notice.
mbed-tls@lists.trustedfirmware.org
-
Gilles Peskine -
Leonie Reichert