1 /*
2  * Copyright (c) 2015, Google Inc.
3  *
4  * Permission to use, copy, modify, and/or distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
11  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
13  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
14  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #ifndef HEADER_CURVE25519_INTERNAL_H
18 #define HEADER_CURVE25519_INTERNAL_H
19 
20 #include <stdint.h>
21 
22 __BEGIN_HIDDEN_DECLS
23 
/* fe means field element. Here the field is \Z/(2^255-19). An element t,
 * entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
 * t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
 * context.
 *
 * fe is an array type: as a function parameter it decays to int32_t *, so
 * sizeof on an fe parameter yields the pointer size, and an fe cannot be
 * assigned or returned by value.
 *
 * NOTE(review): because the limb bounds vary, one field value can presumably
 * have more than one limb encoding; do not compare fe values limb by limb
 * without confirming that both operands are fully reduced. */
typedef int32_t fe[10];
29 
/* ge means group element.
 *
 * Here the group is the set of pairs (x,y) of field elements (see fe above)
 * satisfying -x^2 + y^2 = 1 + d x^2y^2
 * where d = -121665/121666.
 *
 * Representations:
 *   ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
 *   ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
 *   ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
 *   ge_precomp (Duif): (y+x,y-x,2dxy) */
41 
/* ge_p2: projective representation (X:Y:Z) of a group element, with
 * x=X/Z and y=Y/Z. */
typedef struct {
  fe X;
  fe Y;
  fe Z;
} ge_p2;
47 
/* ge_p3: extended representation (X:Y:Z:T) of a group element, with
 * x=X/Z, y=Y/Z and the invariant XY=ZT.
 *
 * T is determined by the other three coordinates, so code that fills in a
 * ge_p3 by hand has to keep XY=ZT true. */
typedef struct {
  fe X;
  fe Y;
  fe Z;
  fe T;
} ge_p3;
54 
/* ge_p1p1: completed representation ((X:Z),(Y:T)) of a group element, with
 * x=X/Z and y=Y/T.
 *
 * The member names match ge_p3 but their meaning does not (here y=Y/T, there
 * y=Y/Z), so a ge_p1p1 must not be reinterpreted as a ge_p3; convert with
 * x25519_ge_p1p1_to_p2() or x25519_ge_p1p1_to_p3(). */
typedef struct {
  fe X;
  fe Y;
  fe Z;
  fe T;
} ge_p1p1;
61 
/* ge_precomp: precomputed representation (y+x, y-x, 2dxy) of a group
 * element, expressed in terms of x and y directly (there is no Z member). */
typedef struct {
  fe yplusx;   /* y+x */
  fe yminusx;  /* y-x */
  fe xy2d;     /* 2dxy */
} ge_precomp;
67 
/* ge_cached: operand form produced by x25519_ge_p3_to_cached() and taken as
 * the second operand of x25519_ge_add() and x25519_ge_sub().
 *
 * NOTE(review): this header does not describe the representation; the member
 * names suggest (Y+X, Y-X, Z, 2dT) - confirm against the implementation. */
typedef struct {
  fe YplusX;
  fe YminusX;
  fe Z;
  fe T2d;
} ge_cached;
74 
/* Group-element and scalar primitives.
 *
 * Array bounds written in parameter lists (a[32], precomp_table[15 * 2 * 32])
 * are documentation only: C does not enforce them, so every caller has to
 * supply a buffer of at least that size itself.
 *
 * NOTE(review): apart from the function named *_vartime, the declarations do
 * not say whether running time is independent of the scalar; confirm in the
 * definitions before passing secret scalars. */

/* Encodes the ge_p2 point h into the buffer s.
 * NOTE(review): s carries no length here; presumably 32 bytes, like the other
 * encodings in this header - confirm against the definition. */
void x25519_ge_tobytes(uint8_t *s, const ge_p2 *h);
/* Decodes the bytes at s into the ge_p3 point h and returns an int status.
 * NOTE(review): the success/failure convention and the length of s are not
 * visible here - confirm both, and check the result before using h.
 * The _vartime suffix indicates that running time may depend on the input,
 * so this is presumably meant for public encodings only - confirm. */
int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s);
/* Converts the extended point p into cached form r. */
void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p);
/* Converts the completed point p into projective form r. */
void x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p);
/* Converts the completed point p into extended form r. */
void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p);
/* Group addition; presumably r = p + q, with r in completed form. */
void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q);
/* Group subtraction; presumably r = p - q, with r in completed form. */
void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q);
/* Scalar multiplication driven by a caller-supplied table: a is a 32-byte
 * scalar and precomp_table is 15 * 2 * 32 = 960 bytes.
 * NOTE(review): the table layout and the point it encodes are not described
 * in this header - confirm against the definition. */
void x25519_ge_scalarmult_small_precomp(ge_p3 *h, const uint8_t a[32],
    const uint8_t precomp_table[15 * 2 * 32]);
/* Presumably h = a * (base point), with a a 32-byte scalar. */
void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]);
/* Presumably r = scalar * A.
 * NOTE(review): scalar carries no length here; presumably 32 bytes, as for
 * the other scalar parameters - confirm. */
void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A);
/* Reduces the scalar stored at s in place (s is both input and output).
 * NOTE(review): no length is declared; ref10-style code reduces a 64-byte
 * little-endian value modulo the group order here - confirm the required
 * buffer size before calling. */
void x25519_sc_reduce(uint8_t *s);
87 
/* Writes the 32-byte public value that corresponds to the 32-byte
 * private_key into out_public_value.
 *
 * private_key is secret material and is only read (const).
 * NOTE(review): whether the scalar is clamped here and whether intermediates
 * are cleared cannot be seen from the declaration - confirm in the
 * definition. */
void x25519_public_from_private(uint8_t out_public_value[32],
    const uint8_t private_key[32]);
90 
/* X25519 scalar multiplication: writes 32 bytes to out from a 32-byte scalar
 * and a 32-byte point.
 *
 * Both functions return void, so they cannot report a degenerate result. If
 * the protocol requires rejecting an all-zero output (RFC 7748, section 6.1),
 * that check has to be made by the caller or a wrapper.
 *
 * NOTE(review): the two entry points share a signature; the name suggests
 * x25519_scalar_mult_generic is the portable implementation that
 * x25519_scalar_mult may fall back to - confirm. */
void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
    const uint8_t point[32]);
void x25519_scalar_mult_generic(uint8_t out[32], const uint8_t scalar[32],
    const uint8_t point[32]);
95 
96 __END_HIDDEN_DECLS
97 
98 #endif  /* HEADER_CURVE25519_INTERNAL_H */
99