diff --git a/CHANGELOG b/CHANGELOG
deleted file mode 100644
index 2d46afe..0000000
--- a/CHANGELOG
+++ /dev/null
@@ -1,34 +0,0 @@
-libuecc v7 (2016/03/27)
-
-* Change conversion between Ed25519 and legacy representation. This should
- not affect any operations unless Ed25519 and legacy load/store
- functions are mixed when accessing a work structure. Doing so is now
- officially supported, for example to convert a legacy public key to
- Ed25519 format.
-* The changed representation allows to use the same
- ecc_25519_work_default_base for both Ed25519 and legacy.
- ecc_25519_work_default_base and ecc_25519_scalarmult_base have been
- undeprecated, ecc_25519_work_base_ed25519 and
- ecc_25519_work_base_legacy are deprecated now.
-* All points are now internally represented with Ed25519 coordinates, which
- allows about 6% faster scalar multplication than the legacy
- representation.
-* ecc_25519_scalarmult_base has been further optimized, making it another
- 6% faster than normal ecc_25519_scalarmult.
-
-
-libuecc v6 (2015/10/25)
-
-* Fixes a bug which might have caused a point's y coordinate to be negated
- in certain circumstances when the point was stored in packed
- representation and loaded again. It is extremely improbable that this
- has ever actually happened, as only a small range of coordinates was
- affected.
-* Use stdint types to clarify ABI and add support for systems with
- sizeof(int) < 4 (this is not an ABI break in practise as all systems on
- which libuecc has been used in the past should have int == int32_t)
-* Add point negation and subtraction functions
-* Rename all point access functions to bear a _legacy suffix (the old names
- are still available, but marked as deprecated)
-* Add new point access functions and a new generator point that are
- compatible with Ed25519
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 779ac41..3479c1e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 2.6)
 project(LIBUECC C)
-set(PROJECT_VERSION 7)
+set(PROJECT_VERSION 4)
 set(CMAKE_MODULE_PATH ${LIBUECC_SOURCE_DIR})
diff --git a/COPYRIGHT b/COPYRIGHT
index dd4294c..ed0b08d 100644
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -1,4 +1,4 @@
-Copyright (c) 2012-2015, Matthias Schiffer
+Copyright (c) 2012, Matthias Schiffer
 Partly based on public domain code by Matthew Dempsky and D. J. Bernstein.
 All rights reserved.
diff --git a/Doxyfile.in b/Doxyfile.in
index 5a5b547..1f75c48 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -1,4 +1,4 @@
-# Doxyfile 1.8.9.1
+# Doxyfile 1.8.5
 # This file describes the settings to be used by the documentation system
 # doxygen (www.doxygen.org) for a project.
@@ -46,10 +46,10 @@ PROJECT_NUMBER = "@PROJECT_VERSION@"
 PROJECT_BRIEF =
-# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
-# in the documentation. The maximum height of the logo should not exceed 55
-# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
-# the logo to the output directory.
+# With the PROJECT_LOGO tag one can specify an logo or icon that is included in
+# the documentation. The maximum height of the logo should not exceed 55 pixels
+# and the maximum width should not exceed 200 pixels. Doxygen will copy the logo
+# to the output directory.
 PROJECT_LOGO =
@@ -60,7 +60,7 @@ PROJECT_LOGO =
 OUTPUT_DIRECTORY = "@DOXYFILE_OUTPUT_DIR@"
-# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub-
 # directories (in 2 levels) under the output directory of each output format and
 # will distribute the generated files over these directories. Enabling this
 # option can be useful when feeding doxygen a huge amount of source files, where
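Review bot: `set(PROJECT_VERSION 4)` moves the version backwards from 7, so this hunk is a downgrade rather than a bump, and the same commit deletes the CHANGELOG whose v6 entry records a fix for a packed-representation point's y coordinate being negated on load. Whether the library code that those entries describe is also being reverted is not visible in this diff, but a consumer comparing PROJECT_VERSION will read the result as a regression to a release that predates that fix. If the tree is intentionally being reset to an older release, the commit description should say so and the CHANGELOG should be kept (with a note on what was reverted) rather than removed; if not, the version line should stay at 7. The CHANGELOG and COPYRIGHT hunks share this point.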
@@ -70,37 +70,27 @@ OUTPUT_DIRECTORY = "@DOXYFILE_OUTPUT_DIR@" CREATE_SUBDIRS = NO -# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII -# characters to appear in the names of generated files. If set to NO, non-ASCII -# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode -# U+3044. -# The default value is: NO. - -ALLOW_UNICODE_NAMES = NO - # The OUTPUT_LANGUAGE tag is used to specify the language in which all # documentation generated by doxygen is written. Doxygen will use this # information to generate all constant output in the proper language. -# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese, -# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States), -# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian, -# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages), -# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian, -# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian, -# Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish, -# Ukrainian and Vietnamese. +# Possible values are: Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese- +# Traditional, Croatian, Czech, Danish, Dutch, English, Esperanto, Farsi, +# Finnish, French, German, Greek, Hungarian, Italian, Japanese, Japanese-en, +# Korean, Korean-en, Latvian, Norwegian, Macedonian, Persian, Polish, +# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish, +# Turkish, Ukrainian and Vietnamese. # The default value is: English. OUTPUT_LANGUAGE = English -# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member +# If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member # descriptions after the members that are listed in the file and class # documentation (similar to Javadoc). Set to NO to disable this. # The default value is: YES. 
BRIEF_MEMBER_DESC = YES -# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief +# If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief # description of a member or function before the detailed description # # Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the @@ -135,7 +125,7 @@ ALWAYS_DETAILED_SEC = NO INLINE_INHERITED_MEMB = NO -# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path +# If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path # before files name in the file list and in the header files. If set to NO the # shortest path that makes the file name unique will be used # The default value is: YES. @@ -205,9 +195,9 @@ MULTILINE_CPP_IS_BRIEF = NO INHERIT_DOCS = YES -# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new -# page for each member. If set to NO, the documentation of a member will be part -# of the file/class/namespace that contains it. +# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a +# new page for each member. If set to NO, the documentation of a member will be +# part of the file/class/namespace that contains it. # The default value is: NO. SEPARATE_MEMBER_PAGES = NO 
@@ -269,14 +259,11 @@ OPTIMIZE_OUTPUT_VHDL = NO # extension. Doxygen has a built-in mapping, but you can override or extend it # using this tag. The format is ext=language, where ext is a file extension, and # language is one of the parsers supported by doxygen: IDL, Java, Javascript, -# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran: -# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran: -# Fortran. In the later case the parser tries to guess whether the code is fixed -# or free formatted code, this is the default for Fortran type files), VHDL. For -# instance to make doxygen treat .inc files as Fortran files (default is PHP), -# and .f files as C (default is Fortran), use: inc=Fortran f=C. +# C#, C, C++, D, PHP, Objective-C, Python, Fortran, VHDL. For instance to make +# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C +# (default is Fortran), use: inc=Fortran f=C. # -# Note: For files without extension you can use no_extension as a placeholder. +# Note For files without extension you can use no_extension as a placeholder. # # Note that for custom extensions you also need to set FILE_PATTERNS otherwise # the files are not read by doxygen. @@ -295,8 +282,8 @@ MARKDOWN_SUPPORT = YES # When enabled doxygen tries to link words that correspond to documented # classes, or namespaces to their corresponding documentation. Such a link can -# be prevented in individual cases by putting a % sign in front of the word or -# globally by setting AUTOLINK_SUPPORT to NO. +# be prevented in individual cases by by putting a % sign in front of the word +# or globally by setting AUTOLINK_SUPPORT to NO. # The default value is: YES. AUTOLINK_SUPPORT = YES 
@@ -336,7 +323,7 @@ SIP_SUPPORT = NO IDL_PROPERTY_SUPPORT = YES # If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC -# tag is set to YES then doxygen will reuse the documentation of the first +# tag is set to YES, then doxygen will reuse the documentation of the first # member in the group (if any) for the other members of the group. By default # all members of a group must be documented explicitly. # The default value is: NO. @@ -401,7 +388,7 @@ LOOKUP_CACHE_SIZE = 0 # Build related configuration options #--------------------------------------------------------------------------- -# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in +# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in # documentation are documented, even if no documentation was available. Private # class members and static file members will be hidden unless the # EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES. 
@@ -411,35 +398,35 @@ LOOKUP_CACHE_SIZE = 0 EXTRACT_ALL = YES -# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will +# If the EXTRACT_PRIVATE tag is set to YES all private members of a class will # be included in the documentation. # The default value is: NO. EXTRACT_PRIVATE = NO -# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal +# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal # scope will be included in the documentation. # The default value is: NO. EXTRACT_PACKAGE = NO -# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be +# If the EXTRACT_STATIC tag is set to YES all static members of a file will be # included in the documentation. # The default value is: NO. EXTRACT_STATIC = YES -# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined -# locally in source files will be included in the documentation. If set to NO, +# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined +# locally in source files will be included in the documentation. If set to NO # only classes defined in header files are included. Does not have any effect # for Java sources. # The default value is: YES. EXTRACT_LOCAL_CLASSES = YES -# This flag is only useful for Objective-C code. If set to YES, local methods, +# This flag is only useful for Objective-C code. When set to YES local methods, # which are defined in the implementation section but not in the interface are -# included in the documentation. If set to NO, only methods in the interface are +# included in the documentation. If set to NO only methods in the interface are # included. # The default value is: NO. 
@@ -464,21 +451,21 @@ HIDE_UNDOC_MEMBERS = NO # If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all # undocumented classes that are normally visible in the class hierarchy. If set -# to NO, these classes will be included in the various overviews. This option -# has no effect if EXTRACT_ALL is enabled. +# to NO these classes will be included in the various overviews. This option has +# no effect if EXTRACT_ALL is enabled. # The default value is: NO. HIDE_UNDOC_CLASSES = NO # If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend -# (class|struct|union) declarations. If set to NO, these declarations will be +# (class|struct|union) declarations. If set to NO these declarations will be # included in the documentation. # The default value is: NO. HIDE_FRIEND_COMPOUNDS = NO # If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any -# documentation blocks found inside the body of a function. If set to NO, these +# documentation blocks found inside the body of a function. If set to NO these # blocks will be appended to the function's detailed documentation block. # The default value is: NO. @@ -492,7 +479,7 @@ HIDE_IN_BODY_DOCS = NO INTERNAL_DOCS = NO # If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file -# names in lower-case letters. If set to YES, upper-case letters are also +# names in lower-case letters. If set to YES upper-case letters are also # allowed. This is useful if you have classes or files whose names only differ # in case and if your file system supports case sensitive file names. Windows # and Mac users are advised to set this option to NO. 
@@ -501,32 +488,18 @@ INTERNAL_DOCS = NO CASE_SENSE_NAMES = YES # If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with -# their full class and namespace scopes in the documentation. If set to YES, the +# their full class and namespace scopes in the documentation. If set to YES the # scope will be hidden. # The default value is: NO. HIDE_SCOPE_NAMES = NO -# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will -# append additional text to a page's title, such as Class Reference. If set to -# YES the compound reference will be hidden. -# The default value is: NO. - -HIDE_COMPOUND_REFERENCE= NO - # If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of # the files that are included by a file in the documentation of that file. # The default value is: YES. SHOW_INCLUDE_FILES = YES -# If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each -# grouped member an include statement to the documentation, telling the reader -# which file to include in order to use the member. -# The default value is: NO. - -SHOW_GROUPED_MEMB_INC = NO - # If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include # files with double quotes in the documentation rather than with sharp brackets. # The default value is: NO. 
@@ -541,15 +514,14 @@ INLINE_INFO = YES # If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the # (detailed) documentation of file and class members alphabetically by member -# name. If set to NO, the members will appear in declaration order. +# name. If set to NO the members will appear in declaration order. # The default value is: YES. SORT_MEMBER_DOCS = YES # If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief # descriptions of file, namespace and class members alphabetically by member -# name. If set to NO, the members will appear in declaration order. Note that -# this will also influence the order of the classes in the class list. +# name. If set to NO the members will appear in declaration order. # The default value is: NO. SORT_BRIEF_DOCS = NO 
@@ -593,25 +565,27 @@ SORT_BY_SCOPE_NAME = NO STRICT_PROTO_MATCHING = NO -# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo -# list. This list is created by putting \todo commands in the documentation. +# The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the +# todo list. This list is created by putting \todo commands in the +# documentation. # The default value is: YES. GENERATE_TODOLIST = YES -# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test -# list. This list is created by putting \test commands in the documentation. +# The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the +# test list. This list is created by putting \test commands in the +# documentation. # The default value is: YES. GENERATE_TESTLIST = YES -# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug +# The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug # list. This list is created by putting \bug commands in the documentation. # The default value is: YES. GENERATE_BUGLIST = YES -# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO) +# The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO) # the deprecated list. This list is created by putting \deprecated commands in # the documentation. # The default value is: YES. @@ -636,8 +610,8 @@ ENABLED_SECTIONS = MAX_INITIALIZER_LINES = 30 # Set the SHOW_USED_FILES tag to NO to disable the list of files generated at -# the bottom of the documentation of classes and structs. If set to YES, the -# list will mention the files that were used to generate the documentation. +# the bottom of the documentation of classes and structs. If set to YES the list +# will mention the files that were used to generate the documentation. # The default value is: YES. SHOW_USED_FILES = YES 
@@ -685,7 +659,8 @@ LAYOUT_FILE = # to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info. # For LaTeX the style of the bibliography can be controlled using # LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the -# search path. See also \cite for info how to create references. +# search path. Do not use file names with spaces, bibtex cannot handle them. See +# also \cite for info how to create references. CITE_BIB_FILES = @@ -701,7 +676,7 @@ CITE_BIB_FILES = QUIET = YES # The WARNINGS tag can be used to turn on/off the warning messages that are -# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES +# generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES # this implies that the warnings are on. # # Tip: Turn warnings on while writing the documentation. @@ -709,7 +684,7 @@ QUIET = YES WARNINGS = YES -# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate +# If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate # warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag # will automatically be disabled. # The default value is: YES. @@ -726,8 +701,8 @@ WARN_IF_DOC_ERROR = YES # This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that # are documented, but have no documentation for their parameters or return -# value. If set to NO, doxygen will only warn about wrong or incomplete -# parameter documentation, but not about the absence of documentation. +# value. If set to NO doxygen will only warn about wrong or incomplete parameter +# documentation, but not about the absence of documentation. # The default value is: NO. WARN_NO_PARAMDOC = NO 
@@ -876,7 +851,7 @@ INPUT_FILTER = FILTER_PATTERNS = # If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using -# INPUT_FILTER) will also be used to filter the input files that are used for +# INPUT_FILTER ) will also be used to filter the input files that are used for # producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES). # The default value is: NO. @@ -936,7 +911,7 @@ REFERENCED_BY_RELATION = NO REFERENCES_RELATION = NO # If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set -# to YES then the hyperlinks from functions in REFERENCES_RELATION and +# to YES, then the hyperlinks from functions in REFERENCES_RELATION and # REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will # link to the documentation. # The default value is: YES. @@ -1013,7 +988,7 @@ IGNORE_PREFIX = # Configuration options related to the HTML output #--------------------------------------------------------------------------- -# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output +# If the GENERATE_HTML tag is set to YES doxygen will generate HTML output # The default value is: YES. GENERATE_HTML = YES 
@@ -1075,15 +1050,13 @@ HTML_FOOTER = HTML_STYLESHEET = -# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined -# cascading style sheets that are included after the standard style sheets +# The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user- +# defined cascading style sheet that is included after the standard style sheets # created by doxygen. Using this option one can overrule certain style aspects. # This is preferred over using HTML_STYLESHEET since it does not replace the -# standard style sheet and is therefore more robust against future updates. -# Doxygen will copy the style sheet files to the output directory. -# Note: The order of the extra style sheet files is of importance (e.g. the last -# style sheet in the list overrules the setting of the previous ones in the -# list). For an example see the documentation. +# standard style sheet and is therefor more robust against future updates. +# Doxygen will copy the style sheet file to the output directory. For an example +# see the documentation. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_EXTRA_STYLESHEET = @@ -1099,7 +1072,7 @@ HTML_EXTRA_STYLESHEET = HTML_EXTRA_FILES = # The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen -# will adjust the colors in the style sheet and background images according to +# will adjust the colors in the stylesheet and background images according to # this color. Hue is specified as an angle on a colorwheel, see # http://en.wikipedia.org/wiki/Hue for more information. For instance the value # 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300 
@@ -1227,29 +1200,28 @@ GENERATE_HTMLHELP = NO CHM_FILE = # The HHC_LOCATION tag can be used to specify the location (absolute path -# including file name) of the HTML help compiler (hhc.exe). If non-empty, +# including file name) of the HTML help compiler ( hhc.exe). If non-empty # doxygen will try to run the HTML help compiler on the generated index.hhp. # The file has to be specified with full path. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. HHC_LOCATION = -# The GENERATE_CHI flag controls if a separate .chi index file is generated -# (YES) or that it should be included in the master .chm file (NO). +# The GENERATE_CHI flag controls if a separate .chi index file is generated ( +# YES) or that it should be included in the master .chm file ( NO). # The default value is: NO. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. GENERATE_CHI = NO -# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc) +# The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc) # and project file content. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. CHM_INDEX_ENCODING = -# The BINARY_TOC flag controls whether a binary table of contents is generated -# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it -# enables the Previous and Next buttons. +# The BINARY_TOC flag controls whether a binary table of contents is generated ( +# YES) or a normal table of contents ( NO) in the .chm file. # The default value is: NO. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. 
@@ -1362,7 +1334,7 @@ DISABLE_INDEX = NO # index structure (just like the one that is generated for HTML Help). For this # to work a browser that supports JavaScript, DHTML, CSS and frames is required # (i.e. any modern browser). Windows users are probably better off using the -# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can +# HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can # further fine-tune the look of the index. As an example, the default style # sheet generated by doxygen has an example that shows how to put an image at # the root of the tree instead of the PROJECT_NAME. Since the tree basically has @@ -1390,7 +1362,7 @@ ENUM_VALUES_PER_LINE = 4 TREEVIEW_WIDTH = 250 -# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to +# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to # external symbols imported via tag files in a separate window. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. @@ -1419,7 +1391,7 @@ FORMULA_TRANSPARENT = YES # Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see # http://www.mathjax.org) which uses client side Javascript for the rendering -# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX +# instead of using prerendered bitmaps. Use this if you do not have LaTeX # installed or if you want to formulas look prettier in the HTML output. When # enabled you may also need to install MathJax separately and configure the path # to it using the MATHJAX_RELPATH option. 
@@ -1489,11 +1461,11 @@ SEARCHENGINE = NO # When the SERVER_BASED_SEARCH tag is enabled the search engine will be # implemented using a web server instead of a web client using Javascript. There -# are two flavors of web server based searching depending on the EXTERNAL_SEARCH -# setting. When disabled, doxygen will generate a PHP script for searching and -# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing -# and searching needs to be provided by external tools. See the section -# "External Indexing and Searching" for details. +# are two flavours of web server based searching depending on the +# EXTERNAL_SEARCH setting. When disabled, doxygen will generate a PHP script for +# searching and an index file used by the script. When EXTERNAL_SEARCH is +# enabled the indexing and searching needs to be provided by external tools. See +# the section "External Indexing and Searching" for details. # The default value is: NO. # This tag requires that the tag SEARCHENGINE is set to YES. @@ -1505,7 +1477,7 @@ SERVER_BASED_SEARCH = NO # external search engine pointed to by the SEARCHENGINE_URL option to obtain the # search results. # -# Doxygen ships with an example indexer (doxyindexer) and search engine +# Doxygen ships with an example indexer ( doxyindexer) and search engine # (doxysearch.cgi) which are based on the open source search engine library # Xapian (see: http://xapian.org/). # @@ -1518,7 +1490,7 @@ EXTERNAL_SEARCH = NO # The SEARCHENGINE_URL should point to a search engine hosted by a web server # which will return the search results when EXTERNAL_SEARCH is enabled. # -# Doxygen ships with an example indexer (doxyindexer) and search engine +# Doxygen ships with an example indexer ( doxyindexer) and search engine # (doxysearch.cgi) which are based on the open source search engine library # Xapian (see: http://xapian.org/). See the section "External Indexing and # Searching" for details. 
@@ -1556,7 +1528,7 @@ EXTRA_SEARCH_MAPPINGS = # Configuration options related to the LaTeX output #--------------------------------------------------------------------------- -# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output. +# If the GENERATE_LATEX tag is set to YES doxygen will generate LaTeX output. # The default value is: YES. GENERATE_LATEX = @DOXYFILE_GENERATE_LATEX@ @@ -1587,7 +1559,7 @@ LATEX_CMD_NAME = "@LATEX_COMPILER@" MAKEINDEX_CMD_NAME = "@MAKEINDEX_COMPILER@" -# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX +# If the COMPACT_LATEX tag is set to YES doxygen generates more compact LaTeX # documents. This may be useful for small projects and may help to save some # trees in general. # The default value is: NO. 
@@ -1621,36 +1593,23 @@ EXTRA_PACKAGES = # # Note: Only use a user-defined header if you know what you are doing! The # following commands have a special meaning inside the header: $title, -# $datetime, $date, $doxygenversion, $projectname, $projectnumber, -# $projectbrief, $projectlogo. Doxygen will replace $title with the empty -# string, for the replacement values of the other commands the user is referred -# to HTML_HEADER. +# $datetime, $date, $doxygenversion, $projectname, $projectnumber. Doxygen will +# replace them by respectively the title of the page, the current date and time, +# only the current date, the version number of doxygen, the project name (see +# PROJECT_NAME), or the project number (see PROJECT_NUMBER). # This tag requires that the tag GENERATE_LATEX is set to YES. LATEX_HEADER = # The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the # generated LaTeX document. The footer should contain everything after the last -# chapter. If it is left blank doxygen will generate a standard footer. See -# LATEX_HEADER for more information on how to generate a default footer and what -# special commands can be used inside the footer. +# chapter. If it is left blank doxygen will generate a standard footer. # # Note: Only use a user-defined footer if you know what you are doing! # This tag requires that the tag GENERATE_LATEX is set to YES. LATEX_FOOTER = -# The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined -# LaTeX style sheets that are included after the standard style sheets created -# by doxygen. Using this option one can overrule certain style aspects. Doxygen -# will copy the style sheet files to the output directory. -# Note: The order of the extra style sheet files is of importance (e.g. the last -# style sheet in the list overrules the setting of the previous ones in the -# list). -# This tag requires that the tag GENERATE_LATEX is set to YES. 
- -LATEX_EXTRA_STYLESHEET = - # The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or # other source files which should be copied to the LATEX_OUTPUT output # directory. Note that the files will be copied as-is; there are no commands or @@ -1668,8 +1627,8 @@ LATEX_EXTRA_FILES = PDF_HYPERLINKS = YES -# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate -# the PDF file directly from the LaTeX files. Set this option to YES, to get a +# If the LATEX_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate +# the PDF file directly from the LaTeX files. Set this option to YES to get a # higher quality PDF documentation. # The default value is: YES. # This tag requires that the tag GENERATE_LATEX is set to YES. @@ -1714,7 +1673,7 @@ LATEX_BIB_STYLE = plain # Configuration options related to the RTF output #--------------------------------------------------------------------------- -# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The +# If the GENERATE_RTF tag is set to YES doxygen will generate RTF output. The # RTF output is optimized for Word 97 and may not look too pretty with other RTF # readers/editors. # The default value is: NO. @@ -1729,7 +1688,7 @@ GENERATE_RTF = NO RTF_OUTPUT = rtf -# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF +# If the COMPACT_RTF tag is set to YES doxygen generates more compact RTF # documents. This may be useful for small projects and may help to save some # trees in general. # The default value is: NO. 
@@ -1766,21 +1725,11 @@ RTF_STYLESHEET_FILE = RTF_EXTENSIONS_FILE = -# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code -# with syntax highlighting in the RTF output. -# -# Note that which sources are shown also depends on other settings such as -# SOURCE_BROWSER. -# The default value is: NO. -# This tag requires that the tag GENERATE_RTF is set to YES. - -RTF_SOURCE_CODE = NO - #--------------------------------------------------------------------------- # Configuration options related to the man page output #--------------------------------------------------------------------------- -# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for +# If the GENERATE_MAN tag is set to YES doxygen will generate man pages for # classes and files. # The default value is: NO. @@ -1804,13 +1753,6 @@ MAN_OUTPUT = man MAN_EXTENSION = .3 -# The MAN_SUBDIR tag determines the name of the directory created within -# MAN_OUTPUT in which the man pages are placed. If defaults to man followed by -# MAN_EXTENSION with the initial . removed. -# This tag requires that the tag GENERATE_MAN is set to YES. - -MAN_SUBDIR = - # If the MAN_LINKS tag is set to YES and doxygen generates man output, then it # will generate one additional man file for each entity documented in the real # man page(s). These additional files only source the real man page, but without @@ -1824,7 +1766,7 @@ MAN_LINKS = NO # Configuration options related to the XML output #--------------------------------------------------------------------------- -# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that +# If the GENERATE_XML tag is set to YES doxygen will generate an XML file that # captures the structure of the code including all documentation. # The default value is: NO. 
@@ -1838,7 +1780,19 @@ GENERATE_XML = NO XML_OUTPUT = xml -# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program +# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a +# validating XML parser to check the syntax of the XML files. +# This tag requires that the tag GENERATE_XML is set to YES. + +XML_SCHEMA = + +# The XML_DTD tag can be used to specify a XML DTD, which can be used by a +# validating XML parser to check the syntax of the XML files. +# This tag requires that the tag GENERATE_XML is set to YES. + +XML_DTD = + +# If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program # listings (including syntax highlighting and cross-referencing information) to # the XML output. Note that enabling this will significantly increase the size # of the XML output. @@ -1851,7 +1805,7 @@ XML_PROGRAMLISTING = YES # Configuration options related to the DOCBOOK output #--------------------------------------------------------------------------- -# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files +# If the GENERATE_DOCBOOK tag is set to YES doxygen will generate Docbook files # that can be used to generate PDF. # The default value is: NO. 
@@ -1865,23 +1819,14 @@ GENERATE_DOCBOOK = NO DOCBOOK_OUTPUT = docbook -# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the -# program listings (including syntax highlighting and cross-referencing -# information) to the DOCBOOK output. Note that enabling this will significantly -# increase the size of the DOCBOOK output. -# The default value is: NO. -# This tag requires that the tag GENERATE_DOCBOOK is set to YES. - -DOCBOOK_PROGRAMLISTING = NO - #--------------------------------------------------------------------------- # Configuration options for the AutoGen Definitions output #--------------------------------------------------------------------------- -# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an -# AutoGen Definitions (see http://autogen.sf.net) file that captures the -# structure of the code including all documentation. Note that this feature is -# still experimental and incomplete at the moment. +# If the GENERATE_AUTOGEN_DEF tag is set to YES doxygen will generate an AutoGen +# Definitions (see http://autogen.sf.net) file that captures the structure of +# the code including all documentation. Note that this feature is still +# experimental and incomplete at the moment. # The default value is: NO. GENERATE_AUTOGEN_DEF = NO @@ -1890,7 +1835,7 @@ GENERATE_AUTOGEN_DEF = NO # Configuration options related to the Perl module output #--------------------------------------------------------------------------- -# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module +# If the GENERATE_PERLMOD tag is set to YES doxygen will generate a Perl module # file that captures the structure of the code including all documentation. # # Note that this feature is still experimental and incomplete at the moment. 
@@ -1898,7 +1843,7 @@ GENERATE_AUTOGEN_DEF = NO GENERATE_PERLMOD = NO -# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary +# If the PERLMOD_LATEX tag is set to YES doxygen will generate the necessary # Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI # output from the Perl module output. # The default value is: NO. @@ -1906,9 +1851,9 @@ GENERATE_PERLMOD = NO PERLMOD_LATEX = NO -# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely +# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be nicely # formatted so it can be parsed by a human reader. This is useful if you want to -# understand what is going on. On the other hand, if this tag is set to NO, the +# understand what is going on. On the other hand, if this tag is set to NO the # size of the Perl module output will be much smaller and Perl will parse it # just the same. # The default value is: YES. @@ -1928,14 +1873,14 @@ PERLMOD_MAKEVAR_PREFIX = # Configuration options related to the preprocessor #--------------------------------------------------------------------------- -# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all +# If the ENABLE_PREPROCESSING tag is set to YES doxygen will evaluate all # C-preprocessor directives found in the sources and include files. # The default value is: YES. ENABLE_PREPROCESSING = YES -# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names -# in the source code. If set to NO, only conditional compilation will be +# If the MACRO_EXPANSION tag is set to YES doxygen will expand all macro names +# in the source code. If set to NO only conditional compilation will be # performed. Macro expansion can be done in a controlled way by setting # EXPAND_ONLY_PREDEF to YES. # The default value is: NO. 
@@ -1951,7 +1896,7 @@ MACRO_EXPANSION = YES EXPAND_ONLY_PREDEF = YES -# If the SEARCH_INCLUDES tag is set to YES, the include files in the +# If the SEARCH_INCLUDES tag is set to YES the includes files in the # INCLUDE_PATH will be searched if a #include is found. # The default value is: YES. # This tag requires that the tag ENABLE_PREPROCESSING is set to YES. @@ -1993,9 +1938,9 @@ PREDEFINED = DEPRECATED= EXPAND_AS_DEFINED = # If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will -# remove all references to function-like macros that are alone on a line, have -# an all uppercase name, and do not end with a semicolon. Such function macros -# are typically used for boiler-plate code, and will confuse the parser if not +# remove all refrences to function-like macros that are alone on a line, have an +# all uppercase name, and do not end with a semicolon. Such function macros are +# typically used for boiler-plate code, and will confuse the parser if not # removed. # The default value is: YES. # This tag requires that the tag ENABLE_PREPROCESSING is set to YES. @@ -2015,7 +1960,7 @@ SKIP_FUNCTION_MACROS = YES # where loc1 and loc2 can be relative or absolute paths or URLs. See the # section "Linking to external documentation" for more information about the use # of tag files. -# Note: Each tag file must have a unique name (where the name does NOT include +# Note: Each tag file must have an unique name (where the name does NOT include # the path). If a tag file is not located in the directory in which doxygen is # run, you must also specify the path to the tagfile here. 
@@ -2027,21 +1972,20 @@ TAGFILES = GENERATE_TAGFILE = -# If the ALLEXTERNALS tag is set to YES, all external class will be listed in -# the class index. If set to NO, only the inherited external classes will be -# listed. +# If the ALLEXTERNALS tag is set to YES all external class will be listed in the +# class index. If set to NO only the inherited external classes will be listed. # The default value is: NO. ALLEXTERNALS = NO -# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed -# in the modules index. If set to NO, only the current project's groups will be +# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed in +# the modules index. If set to NO, only the current project's groups will be # listed. # The default value is: YES. EXTERNAL_GROUPS = YES -# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in +# If the EXTERNAL_PAGES tag is set to YES all external pages will be listed in # the related pages index. If set to NO, only the current project's pages will # be listed. # The default value is: YES. @@ -2058,7 +2002,7 @@ PERL_PATH = /usr/bin/perl # Configuration options related to the dot tool #--------------------------------------------------------------------------- -# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram +# If the CLASS_DIAGRAMS tag is set to YES doxygen will generate a class diagram # (in HTML and LaTeX) for classes with base or super classes. Setting the tag to # NO turns the diagrams off. Note that this option also works with HAVE_DOT # disabled, but it is recommended to install and use dot, since it yields more 
@@ -2076,14 +2020,7 @@ CLASS_DIAGRAMS = YES MSCGEN_PATH = -# You can include diagrams made with dia in doxygen documentation. Doxygen will -# then run dia to produce the diagram and insert it in the documentation. The -# DIA_PATH tag allows you to specify the directory where the dia binary resides. -# If left empty dia is assumed to be found in the default search path. - -DIA_PATH = - -# If set to YES the inheritance and collaboration graphs will hide inheritance +# If set to YES, the inheritance and collaboration graphs will hide inheritance # and usage relations if the target is undocumented or is not a class. # The default value is: YES. @@ -2108,7 +2045,7 @@ HAVE_DOT = @DOXYFILE_DOT@ DOT_NUM_THREADS = 0 -# When you want a differently looking font in the dot files that doxygen +# When you want a differently looking font n the dot files that doxygen # generates you can specify the font name using DOT_FONTNAME. You need to make # sure dot is able to find the font, which can be done by putting it in a # standard location or by setting the DOTFONTPATH environment variable or by @@ -2156,7 +2093,7 @@ COLLABORATION_GRAPH = YES GROUP_GRAPHS = YES -# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and +# If the UML_LOOK tag is set to YES doxygen will generate inheritance and # collaboration diagrams in a style similar to the OMG's Unified Modeling # Language. # The default value is: NO. 
@@ -2283,25 +2220,6 @@ DOTFILE_DIRS = MSCFILE_DIRS = -# The DIAFILE_DIRS tag can be used to specify one or more directories that -# contain dia files that are included in the documentation (see the \diafile -# command). - -DIAFILE_DIRS = - -# When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the -# path where java can find the plantuml.jar file. If left blank, it is assumed -# PlantUML is not used or called during a preprocessing step. Doxygen will -# generate a warning when it encounters a \startuml command in this case and -# will not generate output for the diagram. - -PLANTUML_JAR_PATH = - -# When using plantuml, the specified paths are searched for files specified by -# the !include statement in a plantuml block. - -PLANTUML_INCLUDE_PATH = - # The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes # that will be shown in the graph. If the number of nodes in a graph becomes # larger than this value, doxygen will truncate the graph, which is visualized @@ -2338,7 +2256,7 @@ MAX_DOT_GRAPH_DEPTH = 0 DOT_TRANSPARENT = YES -# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output +# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output # files in one run (i.e. multiple -o and -T options on the command line). This # makes dot run faster, but since only newer versions of dot (>1.8.10) support # this, this feature is disabled by default. @@ -2355,7 +2273,7 @@ DOT_MULTI_TARGETS = NO GENERATE_LEGEND = YES -# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot +# If the DOT_CLEANUP tag is set to YES doxygen will remove the intermediate dot # files that are used to generate the various graphs. # The default value is: YES. # This tag requires that the tag HAVE_DOT is set to YES. diff --git a/README b/README deleted file mode 100644 index 6e0ec9b..0000000 --- a/README +++ /dev/null 
@@ -1,30 +0,0 @@ -libuecc is a very small generic-purpose Elliptic Curve Cryptography library -compatible with Ed25519. - -Most documentation can be found as Doxygen comments in the ecc.h header -file. You can use `make doxygen` after running CMake to create HTML -documenation from it. - -There are two sets of functions converting between libuecc's internal point -representation and coordinates or compressed representation. The functions -ending with _ed25519 use the same representation as original Ed25519 -implementation and should be used by new software. The functions with the -suffix _legacy are provided for compatiblity with libuecc version before -v6. - -Ed25519 and the legacy representation are isomorphic, they use a Twisted -Edwards Curve - - ax^2 + y^2 = 1 + dx^2y^2 - -over the prime field for p = 2^255 - 19. - -Ed25519 uses the parameters - - a = -1 and - d = -(121665/121666), - -while the legacy curve has - - a = 486664 - d = 486660. diff --git a/UseDoxygen.cmake b/UseDoxygen.cmake index 66978fc..245ba56 100644 --- a/UseDoxygen.cmake +++ b/UseDoxygen.cmake @@ -32,7 +32,7 @@ # "${CMAKE_CURRENT_BINARY_DIR}/foo.c" "${CMAKE_CURRENT_BINARY_DIR}/bar/" # # DOXYFILE_OUTPUT_DIR - Path where the Doxygen output is stored. -# Defaults to "${CMAKE_CURRENT_BINARY_DIR}/doxygen". +# Defaults to "${CMAKE_CURRENT_BINARY_DIR}/doc". # # DOXYFILE_LATEX - ON/OFF; Set to "ON" if you want the LaTeX documentation # to be built. 
@@ -57,32 +57,20 @@ macro(usedoxygen_set_default name value type docstring) endif() endmacro() -if(ANDROID) - find_host_package(Doxygen) -else(ANDROID) - find_package(Doxygen) -endif(ANDROID) +find_package(Doxygen) if(DOXYGEN_FOUND) - if(ANDROID) - # android-cmake doesn't provide a find_host_file and here's the workaround - set(_save_root_path ${CMAKE_FIND_ROOT_PATH}) - set(CMAKE_FIND_ROOT_PATH) - endif(ANDROID) find_file(DOXYFILE_IN "Doxyfile.in" PATHS "${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_ROOT}/Modules/" NO_DEFAULT_PATH DOC "Path to the doxygen configuration template file") - if(ANDROID) - set(CMAKE_FIND_ROOT_PATH $_save_root_path) - endif(ANDROID) set(DOXYFILE "${CMAKE_CURRENT_BINARY_DIR}/Doxyfile") include(FindPackageHandleStandardArgs) find_package_handle_standard_args(DOXYFILE_IN DEFAULT_MSG "DOXYFILE_IN") endif() if(DOXYGEN_FOUND AND DOXYFILE_IN_FOUND) - usedoxygen_set_default(DOXYFILE_OUTPUT_DIR "${CMAKE_CURRENT_BINARY_DIR}/doxygen" + usedoxygen_set_default(DOXYFILE_OUTPUT_DIR "${CMAKE_CURRENT_BINARY_DIR}/doc" PATH "Doxygen output directory") usedoxygen_set_default(DOXYFILE_HTML_DIR "html" STRING "Doxygen HTML output directory") @@ -146,4 +134,11 @@ if(DOXYGEN_FOUND AND DOXYFILE_IN_FOUND) configure_file("${DOXYFILE_IN}" "${DOXYFILE}" @ONLY) + + get_target_property(DOC_TARGET doc TYPE) + if(NOT DOC_TARGET) + add_custom_target(doc) + endif() + + add_dependencies(doc doxygen) endif() diff --git a/include/libuecc/ecc.h b/include/libuecc/ecc.h index 1fb6106..c456ac3 100644 --- a/include/libuecc/ecc.h +++ b/include/libuecc/ecc.h @@ -1,5 +1,5 @@ /* - Copyright (c) 2012-2015, Matthias Schiffer + Copyright (c) 2012, Matthias Schiffer Partly based on public domain code by Matthew Dempsky and D. J. Bernstein. All rights reserved. @@ -27,14 +27,6 @@ #ifndef _LIBUECC_ECC_H_ #define _LIBUECC_ECC_H_ -#ifndef DEPRECATED -#define DEPRECATED __attribute__((deprecated)) -#endif - - -#include - - /** * A 256 bit integer * 
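Review bot: `get_target_property(DOC_TARGET doc TYPE)` is used as an existence probe for the `doc` target, but querying a property of a target that does not exist is an error under CMake policy CMP0045 (CMake 3.0 and later) and only yields a `-NOTFOUND` value, with a policy warning, when the policy is left at its old behaviour. The portable existence test is `if(NOT TARGET doc)` / `add_custom_target(doc)` / `endif()`, which has been available since CMake 2.6 and does not depend on policy state. The following `add_dependencies(doc doxygen)` also assumes a `doxygen` target is defined earlier in this file, which this hunk does not show; if that target is only created conditionally, the dependency line should sit under the same condition. The preceding hunk drops the `find_host_package`/`CMAKE_FIND_ROOT_PATH` handling for Android cross-builds, which is worth calling out in the commit message since it silently changes behaviour for those users.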
@@ -42,7 +34,7 @@ */ typedef union _ecc_int256 { /** Data bytes */ - uint8_t p[32]; + unsigned char p[32]; } ecc_int256_t; /** @@ -52,10 +44,10 @@ typedef union _ecc_int256 { * it should always be packed. */ typedef struct _ecc_25519_work { - uint32_t X[32]; - uint32_t Y[32]; - uint32_t Z[32]; - uint32_t T[32]; + unsigned int X[32]; + unsigned int Y[32]; + unsigned int Z[32]; + unsigned int T[32]; } ecc_25519_work_t; /** 
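Review bot: Replacing `uint32_t` with `unsigned int` in `ecc_25519_work_t` (and `uint8_t` with `unsigned char` in `ecc_int256_t`) makes both the public ABI and the limb arithmetic depend on the platform's `int` width, which C only guarantees to be at least 16 bits. The limbs hold 8-bit values that the multiplication routines in the `src/ec25519.c` hunk further down accumulate across 32 products with a factor of 38 (`u += 38 * a[j] * b[i + 32 - j]`), so a 16-bit `unsigned int` overflows silently, and a struct of `unsigned int[32]` no longer has a fixed size across compilers; the same substitution is applied to every static helper in that file. The `#include` removed in the preceding hunk (its header name is not visible in this rendering, presumably `<stdint.h>`) is what the fixed-width types relied on, so keeping `uint32_t`/`uint8_t` is the straightforward way to preserve a stable layout. If the goal is to build on toolchains without `<stdint.h>`, the requirement should at least be stated on the struct, e.g. `/* limbs carry 8-bit values but the accumulators in mult()/square() need unsigned int to be at least 32 bits wide */`.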
@@ -63,205 +55,16 @@ typedef struct _ecc_25519_work { * @{ */ -/** The identity element */ -extern const ecc_25519_work_t ecc_25519_work_identity; +int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y); +void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in); +int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in); +void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in); -/** - * The Ed25519 default generator point - * - * \deprecated Use the equivalent \ref ecc_25519_work_default_base instead. - * - **/ -DEPRECATED extern const ecc_25519_work_t ecc_25519_work_base_ed25519; - -/** - * The Ed25519 default generator point - * - * \deprecated Use the equivalent \ref ecc_25519_work_default_base instead. - */ -DEPRECATED extern const ecc_25519_work_t ecc_25519_work_base_legacy; - - -/** - * The Ed25519 default generator point - * - * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$. - */ -extern const ecc_25519_work_t ecc_25519_work_default_base; - - -/** Loads a point of the Ed25519 curve with given coordinates into its unpacked representation */ -int ecc_25519_load_xy_ed25519(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y); - -/** - * Loads a point of the legacy curve with given coordinates into its unpacked representation - * - * New software should use \ref ecc_25519_load_xy_ed25519, which uses the same curve as the Ed25519 algorithm. 
- */ -int ecc_25519_load_xy_legacy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y); - -/** - * Loads a point of the legacy curve with given coordinates into its unpacked representation - * - * \deprecated Use \ref ecc_25519_load_xy_legacy - */ -DEPRECATED int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y); - - -/** - * Stores the x and y coordinates of a point of the Ed25519 curve - * - * \param x Returns the x coordinate of the point. May be NULL. - * \param y Returns the y coordinate of the point. May be NULL. - * \param in The unpacked point to store. - */ -void ecc_25519_store_xy_ed25519(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in); - -/** - * Stores the x and y coordinates of a point of the legacy curve - * - * New software should use \ref ecc_25519_store_xy_ed25519, which uses the same curve as the Ed25519 algorithm. - * - * \param x Returns the x coordinate of the point. May be NULL. - * \param y Returns the y coordinate of the point. May be NULL. - * \param in The unpacked point to store. - */ -void ecc_25519_store_xy_legacy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in); - -/** - * Stores a point's x and y coordinates - * - * \param x Returns the x coordinate of the point. May be NULL. - * \param y Returns the y coordinate of the point. May be NULL. - * \param in The unpacked point to store. - * - * \deprecated Use \ref ecc_25519_store_xy_legacy - */ -DEPRECATED void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in); - - -/** - * Loads a packed point of the Ed25519 curve into its unpacked representation - * - * The packed format is different from the legacy one: the legacy format contains that X coordinate and the parity of the Y coordinate, - * Ed25519 uses the Y coordinate and the parity of the X coordinate. 
-*/ -int ecc_25519_load_packed_ed25519(ecc_25519_work_t *out, const ecc_int256_t *in); - -/** - * Loads a packed point of the legacy curve into its unpacked representation - * - * New software should use \ref ecc_25519_load_packed_ed25519, which uses the same curve and packed representation as the Ed25519 algorithm. - * - * The packed format is different from the Ed25519 one: the legacy format contains that X coordinate and the parity of the Y coordinate, - * Ed25519 uses the Y coordinate and the parity of the X coordinate. - */ -int ecc_25519_load_packed_legacy(ecc_25519_work_t *out, const ecc_int256_t *in); - -/** - * Loads a packed point of the legacy curve into its unpacked representation - * - * \deprecated Use \ref ecc_25519_load_packed_legacy - */ -DEPRECATED int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in); - - -/** - * Stores a point of the Ed25519 curve into its packed representation - * - * The packed format is different from the Ed25519 one: the legacy format contains that X coordinate and the parity of the Y coordinate, - * Ed25519 uses the Y coordinate and the parity of the X coordinate. - */ -void ecc_25519_store_packed_ed25519(ecc_int256_t *out, const ecc_25519_work_t *in); - -/** - * Stores a point of the legacy curve into its packed representation - * - * New software should use \ref ecc_25519_store_packed_ed25519, which uses the same curve and packed representation as the Ed25519 algorithm. - * - * The packed format is different from the Ed25519 one: the legacy format contains that X coordinate and the parity of the Y coordinate, - * Ed25519 uses the Y coordinate and the parity of the X coordinate. 
- */ -void ecc_25519_store_packed_legacy(ecc_int256_t *out, const ecc_25519_work_t *in); - -/** - * Stores a point of the legacy curve into its packed representation - * - * \deprecated Use \ref ecc_25519_store_packed_legacy - */ -DEPRECATED void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in); - - -/** Checks if a point is the identity element of the Elliptic Curve group */ int ecc_25519_is_identity(const ecc_25519_work_t *in); - -/** - * Negates a point of the Elliptic Curve - * - * The same pointer may be given for input and output - */ -void ecc_25519_negate(ecc_25519_work_t *out, const ecc_25519_work_t *in); - -/** - * Doubles a point of the Elliptic Curve - * - * ecc_25519_double(out, in) is equivalent to ecc_25519_add(out, in, in), but faster. - * - * The same pointer may be given for input and output. - */ void ecc_25519_double(ecc_25519_work_t *out, const ecc_25519_work_t *in); - -/** - * Adds two points of the Elliptic Curve - * - * The same pointers may be given for input and output. - */ void ecc_25519_add(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2); - -/** - * Subtracts two points of the Elliptic Curve - * - * The same pointers may be given for input and output. - */ -void ecc_25519_sub(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2); - -/** - * Does a scalar multiplication of a point of the Elliptic Curve with an integer of a given bit length - * - * To speed up scalar multiplication when it is known that not the whole 256 bits of the scalar - * are used. The bit length should always be a constant and not computed at runtime to ensure - * that no timing attacks are possible. - * - * The same pointer may be given for input and output. 
- **/ -void ecc_25519_scalarmult_bits(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base, unsigned bits); - -/** - * Does a scalar multiplication of a point of the Elliptic Curve with an integer - * - * The same pointer may be given for input and output. - **/ void ecc_25519_scalarmult(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base); - -/** - * Does a scalar multiplication of the default base point (generator element) of the Elliptic Curve with an integer of a given bit length - * - * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$. - * - * ecc_25519_scalarmult_base_bits(out, n, bits) is faster than ecc_25519_scalarmult_bits(out, n, &ecc_25519_work_default_base, bits). - * - * See the notes about \ref ecc_25519_scalarmult_bits before using this function. - */ -void ecc_25519_scalarmult_base_bits(ecc_25519_work_t *out, const ecc_int256_t *n, unsigned bits); - -/** - * Does a scalar multiplication of the default base point (generator element) of the Elliptic Curve with an integer - * - * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$. - * - * ecc_25519_scalarmult_base(out, n) is faster than ecc_25519_scalarmult(out, n, &ecc_25519_work_default_base). - */ void ecc_25519_scalarmult_base(ecc_25519_work_t *out, const ecc_int256_t *n); /**@}*/ 
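Review bot: Every Doxygen comment on the point API is dropped in this hunk, leaving `ecc_25519_load_xy`, `ecc_25519_load_packed`, `ecc_25519_store_xy` and the group operations with no statement of their return value, of the packed format, or of whether input and output pointers may alias; the field-arithmetic prototypes in the next hunk (`@@ -271,61 +74,14 @@`) lose their contracts in the same way, including the note that `ecc_25519_gf_sanitize_secret` clamps a scalar for use as a key. For a cryptographic library these contracts matter to callers: the `int` returned by the load functions is presumably a validity flag for coordinates that are not on the curve, and a caller that ignores it continues with garbage point data, so at minimum keep a one-line comment per prototype, e.g. `/** Loads a point from (x, y); returns non-zero on success, zero if the coordinates are not on the curve */` above `ecc_25519_load_xy` (the exact return convention should be confirmed against src/ec25519.c, which this chunk does not show). The hunk also removes `ecc_25519_work_identity`, `ecc_25519_work_default_base`, `ecc_25519_negate`, `ecc_25519_sub` and the `_bits` scalar-multiplication variants without any deprecation path, which is an API break the header should announce in a comment near the top of the group.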
@@ -271,61 +74,14 @@ void ecc_25519_scalarmult_base(ecc_25519_work_t *out, const ecc_int256_t *n); * @{ */ -/** - * The order of the prime field - * - * The order is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$. - */ extern const ecc_int256_t ecc_25519_gf_order; - -/** Checks if an integer is equal to zero (after reduction) */ int ecc_25519_gf_is_zero(const ecc_int256_t *in); - -/** - * Adds two integers as Galois field elements - * - * The same pointers may be given for input and output. - */ void ecc_25519_gf_add(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2); - -/** - * Subtracts two integers as Galois field elements - * - * The same pointers may be given for input and output. - */ void ecc_25519_gf_sub(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2); - -/** - * Reduces an integer to a unique representation in the range \f$ [0,q-1] \f$ - * - * The same pointer may be given for input and output. - */ void ecc_25519_gf_reduce(ecc_int256_t *out, const ecc_int256_t *in); - -/** - * Multiplies two integers as Galois field elements - * - * The same pointers may be given for input and output. - */ void ecc_25519_gf_mult(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2); - -/** - * Computes the reciprocal of a Galois field element - * - * The same pointers may be given for input and output. - */ void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in); - -/** - * Ensures some properties of a Galois field element to make it fit for use as a secret key - * - * This sets the 255th bit and clears the 256th and the bottom three bits (so the key - * will be a multiple of 8). See Daniel J. Bernsteins paper "Curve25519: new Diffie-Hellman speed records." - * for the rationale of this. - * - * The same pointer may be given for input and output. - */ void ecc_25519_gf_sanitize_secret(ecc_int256_t *out, const ecc_int256_t *in); /**@}*/ 
diff --git a/src/ec25519.c b/src/ec25519.c index 0ed3741..d21bb8a 100644 --- a/src/ec25519.c +++ b/src/ec25519.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2012-2015, Matthias Schiffer + Copyright (c) 2012, Matthias Schiffer Partly based on public domain code by Matthew Dempsky and D. J. Bernstein. All rights reserved. 
@@ -25,324 +25,134 @@ */ /** \file - * EC group operations for Twisted Edwards Curve \f$ ax^2 + y^2 = 1 + dx^2y^2 \f$ - * on prime field \f$ p = 2^{255} - 19 \f$. - * - * Two different (isomorphic) sets of curve parameters are supported: - * + * EC group operations for Twisted Edwards Curve \f$ ax^2 + y^2 = 1 + dx^2y^2 \f$ with * \f$ a = 486664 \f$ and * \f$ d = 486660 \f$ - * are the parameters used by the original libuecc implementation (till v5). - * To use points on this curve, use the functions with the suffix \em legacy. + * on prime field \f$ p = 2^{255} - 19 \f$. * - * The other supported curve uses the parameters - * \f$ a = -1 \f$ and - * \f$ d = -(121665/121666) \f$, - * which is the curve used by the Ed25519 algorithm. The functions for this curve - * have the suffix \em ed25519. - * - * Internally, libuecc always uses the latter representation for its \em work structure. - * - * The curves are equivalent to the Montgomery Curve used in D. J. Bernstein's + * The curve is equivalent to the Montgomery Curve used in D. J. Bernstein's * Curve25519 Diffie-Hellman algorithm. * * See http://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html for add and * double operations. - * - * Doxygen comments for public APIs can be found in the public header file. - * - * Invariant that must be held by all public API: the components of an - * \ref ecc_25519_work_t are always in the range \f$ [0, 2p) \f$. - * Integers in this range will be called \em squeezed in the following. 
*/ #include -const ecc_25519_work_t ecc_25519_work_identity = {{0}, {1}, {1}, {0}}; - -const ecc_25519_work_t ecc_25519_work_base_legacy = { - {0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, - 0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69, - 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, - 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21}, - {0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66}, - {1}, - {0xa3, 0xdd, 0xb7, 0xa5, 0xb3, 0x8a, 0xde, 0x6d, - 0xf5, 0x52, 0x51, 0x77, 0x80, 0x9f, 0xf0, 0x20, - 0x7d, 0xe3, 0xab, 0x64, 0x8e, 0x4e, 0xea, 0x66, - 0x65, 0x76, 0x8b, 0xd7, 0x0f, 0x5f, 0x87, 0x67}, -}; - -const ecc_25519_work_t ecc_25519_work_default_base = { - {0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, - 0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69, - 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, - 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21}, - {0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66}, - {1}, - {0xa3, 0xdd, 0xb7, 0xa5, 0xb3, 0x8a, 0xde, 0x6d, - 0xf5, 0x52, 0x51, 0x77, 0x80, 0x9f, 0xf0, 0x20, - 0x7d, 0xe3, 0xab, 0x64, 0x8e, 0x4e, 0xea, 0x66, - 0x65, 0x76, 0x8b, 0xd7, 0x0f, 0x5f, 0x87, 0x67}, -}; - - -const ecc_25519_work_t ecc_25519_work_base_ed25519 = { - {0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, - 0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69, - 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, - 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21}, - {0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66}, - {1}, - {0xa3, 0xdd, 0xb7, 0xa5, 0xb3, 0x8a, 0xde, 0x6d, - 0xf5, 0x52, 0x51, 0x77, 0x80, 0x9f, 0xf0, 
0x20, - 0x7d, 0xe3, 0xab, 0x64, 0x8e, 0x4e, 0xea, 0x66, - 0x65, 0x76, 0x8b, 0xd7, 0x0f, 0x5f, 0x87, 0x67}, -}; - - -static const uint32_t zero[32] = {0}; -static const uint32_t one[32] = {1}; - -static const uint32_t minus1[32] = { - 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, -}; - -/** Ed25519 parameter -(121665/121666) */ -static const uint32_t d[32] = { - 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75, - 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00, - 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c, - 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52, -}; - - -/** Factor to multiply the X coordinate with to convert from the legacy to the Ed25519 curve */ -static const uint32_t legacy_to_ed25519[32] = { - 0xe7, 0x81, 0xba, 0x00, 0x55, 0xfb, 0x91, 0x33, - 0x7d, 0xe5, 0x82, 0xb4, 0x2e, 0x2c, 0x5e, 0x3a, - 0x81, 0xb0, 0x03, 0xfc, 0x23, 0xf7, 0x84, 0x2d, - 0x44, 0xf9, 0x5f, 0x9f, 0x0b, 0x12, 0xd9, 0x70, -}; - -/** Factor to multiply the X coordinate with to convert from the Ed25519 to the legacy curve */ -static const uint32_t ed25519_to_legacy[32] = { - 0xe9, 0x68, 0x42, 0xdb, 0xaf, 0x04, 0xb4, 0x40, - 0xa1, 0xd5, 0x43, 0xf2, 0xf9, 0x38, 0x31, 0x28, - 0x01, 0x17, 0x05, 0x67, 0x9b, 0x81, 0x61, 0xf8, - 0xa9, 0x5b, 0x3e, 0x6a, 0x20, 0x67, 0x4b, 0x24, -}; +static const unsigned int zero[32] = {0}; +static const unsigned int one[32] = {1}; /** Adds two unpacked integers (modulo p) */ -static void add(uint32_t out[32], const uint32_t a[32], const uint32_t b[32]) { +static void add(unsigned int out[32], const unsigned int a[32], const unsigned int b[32]) { unsigned int j; - uint32_t u; - + unsigned int u; u = 0; - - for (j = 0; j < 31; j++) { - u += a[j] + b[j]; - out[j] = u & 255; - u >>= 8; - } - - u += a[31] + b[31]; - out[31] = u; + for (j = 0;j < 31;++j) { u += a[j] + b[j]; out[j] = u & 255; u >>= 8; } + u += a[31] + 
b[31]; out[31] = u; } -/** - * Subtracts two unpacked integers (modulo p) - * - * b must be \em squeezed. - */ -static void sub(uint32_t out[32], const uint32_t a[32], const uint32_t b[32]) { +/** Subtracts two unpacked integers (modulo p) */ +static void sub(unsigned int out[32], const unsigned int a[32], const unsigned int b[32]) { unsigned int j; - uint32_t u; - + unsigned int u; u = 218; - for (j = 0;j < 31;++j) { - u += a[j] + UINT32_C(65280) - b[j]; + u += a[j] + 65280 - b[j]; out[j] = u & 255; u >>= 8; } - u += a[31] - b[31]; out[31] = u; } -/** - * Performs carry and reduce on an unpacked integer - * - * The result is not always fully reduced, but it will be significantly smaller than \f$ 2p \f$. - */ -static void squeeze(uint32_t a[32]) { +/** Performs carry and reduce on an unpacked integer */ +static void squeeze(unsigned int a[32]) { unsigned int j; - uint32_t u; - + unsigned int u; u = 0; - - for (j = 0;j < 31;++j) { - u += a[j]; - a[j] = u & 255; - u >>= 8; - } - - u += a[31]; - a[31] = u & 127; + for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; } + u += a[31]; a[31] = u & 127; u = 19 * (u >> 7); - - for (j = 0;j < 31;++j) { - u += a[j]; - a[j] = u & 255; - u >>= 8; - } - - u += a[31]; - a[31] = u; + for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; } + u += a[31]; a[31] = u; } - -static const uint32_t minusp[32] = { - 19, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 128 -}; - /** * Ensures that the output of a previous \ref squeeze is fully reduced * - * After a \ref freeze, only the lower byte of each integer part holds a meaningful value. 
+ * After a \ref freeze, only the lower byte of each integer part holds a meaningful value */ -static void freeze(uint32_t a[32]) { - uint32_t aorig[32]; - unsigned int j; - uint32_t negative; +static void freeze(unsigned int a[32]) { + static const unsigned int minusp[32] = { + 19, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 128 + }; - for (j = 0; j < 32; j++) - aorig[j] = a[j]; + unsigned int aorig[32]; + unsigned int j; + unsigned int negative; + + for (j = 0; j < 32; j++) aorig[j] = a[j]; add(a, a, minusp); negative = -((a[31] >> 7) & 1); - - for (j = 0; j < 32; j++) - a[j] ^= negative & (aorig[j] ^ a[j]); + for (j = 0; j < 32; j++) a[j] ^= negative & (aorig[j] ^ a[j]); } -/** - * Returns the parity (lowest bit of the fully reduced value) of a - * - * The input must be \em squeezed. - */ -static int parity(const uint32_t a[32]) { - uint32_t b[32]; - - add(b, a, minusp); - return (a[0] ^ (b[31] >> 7) ^ 1) & 1; -} - -/** - * Multiplies two unpacked integers (modulo p) - * - * The result will be \em squeezed. - */ -static void mult(uint32_t out[32], const uint32_t a[32], const uint32_t b[32]) { - unsigned int i, j; - uint32_t u; +/** Multiplies two unpacked integers (modulo p) */ +static void mult(unsigned int out[32], const unsigned int a[32], const unsigned int b[32]) { + unsigned int i; + unsigned int j; + unsigned int u; for (i = 0; i < 32; ++i) { u = 0; - - for (j = 0; j <= i; j++) - u += a[j] * b[i - j]; - - for (j = i + 1; j < 32; j++) - u += 38 * a[j] * b[i + 32 - j]; - + for (j = 0;j <= i;++j) u += a[j] * b[i - j]; + for (j = i + 1;j < 32;++j) u += 38 * a[j] * b[i + 32 - j]; out[i] = u; } - squeeze(out); } -/** - * Multiplies an unpacked integer with a small integer (modulo p) - * - * The result will be \em squeezed. 
- */ -static void mult_int(uint32_t out[32], uint32_t n, const uint32_t a[32]) { +/** Multiplies an unpacked integer with a small integer (modulo p) */ +static void mult_int(unsigned int out[32], unsigned int n, const unsigned int a[32]) { unsigned int j; - uint32_t u; + unsigned int u; u = 0; - - for (j = 0; j < 31; j++) { - u += n * a[j]; - out[j] = u & 255; - u >>= 8; - } - + for (j = 0;j < 31;++j) { u += n * a[j]; out[j] = u & 255; u >>= 8; } u += n * a[31]; out[31] = u & 127; u = 19 * (u >> 7); - - for (j = 0; j < 31; j++) { - u += out[j]; - out[j] = u & 255; - u >>= 8; - } - - u += out[j]; - out[j] = u; + for (j = 0;j < 31;++j) { u += out[j]; out[j] = u & 255; u >>= 8; } + u += out[j]; out[j] = u; } -/** - * Squares an unpacked integer - * - * The result will be sqeezed. - */ -static void square(uint32_t out[32], const uint32_t a[32]) { - unsigned int i, j; - uint32_t u; +/** Squares an unpacked integer */ +static void square(unsigned int out[32], const unsigned int a[32]) { + unsigned int i; + unsigned int j; + unsigned int u; - for (i = 0; i < 32; i++) { + for (i = 0; i < 32; ++i) { u = 0; - - for (j = 0; j < i - j; j++) - u += a[j] * a[i - j]; - - for (j = i + 1; j < i + 32 - j; j++) - u += 38 * a[j] * a[i + 32 - j]; - + for (j = 0;j < i - j;++j) u += a[j] * a[i - j]; + for (j = i + 1;j < i + 32 - j;++j) u += 38 * a[j] * a[i + 32 - j]; u *= 2; - if ((i & 1) == 0) { u += a[i / 2] * a[i / 2]; u += 38 * a[i / 2 + 16] * a[i / 2 + 16]; } - out[i] = u; } - squeeze(out); } /** Checks for the equality of two unpacked integers */ -static int check_equal(const uint32_t x[32], const uint32_t y[32]) { - uint32_t differentbits = 0; +static int check_equal(const unsigned int x[32], const unsigned int y[32]) { + unsigned int differentbits = 0; int i; for (i = 0; i < 32; i++) { 
@@ -354,12 +164,12 @@ static int check_equal(const uint32_t x[32], const uint32_t y[32]) { } /** - * Checks if an unpacked integer equals zero (modulo p) + * Checks if an unpacked integer equals zero * - * The integer must be squeezed before. + * The intergers must be must be \ref squeeze "squeezed" before. */ -static int check_zero(const uint32_t x[32]) { - static const uint32_t p[32] = { +static int check_zero(const unsigned int x[32]) { + static const unsigned int p[32] = { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, @@ -370,10 +180,10 @@ static int check_zero(const uint32_t x[32]) { } /** Copies r to out when b == 0, s when b == 1 */ -static void selectw(ecc_25519_work_t *out, const ecc_25519_work_t *r, const ecc_25519_work_t *s, uint32_t b) { +static void selectw(ecc_25519_work_t *out, const ecc_25519_work_t *r, const ecc_25519_work_t *s, unsigned int b) { unsigned int j; - uint32_t t; - uint32_t bminus1; + unsigned int t; + unsigned int bminus1; bminus1 = b - 1; for (j = 0; j < 32; ++j) { @@ -392,10 +202,10 @@ static void selectw(ecc_25519_work_t *out, const ecc_25519_work_t *r, const ecc_ } /** Copies r to out when b == 0, s when b == 1 */ -static void select(uint32_t out[32], const uint32_t r[32], const uint32_t s[32], uint32_t b) { +static void select(unsigned int out[32], const unsigned int r[32], const unsigned int s[32], unsigned int b) { unsigned int j; - uint32_t t; - uint32_t bminus1; + unsigned int t; + unsigned int bminus1; bminus1 = b - 1; for (j = 0;j < 32;++j) { 
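Review bot: The rewritten comment on check_zero has a typo and a doubled phrase (`The intergers must be must be`) and drops the "(modulo p)" qualifier even though the function still compares its input against the local `p[32]` table on the new side. Suggested wording: `Checks if an unpacked integer equals zero (modulo p)` followed by `The integer must be \ref squeeze "squeezed" before.`. The body of check_zero continues past the end of this hunk.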
@@ -409,8 +219,15 @@ static void select(uint32_t out[32], const uint32_t r[32], const uint32_t s[32], * * If the given integer has no square root, 0 is returned, 1 otherwise. */ -static int square_root(uint32_t out[32], const uint32_t z[32]) { - static const uint32_t rho_s[32] = { +static int square_root(unsigned int out[32], const unsigned int z[32]) { + static const unsigned int minus1[32] = { + 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f + }; + + static const unsigned int rho_s[32] = { 0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4, 0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f, 0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b, @@ -419,18 +236,18 @@ static int square_root(uint32_t out[32], const uint32_t z[32]) { /* raise z to power (2^252-2), check if power (2^253-5) equals -1 */ - uint32_t z2[32]; - uint32_t z9[32]; - uint32_t z11[32]; - uint32_t z2_5_0[32]; - uint32_t z2_10_0[32]; - uint32_t z2_20_0[32]; - uint32_t z2_50_0[32]; - uint32_t z2_100_0[32]; - uint32_t t0[32]; - uint32_t t1[32]; - uint32_t z2_252_1[32]; - uint32_t z2_252_1_rho_s[32]; + unsigned int z2[32]; + unsigned int z9[32]; + unsigned int z11[32]; + unsigned int z2_5_0[32]; + unsigned int z2_10_0[32]; + unsigned int z2_20_0[32]; + unsigned int z2_50_0[32]; + unsigned int z2_100_0[32]; + unsigned int t0[32]; + unsigned int t1[32]; + unsigned int z2_252_1[32]; + unsigned int z2_252_1_rho_s[32]; int i; /* 2 */ square(z2, z); 
@@ -496,17 +313,17 @@ static int square_root(uint32_t out[32], const uint32_t z[32]) { } /** Computes the reciprocal of an unpacked integer (in the prime field modulo p) */ -static void recip(uint32_t out[32], const uint32_t z[32]) { - uint32_t z2[32]; - uint32_t z9[32]; - uint32_t z11[32]; - uint32_t z2_5_0[32]; - uint32_t z2_10_0[32]; - uint32_t z2_20_0[32]; - uint32_t z2_50_0[32]; - uint32_t z2_100_0[32]; - uint32_t t0[32]; - uint32_t t1[32]; +static void recip(unsigned int out[32], const unsigned int z[32]) { + unsigned int z2[32]; + unsigned int z9[32]; + unsigned int z11[32]; + unsigned int z2_5_0[32]; + unsigned int z2_10_0[32]; + unsigned int z2_20_0[32]; + unsigned int z2_50_0[32]; + unsigned int z2_100_0[32]; + unsigned int t0[32]; + unsigned int t1[32]; int i; /* 2 */ square(z2, z); @@ -562,37 +379,10 @@ static void recip(uint32_t out[32], const uint32_t z[32]) { /* 2^255 - 21 */ mult(out, t1, z11); } -/** - * Checks if the X and Y coordinates of a work structure represent a valid point of the curve - * - * Also fills in the T coordinate. - */ -static int check_load_xy(ecc_25519_work_t *val) { - uint32_t X2[32], Y2[32], dX2[32], dX2Y2[32], Y2_X2[32], Y2_X2_1[32], r[32]; - - /* Check validity */ - square(X2, val->X); - square(Y2, val->Y); - - mult(dX2, d, X2); - mult(dX2Y2, dX2, Y2); - - sub(Y2_X2, Y2, X2); - sub(Y2_X2_1, Y2_X2, one); - - sub(r, Y2_X2_1, dX2Y2); - squeeze(r); - - if (!check_zero(r)) - return 0; - - mult(val->T, val->X, val->Y); - - return 1; -} - -int ecc_25519_load_xy_ed25519(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) { +/** Loads a point with given coordinates into its unpacked representation */ +int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) { int i; + unsigned int X2[32], Y2[32], aX2[32], dX2[32], dX2Y2[32], aX2_Y2[32], _1_dX2Y2[32], r[32]; for (i = 0; i < 32; i++) { out->X[i] = x->p[i]; 
@@ -600,31 +390,34 @@ int ecc_25519_load_xy_ed25519(ecc_25519_work_t *out, const ecc_int256_t *x, cons out->Z[i] = (i == 0); } - return check_load_xy(out); + /* Check validity */ + square(X2, out->X); + square(Y2, out->Y); + mult_int(aX2, 486664, X2); + mult_int(dX2, 486660, X2); + mult(dX2Y2, dX2, Y2); + add(aX2_Y2, aX2, Y2); + add(_1_dX2Y2, one, dX2Y2); + sub(r, aX2_Y2, _1_dX2Y2); + squeeze(r); + + if (!check_zero(r)) + return 0; + + mult(out->T, out->X, out->Y); + + return 1; } -int ecc_25519_load_xy_legacy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) { - int i; - uint32_t tmp[32]; - - for (i = 0; i < 32; i++) { - tmp[i] = x->p[i]; - out->Y[i] = y->p[i]; - out->Z[i] = (i == 0); - } - - mult(out->X, tmp, legacy_to_ed25519); - - return check_load_xy(out); -} - -int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) { - return ecc_25519_load_xy_legacy(out, x, y); -} - - -void ecc_25519_store_xy_ed25519(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) { - uint32_t X[32], Y[32], Z[32]; +/** + * Stores a point's x and y coordinates + * + * \param x Returns the x coordinate of the point. May be NULL. + * \param y Returns the y coordinate of the point. May be NULL. + * \param in The unpacked point to store. + */ +void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) { + unsigned int X[32], Y[32], Z[32]; int i; recip(Z, in->Z); 
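Review bot: `mult_int(aX2, 486664, X2)` and `mult_int(dX2, 486660, X2)` now pass their constants through a parameter declared `unsigned int n`, and mult_int's accumulator `u += n * a[j]` reaches roughly 1.24e8 for a limb of 255, so after this commit's `uint32_t` → `unsigned int` change the field arithmetic is only correct when `unsigned int` is at least 32 bits wide. The same holds for `mult_int(t0, 486660, in2->T)` and `mult_int(D, 486664, A)` in `@@ -770`, and for the accumulators of mult and square, whose hunk begins before this excerpt. If 16-bit targets are out of scope, make the assumption explicit next to the includes, `#if UINT_MAX < 0xFFFFFFFFu` / `#error "ec25519.c requires a 32-bit unsigned int"` / `#endif` (needs `<limits.h>`); otherwise keep `uint32_t` for the limb type and for mult_int's `n`. ecc_25519_load_xy's signature and copy loop are in the preceding hunk, and ecc_25519_store_xy continues past the end of this one.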
@@ -644,80 +437,22 @@ void ecc_25519_store_xy_ed25519(ecc_int256_t *x, ecc_int256_t *y, const ecc_2551 } } -void ecc_25519_store_xy_legacy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) { - uint32_t X[32], tmp[32], Y[32], Z[32]; +/** Loads a packed point into its unpacked representation */ +int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in) { int i; - - recip(Z, in->Z); - - if (x) { - mult(tmp, Z, in->X); - mult(X, tmp, ed25519_to_legacy); - freeze(X); - for (i = 0; i < 32; i++) - x->p[i] = X[i]; - } - - if (y) { - mult(Y, Z, in->Y); - freeze(Y); - for (i = 0; i < 32; i++) - y->p[i] = Y[i]; - } -} - -void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) { - ecc_25519_store_xy_legacy(x, y, in); -} - - -int ecc_25519_load_packed_ed25519(ecc_25519_work_t *out, const ecc_int256_t *in) { - int i; - uint32_t Y2[32] /* Y^2 */, dY2[32] /* dY^2 */, Y2_1[32] /* Y^2-1 */, dY2_1[32] /* dY^2+1 */, _1_dY2_1[32] /* 1/(dY^2+1) */; - uint32_t X2[32] /* X^2 */, X[32], Xt[32]; + unsigned int X2[32] /* X^2 */, aX2[32] /* aX^2 */, dX2[32] /* dX^2 */, _1_aX2[32] /* 1-aX^2 */, _1_dX2[32] /* 1-aX^2 */; + unsigned int _1_1_dX2[32] /* 1/(1-aX^2) */, Y2[32] /* Y^2 */, Y[32], Yt[32]; for (i = 0; i < 32; i++) { - out->Y[i] = in->p[i]; + out->X[i] = in->p[i]; out->Z[i] = (i == 0); } - out->Y[31] &= 0x7f; + out->X[31] &= 0x7f; - square(Y2, out->Y); - mult(dY2, d, Y2); - sub(Y2_1, Y2, one); - add(dY2_1, dY2, one); - recip(_1_dY2_1, dY2_1); - mult(X2, Y2_1, _1_dY2_1); - - if (!square_root(X, X2)) - return 0; - - /* No squeeze is necessary after subtractions from zero if the subtrahend is squeezed */ - sub(Xt, zero, X); - - select(out->X, X, Xt, (in->p[31] >> 7) ^ parity(X)); - - mult(out->T, out->X, out->Y); - - return 1; -} - -int ecc_25519_load_packed_legacy(ecc_25519_work_t *out, const ecc_int256_t *in) { - int i; - uint32_t X2[32] /* X^2 */, aX2[32] /* aX^2 */, dX2[32] /* dX^2 */, _1_aX2[32] /* 1-aX^2 */, _1_dX2[32] /* 1-aX^2 
*/; - uint32_t _1_1_dX2[32] /* 1/(1-aX^2) */, Y2[32] /* Y^2 */, Y[32], Yt[32], X_legacy[32]; - - for (i = 0; i < 32; i++) { - X_legacy[i] = in->p[i]; - out->Z[i] = (i == 0); - } - - X_legacy[31] &= 0x7f; - - square(X2, X_legacy); - mult_int(aX2, UINT32_C(486664), X2); - mult_int(dX2, UINT32_C(486660), X2); + square(X2, out->X); + mult_int(aX2, 486664, X2); + mult_int(dX2, 486660, X2); sub(_1_aX2, one, aX2); sub(_1_dX2, one, dX2); recip(_1_1_dX2, _1_dX2); @@ -726,43 +461,29 @@ int ecc_25519_load_packed_legacy(ecc_25519_work_t *out, const ecc_int256_t *in) if (!square_root(Y, Y2)) return 0; - /* No squeeze is necessary after subtractions from zero if the subtrahend is squeezed */ sub(Yt, zero, Y); - select(out->Y, Y, Yt, (in->p[31] >> 7) ^ parity(Y)); + select(out->Y, Y, Yt, (in->p[31] >> 7) ^ (Y[0] & 1)); - mult(out->X, X_legacy, legacy_to_ed25519); mult(out->T, out->X, out->Y); return 1; } -int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in) { - return ecc_25519_load_packed_legacy(out, in); -} - - -void ecc_25519_store_packed_ed25519(ecc_int256_t *out, const ecc_25519_work_t *in) { - ecc_int256_t x; - - ecc_25519_store_xy_ed25519(&x, out, in); - out->p[31] |= (x.p[0] << 7); -} - -void ecc_25519_store_packed_legacy(ecc_int256_t *out, const ecc_25519_work_t *in) { +/** Stores a point into its packed representation */ +void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in) { ecc_int256_t y; - ecc_25519_store_xy_legacy(out, &y, in); + ecc_25519_store_xy(out, &y, in); out->p[31] |= (y.p[0] << 7); } -void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in) { - ecc_25519_store_packed_legacy(out, in); -} - +/** The identity element */ +static const ecc_25519_work_t id = {{0}, {1}, {1}, {0}}; +/** Checks if a point is the identity element of the Elliptic Curve group */ int ecc_25519_is_identity(const ecc_25519_work_t *in) { - uint32_t Y_Z[32]; + unsigned int Y_Z[32]; sub(Y_Z, in->Y, in->Z); squeeze(Y_Z); 
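Review bot: Two of the inline comments on the temporaries declared in ecc_25519_load_packed describe the wrong quantity: `_1_dX2[32] /* 1-aX^2 */` and `_1_1_dX2[32] /* 1/(1-aX^2) */`, while the code computes `sub(_1_dX2, one, dX2)` and `recip(_1_1_dX2, _1_dX2)`. They should read `/* 1-dX^2 */` and `/* 1/(1-dX^2) */`. Declaring one temporary per line would make these comments easier to keep in sync with the arithmetic. The function body continues in the next hunk.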
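Review bot: `select(out->Y, Y, Yt, (in->p[31] >> 7) ^ (Y[0] & 1))` takes the parity of Y straight from its lowest limb, whereas the removed `parity()` helper first compared against p (`add(b, a, minusp); return (a[0] ^ (b[31] >> 7) ^ 1) & 1;`). If square_root can return a representative in [p, 2^255) — its body is not visible here — the low bit of `Y[0]` is the parity of Y + p rather than of the reduced value (p is odd), the wrong root is selected, and a packed point round-trips to its negation. Unless square_root's output is guaranteed fully reduced, take the bit from a frozen copy: declare `unsigned int Yf[32];`, then `for (i = 0; i < 32; i++) Yf[i] = Y[i]; freeze(Yf);` before the select and use `(in->p[31] >> 7) ^ (Yf[0] & 1)` as its last argument. ecc_25519_load_packed's signature and the X setup are in the preceding hunk.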
@@ -770,126 +491,73 @@ int ecc_25519_is_identity(const ecc_25519_work_t *in) { return (check_zero(in->X)&check_zero(Y_Z)); } -void ecc_25519_negate(ecc_25519_work_t *out, const ecc_25519_work_t *in) { - int i; - - for (i = 0; i < 32; i++) { - out->Y[i] = in->Y[i]; - out->Z[i] = in->Z[i]; - } - - /* No squeeze is necessary after subtractions from zero if the subtrahend is squeezed */ - sub(out->X, zero, in->X); - sub(out->T, zero, in->T); -} - +/** + * Doubles a point of the Elliptic Curve + * + * ecc_25519_double(out, in) is equivalent to ecc_25519_add(out, in, in), but faster. + * + * The same pointers may be used for input and output. + */ void ecc_25519_double(ecc_25519_work_t *out, const ecc_25519_work_t *in) { - uint32_t A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32]; + unsigned int A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32], t2[32], t3[32]; square(A, in->X); - square(B, in->Y); - square(t0, in->Z); mult_int(C, 2, t0); - - sub(D, zero, A); - - add(t0, in->X, in->Y); - square(t1, t0); - sub(t0, t1, A); - sub(E, t0, B); - - add(G, D, B); + mult_int(D, 486664, A); + add(t1, in->X, in->Y); + square(t2, t1); + sub(t3, t2, A); squeeze(t3); + sub(E, t3, B); + add(G, D, B); squeeze(G); sub(F, G, C); sub(H, D, B); - mult(out->X, E, F); mult(out->Y, G, H); mult(out->T, E, H); mult(out->Z, F, G); } +/** + * Adds two points of the Elliptic Curve + * + * The same pointers may be used for input and output. 
+ */ void ecc_25519_add(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2) { - const uint32_t j = UINT32_C(60833); - const uint32_t k = UINT32_C(121665); - uint32_t A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32]; + unsigned int A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32], t2[32], t3[32], t4[32], t5[32]; - sub(t0, in1->Y, in1->X); - mult_int(t1, j, t0); - sub(t0, in2->Y, in2->X); - mult(A, t0, t1); - - add(t0, in1->Y, in1->X); - mult_int(t1, j, t0); - add(t0, in2->Y, in2->X); - mult(B, t0, t1); - - mult_int(t0, k, in2->T); + mult(A, in1->X, in2->X); + mult(B, in1->Y, in2->Y); + mult_int(t0, 486660, in2->T); mult(C, in1->T, t0); - - mult_int(t0, 2*j, in2->Z); - mult(D, in1->Z, t0); - - sub(E, B, A); - add(F, D, C); - sub(G, D, C); - add(H, B, A); - + mult(D, in1->Z, in2->Z); + add(t1, in1->X, in1->Y); + add(t2, in2->X, in2->Y); + mult(t3, t1, t2); + sub(t4, t3, A); squeeze(t4); + sub(E, t4, B); + sub(F, D, C); + add(G, D, C); + mult_int(t5, 486664, A); + sub(H, B, t5); mult(out->X, E, F); mult(out->Y, G, H); mult(out->T, E, H); mult(out->Z, F, G); } -/** Adds two points of the Elliptic Curve, assuming that in2->Z == 1 */ -static void ecc_25519_add1(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2) { - const uint32_t j = UINT32_C(60833); - const uint32_t k = UINT32_C(121665); - uint32_t A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32]; - - sub(t0, in1->Y, in1->X); - mult_int(t1, j, t0); - sub(t0, in2->Y, in2->X); - mult(A, t0, t1); - - add(t0, in1->Y, in1->X); - mult_int(t1, j, t0); - add(t0, in2->Y, in2->X); - mult(B, t0, t1); - - mult_int(t0, k, in2->T); - mult(C, in1->T, t0); - - mult_int(D, 2*j, in1->Z); - - sub(E, B, A); - add(F, D, C); - sub(G, D, C); - add(H, B, A); - - mult(out->X, E, F); - mult(out->Y, G, H); - mult(out->T, E, H); - mult(out->Z, F, G); -} - -void ecc_25519_sub(ecc_25519_work_t *out, const ecc_25519_work_t *in1, 
const ecc_25519_work_t *in2) { - ecc_25519_work_t in2_neg; - - ecc_25519_negate(&in2_neg, in2); - ecc_25519_add(out, in1, &in2_neg); -} - -void ecc_25519_scalarmult_bits(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base, unsigned bits) { +/** + * Does a scalar multiplication of a point of the Elliptic Curve with an integer + * + * The same pointers may be used for input and output. + **/ +void ecc_25519_scalarmult(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base) { ecc_25519_work_t Q2, Q2p; - ecc_25519_work_t cur = ecc_25519_work_identity; + ecc_25519_work_t cur = id; int b, pos; - if (bits > 256) - bits = 256; - - for (pos = bits - 1; pos >= 0; --pos) { + for (pos = 255; pos >= 0; --pos) { b = n->p[pos / 8] >> (pos & 7); b &= 1; 
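Review bot: The doc comment added above ecc_25519_scalarmult closes with `**/` while every other Doxygen block in this file closes with `*/`; use `*/` for consistency. The comment could also state that the loop `for (pos = 255; pos >= 0; --pos)` always runs 256 iterations regardless of the value of n, so readers of the public API know the iteration count does not depend on the scalar. The body of ecc_25519_scalarmult continues past the end of this hunk.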
@@ -901,30 +569,28 @@ void ecc_25519_scalarmult_bits(ecc_25519_work_t *out, const ecc_int256_t *n, con *out = cur; } -void ecc_25519_scalarmult(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base) { - ecc_25519_scalarmult_bits(out, n, base, 256); -} - -void ecc_25519_scalarmult_base_bits(ecc_25519_work_t *out, const ecc_int256_t *n, unsigned bits) { - ecc_25519_work_t Q2, Q2p; - ecc_25519_work_t cur = ecc_25519_work_identity; - int b, pos; - - if (bits > 256) - bits = 256; - - for (pos = bits - 1; pos >= 0; --pos) { - b = n->p[pos / 8] >> (pos & 7); - b &= 1; - - ecc_25519_double(&Q2, &cur); - ecc_25519_add1(&Q2p, &Q2, &ecc_25519_work_default_base); - selectw(&cur, &Q2, &Q2p, b); - } - - *out = cur; -} +/** The ec25519 default base */ +static const ecc_25519_work_t default_base = { + {0xd4, 0x6b, 0xfe, 0x7f, 0x39, 0xfa, 0x8c, 0x22, + 0xe1, 0x96, 0x23, 0xeb, 0x26, 0xb7, 0x8e, 0x6a, + 0x34, 0x74, 0x8b, 0x66, 0xd6, 0xa3, 0x26, 0xdd, + 0x19, 0x5e, 0x9f, 0x21, 0x50, 0x43, 0x7c, 0x54}, + {0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, + 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, + 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, + 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66}, + {1}, + {0x47, 0x56, 0x98, 0x99, 0xc7, 0x61, 0x0a, 0x82, + 0x1a, 0xdf, 0x82, 0x22, 0x1f, 0x2c, 0x72, 0x88, + 0xc3, 0x29, 0x09, 0x52, 0x78, 0xe9, 0x1e, 0xe4, + 0x47, 0x4b, 0x4c, 0x81, 0xa6, 0x02, 0xfd, 0x29} +}; +/** + * Does a scalar multiplication of the default base point (generator element) of the Elliptic Curve with an integer + * + * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$. + */ void ecc_25519_scalarmult_base(ecc_25519_work_t *out, const ecc_int256_t *n) { - ecc_25519_scalarmult_base_bits(out, n, 256); + ecc_25519_scalarmult(out, n, &default_base); } diff --git a/src/ec25519_gf.c b/src/ec25519_gf.c index 11d2989..d9f9bc1 100644 --- a/src/ec25519_gf.c +++ b/src/ec25519_gf.c 
@@ -1,5 +1,5 @@ /* - Copyright (c) 2012-2015, Matthias Schiffer + Copyright (c) 2012, Matthias Schiffer Partly based on public domain code by Matthew Dempsky and D. J. Bernstein. All rights reserved. @@ -25,23 +25,26 @@ */ /** \file - * Simple finite field operations on the prime field \f$ F_q \f$ for - * \f$ q = 2^{252} + 27742317777372353535851937790883648493 \f$, which - * is the order of the base point used for ec25519 - * - * Doxygen comments for public APIs can be found in the public header file. - */ + Simple finite field operations on the prime field \f$ F_q \f$ for + \f$ q = 2^{252} + 27742317777372353535851937790883648493 \f$, which + is the order of the base point used for ec25519 +*/ #include -/** Checks if the highest bit of an uint32_teger is set */ +/** Checks if the highest bit of an unsigned integer is set */ #define IS_NEGATIVE(n) ((int)((((unsigned)n) >> (8*sizeof(n)-1))&1)) /** Performs an arithmetic right shift */ #define ASR(n,s) (((n) >> s)|(IS_NEGATIVE(n)*((unsigned)-1) << (8*sizeof(n)-s))) +/** + * The order of the prime field + * + * The order is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$. + */ const ecc_int256_t ecc_25519_gf_order = {{ 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, @@ -50,15 +53,15 @@ const ecc_int256_t ecc_25519_gf_order = {{ }}; /** An internal alias for \ref ecc_25519_gf_order */ -static const uint8_t *q = ecc_25519_gf_order.p; +static const unsigned char *q = ecc_25519_gf_order.p; /** * Copies the content of r into out if b == 0, the contents of s if b == 1 */ -static void select(uint8_t out[32], const uint8_t r[32], const uint8_t s[32], uint32_t b) { +static void select(unsigned char out[32], const unsigned char r[32], const unsigned char s[32], unsigned int b) { unsigned int j; - uint8_t t; - uint8_t bminus1; + unsigned int t; + unsigned int bminus1; bminus1 = b - 1; for (j = 0;j < 32;++j) { 
@@ -67,10 +70,11 @@ static void select(uint8_t out[32], const uint8_t r[32], const uint8_t s[32], ui } } +/** Checks if an integer is equal to zero (after reduction) */ int ecc_25519_gf_is_zero(const ecc_int256_t *in) { int i; ecc_int256_t r; - uint32_t bits = 0; + unsigned int bits = 0; ecc_25519_gf_reduce(&r, in); @@ -80,9 +84,14 @@ int ecc_25519_gf_is_zero(const ecc_int256_t *in) { return (((bits-1)>>8) & 1); } +/** + * Adds two integers as Galois field elements + * + * The same pointers may be used for input and output. + */ void ecc_25519_gf_add(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2) { unsigned int j; - uint32_t u; + unsigned int u; int nq = 1 - (in1->p[31]>>4) - (in2->p[31]>>4); u = 0; @@ -94,9 +103,14 @@ void ecc_25519_gf_add(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int2 } } +/** + * Subtracts two integers as Galois field elements + * + * The same pointers may be used for input and output. + */ void ecc_25519_gf_sub(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2) { unsigned int j; - uint32_t u; + unsigned int u; int nq = 8 - (in1->p[31]>>4) + (in2->p[31]>>4); u = 0; @@ -109,11 +123,11 @@ void ecc_25519_gf_sub(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int2 } /** Reduces an integer to a unique representation in the range \f$ [0,q-1] \f$ */ -static void reduce(uint8_t a[32]) { +static void reduce(unsigned char a[32]) { unsigned int j; - uint32_t nq = a[31] >> 4; - uint32_t u1, u2; - uint8_t out1[32], out2[32]; + unsigned int nq = a[31] >> 4; + unsigned int u1, u2; + unsigned char out1[32], out2[32]; u1 = u2 = 0; for (j = 0; j < 31; ++j) { @@ -131,6 +145,11 @@ static void reduce(uint8_t a[32]) { select(a, out1, out2, IS_NEGATIVE(u1)); } +/** + * Reduces an integer to a unique representation in the range \f$ [0,q-1] \f$ + * + * The same pointers may be used for input and output. + */ void ecc_25519_gf_reduce(ecc_int256_t *out, const ecc_int256_t *in) { int i; 
@@ -141,10 +160,10 @@ void ecc_25519_gf_reduce(ecc_int256_t *out, const ecc_int256_t *in) { } /** Montgomery modular multiplication algorithm */ -static void montgomery(uint8_t out[32], const uint8_t a[32], const uint8_t b[32]) { +static void montgomery(unsigned char out[32], const unsigned char a[32], const unsigned char b[32]) { unsigned int i, j; - uint32_t nq; - uint32_t u; + unsigned int nq; + unsigned int u; for (i = 0; i < 32; i++) out[i] = 0; @@ -164,17 +183,22 @@ static void montgomery(uint8_t out[32], const uint8_t a[32], const uint8_t b[32] } } +/** + * Multiplies two integers as Galois field elements + * + * The same pointers may be used for input and output. + */ void ecc_25519_gf_mult(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2) { /* 2^512 mod q */ - static const uint8_t C[32] = { + static const unsigned char C[32] = { 0x01, 0x0f, 0x9c, 0x44, 0xe3, 0x11, 0x06, 0xa4, 0x47, 0x93, 0x85, 0x68, 0xa7, 0x1b, 0x0e, 0xd0, 0x65, 0xbe, 0xf5, 0x17, 0xd2, 0x73, 0xec, 0xce, 0x3d, 0x9a, 0x30, 0x7c, 0x1b, 0x41, 0x99, 0x03 }; - uint8_t B[32]; - uint8_t R[32]; + unsigned char B[32]; + unsigned char R[32]; unsigned int i; for (i = 0; i < 32; i++) @@ -186,13 +210,18 @@ void ecc_25519_gf_mult(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int montgomery(out->p, R, C); } +/** + * Computes the reciprocal of a Galois field element + * + * The same pointers may be used for input and output. + */ void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in) { - static const uint8_t C[32] = { + static const unsigned char C[32] = { 0x01 }; - uint8_t A[32], B[32]; - uint8_t R1[32], R2[32]; + unsigned char A[32], B[32]; + unsigned char R1[32], R2[32]; int use_r2 = 0; unsigned int i, j; @@ -204,7 +233,7 @@ void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in) { reduce(A); for (i = 0; i < 32; i++) { - uint8_t c; + unsigned char c; if (i == 0) c = 0xeb; /* q[0] - 2 */ 
@@ -239,6 +268,11 @@ void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in) { montgomery(out->p, R2, C); } +/** + * Ensures some properties of a Galois field element to make it fit for use as a secret key + * + * The same pointers may be used for input and output. + */ void ecc_25519_gf_sanitize_secret(ecc_int256_t *out, const ecc_int256_t *in) { int i;