2025-04-20 02:55:08 +02:00
9 changed files with 430 additions and 1125 deletions
--- a/34
+++ b/34
@ -1,34 +0,0 @@
 libuecc v7 (2016/03/27)
 * Change conversion between Ed25519 and legacy representation. This should
    not affect any operations unless Ed25519 and legacy load/store
    functions are mixed when accessing a work structure. Doing so is now
    officially supported, for example to convert a legacy public key to
    Ed25519 format.
 * The changed representation allows to use the same
    ecc_25519_work_default_base for both Ed25519 and legacy.
    ecc_25519_work_default_base and ecc_25519_scalarmult_base have been
    undeprecated, ecc_25519_work_base_ed25519 and
    ecc_25519_work_base_legacy are deprecated now.
 * All points are now internally represented with Ed25519 coordinates, which
    allows about 6% faster scalar multplication than the legacy
    representation.
 * ecc_25519_scalarmult_base has been further optimized, making it another
    6% faster than normal ecc_25519_scalarmult.
 libuecc v6 (2015/10/25)
 * Fixes a bug which might have caused a point's y coordinate to be negated
    in certain circumstances when the point was stored in packed
    representation and loaded again. It is extremely improbable that this
    has ever actually happened, as only a small range of coordinates was
    affected.
 * Use stdint types to clarify ABI and add support for systems with
    sizeof(int) < 4 (this is not an ABI break in practise as all systems on
    which libuecc has been used in the past should have int == int32_t)
 * Add point negation and subtraction functions
 * Rename all point access functions to bear a _legacy suffix (the old names
    are still available, but marked as deprecated)
 * Add new point access functions and a new generator point that are
    compatible with Ed25519
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 2.6)
 project(LIBUECC C)
-set(PROJECT_VERSION 7)
+set(PROJECT_VERSION 4)
 set(CMAKE_MODULE_PATH ${LIBUECC_SOURCE_DIR})
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-Copyright (c) 2012-2015, Matthias Schiffer <mschiffer@universe-factory.net>
+Copyright (c) 2012, Matthias Schiffer <mschiffer@universe-factory.net>
 Partly based on public domain code by Matthew Dempsky and D. J. Bernstein.
 All rights reserved.
--- a/Doxyfile.in
+++ b/Doxyfile.in
@ -1,4 +1,4 @@
-# Doxyfile 1.8.9.1
+# Doxyfile 1.8.5
 # This file describes the settings to be used by the documentation system
 # doxygen (www.doxygen.org) for a project.
@ -46,10 +46,10 @@ PROJECT_NUMBER         = "@PROJECT_VERSION@"
 PROJECT_BRIEF          =
-# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
+# With the PROJECT_LOGO tag one can specify an logo or icon that is included in
-# in the documentation. The maximum height of the logo should not exceed 55
+# the documentation. The maximum height of the logo should not exceed 55 pixels
-# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
+# and the maximum width should not exceed 200 pixels. Doxygen will copy the logo
-# the logo to the output directory.
+# to the output directory.
 PROJECT_LOGO           =
@ -60,7 +60,7 @@ PROJECT_LOGO           =
 OUTPUT_DIRECTORY       = "@DOXYFILE_OUTPUT_DIR@"
-# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub-
 # directories (in 2 levels) under the output directory of each output format and
 # will distribute the generated files over these directories. Enabling this
 # option can be useful when feeding doxygen a huge amount of source files, where
@ -70,37 +70,27 @@ OUTPUT_DIRECTORY       = "@DOXYFILE_OUTPUT_DIR@"
 CREATE_SUBDIRS         = NO
 # If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
 # characters to appear in the names of generated files. If set to NO, non-ASCII
 # characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
 # U+3044.
 # The default value is: NO.
 ALLOW_UNICODE_NAMES    = NO
 # The OUTPUT_LANGUAGE tag is used to specify the language in which all
 # documentation generated by doxygen is written. Doxygen will use this
 # information to generate all constant output in the proper language.
-# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese,
+# Possible values are: Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-
-# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States),
+# Traditional, Croatian, Czech, Danish, Dutch, English, Esperanto, Farsi,
-# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian,
+# Finnish, French, German, Greek, Hungarian, Italian, Japanese, Japanese-en,
-# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages),
+# Korean, Korean-en, Latvian, Norwegian, Macedonian, Persian, Polish,
-# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian,
+# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish,
-# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian,
+# Turkish, Ukrainian and Vietnamese.
 # Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish,
 # Ukrainian and Vietnamese.
 # The default value is: English.
 OUTPUT_LANGUAGE        = English
-# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member
+# If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member
 # descriptions after the members that are listed in the file and class
 # documentation (similar to Javadoc). Set to NO to disable this.
 # The default value is: YES.
 BRIEF_MEMBER_DESC      = YES
-# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief
+# If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief
 # description of a member or function before the detailed description
 #
 # Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
@ -135,7 +125,7 @@ ALWAYS_DETAILED_SEC    = NO
 INLINE_INHERITED_MEMB  = NO
-# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path
+# If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path
 # before files name in the file list and in the header files. If set to NO the
 # shortest path that makes the file name unique will be used
 # The default value is: YES.
@ -205,9 +195,9 @@ MULTILINE_CPP_IS_BRIEF = NO
 INHERIT_DOCS           = YES
-# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a
-# page for each member. If set to NO, the documentation of a member will be part
+# new page for each member. If set to NO, the documentation of a member will be
-# of the file/class/namespace that contains it.
+# part of the file/class/namespace that contains it.
 # The default value is: NO.
 SEPARATE_MEMBER_PAGES  = NO
@ -269,14 +259,11 @@ OPTIMIZE_OUTPUT_VHDL   = NO
 # extension. Doxygen has a built-in mapping, but you can override or extend it
 # using this tag. The format is ext=language, where ext is a file extension, and
 # language is one of the parsers supported by doxygen: IDL, Java, Javascript,
-# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran:
+# C#, C, C++, D, PHP, Objective-C, Python, Fortran, VHDL. For instance to make
-# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran:
+# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
-# Fortran. In the later case the parser tries to guess whether the code is fixed
+# (default is Fortran), use: inc=Fortran f=C.
 # or free formatted code, this is the default for Fortran type files), VHDL. For
 # instance to make doxygen treat .inc files as Fortran files (default is PHP),
 # and .f files as C (default is Fortran), use: inc=Fortran f=C.
 #
-# Note: For files without extension you can use no_extension as a placeholder.
+# Note For files without extension you can use no_extension as a placeholder.
 #
 # Note that for custom extensions you also need to set FILE_PATTERNS otherwise
 # the files are not read by doxygen.
@ -295,8 +282,8 @@ MARKDOWN_SUPPORT       = YES
 # When enabled doxygen tries to link words that correspond to documented
 # classes, or namespaces to their corresponding documentation. Such a link can
-# be prevented in individual cases by putting a % sign in front of the word or
+# be prevented in individual cases by by putting a % sign in front of the word
-# globally by setting AUTOLINK_SUPPORT to NO.
+# or globally by setting AUTOLINK_SUPPORT to NO.
 # The default value is: YES.
 AUTOLINK_SUPPORT       = YES
@ -336,7 +323,7 @@ SIP_SUPPORT            = NO
 IDL_PROPERTY_SUPPORT   = YES
 # If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
-# tag is set to YES then doxygen will reuse the documentation of the first
+# tag is set to YES, then doxygen will reuse the documentation of the first
 # member in the group (if any) for the other members of the group. By default
 # all members of a group must be documented explicitly.
 # The default value is: NO.
@ -401,7 +388,7 @@ LOOKUP_CACHE_SIZE      = 0
 # Build related configuration options
 #---------------------------------------------------------------------------
-# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
 # documentation are documented, even if no documentation was available. Private
 # class members and static file members will be hidden unless the
 # EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
@ -411,35 +398,35 @@ LOOKUP_CACHE_SIZE      = 0
 EXTRACT_ALL            = YES
-# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class will
 # be included in the documentation.
 # The default value is: NO.
 EXTRACT_PRIVATE        = NO
-# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
+# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal
 # scope will be included in the documentation.
 # The default value is: NO.
 EXTRACT_PACKAGE        = NO
-# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
+# If the EXTRACT_STATIC tag is set to YES all static members of a file will be
 # included in the documentation.
 # The default value is: NO.
 EXTRACT_STATIC         = YES
-# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined
-# locally in source files will be included in the documentation. If set to NO,
+# locally in source files will be included in the documentation. If set to NO
 # only classes defined in header files are included. Does not have any effect
 # for Java sources.
 # The default value is: YES.
 EXTRACT_LOCAL_CLASSES  = YES
-# This flag is only useful for Objective-C code. If set to YES, local methods,
+# This flag is only useful for Objective-C code. When set to YES local methods,
 # which are defined in the implementation section but not in the interface are
-# included in the documentation. If set to NO, only methods in the interface are
+# included in the documentation. If set to NO only methods in the interface are
 # included.
 # The default value is: NO.
@ -464,21 +451,21 @@ HIDE_UNDOC_MEMBERS     = NO
 # If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
 # undocumented classes that are normally visible in the class hierarchy. If set
-# to NO, these classes will be included in the various overviews. This option
+# to NO these classes will be included in the various overviews. This option has
-# has no effect if EXTRACT_ALL is enabled.
+# no effect if EXTRACT_ALL is enabled.
 # The default value is: NO.
 HIDE_UNDOC_CLASSES     = NO
 # If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
-# (class|struct|union) declarations. If set to NO, these declarations will be
+# (class|struct|union) declarations. If set to NO these declarations will be
 # included in the documentation.
 # The default value is: NO.
 HIDE_FRIEND_COMPOUNDS  = NO
 # If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
-# documentation blocks found inside the body of a function. If set to NO, these
+# documentation blocks found inside the body of a function. If set to NO these
 # blocks will be appended to the function's detailed documentation block.
 # The default value is: NO.
@ -492,7 +479,7 @@ HIDE_IN_BODY_DOCS      = NO
 INTERNAL_DOCS          = NO
 # If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
-# names in lower-case letters. If set to YES, upper-case letters are also
+# names in lower-case letters. If set to YES upper-case letters are also
 # allowed. This is useful if you have classes or files whose names only differ
 # in case and if your file system supports case sensitive file names. Windows
 # and Mac users are advised to set this option to NO.
@ -501,32 +488,18 @@ INTERNAL_DOCS          = NO
 CASE_SENSE_NAMES       = YES
 # If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
-# their full class and namespace scopes in the documentation. If set to YES, the
+# their full class and namespace scopes in the documentation. If set to YES the
 # scope will be hidden.
 # The default value is: NO.
 HIDE_SCOPE_NAMES       = NO
 # If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will
 # append additional text to a page's title, such as Class Reference. If set to
 # YES the compound reference will be hidden.
 # The default value is: NO.
 HIDE_COMPOUND_REFERENCE= NO
 # If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
 # the files that are included by a file in the documentation of that file.
 # The default value is: YES.
 SHOW_INCLUDE_FILES     = YES
 # If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each
 # grouped member an include statement to the documentation, telling the reader
 # which file to include in order to use the member.
 # The default value is: NO.
 SHOW_GROUPED_MEMB_INC  = NO
 # If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include
 # files with double quotes in the documentation rather than with sharp brackets.
 # The default value is: NO.
@ -541,15 +514,14 @@ INLINE_INFO            = YES
 # If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
 # (detailed) documentation of file and class members alphabetically by member
-# name. If set to NO, the members will appear in declaration order.
+# name. If set to NO the members will appear in declaration order.
 # The default value is: YES.
 SORT_MEMBER_DOCS       = YES
 # If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
 # descriptions of file, namespace and class members alphabetically by member
-# name. If set to NO, the members will appear in declaration order. Note that
+# name. If set to NO the members will appear in declaration order.
 # this will also influence the order of the classes in the class list.
 # The default value is: NO.
 SORT_BRIEF_DOCS        = NO
@ -593,25 +565,27 @@ SORT_BY_SCOPE_NAME     = NO
 STRICT_PROTO_MATCHING  = NO
-# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
+# The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the
-# list. This list is created by putting \todo commands in the documentation.
+# todo list. This list is created by putting \todo commands in the
 # documentation.
 # The default value is: YES.
 GENERATE_TODOLIST      = YES
-# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
+# The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the
-# list. This list is created by putting \test commands in the documentation.
+# test list. This list is created by putting \test commands in the
 # documentation.
 # The default value is: YES.
 GENERATE_TESTLIST      = YES
-# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
+# The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug
 # list. This list is created by putting \bug commands in the documentation.
 # The default value is: YES.
 GENERATE_BUGLIST       = YES
-# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
+# The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO)
 # the deprecated list. This list is created by putting \deprecated commands in
 # the documentation.
 # The default value is: YES.
@ -636,8 +610,8 @@ ENABLED_SECTIONS       =
 MAX_INITIALIZER_LINES  = 30
 # Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
-# the bottom of the documentation of classes and structs. If set to YES, the
+# the bottom of the documentation of classes and structs. If set to YES the list
-# list will mention the files that were used to generate the documentation.
+# will mention the files that were used to generate the documentation.
 # The default value is: YES.
 SHOW_USED_FILES        = YES
@ -685,7 +659,8 @@ LAYOUT_FILE            =
 # to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
 # For LaTeX the style of the bibliography can be controlled using
 # LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
-# search path. See also \cite for info how to create references.
+# search path. Do not use file names with spaces, bibtex cannot handle them. See
 # also \cite for info how to create references.
 CITE_BIB_FILES         =
@ -701,7 +676,7 @@ CITE_BIB_FILES         =
 QUIET                  = YES
 # The WARNINGS tag can be used to turn on/off the warning messages that are
-# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES
+# generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES
 # this implies that the warnings are on.
 #
 # Tip: Turn warnings on while writing the documentation.
@ -709,7 +684,7 @@ QUIET                  = YES
 WARNINGS               = YES
-# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate
+# If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate
 # warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
 # will automatically be disabled.
 # The default value is: YES.
@ -726,8 +701,8 @@ WARN_IF_DOC_ERROR      = YES
 # This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
 # are documented, but have no documentation for their parameters or return
-# value. If set to NO, doxygen will only warn about wrong or incomplete
+# value. If set to NO doxygen will only warn about wrong or incomplete parameter
-# parameter documentation, but not about the absence of documentation.
+# documentation, but not about the absence of documentation.
 # The default value is: NO.
 WARN_NO_PARAMDOC       = NO
@ -876,7 +851,7 @@ INPUT_FILTER           =
 FILTER_PATTERNS        =
 # If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
-# INPUT_FILTER) will also be used to filter the input files that are used for
+# INPUT_FILTER ) will also be used to filter the input files that are used for
 # producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
 # The default value is: NO.
@ -936,7 +911,7 @@ REFERENCED_BY_RELATION = NO
 REFERENCES_RELATION    = NO
 # If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
-# to YES then the hyperlinks from functions in REFERENCES_RELATION and
+# to YES, then the hyperlinks from functions in REFERENCES_RELATION and
 # REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
 # link to the documentation.
 # The default value is: YES.
@ -1013,7 +988,7 @@ IGNORE_PREFIX          =
 # Configuration options related to the HTML output
 #---------------------------------------------------------------------------
-# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output
+# If the GENERATE_HTML tag is set to YES doxygen will generate HTML output
 # The default value is: YES.
 GENERATE_HTML          = YES
@ -1075,15 +1050,13 @@ HTML_FOOTER            =
 HTML_STYLESHEET        =
-# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user-
-# cascading style sheets that are included after the standard style sheets
+# defined cascading style sheet that is included after the standard style sheets
 # created by doxygen. Using this option one can overrule certain style aspects.
 # This is preferred over using HTML_STYLESHEET since it does not replace the
-# standard style sheet and is therefore more robust against future updates.
+# standard style sheet and is therefor more robust against future updates.
-# Doxygen will copy the style sheet files to the output directory.
+# Doxygen will copy the style sheet file to the output directory. For an example
-# Note: The order of the extra style sheet files is of importance (e.g. the last
+# see the documentation.
 # style sheet in the list overrules the setting of the previous ones in the
 # list). For an example see the documentation.
 # This tag requires that the tag GENERATE_HTML is set to YES.
 HTML_EXTRA_STYLESHEET  =
@ -1099,7 +1072,7 @@ HTML_EXTRA_STYLESHEET  =
 HTML_EXTRA_FILES       =
 # The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
-# will adjust the colors in the style sheet and background images according to
+# will adjust the colors in the stylesheet and background images according to
 # this color. Hue is specified as an angle on a colorwheel, see
 # http://en.wikipedia.org/wiki/Hue for more information. For instance the value
 # 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
@ -1227,29 +1200,28 @@ GENERATE_HTMLHELP      = NO
 CHM_FILE               =
 # The HHC_LOCATION tag can be used to specify the location (absolute path
-# including file name) of the HTML help compiler (hhc.exe). If non-empty,
+# including file name) of the HTML help compiler ( hhc.exe). If non-empty
 # doxygen will try to run the HTML help compiler on the generated index.hhp.
 # The file has to be specified with full path.
 # This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 HHC_LOCATION           =
-# The GENERATE_CHI flag controls if a separate .chi index file is generated
+# The GENERATE_CHI flag controls if a separate .chi index file is generated (
-# (YES) or that it should be included in the master .chm file (NO).
+# YES) or that it should be included in the master .chm file ( NO).
 # The default value is: NO.
 # This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 GENERATE_CHI           = NO
-# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)
+# The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc)
 # and project file content.
 # This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 CHM_INDEX_ENCODING     =
-# The BINARY_TOC flag controls whether a binary table of contents is generated
+# The BINARY_TOC flag controls whether a binary table of contents is generated (
-# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it
+# YES) or a normal table of contents ( NO) in the .chm file.
 # enables the Previous and Next buttons.
 # The default value is: NO.
 # This tag requires that the tag GENERATE_HTMLHELP is set to YES.
@ -1362,7 +1334,7 @@ DISABLE_INDEX          = NO
 # index structure (just like the one that is generated for HTML Help). For this
 # to work a browser that supports JavaScript, DHTML, CSS and frames is required
 # (i.e. any modern browser). Windows users are probably better off using the
-# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
+# HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can
 # further fine-tune the look of the index. As an example, the default style
 # sheet generated by doxygen has an example that shows how to put an image at
 # the root of the tree instead of the PROJECT_NAME. Since the tree basically has
@ -1390,7 +1362,7 @@ ENUM_VALUES_PER_LINE   = 4
 TREEVIEW_WIDTH         = 250
-# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to
+# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to
 # external symbols imported via tag files in a separate window.
 # The default value is: NO.
 # This tag requires that the tag GENERATE_HTML is set to YES.
@ -1419,7 +1391,7 @@ FORMULA_TRANSPARENT    = YES
 # Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
 # http://www.mathjax.org) which uses client side Javascript for the rendering
-# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX
+# instead of using prerendered bitmaps. Use this if you do not have LaTeX
 # installed or if you want to formulas look prettier in the HTML output. When
 # enabled you may also need to install MathJax separately and configure the path
 # to it using the MATHJAX_RELPATH option.
@ -1489,11 +1461,11 @@ SEARCHENGINE           = NO
 # When the SERVER_BASED_SEARCH tag is enabled the search engine will be
 # implemented using a web server instead of a web client using Javascript. There
-# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
+# are two flavours of web server based searching depending on the
-# setting. When disabled, doxygen will generate a PHP script for searching and
+# EXTERNAL_SEARCH setting. When disabled, doxygen will generate a PHP script for
-# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
+# searching and an index file used by the script. When EXTERNAL_SEARCH is
-# and searching needs to be provided by external tools. See the section
+# enabled the indexing and searching needs to be provided by external tools. See
-# "External Indexing and Searching" for details.
+# the section "External Indexing and Searching" for details.
 # The default value is: NO.
 # This tag requires that the tag SEARCHENGINE is set to YES.
@ -1505,7 +1477,7 @@ SERVER_BASED_SEARCH    = NO
 # external search engine pointed to by the SEARCHENGINE_URL option to obtain the
 # search results.
 #
-# Doxygen ships with an example indexer (doxyindexer) and search engine
+# Doxygen ships with an example indexer ( doxyindexer) and search engine
 # (doxysearch.cgi) which are based on the open source search engine library
 # Xapian (see: http://xapian.org/).
 #
@ -1518,7 +1490,7 @@ EXTERNAL_SEARCH        = NO
 # The SEARCHENGINE_URL should point to a search engine hosted by a web server
 # which will return the search results when EXTERNAL_SEARCH is enabled.
 #
-# Doxygen ships with an example indexer (doxyindexer) and search engine
+# Doxygen ships with an example indexer ( doxyindexer) and search engine
 # (doxysearch.cgi) which are based on the open source search engine library
 # Xapian (see: http://xapian.org/). See the section "External Indexing and
 # Searching" for details.
@ -1556,7 +1528,7 @@ EXTRA_SEARCH_MAPPINGS  =
 # Configuration options related to the LaTeX output
 #---------------------------------------------------------------------------
-# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output.
+# If the GENERATE_LATEX tag is set to YES doxygen will generate LaTeX output.
 # The default value is: YES.
 GENERATE_LATEX         = @DOXYFILE_GENERATE_LATEX@
@ -1587,7 +1559,7 @@ LATEX_CMD_NAME         = "@LATEX_COMPILER@"
 MAKEINDEX_CMD_NAME     = "@MAKEINDEX_COMPILER@"
-# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX
+# If the COMPACT_LATEX tag is set to YES doxygen generates more compact LaTeX
 # documents. This may be useful for small projects and may help to save some
 # trees in general.
 # The default value is: NO.
@ -1621,36 +1593,23 @@ EXTRA_PACKAGES         =
 #
 # Note: Only use a user-defined header if you know what you are doing! The
 # following commands have a special meaning inside the header: $title,
-# $datetime, $date, $doxygenversion, $projectname, $projectnumber,
+# $datetime, $date, $doxygenversion, $projectname, $projectnumber. Doxygen will
-# $projectbrief, $projectlogo. Doxygen will replace $title with the empty
+# replace them by respectively the title of the page, the current date and time,
-# string, for the replacement values of the other commands the user is referred
+# only the current date, the version number of doxygen, the project name (see
-# to HTML_HEADER.
+# PROJECT_NAME), or the project number (see PROJECT_NUMBER).
 # This tag requires that the tag GENERATE_LATEX is set to YES.
 LATEX_HEADER           =
 # The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
 # generated LaTeX document. The footer should contain everything after the last
-# chapter. If it is left blank doxygen will generate a standard footer. See
+# chapter. If it is left blank doxygen will generate a standard footer.
 # LATEX_HEADER for more information on how to generate a default footer and what
 # special commands can be used inside the footer.
 #
 # Note: Only use a user-defined footer if you know what you are doing!
 # This tag requires that the tag GENERATE_LATEX is set to YES.
 LATEX_FOOTER           =
 # The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined
 # LaTeX style sheets that are included after the standard style sheets created
 # by doxygen. Using this option one can overrule certain style aspects. Doxygen
 # will copy the style sheet files to the output directory.
 # Note: The order of the extra style sheet files is of importance (e.g. the last
 # style sheet in the list overrules the setting of the previous ones in the
 # list).
 # This tag requires that the tag GENERATE_LATEX is set to YES.
 LATEX_EXTRA_STYLESHEET =
 # The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
 # other source files which should be copied to the LATEX_OUTPUT output
 # directory. Note that the files will be copied as-is; there are no commands or
@ -1668,8 +1627,8 @@ LATEX_EXTRA_FILES      =
 PDF_HYPERLINKS         = YES
-# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
+# If the LATEX_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
-# the PDF file directly from the LaTeX files. Set this option to YES, to get a
+# the PDF file directly from the LaTeX files. Set this option to YES to get a
 # higher quality PDF documentation.
 # The default value is: YES.
 # This tag requires that the tag GENERATE_LATEX is set to YES.
@ -1714,7 +1673,7 @@ LATEX_BIB_STYLE        = plain
 # Configuration options related to the RTF output
 #---------------------------------------------------------------------------
-# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The
+# If the GENERATE_RTF tag is set to YES doxygen will generate RTF output. The
 # RTF output is optimized for Word 97 and may not look too pretty with other RTF
 # readers/editors.
 # The default value is: NO.
@ -1729,7 +1688,7 @@ GENERATE_RTF           = NO
 RTF_OUTPUT             = rtf
-# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF
+# If the COMPACT_RTF tag is set to YES doxygen generates more compact RTF
 # documents. This may be useful for small projects and may help to save some
 # trees in general.
 # The default value is: NO.
@ -1766,21 +1725,11 @@ RTF_STYLESHEET_FILE    =
 RTF_EXTENSIONS_FILE    =
 # If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code
 # with syntax highlighting in the RTF output.
 #
 # Note that which sources are shown also depends on other settings such as
 # SOURCE_BROWSER.
 # The default value is: NO.
 # This tag requires that the tag GENERATE_RTF is set to YES.
 RTF_SOURCE_CODE        = NO
 #---------------------------------------------------------------------------
 # Configuration options related to the man page output
 #---------------------------------------------------------------------------
-# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for
+# If the GENERATE_MAN tag is set to YES doxygen will generate man pages for
 # classes and files.
 # The default value is: NO.
@ -1804,13 +1753,6 @@ MAN_OUTPUT             = man
 MAN_EXTENSION          = .3
 # The MAN_SUBDIR tag determines the name of the directory created within
 # MAN_OUTPUT in which the man pages are placed. If defaults to man followed by
 # MAN_EXTENSION with the initial . removed.
 # This tag requires that the tag GENERATE_MAN is set to YES.
 MAN_SUBDIR             =
 # If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
 # will generate one additional man file for each entity documented in the real
 # man page(s). These additional files only source the real man page, but without
@ -1824,7 +1766,7 @@ MAN_LINKS              = NO
 # Configuration options related to the XML output
 #---------------------------------------------------------------------------
-# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that
+# If the GENERATE_XML tag is set to YES doxygen will generate an XML file that
 # captures the structure of the code including all documentation.
 # The default value is: NO.
@ -1838,7 +1780,19 @@ GENERATE_XML           = NO
 XML_OUTPUT             = xml
-# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program
+# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a
 # validating XML parser to check the syntax of the XML files.
 # This tag requires that the tag GENERATE_XML is set to YES.
 XML_SCHEMA             =
 # The XML_DTD tag can be used to specify a XML DTD, which can be used by a
 # validating XML parser to check the syntax of the XML files.
 # This tag requires that the tag GENERATE_XML is set to YES.
 XML_DTD                =
 # If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program
 # listings (including syntax highlighting and cross-referencing information) to
 # the XML output. Note that enabling this will significantly increase the size
 # of the XML output.
@ -1851,7 +1805,7 @@ XML_PROGRAMLISTING     = YES
 # Configuration options related to the DOCBOOK output
 #---------------------------------------------------------------------------
-# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files
+# If the GENERATE_DOCBOOK tag is set to YES doxygen will generate Docbook files
 # that can be used to generate PDF.
 # The default value is: NO.
@ -1865,23 +1819,14 @@ GENERATE_DOCBOOK       = NO
 DOCBOOK_OUTPUT         = docbook
 # If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the
 # program listings (including syntax highlighting and cross-referencing
 # information) to the DOCBOOK output. Note that enabling this will significantly
 # increase the size of the DOCBOOK output.
 # The default value is: NO.
 # This tag requires that the tag GENERATE_DOCBOOK is set to YES.
 DOCBOOK_PROGRAMLISTING = NO
 #---------------------------------------------------------------------------
 # Configuration options for the AutoGen Definitions output
 #---------------------------------------------------------------------------
-# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an
+# If the GENERATE_AUTOGEN_DEF tag is set to YES doxygen will generate an AutoGen
-# AutoGen Definitions (see http://autogen.sf.net) file that captures the
+# Definitions (see http://autogen.sf.net) file that captures the structure of
-# structure of the code including all documentation. Note that this feature is
+# the code including all documentation. Note that this feature is still
-# still experimental and incomplete at the moment.
+# experimental and incomplete at the moment.
 # The default value is: NO.
 GENERATE_AUTOGEN_DEF   = NO
@ -1890,7 +1835,7 @@ GENERATE_AUTOGEN_DEF   = NO
 # Configuration options related to the Perl module output
 #---------------------------------------------------------------------------
-# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module
+# If the GENERATE_PERLMOD tag is set to YES doxygen will generate a Perl module
 # file that captures the structure of the code including all documentation.
 #
 # Note that this feature is still experimental and incomplete at the moment.
@ -1898,7 +1843,7 @@ GENERATE_AUTOGEN_DEF   = NO
 GENERATE_PERLMOD       = NO
-# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary
+# If the PERLMOD_LATEX tag is set to YES doxygen will generate the necessary
 # Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
 # output from the Perl module output.
 # The default value is: NO.
@ -1906,9 +1851,9 @@ GENERATE_PERLMOD       = NO
 PERLMOD_LATEX          = NO
-# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be nicely
 # formatted so it can be parsed by a human reader. This is useful if you want to
-# understand what is going on. On the other hand, if this tag is set to NO, the
+# understand what is going on. On the other hand, if this tag is set to NO the
 # size of the Perl module output will be much smaller and Perl will parse it
 # just the same.
 # The default value is: YES.
@ -1928,14 +1873,14 @@ PERLMOD_MAKEVAR_PREFIX =
 # Configuration options related to the preprocessor
 #---------------------------------------------------------------------------
-# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all
+# If the ENABLE_PREPROCESSING tag is set to YES doxygen will evaluate all
 # C-preprocessor directives found in the sources and include files.
 # The default value is: YES.
 ENABLE_PREPROCESSING   = YES
-# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
+# If the MACRO_EXPANSION tag is set to YES doxygen will expand all macro names
-# in the source code. If set to NO, only conditional compilation will be
+# in the source code. If set to NO only conditional compilation will be
 # performed. Macro expansion can be done in a controlled way by setting
 # EXPAND_ONLY_PREDEF to YES.
 # The default value is: NO.
@ -1951,7 +1896,7 @@ MACRO_EXPANSION        = YES
 EXPAND_ONLY_PREDEF     = YES
-# If the SEARCH_INCLUDES tag is set to YES, the include files in the
+# If the SEARCH_INCLUDES tag is set to YES the includes files in the
 # INCLUDE_PATH will be searched if a #include is found.
 # The default value is: YES.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@ -1993,9 +1938,9 @@ PREDEFINED             = DEPRECATED=
 EXPAND_AS_DEFINED      =
 # If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
-# remove all references to function-like macros that are alone on a line, have
+# remove all refrences to function-like macros that are alone on a line, have an
-# an all uppercase name, and do not end with a semicolon. Such function macros
+# all uppercase name, and do not end with a semicolon. Such function macros are
-# are typically used for boiler-plate code, and will confuse the parser if not
+# typically used for boiler-plate code, and will confuse the parser if not
 # removed.
 # The default value is: YES.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@ -2015,7 +1960,7 @@ SKIP_FUNCTION_MACROS   = YES
 # where loc1 and loc2 can be relative or absolute paths or URLs. See the
 # section "Linking to external documentation" for more information about the use
 # of tag files.
-# Note: Each tag file must have a unique name (where the name does NOT include
+# Note: Each tag file must have an unique name (where the name does NOT include
 # the path). If a tag file is not located in the directory in which doxygen is
 # run, you must also specify the path to the tagfile here.
@ -2027,21 +1972,20 @@ TAGFILES               =
 GENERATE_TAGFILE       =
-# If the ALLEXTERNALS tag is set to YES, all external class will be listed in
+# If the ALLEXTERNALS tag is set to YES all external class will be listed in the
-# the class index. If set to NO, only the inherited external classes will be
+# class index. If set to NO only the inherited external classes will be listed.
 # listed.
 # The default value is: NO.
 ALLEXTERNALS           = NO
-# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed in
-# in the modules index. If set to NO, only the current project's groups will be
+# the modules index. If set to NO, only the current project's groups will be
 # listed.
 # The default value is: YES.
 EXTERNAL_GROUPS        = YES
-# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
+# If the EXTERNAL_PAGES tag is set to YES all external pages will be listed in
 # the related pages index. If set to NO, only the current project's pages will
 # be listed.
 # The default value is: YES.
@ -2058,7 +2002,7 @@ PERL_PATH              = /usr/bin/perl
 # Configuration options related to the dot tool
 #---------------------------------------------------------------------------
-# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram
+# If the CLASS_DIAGRAMS tag is set to YES doxygen will generate a class diagram
 # (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
 # NO turns the diagrams off. Note that this option also works with HAVE_DOT
 # disabled, but it is recommended to install and use dot, since it yields more
@ -2076,14 +2020,7 @@ CLASS_DIAGRAMS         = YES
 MSCGEN_PATH            =
-# You can include diagrams made with dia in doxygen documentation. Doxygen will
+# If set to YES, the inheritance and collaboration graphs will hide inheritance
 # then run dia to produce the diagram and insert it in the documentation. The
 # DIA_PATH tag allows you to specify the directory where the dia binary resides.
 # If left empty dia is assumed to be found in the default search path.
 DIA_PATH               =
 # If set to YES the inheritance and collaboration graphs will hide inheritance
 # and usage relations if the target is undocumented or is not a class.
 # The default value is: YES.
@ -2108,7 +2045,7 @@ HAVE_DOT               = @DOXYFILE_DOT@
 DOT_NUM_THREADS        = 0
-# When you want a differently looking font in the dot files that doxygen
+# When you want a differently looking font n the dot files that doxygen
 # generates you can specify the font name using DOT_FONTNAME. You need to make
 # sure dot is able to find the font, which can be done by putting it in a
 # standard location or by setting the DOTFONTPATH environment variable or by
@ -2156,7 +2093,7 @@ COLLABORATION_GRAPH    = YES
 GROUP_GRAPHS           = YES
-# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
 # collaboration diagrams in a style similar to the OMG's Unified Modeling
 # Language.
 # The default value is: NO.
@ -2283,25 +2220,6 @@ DOTFILE_DIRS           =
 MSCFILE_DIRS           =
 # The DIAFILE_DIRS tag can be used to specify one or more directories that
 # contain dia files that are included in the documentation (see the \diafile
 # command).
 DIAFILE_DIRS           =
 # When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the
 # path where java can find the plantuml.jar file. If left blank, it is assumed
 # PlantUML is not used or called during a preprocessing step. Doxygen will
 # generate a warning when it encounters a \startuml command in this case and
 # will not generate output for the diagram.
 PLANTUML_JAR_PATH      =
 # When using plantuml, the specified paths are searched for files specified by
 # the !include statement in a plantuml block.
 PLANTUML_INCLUDE_PATH  =
 # The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
 # that will be shown in the graph. If the number of nodes in a graph becomes
 # larger than this value, doxygen will truncate the graph, which is visualized
@ -2338,7 +2256,7 @@ MAX_DOT_GRAPH_DEPTH    = 0
 DOT_TRANSPARENT        = YES
-# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
 # files in one run (i.e. multiple -o and -T options on the command line). This
 # makes dot run faster, but since only newer versions of dot (>1.8.10) support
 # this, this feature is disabled by default.
@ -2355,7 +2273,7 @@ DOT_MULTI_TARGETS      = NO
 GENERATE_LEGEND        = YES
-# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot
+# If the DOT_CLEANUP tag is set to YES doxygen will remove the intermediate dot
 # files that are used to generate the various graphs.
 # The default value is: YES.
 # This tag requires that the tag HAVE_DOT is set to YES.
--- a/30
+++ b/30
@ -1,30 +0,0 @@
 libuecc is a very small generic-purpose Elliptic Curve Cryptography library
 compatible with Ed25519.
 Most documentation can be found as Doxygen comments in the ecc.h header
 file. You can use `make doxygen` after running CMake to create HTML
 documenation from it.
 There are two sets of functions converting between libuecc's internal point
 representation and coordinates or compressed representation. The functions
 ending with _ed25519 use the same representation as original Ed25519
 implementation and should be used by new software. The functions with the
 suffix _legacy are provided for compatiblity with libuecc version before
 v6.
 Ed25519 and the legacy representation are isomorphic, they use a Twisted
 Edwards Curve
    ax^2 + y^2 = 1 + dx^2y^2
 over the prime field for p = 2^255 - 19.
 Ed25519 uses the parameters
    a = -1 and
    d = -(121665/121666),
 while the legacy curve has
    a = 486664
    d = 486660.
--- a/UseDoxygen.cmake
+++ b/UseDoxygen.cmake
@ -32,7 +32,7 @@
 #  	 "${CMAKE_CURRENT_BINARY_DIR}/foo.c" "${CMAKE_CURRENT_BINARY_DIR}/bar/"
 #  
 #  DOXYFILE_OUTPUT_DIR - Path where the Doxygen output is stored.
-#  	Defaults to "${CMAKE_CURRENT_BINARY_DIR}/doxygen".
+#  	Defaults to "${CMAKE_CURRENT_BINARY_DIR}/doc".
 #  
 #  DOXYFILE_LATEX - ON/OFF; Set to "ON" if you want the LaTeX documentation
 #  	to be built.
@ -57,32 +57,20 @@ macro(usedoxygen_set_default name value type docstring)
 	endif()
 endmacro()
-if(ANDROID)
+find_package(Doxygen)
 	find_host_package(Doxygen)
 else(ANDROID)
 	find_package(Doxygen)
 endif(ANDROID)
 if(DOXYGEN_FOUND)
 	if(ANDROID)
 		# android-cmake doesn't provide a find_host_file and here's the workaround
 		set(_save_root_path ${CMAKE_FIND_ROOT_PATH})
 		set(CMAKE_FIND_ROOT_PATH)
 	endif(ANDROID)
 	find_file(DOXYFILE_IN "Doxyfile.in"
 			PATHS "${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_ROOT}/Modules/"
 			NO_DEFAULT_PATH
 			DOC "Path to the doxygen configuration template file")
 	if(ANDROID)
 		set(CMAKE_FIND_ROOT_PATH $_save_root_path)
 	endif(ANDROID)
 	set(DOXYFILE "${CMAKE_CURRENT_BINARY_DIR}/Doxyfile")
 	include(FindPackageHandleStandardArgs)
 	find_package_handle_standard_args(DOXYFILE_IN DEFAULT_MSG "DOXYFILE_IN")
 endif()
 if(DOXYGEN_FOUND AND DOXYFILE_IN_FOUND)
-	usedoxygen_set_default(DOXYFILE_OUTPUT_DIR "${CMAKE_CURRENT_BINARY_DIR}/doxygen"
+	usedoxygen_set_default(DOXYFILE_OUTPUT_DIR "${CMAKE_CURRENT_BINARY_DIR}/doc"
 		PATH "Doxygen output directory")
 	usedoxygen_set_default(DOXYFILE_HTML_DIR "html"
 		STRING "Doxygen HTML output directory")
@ -146,4 +134,11 @@ if(DOXYGEN_FOUND AND DOXYFILE_IN_FOUND)
 	configure_file("${DOXYFILE_IN}" "${DOXYFILE}" @ONLY)
 	get_target_property(DOC_TARGET doc TYPE)
 	if(NOT DOC_TARGET)
 		add_custom_target(doc)
 	endif()
 	add_dependencies(doc doxygen)
 endif()
--- a/include/libuecc/ecc.h
+++ b/include/libuecc/ecc.h
@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2012-2015, Matthias Schiffer <mschiffer@universe-factory.net>
+  Copyright (c) 2012, Matthias Schiffer <mschiffer@universe-factory.net>
  Partly based on public domain code by Matthew Dempsky and D. J. Bernstein.
  All rights reserved.
@ -27,14 +27,6 @@
 #ifndef _LIBUECC_ECC_H_
 #define _LIBUECC_ECC_H_
 #ifndef DEPRECATED
 #define DEPRECATED __attribute__((deprecated))
 #endif
 #include <stdint.h>
 /**
 * A 256 bit integer
 *
@ -42,7 +34,7 @@
 */
 typedef union _ecc_int256 {
 	/** Data bytes */
-	uint8_t p[32];
+	unsigned char p[32];
 } ecc_int256_t;
 /**
@ -52,10 +44,10 @@ typedef union _ecc_int256 {
 * it should always be packed.
 */
 typedef struct _ecc_25519_work {
-	uint32_t X[32];
+	unsigned int X[32];
-	uint32_t Y[32];
+	unsigned int Y[32];
-	uint32_t Z[32];
+	unsigned int Z[32];
-	uint32_t T[32];
+	unsigned int T[32];
 } ecc_25519_work_t;
 /**
@ -63,205 +55,16 @@ typedef struct _ecc_25519_work {
 * @{
 */
-/** The identity element */
+int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y);
-extern const ecc_25519_work_t ecc_25519_work_identity;
+void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in);
 int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in);
 void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in);
 /**
 * The Ed25519 default generator point
 *
 * \deprecated Use the equivalent \ref ecc_25519_work_default_base instead.
 *
 **/
 DEPRECATED extern const ecc_25519_work_t ecc_25519_work_base_ed25519;
 /**
 * The Ed25519 default generator point
 *
 * \deprecated Use the equivalent \ref ecc_25519_work_default_base instead.
 */
 DEPRECATED extern const ecc_25519_work_t ecc_25519_work_base_legacy;
 /**
 * The Ed25519 default generator point
 *
 * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
 */
 extern const ecc_25519_work_t ecc_25519_work_default_base;
 /** Loads a point of the Ed25519 curve with given coordinates into its unpacked representation */
 int ecc_25519_load_xy_ed25519(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y);
 /**
 * Loads a point of the legacy curve with given coordinates into its unpacked representation
 *
 * New software should use \ref ecc_25519_load_xy_ed25519, which uses the same curve as the Ed25519 algorithm.
 */
 int ecc_25519_load_xy_legacy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y);
 /**
 * Loads a point of the legacy curve with given coordinates into its unpacked representation
 *
 * \deprecated Use \ref ecc_25519_load_xy_legacy
 */
 DEPRECATED int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y);
 /**
 * Stores the x and y coordinates of a point of the Ed25519 curve
 *
 * \param x Returns the x coordinate of the point. May be NULL.
 * \param y Returns the y coordinate of the point. May be NULL.
 * \param in The unpacked point to store.
 */
 void ecc_25519_store_xy_ed25519(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in);
 /**
 * Stores the x and y coordinates of a point of the legacy curve
 *
 * New software should use \ref ecc_25519_store_xy_ed25519, which uses the same curve as the Ed25519 algorithm.
 *
 * \param x Returns the x coordinate of the point. May be NULL.
 * \param y Returns the y coordinate of the point. May be NULL.
 * \param in The unpacked point to store.
 */
 void ecc_25519_store_xy_legacy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in);
 /**
 * Stores a point's x and y coordinates
 *
 * \param x Returns the x coordinate of the point. May be NULL.
 * \param y Returns the y coordinate of the point. May be NULL.
 * \param in The unpacked point to store.
 *
 * \deprecated Use \ref ecc_25519_store_xy_legacy
 */
 DEPRECATED void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in);
 /**
 * Loads a packed point of the Ed25519 curve into its unpacked representation
 *
 * The packed format is different from the legacy one: the legacy format contains that X coordinate and the parity of the Y coordinate,
 * Ed25519 uses the Y coordinate and the parity of the X coordinate.
 */
 int ecc_25519_load_packed_ed25519(ecc_25519_work_t *out, const ecc_int256_t *in);
 /**
 * Loads a packed point of the legacy curve into its unpacked representation
 *
 * New software should use \ref ecc_25519_load_packed_ed25519, which uses the same curve and packed representation as the Ed25519 algorithm.
 *
 * The packed format is different from the Ed25519 one: the legacy format contains that X coordinate and the parity of the Y coordinate,
 * Ed25519 uses the Y coordinate and the parity of the X coordinate.
 */
 int ecc_25519_load_packed_legacy(ecc_25519_work_t *out, const ecc_int256_t *in);
 /**
 * Loads a packed point of the legacy curve into its unpacked representation
 *
 * \deprecated Use \ref ecc_25519_load_packed_legacy
 */
 DEPRECATED int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in);
 /**
 * Stores a point of the Ed25519 curve into its packed representation
 *
 * The packed format is different from the Ed25519 one: the legacy format contains that X coordinate and the parity of the Y coordinate,
 * Ed25519 uses the Y coordinate and the parity of the X coordinate.
 */
 void ecc_25519_store_packed_ed25519(ecc_int256_t *out, const ecc_25519_work_t *in);
 /**
 * Stores a point of the legacy curve into its packed representation
 *
 * New software should use \ref ecc_25519_store_packed_ed25519, which uses the same curve and packed representation as the Ed25519 algorithm.
 *
 * The packed format is different from the Ed25519 one: the legacy format contains that X coordinate and the parity of the Y coordinate,
 * Ed25519 uses the Y coordinate and the parity of the X coordinate.
 */
 void ecc_25519_store_packed_legacy(ecc_int256_t *out, const ecc_25519_work_t *in);
 /**
 * Stores a point of the legacy curve into its packed representation
 *
 * \deprecated Use \ref ecc_25519_store_packed_legacy
 */
 DEPRECATED void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in);
 /** Checks if a point is the identity element of the Elliptic Curve group */
 int ecc_25519_is_identity(const ecc_25519_work_t *in);
 /**
 * Negates a point of the Elliptic Curve
 *
 * The same pointer may be given for input and output
 */
 void ecc_25519_negate(ecc_25519_work_t *out, const ecc_25519_work_t *in);
 /**
 * Doubles a point of the Elliptic Curve
 *
 * ecc_25519_double(out, in) is equivalent to ecc_25519_add(out, in, in), but faster.
 *
 * The same pointer may be given for input and output.
 */
 void ecc_25519_double(ecc_25519_work_t *out, const ecc_25519_work_t *in);
 /**
 * Adds two points of the Elliptic Curve
 *
 * The same pointers may be given for input and output.
 */
 void ecc_25519_add(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2);
 /**
 * Subtracts two points of the Elliptic Curve
 *
 * The same pointers may be given for input and output.
 */
 void ecc_25519_sub(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2);
 /**
 * Does a scalar multiplication of a point of the Elliptic Curve with an integer of a given bit length
 *
 * To speed up scalar multiplication when it is known that not the whole 256 bits of the scalar
 * are used. The bit length should always be a constant and not computed at runtime to ensure
 * that no timing attacks are possible.
 *
 * The same pointer may be given for input and output.
 **/
 void ecc_25519_scalarmult_bits(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base, unsigned bits);
 /**
 * Does a scalar multiplication of a point of the Elliptic Curve with an integer
 *
 * The same pointer may be given for input and output.
 **/
 void ecc_25519_scalarmult(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base);
 /**
 * Does a scalar multiplication of the default base point (generator element) of the Elliptic Curve with an integer of a given bit length
 *
 * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
 *
 * ecc_25519_scalarmult_base_bits(out, n, bits) is faster than ecc_25519_scalarmult_bits(out, n, &ecc_25519_work_default_base, bits).
 *
 * See the notes about \ref ecc_25519_scalarmult_bits before using this function.
 */
 void ecc_25519_scalarmult_base_bits(ecc_25519_work_t *out, const ecc_int256_t *n, unsigned bits);
 /**
 * Does a scalar multiplication of the default base point (generator element) of the Elliptic Curve with an integer
 *
 * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
 *
 * ecc_25519_scalarmult_base(out, n) is faster than ecc_25519_scalarmult(out, n, &ecc_25519_work_default_base).
 */
 void ecc_25519_scalarmult_base(ecc_25519_work_t *out, const ecc_int256_t *n);
 /**@}*/
@ -271,61 +74,14 @@ void ecc_25519_scalarmult_base(ecc_25519_work_t *out, const ecc_int256_t *n);
 * @{
 */
 /**
 * The order of the prime field
 *
 * The order is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
 */
 extern const ecc_int256_t ecc_25519_gf_order;
 /** Checks if an integer is equal to zero (after reduction) */
 int ecc_25519_gf_is_zero(const ecc_int256_t *in);
 /**
 * Adds two integers as Galois field elements
 *
 * The same pointers may be given for input and output.
 */
 void ecc_25519_gf_add(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2);
 /**
 * Subtracts two integers as Galois field elements
 *
 * The same pointers may be given for input and output.
 */
 void ecc_25519_gf_sub(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2);
 /**
 * Reduces an integer to a unique representation in the range \f$ [0,q-1] \f$
 *
 * The same pointer may be given for input and output.
 */
 void ecc_25519_gf_reduce(ecc_int256_t *out, const ecc_int256_t *in);
 /**
 * Multiplies two integers as Galois field elements
 *
 * The same pointers may be given for input and output.
 */
 void ecc_25519_gf_mult(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2);
 /**
 * Computes the reciprocal of a Galois field element
 *
 * The same pointers may be given for input and output.
 */
 void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in);
 /**
 * Ensures some properties of a Galois field element to make it fit for use as a secret key
 *
 * This sets the 255th bit and clears the 256th and the bottom three bits (so the key
 * will be a multiple of 8). See Daniel J. Bernsteins paper "Curve25519: new Diffie-Hellman speed records."
 * for the rationale of this.
 *
 * The same pointer may be given for input and output.
 */
 void ecc_25519_gf_sanitize_secret(ecc_int256_t *out, const ecc_int256_t *in);
 /**@}*/
--- a/src/ec25519.c
+++ b/src/ec25519.c
@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2012-2015, Matthias Schiffer <mschiffer@universe-factory.net>
+  Copyright (c) 2012, Matthias Schiffer <mschiffer@universe-factory.net>
  Partly based on public domain code by Matthew Dempsky and D. J. Bernstein.
  All rights reserved.
@ -25,324 +25,134 @@
 */
 /** \file
- * EC group operations for Twisted Edwards Curve \f$ ax^2 + y^2 = 1 + dx^2y^2 \f$
+ * EC group operations for Twisted Edwards Curve \f$ ax^2 + y^2 = 1 + dx^2y^2 \f$ with
 * on prime field \f$ p = 2^{255} - 19 \f$.
 *
 * Two different (isomorphic) sets of curve parameters are supported:
 *
 *    \f$ a = 486664 \f$ and
 *    \f$ d = 486660 \f$
- * are the parameters used by the original libuecc implementation (till v5).
+ * on prime field \f$ p = 2^{255} - 19 \f$.
 * To use points on this curve, use the functions with the suffix \em legacy.
 *
- * The other supported curve uses the parameters
+ * The curve is equivalent to the Montgomery Curve used in D. J. Bernstein's
 *    \f$ a = -1 \f$ and
 *    \f$ d = -(121665/121666) \f$,
 * which is the curve used by the Ed25519 algorithm. The functions for this curve
 * have the suffix \em ed25519.
 *
 * Internally, libuecc always uses the latter representation for its \em work structure.
 *
 * The curves are equivalent to the Montgomery Curve used in D. J. Bernstein's
 * Curve25519 Diffie-Hellman algorithm.
 *
 * See http://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html for add and
 * double operations.
 *
 * Doxygen comments for public APIs can be found in the public header file.
 *
 * Invariant that must be held by all public API: the components of an
 * \ref ecc_25519_work_t are always in the range \f$ [0, 2p) \f$.
 * Integers in this range will be called \em squeezed in the following.
 */
 #include <libuecc/ecc.h>
-const ecc_25519_work_t ecc_25519_work_identity = {{0}, {1}, {1}, {0}};
+static const unsigned int zero[32] = {0};
-
+static const unsigned int one[32] = {1};
 const ecc_25519_work_t ecc_25519_work_base_legacy = {
 	{0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9,
 	 0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69,
 	 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
 	 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21},
 	{0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
 	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
 	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
 	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66},
 	{1},
 	{0xa3, 0xdd, 0xb7, 0xa5, 0xb3, 0x8a, 0xde, 0x6d,
 	 0xf5, 0x52, 0x51, 0x77, 0x80, 0x9f, 0xf0, 0x20,
 	 0x7d, 0xe3, 0xab, 0x64, 0x8e, 0x4e, 0xea, 0x66,
 	 0x65, 0x76, 0x8b, 0xd7, 0x0f, 0x5f, 0x87, 0x67},
 };
 const ecc_25519_work_t ecc_25519_work_default_base = {
 	{0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9,
 	 0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69,
 	 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
 	 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21},
 	{0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
 	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
 	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
 	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66},
 	{1},
 	{0xa3, 0xdd, 0xb7, 0xa5, 0xb3, 0x8a, 0xde, 0x6d,
 	 0xf5, 0x52, 0x51, 0x77, 0x80, 0x9f, 0xf0, 0x20,
 	 0x7d, 0xe3, 0xab, 0x64, 0x8e, 0x4e, 0xea, 0x66,
 	 0x65, 0x76, 0x8b, 0xd7, 0x0f, 0x5f, 0x87, 0x67},
 };
 const ecc_25519_work_t ecc_25519_work_base_ed25519 = {
 	{0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9,
 	 0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69,
 	 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
 	 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21},
 	{0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
 	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
 	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
 	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66},
 	{1},
 	{0xa3, 0xdd, 0xb7, 0xa5, 0xb3, 0x8a, 0xde, 0x6d,
 	 0xf5, 0x52, 0x51, 0x77, 0x80, 0x9f, 0xf0, 0x20,
 	 0x7d, 0xe3, 0xab, 0x64, 0x8e, 0x4e, 0xea, 0x66,
 	 0x65, 0x76, 0x8b, 0xd7, 0x0f, 0x5f, 0x87, 0x67},
 };
 static const uint32_t zero[32] = {0};
 static const uint32_t one[32] = {1};
 static const uint32_t minus1[32] = {
 	0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f,
 };
 /** Ed25519 parameter -(121665/121666) */
 static const uint32_t d[32] = {
 	0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
 	0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
 	0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
 	0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52,
 };
 /** Factor to multiply the X coordinate with to convert from the legacy to the Ed25519 curve */
 static const uint32_t legacy_to_ed25519[32] = {
 	0xe7, 0x81, 0xba, 0x00, 0x55, 0xfb, 0x91, 0x33,
 	0x7d, 0xe5, 0x82, 0xb4, 0x2e, 0x2c, 0x5e, 0x3a,
 	0x81, 0xb0, 0x03, 0xfc, 0x23, 0xf7, 0x84, 0x2d,
 	0x44, 0xf9, 0x5f, 0x9f, 0x0b, 0x12, 0xd9, 0x70,
 };
 /** Factor to multiply the X coordinate with to convert from the Ed25519 to the legacy curve */
 static const uint32_t ed25519_to_legacy[32] = {
 	0xe9, 0x68, 0x42, 0xdb, 0xaf, 0x04, 0xb4, 0x40,
 	0xa1, 0xd5, 0x43, 0xf2, 0xf9, 0x38, 0x31, 0x28,
 	0x01, 0x17, 0x05, 0x67, 0x9b, 0x81, 0x61, 0xf8,
 	0xa9, 0x5b, 0x3e, 0x6a, 0x20, 0x67, 0x4b, 0x24,
 };
 /** Adds two unpacked integers (modulo p) */
-static void add(uint32_t out[32], const uint32_t a[32], const uint32_t b[32]) {
+static void add(unsigned int out[32], const unsigned int a[32], const unsigned int b[32]) {
 	unsigned int j;
-	uint32_t u;
+	unsigned int u;
 	u = 0;
-
+	for (j = 0;j < 31;++j) { u += a[j] + b[j]; out[j] = u & 255; u >>= 8; }
-	for (j = 0; j < 31; j++) {
+	u += a[31] + b[31]; out[31] = u;
 		u += a[j] + b[j];
 		out[j] = u & 255;
 		u >>= 8;
 	}
 	u += a[31] + b[31];
 	out[31] = u;
 }
-/**
+/** Subtracts two unpacked integers (modulo p) */
- * Subtracts two unpacked integers (modulo p)
+static void sub(unsigned int out[32], const unsigned int a[32], const unsigned int b[32]) {
 *
 * b must be \em squeezed.
 */
 static void sub(uint32_t out[32], const uint32_t a[32], const uint32_t b[32]) {
 	unsigned int j;
-	uint32_t u;
+	unsigned int u;
 	u = 218;
 	for (j = 0;j < 31;++j) {
-		u += a[j] + UINT32_C(65280) - b[j];
+		u += a[j] + 65280 - b[j];
 		out[j] = u & 255;
 		u >>= 8;
 	}
 	u += a[31] - b[31];
 	out[31] = u;
 }
-/**
+/** Performs carry and reduce on an unpacked integer */
- * Performs carry and reduce on an unpacked integer
+static void squeeze(unsigned int a[32]) {
 *
 * The result is not always fully reduced, but it will be significantly smaller than \f$ 2p \f$.
 */
 static void squeeze(uint32_t a[32]) {
 	unsigned int j;
-	uint32_t u;
+	unsigned int u;
 	u = 0;
-
+	for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; }
-	for (j = 0;j < 31;++j) {
+	u += a[31]; a[31] = u & 127;
 		u += a[j];
 		a[j] = u & 255;
 		u >>= 8;
 	}
 	u += a[31];
 	a[31] = u & 127;
 	u = 19 * (u >> 7);
-
+	for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; }
-	for (j = 0;j < 31;++j) {
+	u += a[31]; a[31] = u;
 		u += a[j];
 		a[j] = u & 255;
 		u >>= 8;
 	}
 	u += a[31];
 	a[31] = u;
 }
 static const uint32_t minusp[32] = {
 	19, 0, 0, 0, 0, 0, 0, 0,
 	0, 0, 0, 0, 0, 0, 0, 0,
 	0, 0, 0, 0, 0, 0, 0, 0,
 	0, 0, 0, 0, 0, 0, 0, 128
 };
 /**
 * Ensures that the output of a previous \ref squeeze is fully reduced
 *
- * After a \ref freeze, only the lower byte of each integer part holds a meaningful value.
+ * After a \ref freeze, only the lower byte of each integer part holds a meaningful value
 */
-static void freeze(uint32_t a[32]) {
+static void freeze(unsigned int a[32]) {
-	uint32_t aorig[32];
+	static const unsigned int minusp[32] = {
-	unsigned int j;
+		19, 0, 0, 0, 0, 0, 0, 0,
-	uint32_t negative;
+		0, 0, 0, 0, 0, 0, 0, 0,
 		0, 0, 0, 0, 0, 0, 0, 0,
 		0, 0, 0, 0, 0, 0, 0, 128
 	};
-	for (j = 0; j < 32; j++)
+	unsigned int aorig[32];
-		aorig[j] = a[j];
+	unsigned int j;
 	unsigned int negative;
 	for (j = 0; j < 32; j++) aorig[j] = a[j];
 	add(a, a, minusp);
 	negative = -((a[31] >> 7) & 1);
-
+	for (j = 0; j < 32; j++) a[j] ^= negative & (aorig[j] ^ a[j]);
 	for (j = 0; j < 32; j++)
 		a[j] ^= negative & (aorig[j] ^ a[j]);
 }
-/**
+/** Multiplies two unpacked integers (modulo p) */
- * Returns the parity (lowest bit of the fully reduced value) of a
+static void mult(unsigned int out[32], const unsigned int a[32], const unsigned int b[32]) {
- *
+	unsigned int i;
- * The input must be \em squeezed.
+	unsigned int j;
- */
+	unsigned int u;
 static int parity(const uint32_t a[32]) {
 	uint32_t b[32];
 	add(b, a, minusp);
 	return (a[0] ^ (b[31] >> 7) ^ 1) & 1;
 }
 /**
 * Multiplies two unpacked integers (modulo p)
 *
 * The result will be \em squeezed.
 */
 static void mult(uint32_t out[32], const uint32_t a[32], const uint32_t b[32]) {
 	unsigned int i, j;
 	uint32_t u;
 	for (i = 0; i < 32; ++i) {
 		u = 0;
-
+		for (j = 0;j <= i;++j) u += a[j] * b[i - j];
-		for (j = 0; j <= i; j++)
+		for (j = i + 1;j < 32;++j) u += 38 * a[j] * b[i + 32 - j];
 			u += a[j] * b[i - j];
 		for (j = i + 1; j < 32; j++)
 			u += 38 * a[j] * b[i + 32 - j];
 		out[i] = u;
 	}
 	squeeze(out);
 }
-/**
+/** Multiplies an unpacked integer with a small integer (modulo p) */
- * Multiplies an unpacked integer with a small integer (modulo p)
+static void mult_int(unsigned int out[32], unsigned int n, const unsigned int a[32]) {
 *
 * The result will be \em squeezed.
 */
 static void mult_int(uint32_t out[32], uint32_t n, const uint32_t a[32]) {
 	unsigned int j;
-	uint32_t u;
+	unsigned int u;
 	u = 0;
-
+	for (j = 0;j < 31;++j) { u += n * a[j]; out[j] = u & 255; u >>= 8; }
 	for (j = 0; j < 31; j++) {
 		u += n * a[j];
 		out[j] = u & 255;
 		u >>= 8;
 	}
 	u += n * a[31]; out[31] = u & 127;
 	u = 19 * (u >> 7);
-
+	for (j = 0;j < 31;++j) { u += out[j]; out[j] = u & 255; u >>= 8; }
-	for (j = 0; j < 31; j++) {
+	u += out[j]; out[j] = u;
 		u += out[j];
 		out[j] = u & 255;
 		u >>= 8;
 	}
 	u += out[j];
 	out[j] = u;
 }
-/**
+/** Squares an unpacked integer */
- * Squares an unpacked integer
+static void square(unsigned int out[32], const unsigned int a[32]) {
- *
+	unsigned int i;
- * The result will be sqeezed.
+	unsigned int j;
- */
+	unsigned int u;
 static void square(uint32_t out[32], const uint32_t a[32]) {
 	unsigned int i, j;
 	uint32_t u;
-	for (i = 0; i < 32; i++) {
+	for (i = 0; i < 32; ++i) {
 		u = 0;
-
+		for (j = 0;j < i - j;++j) u += a[j] * a[i - j];
-		for (j = 0; j < i - j; j++)
+		for (j = i + 1;j < i + 32 - j;++j) u += 38 * a[j] * a[i + 32 - j];
 			u += a[j] * a[i - j];
 		for (j = i + 1; j < i + 32 - j; j++)
 			u += 38 * a[j] * a[i + 32 - j];
 		u *= 2;
 		if ((i & 1) == 0) {
 			u += a[i / 2] * a[i / 2];
 			u += 38 * a[i / 2 + 16] * a[i / 2 + 16];
 		}
 		out[i] = u;
 	}
 	squeeze(out);
 }
 /** Checks for the equality of two unpacked integers */
-static int check_equal(const uint32_t x[32], const uint32_t y[32]) {
+static int check_equal(const unsigned int x[32], const unsigned int y[32]) {
-	uint32_t differentbits = 0;
+	unsigned int differentbits = 0;
 	int i;
 	for (i = 0; i < 32; i++) {
@ -354,12 +164,12 @@ static int check_equal(const uint32_t x[32], const uint32_t y[32]) {
 }
 /**
- * Checks if an unpacked integer equals zero (modulo p)
+ * Checks if an unpacked integer equals zero
 *
- * The integer must be squeezed before.
+ * The intergers must be must be \ref squeeze "squeezed" before.
 */
-static int check_zero(const uint32_t x[32]) {
+static int check_zero(const unsigned int x[32]) {
-	static const uint32_t p[32] = {
+	static const unsigned int p[32] = {
 		0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
@ -370,10 +180,10 @@ static int check_zero(const uint32_t x[32]) {
 }
 /** Copies r to out when b == 0, s when b == 1 */
-static void selectw(ecc_25519_work_t *out, const ecc_25519_work_t *r, const ecc_25519_work_t *s, uint32_t b) {
+static void selectw(ecc_25519_work_t *out, const ecc_25519_work_t *r, const ecc_25519_work_t *s, unsigned int b) {
 	unsigned int j;
-	uint32_t t;
+	unsigned int t;
-	uint32_t bminus1;
+	unsigned int bminus1;
 	bminus1 = b - 1;
 	for (j = 0; j < 32; ++j) {
@ -392,10 +202,10 @@ static void selectw(ecc_25519_work_t *out, const ecc_25519_work_t *r, const ecc_
 }
 /** Copies r to out when b == 0, s when b == 1 */
-static void select(uint32_t out[32], const uint32_t r[32], const uint32_t s[32], uint32_t b) {
+static void select(unsigned int out[32], const unsigned int r[32], const unsigned int s[32], unsigned int b) {
 	unsigned int j;
-	uint32_t t;
+	unsigned int t;
-	uint32_t bminus1;
+	unsigned int bminus1;
 	bminus1 = b - 1;
 	for (j = 0;j < 32;++j) {
@ -409,8 +219,15 @@ static void select(uint32_t out[32], const uint32_t r[32], const uint32_t s[32],
 *
 * If the given integer has no square root, 0 is returned, 1 otherwise.
 */
-static int square_root(uint32_t out[32], const uint32_t z[32]) {
+static int square_root(unsigned int out[32], const unsigned int z[32]) {
-	static const uint32_t rho_s[32] = {
+	static const unsigned int minus1[32] = {
 		0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
 	};
 	static const unsigned int rho_s[32] = {
 		0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4,
 		0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f,
 		0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b,
@ -419,18 +236,18 @@ static int square_root(uint32_t out[32], const uint32_t z[32]) {
 	/* raise z to power (2^252-2), check if power (2^253-5) equals -1 */
-	uint32_t z2[32];
+	unsigned int z2[32];
-	uint32_t z9[32];
+	unsigned int z9[32];
-	uint32_t z11[32];
+	unsigned int z11[32];
-	uint32_t z2_5_0[32];
+	unsigned int z2_5_0[32];
-	uint32_t z2_10_0[32];
+	unsigned int z2_10_0[32];
-	uint32_t z2_20_0[32];
+	unsigned int z2_20_0[32];
-	uint32_t z2_50_0[32];
+	unsigned int z2_50_0[32];
-	uint32_t z2_100_0[32];
+	unsigned int z2_100_0[32];
-	uint32_t t0[32];
+	unsigned int t0[32];
-	uint32_t t1[32];
+	unsigned int t1[32];
-	uint32_t z2_252_1[32];
+	unsigned int z2_252_1[32];
-	uint32_t z2_252_1_rho_s[32];
+	unsigned int z2_252_1_rho_s[32];
 	int i;
 	/* 2 */ square(z2, z);
@ -496,17 +313,17 @@ static int square_root(uint32_t out[32], const uint32_t z[32]) {
 }
 /** Computes the reciprocal of an unpacked integer (in the prime field modulo p) */
-static void recip(uint32_t out[32], const uint32_t z[32]) {
+static void recip(unsigned int out[32], const unsigned int z[32]) {
-	uint32_t z2[32];
+	unsigned int z2[32];
-	uint32_t z9[32];
+	unsigned int z9[32];
-	uint32_t z11[32];
+	unsigned int z11[32];
-	uint32_t z2_5_0[32];
+	unsigned int z2_5_0[32];
-	uint32_t z2_10_0[32];
+	unsigned int z2_10_0[32];
-	uint32_t z2_20_0[32];
+	unsigned int z2_20_0[32];
-	uint32_t z2_50_0[32];
+	unsigned int z2_50_0[32];
-	uint32_t z2_100_0[32];
+	unsigned int z2_100_0[32];
-	uint32_t t0[32];
+	unsigned int t0[32];
-	uint32_t t1[32];
+	unsigned int t1[32];
 	int i;
 	/* 2 */ square(z2, z);
@ -562,37 +379,10 @@ static void recip(uint32_t out[32], const uint32_t z[32]) {
 	/* 2^255 - 21 */ mult(out, t1, z11);
 }
-/**
+/** Loads a point with given coordinates into its unpacked representation */
- * Checks if the X and Y coordinates of a work structure represent a valid point of the curve
+int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) {
 *
 * Also fills in the T coordinate.
 */
 static int check_load_xy(ecc_25519_work_t *val) {
 	uint32_t X2[32], Y2[32], dX2[32], dX2Y2[32], Y2_X2[32], Y2_X2_1[32], r[32];
 	/* Check validity */
 	square(X2, val->X);
 	square(Y2, val->Y);
 	mult(dX2, d, X2);
 	mult(dX2Y2, dX2, Y2);
 	sub(Y2_X2, Y2, X2);
 	sub(Y2_X2_1, Y2_X2, one);
 	sub(r, Y2_X2_1, dX2Y2);
 	squeeze(r);
 	if (!check_zero(r))
 	    return 0;
 	mult(val->T, val->X, val->Y);
 	return 1;
 }
 int ecc_25519_load_xy_ed25519(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) {
 	int i;
 	unsigned int X2[32], Y2[32], aX2[32], dX2[32], dX2Y2[32], aX2_Y2[32], _1_dX2Y2[32], r[32];
 	for (i = 0; i < 32; i++) {
 		out->X[i] = x->p[i];
@ -600,31 +390,34 @@ int ecc_25519_load_xy_ed25519(ecc_25519_work_t *out, const ecc_int256_t *x, cons
 		out->Z[i] = (i == 0);
 	}
-	return check_load_xy(out);
+	/* Check validity */
 	square(X2, out->X);
 	square(Y2, out->Y);
 	mult_int(aX2, 486664, X2);
 	mult_int(dX2, 486660, X2);
 	mult(dX2Y2, dX2, Y2);
 	add(aX2_Y2, aX2, Y2);
 	add(_1_dX2Y2, one, dX2Y2);
 	sub(r, aX2_Y2, _1_dX2Y2);
 	squeeze(r);
 	if (!check_zero(r))
 	    return 0;
 	mult(out->T, out->X, out->Y);
 	return 1;
 }
-int ecc_25519_load_xy_legacy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) {
+/**
-	int i;
+ * Stores a point's x and y coordinates
-	uint32_t tmp[32];
+ *
-
+ * \param x Returns the x coordinate of the point. May be NULL.
-	for (i = 0; i < 32; i++) {
+ * \param y Returns the y coordinate of the point. May be NULL.
-		tmp[i] = x->p[i];
+ * \param in The unpacked point to store.
-		out->Y[i] = y->p[i];
+ */
-		out->Z[i] = (i == 0);
+void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) {
-	}
+	unsigned int X[32], Y[32], Z[32];
 	mult(out->X, tmp, legacy_to_ed25519);
 	return check_load_xy(out);
 }
 int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) {
 	return ecc_25519_load_xy_legacy(out, x, y);
 }
 void ecc_25519_store_xy_ed25519(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) {
 	uint32_t X[32], Y[32], Z[32];
 	int i;
 	recip(Z, in->Z);
@ -644,80 +437,22 @@ void ecc_25519_store_xy_ed25519(ecc_int256_t *x, ecc_int256_t *y, const ecc_2551
 	}
 }
-void ecc_25519_store_xy_legacy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) {
+/** Loads a packed point into its unpacked representation */
-	uint32_t X[32], tmp[32], Y[32], Z[32];
+int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in) {
 	int i;
-
+	unsigned int X2[32] /* X^2 */, aX2[32] /* aX^2 */, dX2[32] /* dX^2 */, _1_aX2[32] /* 1-aX^2 */, _1_dX2[32] /* 1-aX^2 */;
-	recip(Z, in->Z);
+	unsigned int _1_1_dX2[32]  /* 1/(1-aX^2) */, Y2[32] /* Y^2 */, Y[32], Yt[32];
 	if (x) {
 		mult(tmp, Z, in->X);
 		mult(X, tmp, ed25519_to_legacy);
 		freeze(X);
 		for (i = 0; i < 32; i++)
 			x->p[i] = X[i];
 	}
 	if (y) {
 		mult(Y, Z, in->Y);
 		freeze(Y);
 		for (i = 0; i < 32; i++)
 			y->p[i] = Y[i];
 	}
 }
 void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) {
 	ecc_25519_store_xy_legacy(x, y, in);
 }
 int ecc_25519_load_packed_ed25519(ecc_25519_work_t *out, const ecc_int256_t *in) {
 	int i;
 	uint32_t Y2[32] /* Y^2 */, dY2[32] /* dY^2 */, Y2_1[32] /* Y^2-1 */, dY2_1[32] /* dY^2+1 */, _1_dY2_1[32] /* 1/(dY^2+1) */;
 	uint32_t X2[32] /* X^2 */, X[32], Xt[32];
 	for (i = 0; i < 32; i++) {
-		out->Y[i] = in->p[i];
+		out->X[i] = in->p[i];
 		out->Z[i] = (i == 0);
 	}
-	out->Y[31] &= 0x7f;
+	out->X[31] &= 0x7f;
-	square(Y2, out->Y);
+	square(X2, out->X);
-	mult(dY2, d, Y2);
+	mult_int(aX2, 486664, X2);
-	sub(Y2_1, Y2, one);
+	mult_int(dX2, 486660, X2);
 	add(dY2_1, dY2, one);
 	recip(_1_dY2_1, dY2_1);
 	mult(X2, Y2_1, _1_dY2_1);
 	if (!square_root(X, X2))
 		return 0;
 	/* No squeeze is necessary after subtractions from zero if the subtrahend is squeezed */
 	sub(Xt, zero, X);
 	select(out->X, X, Xt, (in->p[31] >> 7) ^ parity(X));
 	mult(out->T, out->X, out->Y);
 	return 1;
 }
 int ecc_25519_load_packed_legacy(ecc_25519_work_t *out, const ecc_int256_t *in) {
 	int i;
 	uint32_t X2[32] /* X^2 */, aX2[32] /* aX^2 */, dX2[32] /* dX^2 */, _1_aX2[32] /* 1-aX^2 */, _1_dX2[32] /* 1-aX^2 */;
 	uint32_t _1_1_dX2[32]  /* 1/(1-aX^2) */, Y2[32] /* Y^2 */, Y[32], Yt[32], X_legacy[32];
 	for (i = 0; i < 32; i++) {
 		X_legacy[i] = in->p[i];
 		out->Z[i] = (i == 0);
 	}
 	X_legacy[31] &= 0x7f;
 	square(X2, X_legacy);
 	mult_int(aX2, UINT32_C(486664), X2);
 	mult_int(dX2, UINT32_C(486660), X2);
 	sub(_1_aX2, one, aX2);
 	sub(_1_dX2, one, dX2);
 	recip(_1_1_dX2, _1_dX2);
@ -726,43 +461,29 @@ int ecc_25519_load_packed_legacy(ecc_25519_work_t *out, const ecc_int256_t *in)
 	if (!square_root(Y, Y2))
 		return 0;
 	/* No squeeze is necessary after subtractions from zero if the subtrahend is squeezed */
 	sub(Yt, zero, Y);
-	select(out->Y, Y, Yt, (in->p[31] >> 7) ^ parity(Y));
+	select(out->Y, Y, Yt, (in->p[31] >> 7) ^ (Y[0] & 1));
 	mult(out->X, X_legacy, legacy_to_ed25519);
 	mult(out->T, out->X, out->Y);
 	return 1;
 }
-int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in) {
+/** Stores a point into its packed representation */
-	return ecc_25519_load_packed_legacy(out, in);
+void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in) {
 }
 void ecc_25519_store_packed_ed25519(ecc_int256_t *out, const ecc_25519_work_t *in) {
 	ecc_int256_t x;
 	ecc_25519_store_xy_ed25519(&x, out, in);
 	out->p[31] |= (x.p[0] << 7);
 }
 void ecc_25519_store_packed_legacy(ecc_int256_t *out, const ecc_25519_work_t *in) {
 	ecc_int256_t y;
-	ecc_25519_store_xy_legacy(out, &y, in);
+	ecc_25519_store_xy(out, &y, in);
 	out->p[31] |= (y.p[0] << 7);
 }
-void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in) {
+/** The identity element */
-	ecc_25519_store_packed_legacy(out, in);
+static const ecc_25519_work_t id = {{0}, {1}, {1}, {0}};
 }
 /** Checks if a point is the identity element of the Elliptic Curve group */
 int ecc_25519_is_identity(const ecc_25519_work_t *in) {
-	uint32_t Y_Z[32];
+	unsigned int Y_Z[32];
 	sub(Y_Z, in->Y, in->Z);
 	squeeze(Y_Z);
@ -770,126 +491,73 @@ int ecc_25519_is_identity(const ecc_25519_work_t *in) {
 	return (check_zero(in->X)&check_zero(Y_Z));
 }
-void ecc_25519_negate(ecc_25519_work_t *out, const ecc_25519_work_t *in) {
+/**
-	int i;
+ * Doubles a point of the Elliptic Curve
-
+ *
-	for (i = 0; i < 32; i++) {
+ * ecc_25519_double(out, in) is equivalent to ecc_25519_add(out, in, in), but faster.
-		out->Y[i] = in->Y[i];
+ *
-		out->Z[i] = in->Z[i];
+ * The same pointers may be used for input and output.
-	}
+ */
 	/* No squeeze is necessary after subtractions from zero if the subtrahend is squeezed */
 	sub(out->X, zero, in->X);
 	sub(out->T, zero, in->T);
 }
 void ecc_25519_double(ecc_25519_work_t *out, const ecc_25519_work_t *in) {
-	uint32_t A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32];
+	unsigned int A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32], t2[32], t3[32];
 	square(A, in->X);
 	square(B, in->Y);
 	square(t0, in->Z);
 	mult_int(C, 2, t0);
-
+	mult_int(D, 486664, A);
-	sub(D, zero, A);
+	add(t1, in->X, in->Y);
-
+	square(t2, t1);
-	add(t0, in->X, in->Y);
+	sub(t3, t2, A); squeeze(t3);
-	square(t1, t0);
+	sub(E, t3, B);
-	sub(t0, t1, A);
+	add(G, D, B); squeeze(G);
 	sub(E, t0, B);
 	add(G, D, B);
 	sub(F, G, C);
 	sub(H, D, B);
 	mult(out->X, E, F);
 	mult(out->Y, G, H);
 	mult(out->T, E, H);
 	mult(out->Z, F, G);
 }
 /**
 * Adds two points of the Elliptic Curve
 *
 * The same pointers may be used for input and output.
 */
 void ecc_25519_add(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2) {
-	const uint32_t j = UINT32_C(60833);
+	unsigned int A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32], t2[32], t3[32], t4[32], t5[32];
 	const uint32_t k = UINT32_C(121665);
 	uint32_t A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32];
-	sub(t0, in1->Y, in1->X);
+	mult(A, in1->X, in2->X);
-	mult_int(t1, j, t0);
+	mult(B, in1->Y, in2->Y);
-	sub(t0, in2->Y, in2->X);
+	mult_int(t0, 486660, in2->T);
 	mult(A, t0, t1);
 	add(t0, in1->Y, in1->X);
 	mult_int(t1, j, t0);
 	add(t0, in2->Y, in2->X);
 	mult(B, t0, t1);
 	mult_int(t0, k, in2->T);
 	mult(C, in1->T, t0);
-
+	mult(D, in1->Z, in2->Z);
-	mult_int(t0, 2*j, in2->Z);
+	add(t1, in1->X, in1->Y);
-	mult(D, in1->Z, t0);
+	add(t2, in2->X, in2->Y);
-
+	mult(t3, t1, t2);
-	sub(E, B, A);
+	sub(t4, t3, A); squeeze(t4);
-	add(F, D, C);
+	sub(E, t4, B);
-	sub(G, D, C);
+	sub(F, D, C);
-	add(H, B, A);
+	add(G, D, C);
-
+	mult_int(t5, 486664, A);
 	sub(H, B, t5);
 	mult(out->X, E, F);
 	mult(out->Y, G, H);
 	mult(out->T, E, H);
 	mult(out->Z, F, G);
 }
-/** Adds two points of the Elliptic Curve, assuming that in2->Z == 1 */
+/**
-static void ecc_25519_add1(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2) {
+ * Does a scalar multiplication of a point of the Elliptic Curve with an integer
-	const uint32_t j = UINT32_C(60833);
+ *
-	const uint32_t k = UINT32_C(121665);
+ * The same pointers may be used for input and output.
-	uint32_t A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32];
+ **/
-
+void ecc_25519_scalarmult(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base) {
 	sub(t0, in1->Y, in1->X);
 	mult_int(t1, j, t0);
 	sub(t0, in2->Y, in2->X);
 	mult(A, t0, t1);
 	add(t0, in1->Y, in1->X);
 	mult_int(t1, j, t0);
 	add(t0, in2->Y, in2->X);
 	mult(B, t0, t1);
 	mult_int(t0, k, in2->T);
 	mult(C, in1->T, t0);
 	mult_int(D, 2*j, in1->Z);
 	sub(E, B, A);
 	add(F, D, C);
 	sub(G, D, C);
 	add(H, B, A);
 	mult(out->X, E, F);
 	mult(out->Y, G, H);
 	mult(out->T, E, H);
 	mult(out->Z, F, G);
 }
 void ecc_25519_sub(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2) {
 	ecc_25519_work_t in2_neg;
 	ecc_25519_negate(&in2_neg, in2);
 	ecc_25519_add(out, in1, &in2_neg);
 }
 void ecc_25519_scalarmult_bits(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base, unsigned bits) {
 	ecc_25519_work_t Q2, Q2p;
-	ecc_25519_work_t cur = ecc_25519_work_identity;
+	ecc_25519_work_t cur = id;
 	int b, pos;
-	if (bits > 256)
+	for (pos = 255; pos >= 0; --pos) {
 		bits = 256;
 	for (pos = bits - 1; pos >= 0; --pos) {
 		b = n->p[pos / 8] >> (pos & 7);
 		b &= 1;
@ -901,30 +569,28 @@ void ecc_25519_scalarmult_bits(ecc_25519_work_t *out, const ecc_int256_t *n, con
 	*out = cur;
 }
-void ecc_25519_scalarmult(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base) {
+/** The ec25519 default base */
-	ecc_25519_scalarmult_bits(out, n, base, 256);
+static const ecc_25519_work_t default_base = {
-}
+	{0xd4, 0x6b, 0xfe, 0x7f, 0x39, 0xfa, 0x8c, 0x22,
-
+	 0xe1, 0x96, 0x23, 0xeb, 0x26, 0xb7, 0x8e, 0x6a,
-void ecc_25519_scalarmult_base_bits(ecc_25519_work_t *out, const ecc_int256_t *n, unsigned bits) {
+	 0x34, 0x74, 0x8b, 0x66, 0xd6, 0xa3, 0x26, 0xdd,
-	ecc_25519_work_t Q2, Q2p;
+	 0x19, 0x5e, 0x9f, 0x21, 0x50, 0x43, 0x7c, 0x54},
-	ecc_25519_work_t cur = ecc_25519_work_identity;
+	{0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
-	int b, pos;
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
-
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
-	if (bits > 256)
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66},
-		bits = 256;
+	{1},
-
+	{0x47, 0x56, 0x98, 0x99, 0xc7, 0x61, 0x0a, 0x82,
-	for (pos = bits - 1; pos >= 0; --pos) {
+	 0x1a, 0xdf, 0x82, 0x22, 0x1f, 0x2c, 0x72, 0x88,
-		b = n->p[pos / 8] >> (pos & 7);
+	 0xc3, 0x29, 0x09, 0x52, 0x78, 0xe9, 0x1e, 0xe4,
-		b &= 1;
+	 0x47, 0x4b, 0x4c, 0x81, 0xa6, 0x02, 0xfd, 0x29}
-
+};
 		ecc_25519_double(&Q2, &cur);
 		ecc_25519_add1(&Q2p, &Q2, &ecc_25519_work_default_base);
 		selectw(&cur, &Q2, &Q2p, b);
 	}
 	*out = cur;
 }
 /**
 * Does a scalar multiplication of the default base point (generator element) of the Elliptic Curve with an integer
 *
 * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
 */
 void ecc_25519_scalarmult_base(ecc_25519_work_t *out, const ecc_int256_t *n) {
-	ecc_25519_scalarmult_base_bits(out, n, 256);
+	ecc_25519_scalarmult(out, n, &default_base);
 }
--- a/src/ec25519_gf.c
+++ b/src/ec25519_gf.c
@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2012-2015, Matthias Schiffer <mschiffer@universe-factory.net>
+  Copyright (c) 2012, Matthias Schiffer <mschiffer@universe-factory.net>
  Partly based on public domain code by Matthew Dempsky and D. J. Bernstein.
  All rights reserved.
@ -25,23 +25,26 @@
 */
 /** \file
- * Simple finite field operations on the prime field \f$ F_q \f$ for
+  Simple finite field operations on the prime field \f$ F_q \f$ for
- * \f$ q = 2^{252} + 27742317777372353535851937790883648493 \f$, which
+  \f$ q = 2^{252} + 27742317777372353535851937790883648493 \f$, which
- * is the order of the base point used for ec25519
+  is the order of the base point used for ec25519
- *
+*/
 * Doxygen comments for public APIs can be found in the public header file.
 */
 #include <libuecc/ecc.h>
-/** Checks if the highest bit of an uint32_teger is set */
+/** Checks if the highest bit of an unsigned integer is set */
 #define IS_NEGATIVE(n) ((int)((((unsigned)n) >> (8*sizeof(n)-1))&1))
 /** Performs an arithmetic right shift */
 #define ASR(n,s) (((n) >> s)|(IS_NEGATIVE(n)*((unsigned)-1) << (8*sizeof(n)-s)))
 /**
 * The order of the prime field
 *
 * The order is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
 */
 const ecc_int256_t ecc_25519_gf_order = {{
 	0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
 	0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
@ -50,15 +53,15 @@ const ecc_int256_t ecc_25519_gf_order = {{
 }};
 /** An internal alias for \ref ecc_25519_gf_order */
-static const uint8_t *q = ecc_25519_gf_order.p;
+static const unsigned char *q = ecc_25519_gf_order.p;
 /**
 * Copies the content of r into out if b == 0, the contents of s if b == 1
 */
-static void select(uint8_t out[32], const uint8_t r[32], const uint8_t s[32], uint32_t b) {
+static void select(unsigned char out[32], const unsigned char r[32], const unsigned char s[32], unsigned int b) {
 	unsigned int j;
-	uint8_t t;
+	unsigned int t;
-	uint8_t bminus1;
+	unsigned int bminus1;
 	bminus1 = b - 1;
 	for (j = 0;j < 32;++j) {
@ -67,10 +70,11 @@ static void select(uint8_t out[32], const uint8_t r[32], const uint8_t s[32], ui
 	}
 }
 /** Checks if an integer is equal to zero (after reduction) */
 int ecc_25519_gf_is_zero(const ecc_int256_t *in) {
 	int i;
 	ecc_int256_t r;
-	uint32_t bits = 0;
+	unsigned int bits = 0;
 	ecc_25519_gf_reduce(&r, in);
@ -80,9 +84,14 @@ int ecc_25519_gf_is_zero(const ecc_int256_t *in) {
 	return (((bits-1)>>8) & 1);
 }
 /**
 * Adds two integers as Galois field elements
 *
 * The same pointers may be used for input and output.
 */
 void ecc_25519_gf_add(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2) {
 	unsigned int j;
-	uint32_t u;
+	unsigned int u;
 	int nq = 1 - (in1->p[31]>>4) - (in2->p[31]>>4);
 	u = 0;
@ -94,9 +103,14 @@ void ecc_25519_gf_add(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int2
 	}
 }
 /**
 * Subtracts two integers as Galois field elements
 *
 * The same pointers may be used for input and output.
 */
 void ecc_25519_gf_sub(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2) {
 	unsigned int j;
-	uint32_t u;
+	unsigned int u;
 	int nq = 8 - (in1->p[31]>>4) + (in2->p[31]>>4);
 	u = 0;
@ -109,11 +123,11 @@ void ecc_25519_gf_sub(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int2
 }
 /** Reduces an integer to a unique representation in the range \f$ [0,q-1] \f$ */
-static void reduce(uint8_t a[32]) {
+static void reduce(unsigned char a[32]) {
 	unsigned int j;
-	uint32_t nq = a[31] >> 4;
+	unsigned int nq = a[31] >> 4;
-	uint32_t u1, u2;
+	unsigned int u1, u2;
-	uint8_t out1[32], out2[32];
+	unsigned char out1[32], out2[32];
 	u1 = u2 = 0;
 	for (j = 0; j < 31; ++j) {
@ -131,6 +145,11 @@ static void reduce(uint8_t a[32]) {
 	select(a, out1, out2, IS_NEGATIVE(u1));
 }
 /**
 * Reduces an integer to a unique representation in the range \f$ [0,q-1] \f$
 *
 * The same pointers may be used for input and output.
 */
 void ecc_25519_gf_reduce(ecc_int256_t *out, const ecc_int256_t *in) {
 	int i;
@ -141,10 +160,10 @@ void ecc_25519_gf_reduce(ecc_int256_t *out, const ecc_int256_t *in) {
 }
 /** Montgomery modular multiplication algorithm */
-static void montgomery(uint8_t out[32], const uint8_t a[32], const uint8_t b[32]) {
+static void montgomery(unsigned char out[32], const unsigned char a[32], const unsigned char b[32]) {
 	unsigned int i, j;
-	uint32_t nq;
+	unsigned int nq;
-	uint32_t u;
+	unsigned int u;
 	for (i = 0; i < 32; i++)
 		out[i] = 0;
@ -164,17 +183,22 @@ static void montgomery(uint8_t out[32], const uint8_t a[32], const uint8_t b[32]
 	}
 }
 /**
 * Multiplies two integers as Galois field elements
 *
 * The same pointers may be used for input and output.
 */
 void ecc_25519_gf_mult(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2) {
 	/* 2^512 mod q */
-	static const uint8_t C[32] = {
+	static const unsigned char C[32] = {
 		0x01, 0x0f, 0x9c, 0x44, 0xe3, 0x11, 0x06, 0xa4,
 		0x47, 0x93, 0x85, 0x68, 0xa7, 0x1b, 0x0e, 0xd0,
 		0x65, 0xbe, 0xf5, 0x17, 0xd2, 0x73, 0xec, 0xce,
 		0x3d, 0x9a, 0x30, 0x7c, 0x1b, 0x41, 0x99, 0x03
 	};
-	uint8_t B[32];
+	unsigned char B[32];
-	uint8_t R[32];
+	unsigned char R[32];
 	unsigned int i;
 	for (i = 0; i < 32; i++)
@ -186,13 +210,18 @@ void ecc_25519_gf_mult(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int
 	montgomery(out->p, R, C);
 }
 /**
 * Computes the reciprocal of a Galois field element
 *
 * The same pointers may be used for input and output.
 */
 void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in) {
-	static const uint8_t C[32] = {
+	static const unsigned char C[32] = {
 		0x01
 	};
-	uint8_t A[32], B[32];
+	unsigned char A[32], B[32];
-	uint8_t R1[32], R2[32];
+	unsigned char R1[32], R2[32];
 	int use_r2 = 0;
 	unsigned int i, j;
@ -204,7 +233,7 @@ void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in) {
 	reduce(A);
 	for (i = 0; i < 32; i++) {
-		uint8_t c;
+		unsigned char c;
 		if (i == 0)
 			c = 0xeb; /* q[0] - 2 */
@ -239,6 +268,11 @@ void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in) {
 	montgomery(out->p, R2, C);
 }
 /**
 * Ensures some properties of a Galois field element to make it fit for use as a secret key
 *
 * The same pointers may be used for input and output.
 */
 void ecc_25519_gf_sanitize_secret(ecc_int256_t *out, const ecc_int256_t *in) {
 	int i;