libuecc v7

We can elide one multiplication assuming that Z == 1 for the default base.

CHANGELOG

@@ -0,0 +1,34 @@
+libuecc v7 (2016/03/27)
+
+* Change conversion between Ed25519 and legacy representation. This should
+    not affect any operations unless Ed25519 and legacy load/store
+    functions are mixed when accessing a work structure. Doing so is now
+    officially supported, for example to convert a legacy public key to
+    Ed25519 format.
+* The changed representation allows to use the same
+    ecc_25519_work_default_base for both Ed25519 and legacy.
+    ecc_25519_work_default_base and ecc_25519_scalarmult_base have been
+    undeprecated, ecc_25519_work_base_ed25519 and
+    ecc_25519_work_base_legacy are deprecated now.
+* All points are now internally represented with Ed25519 coordinates, which
+    allows about 6% faster scalar multplication than the legacy
+    representation.
+* ecc_25519_scalarmult_base has been further optimized, making it another
+    6% faster than normal ecc_25519_scalarmult.
+
+
+libuecc v6 (2015/10/25)
+
+* Fixes a bug which might have caused a point's y coordinate to be negated
+    in certain circumstances when the point was stored in packed
+    representation and loaded again. It is extremely improbable that this
+    has ever actually happened, as only a small range of coordinates was
+    affected.
+* Use stdint types to clarify ABI and add support for systems with
+    sizeof(int) < 4 (this is not an ABI break in practise as all systems on
+    which libuecc has been used in the past should have int == int32_t)
+* Add point negation and subtraction functions
+* Rename all point access functions to bear a _legacy suffix (the old names
+    are still available, but marked as deprecated)
+* Add new point access functions and a new generator point that are
+    compatible with Ed25519

CMakeLists.txt

@@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 2.6)
 project(LIBUECC C)
-set(PROJECT_VERSION 4)
+set(PROJECT_VERSION 7)
 
 set(CMAKE_MODULE_PATH ${LIBUECC_SOURCE_DIR})
 

COPYRIGHT

@@ -1,4 +1,4 @@
-Copyright (c) 2012, Matthias Schiffer <mschiffer@universe-factory.net>
+Copyright (c) 2012-2015, Matthias Schiffer <mschiffer@universe-factory.net>
 Partly based on public domain code by Matthew Dempsky and D. J. Bernstein.
 All rights reserved.
 

Doxyfile.in

@@ -1,4 +1,4 @@
-# Doxyfile 1.8.5
+# Doxyfile 1.8.9.1
 
 # This file describes the settings to be used by the documentation system
 # doxygen (www.doxygen.org) for a project.
@@ -46,10 +46,10 @@ PROJECT_NUMBER         = "@PROJECT_VERSION@"
 
 PROJECT_BRIEF          =
 
-# With the PROJECT_LOGO tag one can specify an logo or icon that is included in
-# the documentation. The maximum height of the logo should not exceed 55 pixels
-# and the maximum width should not exceed 200 pixels. Doxygen will copy the logo
-# to the output directory.
+# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
+# in the documentation. The maximum height of the logo should not exceed 55
+# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
+# the logo to the output directory.
 
 PROJECT_LOGO           =
 
@@ -60,7 +60,7 @@ PROJECT_LOGO           =
 
 OUTPUT_DIRECTORY       = "@DOXYFILE_OUTPUT_DIR@"
 
-# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub-
+# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
 # directories (in 2 levels) under the output directory of each output format and
 # will distribute the generated files over these directories. Enabling this
 # option can be useful when feeding doxygen a huge amount of source files, where
@@ -70,27 +70,37 @@ OUTPUT_DIRECTORY       = "@DOXYFILE_OUTPUT_DIR@"
 
 CREATE_SUBDIRS         = NO
 
+# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
+# characters to appear in the names of generated files. If set to NO, non-ASCII
+# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
+# U+3044.
+# The default value is: NO.
+
+ALLOW_UNICODE_NAMES    = NO
+
 # The OUTPUT_LANGUAGE tag is used to specify the language in which all
 # documentation generated by doxygen is written. Doxygen will use this
 # information to generate all constant output in the proper language.
-# Possible values are: Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-
-# Traditional, Croatian, Czech, Danish, Dutch, English, Esperanto, Farsi,
-# Finnish, French, German, Greek, Hungarian, Italian, Japanese, Japanese-en,
-# Korean, Korean-en, Latvian, Norwegian, Macedonian, Persian, Polish,
-# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish,
-# Turkish, Ukrainian and Vietnamese.
+# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese,
+# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States),
+# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian,
+# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages),
+# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian,
+# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian,
+# Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish,
+# Ukrainian and Vietnamese.
 # The default value is: English.
 
 OUTPUT_LANGUAGE        = English
 
-# If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member
+# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member
 # descriptions after the members that are listed in the file and class
 # documentation (similar to Javadoc). Set to NO to disable this.
 # The default value is: YES.
 
 BRIEF_MEMBER_DESC      = YES
 
-# If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief
+# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief
 # description of a member or function before the detailed description
 #
 # Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
@@ -125,7 +135,7 @@ ALWAYS_DETAILED_SEC    = NO
 
 INLINE_INHERITED_MEMB  = NO
 
-# If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path
+# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path
 # before files name in the file list and in the header files. If set to NO the
 # shortest path that makes the file name unique will be used
 # The default value is: YES.
@@ -195,9 +205,9 @@ MULTILINE_CPP_IS_BRIEF = NO
 
 INHERIT_DOCS           = YES
 
-# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a
-# new page for each member. If set to NO, the documentation of a member will be
-# part of the file/class/namespace that contains it.
+# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new
+# page for each member. If set to NO, the documentation of a member will be part
+# of the file/class/namespace that contains it.
 # The default value is: NO.
 
 SEPARATE_MEMBER_PAGES  = NO
@@ -259,11 +269,14 @@ OPTIMIZE_OUTPUT_VHDL   = NO
 # extension. Doxygen has a built-in mapping, but you can override or extend it
 # using this tag. The format is ext=language, where ext is a file extension, and
 # language is one of the parsers supported by doxygen: IDL, Java, Javascript,
-# C#, C, C++, D, PHP, Objective-C, Python, Fortran, VHDL. For instance to make
-# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
-# (default is Fortran), use: inc=Fortran f=C.
+# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran:
+# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran:
+# Fortran. In the later case the parser tries to guess whether the code is fixed
+# or free formatted code, this is the default for Fortran type files), VHDL. For
+# instance to make doxygen treat .inc files as Fortran files (default is PHP),
+# and .f files as C (default is Fortran), use: inc=Fortran f=C.
 #
-# Note For files without extension you can use no_extension as a placeholder.
+# Note: For files without extension you can use no_extension as a placeholder.
 #
 # Note that for custom extensions you also need to set FILE_PATTERNS otherwise
 # the files are not read by doxygen.
@@ -282,8 +295,8 @@ MARKDOWN_SUPPORT       = YES
 
 # When enabled doxygen tries to link words that correspond to documented
 # classes, or namespaces to their corresponding documentation. Such a link can
-# be prevented in individual cases by by putting a % sign in front of the word
-# or globally by setting AUTOLINK_SUPPORT to NO.
+# be prevented in individual cases by putting a % sign in front of the word or
+# globally by setting AUTOLINK_SUPPORT to NO.
 # The default value is: YES.
 
 AUTOLINK_SUPPORT       = YES
@@ -323,7 +336,7 @@ SIP_SUPPORT            = NO
 IDL_PROPERTY_SUPPORT   = YES
 
 # If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
-# tag is set to YES, then doxygen will reuse the documentation of the first
+# tag is set to YES then doxygen will reuse the documentation of the first
 # member in the group (if any) for the other members of the group. By default
 # all members of a group must be documented explicitly.
 # The default value is: NO.
@@ -388,7 +401,7 @@ LOOKUP_CACHE_SIZE      = 0
 # Build related configuration options
 #---------------------------------------------------------------------------
 
-# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
+# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in
 # documentation are documented, even if no documentation was available. Private
 # class members and static file members will be hidden unless the
 # EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
@@ -398,35 +411,35 @@ LOOKUP_CACHE_SIZE      = 0
 
 EXTRACT_ALL            = YES
 
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class will
+# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
 # be included in the documentation.
 # The default value is: NO.
 
 EXTRACT_PRIVATE        = NO
 
-# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal
+# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
 # scope will be included in the documentation.
 # The default value is: NO.
 
 EXTRACT_PACKAGE        = NO
 
-# If the EXTRACT_STATIC tag is set to YES all static members of a file will be
+# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
 # included in the documentation.
 # The default value is: NO.
 
 EXTRACT_STATIC         = YES
 
-# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined
-# locally in source files will be included in the documentation. If set to NO
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
+# locally in source files will be included in the documentation. If set to NO,
 # only classes defined in header files are included. Does not have any effect
 # for Java sources.
 # The default value is: YES.
 
 EXTRACT_LOCAL_CLASSES  = YES
 
-# This flag is only useful for Objective-C code. When set to YES local methods,
+# This flag is only useful for Objective-C code. If set to YES, local methods,
 # which are defined in the implementation section but not in the interface are
-# included in the documentation. If set to NO only methods in the interface are
+# included in the documentation. If set to NO, only methods in the interface are
 # included.
 # The default value is: NO.
 
@@ -451,21 +464,21 @@ HIDE_UNDOC_MEMBERS     = NO
 
 # If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
 # undocumented classes that are normally visible in the class hierarchy. If set
-# to NO these classes will be included in the various overviews. This option has
-# no effect if EXTRACT_ALL is enabled.
+# to NO, these classes will be included in the various overviews. This option
+# has no effect if EXTRACT_ALL is enabled.
 # The default value is: NO.
 
 HIDE_UNDOC_CLASSES     = NO
 
 # If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
-# (class|struct|union) declarations. If set to NO these declarations will be
+# (class|struct|union) declarations. If set to NO, these declarations will be
 # included in the documentation.
 # The default value is: NO.
 
 HIDE_FRIEND_COMPOUNDS  = NO
 
 # If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
-# documentation blocks found inside the body of a function. If set to NO these
+# documentation blocks found inside the body of a function. If set to NO, these
 # blocks will be appended to the function's detailed documentation block.
 # The default value is: NO.
 
@@ -479,7 +492,7 @@ HIDE_IN_BODY_DOCS      = NO
 INTERNAL_DOCS          = NO
 
 # If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
-# names in lower-case letters. If set to YES upper-case letters are also
+# names in lower-case letters. If set to YES, upper-case letters are also
 # allowed. This is useful if you have classes or files whose names only differ
 # in case and if your file system supports case sensitive file names. Windows
 # and Mac users are advised to set this option to NO.
@@ -488,18 +501,32 @@ INTERNAL_DOCS          = NO
 CASE_SENSE_NAMES       = YES
 
 # If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
-# their full class and namespace scopes in the documentation. If set to YES the
+# their full class and namespace scopes in the documentation. If set to YES, the
 # scope will be hidden.
 # The default value is: NO.
 
 HIDE_SCOPE_NAMES       = NO
 
+# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will
+# append additional text to a page's title, such as Class Reference. If set to
+# YES the compound reference will be hidden.
+# The default value is: NO.
+
+HIDE_COMPOUND_REFERENCE= NO
+
 # If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
 # the files that are included by a file in the documentation of that file.
 # The default value is: YES.
 
 SHOW_INCLUDE_FILES     = YES
 
+# If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each
+# grouped member an include statement to the documentation, telling the reader
+# which file to include in order to use the member.
+# The default value is: NO.
+
+SHOW_GROUPED_MEMB_INC  = NO
+
 # If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include
 # files with double quotes in the documentation rather than with sharp brackets.
 # The default value is: NO.
@@ -514,14 +541,15 @@ INLINE_INFO            = YES
 
 # If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
 # (detailed) documentation of file and class members alphabetically by member
-# name. If set to NO the members will appear in declaration order.
+# name. If set to NO, the members will appear in declaration order.
 # The default value is: YES.
 
 SORT_MEMBER_DOCS       = YES
 
 # If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
 # descriptions of file, namespace and class members alphabetically by member
-# name. If set to NO the members will appear in declaration order.
+# name. If set to NO, the members will appear in declaration order. Note that
+# this will also influence the order of the classes in the class list.
 # The default value is: NO.
 
 SORT_BRIEF_DOCS        = NO
@@ -565,27 +593,25 @@ SORT_BY_SCOPE_NAME     = NO
 
 STRICT_PROTO_MATCHING  = NO
 
-# The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the
-# todo list. This list is created by putting \todo commands in the
-# documentation.
+# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
+# list. This list is created by putting \todo commands in the documentation.
 # The default value is: YES.
 
 GENERATE_TODOLIST      = YES
 
-# The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the
-# test list. This list is created by putting \test commands in the
-# documentation.
+# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
+# list. This list is created by putting \test commands in the documentation.
 # The default value is: YES.
 
 GENERATE_TESTLIST      = YES
 
-# The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug
+# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
 # list. This list is created by putting \bug commands in the documentation.
 # The default value is: YES.
 
 GENERATE_BUGLIST       = YES
 
-# The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO)
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
 # the deprecated list. This list is created by putting \deprecated commands in
 # the documentation.
 # The default value is: YES.
@@ -610,8 +636,8 @@ ENABLED_SECTIONS       =
 MAX_INITIALIZER_LINES  = 30
 
 # Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
-# the bottom of the documentation of classes and structs. If set to YES the list
-# will mention the files that were used to generate the documentation.
+# the bottom of the documentation of classes and structs. If set to YES, the
+# list will mention the files that were used to generate the documentation.
 # The default value is: YES.
 
 SHOW_USED_FILES        = YES
@@ -659,8 +685,7 @@ LAYOUT_FILE            =
 # to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
 # For LaTeX the style of the bibliography can be controlled using
 # LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
-# search path. Do not use file names with spaces, bibtex cannot handle them. See
-# also \cite for info how to create references.
+# search path. See also \cite for info how to create references.
 
 CITE_BIB_FILES         =
 
@@ -676,7 +701,7 @@ CITE_BIB_FILES         =
 QUIET                  = YES
 
 # The WARNINGS tag can be used to turn on/off the warning messages that are
-# generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES
+# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES
 # this implies that the warnings are on.
 #
 # Tip: Turn warnings on while writing the documentation.
@@ -684,7 +709,7 @@ QUIET                  = YES
 
 WARNINGS               = YES
 
-# If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate
+# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate
 # warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
 # will automatically be disabled.
 # The default value is: YES.
@@ -701,8 +726,8 @@ WARN_IF_DOC_ERROR      = YES
 
 # This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
 # are documented, but have no documentation for their parameters or return
-# value. If set to NO doxygen will only warn about wrong or incomplete parameter
-# documentation, but not about the absence of documentation.
+# value. If set to NO, doxygen will only warn about wrong or incomplete
+# parameter documentation, but not about the absence of documentation.
 # The default value is: NO.
 
 WARN_NO_PARAMDOC       = NO
@@ -851,7 +876,7 @@ INPUT_FILTER           =
 FILTER_PATTERNS        =
 
 # If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
-# INPUT_FILTER ) will also be used to filter the input files that are used for
+# INPUT_FILTER) will also be used to filter the input files that are used for
 # producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
 # The default value is: NO.
 
@@ -911,7 +936,7 @@ REFERENCED_BY_RELATION = NO
 REFERENCES_RELATION    = NO
 
 # If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
-# to YES, then the hyperlinks from functions in REFERENCES_RELATION and
+# to YES then the hyperlinks from functions in REFERENCES_RELATION and
 # REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
 # link to the documentation.
 # The default value is: YES.
@@ -988,7 +1013,7 @@ IGNORE_PREFIX          =
 # Configuration options related to the HTML output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_HTML tag is set to YES doxygen will generate HTML output
+# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output
 # The default value is: YES.
 
 GENERATE_HTML          = YES
@@ -1050,13 +1075,15 @@ HTML_FOOTER            =
 
 HTML_STYLESHEET        =
 
-# The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user-
-# defined cascading style sheet that is included after the standard style sheets
+# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# cascading style sheets that are included after the standard style sheets
 # created by doxygen. Using this option one can overrule certain style aspects.
 # This is preferred over using HTML_STYLESHEET since it does not replace the
-# standard style sheet and is therefor more robust against future updates.
-# Doxygen will copy the style sheet file to the output directory. For an example
-# see the documentation.
+# standard style sheet and is therefore more robust against future updates.
+# Doxygen will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list). For an example see the documentation.
 # This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_EXTRA_STYLESHEET  =
@@ -1072,7 +1099,7 @@ HTML_EXTRA_STYLESHEET  =
 HTML_EXTRA_FILES       =
 
 # The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
-# will adjust the colors in the stylesheet and background images according to
+# will adjust the colors in the style sheet and background images according to
 # this color. Hue is specified as an angle on a colorwheel, see
 # http://en.wikipedia.org/wiki/Hue for more information. For instance the value
 # 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
@@ -1200,28 +1227,29 @@ GENERATE_HTMLHELP      = NO
 CHM_FILE               =
 
 # The HHC_LOCATION tag can be used to specify the location (absolute path
-# including file name) of the HTML help compiler ( hhc.exe). If non-empty
+# including file name) of the HTML help compiler (hhc.exe). If non-empty,
 # doxygen will try to run the HTML help compiler on the generated index.hhp.
 # The file has to be specified with full path.
 # This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 
 HHC_LOCATION           =
 
-# The GENERATE_CHI flag controls if a separate .chi index file is generated (
-# YES) or that it should be included in the master .chm file ( NO).
+# The GENERATE_CHI flag controls if a separate .chi index file is generated
+# (YES) or that it should be included in the master .chm file (NO).
 # The default value is: NO.
 # This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 
 GENERATE_CHI           = NO
 
-# The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc)
+# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)
 # and project file content.
 # This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 
 CHM_INDEX_ENCODING     =
 
-# The BINARY_TOC flag controls whether a binary table of contents is generated (
-# YES) or a normal table of contents ( NO) in the .chm file.
+# The BINARY_TOC flag controls whether a binary table of contents is generated
+# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it
+# enables the Previous and Next buttons.
 # The default value is: NO.
 # This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 
@@ -1334,7 +1362,7 @@ DISABLE_INDEX          = NO
 # index structure (just like the one that is generated for HTML Help). For this
 # to work a browser that supports JavaScript, DHTML, CSS and frames is required
 # (i.e. any modern browser). Windows users are probably better off using the
-# HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can
+# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
 # further fine-tune the look of the index. As an example, the default style
 # sheet generated by doxygen has an example that shows how to put an image at
 # the root of the tree instead of the PROJECT_NAME. Since the tree basically has
@@ -1362,7 +1390,7 @@ ENUM_VALUES_PER_LINE   = 4
 
 TREEVIEW_WIDTH         = 250
 
-# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to
+# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to
 # external symbols imported via tag files in a separate window.
 # The default value is: NO.
 # This tag requires that the tag GENERATE_HTML is set to YES.
@@ -1391,7 +1419,7 @@ FORMULA_TRANSPARENT    = YES
 
 # Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
 # http://www.mathjax.org) which uses client side Javascript for the rendering
-# instead of using prerendered bitmaps. Use this if you do not have LaTeX
+# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX
 # installed or if you want to formulas look prettier in the HTML output. When
 # enabled you may also need to install MathJax separately and configure the path
 # to it using the MATHJAX_RELPATH option.
@@ -1461,11 +1489,11 @@ SEARCHENGINE           = NO
 
 # When the SERVER_BASED_SEARCH tag is enabled the search engine will be
 # implemented using a web server instead of a web client using Javascript. There
-# are two flavours of web server based searching depending on the
-# EXTERNAL_SEARCH setting. When disabled, doxygen will generate a PHP script for
-# searching and an index file used by the script. When EXTERNAL_SEARCH is
-# enabled the indexing and searching needs to be provided by external tools. See
-# the section "External Indexing and Searching" for details.
+# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
+# setting. When disabled, doxygen will generate a PHP script for searching and
+# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
+# and searching needs to be provided by external tools. See the section
+# "External Indexing and Searching" for details.
 # The default value is: NO.
 # This tag requires that the tag SEARCHENGINE is set to YES.
 
@@ -1477,7 +1505,7 @@ SERVER_BASED_SEARCH    = NO
 # external search engine pointed to by the SEARCHENGINE_URL option to obtain the
 # search results.
 #
-# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# Doxygen ships with an example indexer (doxyindexer) and search engine
 # (doxysearch.cgi) which are based on the open source search engine library
 # Xapian (see: http://xapian.org/).
 #
@@ -1490,7 +1518,7 @@ EXTERNAL_SEARCH        = NO
 # The SEARCHENGINE_URL should point to a search engine hosted by a web server
 # which will return the search results when EXTERNAL_SEARCH is enabled.
 #
-# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# Doxygen ships with an example indexer (doxyindexer) and search engine
 # (doxysearch.cgi) which are based on the open source search engine library
 # Xapian (see: http://xapian.org/). See the section "External Indexing and
 # Searching" for details.
@@ -1528,7 +1556,7 @@ EXTRA_SEARCH_MAPPINGS  =
 # Configuration options related to the LaTeX output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_LATEX tag is set to YES doxygen will generate LaTeX output.
+# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output.
 # The default value is: YES.
 
 GENERATE_LATEX         = @DOXYFILE_GENERATE_LATEX@
@@ -1559,7 +1587,7 @@ LATEX_CMD_NAME         = "@LATEX_COMPILER@"
 
 MAKEINDEX_CMD_NAME     = "@MAKEINDEX_COMPILER@"
 
-# If the COMPACT_LATEX tag is set to YES doxygen generates more compact LaTeX
+# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX
 # documents. This may be useful for small projects and may help to save some
 # trees in general.
 # The default value is: NO.
@@ -1593,23 +1621,36 @@ EXTRA_PACKAGES         =
 #
 # Note: Only use a user-defined header if you know what you are doing! The
 # following commands have a special meaning inside the header: $title,
-# $datetime, $date, $doxygenversion, $projectname, $projectnumber. Doxygen will
-# replace them by respectively the title of the page, the current date and time,
-# only the current date, the version number of doxygen, the project name (see
-# PROJECT_NAME), or the project number (see PROJECT_NUMBER).
+# $datetime, $date, $doxygenversion, $projectname, $projectnumber,
+# $projectbrief, $projectlogo. Doxygen will replace $title with the empty
+# string, for the replacement values of the other commands the user is referred
+# to HTML_HEADER.
 # This tag requires that the tag GENERATE_LATEX is set to YES.
 
 LATEX_HEADER           =
 
 # The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
 # generated LaTeX document. The footer should contain everything after the last
-# chapter. If it is left blank doxygen will generate a standard footer.
+# chapter. If it is left blank doxygen will generate a standard footer. See
+# LATEX_HEADER for more information on how to generate a default footer and what
+# special commands can be used inside the footer.
 #
 # Note: Only use a user-defined footer if you know what you are doing!
 # This tag requires that the tag GENERATE_LATEX is set to YES.
 
 LATEX_FOOTER           =
 
+# The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# LaTeX style sheets that are included after the standard style sheets created
+# by doxygen. Using this option one can overrule certain style aspects. Doxygen
+# will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list).
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_STYLESHEET =
+
 # The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
 # other source files which should be copied to the LATEX_OUTPUT output
 # directory. Note that the files will be copied as-is; there are no commands or
@@ -1627,8 +1668,8 @@ LATEX_EXTRA_FILES      =
 
 PDF_HYPERLINKS         = YES
 
-# If the LATEX_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
-# the PDF file directly from the LaTeX files. Set this option to YES to get a
+# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
+# the PDF file directly from the LaTeX files. Set this option to YES, to get a
 # higher quality PDF documentation.
 # The default value is: YES.
 # This tag requires that the tag GENERATE_LATEX is set to YES.
@@ -1673,7 +1714,7 @@ LATEX_BIB_STYLE        = plain
 # Configuration options related to the RTF output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_RTF tag is set to YES doxygen will generate RTF output. The
+# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The
 # RTF output is optimized for Word 97 and may not look too pretty with other RTF
 # readers/editors.
 # The default value is: NO.
@@ -1688,7 +1729,7 @@ GENERATE_RTF           = NO
 
 RTF_OUTPUT             = rtf
 
-# If the COMPACT_RTF tag is set to YES doxygen generates more compact RTF
+# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF
 # documents. This may be useful for small projects and may help to save some
 # trees in general.
 # The default value is: NO.
@@ -1725,11 +1766,21 @@ RTF_STYLESHEET_FILE    =
 
 RTF_EXTENSIONS_FILE    =
 
+# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code
+# with syntax highlighting in the RTF output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_SOURCE_CODE        = NO
+
 #---------------------------------------------------------------------------
 # Configuration options related to the man page output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_MAN tag is set to YES doxygen will generate man pages for
+# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for
 # classes and files.
 # The default value is: NO.
 
@@ -1753,6 +1804,13 @@ MAN_OUTPUT             = man
 
 MAN_EXTENSION          = .3
 
+# The MAN_SUBDIR tag determines the name of the directory created within
+# MAN_OUTPUT in which the man pages are placed. If defaults to man followed by
+# MAN_EXTENSION with the initial . removed.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_SUBDIR             =
+
 # If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
 # will generate one additional man file for each entity documented in the real
 # man page(s). These additional files only source the real man page, but without
@@ -1766,7 +1824,7 @@ MAN_LINKS              = NO
 # Configuration options related to the XML output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_XML tag is set to YES doxygen will generate an XML file that
+# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that
 # captures the structure of the code including all documentation.
 # The default value is: NO.
 
@@ -1780,19 +1838,7 @@ GENERATE_XML           = NO
 
 XML_OUTPUT             = xml
 
-# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_SCHEMA             =
-
-# The XML_DTD tag can be used to specify a XML DTD, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_DTD                =
-
-# If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program
+# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program
 # listings (including syntax highlighting and cross-referencing information) to
 # the XML output. Note that enabling this will significantly increase the size
 # of the XML output.
@@ -1805,7 +1851,7 @@ XML_PROGRAMLISTING     = YES
 # Configuration options related to the DOCBOOK output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_DOCBOOK tag is set to YES doxygen will generate Docbook files
+# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files
 # that can be used to generate PDF.
 # The default value is: NO.
 
@@ -1819,14 +1865,23 @@ GENERATE_DOCBOOK       = NO
 
 DOCBOOK_OUTPUT         = docbook
 
+# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the
+# program listings (including syntax highlighting and cross-referencing
+# information) to the DOCBOOK output. Note that enabling this will significantly
+# increase the size of the DOCBOOK output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_PROGRAMLISTING = NO
+
 #---------------------------------------------------------------------------
 # Configuration options for the AutoGen Definitions output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_AUTOGEN_DEF tag is set to YES doxygen will generate an AutoGen
-# Definitions (see http://autogen.sf.net) file that captures the structure of
-# the code including all documentation. Note that this feature is still
-# experimental and incomplete at the moment.
+# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an
+# AutoGen Definitions (see http://autogen.sf.net) file that captures the
+# structure of the code including all documentation. Note that this feature is
+# still experimental and incomplete at the moment.
 # The default value is: NO.
 
 GENERATE_AUTOGEN_DEF   = NO
@@ -1835,7 +1890,7 @@ GENERATE_AUTOGEN_DEF   = NO
 # Configuration options related to the Perl module output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_PERLMOD tag is set to YES doxygen will generate a Perl module
+# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module
 # file that captures the structure of the code including all documentation.
 #
 # Note that this feature is still experimental and incomplete at the moment.
@@ -1843,7 +1898,7 @@ GENERATE_AUTOGEN_DEF   = NO
 
 GENERATE_PERLMOD       = NO
 
-# If the PERLMOD_LATEX tag is set to YES doxygen will generate the necessary
+# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary
 # Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
 # output from the Perl module output.
 # The default value is: NO.
@@ -1851,9 +1906,9 @@ GENERATE_PERLMOD       = NO
 
 PERLMOD_LATEX          = NO
 
-# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be nicely
+# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely
 # formatted so it can be parsed by a human reader. This is useful if you want to
-# understand what is going on. On the other hand, if this tag is set to NO the
+# understand what is going on. On the other hand, if this tag is set to NO, the
 # size of the Perl module output will be much smaller and Perl will parse it
 # just the same.
 # The default value is: YES.
@@ -1873,14 +1928,14 @@ PERLMOD_MAKEVAR_PREFIX =
 # Configuration options related to the preprocessor
 #---------------------------------------------------------------------------
 
-# If the ENABLE_PREPROCESSING tag is set to YES doxygen will evaluate all
+# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all
 # C-preprocessor directives found in the sources and include files.
 # The default value is: YES.
 
 ENABLE_PREPROCESSING   = YES
 
-# If the MACRO_EXPANSION tag is set to YES doxygen will expand all macro names
-# in the source code. If set to NO only conditional compilation will be
+# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
+# in the source code. If set to NO, only conditional compilation will be
 # performed. Macro expansion can be done in a controlled way by setting
 # EXPAND_ONLY_PREDEF to YES.
 # The default value is: NO.
@@ -1896,7 +1951,7 @@ MACRO_EXPANSION        = YES
 
 EXPAND_ONLY_PREDEF     = YES
 
-# If the SEARCH_INCLUDES tag is set to YES the includes files in the
+# If the SEARCH_INCLUDES tag is set to YES, the include files in the
 # INCLUDE_PATH will be searched if a #include is found.
 # The default value is: YES.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@@ -1938,9 +1993,9 @@ PREDEFINED             = DEPRECATED=
 EXPAND_AS_DEFINED      =
 
 # If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
-# remove all refrences to function-like macros that are alone on a line, have an
-# all uppercase name, and do not end with a semicolon. Such function macros are
-# typically used for boiler-plate code, and will confuse the parser if not
+# remove all references to function-like macros that are alone on a line, have
+# an all uppercase name, and do not end with a semicolon. Such function macros
+# are typically used for boiler-plate code, and will confuse the parser if not
 # removed.
 # The default value is: YES.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@@ -1960,7 +2015,7 @@ SKIP_FUNCTION_MACROS   = YES
 # where loc1 and loc2 can be relative or absolute paths or URLs. See the
 # section "Linking to external documentation" for more information about the use
 # of tag files.
-# Note: Each tag file must have an unique name (where the name does NOT include
+# Note: Each tag file must have a unique name (where the name does NOT include
 # the path). If a tag file is not located in the directory in which doxygen is
 # run, you must also specify the path to the tagfile here.
 
@@ -1972,20 +2027,21 @@ TAGFILES               =
 
 GENERATE_TAGFILE       =
 
-# If the ALLEXTERNALS tag is set to YES all external class will be listed in the
-# class index. If set to NO only the inherited external classes will be listed.
+# If the ALLEXTERNALS tag is set to YES, all external class will be listed in
+# the class index. If set to NO, only the inherited external classes will be
+# listed.
 # The default value is: NO.
 
 ALLEXTERNALS           = NO
 
-# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed in
-# the modules index. If set to NO, only the current project's groups will be
+# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will be
 # listed.
 # The default value is: YES.
 
 EXTERNAL_GROUPS        = YES
 
-# If the EXTERNAL_PAGES tag is set to YES all external pages will be listed in
+# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
 # the related pages index. If set to NO, only the current project's pages will
 # be listed.
 # The default value is: YES.
@@ -2002,7 +2058,7 @@ PERL_PATH              = /usr/bin/perl
 # Configuration options related to the dot tool
 #---------------------------------------------------------------------------
 
-# If the CLASS_DIAGRAMS tag is set to YES doxygen will generate a class diagram
+# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram
 # (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
 # NO turns the diagrams off. Note that this option also works with HAVE_DOT
 # disabled, but it is recommended to install and use dot, since it yields more
@@ -2020,7 +2076,14 @@ CLASS_DIAGRAMS         = YES
 
 MSCGEN_PATH            =
 
-# If set to YES, the inheritance and collaboration graphs will hide inheritance
+# You can include diagrams made with dia in doxygen documentation. Doxygen will
+# then run dia to produce the diagram and insert it in the documentation. The
+# DIA_PATH tag allows you to specify the directory where the dia binary resides.
+# If left empty dia is assumed to be found in the default search path.
+
+DIA_PATH               =
+
+# If set to YES the inheritance and collaboration graphs will hide inheritance
 # and usage relations if the target is undocumented or is not a class.
 # The default value is: YES.
 
@@ -2045,7 +2108,7 @@ HAVE_DOT               = @DOXYFILE_DOT@
 
 DOT_NUM_THREADS        = 0
 
-# When you want a differently looking font n the dot files that doxygen
+# When you want a differently looking font in the dot files that doxygen
 # generates you can specify the font name using DOT_FONTNAME. You need to make
 # sure dot is able to find the font, which can be done by putting it in a
 # standard location or by setting the DOTFONTPATH environment variable or by
@@ -2093,7 +2156,7 @@ COLLABORATION_GRAPH    = YES
 
 GROUP_GRAPHS           = YES
 
-# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
+# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and
 # collaboration diagrams in a style similar to the OMG's Unified Modeling
 # Language.
 # The default value is: NO.
@@ -2220,6 +2283,25 @@ DOTFILE_DIRS           =
 
 MSCFILE_DIRS           =
 
+# The DIAFILE_DIRS tag can be used to specify one or more directories that
+# contain dia files that are included in the documentation (see the \diafile
+# command).
+
+DIAFILE_DIRS           =
+
+# When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the
+# path where java can find the plantuml.jar file. If left blank, it is assumed
+# PlantUML is not used or called during a preprocessing step. Doxygen will
+# generate a warning when it encounters a \startuml command in this case and
+# will not generate output for the diagram.
+
+PLANTUML_JAR_PATH      =
+
+# When using plantuml, the specified paths are searched for files specified by
+# the !include statement in a plantuml block.
+
+PLANTUML_INCLUDE_PATH  =
+
 # The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
 # that will be shown in the graph. If the number of nodes in a graph becomes
 # larger than this value, doxygen will truncate the graph, which is visualized
@@ -2256,7 +2338,7 @@ MAX_DOT_GRAPH_DEPTH    = 0
 
 DOT_TRANSPARENT        = YES
 
-# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
+# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
 # files in one run (i.e. multiple -o and -T options on the command line). This
 # makes dot run faster, but since only newer versions of dot (>1.8.10) support
 # this, this feature is disabled by default.
@@ -2273,7 +2355,7 @@ DOT_MULTI_TARGETS      = NO
 
 GENERATE_LEGEND        = YES
 
-# If the DOT_CLEANUP tag is set to YES doxygen will remove the intermediate dot
+# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot
 # files that are used to generate the various graphs.
 # The default value is: YES.
 # This tag requires that the tag HAVE_DOT is set to YES.

README

@@ -0,0 +1,30 @@
+libuecc is a very small generic-purpose Elliptic Curve Cryptography library
+compatible with Ed25519.
+
+Most documentation can be found as Doxygen comments in the ecc.h header
+file. You can use `make doxygen` after running CMake to create HTML
+documenation from it.
+
+There are two sets of functions converting between libuecc's internal point
+representation and coordinates or compressed representation. The functions
+ending with _ed25519 use the same representation as original Ed25519
+implementation and should be used by new software. The functions with the
+suffix _legacy are provided for compatiblity with libuecc version before
+v6.
+
+Ed25519 and the legacy representation are isomorphic, they use a Twisted
+Edwards Curve
+
+    ax^2 + y^2 = 1 + dx^2y^2
+
+over the prime field for p = 2^255 - 19.
+
+Ed25519 uses the parameters
+
+    a = -1 and
+    d = -(121665/121666),
+
+while the legacy curve has
+
+    a = 486664
+    d = 486660.

UseDoxygen.cmake

@@ -32,7 +32,7 @@
 #  	 "${CMAKE_CURRENT_BINARY_DIR}/foo.c" "${CMAKE_CURRENT_BINARY_DIR}/bar/"
 #  
 #  DOXYFILE_OUTPUT_DIR - Path where the Doxygen output is stored.
-#  	Defaults to "${CMAKE_CURRENT_BINARY_DIR}/doc".
+#  	Defaults to "${CMAKE_CURRENT_BINARY_DIR}/doxygen".
 #  
 #  DOXYFILE_LATEX - ON/OFF; Set to "ON" if you want the LaTeX documentation
 #  	to be built.
@@ -57,20 +57,32 @@ macro(usedoxygen_set_default name value type docstring)
 	endif()
 endmacro()
 
-find_package(Doxygen)
+if(ANDROID)
+	find_host_package(Doxygen)
+else(ANDROID)
+	find_package(Doxygen)
+endif(ANDROID)
 
 if(DOXYGEN_FOUND)
+	if(ANDROID)
+		# android-cmake doesn't provide a find_host_file and here's the workaround
+		set(_save_root_path ${CMAKE_FIND_ROOT_PATH})
+		set(CMAKE_FIND_ROOT_PATH)
+	endif(ANDROID)
 	find_file(DOXYFILE_IN "Doxyfile.in"
 			PATHS "${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_ROOT}/Modules/"
 			NO_DEFAULT_PATH
 			DOC "Path to the doxygen configuration template file")
+	if(ANDROID)
+		set(CMAKE_FIND_ROOT_PATH $_save_root_path)
+	endif(ANDROID)
 	set(DOXYFILE "${CMAKE_CURRENT_BINARY_DIR}/Doxyfile")
 	include(FindPackageHandleStandardArgs)
 	find_package_handle_standard_args(DOXYFILE_IN DEFAULT_MSG "DOXYFILE_IN")
 endif()
 
 if(DOXYGEN_FOUND AND DOXYFILE_IN_FOUND)
-	usedoxygen_set_default(DOXYFILE_OUTPUT_DIR "${CMAKE_CURRENT_BINARY_DIR}/doc"
+	usedoxygen_set_default(DOXYFILE_OUTPUT_DIR "${CMAKE_CURRENT_BINARY_DIR}/doxygen"
 		PATH "Doxygen output directory")
 	usedoxygen_set_default(DOXYFILE_HTML_DIR "html"
 		STRING "Doxygen HTML output directory")
@@ -134,11 +146,4 @@ if(DOXYGEN_FOUND AND DOXYFILE_IN_FOUND)
 
 
 	configure_file("${DOXYFILE_IN}" "${DOXYFILE}" @ONLY)
-
-	get_target_property(DOC_TARGET doc TYPE)
-	if(NOT DOC_TARGET)
-		add_custom_target(doc)
-	endif()
-
-	add_dependencies(doc doxygen)
 endif()

include/libuecc/ecc.h

@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2012, Matthias Schiffer <mschiffer@universe-factory.net>
+  Copyright (c) 2012-2015, Matthias Schiffer <mschiffer@universe-factory.net>
   Partly based on public domain code by Matthew Dempsky and D. J. Bernstein.
   All rights reserved.
 
@@ -27,6 +27,14 @@
 #ifndef _LIBUECC_ECC_H_
 #define _LIBUECC_ECC_H_
 
+#ifndef DEPRECATED
+#define DEPRECATED __attribute__((deprecated))
+#endif
+
+
+#include <stdint.h>
+
+
 /**
  * A 256 bit integer
  *
@@ -34,7 +42,7 @@
  */
 typedef union _ecc_int256 {
 	/** Data bytes */
-	unsigned char p[32];
+	uint8_t p[32];
 } ecc_int256_t;
 
 /**
@@ -44,10 +52,10 @@ typedef union _ecc_int256 {
  * it should always be packed.
  */
 typedef struct _ecc_25519_work {
-	unsigned int X[32];
-	unsigned int Y[32];
-	unsigned int Z[32];
-	unsigned int T[32];
+	uint32_t X[32];
+	uint32_t Y[32];
+	uint32_t Z[32];
+	uint32_t T[32];
 } ecc_25519_work_t;
 
 /**
@@ -55,16 +63,205 @@ typedef struct _ecc_25519_work {
  * @{
  */
 
-int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y);
-void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in);
+/** The identity element */
+extern const ecc_25519_work_t ecc_25519_work_identity;
 
-int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in);
-void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in);
 
+/**
+ * The Ed25519 default generator point
+ *
+ * \deprecated Use the equivalent \ref ecc_25519_work_default_base instead.
+ *
+ **/
+DEPRECATED extern const ecc_25519_work_t ecc_25519_work_base_ed25519;
+
+/**
+ * The Ed25519 default generator point
+ *
+ * \deprecated Use the equivalent \ref ecc_25519_work_default_base instead.
+ */
+DEPRECATED extern const ecc_25519_work_t ecc_25519_work_base_legacy;
+
+
+/**
+ * The Ed25519 default generator point
+ *
+ * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
+ */
+extern const ecc_25519_work_t ecc_25519_work_default_base;
+
+
+/** Loads a point of the Ed25519 curve with given coordinates into its unpacked representation */
+int ecc_25519_load_xy_ed25519(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y);
+
+/**
+ * Loads a point of the legacy curve with given coordinates into its unpacked representation
+ *
+ * New software should use \ref ecc_25519_load_xy_ed25519, which uses the same curve as the Ed25519 algorithm.
+ */
+int ecc_25519_load_xy_legacy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y);
+
+/**
+ * Loads a point of the legacy curve with given coordinates into its unpacked representation
+ *
+ * \deprecated Use \ref ecc_25519_load_xy_legacy
+ */
+DEPRECATED int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y);
+
+
+/**
+ * Stores the x and y coordinates of a point of the Ed25519 curve
+ *
+ * \param x Returns the x coordinate of the point. May be NULL.
+ * \param y Returns the y coordinate of the point. May be NULL.
+ * \param in The unpacked point to store.
+ */
+void ecc_25519_store_xy_ed25519(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in);
+
+/**
+ * Stores the x and y coordinates of a point of the legacy curve
+ *
+ * New software should use \ref ecc_25519_store_xy_ed25519, which uses the same curve as the Ed25519 algorithm.
+ *
+ * \param x Returns the x coordinate of the point. May be NULL.
+ * \param y Returns the y coordinate of the point. May be NULL.
+ * \param in The unpacked point to store.
+ */
+void ecc_25519_store_xy_legacy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in);
+
+/**
+ * Stores a point's x and y coordinates
+ *
+ * \param x Returns the x coordinate of the point. May be NULL.
+ * \param y Returns the y coordinate of the point. May be NULL.
+ * \param in The unpacked point to store.
+ *
+ * \deprecated Use \ref ecc_25519_store_xy_legacy
+ */
+DEPRECATED void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in);
+
+
+/**
+ * Loads a packed point of the Ed25519 curve into its unpacked representation
+ *
+ * The packed format is different from the legacy one: the legacy format contains that X coordinate and the parity of the Y coordinate,
+ * Ed25519 uses the Y coordinate and the parity of the X coordinate.
+*/
+int ecc_25519_load_packed_ed25519(ecc_25519_work_t *out, const ecc_int256_t *in);
+
+/**
+ * Loads a packed point of the legacy curve into its unpacked representation
+ *
+ * New software should use \ref ecc_25519_load_packed_ed25519, which uses the same curve and packed representation as the Ed25519 algorithm.
+ *
+ * The packed format is different from the Ed25519 one: the legacy format contains that X coordinate and the parity of the Y coordinate,
+ * Ed25519 uses the Y coordinate and the parity of the X coordinate.
+ */
+int ecc_25519_load_packed_legacy(ecc_25519_work_t *out, const ecc_int256_t *in);
+
+/**
+ * Loads a packed point of the legacy curve into its unpacked representation
+ *
+ * \deprecated Use \ref ecc_25519_load_packed_legacy
+ */
+DEPRECATED int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in);
+
+
+/**
+ * Stores a point of the Ed25519 curve into its packed representation
+ *
+ * The packed format is different from the Ed25519 one: the legacy format contains that X coordinate and the parity of the Y coordinate,
+ * Ed25519 uses the Y coordinate and the parity of the X coordinate.
+ */
+void ecc_25519_store_packed_ed25519(ecc_int256_t *out, const ecc_25519_work_t *in);
+
+/**
+ * Stores a point of the legacy curve into its packed representation
+ *
+ * New software should use \ref ecc_25519_store_packed_ed25519, which uses the same curve and packed representation as the Ed25519 algorithm.
+ *
+ * The packed format is different from the Ed25519 one: the legacy format contains that X coordinate and the parity of the Y coordinate,
+ * Ed25519 uses the Y coordinate and the parity of the X coordinate.
+ */
+void ecc_25519_store_packed_legacy(ecc_int256_t *out, const ecc_25519_work_t *in);
+
+/**
+ * Stores a point of the legacy curve into its packed representation
+ *
+ * \deprecated Use \ref ecc_25519_store_packed_legacy
+ */
+DEPRECATED void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in);
+
+
+/** Checks if a point is the identity element of the Elliptic Curve group */
 int ecc_25519_is_identity(const ecc_25519_work_t *in);
+
+/**
+ * Negates a point of the Elliptic Curve
+ *
+ * The same pointer may be given for input and output
+ */
+void ecc_25519_negate(ecc_25519_work_t *out, const ecc_25519_work_t *in);
+
+/**
+ * Doubles a point of the Elliptic Curve
+ *
+ * ecc_25519_double(out, in) is equivalent to ecc_25519_add(out, in, in), but faster.
+ *
+ * The same pointer may be given for input and output.
+ */
 void ecc_25519_double(ecc_25519_work_t *out, const ecc_25519_work_t *in);
+
+/**
+ * Adds two points of the Elliptic Curve
+ *
+ * The same pointers may be given for input and output.
+ */
 void ecc_25519_add(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2);
+
+/**
+ * Subtracts two points of the Elliptic Curve
+ *
+ * The same pointers may be given for input and output.
+ */
+void ecc_25519_sub(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2);
+
+/**
+ * Does a scalar multiplication of a point of the Elliptic Curve with an integer of a given bit length
+ *
+ * To speed up scalar multiplication when it is known that not the whole 256 bits of the scalar
+ * are used. The bit length should always be a constant and not computed at runtime to ensure
+ * that no timing attacks are possible.
+ *
+ * The same pointer may be given for input and output.
+ **/
+void ecc_25519_scalarmult_bits(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base, unsigned bits);
+
+/**
+ * Does a scalar multiplication of a point of the Elliptic Curve with an integer
+ *
+ * The same pointer may be given for input and output.
+ **/
 void ecc_25519_scalarmult(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base);
+
+/**
+ * Does a scalar multiplication of the default base point (generator element) of the Elliptic Curve with an integer of a given bit length
+ *
+ * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
+ *
+ * ecc_25519_scalarmult_base_bits(out, n, bits) is faster than ecc_25519_scalarmult_bits(out, n, &ecc_25519_work_default_base, bits).
+ *
+ * See the notes about \ref ecc_25519_scalarmult_bits before using this function.
+ */
+void ecc_25519_scalarmult_base_bits(ecc_25519_work_t *out, const ecc_int256_t *n, unsigned bits);
+
+/**
+ * Does a scalar multiplication of the default base point (generator element) of the Elliptic Curve with an integer
+ *
+ * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
+ *
+ * ecc_25519_scalarmult_base(out, n) is faster than ecc_25519_scalarmult(out, n, &ecc_25519_work_default_base).
+ */
 void ecc_25519_scalarmult_base(ecc_25519_work_t *out, const ecc_int256_t *n);
 
 /**@}*/
@@ -74,14 +271,61 @@ void ecc_25519_scalarmult_base(ecc_25519_work_t *out, const ecc_int256_t *n);
  * @{
  */
 
+/**
+ * The order of the prime field
+ *
+ * The order is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
+ */
 extern const ecc_int256_t ecc_25519_gf_order;
 
+
+/** Checks if an integer is equal to zero (after reduction) */
 int ecc_25519_gf_is_zero(const ecc_int256_t *in);
+
+/**
+ * Adds two integers as Galois field elements
+ *
+ * The same pointers may be given for input and output.
+ */
 void ecc_25519_gf_add(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2);
+
+/**
+ * Subtracts two integers as Galois field elements
+ *
+ * The same pointers may be given for input and output.
+ */
 void ecc_25519_gf_sub(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2);
+
+/**
+ * Reduces an integer to a unique representation in the range \f$ [0,q-1] \f$
+ *
+ * The same pointer may be given for input and output.
+ */
 void ecc_25519_gf_reduce(ecc_int256_t *out, const ecc_int256_t *in);
+
+/**
+ * Multiplies two integers as Galois field elements
+ *
+ * The same pointers may be given for input and output.
+ */
 void ecc_25519_gf_mult(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2);
+
+/**
+ * Computes the reciprocal of a Galois field element
+ *
+ * The same pointers may be given for input and output.
+ */
 void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in);
+
+/**
+ * Ensures some properties of a Galois field element to make it fit for use as a secret key
+ *
+ * This sets the 255th bit and clears the 256th and the bottom three bits (so the key
+ * will be a multiple of 8). See Daniel J. Bernsteins paper "Curve25519: new Diffie-Hellman speed records."
+ * for the rationale of this.
+ *
+ * The same pointer may be given for input and output.
+ */
 void ecc_25519_gf_sanitize_secret(ecc_int256_t *out, const ecc_int256_t *in);
 
 /**@}*/

src/ec25519.c

@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2012, Matthias Schiffer <mschiffer@universe-factory.net>
+  Copyright (c) 2012-2015, Matthias Schiffer <mschiffer@universe-factory.net>
   Partly based on public domain code by Matthew Dempsky and D. J. Bernstein.
   All rights reserved.
 
@@ -25,134 +25,324 @@
 */
 
 /** \file
- * EC group operations for Twisted Edwards Curve \f$ ax^2 + y^2 = 1 + dx^2y^2 \f$ with
- *    \f$ a = 486664 \f$ and
- *    \f$ d = 486660 \f$
+ * EC group operations for Twisted Edwards Curve \f$ ax^2 + y^2 = 1 + dx^2y^2 \f$
  * on prime field \f$ p = 2^{255} - 19 \f$.
  *
- * The curve is equivalent to the Montgomery Curve used in D. J. Bernstein's
+ * Two different (isomorphic) sets of curve parameters are supported:
+ *
+ *    \f$ a = 486664 \f$ and
+ *    \f$ d = 486660 \f$
+ * are the parameters used by the original libuecc implementation (till v5).
+ * To use points on this curve, use the functions with the suffix \em legacy.
+ *
+ * The other supported curve uses the parameters
+ *    \f$ a = -1 \f$ and
+ *    \f$ d = -(121665/121666) \f$,
+ * which is the curve used by the Ed25519 algorithm. The functions for this curve
+ * have the suffix \em ed25519.
+ *
+ * Internally, libuecc always uses the latter representation for its \em work structure.
+ *
+ * The curves are equivalent to the Montgomery Curve used in D. J. Bernstein's
  * Curve25519 Diffie-Hellman algorithm.
  *
  * See http://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html for add and
  * double operations.
+ *
+ * Doxygen comments for public APIs can be found in the public header file.
+ *
+ * Invariant that must be held by all public API: the components of an
+ * \ref ecc_25519_work_t are always in the range \f$ [0, 2p) \f$.
+ * Integers in this range will be called \em squeezed in the following.
  */
 
 #include <libuecc/ecc.h>
 
 
-static const unsigned int zero[32] = {0};
-static const unsigned int one[32] = {1};
+const ecc_25519_work_t ecc_25519_work_identity = {{0}, {1}, {1}, {0}};
+
+const ecc_25519_work_t ecc_25519_work_base_legacy = {
+	{0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9,
+	 0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69,
+	 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
+	 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21},
+	{0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66},
+	{1},
+	{0xa3, 0xdd, 0xb7, 0xa5, 0xb3, 0x8a, 0xde, 0x6d,
+	 0xf5, 0x52, 0x51, 0x77, 0x80, 0x9f, 0xf0, 0x20,
+	 0x7d, 0xe3, 0xab, 0x64, 0x8e, 0x4e, 0xea, 0x66,
+	 0x65, 0x76, 0x8b, 0xd7, 0x0f, 0x5f, 0x87, 0x67},
+};
+
+const ecc_25519_work_t ecc_25519_work_default_base = {
+	{0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9,
+	 0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69,
+	 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
+	 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21},
+	{0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66},
+	{1},
+	{0xa3, 0xdd, 0xb7, 0xa5, 0xb3, 0x8a, 0xde, 0x6d,
+	 0xf5, 0x52, 0x51, 0x77, 0x80, 0x9f, 0xf0, 0x20,
+	 0x7d, 0xe3, 0xab, 0x64, 0x8e, 0x4e, 0xea, 0x66,
+	 0x65, 0x76, 0x8b, 0xd7, 0x0f, 0x5f, 0x87, 0x67},
+};
+
+
+const ecc_25519_work_t ecc_25519_work_base_ed25519 = {
+	{0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9,
+	 0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69,
+	 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
+	 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21},
+	{0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66},
+	{1},
+	{0xa3, 0xdd, 0xb7, 0xa5, 0xb3, 0x8a, 0xde, 0x6d,
+	 0xf5, 0x52, 0x51, 0x77, 0x80, 0x9f, 0xf0, 0x20,
+	 0x7d, 0xe3, 0xab, 0x64, 0x8e, 0x4e, 0xea, 0x66,
+	 0x65, 0x76, 0x8b, 0xd7, 0x0f, 0x5f, 0x87, 0x67},
+};
+
+
+static const uint32_t zero[32] = {0};
+static const uint32_t one[32] = {1};
+
+static const uint32_t minus1[32] = {
+	0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f,
+};
+
+/** Ed25519 parameter -(121665/121666) */
+static const uint32_t d[32] = {
+	0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
+	0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
+	0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
+	0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52,
+};
+
+
+/** Factor to multiply the X coordinate with to convert from the legacy to the Ed25519 curve */
+static const uint32_t legacy_to_ed25519[32] = {
+	0xe7, 0x81, 0xba, 0x00, 0x55, 0xfb, 0x91, 0x33,
+	0x7d, 0xe5, 0x82, 0xb4, 0x2e, 0x2c, 0x5e, 0x3a,
+	0x81, 0xb0, 0x03, 0xfc, 0x23, 0xf7, 0x84, 0x2d,
+	0x44, 0xf9, 0x5f, 0x9f, 0x0b, 0x12, 0xd9, 0x70,
+};
+
+/** Factor to multiply the X coordinate with to convert from the Ed25519 to the legacy curve */
+static const uint32_t ed25519_to_legacy[32] = {
+	0xe9, 0x68, 0x42, 0xdb, 0xaf, 0x04, 0xb4, 0x40,
+	0xa1, 0xd5, 0x43, 0xf2, 0xf9, 0x38, 0x31, 0x28,
+	0x01, 0x17, 0x05, 0x67, 0x9b, 0x81, 0x61, 0xf8,
+	0xa9, 0x5b, 0x3e, 0x6a, 0x20, 0x67, 0x4b, 0x24,
+};
 
 
 /** Adds two unpacked integers (modulo p) */
-static void add(unsigned int out[32], const unsigned int a[32], const unsigned int b[32]) {
+static void add(uint32_t out[32], const uint32_t a[32], const uint32_t b[32]) {
 	unsigned int j;
-	unsigned int u;
-	u = 0;
-	for (j = 0;j < 31;++j) { u += a[j] + b[j]; out[j] = u & 255; u >>= 8; }
-	u += a[31] + b[31]; out[31] = u;
-}
+	uint32_t u;
 
-/** Subtracts two unpacked integers (modulo p) */
-static void sub(unsigned int out[32], const unsigned int a[32], const unsigned int b[32]) {
-	unsigned int j;
-	unsigned int u;
-	u = 218;
-	for (j = 0;j < 31;++j) {
-		u += a[j] + 65280 - b[j];
+	u = 0;
+
+	for (j = 0; j < 31; j++) {
+		u += a[j] + b[j];
 		out[j] = u & 255;
 		u >>= 8;
 	}
+
+	u += a[31] + b[31];
+	out[31] = u;
+}
+
+/**
+ * Subtracts two unpacked integers (modulo p)
+ *
+ * b must be \em squeezed.
+ */
+static void sub(uint32_t out[32], const uint32_t a[32], const uint32_t b[32]) {
+	unsigned int j;
+	uint32_t u;
+
+	u = 218;
+
+	for (j = 0;j < 31;++j) {
+		u += a[j] + UINT32_C(65280) - b[j];
+		out[j] = u & 255;
+		u >>= 8;
+	}
+
 	u += a[31] - b[31];
 	out[31] = u;
 }
 
-/** Performs carry and reduce on an unpacked integer */
-static void squeeze(unsigned int a[32]) {
+/**
+ * Performs carry and reduce on an unpacked integer
+ *
+ * The result is not always fully reduced, but it will be significantly smaller than \f$ 2p \f$.
+ */
+static void squeeze(uint32_t a[32]) {
 	unsigned int j;
-	unsigned int u;
+	uint32_t u;
+
 	u = 0;
-	for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; }
-	u += a[31]; a[31] = u & 127;
+
+	for (j = 0;j < 31;++j) {
+		u += a[j];
+		a[j] = u & 255;
+		u >>= 8;
+	}
+
+	u += a[31];
+	a[31] = u & 127;
 	u = 19 * (u >> 7);
-	for (j = 0;j < 31;++j) { u += a[j]; a[j] = u & 255; u >>= 8; }
-	u += a[31]; a[31] = u;
+
+	for (j = 0;j < 31;++j) {
+		u += a[j];
+		a[j] = u & 255;
+		u >>= 8;
+	}
+
+	u += a[31];
+	a[31] = u;
 }
 
+
+static const uint32_t minusp[32] = {
+	19, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 128
+};
+
 /**
  * Ensures that the output of a previous \ref squeeze is fully reduced
  *
- * After a \ref freeze, only the lower byte of each integer part holds a meaningful value
+ * After a \ref freeze, only the lower byte of each integer part holds a meaningful value.
  */
-static void freeze(unsigned int a[32]) {
-	static const unsigned int minusp[32] = {
-		19, 0, 0, 0, 0, 0, 0, 0,
-		0, 0, 0, 0, 0, 0, 0, 0,
-		0, 0, 0, 0, 0, 0, 0, 0,
-		0, 0, 0, 0, 0, 0, 0, 128
-	};
-
-	unsigned int aorig[32];
+static void freeze(uint32_t a[32]) {
+	uint32_t aorig[32];
 	unsigned int j;
-	unsigned int negative;
+	uint32_t negative;
 
-	for (j = 0; j < 32; j++) aorig[j] = a[j];
+	for (j = 0; j < 32; j++)
+		aorig[j] = a[j];
 	add(a, a, minusp);
 	negative = -((a[31] >> 7) & 1);
-	for (j = 0; j < 32; j++) a[j] ^= negative & (aorig[j] ^ a[j]);
+
+	for (j = 0; j < 32; j++)
+		a[j] ^= negative & (aorig[j] ^ a[j]);
 }
 
-/** Multiplies two unpacked integers (modulo p) */
-static void mult(unsigned int out[32], const unsigned int a[32], const unsigned int b[32]) {
-	unsigned int i;
-	unsigned int j;
-	unsigned int u;
+/**
+ * Returns the parity (lowest bit of the fully reduced value) of a
+ *
+ * The input must be \em squeezed.
+ */
+static int parity(const uint32_t a[32]) {
+	uint32_t b[32];
+
+	add(b, a, minusp);
+	return (a[0] ^ (b[31] >> 7) ^ 1) & 1;
+}
+
+/**
+ * Multiplies two unpacked integers (modulo p)
+ *
+ * The result will be \em squeezed.
+ */
+static void mult(uint32_t out[32], const uint32_t a[32], const uint32_t b[32]) {
+	unsigned int i, j;
+	uint32_t u;
 
 	for (i = 0; i < 32; ++i) {
 		u = 0;
-		for (j = 0;j <= i;++j) u += a[j] * b[i - j];
-		for (j = i + 1;j < 32;++j) u += 38 * a[j] * b[i + 32 - j];
+
+		for (j = 0; j <= i; j++)
+			u += a[j] * b[i - j];
+
+		for (j = i + 1; j < 32; j++)
+			u += 38 * a[j] * b[i + 32 - j];
+
 		out[i] = u;
 	}
+
 	squeeze(out);
 }
 
-/** Multiplies an unpacked integer with a small integer (modulo p) */
-static void mult_int(unsigned int out[32], unsigned int n, const unsigned int a[32]) {
+/**
+ * Multiplies an unpacked integer with a small integer (modulo p)
+ *
+ * The result will be \em squeezed.
+ */
+static void mult_int(uint32_t out[32], uint32_t n, const uint32_t a[32]) {
 	unsigned int j;
-	unsigned int u;
+	uint32_t u;
 
 	u = 0;
-	for (j = 0;j < 31;++j) { u += n * a[j]; out[j] = u & 255; u >>= 8; }
+
+	for (j = 0; j < 31; j++) {
+		u += n * a[j];
+		out[j] = u & 255;
+		u >>= 8;
+	}
+
 	u += n * a[31]; out[31] = u & 127;
 	u = 19 * (u >> 7);
-	for (j = 0;j < 31;++j) { u += out[j]; out[j] = u & 255; u >>= 8; }
-	u += out[j]; out[j] = u;
+
+	for (j = 0; j < 31; j++) {
+		u += out[j];
+		out[j] = u & 255;
+		u >>= 8;
+	}
+
+	u += out[j];
+	out[j] = u;
 }
 
-/** Squares an unpacked integer */
-static void square(unsigned int out[32], const unsigned int a[32]) {
-	unsigned int i;
-	unsigned int j;
-	unsigned int u;
+/**
+ * Squares an unpacked integer
+ *
+ * The result will be sqeezed.
+ */
+static void square(uint32_t out[32], const uint32_t a[32]) {
+	unsigned int i, j;
+	uint32_t u;
 
-	for (i = 0; i < 32; ++i) {
+	for (i = 0; i < 32; i++) {
 		u = 0;
-		for (j = 0;j < i - j;++j) u += a[j] * a[i - j];
-		for (j = i + 1;j < i + 32 - j;++j) u += 38 * a[j] * a[i + 32 - j];
+
+		for (j = 0; j < i - j; j++)
+			u += a[j] * a[i - j];
+
+		for (j = i + 1; j < i + 32 - j; j++)
+			u += 38 * a[j] * a[i + 32 - j];
+
 		u *= 2;
+
 		if ((i & 1) == 0) {
 			u += a[i / 2] * a[i / 2];
 			u += 38 * a[i / 2 + 16] * a[i / 2 + 16];
 		}
+
 		out[i] = u;
 	}
+
 	squeeze(out);
 }
 
 /** Checks for the equality of two unpacked integers */
-static int check_equal(const unsigned int x[32], const unsigned int y[32]) {
-	unsigned int differentbits = 0;
+static int check_equal(const uint32_t x[32], const uint32_t y[32]) {
+	uint32_t differentbits = 0;
 	int i;
 
 	for (i = 0; i < 32; i++) {
@@ -164,12 +354,12 @@ static int check_equal(const unsigned int x[32], const unsigned int y[32]) {
 }
 
 /**
- * Checks if an unpacked integer equals zero
+ * Checks if an unpacked integer equals zero (modulo p)
  *
- * The intergers must be must be \ref squeeze "squeezed" before.
+ * The integer must be squeezed before.
  */
-static int check_zero(const unsigned int x[32]) {
-	static const unsigned int p[32] = {
+static int check_zero(const uint32_t x[32]) {
+	static const uint32_t p[32] = {
 		0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
@@ -180,10 +370,10 @@ static int check_zero(const unsigned int x[32]) {
 }
 
 /** Copies r to out when b == 0, s when b == 1 */
-static void selectw(ecc_25519_work_t *out, const ecc_25519_work_t *r, const ecc_25519_work_t *s, unsigned int b) {
+static void selectw(ecc_25519_work_t *out, const ecc_25519_work_t *r, const ecc_25519_work_t *s, uint32_t b) {
 	unsigned int j;
-	unsigned int t;
-	unsigned int bminus1;
+	uint32_t t;
+	uint32_t bminus1;
 
 	bminus1 = b - 1;
 	for (j = 0; j < 32; ++j) {
@@ -202,10 +392,10 @@ static void selectw(ecc_25519_work_t *out, const ecc_25519_work_t *r, const ecc_
 }
 
 /** Copies r to out when b == 0, s when b == 1 */
-static void select(unsigned int out[32], const unsigned int r[32], const unsigned int s[32], unsigned int b) {
+static void select(uint32_t out[32], const uint32_t r[32], const uint32_t s[32], uint32_t b) {
 	unsigned int j;
-	unsigned int t;
-	unsigned int bminus1;
+	uint32_t t;
+	uint32_t bminus1;
 
 	bminus1 = b - 1;
 	for (j = 0;j < 32;++j) {
@@ -219,15 +409,8 @@ static void select(unsigned int out[32], const unsigned int r[32], const unsigne
  *
  * If the given integer has no square root, 0 is returned, 1 otherwise.
  */
-static int square_root(unsigned int out[32], const unsigned int z[32]) {
-	static const unsigned int minus1[32] = {
-		0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
-	};
-
-	static const unsigned int rho_s[32] = {
+static int square_root(uint32_t out[32], const uint32_t z[32]) {
+	static const uint32_t rho_s[32] = {
 		0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4,
 		0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f,
 		0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b,
@@ -236,18 +419,18 @@ static int square_root(unsigned int out[32], const unsigned int z[32]) {
 
 	/* raise z to power (2^252-2), check if power (2^253-5) equals -1 */
 
-	unsigned int z2[32];
-	unsigned int z9[32];
-	unsigned int z11[32];
-	unsigned int z2_5_0[32];
-	unsigned int z2_10_0[32];
-	unsigned int z2_20_0[32];
-	unsigned int z2_50_0[32];
-	unsigned int z2_100_0[32];
-	unsigned int t0[32];
-	unsigned int t1[32];
-	unsigned int z2_252_1[32];
-	unsigned int z2_252_1_rho_s[32];
+	uint32_t z2[32];
+	uint32_t z9[32];
+	uint32_t z11[32];
+	uint32_t z2_5_0[32];
+	uint32_t z2_10_0[32];
+	uint32_t z2_20_0[32];
+	uint32_t z2_50_0[32];
+	uint32_t z2_100_0[32];
+	uint32_t t0[32];
+	uint32_t t1[32];
+	uint32_t z2_252_1[32];
+	uint32_t z2_252_1_rho_s[32];
 	int i;
 
 	/* 2 */ square(z2, z);
@@ -313,17 +496,17 @@ static int square_root(unsigned int out[32], const unsigned int z[32]) {
 }
 
 /** Computes the reciprocal of an unpacked integer (in the prime field modulo p) */
-static void recip(unsigned int out[32], const unsigned int z[32]) {
-	unsigned int z2[32];
-	unsigned int z9[32];
-	unsigned int z11[32];
-	unsigned int z2_5_0[32];
-	unsigned int z2_10_0[32];
-	unsigned int z2_20_0[32];
-	unsigned int z2_50_0[32];
-	unsigned int z2_100_0[32];
-	unsigned int t0[32];
-	unsigned int t1[32];
+static void recip(uint32_t out[32], const uint32_t z[32]) {
+	uint32_t z2[32];
+	uint32_t z9[32];
+	uint32_t z11[32];
+	uint32_t z2_5_0[32];
+	uint32_t z2_10_0[32];
+	uint32_t z2_20_0[32];
+	uint32_t z2_50_0[32];
+	uint32_t z2_100_0[32];
+	uint32_t t0[32];
+	uint32_t t1[32];
 	int i;
 
 	/* 2 */ square(z2, z);
@@ -379,10 +562,37 @@ static void recip(unsigned int out[32], const unsigned int z[32]) {
 	/* 2^255 - 21 */ mult(out, t1, z11);
 }
 
-/** Loads a point with given coordinates into its unpacked representation */
-int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) {
+/**
+ * Checks if the X and Y coordinates of a work structure represent a valid point of the curve
+ *
+ * Also fills in the T coordinate.
+ */
+static int check_load_xy(ecc_25519_work_t *val) {
+	uint32_t X2[32], Y2[32], dX2[32], dX2Y2[32], Y2_X2[32], Y2_X2_1[32], r[32];
+
+	/* Check validity */
+	square(X2, val->X);
+	square(Y2, val->Y);
+
+	mult(dX2, d, X2);
+	mult(dX2Y2, dX2, Y2);
+
+	sub(Y2_X2, Y2, X2);
+	sub(Y2_X2_1, Y2_X2, one);
+
+	sub(r, Y2_X2_1, dX2Y2);
+	squeeze(r);
+
+	if (!check_zero(r))
+	    return 0;
+
+	mult(val->T, val->X, val->Y);
+
+	return 1;
+}
+
+int ecc_25519_load_xy_ed25519(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) {
 	int i;
-	unsigned int X2[32], Y2[32], aX2[32], dX2[32], dX2Y2[32], aX2_Y2[32], _1_dX2Y2[32], r[32];
 
 	for (i = 0; i < 32; i++) {
 		out->X[i] = x->p[i];
@@ -390,34 +600,31 @@ int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_in
 		out->Z[i] = (i == 0);
 	}
 
-	/* Check validity */
-	square(X2, out->X);
-	square(Y2, out->Y);
-	mult_int(aX2, 486664, X2);
-	mult_int(dX2, 486660, X2);
-	mult(dX2Y2, dX2, Y2);
-	add(aX2_Y2, aX2, Y2);
-	add(_1_dX2Y2, one, dX2Y2);
-	sub(r, aX2_Y2, _1_dX2Y2);
-	squeeze(r);
-
-	if (!check_zero(r))
-	    return 0;
-
-	mult(out->T, out->X, out->Y);
-
-	return 1;
+	return check_load_xy(out);
 }
 
-/**
- * Stores a point's x and y coordinates
- *
- * \param x Returns the x coordinate of the point. May be NULL.
- * \param y Returns the y coordinate of the point. May be NULL.
- * \param in The unpacked point to store.
- */
-void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) {
-	unsigned int X[32], Y[32], Z[32];
+int ecc_25519_load_xy_legacy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) {
+	int i;
+	uint32_t tmp[32];
+
+	for (i = 0; i < 32; i++) {
+		tmp[i] = x->p[i];
+		out->Y[i] = y->p[i];
+		out->Z[i] = (i == 0);
+	}
+
+	mult(out->X, tmp, legacy_to_ed25519);
+
+	return check_load_xy(out);
+}
+
+int ecc_25519_load_xy(ecc_25519_work_t *out, const ecc_int256_t *x, const ecc_int256_t *y) {
+	return ecc_25519_load_xy_legacy(out, x, y);
+}
+
+
+void ecc_25519_store_xy_ed25519(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) {
+	uint32_t X[32], Y[32], Z[32];
 	int i;
 
 	recip(Z, in->Z);
@@ -437,22 +644,80 @@ void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t
 	}
 }
 
-/** Loads a packed point into its unpacked representation */
-int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in) {
+void ecc_25519_store_xy_legacy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) {
+	uint32_t X[32], tmp[32], Y[32], Z[32];
 	int i;
-	unsigned int X2[32] /* X^2 */, aX2[32] /* aX^2 */, dX2[32] /* dX^2 */, _1_aX2[32] /* 1-aX^2 */, _1_dX2[32] /* 1-aX^2 */;
-	unsigned int _1_1_dX2[32]  /* 1/(1-aX^2) */, Y2[32] /* Y^2 */, Y[32], Yt[32];
+
+	recip(Z, in->Z);
+
+	if (x) {
+		mult(tmp, Z, in->X);
+		mult(X, tmp, ed25519_to_legacy);
+		freeze(X);
+		for (i = 0; i < 32; i++)
+			x->p[i] = X[i];
+	}
+
+	if (y) {
+		mult(Y, Z, in->Y);
+		freeze(Y);
+		for (i = 0; i < 32; i++)
+			y->p[i] = Y[i];
+	}
+}
+
+void ecc_25519_store_xy(ecc_int256_t *x, ecc_int256_t *y, const ecc_25519_work_t *in) {
+	ecc_25519_store_xy_legacy(x, y, in);
+}
+
+
+int ecc_25519_load_packed_ed25519(ecc_25519_work_t *out, const ecc_int256_t *in) {
+	int i;
+	uint32_t Y2[32] /* Y^2 */, dY2[32] /* dY^2 */, Y2_1[32] /* Y^2-1 */, dY2_1[32] /* dY^2+1 */, _1_dY2_1[32] /* 1/(dY^2+1) */;
+	uint32_t X2[32] /* X^2 */, X[32], Xt[32];
 
 	for (i = 0; i < 32; i++) {
-		out->X[i] = in->p[i];
+		out->Y[i] = in->p[i];
 		out->Z[i] = (i == 0);
 	}
 
-	out->X[31] &= 0x7f;
+	out->Y[31] &= 0x7f;
 
-	square(X2, out->X);
-	mult_int(aX2, 486664, X2);
-	mult_int(dX2, 486660, X2);
+	square(Y2, out->Y);
+	mult(dY2, d, Y2);
+	sub(Y2_1, Y2, one);
+	add(dY2_1, dY2, one);
+	recip(_1_dY2_1, dY2_1);
+	mult(X2, Y2_1, _1_dY2_1);
+
+	if (!square_root(X, X2))
+		return 0;
+
+	/* No squeeze is necessary after subtractions from zero if the subtrahend is squeezed */
+	sub(Xt, zero, X);
+
+	select(out->X, X, Xt, (in->p[31] >> 7) ^ parity(X));
+
+	mult(out->T, out->X, out->Y);
+
+	return 1;
+}
+
+int ecc_25519_load_packed_legacy(ecc_25519_work_t *out, const ecc_int256_t *in) {
+	int i;
+	uint32_t X2[32] /* X^2 */, aX2[32] /* aX^2 */, dX2[32] /* dX^2 */, _1_aX2[32] /* 1-aX^2 */, _1_dX2[32] /* 1-aX^2 */;
+	uint32_t _1_1_dX2[32]  /* 1/(1-aX^2) */, Y2[32] /* Y^2 */, Y[32], Yt[32], X_legacy[32];
+
+	for (i = 0; i < 32; i++) {
+		X_legacy[i] = in->p[i];
+		out->Z[i] = (i == 0);
+	}
+
+	X_legacy[31] &= 0x7f;
+
+	square(X2, X_legacy);
+	mult_int(aX2, UINT32_C(486664), X2);
+	mult_int(dX2, UINT32_C(486660), X2);
 	sub(_1_aX2, one, aX2);
 	sub(_1_dX2, one, dX2);
 	recip(_1_1_dX2, _1_dX2);
@@ -461,29 +726,43 @@ int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in) {
 	if (!square_root(Y, Y2))
 		return 0;
 
+	/* No squeeze is necessary after subtractions from zero if the subtrahend is squeezed */
 	sub(Yt, zero, Y);
 
-	select(out->Y, Y, Yt, (in->p[31] >> 7) ^ (Y[0] & 1));
+	select(out->Y, Y, Yt, (in->p[31] >> 7) ^ parity(Y));
 
+	mult(out->X, X_legacy, legacy_to_ed25519);
 	mult(out->T, out->X, out->Y);
 
 	return 1;
 }
 
-/** Stores a point into its packed representation */
-void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in) {
+int ecc_25519_load_packed(ecc_25519_work_t *out, const ecc_int256_t *in) {
+	return ecc_25519_load_packed_legacy(out, in);
+}
+
+
+void ecc_25519_store_packed_ed25519(ecc_int256_t *out, const ecc_25519_work_t *in) {
+	ecc_int256_t x;
+
+	ecc_25519_store_xy_ed25519(&x, out, in);
+	out->p[31] |= (x.p[0] << 7);
+}
+
+void ecc_25519_store_packed_legacy(ecc_int256_t *out, const ecc_25519_work_t *in) {
 	ecc_int256_t y;
 
-	ecc_25519_store_xy(out, &y, in);
+	ecc_25519_store_xy_legacy(out, &y, in);
 	out->p[31] |= (y.p[0] << 7);
 }
 
-/** The identity element */
-static const ecc_25519_work_t id = {{0}, {1}, {1}, {0}};
+void ecc_25519_store_packed(ecc_int256_t *out, const ecc_25519_work_t *in) {
+	ecc_25519_store_packed_legacy(out, in);
+}
+
 
-/** Checks if a point is the identity element of the Elliptic Curve group */
 int ecc_25519_is_identity(const ecc_25519_work_t *in) {
-	unsigned int Y_Z[32];
+	uint32_t Y_Z[32];
 
 	sub(Y_Z, in->Y, in->Z);
 	squeeze(Y_Z);
@@ -491,73 +770,126 @@ int ecc_25519_is_identity(const ecc_25519_work_t *in) {
 	return (check_zero(in->X)&check_zero(Y_Z));
 }
 
-/**
- * Doubles a point of the Elliptic Curve
- *
- * ecc_25519_double(out, in) is equivalent to ecc_25519_add(out, in, in), but faster.
- *
- * The same pointers may be used for input and output.
- */
+void ecc_25519_negate(ecc_25519_work_t *out, const ecc_25519_work_t *in) {
+	int i;
+
+	for (i = 0; i < 32; i++) {
+		out->Y[i] = in->Y[i];
+		out->Z[i] = in->Z[i];
+	}
+
+	/* No squeeze is necessary after subtractions from zero if the subtrahend is squeezed */
+	sub(out->X, zero, in->X);
+	sub(out->T, zero, in->T);
+}
+
 void ecc_25519_double(ecc_25519_work_t *out, const ecc_25519_work_t *in) {
-	unsigned int A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32], t2[32], t3[32];
+	uint32_t A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32];
 
 	square(A, in->X);
+
 	square(B, in->Y);
+
 	square(t0, in->Z);
 	mult_int(C, 2, t0);
-	mult_int(D, 486664, A);
-	add(t1, in->X, in->Y);
-	square(t2, t1);
-	sub(t3, t2, A); squeeze(t3);
-	sub(E, t3, B);
-	add(G, D, B); squeeze(G);
+
+	sub(D, zero, A);
+
+	add(t0, in->X, in->Y);
+	square(t1, t0);
+	sub(t0, t1, A);
+	sub(E, t0, B);
+
+	add(G, D, B);
 	sub(F, G, C);
 	sub(H, D, B);
+
 	mult(out->X, E, F);
 	mult(out->Y, G, H);
 	mult(out->T, E, H);
 	mult(out->Z, F, G);
 }
 
-/**
- * Adds two points of the Elliptic Curve
- *
- * The same pointers may be used for input and output.
- */
 void ecc_25519_add(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2) {
-	unsigned int A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32], t2[32], t3[32], t4[32], t5[32];
+	const uint32_t j = UINT32_C(60833);
+	const uint32_t k = UINT32_C(121665);
+	uint32_t A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32];
 
-	mult(A, in1->X, in2->X);
-	mult(B, in1->Y, in2->Y);
-	mult_int(t0, 486660, in2->T);
+	sub(t0, in1->Y, in1->X);
+	mult_int(t1, j, t0);
+	sub(t0, in2->Y, in2->X);
+	mult(A, t0, t1);
+
+	add(t0, in1->Y, in1->X);
+	mult_int(t1, j, t0);
+	add(t0, in2->Y, in2->X);
+	mult(B, t0, t1);
+
+	mult_int(t0, k, in2->T);
 	mult(C, in1->T, t0);
-	mult(D, in1->Z, in2->Z);
-	add(t1, in1->X, in1->Y);
-	add(t2, in2->X, in2->Y);
-	mult(t3, t1, t2);
-	sub(t4, t3, A); squeeze(t4);
-	sub(E, t4, B);
-	sub(F, D, C);
-	add(G, D, C);
-	mult_int(t5, 486664, A);
-	sub(H, B, t5);
+
+	mult_int(t0, 2*j, in2->Z);
+	mult(D, in1->Z, t0);
+
+	sub(E, B, A);
+	add(F, D, C);
+	sub(G, D, C);
+	add(H, B, A);
+
 	mult(out->X, E, F);
 	mult(out->Y, G, H);
 	mult(out->T, E, H);
 	mult(out->Z, F, G);
 }
 
-/**
- * Does a scalar multiplication of a point of the Elliptic Curve with an integer
- *
- * The same pointers may be used for input and output.
- **/
-void ecc_25519_scalarmult(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base) {
+/** Adds two points of the Elliptic Curve, assuming that in2->Z == 1 */
+static void ecc_25519_add1(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2) {
+	const uint32_t j = UINT32_C(60833);
+	const uint32_t k = UINT32_C(121665);
+	uint32_t A[32], B[32], C[32], D[32], E[32], F[32], G[32], H[32], t0[32], t1[32];
+
+	sub(t0, in1->Y, in1->X);
+	mult_int(t1, j, t0);
+	sub(t0, in2->Y, in2->X);
+	mult(A, t0, t1);
+
+	add(t0, in1->Y, in1->X);
+	mult_int(t1, j, t0);
+	add(t0, in2->Y, in2->X);
+	mult(B, t0, t1);
+
+	mult_int(t0, k, in2->T);
+	mult(C, in1->T, t0);
+
+	mult_int(D, 2*j, in1->Z);
+
+	sub(E, B, A);
+	add(F, D, C);
+	sub(G, D, C);
+	add(H, B, A);
+
+	mult(out->X, E, F);
+	mult(out->Y, G, H);
+	mult(out->T, E, H);
+	mult(out->Z, F, G);
+}
+
+void ecc_25519_sub(ecc_25519_work_t *out, const ecc_25519_work_t *in1, const ecc_25519_work_t *in2) {
+	ecc_25519_work_t in2_neg;
+
+	ecc_25519_negate(&in2_neg, in2);
+	ecc_25519_add(out, in1, &in2_neg);
+}
+
+void ecc_25519_scalarmult_bits(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base, unsigned bits) {
 	ecc_25519_work_t Q2, Q2p;
-	ecc_25519_work_t cur = id;
+	ecc_25519_work_t cur = ecc_25519_work_identity;
 	int b, pos;
 
-	for (pos = 255; pos >= 0; --pos) {
+	if (bits > 256)
+		bits = 256;
+
+	for (pos = bits - 1; pos >= 0; --pos) {
 		b = n->p[pos / 8] >> (pos & 7);
 		b &= 1;
 
@@ -569,28 +901,30 @@ void ecc_25519_scalarmult(ecc_25519_work_t *out, const ecc_int256_t *n, const ec
 	*out = cur;
 }
 
-/** The ec25519 default base */
-static const ecc_25519_work_t default_base = {
-	{0xd4, 0x6b, 0xfe, 0x7f, 0x39, 0xfa, 0x8c, 0x22,
-	 0xe1, 0x96, 0x23, 0xeb, 0x26, 0xb7, 0x8e, 0x6a,
-	 0x34, 0x74, 0x8b, 0x66, 0xd6, 0xa3, 0x26, 0xdd,
-	 0x19, 0x5e, 0x9f, 0x21, 0x50, 0x43, 0x7c, 0x54},
-	{0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
-	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
-	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
-	 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66},
-	{1},
-	{0x47, 0x56, 0x98, 0x99, 0xc7, 0x61, 0x0a, 0x82,
-	 0x1a, 0xdf, 0x82, 0x22, 0x1f, 0x2c, 0x72, 0x88,
-	 0xc3, 0x29, 0x09, 0x52, 0x78, 0xe9, 0x1e, 0xe4,
-	 0x47, 0x4b, 0x4c, 0x81, 0xa6, 0x02, 0xfd, 0x29}
-};
-
-/**
- * Does a scalar multiplication of the default base point (generator element) of the Elliptic Curve with an integer
- *
- * The order of the base point is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
- */
-void ecc_25519_scalarmult_base(ecc_25519_work_t *out, const ecc_int256_t *n) {
-	ecc_25519_scalarmult(out, n, &default_base);
+void ecc_25519_scalarmult(ecc_25519_work_t *out, const ecc_int256_t *n, const ecc_25519_work_t *base) {
+	ecc_25519_scalarmult_bits(out, n, base, 256);
+}
+
+void ecc_25519_scalarmult_base_bits(ecc_25519_work_t *out, const ecc_int256_t *n, unsigned bits) {
+	ecc_25519_work_t Q2, Q2p;
+	ecc_25519_work_t cur = ecc_25519_work_identity;
+	int b, pos;
+
+	if (bits > 256)
+		bits = 256;
+
+	for (pos = bits - 1; pos >= 0; --pos) {
+		b = n->p[pos / 8] >> (pos & 7);
+		b &= 1;
+
+		ecc_25519_double(&Q2, &cur);
+		ecc_25519_add1(&Q2p, &Q2, &ecc_25519_work_default_base);
+		selectw(&cur, &Q2, &Q2p, b);
+	}
+
+	*out = cur;
+}
+
+void ecc_25519_scalarmult_base(ecc_25519_work_t *out, const ecc_int256_t *n) {
+	ecc_25519_scalarmult_base_bits(out, n, 256);
 }

src/ec25519_gf.c

@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2012, Matthias Schiffer <mschiffer@universe-factory.net>
+  Copyright (c) 2012-2015, Matthias Schiffer <mschiffer@universe-factory.net>
   Partly based on public domain code by Matthew Dempsky and D. J. Bernstein.
   All rights reserved.
 
@@ -25,26 +25,23 @@
 */
 
 /** \file
-  Simple finite field operations on the prime field \f$ F_q \f$ for
-  \f$ q = 2^{252} + 27742317777372353535851937790883648493 \f$, which
-  is the order of the base point used for ec25519
-*/
+ * Simple finite field operations on the prime field \f$ F_q \f$ for
+ * \f$ q = 2^{252} + 27742317777372353535851937790883648493 \f$, which
+ * is the order of the base point used for ec25519
+ *
+ * Doxygen comments for public APIs can be found in the public header file.
+ */
 
 #include <libuecc/ecc.h>
 
 
-/** Checks if the highest bit of an unsigned integer is set */
+/** Checks if the highest bit of an uint32_teger is set */
 #define IS_NEGATIVE(n) ((int)((((unsigned)n) >> (8*sizeof(n)-1))&1))
 
 /** Performs an arithmetic right shift */
 #define ASR(n,s) (((n) >> s)|(IS_NEGATIVE(n)*((unsigned)-1) << (8*sizeof(n)-s)))
 
 
-/**
- * The order of the prime field
- *
- * The order is \f$ 2^{252} + 27742317777372353535851937790883648493 \f$.
- */
 const ecc_int256_t ecc_25519_gf_order = {{
 	0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
 	0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
@@ -53,15 +50,15 @@ const ecc_int256_t ecc_25519_gf_order = {{
 }};
 
 /** An internal alias for \ref ecc_25519_gf_order */
-static const unsigned char *q = ecc_25519_gf_order.p;
+static const uint8_t *q = ecc_25519_gf_order.p;
 
 /**
  * Copies the content of r into out if b == 0, the contents of s if b == 1
  */
-static void select(unsigned char out[32], const unsigned char r[32], const unsigned char s[32], unsigned int b) {
+static void select(uint8_t out[32], const uint8_t r[32], const uint8_t s[32], uint32_t b) {
 	unsigned int j;
-	unsigned int t;
-	unsigned int bminus1;
+	uint8_t t;
+	uint8_t bminus1;
 
 	bminus1 = b - 1;
 	for (j = 0;j < 32;++j) {
@@ -70,11 +67,10 @@ static void select(unsigned char out[32], const unsigned char r[32], const unsig
 	}
 }
 
-/** Checks if an integer is equal to zero (after reduction) */
 int ecc_25519_gf_is_zero(const ecc_int256_t *in) {
 	int i;
 	ecc_int256_t r;
-	unsigned int bits = 0;
+	uint32_t bits = 0;
 
 	ecc_25519_gf_reduce(&r, in);
 
@@ -84,14 +80,9 @@ int ecc_25519_gf_is_zero(const ecc_int256_t *in) {
 	return (((bits-1)>>8) & 1);
 }
 
-/**
- * Adds two integers as Galois field elements
- *
- * The same pointers may be used for input and output.
- */
 void ecc_25519_gf_add(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2) {
 	unsigned int j;
-	unsigned int u;
+	uint32_t u;
 	int nq = 1 - (in1->p[31]>>4) - (in2->p[31]>>4);
 
 	u = 0;
@@ -103,14 +94,9 @@ void ecc_25519_gf_add(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int2
 	}
 }
 
-/**
- * Subtracts two integers as Galois field elements
- *
- * The same pointers may be used for input and output.
- */
 void ecc_25519_gf_sub(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2) {
 	unsigned int j;
-	unsigned int u;
+	uint32_t u;
 	int nq = 8 - (in1->p[31]>>4) + (in2->p[31]>>4);
 
 	u = 0;
@@ -123,11 +109,11 @@ void ecc_25519_gf_sub(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int2
 }
 
 /** Reduces an integer to a unique representation in the range \f$ [0,q-1] \f$ */
-static void reduce(unsigned char a[32]) {
+static void reduce(uint8_t a[32]) {
 	unsigned int j;
-	unsigned int nq = a[31] >> 4;
-	unsigned int u1, u2;
-	unsigned char out1[32], out2[32];
+	uint32_t nq = a[31] >> 4;
+	uint32_t u1, u2;
+	uint8_t out1[32], out2[32];
 
 	u1 = u2 = 0;
 	for (j = 0; j < 31; ++j) {
@@ -145,11 +131,6 @@ static void reduce(unsigned char a[32]) {
 	select(a, out1, out2, IS_NEGATIVE(u1));
 }
 
-/**
- * Reduces an integer to a unique representation in the range \f$ [0,q-1] \f$
- *
- * The same pointers may be used for input and output.
- */
 void ecc_25519_gf_reduce(ecc_int256_t *out, const ecc_int256_t *in) {
 	int i;
 
@@ -160,10 +141,10 @@ void ecc_25519_gf_reduce(ecc_int256_t *out, const ecc_int256_t *in) {
 }
 
 /** Montgomery modular multiplication algorithm */
-static void montgomery(unsigned char out[32], const unsigned char a[32], const unsigned char b[32]) {
+static void montgomery(uint8_t out[32], const uint8_t a[32], const uint8_t b[32]) {
 	unsigned int i, j;
-	unsigned int nq;
-	unsigned int u;
+	uint32_t nq;
+	uint32_t u;
 
 	for (i = 0; i < 32; i++)
 		out[i] = 0;
@@ -183,22 +164,17 @@ static void montgomery(unsigned char out[32], const unsigned char a[32], const u
 	}
 }
 
-/**
- * Multiplies two integers as Galois field elements
- *
- * The same pointers may be used for input and output.
- */
 void ecc_25519_gf_mult(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int256_t *in2) {
 	/* 2^512 mod q */
-	static const unsigned char C[32] = {
+	static const uint8_t C[32] = {
 		0x01, 0x0f, 0x9c, 0x44, 0xe3, 0x11, 0x06, 0xa4,
 		0x47, 0x93, 0x85, 0x68, 0xa7, 0x1b, 0x0e, 0xd0,
 		0x65, 0xbe, 0xf5, 0x17, 0xd2, 0x73, 0xec, 0xce,
 		0x3d, 0x9a, 0x30, 0x7c, 0x1b, 0x41, 0x99, 0x03
 	};
 
-	unsigned char B[32];
-	unsigned char R[32];
+	uint8_t B[32];
+	uint8_t R[32];
 	unsigned int i;
 
 	for (i = 0; i < 32; i++)
@@ -210,18 +186,13 @@ void ecc_25519_gf_mult(ecc_int256_t *out, const ecc_int256_t *in1, const ecc_int
 	montgomery(out->p, R, C);
 }
 
-/**
- * Computes the reciprocal of a Galois field element
- *
- * The same pointers may be used for input and output.
- */
 void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in) {
-	static const unsigned char C[32] = {
+	static const uint8_t C[32] = {
 		0x01
 	};
 
-	unsigned char A[32], B[32];
-	unsigned char R1[32], R2[32];
+	uint8_t A[32], B[32];
+	uint8_t R1[32], R2[32];
 	int use_r2 = 0;
 	unsigned int i, j;
 
@@ -233,7 +204,7 @@ void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in) {
 	reduce(A);
 
 	for (i = 0; i < 32; i++) {
-		unsigned char c;
+		uint8_t c;
 
 		if (i == 0)
 			c = 0xeb; /* q[0] - 2 */
@@ -268,11 +239,6 @@ void ecc_25519_gf_recip(ecc_int256_t *out, const ecc_int256_t *in) {
 	montgomery(out->p, R2, C);
 }
 
-/**
- * Ensures some properties of a Galois field element to make it fit for use as a secret key
- *
- * The same pointers may be used for input and output.
- */
 void ecc_25519_gf_sanitize_secret(ecc_int256_t *out, const ecc_int256_t *in) {
 	int i;