Branch data Line data Source code
1 : : /* Arithmetic mod p = 2^255-19
2 : : * Daniel Beer <dlbeer@gmail.com>, 8 Jan 2014
3 : : *
4 : : * This file is in the public domain.
5 : : */
6 : :
7 : : #ifndef F25519_H_
8 : : #define F25519_H_
9 : :
10 : : #include <stdint.h>
11 : : #include <string.h>
12 : :
13 : : /* Field elements are represented as little-endian byte strings. All
14 : : * operations have timings which are independent of input data, so they
15 : : * can be safely used for cryptography.
16 : : *
17 : : * Computation is performed on un-normalized elements. These are byte
18 : : * strings which fall into the range 0 <= x < 2p. Use f25519_normalize()
19 : : * to convert to a value 0 <= x < p.
20 : : *
21 : : * Elements received from the outside may greater even than 2p.
22 : : * f25519_normalize() will correctly deal with these numbers too.
23 : : */
24 : : #define F25519_SIZE 32
25 : :
26 : : /* Identity constants */
27 : : #ifdef FULL_C25519_CODE
28 : : extern const uint8_t f25519_zero[F25519_SIZE];
29 : : #endif
30 : : extern const uint8_t f25519_one[F25519_SIZE];
31 : :
32 : : /* Load a small constant */
33 : : void f25519_load(uint8_t *x, uint32_t c);
34 : :
35 : : /* Copy two points */
36 : 28 : static inline void f25519_copy(uint8_t *x, const uint8_t *a)
37 : : {
38 : 28 : memcpy(x, a, F25519_SIZE);
39 : 28 : }
40 : :
41 : : /* Normalize a field point x < 2*p by subtracting p if necessary */
42 : : void f25519_normalize(uint8_t *x);
43 : :
44 : : /* Compare two field points in constant time. Return one if equal, zero
45 : : * otherwise. This should be performed only on normalized values.
46 : : */
47 : : uint8_t f25519_eq(const uint8_t *x, const uint8_t *y);
48 : :
49 : : /* Conditional copy. If condition == 0, then zero is copied to dst. If
50 : : * condition == 1, then one is copied to dst. Any other value results in
51 : : * undefined behaviour.
52 : : */
53 : : void f25519_select(uint8_t *dst,
54 : : const uint8_t *zero, const uint8_t *one,
55 : : uint8_t condition);
56 : :
57 : : /* Add/subtract two field points. The three pointers are not required to
58 : : * be distinct.
59 : : */
60 : : void f25519_add(uint8_t *r, const uint8_t *a, const uint8_t *b);
61 : : void f25519_sub(uint8_t *r, const uint8_t *a, const uint8_t *b);
62 : :
63 : : /* Unary negation */
64 : : void f25519_neg(uint8_t *r, const uint8_t *a);
65 : :
66 : : /* Multiply two field points. The __distinct variant is used when r is
67 : : * known to be in a different location to a and b.
68 : : */
69 : : #ifdef FULL_C25519_CODE
70 : : void f25519_mul(uint8_t *r, const uint8_t *a, const uint8_t *b);
71 : : #endif
72 : : void f25519_mul__distinct(uint8_t *r, const uint8_t *a, const uint8_t *b);
73 : :
74 : : /* Multiply a point by a small constant. The two pointers are not
75 : : * required to be distinct.
76 : : *
77 : : * The constant must be less than 2^24.
78 : : */
79 : : void f25519_mul_c(uint8_t *r, const uint8_t *a, uint32_t b);
80 : :
81 : : /* Take the reciprocal of a field point. The __distinct variant is used
82 : : * when r is known to be in a different location to x.
83 : : */
84 : : #ifdef FULL_C25519_CODE
85 : : void f25519_inv(uint8_t *r, const uint8_t *x);
86 : : #endif
87 : : void f25519_inv__distinct(uint8_t *r, const uint8_t *x);
88 : :
89 : : /* Compute one of the square roots of the field element, if the element
90 : : * is square. The other square is -r.
91 : : *
92 : : * If the input is not square, the returned value is a valid field
93 : : * element, but not the correct answer. If you don't already know that
94 : : * your element is square, you should square the return value and test.
95 : : */
96 : : void f25519_sqrt(uint8_t *r, const uint8_t *x);
97 : :
98 : : #endif
|
