f25519.h

   1 /* Arithmetic mod p = 2^255-19
   2  * Daniel Beer <dlbeer@gmail.com>, 8 Jan 2014
   3  *
   4  * This file is in the public domain.
   5  */
   6
   7 #ifndef F25519_H_
   8 #define F25519_H_
   9
  10 #include <stdint.h>
  11 #include <string.h>
  12
  13 /* Field elements are represented as little-endian byte strings. All
  14  * operations have timings which are independent of input data, so they
  15  * can be safely used for cryptography.
  16  *
  17  * Computation is performed on un-normalized elements. These are byte
  18  * strings which fall into the range 0 <= x < 2p. Use f25519_normalize()
  19  * to convert to a value 0 <= x < p.
  20  *
  21  * Elements received from the outside may greater even than 2p.
  22  * f25519_normalize() will correctly deal with these numbers too.
  23  */
  24 #define F25519_SIZE             32
  25
  26 /* Identity constants */
  27 extern const uint8_t f25519_one[F25519_SIZE];
  28
  29 /* Load a small constant */
  30 void f25519_load(uint8_t *x, uint32_t c);
  31
  32 /* Copy two points */
  33 static inline void f25519_copy(uint8_t *x, const uint8_t *a)
  34 {
  35         memcpy(x, a, F25519_SIZE);
  36 }
  37
  38 /* Normalize a field point x < 2*p by subtracting p if necessary */
  39 void f25519_normalize(uint8_t *x);
  40
  41 /* Compare two field points in constant time. Return one if equal, zero
  42  * otherwise. This should be performed only on normalized values.
  43  */
  44 uint8_t f25519_eq(const uint8_t *x, const uint8_t *y);
  45
  46 /* Conditional copy. If condition == 0, then zero is copied to dst. If
  47  * condition == 1, then one is copied to dst. Any other value results in
  48  * undefined behaviour.
  49  */
  50 void f25519_select(uint8_t *dst,
  51                    const uint8_t *zero, const uint8_t *one,
  52                    uint8_t condition);
  53
  54 /* Add/subtract two field points. The three pointers are not required to
  55  * be distinct.
  56  */
  57 void f25519_add(uint8_t *r, const uint8_t *a, const uint8_t *b);
  58 void f25519_sub(uint8_t *r, const uint8_t *a, const uint8_t *b);
  59
  60 /* Unary negation */
  61 void f25519_neg(uint8_t *r, const uint8_t *a);
  62
  63 /* Multiply two field points. The __distinct variant is used when r is
  64  * known to be in a different location to a and b.
  65  */
  66 void f25519_mul__distinct(uint8_t *r, const uint8_t *a, const uint8_t *b);
  67
  68 /* Take the reciprocal of a field point. The __distinct variant is used
  69  * when r is known to be in a different location to x.
  70  */
  71 void f25519_inv__distinct(uint8_t *r, const uint8_t *x);
  72
  73 /* Compute one of the square roots of the field element, if the element
  74  * is square. The other square is -r.
  75  *
  76  * If the input is not square, the returned value is a valid field
  77  * element, but not the correct answer. If you don't already know that
  78  * your element is square, you should square the return value and test.
  79  */
  80 void f25519_sqrt(uint8_t *r, const uint8_t *x);
  81
  82 #endif