1 /* Edwards curve operations
2 * Daniel Beer <dlbeer@gmail.com>, 9 Jan 2014
4 * This file is in the public domain.
 */
12 /* This is not the Ed25519 signature system. Rather, we're implementing
13 * basic operations on the twisted Edwards curve over (Z mod 2^255-19):
15 * -x^2 + y^2 = 1 - (121665/121666)x^2y^2
17 * With the positive-x base point y = 4/5.
19 * These functions will not leak secret data through timing.
21 * For more information, see:
23 * Bernstein, D.J. & Lange, T. (2007) "Faster addition and doubling on
24 * elliptic curves". Document ID: 95616567a6ba20f575c5f25e7cebaf83.
26 * Hisil, H. & Wong, K K. & Carter, G. & Dawson, E. (2008) "Twisted
27 * Edwards curves revisited". Advances in Cryptology, ASIACRYPT 2008,
28 * Vol. 5350, pp. 326-343.
 */
/* Projective coordinates.
 *
 * NOTE(review): the enclosing `struct ed25519_pt {` and `};` lines are
 * missing from this extraction; the four members below are its body.
 * A point is held as four F25519 field elements. The header comment
 * cites Hisil et al. (2008), whose extended coordinates carry an
 * auxiliary t alongside (x, y, z); presumably t = x*y/z and the affine
 * point is (x/z, y/z) -- TODO confirm against ed25519.c. */
uint8_t x[F25519_SIZE];
uint8_t y[F25519_SIZE];
uint8_t t[F25519_SIZE];	/* auxiliary coordinate, see note above */
uint8_t z[F25519_SIZE];	/* projective denominator */
/* The curve's base point (the positive-x point with y = 4/5 named in
 * the file header), stored in projective form. Read-only: it is
 * declared const, so callers must never write through it. */
extern const struct ed25519_pt ed25519_base;
/* Convert between projective and affine coordinates (x/y in F25519).
 *
 * ed25519_project(): build the projective point *p from the affine
 * coordinates x and y, each an F25519 field element.
 * ed25519_unproject(): write the affine coordinates of *p into x and y,
 * each an F25519_SIZE-byte buffer supplied by the caller.
 *
 * Neither function returns a status; as far as this header shows, the
 * validity of the input point is not checked here, so presumably the
 * caller has already validated it (e.g. via ed25519_try_unpack()).
 */
void ed25519_project(struct ed25519_pt *p,
		     const uint8_t *x, const uint8_t *y);
void ed25519_unproject(uint8_t *x, uint8_t *y,
		       const struct ed25519_pt *p);
/* Compress/uncompress points. try_unpack() will check that the
 * compressed point is on the curve, returning 1 if the unpacked point
 * is valid, and 0 otherwise.
 *
 * ed25519_pack(): write the ED25519_PACK_SIZE-byte compressed form of
 * the affine point (x, y) into c.
 * ed25519_try_unpack(): decompress c into affine x and y. The return
 * value must always be checked: when it is 0 the contents of x and y
 * are not specified by this header and must not be used. Whether an
 * on-curve but low-order point is also rejected is not stated here;
 * confirm in ed25519.c before relying on it.
 */
#define ED25519_PACK_SIZE F25519_SIZE

void ed25519_pack(uint8_t *c, const uint8_t *x, const uint8_t *y);
uint8_t ed25519_try_unpack(uint8_t *x, uint8_t *y, const uint8_t *c);
/* Add, double and scalar multiply.
 *
 * Scalars ("exponents") passed to these operations are
 * ED25519_EXPONENT_SIZE bytes long. */
#define ED25519_EXPONENT_SIZE 32
60 /* Prepare an exponent by clamping appropriate bits */
61 static inline void ed25519_prepare(uint8_t *e
)
/* Copy a point: *dst becomes a duplicate of *src, all four coordinate
 * arrays included. The struct holds only fixed-size byte arrays and
 * no pointers, so a plain struct assignment is a complete copy. */
static inline void ed25519_copy(struct ed25519_pt *dst,
				const struct ed25519_pt *src)
{
	*dst = *src;
}
/* Point addition: r = a + b, all three in projective form. Per the
 * file header, the operation is meant not to leak its inputs through
 * timing. Whether r may alias a or b is not stated in this header;
 * check ed25519.c before passing the same object twice. */
void ed25519_add(struct ed25519_pt *r,
		 const struct ed25519_pt *a, const struct ed25519_pt *b);
77 void ed25519_smult(struct ed25519_pt
*r
, const struct ed25519_pt
*a
,