for (k = 0; k < t; k++) {
unsigned int bit = i + s * (k + j * t);
- if (bit < C448_448_SCALAR_BITS) {
+ if (bit < C448_SCALAR_BITS) {
tab |=
(scalar1x->limb[bit / WBITS] >> (bit % WBITS) & 1) << k;
}
}
void curve448_point_mul_by_ratio_and_encode_like_eddsa(
- uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES],
+ uint8_t enc[EDDSA_448_PUBLIC_BYTES],
const curve448_point_t p)
{
gf_mul(x, y, z);
/* Encode */
- enc[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0;
+ enc[EDDSA_448_PRIVATE_BYTES - 1] = 0;
gf_serialize(enc, x, 1);
- enc[C448_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t);
+ enc[EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t);
OPENSSL_cleanse(x, sizeof(x));
OPENSSL_cleanse(y, sizeof(y));
c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
curve448_point_t p,
- const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES])
+ const uint8_t enc[EDDSA_448_PUBLIC_BYTES])
{
- uint8_t enc2[C448_EDDSA_448_PUBLIC_BYTES];
+ uint8_t enc2[EDDSA_448_PUBLIC_BYTES];
mask_t low;
mask_t succ;
memcpy(enc2, enc, sizeof(enc2));
- low = ~word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] & 0x80);
- enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80;
+ low = ~word_is_zero(enc2[EDDSA_448_PRIVATE_BYTES - 1] & 0x80);
+ enc2[EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80;
succ = gf_deserialize(p->y, enc2, 1, 0);
#if 0 == 0
- succ &= word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1]);
+ succ &= word_is_zero(enc2[EDDSA_448_PRIVATE_BYTES - 1]);
#endif
gf_sqr(p->x, p->y);
return c448_succeed_if(mask_to_bool(succ));
}
-c448_error_t c448_x448(uint8_t out[X_PUBLIC_BYTES],
- const uint8_t base[X_PUBLIC_BYTES],
- const uint8_t scalar[X_PRIVATE_BYTES])
+c448_error_t x448_int(uint8_t out[X_PUBLIC_BYTES],
+ const uint8_t base[X_PUBLIC_BYTES],
+ const uint8_t scalar[X_PRIVATE_BYTES])
{
gf x1, x2, z2, x3, z3, t1, t2;
int t;
curve448_point_destroy(q);
}
-void c448_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],
- const uint8_t scalar[X_PRIVATE_BYTES])
+void x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],
+ const uint8_t scalar[X_PRIVATE_BYTES])
{
/* Scalar conditioning */
uint8_t scalar2[X_PRIVATE_BYTES];
curve448_scalar_decode_long(the_scalar, scalar2, sizeof(scalar2));
/* Compensate for the encoding ratio */
- for (i = 1; i < C448_X448_ENCODE_RATIO; i <<= 1) {
+ for (i = 1; i < X448_ENCODE_RATIO; i <<= 1) {
curve448_scalar_halve(the_scalar, the_scalar);
}
curve448_precomputed_scalarmul(p, curve448_precomputed_base, the_scalar);
const curve448_scalar_t scalar,
unsigned int table_bits)
{
- unsigned int table_size = C448_448_SCALAR_BITS / (table_bits + 1) + 3;
+ unsigned int table_size = C448_SCALAR_BITS / (table_bits + 1) + 3;
int position = table_size - 1; /* at the end */
uint64_t current = scalar->limb[0] & 0xFFFF;
uint32_t mask = (1 << (table_bits + 1)) - 1;
* 1/5 op. Probably not worth it.
*/
- for (w = 1; w < (C448_448_SCALAR_BITS - 1) / 16 + 3; w++) {
- if (w < (C448_448_SCALAR_BITS - 1) / 16 + 1) {
+ for (w = 1; w < (C448_SCALAR_BITS - 1) / 16 + 3; w++) {
+ if (w < (C448_SCALAR_BITS - 1) / 16 + 1) {
/* Refill the 16 high bits of current */
current += (uint32_t)((scalar->limb[w / B_OVER_16]
>> (16 * (w % B_OVER_16))) << 16);
{
const int table_bits_var = C448_WNAF_VAR_TABLE_BITS,
table_bits_pre = C448_WNAF_FIXED_TABLE_BITS;
- struct smvt_control control_var[C448_448_SCALAR_BITS /
+ struct smvt_control control_var[C448_SCALAR_BITS /
(C448_WNAF_VAR_TABLE_BITS + 1) + 3];
- struct smvt_control control_pre[C448_448_SCALAR_BITS /
+ struct smvt_control control_pre[C448_SCALAR_BITS /
(C448_WNAF_FIXED_TABLE_BITS + 1) + 3];
int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);
int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);
int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],
const uint8_t peer_public_value[56])
{
- return c448_x448(out_shared_key, peer_public_value, private_key)
- == C448_SUCCESS;
+ return x448_int(out_shared_key, peer_public_value, private_key)
+ == C448_SUCCESS;
}
void X448_public_from_private(uint8_t out_public_value[56],
const uint8_t private_key[56])
{
- c448_x448_derive_public_key(out_public_value, private_key);
+ x448_derive_public_key(out_public_value, private_key);
}
#endif
/* Number of bytes in an EdDSA public key. */
-# define C448_EDDSA_448_PUBLIC_BYTES 57
+# define EDDSA_448_PUBLIC_BYTES 57
/* Number of bytes in an EdDSA private key. */
-# define C448_EDDSA_448_PRIVATE_BYTES C448_EDDSA_448_PUBLIC_BYTES
+# define EDDSA_448_PRIVATE_BYTES EDDSA_448_PUBLIC_BYTES
/* Number of bytes in an EdDSA private key. */
-# define C448_EDDSA_448_SIGNATURE_BYTES (C448_EDDSA_448_PUBLIC_BYTES + \
- C448_EDDSA_448_PRIVATE_BYTES)
+# define EDDSA_448_SIGNATURE_BYTES (EDDSA_448_PUBLIC_BYTES + \
+ EDDSA_448_PRIVATE_BYTES)
/* EdDSA encoding ratio. */
-# define C448_448_EDDSA_ENCODE_RATIO 4
+# define C448_EDDSA_ENCODE_RATIO 4
/* EdDSA decoding ratio. */
-# define C448_448_EDDSA_DECODE_RATIO (4 / 4)
+# define C448_EDDSA_DECODE_RATIO (4 / 4)
/*
* EdDSA key generation. This function uses a different (non-Decaf) encoding.
* privkey (in): The private key.
*/
c448_error_t c448_ed448_derive_public_key(
- uint8_t pubkey [C448_EDDSA_448_PUBLIC_BYTES],
- const uint8_t privkey [C448_EDDSA_448_PRIVATE_BYTES]);
+ uint8_t pubkey [EDDSA_448_PUBLIC_BYTES],
+ const uint8_t privkey [EDDSA_448_PRIVATE_BYTES]);
/*
* EdDSA signing.
* it harder to screw this up, but this C code gives you no seat belt.
*/
c448_error_t c448_ed448_sign(
- uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
- const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+ uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
+ const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
size_t context_len)
* it harder to screw this up, but this C code gives you no seat belt.
*/
c448_error_t c448_ed448_sign_prehash(
- uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
- const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+ uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
+ const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64],
const uint8_t *context,
size_t context_len)
* it harder to screw this up, but this C code gives you no seat belt.
*/
c448_error_t c448_ed448_verify(const uint8_t
- signature[C448_EDDSA_448_SIGNATURE_BYTES],
+ signature[EDDSA_448_SIGNATURE_BYTES],
const uint8_t
- pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+ pubkey[EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
uint8_t context_len)
* it harder to screw this up, but this C code gives you no seat belt.
*/
c448_error_t c448_ed448_verify_prehash(
- const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+ const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64],
const uint8_t *context,
uint8_t context_len)
/*
* EdDSA point encoding. Used internally, exposed externally.
- * Multiplies by C448_448_EDDSA_ENCODE_RATIO first.
+ * Multiplies by C448_EDDSA_ENCODE_RATIO first.
*
* The multiplication is required because the EdDSA encoding represents
* the cofactor information, but the Decaf encoding ignores it (which
* EdDSA, the cofactor info must get cleared, because the intermediate
* representation doesn't track it.
*
- * The way we handle this is to multiply by C448_448_EDDSA_DECODE_RATIO when
- * decoding, and by C448_448_EDDSA_ENCODE_RATIO when encoding. The product of
+ * The way we handle this is to multiply by C448_EDDSA_DECODE_RATIO when
+ * decoding, and by C448_EDDSA_ENCODE_RATIO when encoding. The product of
* these ratios is always exactly the cofactor 4, so the cofactor ends up
* cleared one way or another. But exactly how that shakes out depends on the
* base points specified in RFC 8032.
*
* The upshot is that if you pass the Decaf/Ristretto base point to
- * this function, you will get C448_448_EDDSA_ENCODE_RATIO times the
+ * this function, you will get C448_EDDSA_ENCODE_RATIO times the
* EdDSA base point.
*
* enc (out): The encoded point.
* p (in): The point.
*/
void curve448_point_mul_by_ratio_and_encode_like_eddsa(
- uint8_t enc [C448_EDDSA_448_PUBLIC_BYTES],
+ uint8_t enc [EDDSA_448_PUBLIC_BYTES],
const curve448_point_t p);
/*
- * EdDSA point decoding. Multiplies by C448_448_EDDSA_DECODE_RATIO, and
+ * EdDSA point decoding. Multiplies by C448_EDDSA_DECODE_RATIO, and
* ignores cofactor information.
*
* See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa
*/
c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
curve448_point_t p,
- const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES]);
+ const uint8_t enc[EDDSA_448_PUBLIC_BYTES]);
/*
* EdDSA to ECDH private key conversion
* ed (in): The EdDSA private key
*/
c448_error_t c448_ed448_convert_private_key_to_x448(
- uint8_t x[C448_X448_PRIVATE_BYTES],
- const uint8_t ed[C448_EDDSA_448_PRIVATE_BYTES]);
+ uint8_t x[X448_PRIVATE_BYTES],
+ const uint8_t ed[EDDSA_448_PRIVATE_BYTES]);
#ifdef __cplusplus
} /* extern "C" */
return C448_SUCCESS;
}
-static void clamp(uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES])
+static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
{
uint8_t hibit = (1 << 0) >> 1;
/* Blarg */
secret_scalar_ser[0] &= -COFACTOR;
if (hibit == 0) {
- secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0;
- secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
+ secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
+ secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
} else {
- secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
- secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
+ secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
+ secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
}
}
/* In this file because it uses the hash */
c448_error_t c448_ed448_convert_private_key_to_x448(
- uint8_t x[C448_X448_PRIVATE_BYTES],
- const uint8_t ed [C448_EDDSA_448_PRIVATE_BYTES])
+ uint8_t x[X448_PRIVATE_BYTES],
+ const uint8_t ed [EDDSA_448_PRIVATE_BYTES])
{
/* pass the private key through oneshot_hash function */
- /* and keep the first C448_X448_PRIVATE_BYTES bytes */
- return oneshot_hash(x, C448_X448_PRIVATE_BYTES, ed,
- C448_EDDSA_448_PRIVATE_BYTES);
+ /* and keep the first X448_PRIVATE_BYTES bytes */
+ return oneshot_hash(x, X448_PRIVATE_BYTES, ed,
+ EDDSA_448_PRIVATE_BYTES);
}
c448_error_t c448_ed448_derive_public_key(
- uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
- const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES])
+ uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
+ const uint8_t privkey[EDDSA_448_PRIVATE_BYTES])
{
/* only this much used for keygen */
- uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES];
+ uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
curve448_scalar_t secret_scalar;
unsigned int c;
curve448_point_t p;
if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
- C448_EDDSA_448_PRIVATE_BYTES))
+ EDDSA_448_PRIVATE_BYTES))
return C448_FAILURE;
clamp(secret_scalar_ser);
* converted it effectively picks up a factor of 2 from the isogenies. So
* we might start at 2 instead of 1.
*/
- for (c = 1; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1)
+ for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
curve448_scalar_halve(secret_scalar, secret_scalar);
curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);
}
c448_error_t c448_ed448_sign(
- uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
- const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+ uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
+ const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
size_t context_len)
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
c448_error_t ret = C448_FAILURE;
curve448_scalar_t nonce_scalar;
- uint8_t nonce_point[C448_EDDSA_448_PUBLIC_BYTES] = { 0 };
+ uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
unsigned int c;
curve448_scalar_t challenge_scalar;
{
/* Schedule the secret key */
struct {
- uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES];
- uint8_t seed[C448_EDDSA_448_PRIVATE_BYTES];
+ uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
+ uint8_t seed[EDDSA_448_PRIVATE_BYTES];
} __attribute__ ((packed)) expanded;
if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey,
- C448_EDDSA_448_PRIVATE_BYTES))
+ EDDSA_448_PRIVATE_BYTES))
goto err;
clamp(expanded.secret_scalar_ser);
curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser,
/* Decode the nonce */
{
- uint8_t nonce[2 * C448_EDDSA_448_PRIVATE_BYTES];
+ uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];
if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
goto err;
curve448_point_t p;
curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
- for (c = 2; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) {
+ for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) {
curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
}
}
{
- uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES];
+ uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
/* Compute the challenge */
if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
|| !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
- || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES)
+ || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
|| !EVP_DigestUpdate(hashctx, message, message_len)
|| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
goto err;
curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
- OPENSSL_cleanse(signature, C448_EDDSA_448_SIGNATURE_BYTES);
+ OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
memcpy(signature, nonce_point, sizeof(nonce_point));
- curve448_scalar_encode(&signature[C448_EDDSA_448_PUBLIC_BYTES],
+ curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
challenge_scalar);
curve448_scalar_destroy(secret_scalar);
}
c448_error_t c448_ed448_sign_prehash(
- uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
- const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+ uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
+ const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64], const uint8_t *context,
size_t context_len)
{
}
c448_error_t c448_ed448_verify(
- const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+ const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
uint8_t context_len)
{
/* Compute the challenge */
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
- uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES];
+ uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
if (hashctx == NULL
|| !hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
|| !EVP_DigestUpdate(hashctx, signature,
- C448_EDDSA_448_PUBLIC_BYTES)
- || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES)
+ EDDSA_448_PUBLIC_BYTES)
+ || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
|| !EVP_DigestUpdate(hashctx, message, message_len)
|| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
EVP_MD_CTX_free(hashctx);
challenge_scalar);
curve448_scalar_decode_long(response_scalar,
- &signature[C448_EDDSA_448_PUBLIC_BYTES],
- C448_EDDSA_448_PRIVATE_BYTES);
+ &signature[EDDSA_448_PUBLIC_BYTES],
+ EDDSA_448_PRIVATE_BYTES);
- for (c = 1; c < C448_448_EDDSA_DECODE_RATIO; c <<= 1)
+ for (c = 1; c < C448_EDDSA_DECODE_RATIO; c <<= 1)
curve448_scalar_add(response_scalar, response_scalar, response_scalar);
/* pk_point = -c(x(P)) + (cx + k)G = kG */
}
c448_error_t c448_ed448_verify_prehash(
- const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+ const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64], const uint8_t *context,
uint8_t context_len)
{
extern "C" {
#endif
-# define C448_448_SCALAR_LIMBS ((446-1)/C448_WORD_BITS+1)
+# define C448_SCALAR_LIMBS ((446-1)/C448_WORD_BITS+1)
/* The number of bits in a scalar */
-# define C448_448_SCALAR_BITS 446
+# define C448_SCALAR_BITS 446
/* Number of bytes in a serialized scalar. */
-# define C448_448_SCALAR_BYTES 56
+# define C448_SCALAR_BYTES 56
/* X448 encoding ratio. */
-# define C448_X448_ENCODE_RATIO 2
+# define X448_ENCODE_RATIO 2
/* Number of bytes in an x448 public key */
-# define C448_X448_PUBLIC_BYTES 56
+# define X448_PUBLIC_BYTES 56
/* Number of bytes in an x448 private key */
-# define C448_X448_PRIVATE_BYTES 56
+# define X448_PRIVATE_BYTES 56
/* Twisted Edwards extended homogeneous coordinates */
typedef struct curve448_point_s {
/* Scalar is stored packed, because we don't need the speed. */
typedef struct curve448_scalar_s {
- c448_word_t limb[C448_448_SCALAR_LIMBS];
+ c448_word_t limb[C448_SCALAR_LIMBS];
} curve448_scalar_t[1];
/* A scalar equal to 1. */
*/
__owur c448_error_t curve448_scalar_decode(
curve448_scalar_t out,
- const unsigned char ser[C448_448_SCALAR_BYTES]);
+ const unsigned char ser[C448_SCALAR_BYTES]);
/*
* Read a scalar from wire format or from bytes. Reduces mod scalar prime.
* ser (out): Serialized form of a scalar.
* s (in): Deserialized scalar.
*/
-void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES],
+void curve448_scalar_encode(unsigned char ser[C448_SCALAR_BYTES],
const curve448_scalar_t s);
/*
* C448_FAILURE: The scalarmul didn't succeed, because the base point is in a
* small subgroup.
*/
-__owur c448_error_t c448_x448(uint8_t out[C448_X448_PUBLIC_BYTES],
- const uint8_t base[C448_X448_PUBLIC_BYTES],
- const uint8_t scalar[C448_X448_PRIVATE_BYTES]);
+__owur c448_error_t x448_int(uint8_t out[X448_PUBLIC_BYTES],
+ const uint8_t base[X448_PUBLIC_BYTES],
+ const uint8_t scalar[X448_PRIVATE_BYTES]);
/*
- * Multiply a point by C448_X448_ENCODE_RATIO, then encode it like RFC 7748.
+ * Multiply a point by X448_ENCODE_RATIO, then encode it like RFC 7748.
*
* This function is mainly used internally, but is exported in case
* it will be useful.
*
* As it happens, this aligns with the base point definitions; that is,
* if you pass the Decaf/Ristretto base point to this function, the result
- * will be C448_X448_ENCODE_RATIO times the X448
+ * will be X448_ENCODE_RATIO times the X448
* base point.
*
* out (out): The scaled and encoded point.
* p (in): The point to be scaled and encoded.
*/
void curve448_point_mul_by_ratio_and_encode_like_x448(
- uint8_t out[C448_X448_PUBLIC_BYTES],
+ uint8_t out[X448_PUBLIC_BYTES],
const curve448_point_t p);
/*
* out (out): The scaled point base*scalar
* scalar (in): The scalar to multiply by.
*/
-void c448_x448_derive_public_key(
- uint8_t out[C448_X448_PUBLIC_BYTES],
- const uint8_t scalar[C448_X448_PRIVATE_BYTES]);
+void x448_derive_public_key(uint8_t out[X448_PUBLIC_BYTES],
+ const uint8_t scalar[X448_PRIVATE_BYTES]);
/*
* Multiply a precomputed base point by a scalar: out = scalar*base.
* Must have extra <= 1
*/
static void sc_subx(curve448_scalar_t out,
- const c448_word_t accum[C448_448_SCALAR_LIMBS],
+ const c448_word_t accum[C448_SCALAR_LIMBS],
const curve448_scalar_t sub,
const curve448_scalar_t p, c448_word_t extra)
{
unsigned int i;
c448_word_t borrow;
- for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+ for (i = 0; i < C448_SCALAR_LIMBS; i++) {
chain = (chain + accum[i]) - sub->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
borrow = chain + extra; /* = 0 or -1 */
chain = 0;
- for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+ for (i = 0; i < C448_SCALAR_LIMBS; i++) {
chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
out->limb[i] = chain;
chain >>= WBITS;
const curve448_scalar_t b)
{
unsigned int i, j;
- c448_word_t accum[C448_448_SCALAR_LIMBS + 1] = { 0 };
+ c448_word_t accum[C448_SCALAR_LIMBS + 1] = { 0 };
c448_word_t hi_carry = 0;
- for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+ for (i = 0; i < C448_SCALAR_LIMBS; i++) {
c448_word_t mand = a->limb[i];
const c448_word_t *mier = b->limb;
c448_dword_t chain = 0;
- for (j = 0; j < C448_448_SCALAR_LIMBS; j++) {
+ for (j = 0; j < C448_SCALAR_LIMBS; j++) {
chain += ((c448_dword_t) mand) * mier[j] + accum[j];
accum[j] = chain;
chain >>= WBITS;
mand = accum[0] * MONTGOMERY_FACTOR;
chain = 0;
mier = sc_p->limb;
- for (j = 0; j < C448_448_SCALAR_LIMBS; j++) {
+ for (j = 0; j < C448_SCALAR_LIMBS; j++) {
chain += (c448_dword_t) mand *mier[j] + accum[j];
if (j)
accum[j - 1] = chain;
c448_dword_t chain = 0;
unsigned int i;
- for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+ for (i = 0; i < C448_SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + b->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
{
unsigned int i, j, k = 0;
- for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+ for (i = 0; i < C448_SCALAR_LIMBS; i++) {
c448_word_t out = 0;
for (j = 0; j < sizeof(c448_word_t) && k < nbytes; j++, k++)
c448_error_t curve448_scalar_decode(
curve448_scalar_t s,
- const unsigned char ser[C448_448_SCALAR_BYTES])
+ const unsigned char ser[C448_SCALAR_BYTES])
{
unsigned int i;
c448_dsword_t accum = 0;
- scalar_decode_short(s, ser, C448_448_SCALAR_BYTES);
- for (i = 0; i < C448_448_SCALAR_LIMBS; i++)
+ scalar_decode_short(s, ser, C448_SCALAR_BYTES);
+ for (i = 0; i < C448_SCALAR_LIMBS; i++)
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
/* Here accum == 0 or -1 */
return;
}
- i = ser_len - (ser_len % C448_448_SCALAR_BYTES);
+ i = ser_len - (ser_len % C448_SCALAR_BYTES);
if (i == ser_len)
- i -= C448_448_SCALAR_BYTES;
+ i -= C448_SCALAR_BYTES;
scalar_decode_short(t1, &ser[i], ser_len - i);
}
while (i) {
- i -= C448_448_SCALAR_BYTES;
+ i -= C448_SCALAR_BYTES;
sc_montmul(t1, t1, sc_r2);
ignore_result(curve448_scalar_decode(t2, ser + i));
curve448_scalar_add(t1, t1, t2);
curve448_scalar_destroy(t2);
}
-void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES],
+void curve448_scalar_encode(unsigned char ser[C448_SCALAR_BYTES],
const curve448_scalar_t s)
{
unsigned int i, j, k = 0;
- for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+ for (i = 0; i < C448_SCALAR_LIMBS; i++) {
for (j = 0; j < sizeof(c448_word_t); j++, k++)
ser[k] = s->limb[i] >> (8 * j);
}
c448_word_t mask = -(a->limb[0] & 1);
c448_dword_t chain = 0;
unsigned int i;
- for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+ for (i = 0; i < C448_SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
out->limb[i] = chain;
chain >>= C448_WORD_BITS;
}
- for (i = 0; i < C448_448_SCALAR_LIMBS - 1; i++)
+ for (i = 0; i < C448_SCALAR_LIMBS - 1; i++)
out->limb[i] = out->limb[i] >> 1 | out->limb[i + 1] << (WBITS - 1);
out->limb[i] = out->limb[i] >> 1 | chain << (WBITS - 1);
}