[catacomb] / pub / x25519.h

/* -*-c-*-
 *
 * The X25519 key-agreement algorithm
 *
 * (c) 2017 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#ifndef CATACOMB_X25519_H
#define CATACOMB_X25519_H

#ifdef __cplusplus
  extern "C" {
#endif

/*----- Notes on the X25519 key-agreement algorithm -----------------------*
 *
 * This is X25519, as described in Daniel J. Bernstein, `Curve25519: new
 * Diffie--Hellman speed records', PKC 2006,
 * https://cr.yp.to/ecdh/curve25519-20060209.pdf
 *
 * Since then, the name `Curve25519' has shifted somewhat, to refer to the
 * specific elliptic curve used, and the x-coordinate Diffie--Hellman
 * operation is now named `X25519'.
 *
 * The @x25519@ function essentially performs incompatible cofactor
 * multiplication on the elliptic curve %$E(k)$% containing points %$(x, y)$%
 * in %$\proj^2(k)$% satisfying the Montgomery-form equation
 *
 *	%$y^3 = x^3 + 486662 x^2 + x$% ,
 *
 * where $k = \gf{p}$, with $p = 2^{255} - 19$%.  The curve has
 * %$n = (p + 1) + 221938542218978828286815502327069187962$% points; this is
 * eight times a prime %$\ell$%.  The points with %$x$%-coordinate 9 have
 * order %$\ell$%.
 */

/*----- Header files ------------------------------------------------------*/

#include <mLib/bits.h>

#ifndef CATACOMB_KEY_H
#  include "key.h"
#endif

/*----- Important constants -----------------------------------------------*/

#define X25519_KEYSZ 32u
#define X25519_PUBSZ 32u
#define X25519_OUTSZ 32u

extern const octet x25519_base[32];

/*----- Key fetching ------------------------------------------------------*/

typedef struct x25519_priv { key_bin priv, pub; } x25519_priv;
typedef struct x25519_pub { key_bin pub; } x25519_pub;

extern const key_fetchdef x25519_pubfetch[], x25519_privfetch[];
#define X25519_PUBFETCHSZ 3
#define X25519_PRIVFETCHSZ 6

/*----- Functions provided ------------------------------------------------*/

/* --- @x25519@ --- *
 *
 * Arguments:	@octet zz[X25519_OUTSZ]@ = where to put the result
 *		@const octet k[X25519_KEYSZ]@ = pointer to private key
 *		@const octet qx[X25519_PUBSZ]@ = pointer to public value
 *
 * Returns:	---
 *
 * Use:		Calculates X25519 of @k@ and @qx@.
 *
 *		Note that there is disagreement over whether the most
 *		significant bit of @qx@ (i.e., the value @qx[31]&0x80@)
 *		should be ignored or counted towards the represented value.
 *		Historically implementations respected the bit; later
 *		convention seems to be to ignore it.  This implementation
 *		honours the bit: a caller who wants to ignore the bit can
 *		easily clear it, while caller who wants to respect it has a
 *		difficult job if this function ignores it.
 */

extern void x25519(octet /*zz*/[X25519_OUTSZ],
		   const octet /*k*/[X25519_KEYSZ],
		   const octet /*qx*/[X25519_PUBSZ]);

/*----- That's all, folks -------------------------------------------------*/

#ifdef __cplusplus
  }
#endif

#endif
Commit	Line	Data
fc2d44af MW	1	/* --c--
	2	*
	3	* The X25519 key-agreement algorithm
	4	*
	5	* (c) 2017 Straylight/Edgeware
	6	*/
	7
	8	/----- Licensing notice --------------------------------------------------
	9	*
	10	* This file is part of Catacomb.
	11	*
	12	* Catacomb is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU Library General Public License as
	14	* published by the Free Software Foundation; either version 2 of the
	15	* License, or (at your option) any later version.
	16	*
	17	* Catacomb is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU Library General Public License for more details.
	21	*
	22	* You should have received a copy of the GNU Library General Public
	23	* License along with Catacomb; if not, write to the Free
	24	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	25	* MA 02111-1307, USA.
	26	*/
	27
	28	#ifndef CATACOMB_X25519_H
	29	#define CATACOMB_X25519_H
	30
	31	#ifdef __cplusplus
	32	extern "C" {
	33	#endif
	34
	35	/----- Notes on the X25519 key-agreement algorithm -----------------------
	36	*
	37	* This is X25519, as described in Daniel J. Bernstein, `Curve25519: new
	38	* Diffie--Hellman speed records', PKC 2006,
	39	* https://cr.yp.to/ecdh/curve25519-20060209.pdf
	40	*
	41	* Since then, the name `Curve25519' has shifted somewhat, to refer to the
	42	* specific elliptic curve used, and the x-coordinate Diffie--Hellman
	43	* operation is now named `X25519'.
6dbc50ef MW	44	*
	45	* The @x25519@ function essentially performs incompatible cofactor
	46	* multiplication on the elliptic curve %$E(k)$% containing points %$(x, y)$%
	47	* in %$\proj^2(k)$% satisfying the Montgomery-form equation
	48	*
	49	* %$y^3 = x^3 + 486662 x^2 + x$% ,
	50	*
	51	* where $k = \gf{p}$, with $p = 2^{255} - 19$%. The curve has
	52	* %$n = (p + 1) + 221938542218978828286815502327069187962$% points; this is
	53	* eight times a prime %$\ell$%. The points with %$x$%-coordinate 9 have
	54	* order %$\ell$%.
fc2d44af MW	55	*/
	56
	57	/----- Header files ------------------------------------------------------/
	58
	59	#include <mLib/bits.h>
	60
	61	#ifndef CATACOMB_KEY_H
	62	# include "key.h"
	63	#endif
	64
	65	/----- Important constants -----------------------------------------------/
	66
	67	#define X25519_KEYSZ 32u
	68	#define X25519_PUBSZ 32u
	69	#define X25519_OUTSZ 32u
	70
	71	extern const octet x25519_base[32];
	72
	73	/----- Key fetching ------------------------------------------------------/
	74
	75	typedef struct x25519_priv { key_bin priv, pub; } x25519_priv;
	76	typedef struct x25519_pub { key_bin pub; } x25519_pub;
	77
	78	extern const key_fetchdef x25519_pubfetch[], x25519_privfetch[];
	79	#define X25519_PUBFETCHSZ 3
	80	#define X25519_PRIVFETCHSZ 6
	81
	82	/----- Functions provided ------------------------------------------------/
	83
	84	/* --- @x25519@ --- *
	85	*
	86	* Arguments: @octet zz[X25519_OUTSZ]@ = where to put the result
	87	* @const octet k[X25519_KEYSZ]@ = pointer to private key
	88	* @const octet qx[X25519_PUBSZ]@ = pointer to public value
	89	*
	90	* Returns: ---
	91	*
	92	* Use: Calculates X25519 of @k@ and @qx@.
	93	*
	94	* Note that there is disagreement over whether the most
	95	* significant bit of @qx@ (i.e., the value @qx[31]&0x80@)
	96	* should be ignored or counted towards the represented value.
	97	* Historically implementations respected the bit; later
	98	* convention seems to be to ignore it. This implementation
	99	* honours the bit: a caller who wants to ignore the bit can
	100	* easily clear it, while caller who wants to respect it has a
	101	* difficult job if this function ignores it.
	102	*/
	103
	104	extern void x25519(octet /zz/[X25519_OUTSZ],
	105	const octet /k/[X25519_KEYSZ],
	106	const octet /qx/[X25519_PUBSZ]);
	107
	108	/----- That's all, folks -------------------------------------------------/
	109
	110	#ifdef __cplusplus
	111	}
	112	#endif
	113
	114	#endif