base/permute.h, utils/permute.lisp, symm/...: Formalize bit permutations.

[catacomb] / pub / x25519.h

/* -*-c-*-
 *
 * The X25519 key-agreement algorithm
 *
 * (c) 2017 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#ifndef CATACOMB_X25519_H
#define CATACOMB_X25519_H

#ifdef __cplusplus
  extern "C" {
#endif

/*----- Notes on the X25519 key-agreement algorithm -----------------------*
 *
 * This is X25519, as described in Daniel J. Bernstein, `Curve25519: new
 * Diffie--Hellman speed records', PKC 2006,
 * https://cr.yp.to/ecdh/curve25519-20060209.pdf
 *
 * Since then, the name `Curve25519' has shifted somewhat, to refer to the
 * specific elliptic curve used, and the x-coordinate Diffie--Hellman
 * operation is now named `X25519'.
 *
 * The @x25519@ function essentially performs incompatible cofactor
 * multiplication on the elliptic curve %$E(k)$% containing points %$(x, y)$%
 * in %$\proj^2(k)$% satisfying the Montgomery-form equation
 *
 *      %$y^3 = x^3 + 486662 x^2 + x$% ,
 *
 * where $k = \gf{p}$, with $p = 2^{255} - 19$%.  The curve has
 * %$n = (p + 1) + 221938542218978828286815502327069187962$% points; this is
 * eight times a prime %$\ell$%.  The points with %$x$%-coordinate 9 have
 * order %$\ell$%.
 */

/*----- Header files ------------------------------------------------------*/

#include <mLib/bits.h>

#ifndef CATACOMB_KEY_H
#  include "key.h"
#endif

/*----- Important constants -----------------------------------------------*/

#define X25519_KEYSZ 32u
#define X25519_PUBSZ 32u
#define X25519_OUTSZ 32u

extern const octet x25519_base[32];

/*----- Key fetching ------------------------------------------------------*/

typedef struct x25519_priv { key_bin priv, pub; } x25519_priv;
typedef struct x25519_pub { key_bin pub; } x25519_pub;

extern const key_fetchdef x25519_pubfetch[], x25519_privfetch[];
#define X25519_PUBFETCHSZ 3
#define X25519_PRIVFETCHSZ 6

/*----- Functions provided ------------------------------------------------*/

/* --- @x25519@ --- *
 *
 * Arguments:   @octet zz[X25519_OUTSZ]@ = where to put the result
 *              @const octet k[X25519_KEYSZ]@ = pointer to private key
 *              @const octet qx[X25519_PUBSZ]@ = pointer to public value
 *
 * Returns:     ---
 *
 * Use:         Calculates X25519 of @k@ and @qx@.
 *
 *              Note that there is disagreement over whether the most
 *              significant bit of @qx@ (i.e., the value @qx[31]&0x80@)
 *              should be ignored or counted towards the represented value.
 *              Historically implementations respected the bit; later
 *              convention seems to be to ignore it.  This implementation
 *              honours the bit: a caller who wants to ignore the bit can
 *              easily clear it, while caller who wants to respect it has a
 *              difficult job if this function ignores it.
 */

extern void x25519(octet /*zz*/[X25519_OUTSZ],
                   const octet /*k*/[X25519_KEYSZ],
                   const octet /*qx*/[X25519_PUBSZ]);

/*----- That's all, folks -------------------------------------------------*/

#ifdef __cplusplus
  }
#endif

#endif