libdecaf
point_255.hxx
Go to the documentation of this file.
1
25#ifndef __DECAF_POINT_255_HXX__
26#define __DECAF_POINT_255_HXX__ 1
27
29#ifndef _XOPEN_SOURCE
30#define _XOPEN_SOURCE 600
31#endif
32#include <stdlib.h>
33#include <string.h> /* for memcpy */
34
35#include <decaf/point_255.h>
36#include <decaf/ed255.h>
38#include <string>
39#include <sys/types.h>
40#include <limits.h>
41
43#if __cplusplus >= 201103L
44#define DECAF_NOEXCEPT noexcept
45#else
46#define DECAF_NOEXCEPT throw()
47#endif
50namespace decaf {
51
55struct Ristretto {
56
58static inline const char *name() { return "Ristretto"; }
59
61static inline int bits() { return 255; }
62
64static const int REMOVED_COFACTOR = 8;
65
67static const int FIELD_MODULUS_TYPE = 5;
68
70class Point;
71class Precomputed;
78class Scalar : public Serializable<Scalar> {
79public:
82
84 static const size_t SER_BYTES = DECAF_255_SCALAR_BYTES;
85
88
91 inline Scalar(const NOINIT &) DECAF_NOEXCEPT {}
95 inline Scalar(uint64_t w) DECAF_NOEXCEPT { *this = w; }
96
98 inline Scalar(int64_t w) DECAF_NOEXCEPT { *this = w; }
99
101 inline Scalar(unsigned int w) DECAF_NOEXCEPT { *this = w; }
102
104 inline Scalar(int w) DECAF_NOEXCEPT { *this = w; }
105
107 inline explicit Scalar(Rng &rng) DECAF_NOEXCEPT {
109 *this = sb;
110 }
111
113 inline Scalar(const Wrapped &t = decaf_255_scalar_zero) DECAF_NOEXCEPT { decaf_255_scalar_copy(s,t); }
114
116 inline Scalar(const Scalar &x) DECAF_NOEXCEPT { *this = x; }
117
119 inline Scalar(const Block &buffer) DECAF_NOEXCEPT { *this = buffer; }
120
122 inline size_t ser_size() const DECAF_NOEXCEPT { return SER_BYTES; }
123
125 inline void serialize_into(unsigned char *buffer) const DECAF_NOEXCEPT {
126 decaf_255_scalar_encode(buffer, s);
127 }
128
130 inline Scalar& operator=(const Scalar &x) DECAF_NOEXCEPT { decaf_255_scalar_copy(s,x.s); return *this; }
131
133 inline Scalar& operator=(uint64_t w) DECAF_NOEXCEPT { decaf_255_scalar_set_unsigned(s,w); return *this; }
134
135
137 inline Scalar& operator=(int64_t w) DECAF_NOEXCEPT {
138 Scalar t(-(uint64_t)INT_MIN);
139 decaf_255_scalar_set_unsigned(s,(uint64_t)w - (uint64_t)INT_MIN);
140 *this -= t;
141 return *this;
142 }
143
145 inline Scalar& operator=(unsigned int w) DECAF_NOEXCEPT { return *this = (uint64_t)w; }
146
148 inline Scalar& operator=(int w) DECAF_NOEXCEPT { return *this = (int64_t)w; }
149
151 inline ~Scalar() DECAF_NOEXCEPT { decaf_255_scalar_destroy(s); }
152
154 inline Scalar &operator=(const Block &bl) DECAF_NOEXCEPT {
155 decaf_255_scalar_decode_long(s,bl.data(),bl.size()); return *this;
156 }
157
162 static inline decaf_error_t DECAF_WARN_UNUSED decode (
163 Scalar &sc, const FixedBlock<SER_BYTES> buffer
164 ) DECAF_NOEXCEPT {
165 return decaf_255_scalar_decode(sc.s,buffer.data());
166 }
167
169 inline Scalar operator+ (const Scalar &q) const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_add(r.s,s,q.s); return r; }
170
172 inline Scalar &operator+=(const Scalar &q) DECAF_NOEXCEPT { decaf_255_scalar_add(s,s,q.s); return *this; }
173
175 inline Scalar operator- (const Scalar &q) const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_sub(r.s,s,q.s); return r; }
176
178 inline Scalar &operator-=(const Scalar &q) DECAF_NOEXCEPT { decaf_255_scalar_sub(s,s,q.s); return *this; }
179
181 inline Scalar operator* (const Scalar &q) const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_mul(r.s,s,q.s); return r; }
182
184 inline Scalar &operator*=(const Scalar &q) DECAF_NOEXCEPT { decaf_255_scalar_mul(s,s,q.s); return *this; }
185
187 inline Scalar operator- () const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_sub(r.s,decaf_255_scalar_zero,s); return r; }
188
192 inline Scalar inverse() const /*throw(CryptoException)*/ {
193 Scalar r;
195 throw CryptoException();
196 }
197 return r;
198 }
199
202 inline decaf_error_t DECAF_WARN_UNUSED
203 inverse_noexcept(Scalar &r) const DECAF_NOEXCEPT {
204 return decaf_255_scalar_invert(r.s,s);
205 }
206
208 inline Scalar operator/ (const Scalar &q) const /*throw(CryptoException)*/ { return *this * q.inverse(); }
209
211 inline Scalar &operator/=(const Scalar &q) /*throw(CryptoException)*/ { return *this *= q.inverse(); }
212
214 inline Scalar half() const { Scalar out; decaf_255_scalar_halve(out.s,s); return out; }
215
217 inline bool operator!=(const Scalar &q) const DECAF_NOEXCEPT { return !(*this == q); }
218
220 inline bool operator==(const Scalar &q) const DECAF_NOEXCEPT { return !!decaf_255_scalar_eq(s,q.s); }
221
223 inline Point operator* (const Point &q) const DECAF_NOEXCEPT { return q * (*this); }
224
226 inline Point operator* (const Precomputed &q) const DECAF_NOEXCEPT { return q * (*this); }
227
232 const FixedBlock<SER_BYTES> &in,
233 decaf_bool_t allow_identity=DECAF_FALSE,
234 decaf_bool_t short_circuit=DECAF_TRUE
235 ) const /*throw(CryptoException)*/;
236
238 inline decaf_error_t DECAF_WARN_UNUSED direct_scalarmul_noexcept(
240 const FixedBlock<SER_BYTES> &in,
241 decaf_bool_t allow_identity=DECAF_FALSE,
242 decaf_bool_t short_circuit=DECAF_TRUE
243 ) const DECAF_NOEXCEPT;
244};
245
247class Point : public Serializable<Point> {
248public:
251
253 static const size_t SER_BYTES = DECAF_255_SER_BYTES;
254
256 static const size_t HASH_BYTES = DECAF_255_HASH_BYTES;
257
260
263
266
269
272
276 static const size_t STEG_BYTES = HASH_BYTES * 2;
277
280
283
286 inline Point(const NOINIT &) DECAF_NOEXCEPT {}
290 inline Point(const Wrapped &q = decaf_255_point_identity) DECAF_NOEXCEPT { decaf_255_point_copy(p,q); }
291
293 inline Point(const Point &q) DECAF_NOEXCEPT { *this = q; }
294
296 inline Point& operator=(const Point &q) DECAF_NOEXCEPT { decaf_255_point_copy(p,q.p); return *this; }
297
299 inline ~Point() DECAF_NOEXCEPT { decaf_255_point_destroy(p); }
300
302 inline explicit Point(Rng &rng, bool uniform = true) DECAF_NOEXCEPT {
303 if (uniform) {
305 set_to_hash(b);
306 } else {
308 set_to_hash(b);
309 }
310 }
311
319 inline explicit Point(const FixedBlock<SER_BYTES> &buffer, bool allow_identity=true)
320 /*throw(CryptoException)*/ {
321 if (DECAF_SUCCESS != decode(buffer,allow_identity)) {
322 throw CryptoException();
323 }
324 }
325
334 inline decaf_error_t DECAF_WARN_UNUSED decode (
335 const FixedBlock<SER_BYTES> &buffer, bool allow_identity=true
336 ) DECAF_NOEXCEPT {
337 return decaf_255_point_decode(p,buffer.data(),allow_identity ? DECAF_TRUE : DECAF_FALSE);
338 }
339
350 ) DECAF_NOEXCEPT {
352 }
353
361 ) /*throw(CryptoException)*/ {
363 }
364
369 return ret;
370 }
371
375 ) const {
377 }
378
383 return ret;
384 }
385
389 }
390
397 static inline Point from_hash ( const Block &s ) DECAF_NOEXCEPT {
398 Point p((NOINIT())); p.set_to_hash(s); return p;
399 }
400
407 inline void set_to_hash( const Block &s ) DECAF_NOEXCEPT {
408 if (s.size() < HASH_BYTES) {
410 memcpy(b.data(), s.data(), s.size());
412 } else if (s.size() == HASH_BYTES) {
414 } else if (s.size() < 2*HASH_BYTES) {
416 memcpy(b.data(), s.data(), s.size());
418 } else {
420 }
421 }
422
424 inline operator SecureBuffer() const {
425 SecureBuffer buffer(SER_BYTES);
426 decaf_255_point_encode(buffer.data(), p);
427 return buffer;
428 }
429
431 inline size_t ser_size() const DECAF_NOEXCEPT { return SER_BYTES; }
432
434 inline void serialize_into(unsigned char *buffer) const DECAF_NOEXCEPT {
435 decaf_255_point_encode(buffer, p);
436 }
437
439 inline Point operator+ (const Point &q) const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_255_point_add(r.p,p,q.p); return r; }
440
442 inline Point &operator+=(const Point &q) DECAF_NOEXCEPT { decaf_255_point_add(p,p,q.p); return *this; }
443
445 inline Point operator- (const Point &q) const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_255_point_sub(r.p,p,q.p); return r; }
446
448 inline Point &operator-=(const Point &q) DECAF_NOEXCEPT { decaf_255_point_sub(p,p,q.p); return *this; }
449
451 inline Point operator- () const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_255_point_negate(r.p,p); return r; }
452
454 inline Point times_two () const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_255_point_double(r.p,p); return r; }
455
457 inline Point &double_in_place() DECAF_NOEXCEPT { decaf_255_point_double(p,p); return *this; }
458
460 inline bool operator!=(const Point &q) const DECAF_NOEXCEPT { return ! decaf_255_point_eq(p,q.p); }
461
463 inline bool operator==(const Point &q) const DECAF_NOEXCEPT { return !!decaf_255_point_eq(p,q.p); }
464
466 inline Point operator* (const Scalar &s) const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_255_point_scalarmul(r.p,p,s.s); return r; }
467
469 inline Point &operator*=(const Scalar &s) DECAF_NOEXCEPT { decaf_255_point_scalarmul(p,p,s.s); return *this; }
470
472 inline Point operator/ (const Scalar &s) const /*throw(CryptoException)*/ { return (*this) * s.inverse(); }
473
475 inline Point &operator/=(const Scalar &s) /*throw(CryptoException)*/ { return (*this) *= s.inverse(); }
476
478 inline bool validate() const DECAF_NOEXCEPT { return decaf_255_point_valid(p); }
479
481 static inline Point double_scalarmul (
482 const Point &q, const Scalar &qs, const Point &r, const Scalar &rs
483 ) DECAF_NOEXCEPT {
484 Point p((NOINIT())); decaf_255_point_double_scalarmul(p.p,q.p,qs.s,r.p,rs.s); return p;
485 }
486
488 inline void dual_scalarmul (
489 Point &q1, Point &q2, const Scalar &r1, const Scalar &r2
490 ) const DECAF_NOEXCEPT {
491 decaf_255_point_dual_scalarmul(q1.p,q2.p,p,r1.s,r2.s);
492 }
493
498 static inline Point double_scalarmul (
499 const Scalar &qs, const Point &q, const Scalar &rs, const Point &r
500 ) DECAF_NOEXCEPT {
501 return double_scalarmul(q,qs,r,rs);
502 }
503
509 inline Point non_secret_combo_with_base(const Scalar &s, const Scalar &s_base) DECAF_NOEXCEPT {
510 Point r((NOINIT())); decaf_255_base_double_scalarmul_non_secret(r.p,s_base.s,p,s.s); return r;
511 }
512
514 inline Point debugging_torque() const DECAF_NOEXCEPT {
515 Point q;
517 return q;
518 }
519
521 inline Point debugging_pscale(const FixedBlock<SER_BYTES> factor) const DECAF_NOEXCEPT {
522 Point q;
523 decaf_255_point_debugging_pscale(q.p,p,factor.data());
524 return q;
525 }
526
528 inline Point debugging_pscale(Rng &r) const DECAF_NOEXCEPT {
530 return debugging_pscale(sb);
531 }
532
538 Buffer buf, uint32_t hint
539 ) const DECAF_NOEXCEPT {
540 unsigned char buf2[2*HASH_BYTES];
541 memset(buf2,0,sizeof(buf2));
542 memcpy(buf2,buf.data(),(buf.size() > 2*HASH_BYTES) ? 2*HASH_BYTES : buf.size());
543 decaf_bool_t ret;
544 if (buf.size() > HASH_BYTES) {
545 ret = decaf_successful(decaf_255_invert_elligator_uniform(buf2, p, hint));
546 } else {
547 ret = decaf_successful(decaf_255_invert_elligator_nonuniform(buf2, p, hint));
548 }
549 if (buf.size() < HASH_BYTES) {
550 ret &= decaf_memeq(&buf2[buf.size()], &buf2[HASH_BYTES], HASH_BYTES - buf.size());
551 }
552 for (size_t i=0; i<buf.size() && i<HASH_BYTES; i++) {
553 buf[i] = (buf[i] & ~ret) | (buf2[i] &ret);
554 }
555 decaf_bzero(buf2,sizeof(buf2));
556 return decaf_succeed_if(ret);
557 }
558
560 inline SecureBuffer steg_encode(Rng &rng, size_t size=STEG_BYTES) const /*throw(std::bad_alloc, LengthException)*/ {
561 if (size <= HASH_BYTES + 4 || size > 2*HASH_BYTES) throw LengthException();
563 decaf_error_t done;
564 do {
565 rng.read(Buffer(out).slice(HASH_BYTES-4,STEG_BYTES-HASH_BYTES+1));
566 uint32_t hint = 0;
567 for (int i=0; i<4; i++) { hint |= uint32_t(out[HASH_BYTES-4+i])<<(8*i); }
568 done = invert_elligator(out, hint);
569 } while (!decaf_successful(done));
570 return out;
571 }
572
574 static inline const Point base() DECAF_NOEXCEPT { return Point(decaf_255_point_base); }
575
577 static inline const Point identity() DECAF_NOEXCEPT { return Point(decaf_255_point_identity); }
578};
579
588typedef decaf_255_precomputed_s Precomputed_U;
592 : protected OwnedOrUnowned<Precomputed,Precomputed_U>
594{
595public:
596
598 inline ~Precomputed() DECAF_NOEXCEPT { clear(); }
599
611 inline Precomputed (
612 const Precomputed_U &yours = *decaf_255_precomputed_base
613 ) DECAF_NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>(yours) {}
614
615
616#if __cplusplus >= 201103L
618 inline Precomputed &operator=(Precomputed &&it) DECAF_NOEXCEPT {
619 OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);
620 return *this;
621 }
622
624 inline Precomputed(Precomputed &&it) DECAF_NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>() {
625 *this = it;
626 }
627
629 inline Precomputed &operator=(const Precomputed &it) DECAF_NOEXCEPT {
630 OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);
631 return *this;
632 }
633#endif
634
638 inline Precomputed &operator=(const Point &it) /*throw(std::bad_alloc)*/ {
639 alloc();
640 decaf_255_precompute(ours.mine,it.p);
641 return *this;
642 }
643
647 inline Precomputed(const Precomputed &it) /*throw(std::bad_alloc)*/
648 : OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }
649
653 inline explicit Precomputed(const Point &it) /*throw(std::bad_alloc)*/
654 : OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }
655
657 inline Point operator* (const Scalar &s) const DECAF_NOEXCEPT { Point r; decaf_255_precomputed_scalarmul(r.p,get(),s.s); return r; }
658
660 inline Point operator/ (const Scalar &s) const /*throw(CryptoException)*/ { return (*this) * s.inverse(); }
661
663 static inline const Precomputed base() DECAF_NOEXCEPT { return Precomputed(); }
664
665public:
667 friend class OwnedOrUnowned<Precomputed,Precomputed_U>;
668 static inline size_t size() DECAF_NOEXCEPT { return decaf_255_sizeof_precomputed_s; }
669 static inline size_t alignment() DECAF_NOEXCEPT { return decaf_255_alignof_precomputed_s; }
670 static inline const Precomputed_U * default_value() DECAF_NOEXCEPT { return decaf_255_precomputed_base; }
672};
673
675struct DhLadder {
676public:
679
682
684 static const FixedBlock<PUBLIC_BYTES> base_point() DECAF_NOEXCEPT {
686 }
687
690 const FixedBlock<PUBLIC_BYTES> &pk,
691 const FixedBlock<PRIVATE_BYTES> &scalar
692 ) /*throw(std::bad_alloc,CryptoException)*/ {
694 if (DECAF_SUCCESS != decaf_x25519(out.data(), pk.data(), scalar.data())) {
695 throw CryptoException();
696 }
697 return out;
698 }
699
701 static inline decaf_error_t DECAF_WARN_UNUSED
704 const FixedBlock<PUBLIC_BYTES> &pk,
705 const FixedBlock<PRIVATE_BYTES> &scalar
706 ) DECAF_NOEXCEPT {
707 return decaf_x25519(out.data(), pk.data(), scalar.data());
708 }
709
714 static inline SecureBuffer DECAF_DEPRECATED("Renamed to derive_public_key")
715 generate_key(
716 const FixedBlock<PRIVATE_BYTES> &scalar
717 ) /*throw(std::bad_alloc)*/ {
719 decaf_x25519_derive_public_key(out.data(), scalar.data());
720 return out;
721 }
722
727 const FixedBlock<PRIVATE_BYTES> &scalar
728 ) /*throw(std::bad_alloc)*/ {
730 decaf_x25519_derive_public_key(out.data(), scalar.data());
731 return out;
732 }
733
737 static inline void
740 const FixedBlock<PRIVATE_BYTES> &scalar
741 ) DECAF_NOEXCEPT {
742 decaf_x25519_derive_public_key(out.data(), scalar.data());
743 }
744
749 static inline void
750 DECAF_DEPRECATED("Renamed to derive_public_key_noexcept")
753 const FixedBlock<PRIVATE_BYTES> &scalar
754 ) DECAF_NOEXCEPT {
755 decaf_x25519_derive_public_key(out.data(), scalar.data());
756 }
757};
758
759}; /* struct Ristretto */
760
763 const FixedBlock<Ristretto::Point::SER_BYTES> &in,
764 decaf_bool_t allow_identity,
765 decaf_bool_t short_circuit
766) const /*throw(CryptoException)*/ {
768 if (DECAF_SUCCESS !=
769 decaf_255_direct_scalarmul(out.data(), in.data(), s, allow_identity, short_circuit)
770 ) {
771 throw CryptoException();
772 }
773 return out;
774}
775
777 FixedBuffer<Ristretto::Point::SER_BYTES> &out,
778 const FixedBlock<Ristretto::Point::SER_BYTES> &in,
779 decaf_bool_t allow_identity,
780 decaf_bool_t short_circuit
781) const DECAF_NOEXCEPT {
782 return decaf_255_direct_scalarmul(out.data(), in.data(), s, allow_identity, short_circuit);
783}
788
789
790#undef DECAF_NOEXCEPT
791} /* namespace decaf */
792
793#endif /* __DECAF_POINT_255_HXX__ */
A reference to a block of data, which (when accessed through this base class) is const.
Definition: secure_buffer.hxx:159
const unsigned char * data() const DECAF_NOEXCEPT
Get const data.
Definition: secure_buffer.hxx:193
A reference to a writable block of data.
Definition: secure_buffer.hxx:264
const unsigned char * data() const DECAF_NOEXCEPT
Get const data.
Definition: secure_buffer.hxx:276
An exception for when crypto (ie point decode) has failed.
Definition: secure_buffer.hxx:119
A fixed-size stack-allocated buffer (for DECAF_NOEXCEPT semantics)
Definition: secure_buffer.hxx:331
A fixed-size block.
Definition: secure_buffer.hxx:247
A fixed-size block.
Definition: secure_buffer.hxx:304
An exception for when crypto (ie point decode) has failed.
Definition: secure_buffer.hxx:126
Element of prime-order elliptic curve group.
Definition: point_255.hxx:247
static Point double_scalarmul(const Scalar &qs, const Point &q, const Scalar &rs, const Point &r) DECAF_NOEXCEPT
Double-scalar multiply, equivalent to q*qs + r*rs but faster.
Definition: point_255.hxx:498
static const size_t HASH_BYTES
Bytes required for hash.
Definition: point_255.hxx:256
static const size_t EDDSA_BYTES
Bytes required for EdDSA encoding.
Definition: point_255.hxx:259
Point & operator+=(const Point &q) DECAF_NOEXCEPT
Point add.
Definition: point_255.hxx:442
static const unsigned int INVERT_ELLIGATOR_WHICH_BITS
Number of bits in invert_elligator which are actually used.
Definition: point_255.hxx:279
bool validate() const DECAF_NOEXCEPT
Validate / sanity check.
Definition: point_255.hxx:478
void set_to_hash(const Block &s) DECAF_NOEXCEPT
Map to the curve from a hash buffer.
Definition: point_255.hxx:407
Point debugging_torque() const DECAF_NOEXCEPT
Return a point equal to *this, whose internal data is rotated by a torsion element.
Definition: point_255.hxx:514
Point debugging_pscale(Rng &r) const DECAF_NOEXCEPT
Return a point equal to *this, whose internal data has a randomized representation.
Definition: point_255.hxx:528
void serialize_into(unsigned char *buffer) const DECAF_NOEXCEPT
Serializable instance.
Definition: point_255.hxx:434
static const Point identity() DECAF_NOEXCEPT
Return the identity point of the curve.
Definition: point_255.hxx:577
decaf_255_point_t Wrapped
Wrapped C type.
Definition: point_255.hxx:250
Point operator*(const Scalar &s) const DECAF_NOEXCEPT
Scalar multiply.
Definition: point_255.hxx:466
Point operator+(const Point &q) const DECAF_NOEXCEPT
Point add.
Definition: point_255.hxx:439
Point operator-() const DECAF_NOEXCEPT
Point negate.
Definition: point_255.hxx:451
static const int EDDSA_DECODE_RATIO
Ratio due to EdDSA decoding.
Definition: point_255.hxx:268
SecureBuffer mul_by_ratio_and_encode_like_eddsa() const
Multiply by EDDSA_ENCODE_RATIO and encode like EdDSA.
Definition: point_255.hxx:366
Point operator/(const Scalar &s) const
Multiply by s.inverse().
Definition: point_255.hxx:472
Point debugging_pscale(const FixedBlock< SER_BYTES > factor) const DECAF_NOEXCEPT
Return a point equal to *this, whose internal data has a modified representation.
Definition: point_255.hxx:521
Point non_secret_combo_with_base(const Scalar &s, const Scalar &s_base) DECAF_NOEXCEPT
Double-scalar multiply: this point by the first scalar and base by the second scalar.
Definition: point_255.hxx:509
static const int EDDSA_ENCODE_RATIO
Ratio due to EdDSA encoding.
Definition: point_255.hxx:265
Point times_two() const DECAF_NOEXCEPT
Double the point out of place.
Definition: point_255.hxx:454
Point & operator-=(const Point &q) DECAF_NOEXCEPT
Point subtract.
Definition: point_255.hxx:448
void decode_like_eddsa_and_mul_by_ratio(const FixedBlock< DECAF_EDDSA_25519_PUBLIC_BYTES > &buffer)
Decode from EDDSA, multiply by EDDSA_DECODE_RATIO, and ignore any remaining cofactor information.
Definition: point_255.hxx:359
static Point from_hash(const Block &s) DECAF_NOEXCEPT
Map uniformly to the curve from a hash buffer.
Definition: point_255.hxx:397
SecureBuffer steg_encode(Rng &rng, size_t size=STEG_BYTES) const
Steganographically encode this.
Definition: point_255.hxx:560
Point & operator=(const Point &q) DECAF_NOEXCEPT
Assignment.
Definition: point_255.hxx:296
Point(const Point &q) DECAF_NOEXCEPT
Copy constructor.
Definition: point_255.hxx:293
static const size_t STEG_BYTES
Size of a steganographically-encoded curve element.
Definition: point_255.hxx:276
void mul_by_ratio_and_encode_like_eddsa(FixedBuffer< DECAF_EDDSA_25519_PUBLIC_BYTES > &out) const
Multiply by EDDSA_ENCODE_RATIO and encode like EdDSA.
Definition: point_255.hxx:373
static const size_t LADDER_BYTES
Bytes required for EdDSA encoding.
Definition: point_255.hxx:262
~Point() DECAF_NOEXCEPT
Destructor securely zeorizes the point.
Definition: point_255.hxx:299
bool operator==(const Point &q) const DECAF_NOEXCEPT
Constant-time compare.
Definition: point_255.hxx:463
Point & double_in_place() DECAF_NOEXCEPT
Double the point in place.
Definition: point_255.hxx:457
size_t ser_size() const DECAF_NOEXCEPT
Serializable instance.
Definition: point_255.hxx:431
decaf_error_t invert_elligator(Buffer buf, uint32_t hint) const DECAF_NOEXCEPT
Modify buffer so that Point::from_hash(Buffer) == *this, and return DECAF_SUCCESS; or leave buf unmod...
Definition: point_255.hxx:537
Point(const FixedBlock< SER_BYTES > &buffer, bool allow_identity=true)
Initialize from a fixed-length byte string.
Definition: point_255.hxx:319
void dual_scalarmul(Point &q1, Point &q2, const Scalar &r1, const Scalar &r2) const DECAF_NOEXCEPT
Dual-scalar multiply, equivalent to this*r1, this*r2 but faster.
Definition: point_255.hxx:488
Wrapped p
The c-level object.
Definition: point_255.hxx:282
static const size_t SER_BYTES
Size of a serialized element.
Definition: point_255.hxx:253
Point(Rng &rng, bool uniform=true) DECAF_NOEXCEPT
Construct from RNG.
Definition: point_255.hxx:302
static const int LADDER_ENCODE_RATIO
Ratio due to ladder decoding.
Definition: point_255.hxx:271
static const Point base() DECAF_NOEXCEPT
Return the base point of the curve.
Definition: point_255.hxx:574
void mul_by_ratio_and_encode_like_ladder(FixedBuffer< LADDER_BYTES > &out) const
Multiply by LADDER_ENCODE_RATIO and encode like X25519/X448.
Definition: point_255.hxx:387
SecureBuffer mul_by_ratio_and_encode_like_ladder() const
Multiply by LADDER_ENCODE_RATIO and encode like X25519/X448.
Definition: point_255.hxx:380
bool operator!=(const Point &q) const DECAF_NOEXCEPT
Constant-time compare.
Definition: point_255.hxx:460
Point(const Wrapped &q=decaf_255_point_identity) DECAF_NOEXCEPT
Constructor sets to identity by default.
Definition: point_255.hxx:290
Point & operator/=(const Scalar &s)
Multiply by s.inverse().
Definition: point_255.hxx:475
decaf_error_t DECAF_WARN_UNUSED decode_like_eddsa_and_mul_by_ratio_noexcept(const FixedBlock< DECAF_EDDSA_25519_PUBLIC_BYTES > &buffer) DECAF_NOEXCEPT
Initialize from C++ fixed-length byte string, like EdDSA.
Definition: point_255.hxx:348
decaf_error_t DECAF_WARN_UNUSED decode(const FixedBlock< SER_BYTES > &buffer, bool allow_identity=true) DECAF_NOEXCEPT
Initialize from C++ fixed-length byte string.
Definition: point_255.hxx:334
Point & operator*=(const Scalar &s) DECAF_NOEXCEPT
Scalar multiply in place.
Definition: point_255.hxx:469
static Point double_scalarmul(const Point &q, const Scalar &qs, const Point &r, const Scalar &rs) DECAF_NOEXCEPT
Double-scalar multiply, equivalent to q*qs + r*rs but faster.
Definition: point_255.hxx:481
Precomputed table of points.
Definition: point_255.hxx:594
Point operator/(const Scalar &s) const
Multiply by s.inverse().
Definition: point_255.hxx:660
Precomputed(const Precomputed &it)
Copy constructor.
Definition: point_255.hxx:647
~Precomputed() DECAF_NOEXCEPT
Destructor securely zeorizes the memory.
Definition: point_255.hxx:598
Precomputed(const Precomputed_U &yours= *decaf_255_precomputed_base) DECAF_NOEXCEPT
Initialize from underlying type, declared as a reference to prevent it from being called with 0,...
Definition: point_255.hxx:611
Point operator*(const Scalar &s) const DECAF_NOEXCEPT
Fixed base scalarmul.
Definition: point_255.hxx:657
static const Precomputed base() DECAF_NOEXCEPT
Return the table for the base point.
Definition: point_255.hxx:663
Precomputed & operator=(const Point &it)
Initilaize from point.
Definition: point_255.hxx:638
Precomputed(const Point &it)
Constructor which initializes from point.
Definition: point_255.hxx:653
A scalar modulo the curve order.
Definition: point_255.hxx:78
Scalar & operator=(const Block &bl) DECAF_NOEXCEPT
Assign from arbitrary-length little-endian byte sequence in a Block.
Definition: point_255.hxx:154
decaf_255_scalar_t Wrapped
wrapped C type
Definition: point_255.hxx:81
bool operator==(const Scalar &q) const DECAF_NOEXCEPT
Compare in constant time.
Definition: point_255.hxx:220
Scalar(uint64_t w) DECAF_NOEXCEPT
Set to an unsigned word.
Definition: point_255.hxx:95
Scalar operator/(const Scalar &q) const
Return this/q.
Definition: point_255.hxx:208
Scalar(unsigned int w) DECAF_NOEXCEPT
Set to an unsigned word.
Definition: point_255.hxx:101
Scalar(const Wrapped &t=decaf_255_scalar_zero) DECAF_NOEXCEPT
Construct from decaf_scalar_t object.
Definition: point_255.hxx:113
Scalar & operator=(int w) DECAF_NOEXCEPT
Assign from signed int.
Definition: point_255.hxx:148
Scalar & operator-=(const Scalar &q) DECAF_NOEXCEPT
Subtract from this.
Definition: point_255.hxx:178
decaf_error_t DECAF_WARN_UNUSED inverse_noexcept(Scalar &r) const DECAF_NOEXCEPT
Invert with Fermat's Little Theorem (slow!).
Definition: point_255.hxx:203
Wrapped s
access to the underlying scalar object
Definition: point_255.hxx:87
Scalar(int w) DECAF_NOEXCEPT
Set to a signed word.
Definition: point_255.hxx:104
static decaf_error_t DECAF_WARN_UNUSED decode(Scalar &sc, const FixedBlock< SER_BYTES > buffer) DECAF_NOEXCEPT
Decode from correct-length little-endian byte sequence.
Definition: point_255.hxx:162
Scalar(const Block &buffer) DECAF_NOEXCEPT
Construct from arbitrary-length little-endian byte sequence.
Definition: point_255.hxx:119
Scalar & operator+=(const Scalar &q) DECAF_NOEXCEPT
Add to this.
Definition: point_255.hxx:172
Scalar operator-() const DECAF_NOEXCEPT
Negate.
Definition: point_255.hxx:187
bool operator!=(const Scalar &q) const DECAF_NOEXCEPT
Compare in constant time.
Definition: point_255.hxx:217
Scalar & operator=(int64_t w) DECAF_NOEXCEPT
Assign from signed int.
Definition: point_255.hxx:137
Scalar & operator=(const Scalar &x) DECAF_NOEXCEPT
Assignment.
Definition: point_255.hxx:130
Scalar & operator*=(const Scalar &q) DECAF_NOEXCEPT
Multiply into this.
Definition: point_255.hxx:184
Scalar inverse() const
Return 1/this.
Definition: point_255.hxx:192
Scalar & operator=(unsigned int w) DECAF_NOEXCEPT
Assign from unsigned int.
Definition: point_255.hxx:145
Scalar & operator/=(const Scalar &q)
Set this to this/q.
Definition: point_255.hxx:211
size_t ser_size() const DECAF_NOEXCEPT
Serializable instance.
Definition: point_255.hxx:122
Scalar half() const
Return half this scalar.
Definition: point_255.hxx:214
~Scalar() DECAF_NOEXCEPT
Destructor securely zeorizes the scalar.
Definition: point_255.hxx:151
static const size_t SER_BYTES
Size of a serialized element.
Definition: point_255.hxx:84
Scalar & operator=(uint64_t w) DECAF_NOEXCEPT
Assign from unsigned 64-bit integer.
Definition: point_255.hxx:133
Scalar(const Scalar &x) DECAF_NOEXCEPT
Copy constructor.
Definition: point_255.hxx:116
void serialize_into(unsigned char *buffer) const DECAF_NOEXCEPT
Serializable instance.
Definition: point_255.hxx:125
Scalar operator+(const Scalar &q) const DECAF_NOEXCEPT
Add.
Definition: point_255.hxx:169
Scalar(int64_t w) DECAF_NOEXCEPT
Set to a signed word.
Definition: point_255.hxx:98
Scalar operator*(const Scalar &q) const DECAF_NOEXCEPT
Multiply.
Definition: point_255.hxx:181
SecureBuffer direct_scalarmul(const FixedBlock< SER_BYTES > &in, decaf_bool_t allow_identity=DECAF_FALSE, decaf_bool_t short_circuit=DECAF_TRUE) const
Direct scalar multiplication.
decaf_error_t DECAF_WARN_UNUSED direct_scalarmul_noexcept(FixedBuffer< SER_BYTES > &out, const FixedBlock< SER_BYTES > &in, decaf_bool_t allow_identity=DECAF_FALSE, decaf_bool_t short_circuit=DECAF_TRUE) const DECAF_NOEXCEPT
Direct scalar multiplication.
Scalar(Rng &rng) DECAF_NOEXCEPT
Construct from RNG.
Definition: point_255.hxx:107
Prototype of a random number generator.
Definition: secure_buffer.hxx:138
Base class of objects which support serialization.
Definition: secure_buffer.hxx:89
void DECAF_API_VIS decaf_bzero(void *data, size_t size) DECAF_NONNULL
Overwrite data with zeros.
decaf_bool_t DECAF_API_VIS decaf_memeq(const void *data1, const void *data2, size_t size) DECAF_NONNULL DECAF_WARN_UNUSED
Compare two buffers, returning DECAF_TRUE if they are equal.
uint32_t decaf_bool_t
"Boolean" type, will be set to all-zero or all-one (i.e.
Definition: common.h:89
decaf_error_t
Another boolean type used to indicate success or failure.
Definition: common.h:120
@ DECAF_SUCCESS
The operation succeeded.
Definition: common.h:121
const uint8_t decaf_x25519_base_point[DECAF_X25519_PUBLIC_BYTES]
The base point for X25519 Diffie-Hellman.
Definition: decaf.c:66
A group of prime order p, based on Curve25519.
void DECAF_API_VIS decaf_255_point_mul_by_ratio_and_encode_like_eddsa(uint8_t enc[DECAF_EDDSA_25519_PUBLIC_BYTES], const decaf_255_point_t p) DECAF_NONNULL DECAF_NOINLINE
EdDSA point encoding.
#define DECAF_255_EDDSA_DECODE_RATIO
EdDSA decoding ratio.
Definition: ed255.h:62
decaf_error_t DECAF_API_VIS decaf_255_point_decode_like_eddsa_and_mul_by_ratio(decaf_255_point_t p, const uint8_t enc[DECAF_EDDSA_25519_PUBLIC_BYTES]) DECAF_NONNULL DECAF_NOINLINE
EdDSA point decoding.
#define DECAF_255_EDDSA_ENCODE_RATIO
EdDSA encoding ratio.
Definition: ed255.h:59
#define DECAF_EDDSA_25519_PUBLIC_BYTES
Number of bytes in an EdDSA public key.
Definition: ed255.h:27
Namespace for all C++ decaf objects.
Definition: decaf.hxx:22
Ristretto IsoEd25519
Alternative name for Ristretto, for backwards compatibility.
Definition: point_255.hxx:787
std::vector< unsigned char, SanitizingAllocator< unsigned char, 0 > > SecureBuffer
A variant of std::vector which securely zerozes its state when destructed.
Definition: secure_buffer.hxx:79
A group of prime order p, based on Curve25519.
void DECAF_API_VIS decaf_255_point_scalarmul(decaf_255_point_t scaled, const decaf_255_point_t base, const decaf_255_scalar_t scalar) DECAF_NONNULL DECAF_NOINLINE
Multiply a base point by a scalar: scaled = scalar*base.
decaf_error_t DECAF_API_VIS decaf_255_direct_scalarmul(uint8_t scaled[DECAF_255_SER_BYTES], const uint8_t base[DECAF_255_SER_BYTES], const decaf_255_scalar_t scalar, decaf_bool_t allow_identity, decaf_bool_t short_circuit) DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE
Multiply a base point by a scalar: scaled = scalar*base.
#define DECAF_255_INVERT_ELLIGATOR_WHICH_BITS
Number of bits in the "which" field of an elligator inverse.
Definition: point_255.h:53
void DECAF_API_VIS decaf_255_scalar_encode(unsigned char ser[DECAF_255_SCALAR_BYTES], const decaf_255_scalar_t s) DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE
Serialize a scalar to wire format.
decaf_error_t DECAF_API_VIS decaf_255_scalar_invert(decaf_255_scalar_t out, const decaf_255_scalar_t a) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE
Invert a scalar.
decaf_error_t DECAF_API_VIS decaf_255_invert_elligator_uniform(unsigned char recovered_hash[2 *DECAF_255_HASH_BYTES], const decaf_255_point_t pt, uint32_t which) DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED
Inverse of elligator-like hash to curve.
void DECAF_API_VIS decaf_255_point_double_scalarmul(decaf_255_point_t combo, const decaf_255_point_t base1, const decaf_255_scalar_t scalar1, const decaf_255_point_t base2, const decaf_255_scalar_t scalar2) DECAF_NONNULL DECAF_NOINLINE
Multiply two base points by two scalars: scaled = scalar1*base1 + scalar2*base2.
void DECAF_API_VIS decaf_255_point_encode(uint8_t ser[DECAF_255_SER_BYTES], const decaf_255_point_t pt) DECAF_NONNULL DECAF_NOINLINE
Encode a point as a sequence of bytes.
#define DECAF_255_SER_BYTES
Number of bytes in a serialized point.
Definition: point_255.h:42
struct decaf_255_precomputed_s decaf_255_precomputed_s
Precomputed table based on a point.
Definition: point_255.h:78
DECAF_API_VIS const struct decaf_255_precomputed_s * decaf_255_precomputed_base
Precomputed table of multiples of the base point on the curve.
void DECAF_API_VIS decaf_255_precompute(decaf_255_precomputed_s *a, const decaf_255_point_t b) DECAF_NONNULL DECAF_NOINLINE
Precompute a table for fast scalar multiplication.
decaf_error_t DECAF_API_VIS decaf_255_point_decode(decaf_255_point_t pt, const uint8_t ser[DECAF_255_SER_BYTES], decaf_bool_t allow_identity) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE
Decode a point from a sequence of bytes.
void DECAF_API_VIS decaf_255_scalar_add(decaf_255_scalar_t out, const decaf_255_scalar_t a, const decaf_255_scalar_t b) DECAF_NONNULL DECAF_NOINLINE
Add two scalars.
void DECAF_API_VIS decaf_255_point_debugging_pscale(decaf_255_point_t q, const decaf_255_point_t p, const unsigned char factor[DECAF_255_SER_BYTES]) DECAF_NONNULL DECAF_NOINLINE
Projectively scale a point, for debugging purposes.
void DECAF_API_VIS decaf_255_point_destroy(decaf_255_point_t point) DECAF_NONNULL
Securely erase a point by overwriting it with zeros.
struct decaf_255_point_s decaf_255_point_t[1]
Representation of a point on the elliptic curve.
decaf_bool_t DECAF_API_VIS decaf_255_scalar_eq(const decaf_255_scalar_t a, const decaf_255_scalar_t b) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE
Compare two scalars.
void DECAF_API_VIS decaf_x25519_derive_public_key(uint8_t out[DECAF_X25519_PUBLIC_BYTES], const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]) DECAF_NONNULL DECAF_NOINLINE
RFC 7748 Diffie-Hellman base point scalarmul.
struct decaf_255_scalar_s decaf_255_scalar_t[1]
Representation of an element of the scalar field.
decaf_error_t DECAF_API_VIS decaf_x25519(uint8_t shared[DECAF_X25519_PUBLIC_BYTES], const uint8_t base[DECAF_X25519_PUBLIC_BYTES], const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]) DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE
RFC 7748 Diffie-Hellman scalarmul, used to compute shared secrets.
void DECAF_API_VIS decaf_255_point_negate(decaf_255_point_t nega, const decaf_255_point_t a) DECAF_NONNULL
Negate a point to produce another point.
void DECAF_API_VIS decaf_255_scalar_destroy(decaf_255_scalar_t scalar) DECAF_NONNULL
Securely erase a scalar.
void DECAF_API_VIS decaf_255_scalar_set_unsigned(decaf_255_scalar_t out, uint64_t a) DECAF_NONNULL
Set a scalar to an unsigned 64-bit integer.
#define DECAF_X25519_PRIVATE_BYTES
Number of bytes in an x25519 private key.
Definition: point_255.h:65
void DECAF_API_VIS decaf_255_precomputed_scalarmul(decaf_255_point_t scaled, const decaf_255_precomputed_s *base, const decaf_255_scalar_t scalar) DECAF_NONNULL DECAF_NOINLINE
Multiply a precomputed base point by a scalar: scaled = scalar*base.
#define DECAF_X25519_PUBLIC_BYTES
Number of bytes in an x25519 public key.
Definition: point_255.h:62
void DECAF_API_VIS decaf_255_point_from_hash_uniform(decaf_255_point_t pt, const unsigned char hashed_data[2 *DECAF_255_HASH_BYTES]) DECAF_NONNULL DECAF_NOINLINE
Indifferentiable hash function encoding to curve.
#define DECAF_255_SCALAR_BYTES
Number of bytes in a serialized scalar.
Definition: point_255.h:50
#define DECAF_X25519_ENCODE_RATIO
X25519 encoding ratio.
Definition: point_255.h:59
void DECAF_API_VIS decaf_255_scalar_mul(decaf_255_scalar_t out, const decaf_255_scalar_t a, const decaf_255_scalar_t b) DECAF_NONNULL DECAF_NOINLINE
Multiply two scalars.
DECAF_API_VIS const decaf_255_point_t decaf_255_point_base
An arbitrarily-chosen base point on the curve.
void DECAF_API_VIS decaf_255_scalar_halve(decaf_255_scalar_t out, const decaf_255_scalar_t a) DECAF_NONNULL DECAF_NOINLINE
Halve a scalar.
void DECAF_API_VIS decaf_255_point_sub(decaf_255_point_t diff, const decaf_255_point_t a, const decaf_255_point_t b) DECAF_NONNULL
Subtract two points to produce a third point.
decaf_error_t DECAF_API_VIS decaf_255_scalar_decode(decaf_255_scalar_t out, const unsigned char ser[DECAF_255_SCALAR_BYTES]) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE
Read a scalar from wire format or from bytes.
void DECAF_API_VIS decaf_255_point_dual_scalarmul(decaf_255_point_t a1, decaf_255_point_t a2, const decaf_255_point_t base1, const decaf_255_scalar_t scalar1, const decaf_255_scalar_t scalar2) DECAF_NONNULL DECAF_NOINLINE
Multiply one base point by two scalars:
void DECAF_API_VIS decaf_255_point_debugging_torque(decaf_255_point_t q, const decaf_255_point_t p) DECAF_NONNULL DECAF_NOINLINE
Torque a point, for debugging purposes.
decaf_bool_t DECAF_API_VIS decaf_255_point_eq(const decaf_255_point_t a, const decaf_255_point_t b) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE
Test whether two points are equal.
DECAF_API_VIS const decaf_255_point_t decaf_255_point_identity
The identity (zero) point on the curve.
void DECAF_API_VIS decaf_255_scalar_sub(decaf_255_scalar_t out, const decaf_255_scalar_t a, const decaf_255_scalar_t b) DECAF_NONNULL DECAF_NOINLINE
Subtract two scalars.
void DECAF_API_VIS decaf_255_point_mul_by_ratio_and_encode_like_x25519(uint8_t out[DECAF_X25519_PUBLIC_BYTES], const decaf_255_point_t p) DECAF_NONNULL
Multiply a point by DECAF_X25519_ENCODE_RATIO, then encode it like RFC 7748.
decaf_bool_t DECAF_API_VIS decaf_255_point_valid(const decaf_255_point_t to_test) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE
Test that a point is valid, for debugging purposes.
DECAF_API_VIS const size_t decaf_255_sizeof_precomputed_s
Size and alignment of precomputed point tables.
decaf_error_t DECAF_API_VIS decaf_255_invert_elligator_nonuniform(unsigned char recovered_hash[DECAF_255_HASH_BYTES], const decaf_255_point_t pt, uint32_t which) DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED
Inverse of elligator-like hash to curve.
void DECAF_API_VIS decaf_255_point_add(decaf_255_point_t sum, const decaf_255_point_t a, const decaf_255_point_t b) DECAF_NONNULL
Add two points to produce a third point.
void DECAF_API_VIS decaf_255_point_double(decaf_255_point_t two_a, const decaf_255_point_t a) DECAF_NONNULL
Double a point.
#define DECAF_255_HASH_BYTES
Number of bytes in an elligated point.
Definition: point_255.h:47
void DECAF_API_VIS decaf_255_base_double_scalarmul_non_secret(decaf_255_point_t combo, const decaf_255_scalar_t scalar1, const decaf_255_point_t base2, const decaf_255_scalar_t scalar2) DECAF_NONNULL DECAF_NOINLINE
Multiply two base points by two scalars: scaled = scalar1*decaf_255_point_base + scalar2*base2.
DECAF_API_VIS const decaf_255_scalar_t decaf_255_scalar_zero
The scalar 0.
void DECAF_API_VIS decaf_255_scalar_decode_long(decaf_255_scalar_t out, const unsigned char *ser, size_t ser_len) DECAF_NONNULL DECAF_NOINLINE
Read a scalar from wire format or from bytes.
void DECAF_API_VIS decaf_255_point_from_hash_nonuniform(decaf_255_point_t pt, const unsigned char hashed_data[DECAF_255_HASH_BYTES]) DECAF_NONNULL DECAF_NOINLINE
Almost-Elligator-like hash to curve.
C++ self-zeroizing buffer.
Passed to constructors to avoid (conservative) initialization.
Definition: secure_buffer.hxx:133
X-only Diffie-Hellman ladder functions.
Definition: point_255.hxx:675
static void derive_public_key_noexcept(FixedBuffer< PUBLIC_BYTES > &out, const FixedBlock< PRIVATE_BYTES > &scalar) DECAF_NOEXCEPT
Calculate and return a public key into a fixed buffer; equivalent to shared_secret(base_point(),...
Definition: point_255.hxx:738
static const size_t PRIVATE_BYTES
Bytes in an X25519 private key.
Definition: point_255.hxx:681
static void generate_key_noexcept(FixedBuffer< PUBLIC_BYTES > &out, const FixedBlock< PRIVATE_BYTES > &scalar) DECAF_NOEXCEPT
Calculate and return a public key into a fixed buffer; equivalent to shared_secret(base_point(),...
Definition: point_255.hxx:751
static SecureBuffer DECAF_DEPRECATED("Renamed to derive_public_key") generate_key(const FixedBlock< PRIVATE_BYTES > &scalar)
Calculate and return a public key; equivalent to shared_secret(base_point(),scalar) but possibly fast...
Definition: point_255.hxx:714
static SecureBuffer shared_secret(const FixedBlock< PUBLIC_BYTES > &pk, const FixedBlock< PRIVATE_BYTES > &scalar)
Calculate and return a shared secret with public key.
Definition: point_255.hxx:689
static const size_t PUBLIC_BYTES
Bytes in an X25519 public key.
Definition: point_255.hxx:678
static decaf_error_t DECAF_WARN_UNUSED shared_secret_noexcept(FixedBuffer< PUBLIC_BYTES > &out, const FixedBlock< PUBLIC_BYTES > &pk, const FixedBlock< PRIVATE_BYTES > &scalar) DECAF_NOEXCEPT
Calculate and write into out a shared secret with public key, noexcept version.
Definition: point_255.hxx:702
static const FixedBlock< PUBLIC_BYTES > base_point() DECAF_NOEXCEPT
Base point for a scalar multiplication.
Definition: point_255.hxx:684
static SecureBuffer derive_public_key(const FixedBlock< PRIVATE_BYTES > &scalar)
Calculate and return a public key; equivalent to shared_secret(base_point(),scalar) but possibly fast...
Definition: point_255.hxx:726
Curve25519/Decaf instantiation of group.
Definition: point_255.hxx:55
static const char * name()
The name of the curve.
Definition: point_255.hxx:58
static const int REMOVED_COFACTOR
The curve's cofactor (removed, but useful for testing)
Definition: point_255.hxx:64
static const int FIELD_MODULUS_TYPE
Residue class of field modulus: p == this mod 2*(this-1)
Definition: point_255.hxx:67
static int bits()
The name of the curve.
Definition: point_255.hxx:61