4 * Core operations on curve 25519 required for the higher level modules.
8 * Copyright (c) 2007, 2013, 2014 Michele Bini
9 * Copyright (c) 2014 Mega Limited
10 * under the MIT License.
12 * Authors: Guy K. Kloss, Michele Bini
14 * You should have received a copy of the license along with this program.
17 var core = require('./core');
18 var utils = require('./utils');
21 * @exports jodid25519/curve255
22 * Legacy compatibility module for Michele Bini's previous curve255.js.
25 * Legacy compatibility module for Michele Bini's previous curve255.js.
28 * This code presents an API with all key formats as previously available
29 * from Michele Bini's curve255.js implementation.
34 function curve25519_raw(f, c) {
38 a = core.dbl(x_1, core.ONE());
39 q = [x_1, core.ONE()];
43 while (core.getbit(f, n) == 0) {
45 // For correct constant-time operation, bit 255 should always be
46 // set to 1 so the following 'while' loop is never entered.
57 var b = core.getbit(f, n);
58 r = core.sum(aq[0][0], aq[0][1], aq[1][0], aq[1][1], x_1);
59 s = core.dbl(aq[1 - b][0], aq[1 - b][1]);
66 q[1] = core.invmodp(q[1]);
67 q[0] = core.mulmodp(q[0], q[1]);
72 function curve25519b32(a, b) {
73 return _base32encode(curve25519(_base32decode(a),
77 function curve25519(f, c) {
82 f[15] = (f[15] & 0x7FFF) | 0x4000;
83 return curve25519_raw(f, c);
86 function _hexEncodeVector(k) {
87 var hexKey = utils.hexEncode(k);
88 // Pad with '0' at the front.
89 hexKey = new Array(64 + 1 - hexKey.length).join('0') + hexKey;
91 return hexKey.split(/(..)/).reverse().join('');
94 function _hexDecodeVector(v) {
95 // assert(length(x) == 64);
97 var hexKey = v.split(/(..)/).reverse().join('');
98 return utils.hexDecode(hexKey);
102 // Expose some functions to the outside through this name space.
105 * Computes the scalar product of a point on the curve 25519.
107 * This function is used for the DH key-exchange protocol.
109 * Before multiplication, some bit operations are applied to the
110 * private key to ensure it is a valid Curve25519 secret key.
111 * It is the user's responsibility to make sure that the private
112 * key is a uniformly random, secret value.
118 * Public point on the curve. If not given, the curve's base point is used.
120 * Key point resulting from scalar product.
122 ns.curve25519 = curve25519;
125 * Computes the scalar product of a point on the curve 25519.
127 * This variant does not make sure that the private key is valid.
128 * The user has the responsibility to ensure the private key is
129 * valid or that this results in a safe protocol. Unless you know
130 * exactly what you are doing, you should not use this variant,
131 * please use 'curve25519' instead.
137 * Public point on the curve. If not given, the curve's base point is used.
139 * Key point resulting from scalar product.
141 ns.curve25519_raw = curve25519_raw;
144 * Encodes the internal representation of a key to a canonical hex
147 * This is the format commonly used in other libraries and for
148 * test vectors, and is equivalent to the hex dump of the key in
149 * little-endian binary format.
153 * Array representation of key.
155 * Hexadecimal string representation of key.
157 ns.hexEncodeVector = _hexEncodeVector;
160 * Decodes a canonical hex representation of a key
161 * to an internally compatible array representation.
165 * Hexadecimal string representation of key.
167 * Array representation of key.
169 ns.hexDecodeVector = _hexDecodeVector;
172 * Encodes the internal representation of a key into a
173 * hexadecimal representation.
175 * This is a strict positional notation, most significant digit first.
179 * Array representation of key.
181 * Hexadecimal string representation of key.
183 ns.hexencode = utils.hexEncode;
186 * Decodes a hex representation of a key to an internally
187 * compatible array representation.
191 * Hexadecimal string representation of key.
193 * Array representation of key.
195 ns.hexdecode = utils.hexDecode;
198 * Encodes the internal representation of a key to a base32
203 * Array representation of key.
205 * Base32 string representation of key.
207 ns.base32encode = utils.base32encode;
210 * Decodes a base32 representation of a key to an internally
211 * compatible array representation.
215 * Base32 string representation of key.
217 * Array representation of key.
219 ns.base32decode = utils.base32decode;