1<?php
2
3if (class_exists('ParagonIE_Sodium_Core_X25519', false)) {
4 return;
5}
6
7/**
8 * Class ParagonIE_Sodium_Core_X25519
9 */
10abstract class ParagonIE_Sodium_Core_X25519 extends ParagonIE_Sodium_Core_Curve25519
11{
12 /**
13 * Alters the objects passed to this method in place.
14 *
15 * @internal You should not use this directly from another application
16 *
17 * @param ParagonIE_Sodium_Core_Curve25519_Fe $f
18 * @param ParagonIE_Sodium_Core_Curve25519_Fe $g
19 * @param int $b
20 * @return void
21 * @psalm-suppress MixedAssignment
22 */
23 public static function fe_cswap(
24 ParagonIE_Sodium_Core_Curve25519_Fe $f,
25 ParagonIE_Sodium_Core_Curve25519_Fe $g,
26 $b = 0
27 ) {
28 $b = -$b;
29 $x0 = ($f->e0 ^ $g->e0) & $b;
30 $x1 = ($f->e1 ^ $g->e1) & $b;
31 $x2 = ($f->e2 ^ $g->e2) & $b;
32 $x3 = ($f->e3 ^ $g->e3) & $b;
33 $x4 = ($f->e4 ^ $g->e4) & $b;
34 $x5 = ($f->e5 ^ $g->e5) & $b;
35 $x6 = ($f->e6 ^ $g->e6) & $b;
36 $x7 = ($f->e7 ^ $g->e7) & $b;
37 $x8 = ($f->e8 ^ $g->e8) & $b;
38 $x9 = ($f->e9 ^ $g->e9) & $b;
39 $f->e0 ^= $x0;
40 $f->e1 ^= $x1;
41 $f->e2 ^= $x2;
42 $f->e3 ^= $x3;
43 $f->e4 ^= $x4;
44 $f->e5 ^= $x5;
45 $f->e6 ^= $x6;
46 $f->e7 ^= $x7;
47 $f->e8 ^= $x8;
48 $f->e9 ^= $x9;
49 $g->e0 ^= $x0;
50 $g->e1 ^= $x1;
51 $g->e2 ^= $x2;
52 $g->e3 ^= $x3;
53 $g->e4 ^= $x4;
54 $g->e5 ^= $x5;
55 $g->e6 ^= $x6;
56 $g->e7 ^= $x7;
57 $g->e8 ^= $x8;
58 $g->e9 ^= $x9;
59 }
60
61 /**
62 * @internal You should not use this directly from another application
63 *
64 * @param ParagonIE_Sodium_Core_Curve25519_Fe $f
65 * @return ParagonIE_Sodium_Core_Curve25519_Fe
66 */
67 public static function fe_mul121666(ParagonIE_Sodium_Core_Curve25519_Fe $f)
68 {
69 $h0 = self::mul($f->e0, 121666, 17);
70 $h1 = self::mul($f->e1, 121666, 17);
71 $h2 = self::mul($f->e2, 121666, 17);
72 $h3 = self::mul($f->e3, 121666, 17);
73 $h4 = self::mul($f->e4, 121666, 17);
74 $h5 = self::mul($f->e5, 121666, 17);
75 $h6 = self::mul($f->e6, 121666, 17);
76 $h7 = self::mul($f->e7, 121666, 17);
77 $h8 = self::mul($f->e8, 121666, 17);
78 $h9 = self::mul($f->e9, 121666, 17);
79
80 $carry9 = ($h9 + (1 << 24)) >> 25;
81 $h0 += self::mul($carry9, 19, 5);
82 $h9 -= $carry9 << 25;
83
84 $carry1 = ($h1 + (1 << 24)) >> 25;
85 $h2 += $carry1;
86 $h1 -= $carry1 << 25;
87
88 $carry3 = ($h3 + (1 << 24)) >> 25;
89 $h4 += $carry3;
90 $h3 -= $carry3 << 25;
91
92 $carry5 = ($h5 + (1 << 24)) >> 25;
93 $h6 += $carry5;
94 $h5 -= $carry5 << 25;
95
96 $carry7 = ($h7 + (1 << 24)) >> 25;
97 $h8 += $carry7;
98 $h7 -= $carry7 << 25;
99
100
101 $carry0 = ($h0 + (1 << 25)) >> 26;
102 $h1 += $carry0;
103 $h0 -= $carry0 << 26;
104
105 $carry2 = ($h2 + (1 << 25)) >> 26;
106 $h3 += $carry2;
107 $h2 -= $carry2 << 26;
108
109 $carry4 = ($h4 + (1 << 25)) >> 26;
110 $h5 += $carry4;
111 $h4 -= $carry4 << 26;
112
113 $carry6 = ($h6 + (1 << 25)) >> 26;
114 $h7 += $carry6;
115 $h6 -= $carry6 << 26;
116
117 $carry8 = ($h8 + (1 << 25)) >> 26;
118 $h9 += $carry8;
119 $h8 -= $carry8 << 26;
120 return new ParagonIE_Sodium_Core_Curve25519_Fe($h0, $h1, $h2, $h3, $h4, $h5, $h6, $h7, $h8, $h9);
121 }
122
123 /**
124 * @internal You should not use this directly from another application
125 *
126 * Inline comments preceded by # are from libsodium's ref10 code.
127 *
128 * @param string $n
129 * @param string $p
130 * @return string
131 * @throws SodiumException
132 * @throws TypeError
133 */
134 public static function crypto_scalarmult_curve25519_ref10($n, $p)
135 {
136 # for (i = 0;i < 32;++i) e[i] = n[i];
137 $e = '' . $n;
138 # e[0] &= 248;
139 $e[0] = self::intToChr(
140 self::chrToInt($e[0]) & 248
141 );
142 # e[31] &= 127;
143 # e[31] |= 64;
144 $e[31] = self::intToChr(
145 (self::chrToInt($e[31]) & 127) | 64
146 );
147 # fe_frombytes(x1,p);
148 $x1 = self::fe_frombytes($p);
149 # fe_1(x2);
150 $x2 = self::fe_1();
151 # fe_0(z2);
152 $z2 = self::fe_0();
153 # fe_copy(x3,x1);
154 $x3 = self::fe_copy($x1);
155 # fe_1(z3);
156 $z3 = self::fe_1();
157
158 # swap = 0;
159 /** @var int $swap */
160 $swap = 0;
161
162 # for (pos = 254;pos >= 0;--pos) {
163 for ($pos = 254; $pos >= 0; --$pos) {
164 # b = e[pos / 8] >> (pos & 7);
165 /** @var int $b */
166 $b = self::chrToInt(
167 $e[(int) floor($pos / 8)]
168 ) >> ($pos & 7);
169 # b &= 1;
170 $b &= 1;
171 # swap ^= b;
172 $swap ^= $b;
173 # fe_cswap(x2,x3,swap);
174 self::fe_cswap($x2, $x3, $swap);
175 # fe_cswap(z2,z3,swap);
176 self::fe_cswap($z2, $z3, $swap);
177 # swap = b;
178 $swap = $b;
179 # fe_sub(tmp0,x3,z3);
180 $tmp0 = self::fe_sub($x3, $z3);
181 # fe_sub(tmp1,x2,z2);
182 $tmp1 = self::fe_sub($x2, $z2);
183
184 # fe_add(x2,x2,z2);
185 $x2 = self::fe_add($x2, $z2);
186
187 # fe_add(z2,x3,z3);
188 $z2 = self::fe_add($x3, $z3);
189
190 # fe_mul(z3,tmp0,x2);
191 $z3 = self::fe_mul($tmp0, $x2);
192
193 # fe_mul(z2,z2,tmp1);
194 $z2 = self::fe_mul($z2, $tmp1);
195
196 # fe_sq(tmp0,tmp1);
197 $tmp0 = self::fe_sq($tmp1);
198
199 # fe_sq(tmp1,x2);
200 $tmp1 = self::fe_sq($x2);
201
202 # fe_add(x3,z3,z2);
203 $x3 = self::fe_add($z3, $z2);
204
205 # fe_sub(z2,z3,z2);
206 $z2 = self::fe_sub($z3, $z2);
207
208 # fe_mul(x2,tmp1,tmp0);
209 $x2 = self::fe_mul($tmp1, $tmp0);
210
211 # fe_sub(tmp1,tmp1,tmp0);
212 $tmp1 = self::fe_sub($tmp1, $tmp0);
213
214 # fe_sq(z2,z2);
215 $z2 = self::fe_sq($z2);
216
217 # fe_mul121666(z3,tmp1);
218 $z3 = self::fe_mul121666($tmp1);
219
220 # fe_sq(x3,x3);
221 $x3 = self::fe_sq($x3);
222
223 # fe_add(tmp0,tmp0,z3);
224 $tmp0 = self::fe_add($tmp0, $z3);
225
226 # fe_mul(z3,x1,z2);
227 $z3 = self::fe_mul($x1, $z2);
228
229 # fe_mul(z2,tmp1,tmp0);
230 $z2 = self::fe_mul($tmp1, $tmp0);
231 }
232
233 # fe_cswap(x2,x3,swap);
234 self::fe_cswap($x2, $x3, $swap);
235
236 # fe_cswap(z2,z3,swap);
237 self::fe_cswap($z2, $z3, $swap);
238
239 # fe_invert(z2,z2);
240 $z2 = self::fe_invert($z2);
241
242 # fe_mul(x2,x2,z2);
243 $x2 = self::fe_mul($x2, $z2);
244 # fe_tobytes(q,x2);
245 return self::fe_tobytes($x2);
246 }
247
248 /**
249 * @internal You should not use this directly from another application
250 *
251 * @param ParagonIE_Sodium_Core_Curve25519_Fe $edwardsY
252 * @param ParagonIE_Sodium_Core_Curve25519_Fe $edwardsZ
253 * @return ParagonIE_Sodium_Core_Curve25519_Fe
254 */
255 public static function edwards_to_montgomery(
256 ParagonIE_Sodium_Core_Curve25519_Fe $edwardsY,
257 ParagonIE_Sodium_Core_Curve25519_Fe $edwardsZ
258 ) {
259 $tempX = self::fe_add($edwardsZ, $edwardsY);
260 $tempZ = self::fe_sub($edwardsZ, $edwardsY);
261 $tempZ = self::fe_invert($tempZ);
262 return self::fe_mul($tempX, $tempZ);
263 }
264
265 /**
266 * @internal You should not use this directly from another application
267 *
268 * @param string $n
269 * @return string
270 * @throws SodiumException
271 * @throws TypeError
272 */
273 public static function crypto_scalarmult_curve25519_ref10_base($n)
274 {
275 # for (i = 0;i < 32;++i) e[i] = n[i];
276 $e = '' . $n;
277
278 # e[0] &= 248;
279 $e[0] = self::intToChr(
280 self::chrToInt($e[0]) & 248
281 );
282
283 # e[31] &= 127;
284 # e[31] |= 64;
285 $e[31] = self::intToChr(
286 (self::chrToInt($e[31]) & 127) | 64
287 );
288
289 $A = self::ge_scalarmult_base($e);
290 if (
291 !($A->Y instanceof ParagonIE_Sodium_Core_Curve25519_Fe)
292 ||
293 !($A->Z instanceof ParagonIE_Sodium_Core_Curve25519_Fe)
294 ) {
295 throw new TypeError('Null points encountered');
296 }
297 $pk = self::edwards_to_montgomery($A->Y, $A->Z);
298 return self::fe_tobytes($pk);
299 }
300}
301