x25519 0.0.0 → 0.1.0

data/ext/x25519/ref10/pow225521.h

@@ -0,0 +1,160 @@
+
+/* qhasm: fe z1 */
+
+/* qhasm: fe z2 */
+
+/* qhasm: fe z8 */
+
+/* qhasm: fe z9 */
+
+/* qhasm: fe z11 */
+
+/* qhasm: fe z22 */
+
+/* qhasm: fe z_5_0 */
+
+/* qhasm: fe z_10_5 */
+
+/* qhasm: fe z_10_0 */
+
+/* qhasm: fe z_20_10 */
+
+/* qhasm: fe z_20_0 */
+
+/* qhasm: fe z_40_20 */
+
+/* qhasm: fe z_40_0 */
+
+/* qhasm: fe z_50_10 */
+
+/* qhasm: fe z_50_0 */
+
+/* qhasm: fe z_100_50 */
+
+/* qhasm: fe z_100_0 */
+
+/* qhasm: fe z_200_100 */
+
+/* qhasm: fe z_200_0 */
+
+/* qhasm: fe z_250_50 */
+
+/* qhasm: fe z_250_0 */
+
+/* qhasm: fe z_255_5 */
+
+/* qhasm: fe z_255_21 */
+
+/* qhasm: enter pow225521 */
+
+/* qhasm: z2 = z1^2^1 */
+/* asm 1: fe_sq(>z2=fe#1,<z1=fe#11); for (i = 1;i < 1;++i) fe_sq(>z2=fe#1,>z2=fe#1); */
+/* asm 2: fe_sq(>z2=t0,<z1=z); for (i = 1;i < 1;++i) fe_sq(>z2=t0,>z2=t0); */
+fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0);
+
+/* qhasm: z8 = z2^2^2 */
+/* asm 1: fe_sq(>z8=fe#2,<z2=fe#1); for (i = 1;i < 2;++i) fe_sq(>z8=fe#2,>z8=fe#2); */
+/* asm 2: fe_sq(>z8=t1,<z2=t0); for (i = 1;i < 2;++i) fe_sq(>z8=t1,>z8=t1); */
+fe_sq(t1,t0); for (i = 1;i < 2;++i) fe_sq(t1,t1);
+
+/* qhasm: z9 = z1*z8 */
+/* asm 1: fe_mul(>z9=fe#2,<z1=fe#11,<z8=fe#2); */
+/* asm 2: fe_mul(>z9=t1,<z1=z,<z8=t1); */
+fe_mul(t1,z,t1);
+
+/* qhasm: z11 = z2*z9 */
+/* asm 1: fe_mul(>z11=fe#1,<z2=fe#1,<z9=fe#2); */
+/* asm 2: fe_mul(>z11=t0,<z2=t0,<z9=t1); */
+fe_mul(t0,t0,t1);
+
+/* qhasm: z22 = z11^2^1 */
+/* asm 1: fe_sq(>z22=fe#3,<z11=fe#1); for (i = 1;i < 1;++i) fe_sq(>z22=fe#3,>z22=fe#3); */
+/* asm 2: fe_sq(>z22=t2,<z11=t0); for (i = 1;i < 1;++i) fe_sq(>z22=t2,>z22=t2); */
+fe_sq(t2,t0); for (i = 1;i < 1;++i) fe_sq(t2,t2);
+
+/* qhasm: z_5_0 = z9*z22 */
+/* asm 1: fe_mul(>z_5_0=fe#2,<z9=fe#2,<z22=fe#3); */
+/* asm 2: fe_mul(>z_5_0=t1,<z9=t1,<z22=t2); */
+fe_mul(t1,t1,t2);
+
+/* qhasm: z_10_5 = z_5_0^2^5 */
+/* asm 1: fe_sq(>z_10_5=fe#3,<z_5_0=fe#2); for (i = 1;i < 5;++i) fe_sq(>z_10_5=fe#3,>z_10_5=fe#3); */
+/* asm 2: fe_sq(>z_10_5=t2,<z_5_0=t1); for (i = 1;i < 5;++i) fe_sq(>z_10_5=t2,>z_10_5=t2); */
+fe_sq(t2,t1); for (i = 1;i < 5;++i) fe_sq(t2,t2);
+
+/* qhasm: z_10_0 = z_10_5*z_5_0 */
+/* asm 1: fe_mul(>z_10_0=fe#2,<z_10_5=fe#3,<z_5_0=fe#2); */
+/* asm 2: fe_mul(>z_10_0=t1,<z_10_5=t2,<z_5_0=t1); */
+fe_mul(t1,t2,t1);
+
+/* qhasm: z_20_10 = z_10_0^2^10 */
+/* asm 1: fe_sq(>z_20_10=fe#3,<z_10_0=fe#2); for (i = 1;i < 10;++i) fe_sq(>z_20_10=fe#3,>z_20_10=fe#3); */
+/* asm 2: fe_sq(>z_20_10=t2,<z_10_0=t1); for (i = 1;i < 10;++i) fe_sq(>z_20_10=t2,>z_20_10=t2); */
+fe_sq(t2,t1); for (i = 1;i < 10;++i) fe_sq(t2,t2);
+
+/* qhasm: z_20_0 = z_20_10*z_10_0 */
+/* asm 1: fe_mul(>z_20_0=fe#3,<z_20_10=fe#3,<z_10_0=fe#2); */
+/* asm 2: fe_mul(>z_20_0=t2,<z_20_10=t2,<z_10_0=t1); */
+fe_mul(t2,t2,t1);
+
+/* qhasm: z_40_20 = z_20_0^2^20 */
+/* asm 1: fe_sq(>z_40_20=fe#4,<z_20_0=fe#3); for (i = 1;i < 20;++i) fe_sq(>z_40_20=fe#4,>z_40_20=fe#4); */
+/* asm 2: fe_sq(>z_40_20=t3,<z_20_0=t2); for (i = 1;i < 20;++i) fe_sq(>z_40_20=t3,>z_40_20=t3); */
+fe_sq(t3,t2); for (i = 1;i < 20;++i) fe_sq(t3,t3);
+
+/* qhasm: z_40_0 = z_40_20*z_20_0 */
+/* asm 1: fe_mul(>z_40_0=fe#3,<z_40_20=fe#4,<z_20_0=fe#3); */
+/* asm 2: fe_mul(>z_40_0=t2,<z_40_20=t3,<z_20_0=t2); */
+fe_mul(t2,t3,t2);
+
+/* qhasm: z_50_10 = z_40_0^2^10 */
+/* asm 1: fe_sq(>z_50_10=fe#3,<z_40_0=fe#3); for (i = 1;i < 10;++i) fe_sq(>z_50_10=fe#3,>z_50_10=fe#3); */
+/* asm 2: fe_sq(>z_50_10=t2,<z_40_0=t2); for (i = 1;i < 10;++i) fe_sq(>z_50_10=t2,>z_50_10=t2); */
+fe_sq(t2,t2); for (i = 1;i < 10;++i) fe_sq(t2,t2);
+
+/* qhasm: z_50_0 = z_50_10*z_10_0 */
+/* asm 1: fe_mul(>z_50_0=fe#2,<z_50_10=fe#3,<z_10_0=fe#2); */
+/* asm 2: fe_mul(>z_50_0=t1,<z_50_10=t2,<z_10_0=t1); */
+fe_mul(t1,t2,t1);
+
+/* qhasm: z_100_50 = z_50_0^2^50 */
+/* asm 1: fe_sq(>z_100_50=fe#3,<z_50_0=fe#2); for (i = 1;i < 50;++i) fe_sq(>z_100_50=fe#3,>z_100_50=fe#3); */
+/* asm 2: fe_sq(>z_100_50=t2,<z_50_0=t1); for (i = 1;i < 50;++i) fe_sq(>z_100_50=t2,>z_100_50=t2); */
+fe_sq(t2,t1); for (i = 1;i < 50;++i) fe_sq(t2,t2);
+
+/* qhasm: z_100_0 = z_100_50*z_50_0 */
+/* asm 1: fe_mul(>z_100_0=fe#3,<z_100_50=fe#3,<z_50_0=fe#2); */
+/* asm 2: fe_mul(>z_100_0=t2,<z_100_50=t2,<z_50_0=t1); */
+fe_mul(t2,t2,t1);
+
+/* qhasm: z_200_100 = z_100_0^2^100 */
+/* asm 1: fe_sq(>z_200_100=fe#4,<z_100_0=fe#3); for (i = 1;i < 100;++i) fe_sq(>z_200_100=fe#4,>z_200_100=fe#4); */
+/* asm 2: fe_sq(>z_200_100=t3,<z_100_0=t2); for (i = 1;i < 100;++i) fe_sq(>z_200_100=t3,>z_200_100=t3); */
+fe_sq(t3,t2); for (i = 1;i < 100;++i) fe_sq(t3,t3);
+
+/* qhasm: z_200_0 = z_200_100*z_100_0 */
+/* asm 1: fe_mul(>z_200_0=fe#3,<z_200_100=fe#4,<z_100_0=fe#3); */
+/* asm 2: fe_mul(>z_200_0=t2,<z_200_100=t3,<z_100_0=t2); */
+fe_mul(t2,t3,t2);
+
+/* qhasm: z_250_50 = z_200_0^2^50 */
+/* asm 1: fe_sq(>z_250_50=fe#3,<z_200_0=fe#3); for (i = 1;i < 50;++i) fe_sq(>z_250_50=fe#3,>z_250_50=fe#3); */
+/* asm 2: fe_sq(>z_250_50=t2,<z_200_0=t2); for (i = 1;i < 50;++i) fe_sq(>z_250_50=t2,>z_250_50=t2); */
+fe_sq(t2,t2); for (i = 1;i < 50;++i) fe_sq(t2,t2);
+
+/* qhasm: z_250_0 = z_250_50*z_50_0 */
+/* asm 1: fe_mul(>z_250_0=fe#2,<z_250_50=fe#3,<z_50_0=fe#2); */
+/* asm 2: fe_mul(>z_250_0=t1,<z_250_50=t2,<z_50_0=t1); */
+fe_mul(t1,t2,t1);
+
+/* qhasm: z_255_5 = z_250_0^2^5 */
+/* asm 1: fe_sq(>z_255_5=fe#2,<z_250_0=fe#2); for (i = 1;i < 5;++i) fe_sq(>z_255_5=fe#2,>z_255_5=fe#2); */
+/* asm 2: fe_sq(>z_255_5=t1,<z_250_0=t1); for (i = 1;i < 5;++i) fe_sq(>z_255_5=t1,>z_255_5=t1); */
+fe_sq(t1,t1); for (i = 1;i < 5;++i) fe_sq(t1,t1);
+
+/* qhasm: z_255_21 = z_255_5*z11 */
+/* asm 1: fe_mul(>z_255_21=fe#12,<z_255_5=fe#2,<z11=fe#1); */
+/* asm 2: fe_mul(>z_255_21=out,<z_255_5=t1,<z11=t0); */
+fe_mul(out,t1,t0);
+
+/* qhasm: return */

data/ext/x25519/ref10/scalarmult.c

@@ -0,0 +1,46 @@
+#include "fe.h"
+
+int x25519_ref10_scalarmult(uint8_t *q, const uint8_t *n, const uint8_t *p)
+{
+  uint8_t e[32];
+  unsigned int i;
+  fe x1;
+  fe x2;
+  fe z2;
+  fe x3;
+  fe z3;
+  fe tmp0;
+  fe tmp1;
+  int pos;
+  unsigned int swap;
+  unsigned int b;
+
+  for (i = 0;i < 32;++i) e[i] = n[i];
+  e[0] &= 248;
+  e[31] &= 127;
+  e[31] |= 64;
+
+  fe_frombytes(x1,p);
+  fe_1(x2);
+  fe_0(z2);
+  fe_copy(x3,x1);
+  fe_1(z3);
+
+  swap = 0;
+  for (pos = 254;pos >= 0;--pos) {
+    b = e[pos / 8] >> (pos & 7);
+    b &= 1;
+    swap ^= b;
+    fe_cswap(x2,x3,swap);
+    fe_cswap(z2,z3,swap);
+    swap = b;
+#include "montgomery.h"
+  }
+  fe_cswap(x2,x3,swap);
+  fe_cswap(z2,z3,swap);
+
+  fe_invert(z2,z2);
+  fe_mul(x2,x2,z2);
+  fe_tobytes(q,x2);
+  return 0;
+}

data/ext/x25519/{fp25519_x64.c → rfc7748_precomputed/fp25519_x64.c}

@@ -2,27 +2,30 @@
  * Copyright (c) 2017 Armando Faz <armfazh@ic.unicamp.br>.
  * Institute of Computing.
  * University of Campinas, Brazil.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU Lesser General Public License as   
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
  * published by the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
-#include "random.h"
-#include "bytes.h"
 #include "fp25519_x64.h"
 
-void random_EltFp25519_1w_x64(uint64_t *A)
+int compare_bytes(uint8_t* A, uint8_t* B,unsigned int num_bytes)
 {
-	random_bytes((uint8_t*)A,SIZE_ELEMENT_BYTES);
-	A[3] &= ((uint64_t)1<<63)-1;
+	unsigned int i=0;
+	uint8_t ret=0;
+	for(i=0;i<num_bytes;i++)
+	{
+		ret += A[i]^B[i];
+	}
+	return ret;
 }
 
 int compare_EltFp25519_1w_x64(uint64_t *A, uint64_t *B)
@@ -30,11 +33,6 @@ int compare_EltFp25519_1w_x64(uint64_t *A, uint64_t *B)
 	return compare_bytes((uint8_t*)A,(uint8_t*)B,SIZE_ELEMENT_BYTES);
 }
 
-void print_EltFp25519_1w_x64(uint64_t *A)
-{
-	print_bytes((uint8_t*)A,SIZE_ELEMENT_BYTES);
-}
-
 /**
  *
  * @param c Two 512-bit products: c[0:7]=a[0:3]*b[0:3] and c[8:15]=a[4:7]*b[4:7]

data/ext/x25519/{fp25519_x64.h → rfc7748_precomputed/fp25519_x64.h}

@@ -2,14 +2,14 @@
  * Copyright (c) 2017 Armando Faz <armfazh@ic.unicamp.br>.
  * Institute of Computing.
  * University of Campinas, Brazil.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU Lesser General Public License as   
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
  * published by the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public License
@@ -34,8 +34,6 @@ typedef ALIGN uint64_t EltFp25519_1w_Buffer_x64[2*NUM_WORDS_ELTFP25519_X64];
 typedef ALIGN uint64_t EltFp25519_2w_x64[2*NUM_WORDS_ELTFP25519_X64];
 typedef ALIGN uint64_t EltFp25519_2w_Buffer_x64[4*NUM_WORDS_ELTFP25519_X64];
 
-void print_bytes(uint8_t * A,int num_bytes);
-
 /* Integer Arithmetic */
 void mul2_256x256_integer_x64(uint64_t *const c, uint64_t *const a, uint64_t *const b);
 void sqr2_256x256_integer_x64(uint64_t *const c, uint64_t *const a);
@@ -47,10 +45,8 @@ void red_EltFp25519_1w_x64(uint64_t *const c, uint64_t *const a);
 
 /* Prime Field Util */
 void random_EltFp25519_1w_x64(uint64_t *A);
-void print_EltFp25519_1w_x64(uint64_t *A);
 int compare_EltFp25519_1w_x64(uint64_t *A, uint64_t *B);
 void random_EltFp25519_2w_x64(uint64_t *A);
-void print_EltFp25519_2w(uint64_t *A);
 int compare_EltFp25519_2w(uint64_t *A, uint64_t *B);
 
 /* Prime Field Arithmetic */

data/ext/x25519/{bytes.h → rfc7748_precomputed/rfc7748_precomputed.h}

@@ -15,11 +15,19 @@
  * You should have received a copy of the GNU Lesser General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
-#ifndef BYTES_H
-#define BYTES_H
+#ifndef RFC7748_PRECOMPUTED_H
+#define RFC7748_PRECOMPUTED_H
 
 #include <stdint.h>
-void print_bytes(uint8_t * A, int num_bytes);
-int compare_bytes(uint8_t* A, uint8_t* B,unsigned int num_bytes);
 
-#endif /* BYTES_H */
+#define ALIGN_BYTES 32
+#ifdef __INTEL_COMPILER
+#define ALIGN __declspec(align(ALIGN_BYTES))
+#else
+#define ALIGN __attribute__ ((aligned (ALIGN_BYTES)))
+#endif
+
+#define X25519_KEYSIZE_BYTES 32
+typedef ALIGN uint8_t X25519_KEY[X25519_KEYSIZE_BYTES];
+
+#endif /* RFC7748_PRECOMPUTED_H */

data/ext/x25519/{x25519_x64.c → rfc7748_precomputed/x25519_x64.c}

@@ -2,32 +2,22 @@
  * Copyright (c) 2017 Armando Faz <armfazh@ic.unicamp.br>.
  * Institute of Computing.
  * University of Campinas, Brazil.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU Lesser General Public License as   
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
  * published by the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
-#include <fp25519_x64.h>
-#include <table_ladder_x25519.h>
-#include "rfc7748_precompted.h"
-#include "random.h"
-
-void print_X25519_key(argKey key)
-{
-	print_bytes(key,X25519_KEYSIZE_BYTES);
-}
-void random_X25519_key(argKey key)
-{
-	random_bytes(key,X25519_KEYSIZE_BYTES);
-}
+#include "fp25519_x64.h"
+#include "table_ladder_x25519.h"
+#include "rfc7748_precomputed.h"
 
 /****** Implementation of Montgomery Ladder Algorithm ************/
 static inline void cswap_x64(uint64_t bit, uint64_t *const px, uint64_t *const py)
@@ -42,7 +32,7 @@ static inline void cswap_x64(uint64_t bit, uint64_t *const px, uint64_t *const p
     }
 }
 
-static void x25519_shared_secret_x64(argKey shared, argKey session_key, argKey private_key)
+void x25519_rfc7748_precomputed_scalarmult(uint8_t *shared, uint8_t *private_key, uint8_t *session_key)
 {
 	ALIGN uint64_t buffer[4*NUM_WORDS_ELTFP25519_X64];
 	ALIGN uint64_t coordinates[4*NUM_WORDS_ELTFP25519_X64];
@@ -143,11 +133,15 @@ static void x25519_shared_secret_x64(argKey shared, argKey session_key, argKey p
 	private_key[0]  = (uint8_t)(save & 0xFF);
 }
 
-static void x25519_keygen_precmp_x64(argKey session_key, argKey private_key)
+void x25519_rfc7748_precomputed_scalarmult_base(uint8_t *session_key, uint8_t *private_key)
 {
 	ALIGN uint64_t buffer[4*NUM_WORDS_ELTFP25519_X64];
 	ALIGN uint64_t coordinates[4*NUM_WORDS_ELTFP25519_X64];
 	ALIGN uint64_t workspace[4*NUM_WORDS_ELTFP25519_X64];
+	const int ite[4] = {64,64,64,63};
+	const int q = 3;
+	uint64_t swap = 1;
+	uint64_t bit;
 	uint64_t save;
 
 	int i=0, j=0, k=0;
@@ -191,17 +185,13 @@ static void x25519_keygen_precmp_x64(argKey session_key, argKey private_key)
 	Ur2[0] = 0x7e94e1fec82faabd;
 
 	/* main-loop */
-    const int ite[4] = {64,64,64,63};
-	const int q = 3;
-    uint64_t swap = 1;
-
 	j = q;
 	for(i=0;i<NUM_WORDS_ELTFP25519_X64;i++)
 	{
 		while(j < ite[i])
 		{
             k = (64*i+j-q);
-			uint64_t bit = (key[i]>>j)&0x1;
+			bit = (key[i]>>j)&0x1;
 			swap = swap ^ bit;
 			cswap_x64(swap, Ur1, Ur2);
 			cswap_x64(swap, Zr1, Zr2);
@@ -239,6 +229,3 @@ static void x25519_keygen_precmp_x64(argKey session_key, argKey private_key)
     private_key[X25519_KEYSIZE_BYTES-1] = (uint8_t)((save>>16) & 0xFF);
     private_key[0]  = (uint8_t)(save & 0xFF);
 }
-
-const KeyGen X25519_KeyGen_x64 = x25519_keygen_precmp_x64;
-const Shared X25519_Shared_x64 = x25519_shared_secret_x64;

data/ext/x25519/x25519.c

@@ -0,0 +1,325 @@
+/* Ruby C extension providing bindings to the X25519 Diffie-Hellman algorithm */
+
+#define _POSIX_C_SOURCE 200809L
+#include <stdlib.h>
+
+#include "ruby.h"
+#include "x25519.h"
+
+/* The X25519::VERSION */
+#define GEM_VERSION "0.1.0"
+
+/* X25519 module method prototypes */
+static VALUE X25519_backend(VALUE self);
+static VALUE X25519_self_test(VALUE self);
+static VALUE X25519_diffie_hellman(VALUE self, VALUE public_key, VALUE secret_key);
+
+/* X25519::Scalar prototypes */
+static VALUE cX25519_Scalar_allocate(VALUE klass);
+static void cX25519_Scalar_mark(X25519_KEY *scalar);
+static void cX25519_Scalar_free(X25519_KEY *scalar);
+static VALUE cX25519_Scalar_generate(VALUE self);
+static VALUE cX25519_Scalar_initialize(VALUE self, VALUE bytes);
+static VALUE cX25519_Scalar_multiply_base(VALUE self);
+static VALUE cX25519_Scalar_multiply(VALUE self, VALUE montgomery_u);
+static VALUE cX25519_Scalar_to_bytes(VALUE self);
+
+/* X25519::MontgomeryU prototypes */
+static VALUE cX25519_MontgomeryU_allocate(VALUE klass);
+static void cX25519_MontgomeryU_mark(X25519_KEY *coord);
+static void cX25519_MontgomeryU_free(X25519_KEY *coord);
+static VALUE cX25519_MontgomeryU_initialize(VALUE self, VALUE bytes);
+static VALUE cX25519_MontgomeryU_to_bytes(VALUE self);
+
+static VALUE mX25519 = Qnil;
+static VALUE cX25519_Scalar  = Qnil;
+static VALUE cX25519_MontgomeryU = Qnil;
+
+/* Are we on a 4th gen Intel Core CPU architecture that supports the
+   rfc7748_precomputed backend? */
+static int use_rfc7748_precomputed = 0;
+
+/* Initialize the Ruby module */
+void Init_x25519()
+{
+    /* Test for support for the rfc7748_precomputed backend */
+    use_rfc7748_precomputed = check_4th_gen_intel_core_features();
+
+    /* Used for key generation */
+    rb_require("securerandom");
+
+    mX25519 = rb_define_module("X25519");
+    rb_define_const(mX25519, "VERSION", rb_str_new2(GEM_VERSION));
+    rb_define_singleton_method(mX25519, "backend", X25519_backend, 0);
+    rb_define_singleton_method(mX25519, "self_test", X25519_self_test, 0);
+    rb_define_singleton_method(mX25519, "diffie_hellman", X25519_diffie_hellman, 2);
+
+    cX25519_Scalar = rb_define_class_under(mX25519, "Scalar", rb_cObject);
+    rb_define_alloc_func(cX25519_Scalar, cX25519_Scalar_allocate);
+    rb_define_singleton_method(cX25519_Scalar, "generate", cX25519_Scalar_generate, 0);
+    rb_define_method(cX25519_Scalar, "initialize", cX25519_Scalar_initialize, 1);
+    rb_define_method(cX25519_Scalar, "multiply_base", cX25519_Scalar_multiply_base, 0);
+    rb_define_method(cX25519_Scalar, "public_key", cX25519_Scalar_multiply_base, 0);
+    rb_define_method(cX25519_Scalar, "multiply", cX25519_Scalar_multiply, 1);
+    rb_define_method(cX25519_Scalar, "diffie_hellman", cX25519_Scalar_multiply, 1);
+    rb_define_method(cX25519_Scalar, "to_bytes", cX25519_Scalar_to_bytes, 0);
+    rb_define_method(cX25519_Scalar, "to_str", cX25519_Scalar_to_bytes, 0);
+
+    cX25519_MontgomeryU = rb_define_class_under(mX25519, "MontgomeryU", rb_cObject);
+    rb_define_alloc_func(cX25519_MontgomeryU, cX25519_MontgomeryU_allocate);
+    rb_define_method(cX25519_MontgomeryU, "initialize", cX25519_MontgomeryU_initialize, 1);
+    rb_define_method(cX25519_MontgomeryU, "to_bytes", cX25519_MontgomeryU_to_bytes, 0);
+    rb_define_method(cX25519_MontgomeryU, "to_str", cX25519_MontgomeryU_to_bytes, 0);
+
+    /* Run the self-test on load to ensure everything is working */
+    rb_funcall(mX25519, rb_intern("self_test"), 0);
+}
+
+/* Return a symbol identifying the backend in use */
+static VALUE X25519_backend(VALUE self)
+{
+    switch(use_rfc7748_precomputed) {
+        case 1:
+            return ID2SYM(rb_intern("rfc7748_precomputed"));
+        case 0:
+            return ID2SYM(rb_intern("ref10"));
+        default:
+            rb_raise(rb_eRuntimeError, "invalid X25519 backend! (%d)", use_rfc7748_precomputed);
+    }
+}
+
+/* Perform an end-to-end test of the Ruby binding to ensure it's working correctly */
+static VALUE X25519_self_test(VALUE self)
+{
+    VALUE sk, pk, shared;
+
+    /* Test vectors from RFC 7748 */
+    X25519_KEY ietf_cfrg_key0 = {
+        0xa5,0x46,0xe3,0x6b,0xf0,0x52,0x7c,0x9d,
+        0x3b,0x16,0x15,0x4b,0x82,0x46,0x5e,0xdd,
+        0x62,0x14,0x4c,0x0a,0xc1,0xfc,0x5a,0x18,
+        0x50,0x6a,0x22,0x44,0xba,0x44,0x9a,0xc4
+    };
+
+    X25519_KEY ietf_cfrg_input_coord0 = {
+        0xe6,0xdb,0x68,0x67,0x58,0x30,0x30,0xdb,
+        0x35,0x94,0xc1,0xa4,0x24,0xb1,0x5f,0x7c,
+        0x72,0x66,0x24,0xec,0x26,0xb3,0x35,0x3b,
+        0x10,0xa9,0x03,0xa6,0xd0,0xab,0x1c,0x4c
+    };
+
+    X25519_KEY ietf_cfrg_output_coord0 = {
+        0xc3,0xda,0x55,0x37,0x9d,0xe9,0xc6,0x90,
+        0x8e,0x94,0xea,0x4d,0xf2,0x8d,0x08,0x4f,
+        0x32,0xec,0xcf,0x03,0x49,0x1c,0x71,0xf7,
+        0x54,0xb4,0x07,0x55,0x77,0xa2,0x85,0x52
+    };
+
+    sk = rb_str_new((const char *)&ietf_cfrg_key0, X25519_KEYSIZE_BYTES);
+    pk = rb_str_new((const char *)&ietf_cfrg_input_coord0, X25519_KEYSIZE_BYTES);
+
+    shared = rb_funcall(mX25519, rb_intern("diffie_hellman"), 2, sk, pk);
+
+    if(RSTRING_LEN(shared) != X25519_KEYSIZE_BYTES ||
+       memcmp(RSTRING_PTR(shared), ietf_cfrg_output_coord0, X25519_KEYSIZE_BYTES) != 0)
+    {
+        rb_raise(rb_eRuntimeError, "X25519 self-test failed!");
+    }
+
+    return Qtrue;
+}
+
+/* Compute Diffie-Hellman for the given key and Montgomery-u coordinate
+ * (i.e. variable base scalar multiplication) */
+static VALUE X25519_diffie_hellman(VALUE self, VALUE secret_key, VALUE public_key)
+{
+    VALUE scalar, coord, shared;
+
+    scalar = rb_class_new_instance(1, &secret_key, cX25519_Scalar);
+    coord  = rb_class_new_instance(1, &public_key, cX25519_MontgomeryU);
+    shared = rb_funcall(scalar, rb_intern("multiply"), 1, coord);
+
+    return rb_funcall(shared, rb_intern("to_bytes"), 0);
+}
+
+/********************************
+ * X25519::Scalar: private keys *
+ ********************************/
+
+static VALUE cX25519_Scalar_allocate(VALUE klass)
+{
+    X25519_KEY *scalar = NULL;
+
+    /* Ensure allocation with the correct (32-byte) memory alignent */
+    if(posix_memalign((void **)&scalar, ALIGN_BYTES, X25519_KEYSIZE_BYTES)) {
+        rb_fatal("x25519: can't allocate memory with posix_memalign()");
+    }
+
+    /* Avoid using unitialized memory */
+    memset(scalar, 0, X25519_KEYSIZE_BYTES);
+
+    return Data_Wrap_Struct(klass, cX25519_Scalar_mark, cX25519_Scalar_free, scalar);
+}
+
+static void cX25519_Scalar_mark(X25519_KEY *scalar)
+{
+}
+
+static void cX25519_Scalar_free(X25519_KEY *scalar)
+{
+    free(scalar);
+}
+
+/* Generate a random X25519 private scalar */
+static VALUE cX25519_Scalar_generate(VALUE self)
+{
+    VALUE rb_mSecureRandom, scalar_bytes;
+    rb_mSecureRandom = rb_const_get(rb_cObject, rb_intern("SecureRandom"));
+
+    scalar_bytes = rb_funcall(
+        rb_mSecureRandom,
+        rb_intern("random_bytes"),
+        1,
+        INT2NUM(X25519_KEYSIZE_BYTES)
+    );
+
+    return rb_class_new_instance(1, &scalar_bytes, self);
+}
+
+/* Create an X25519::Scalar from a String containing bytes */
+static VALUE cX25519_Scalar_initialize(VALUE self, VALUE bytes)
+{
+    X25519_KEY *scalar = NULL;
+    Data_Get_Struct(self, X25519_KEY, scalar);
+
+    StringValue(bytes);
+    if(RSTRING_LEN(bytes) != X25519_KEYSIZE_BYTES) {
+        rb_raise(
+            rb_eArgError,
+            "expected %d-byte scalar, got %ld",
+            X25519_KEYSIZE_BYTES,
+            RSTRING_LEN(bytes)
+        );
+    }
+
+    memcpy(scalar, RSTRING_PTR(bytes), X25519_KEYSIZE_BYTES);
+
+    return self;
+}
+
+/* Obtain a public key for an X25519 private scalar
+ * (i.e. fixed base scalar multiplication ) */
+static VALUE cX25519_Scalar_multiply_base(VALUE self)
+{
+    X25519_KEY *scalar = NULL, public_key;
+    VALUE public_key_str;
+
+    Data_Get_Struct(self, X25519_KEY, scalar);
+
+    /* Avoid using unitialized memory */
+    memset(&public_key, 0, X25519_KEYSIZE_BYTES);
+
+    /* Compute public key from private scalar using fixed-base scalar multiplication */
+    if(use_rfc7748_precomputed) {
+        x25519_rfc7748_precomputed_scalarmult_base(public_key, *scalar);
+    } else {
+        x25519_ref10_scalarmult_base(public_key, *scalar);
+    }
+
+    public_key_str = rb_str_new((const char *)&public_key, X25519_KEYSIZE_BYTES);
+    return rb_class_new_instance(1, &public_key_str, cX25519_MontgomeryU);
+}
+
+/* Obtain a public key for an X25519 private scalar
+ * (i.e. fixed base scalar multiplication ) */
+static VALUE cX25519_Scalar_multiply(VALUE self, VALUE montgomery_u)
+{
+    X25519_KEY *scalar = NULL, *coord = NULL, product;
+    VALUE product_str;
+
+    if(rb_obj_class(montgomery_u) != cX25519_MontgomeryU) {
+        rb_raise(rb_eTypeError, "wrong argument type (expected X25519::MontgomeryU)");
+    }
+
+    Data_Get_Struct(self, X25519_KEY, scalar);
+    Data_Get_Struct(montgomery_u, X25519_KEY, coord);
+
+    /* Avoid using unitialized memory */
+    memset(&product, 0, X25519_KEYSIZE_BYTES);
+
+    /* Compute the Diffie-Hellman shared secret */
+    if(use_rfc7748_precomputed) {
+        x25519_rfc7748_precomputed_scalarmult(product, *scalar, *coord);
+    } else {
+        x25519_ref10_scalarmult(product, *scalar, *coord);
+    }
+
+    product_str = rb_str_new((const char *)&product, X25519_KEYSIZE_BYTES);
+    return rb_class_new_instance(1, &product_str, cX25519_MontgomeryU);
+}
+
+/* Return a String containing the raw bytes of this scalar */
+static VALUE cX25519_Scalar_to_bytes(VALUE self)
+{
+    X25519_KEY *scalar = NULL;
+    Data_Get_Struct(self, X25519_KEY, scalar);
+
+    return rb_str_new((const char *)scalar, X25519_KEYSIZE_BYTES);;
+}
+
+/************************************
+ * X25519::MontgomeryU: public keys *
+ ************************************/
+
+static VALUE cX25519_MontgomeryU_allocate(VALUE klass)
+{
+    X25519_KEY *coord = NULL;
+
+    /* Ensure allocation with the correct (32-byte) memory alignent */
+    if(posix_memalign((void **)&coord, ALIGN_BYTES, X25519_KEYSIZE_BYTES)) {
+        rb_fatal("x25519: can't allocate memory with posix_memalign()");
+    }
+
+    /* Avoid using unitialized memory */
+    memset(coord, 0, X25519_KEYSIZE_BYTES);
+
+    return Data_Wrap_Struct(klass, cX25519_MontgomeryU_mark, cX25519_MontgomeryU_free, coord);
+}
+
+static void cX25519_MontgomeryU_mark(X25519_KEY *coord)
+{
+}
+
+static void cX25519_MontgomeryU_free(X25519_KEY *coord)
+{
+    free(coord);
+}
+
+static VALUE cX25519_MontgomeryU_initialize(VALUE self, VALUE bytes)
+{
+    X25519_KEY *coord = NULL;
+    Data_Get_Struct(self, X25519_KEY, coord);
+
+    StringValue(bytes);
+    if(RSTRING_LEN(bytes) != X25519_KEYSIZE_BYTES) {
+        rb_raise(
+            rb_eArgError,
+            "expected %d-byte scalar, got %ld",
+            X25519_KEYSIZE_BYTES,
+            RSTRING_LEN(bytes)
+        );
+    }
+
+    memcpy(coord, RSTRING_PTR(bytes), X25519_KEYSIZE_BYTES);
+
+    return self;
+}
+
+/* Return a String containing the raw bytes of this scalar */
+static VALUE cX25519_MontgomeryU_to_bytes(VALUE self)
+{
+    X25519_KEY *coord = NULL;
+    Data_Get_Struct(self, X25519_KEY, coord);
+
+    return rb_str_new((const char *)coord, X25519_KEYSIZE_BYTES);;
+}