Remove duplicated 448 in the names of various things

            for (k = 0; k < t; k++) {

                unsigned int bit = i + s * (k + j * t);

                if (bit < C448_448_SCALAR_BITS) {

                if (bit < C448_SCALAR_BITS) {

                    tab |=

                        (scalar1x->limb[bit / WBITS] >> (bit % WBITS) & 1) << k;

                }

}

void curve448_point_mul_by_ratio_and_encode_like_eddsa(

                                    uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES],

                                    uint8_t enc[EDDSA_448_PUBLIC_BYTES],

                                    const curve448_point_t p)

{

    gf_mul(x, y, z);

    /* Encode */

    enc[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0;

    enc[EDDSA_448_PRIVATE_BYTES - 1] = 0;

    gf_serialize(enc, x, 1);

    enc[C448_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t);

    enc[EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t);

    OPENSSL_cleanse(x, sizeof(x));

    OPENSSL_cleanse(y, sizeof(y));

c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(

                                curve448_point_t p,

                                const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES])

                                const uint8_t enc[EDDSA_448_PUBLIC_BYTES])

{

    uint8_t enc2[C448_EDDSA_448_PUBLIC_BYTES];

    uint8_t enc2[EDDSA_448_PUBLIC_BYTES];

    mask_t low;

    mask_t succ;

    memcpy(enc2, enc, sizeof(enc2));

    low = ~word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] & 0x80);

    enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80;

    low = ~word_is_zero(enc2[EDDSA_448_PRIVATE_BYTES - 1] & 0x80);

    enc2[EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80;

    succ = gf_deserialize(p->y, enc2, 1, 0);

#if 0 == 0

    succ &= word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1]);

    succ &= word_is_zero(enc2[EDDSA_448_PRIVATE_BYTES - 1]);

#endif

    gf_sqr(p->x, p->y);

    return c448_succeed_if(mask_to_bool(succ));

}

c448_error_t c448_x448(uint8_t out[X_PUBLIC_BYTES],

c448_error_t x448_int(uint8_t out[X_PUBLIC_BYTES],

                      const uint8_t base[X_PUBLIC_BYTES],

                      const uint8_t scalar[X_PRIVATE_BYTES])

{

    curve448_point_destroy(q);

}

void c448_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],

void x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],

                            const uint8_t scalar[X_PRIVATE_BYTES])

{

    /* Scalar conditioning */

    curve448_scalar_decode_long(the_scalar, scalar2, sizeof(scalar2));

    /* Compensate for the encoding ratio */

    for (i = 1; i < C448_X448_ENCODE_RATIO; i <<= 1) {

    for (i = 1; i < X448_ENCODE_RATIO; i <<= 1) {

        curve448_scalar_halve(the_scalar, the_scalar);

    }

    curve448_precomputed_scalarmul(p, curve448_precomputed_base, the_scalar);

                       const curve448_scalar_t scalar,

                       unsigned int table_bits)

{

    unsigned int table_size = C448_448_SCALAR_BITS / (table_bits + 1) + 3;

    unsigned int table_size = C448_SCALAR_BITS / (table_bits + 1) + 3;

    int position = table_size - 1; /* at the end */

    uint64_t current = scalar->limb[0] & 0xFFFF;

    uint32_t mask = (1 << (table_bits + 1)) - 1;

     * 1/5 op. Probably not worth it.

     */

    for (w = 1; w < (C448_448_SCALAR_BITS - 1) / 16 + 3; w++) {

        if (w < (C448_448_SCALAR_BITS - 1) / 16 + 1) {

    for (w = 1; w < (C448_SCALAR_BITS - 1) / 16 + 3; w++) {

        if (w < (C448_SCALAR_BITS - 1) / 16 + 1) {

            /* Refill the 16 high bits of current */

            current += (uint32_t)((scalar->limb[w / B_OVER_16]

                       >> (16 * (w %  B_OVER_16))) << 16);

{

    const int table_bits_var = C448_WNAF_VAR_TABLE_BITS,

        table_bits_pre = C448_WNAF_FIXED_TABLE_BITS;

    struct smvt_control control_var[C448_448_SCALAR_BITS /

    struct smvt_control control_var[C448_SCALAR_BITS /

                                    (C448_WNAF_VAR_TABLE_BITS + 1) + 3];

    struct smvt_control control_pre[C448_448_SCALAR_BITS /

    struct smvt_control control_pre[C448_SCALAR_BITS /

                                    (C448_WNAF_FIXED_TABLE_BITS + 1) + 3];

    int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);

    int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);

int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],

         const uint8_t peer_public_value[56])

{

    return c448_x448(out_shared_key, peer_public_value, private_key)

    return x448_int(out_shared_key, peer_public_value, private_key)

           == C448_SUCCESS;

}

void X448_public_from_private(uint8_t out_public_value[56],

                              const uint8_t private_key[56])

{

    c448_x448_derive_public_key(out_public_value, private_key);

    x448_derive_public_key(out_public_value, private_key);

}

#endif

/* Number of bytes in an EdDSA public key. */

# define C448_EDDSA_448_PUBLIC_BYTES 57

# define EDDSA_448_PUBLIC_BYTES 57

/* Number of bytes in an EdDSA private key. */

# define C448_EDDSA_448_PRIVATE_BYTES C448_EDDSA_448_PUBLIC_BYTES

# define EDDSA_448_PRIVATE_BYTES EDDSA_448_PUBLIC_BYTES

/* Number of bytes in an EdDSA private key. */

# define C448_EDDSA_448_SIGNATURE_BYTES (C448_EDDSA_448_PUBLIC_BYTES + \

                                         C448_EDDSA_448_PRIVATE_BYTES)

# define EDDSA_448_SIGNATURE_BYTES (EDDSA_448_PUBLIC_BYTES + \

                                    EDDSA_448_PRIVATE_BYTES)

/* EdDSA encoding ratio. */

# define C448_448_EDDSA_ENCODE_RATIO 4

# define C448_EDDSA_ENCODE_RATIO 4

/* EdDSA decoding ratio. */

# define C448_448_EDDSA_DECODE_RATIO (4 / 4)

# define C448_EDDSA_DECODE_RATIO (4 / 4)

/*

 * EdDSA key generation.  This function uses a different (non-Decaf) encoding.

 * privkey (in): The private key.

 */

c448_error_t c448_ed448_derive_public_key(

                        uint8_t pubkey [C448_EDDSA_448_PUBLIC_BYTES],

                        const uint8_t privkey [C448_EDDSA_448_PRIVATE_BYTES]);

                        uint8_t pubkey [EDDSA_448_PUBLIC_BYTES],

                        const uint8_t privkey [EDDSA_448_PRIVATE_BYTES]);

/*

 * EdDSA signing.

 * it harder to screw this up, but this C code gives you no seat belt.

 */

c448_error_t c448_ed448_sign(

                        uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],

                        const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],

                        const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],

                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],

                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],

                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],

                        const uint8_t *message, size_t message_len,

                        uint8_t prehashed, const uint8_t *context,

                        size_t context_len)

 * it harder to screw this up, but this C code gives you no seat belt.

 */

c448_error_t c448_ed448_sign_prehash(

                        uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],

                        const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],

                        const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],

                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],

                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],

                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],

                        const uint8_t hash[64],

                        const uint8_t *context,

                        size_t context_len)

 * it harder to screw this up, but this C code gives you no seat belt.

 */

c448_error_t c448_ed448_verify(const uint8_t

                                 signature[C448_EDDSA_448_SIGNATURE_BYTES],

                                 signature[EDDSA_448_SIGNATURE_BYTES],

                                 const uint8_t

                                 pubkey[C448_EDDSA_448_PUBLIC_BYTES],

                                 pubkey[EDDSA_448_PUBLIC_BYTES],

                                 const uint8_t *message, size_t message_len,

                                 uint8_t prehashed, const uint8_t *context,

                                 uint8_t context_len)

 * it harder to screw this up, but this C code gives you no seat belt.

 */

c448_error_t c448_ed448_verify_prehash(

                    const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],

                    const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],

                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],

                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],

                    const uint8_t hash[64],

                    const uint8_t *context,

                    uint8_t context_len)

/*

 * EdDSA point encoding.  Used internally, exposed externally.

 * Multiplies by C448_448_EDDSA_ENCODE_RATIO first.

 * Multiplies by C448_EDDSA_ENCODE_RATIO first.

 *

 * The multiplication is required because the EdDSA encoding represents

 * the cofactor information, but the Decaf encoding ignores it (which

 * EdDSA, the cofactor info must get cleared, because the intermediate

 * representation doesn't track it.

 *

 * The way we handle this is to multiply by C448_448_EDDSA_DECODE_RATIO when

 * decoding, and by C448_448_EDDSA_ENCODE_RATIO when encoding.  The product of

 * The way we handle this is to multiply by C448_EDDSA_DECODE_RATIO when

 * decoding, and by C448_EDDSA_ENCODE_RATIO when encoding.  The product of

 * these ratios is always exactly the cofactor 4, so the cofactor ends up

 * cleared one way or another.  But exactly how that shakes out depends on the

 * base points specified in RFC 8032.

 *

 * The upshot is that if you pass the Decaf/Ristretto base point to

 * this function, you will get C448_448_EDDSA_ENCODE_RATIO times the

 * this function, you will get C448_EDDSA_ENCODE_RATIO times the

 * EdDSA base point.

 *

 * enc (out): The encoded point.

 * p (in): The point.

 */

void curve448_point_mul_by_ratio_and_encode_like_eddsa(

                                    uint8_t enc [C448_EDDSA_448_PUBLIC_BYTES],

                                    uint8_t enc [EDDSA_448_PUBLIC_BYTES],

                                    const curve448_point_t p);

/*

 * EdDSA point decoding.  Multiplies by C448_448_EDDSA_DECODE_RATIO, and

 * EdDSA point decoding.  Multiplies by C448_EDDSA_DECODE_RATIO, and

 * ignores cofactor information.

 *

 * See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa

 */

c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(

                            curve448_point_t p,

                            const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES]);

                            const uint8_t enc[EDDSA_448_PUBLIC_BYTES]);

/*

 * EdDSA to ECDH private key conversion

 * ed (in): The EdDSA private key

 */

c448_error_t c448_ed448_convert_private_key_to_x448(

                            uint8_t x[C448_X448_PRIVATE_BYTES],

                            const uint8_t ed[C448_EDDSA_448_PRIVATE_BYTES]);

                            uint8_t x[X448_PRIVATE_BYTES],

                            const uint8_t ed[EDDSA_448_PRIVATE_BYTES]);

#ifdef __cplusplus

} /* extern "C" */

    return C448_SUCCESS;

}

static void clamp(uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES])

static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])

{

    uint8_t hibit = (1 << 0) >> 1;

    /* Blarg */

    secret_scalar_ser[0] &= -COFACTOR;

    if (hibit == 0) {

        secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0;

        secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;

        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;

        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;

    } else {

        secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;

        secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;

        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;

        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] |= hibit;

    }

}

/* In this file because it uses the hash */

c448_error_t c448_ed448_convert_private_key_to_x448(

                            uint8_t x[C448_X448_PRIVATE_BYTES],

                            const uint8_t ed [C448_EDDSA_448_PRIVATE_BYTES])

                            uint8_t x[X448_PRIVATE_BYTES],

                            const uint8_t ed [EDDSA_448_PRIVATE_BYTES])

{

    /* pass the private key through oneshot_hash function */

    /* and keep the first C448_X448_PRIVATE_BYTES bytes */

    return oneshot_hash(x, C448_X448_PRIVATE_BYTES, ed,

                        C448_EDDSA_448_PRIVATE_BYTES);

    /* and keep the first X448_PRIVATE_BYTES bytes */

    return oneshot_hash(x, X448_PRIVATE_BYTES, ed,

                        EDDSA_448_PRIVATE_BYTES);

}

c448_error_t c448_ed448_derive_public_key(

                        uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],

                        const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES])

                        uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],

                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES])

{

    /* only this much used for keygen */

    uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES];

    uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];

    curve448_scalar_t secret_scalar;

    unsigned int c;

    curve448_point_t p;

    if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,

                      C448_EDDSA_448_PRIVATE_BYTES))

                      EDDSA_448_PRIVATE_BYTES))

        return C448_FAILURE;

    clamp(secret_scalar_ser);

     * converted it effectively picks up a factor of 2 from the isogenies.  So

     * we might start at 2 instead of 1.

     */

    for (c = 1; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1)

    for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)

        curve448_scalar_halve(secret_scalar, secret_scalar);

    curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);

}

c448_error_t c448_ed448_sign(

                        uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],

                        const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],

                        const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],

                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],

                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],

                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],

                        const uint8_t *message, size_t message_len,

                        uint8_t prehashed, const uint8_t *context,

                        size_t context_len)

    EVP_MD_CTX *hashctx = EVP_MD_CTX_new();

    c448_error_t ret = C448_FAILURE;

    curve448_scalar_t nonce_scalar;

    uint8_t nonce_point[C448_EDDSA_448_PUBLIC_BYTES] = { 0 };

    uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };

    unsigned int c;

    curve448_scalar_t challenge_scalar;

    {

        /* Schedule the secret key */

        struct {

            uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES];

            uint8_t seed[C448_EDDSA_448_PRIVATE_BYTES];

            uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];

            uint8_t seed[EDDSA_448_PRIVATE_BYTES];

        } __attribute__ ((packed)) expanded;

        if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey,

                          C448_EDDSA_448_PRIVATE_BYTES))

                          EDDSA_448_PRIVATE_BYTES))

            goto err;

        clamp(expanded.secret_scalar_ser);

        curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser,

    /* Decode the nonce */

    {

        uint8_t nonce[2 * C448_EDDSA_448_PRIVATE_BYTES];

        uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];

        if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))

            goto err;

        curve448_point_t p;

        curve448_scalar_halve(nonce_scalar_2, nonce_scalar);

        for (c = 2; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) {

        for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) {

            curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);

        }

    }

    {

        uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES];

        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        /* Compute the challenge */

        if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)

            || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))

            || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES)

            || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)

            || !EVP_DigestUpdate(hashctx, message, message_len)

            || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))

            goto err;

    curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);

    curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);

    OPENSSL_cleanse(signature, C448_EDDSA_448_SIGNATURE_BYTES);

    OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);

    memcpy(signature, nonce_point, sizeof(nonce_point));

    curve448_scalar_encode(&signature[C448_EDDSA_448_PUBLIC_BYTES],

    curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],

                           challenge_scalar);

    curve448_scalar_destroy(secret_scalar);

}

c448_error_t c448_ed448_sign_prehash(

                        uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],

                        const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],

                        const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],

                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],

                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],

                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],

                        const uint8_t hash[64], const uint8_t *context,

                        size_t context_len)

{

}

c448_error_t c448_ed448_verify(

                    const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],

                    const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],

                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],

                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],

                    const uint8_t *message, size_t message_len,

                    uint8_t prehashed, const uint8_t *context,

                    uint8_t context_len)

    {

        /* Compute the challenge */

        EVP_MD_CTX *hashctx = EVP_MD_CTX_new();

        uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES];

        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        if (hashctx == NULL

            || !hash_init_with_dom(hashctx, prehashed, 0, context, context_len)

            || !EVP_DigestUpdate(hashctx, signature,

                                 C448_EDDSA_448_PUBLIC_BYTES)

            || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES)

                                 EDDSA_448_PUBLIC_BYTES)

            || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)

            || !EVP_DigestUpdate(hashctx, message, message_len)

            || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {

            EVP_MD_CTX_free(hashctx);

                        challenge_scalar);

    curve448_scalar_decode_long(response_scalar,

                                &signature[C448_EDDSA_448_PUBLIC_BYTES],

                                C448_EDDSA_448_PRIVATE_BYTES);

                                &signature[EDDSA_448_PUBLIC_BYTES],

                                EDDSA_448_PRIVATE_BYTES);

    for (c = 1; c < C448_448_EDDSA_DECODE_RATIO; c <<= 1)

    for (c = 1; c < C448_EDDSA_DECODE_RATIO; c <<= 1)

        curve448_scalar_add(response_scalar, response_scalar, response_scalar);

    /* pk_point = -c(x(P)) + (cx + k)G = kG */

}

c448_error_t c448_ed448_verify_prehash(

                    const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],

                    const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],

                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],

                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],

                    const uint8_t hash[64], const uint8_t *context,

                    uint8_t context_len)

{

extern "C" {

#endif

# define C448_448_SCALAR_LIMBS ((446-1)/C448_WORD_BITS+1)

# define C448_SCALAR_LIMBS ((446-1)/C448_WORD_BITS+1)

/* The number of bits in a scalar */

# define C448_448_SCALAR_BITS 446

# define C448_SCALAR_BITS 446

/* Number of bytes in a serialized scalar. */

# define C448_448_SCALAR_BYTES 56

# define C448_SCALAR_BYTES 56

/* X448 encoding ratio. */

# define C448_X448_ENCODE_RATIO 2

# define X448_ENCODE_RATIO 2

/* Number of bytes in an x448 public key */

# define C448_X448_PUBLIC_BYTES 56

# define X448_PUBLIC_BYTES 56

/* Number of bytes in an x448 private key */

# define C448_X448_PRIVATE_BYTES 56

# define X448_PRIVATE_BYTES 56

/* Twisted Edwards extended homogeneous coordinates */

typedef struct curve448_point_s {

/* Scalar is stored packed, because we don't need the speed. */

typedef struct curve448_scalar_s {

    c448_word_t limb[C448_448_SCALAR_LIMBS];

    c448_word_t limb[C448_SCALAR_LIMBS];

} curve448_scalar_t[1];

/* A scalar equal to 1. */

 */

__owur c448_error_t curve448_scalar_decode(

                            curve448_scalar_t out,

                            const unsigned char ser[C448_448_SCALAR_BYTES]);

                            const unsigned char ser[C448_SCALAR_BYTES]);

/*

 * Read a scalar from wire format or from bytes.  Reduces mod scalar prime.

 * ser (out): Serialized form of a scalar.

 * s (in): Deserialized scalar.

 */

void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES],

void curve448_scalar_encode(unsigned char ser[C448_SCALAR_BYTES],

                            const curve448_scalar_t s);

/*

 * C448_FAILURE: The scalarmul didn't succeed, because the base point is in a

 * small subgroup.

 */

__owur c448_error_t c448_x448(uint8_t out[C448_X448_PUBLIC_BYTES],

                              const uint8_t base[C448_X448_PUBLIC_BYTES],

                              const uint8_t scalar[C448_X448_PRIVATE_BYTES]);

__owur c448_error_t x448_int(uint8_t out[X448_PUBLIC_BYTES],

                             const uint8_t base[X448_PUBLIC_BYTES],

                             const uint8_t scalar[X448_PRIVATE_BYTES]);

/*

 * Multiply a point by C448_X448_ENCODE_RATIO, then encode it like RFC 7748.

 * Multiply a point by X448_ENCODE_RATIO, then encode it like RFC 7748.

 *

 * This function is mainly used internally, but is exported in case

 * it will be useful.

 *

 * As it happens, this aligns with the base point definitions; that is,

 * if you pass the Decaf/Ristretto base point to this function, the result

 * will be C448_X448_ENCODE_RATIO times the X448

 * will be X448_ENCODE_RATIO times the X448

 * base point.

 *

 * out (out): The scaled and encoded point.

 * p (in): The point to be scaled and encoded.

 */

void curve448_point_mul_by_ratio_and_encode_like_x448(

                                        uint8_t out[C448_X448_PUBLIC_BYTES],

                                        uint8_t out[X448_PUBLIC_BYTES],

                                        const curve448_point_t p);

/*

 * out (out): The scaled point base*scalar

 * scalar (in): The scalar to multiply by.

 */

void c448_x448_derive_public_key(

                                uint8_t out[C448_X448_PUBLIC_BYTES],

                                const uint8_t scalar[C448_X448_PRIVATE_BYTES]);

void x448_derive_public_key(uint8_t out[X448_PUBLIC_BYTES],

                            const uint8_t scalar[X448_PRIVATE_BYTES]);

/*

 * Multiply a precomputed base point by a scalar: out = scalar*base.