// PureNoise CryptoLib (c) 1997-2004, PureNoise Ltd Vaduz <www.cryptolib.com>

#include "channel.h"

// do not try to speed up key exchange by sending more data
// many instant messaging services will not allow large messages
// 512 bit keys can fit in one 80-letter SMS... let's keep it that way
// we also need room to expand keys painlessly

ecc_point * channel_new_keypair (unsigned long *sec, ecc_point *pub)
{
	unsigned long		i, y[ECC_WORDS + 3];	// Y coordinate in binary form (converted back from n-residue)
	
	for (;;)
	{
		big_rand (sec, ECC_WORDS);
		// could be bigger than ECC_ORDER in (2^ECC_BITS - ECC_ORDER) / ECC_ORDER = approx 1/4 cases
		// mod ECC_ORDER is not the right thing to do
		while (big_compare (sec, ECC_ORDER) >= 0) sec[ECC_WORDS] += rand32 ();
		for (i = 16; i; i--)
		{
			ecc_point_mult (sec, &ECC_XYZ, pub);			// sec * XYZ = epub.XYZ
			ecc_point_norm (pub);							// ECC_EPOINT_NORMALIZED just in case
			big_redc (pub->Y, y, ECC_PRIME, ECC_NDASH);		// all we need is to make sure the LSbit of the Y coordinate is 0
			if ((y[0] == ECC_WORDS) && ((y[1] & 1) == 0))	// an extra second for the key exchange saves fucking around with one bit risking to open more dangerous holes!
			{
				while (pub->X[0] < ECC_WORDS) pub->X[++(pub->X[0])] = 0;
				pub->X[pub->X[0]+1] = 0;					// public key must be exactly ECC_WORDS long [it won't hurt calculations anyway]
				return pub;									// keeping all Y's even to reduce traffic and headache of handling an extra bit
			}
			big_padd (sec, ECC_1, sec);						// sec++; faster than a new random number
			// what are the chances of an overflow here? < 1 / 2^507 ? ;) would you really worry?
		}
	}
}