dualcone 0.0.1

data/vendor/libhydrogen/impl/secretbox.h

@@ -0,0 +1,236 @@
+#define hydro_secretbox_IVBYTES 20
+#define hydro_secretbox_SIVBYTES 20
+#define hydro_secretbox_MACBYTES 16
+
+void
+hydro_secretbox_keygen(uint8_t key[hydro_secretbox_KEYBYTES])
+{
+    hydro_random_buf(key, hydro_secretbox_KEYBYTES);
+}
+
+static void
+hydro_secretbox_xor_enc(uint8_t buf[gimli_BLOCKBYTES], uint8_t *out, const uint8_t *in,
+                        size_t inlen)
+{
+    size_t i;
+    size_t leftover;
+
+    for (i = 0; i < inlen / gimli_RATE; i++) {
+        mem_xor2(&out[i * gimli_RATE], &in[i * gimli_RATE], buf, gimli_RATE);
+        memcpy(buf, &out[i * gimli_RATE], gimli_RATE);
+        gimli_core_u8(buf, gimli_TAG_PAYLOAD);
+    }
+    leftover = inlen % gimli_RATE;
+    if (leftover != 0) {
+        mem_xor2(&out[i * gimli_RATE], &in[i * gimli_RATE], buf, leftover);
+        mem_cpy(buf, &out[i * gimli_RATE], leftover);
+    }
+    gimli_pad_u8(buf, leftover, gimli_DOMAIN_AEAD);
+    gimli_core_u8(buf, gimli_TAG_PAYLOAD);
+}
+
+static void
+hydro_secretbox_xor_dec(uint8_t buf[gimli_BLOCKBYTES], uint8_t *out, const uint8_t *in,
+                        size_t inlen)
+{
+    size_t i;
+    size_t leftover;
+
+    for (i = 0; i < inlen / gimli_RATE; i++) {
+        mem_xor2(&out[i * gimli_RATE], &in[i * gimli_RATE], buf, gimli_RATE);
+        memcpy(buf, &in[i * gimli_RATE], gimli_RATE);
+        gimli_core_u8(buf, gimli_TAG_PAYLOAD);
+    }
+    leftover = inlen % gimli_RATE;
+    if (leftover != 0) {
+        mem_xor2(&out[i * gimli_RATE], &in[i * gimli_RATE], buf, leftover);
+        mem_cpy(buf, &in[i * gimli_RATE], leftover);
+    }
+    gimli_pad_u8(buf, leftover, gimli_DOMAIN_AEAD);
+    gimli_core_u8(buf, gimli_TAG_PAYLOAD);
+}
+
+static void
+hydro_secretbox_setup(uint8_t buf[gimli_BLOCKBYTES], uint64_t msg_id,
+                      const char    ctx[hydro_secretbox_CONTEXTBYTES],
+                      const uint8_t key[hydro_secretbox_KEYBYTES],
+                      const uint8_t iv[hydro_secretbox_IVBYTES], uint8_t key_tag)
+{
+    static const uint8_t prefix[] = { 6, 's', 'b', 'x', '2', '5', '6', 8 };
+    uint8_t              msg_id_le[8];
+
+    mem_zero(buf, gimli_BLOCKBYTES);
+    COMPILER_ASSERT(hydro_secretbox_CONTEXTBYTES == 8);
+    COMPILER_ASSERT(sizeof prefix + hydro_secretbox_CONTEXTBYTES <= gimli_RATE);
+    memcpy(buf, prefix, sizeof prefix);
+    memcpy(buf + sizeof prefix, ctx, hydro_secretbox_CONTEXTBYTES);
+    COMPILER_ASSERT(sizeof prefix + hydro_secretbox_CONTEXTBYTES == gimli_RATE);
+    gimli_core_u8(buf, gimli_TAG_HEADER);
+
+    COMPILER_ASSERT(hydro_secretbox_KEYBYTES == 2 * gimli_RATE);
+    mem_xor(buf, key, gimli_RATE);
+    gimli_core_u8(buf, key_tag);
+    mem_xor(buf, key + gimli_RATE, gimli_RATE);
+    gimli_core_u8(buf, key_tag);
+
+    COMPILER_ASSERT(hydro_secretbox_IVBYTES < gimli_RATE * 2);
+    buf[0] ^= hydro_secretbox_IVBYTES;
+    mem_xor(&buf[1], iv, gimli_RATE - 1);
+    gimli_core_u8(buf, gimli_TAG_HEADER);
+    mem_xor(buf, iv + gimli_RATE - 1, hydro_secretbox_IVBYTES - (gimli_RATE - 1));
+    STORE64_LE(msg_id_le, msg_id);
+    COMPILER_ASSERT(hydro_secretbox_IVBYTES - gimli_RATE + 8 <= gimli_RATE);
+    mem_xor(buf + hydro_secretbox_IVBYTES - gimli_RATE, msg_id_le, 8);
+    gimli_core_u8(buf, gimli_TAG_HEADER);
+}
+
+static void
+hydro_secretbox_final(uint8_t *buf, const uint8_t key[hydro_secretbox_KEYBYTES], uint8_t tag)
+{
+    COMPILER_ASSERT(hydro_secretbox_KEYBYTES == gimli_CAPACITY);
+    mem_xor(buf + gimli_RATE, key, hydro_secretbox_KEYBYTES);
+    gimli_core_u8(buf, tag);
+    mem_xor(buf + gimli_RATE, key, hydro_secretbox_KEYBYTES);
+    gimli_core_u8(buf, tag);
+}
+
+static int
+hydro_secretbox_encrypt_iv(uint8_t *c, const void *m_, size_t mlen, uint64_t msg_id,
+                           const char    ctx[hydro_secretbox_CONTEXTBYTES],
+                           const uint8_t key[hydro_secretbox_KEYBYTES],
+                           const uint8_t iv[hydro_secretbox_IVBYTES])
+{
+    _hydro_attr_aligned_(16) uint32_t state[gimli_BLOCKBYTES / 4];
+    uint8_t *                         buf = (uint8_t *) (void *) state;
+    const uint8_t *                   m   = (const uint8_t *) m_;
+    uint8_t *                         siv = &c[0];
+    uint8_t *                         mac = &c[hydro_secretbox_SIVBYTES];
+    uint8_t *                         ct  = &c[hydro_secretbox_SIVBYTES + hydro_secretbox_MACBYTES];
+    size_t                            i;
+    size_t                            leftover;
+
+    if (c == m) {
+        memmove(c + hydro_secretbox_HEADERBYTES, m, mlen);
+        m = c + hydro_secretbox_HEADERBYTES;
+    }
+
+    /* first pass: compute the SIV */
+
+    hydro_secretbox_setup(buf, msg_id, ctx, key, iv, gimli_TAG_KEY0);
+    for (i = 0; i < mlen / gimli_RATE; i++) {
+        mem_xor(buf, &m[i * gimli_RATE], gimli_RATE);
+        gimli_core_u8(buf, gimli_TAG_PAYLOAD);
+    }
+    leftover = mlen % gimli_RATE;
+    if (leftover != 0) {
+        mem_xor(buf, &m[i * gimli_RATE], leftover);
+    }
+    gimli_pad_u8(buf, leftover, gimli_DOMAIN_XOF);
+    gimli_core_u8(buf, gimli_TAG_PAYLOAD);
+
+    hydro_secretbox_final(buf, key, gimli_TAG_FINAL0);
+    COMPILER_ASSERT(hydro_secretbox_SIVBYTES <= gimli_CAPACITY);
+    memcpy(siv, buf + gimli_RATE, hydro_secretbox_SIVBYTES);
+
+    /* second pass: encrypt the message, mix the key, squeeze an extra block for
+     * the MAC */
+
+    COMPILER_ASSERT(hydro_secretbox_SIVBYTES == hydro_secretbox_IVBYTES);
+    hydro_secretbox_setup(buf, msg_id, ctx, key, siv, gimli_TAG_KEY);
+    hydro_secretbox_xor_enc(buf, ct, m, mlen);
+
+    hydro_secretbox_final(buf, key, gimli_TAG_FINAL);
+    COMPILER_ASSERT(hydro_secretbox_MACBYTES <= gimli_CAPACITY);
+    memcpy(mac, buf + gimli_RATE, hydro_secretbox_MACBYTES);
+
+    return 0;
+}
+
+void
+hydro_secretbox_probe_create(uint8_t probe[hydro_secretbox_PROBEBYTES], const uint8_t *c,
+                             size_t c_len, const char ctx[hydro_secretbox_CONTEXTBYTES],
+                             const uint8_t key[hydro_secretbox_KEYBYTES])
+{
+    const uint8_t *mac;
+
+    if (c_len < hydro_secretbox_HEADERBYTES) {
+        abort();
+    }
+    mac = &c[hydro_secretbox_SIVBYTES];
+    COMPILER_ASSERT(hydro_secretbox_CONTEXTBYTES >= hydro_hash_CONTEXTBYTES);
+    COMPILER_ASSERT(hydro_secretbox_KEYBYTES >= hydro_hash_KEYBYTES);
+    hydro_hash_hash(probe, hydro_secretbox_PROBEBYTES, mac, hydro_secretbox_MACBYTES, ctx, key);
+}
+
+int
+hydro_secretbox_probe_verify(const uint8_t probe[hydro_secretbox_PROBEBYTES], const uint8_t *c,
+                             size_t c_len, const char ctx[hydro_secretbox_CONTEXTBYTES],
+                             const uint8_t key[hydro_secretbox_KEYBYTES])
+{
+    uint8_t        computed_probe[hydro_secretbox_PROBEBYTES];
+    const uint8_t *mac;
+
+    if (c_len < hydro_secretbox_HEADERBYTES) {
+        return -1;
+    }
+    mac = &c[hydro_secretbox_SIVBYTES];
+    hydro_hash_hash(computed_probe, hydro_secretbox_PROBEBYTES, mac, hydro_secretbox_MACBYTES, ctx,
+                    key);
+    if (hydro_equal(computed_probe, probe, hydro_secretbox_PROBEBYTES) == 1) {
+        return 0;
+    }
+    hydro_memzero(computed_probe, hydro_secretbox_PROBEBYTES);
+    return -1;
+}
+
+int
+hydro_secretbox_encrypt(uint8_t *c, const void *m_, size_t mlen, uint64_t msg_id,
+                        const char    ctx[hydro_secretbox_CONTEXTBYTES],
+                        const uint8_t key[hydro_secretbox_KEYBYTES])
+{
+    uint8_t iv[hydro_secretbox_IVBYTES];
+
+    hydro_random_buf(iv, sizeof iv);
+
+    return hydro_secretbox_encrypt_iv(c, m_, mlen, msg_id, ctx, key, iv);
+}
+
+int
+hydro_secretbox_decrypt(void *m_, const uint8_t *c, size_t clen, uint64_t msg_id,
+                        const char    ctx[hydro_secretbox_CONTEXTBYTES],
+                        const uint8_t key[hydro_secretbox_KEYBYTES])
+{
+    _hydro_attr_aligned_(16) uint32_t state[gimli_BLOCKBYTES / 4];
+    uint32_t                          pub_mac[hydro_secretbox_MACBYTES / 4];
+    uint8_t *                         buf = (uint8_t *) (void *) state;
+    const uint8_t *                   siv;
+    const uint8_t *                   mac;
+    const uint8_t *                   ct;
+    uint8_t *                         m = (uint8_t *) m_;
+    size_t                            mlen;
+    uint32_t                          cv;
+
+    if (clen < hydro_secretbox_HEADERBYTES) {
+        return -1;
+    }
+    siv = &c[0];
+    mac = &c[hydro_secretbox_SIVBYTES];
+    ct  = &c[hydro_secretbox_SIVBYTES + hydro_secretbox_MACBYTES];
+
+    mlen = clen - hydro_secretbox_HEADERBYTES;
+    memcpy(pub_mac, mac, sizeof pub_mac);
+    COMPILER_ASSERT(hydro_secretbox_SIVBYTES == hydro_secretbox_IVBYTES);
+    hydro_secretbox_setup(buf, msg_id, ctx, key, siv, gimli_TAG_KEY);
+    hydro_secretbox_xor_dec(buf, m, ct, mlen);
+
+    hydro_secretbox_final(buf, key, gimli_TAG_FINAL);
+    COMPILER_ASSERT(hydro_secretbox_MACBYTES <= gimli_CAPACITY);
+    COMPILER_ASSERT(gimli_RATE % 4 == 0);
+    cv = hydro_mem_ct_cmp_u32(state + gimli_RATE / 4, pub_mac, hydro_secretbox_MACBYTES / 4);
+    hydro_mem_ct_zero_u32(state, gimli_BLOCKBYTES / 4);
+    if (cv != 0) {
+        mem_zero(m, mlen);
+        return -1;
+    }
+    return 0;
+}

data/vendor/libhydrogen/impl/sign.h

@@ -0,0 +1,207 @@
+#define hydro_sign_CHALLENGEBYTES 32
+#define hydro_sign_NONCEBYTES 32
+#define hydro_sign_PREHASHBYTES 64
+
+static void
+hydro_sign_p2(uint8_t sig[hydro_x25519_BYTES], const uint8_t challenge[hydro_sign_CHALLENGEBYTES],
+              const uint8_t eph_sk[hydro_x25519_BYTES], const uint8_t sk[hydro_x25519_BYTES])
+{
+    hydro_x25519_scalar_t scalar1, scalar2, scalar3;
+
+    COMPILER_ASSERT(hydro_sign_CHALLENGEBYTES == hydro_x25519_BYTES);
+    hydro_x25519_swapin(scalar1, eph_sk);
+    hydro_x25519_swapin(scalar2, sk);
+    hydro_x25519_swapin(scalar3, challenge);
+    hydro_x25519_sc_montmul(scalar1, scalar2, scalar3);
+    mem_zero(scalar2, sizeof scalar2);
+    hydro_x25519_sc_montmul(scalar2, scalar1, hydro_x25519_sc_r2);
+    hydro_x25519_swapout(sig, scalar2);
+}
+
+static void
+hydro_sign_challenge(uint8_t       challenge[hydro_sign_CHALLENGEBYTES],
+                     const uint8_t nonce[hydro_sign_NONCEBYTES],
+                     const uint8_t pk[hydro_sign_PUBLICKEYBYTES],
+                     const uint8_t prehash[hydro_sign_PREHASHBYTES])
+{
+    hydro_hash_state st;
+
+    hydro_hash_init(&st, (const char *) zero, NULL);
+    hydro_hash_update(&st, nonce, hydro_sign_NONCEBYTES);
+    hydro_hash_update(&st, pk, hydro_sign_PUBLICKEYBYTES);
+    hydro_hash_update(&st, prehash, hydro_sign_PREHASHBYTES);
+    hydro_hash_final(&st, challenge, hydro_sign_CHALLENGEBYTES);
+}
+
+static int
+hydro_sign_prehash(uint8_t csig[hydro_sign_BYTES], const uint8_t prehash[hydro_sign_PREHASHBYTES],
+                   const uint8_t sk[hydro_sign_SECRETKEYBYTES])
+{
+    hydro_hash_state st;
+    uint8_t          challenge[hydro_sign_CHALLENGEBYTES];
+    const uint8_t *  pk     = &sk[hydro_x25519_SECRETKEYBYTES];
+    uint8_t *        nonce  = &csig[0];
+    uint8_t *        sig    = &csig[hydro_sign_NONCEBYTES];
+    uint8_t *        eph_sk = sig;
+
+    hydro_random_buf(eph_sk, hydro_x25519_SECRETKEYBYTES);
+    COMPILER_ASSERT(hydro_x25519_SECRETKEYBYTES == hydro_hash_KEYBYTES);
+    hydro_hash_init(&st, (const char *) zero, sk);
+    hydro_hash_update(&st, eph_sk, hydro_x25519_SECRETKEYBYTES);
+    hydro_hash_update(&st, prehash, hydro_sign_PREHASHBYTES);
+    hydro_hash_final(&st, eph_sk, hydro_x25519_SECRETKEYBYTES);
+
+    hydro_x25519_scalarmult_base_uniform(nonce, eph_sk);
+    hydro_sign_challenge(challenge, nonce, pk, prehash);
+
+    COMPILER_ASSERT(hydro_sign_BYTES == hydro_sign_NONCEBYTES + hydro_x25519_SECRETKEYBYTES);
+    COMPILER_ASSERT(hydro_x25519_SECRETKEYBYTES <= hydro_sign_CHALLENGEBYTES);
+    hydro_sign_p2(sig, challenge, eph_sk, sk);
+
+    return 0;
+}
+
+static int
+hydro_sign_verify_core(hydro_x25519_fe xs[5], const hydro_x25519_limb_t *other1,
+                       const uint8_t other2[hydro_x25519_BYTES])
+{
+    hydro_x25519_limb_t *     z2 = xs[1], *x3 = xs[2], *z3 = xs[3];
+    hydro_x25519_fe           xo2;
+    const hydro_x25519_limb_t sixteen = 16;
+
+    hydro_x25519_swapin(xo2, other2);
+    memcpy(x3, other1, 2 * sizeof(hydro_x25519_fe));
+    hydro_x25519_ladder_part1(xs);
+
+    /* Here z2 = t2^2 */
+    hydro_x25519_mul1(z2, other1);
+    hydro_x25519_mul1(z2, other1 + hydro_x25519_NLIMBS);
+    hydro_x25519_mul1(z2, xo2);
+
+    hydro_x25519_mul(z2, z2, &sixteen, 1);
+
+    hydro_x25519_mul1(z3, xo2);
+    hydro_x25519_sub(z3, z3, x3);
+    hydro_x25519_sqr1(z3);
+
+    /* check equality */
+    hydro_x25519_sub(z3, z3, z2);
+
+    /* canon(z2): both sides are zero. canon(z3): the two sides are equal. */
+    /* Reject sigs where both sides are zero. */
+    return hydro_x25519_canon(z2) | ~hydro_x25519_canon(z3);
+}
+
+static int
+hydro_sign_verify_p2(const uint8_t sig[hydro_x25519_BYTES],
+                     const uint8_t challenge[hydro_sign_CHALLENGEBYTES],
+                     const uint8_t nonce[hydro_sign_NONCEBYTES],
+                     const uint8_t pk[hydro_x25519_BYTES])
+{
+    hydro_x25519_fe xs[7];
+
+    hydro_x25519_core(&xs[0], challenge, pk, 0);
+    hydro_x25519_core(&xs[2], sig, hydro_x25519_BASE_POINT, 0);
+
+    return hydro_sign_verify_core(&xs[2], xs[0], nonce);
+}
+
+static int
+hydro_sign_verify_challenge(const uint8_t csig[hydro_sign_BYTES],
+                            const uint8_t challenge[hydro_sign_CHALLENGEBYTES],
+                            const uint8_t pk[hydro_sign_PUBLICKEYBYTES])
+{
+    const uint8_t *nonce = &csig[0];
+    const uint8_t *sig   = &csig[hydro_sign_NONCEBYTES];
+
+    return hydro_sign_verify_p2(sig, challenge, nonce, pk);
+}
+
+void
+hydro_sign_keygen(hydro_sign_keypair *kp)
+{
+    uint8_t *pk_copy = &kp->sk[hydro_x25519_SECRETKEYBYTES];
+
+    COMPILER_ASSERT(hydro_sign_SECRETKEYBYTES ==
+                    hydro_x25519_SECRETKEYBYTES + hydro_x25519_PUBLICKEYBYTES);
+    COMPILER_ASSERT(hydro_sign_PUBLICKEYBYTES == hydro_x25519_PUBLICKEYBYTES);
+    hydro_random_buf(kp->sk, hydro_x25519_SECRETKEYBYTES);
+    hydro_x25519_scalarmult_base_uniform(kp->pk, kp->sk);
+    memcpy(pk_copy, kp->pk, hydro_x25519_PUBLICKEYBYTES);
+}
+
+void
+hydro_sign_keygen_deterministic(hydro_sign_keypair *kp, const uint8_t seed[hydro_sign_SEEDBYTES])
+{
+    uint8_t *pk_copy = &kp->sk[hydro_x25519_SECRETKEYBYTES];
+
+    COMPILER_ASSERT(hydro_sign_SEEDBYTES >= hydro_random_SEEDBYTES);
+    hydro_random_buf_deterministic(kp->sk, hydro_x25519_SECRETKEYBYTES, seed);
+    hydro_x25519_scalarmult_base_uniform(kp->pk, kp->sk);
+    memcpy(pk_copy, kp->pk, hydro_x25519_PUBLICKEYBYTES);
+}
+
+int
+hydro_sign_init(hydro_sign_state *state, const char ctx[hydro_sign_CONTEXTBYTES])
+{
+    return hydro_hash_init(&state->hash_st, ctx, NULL);
+}
+
+int
+hydro_sign_update(hydro_sign_state *state, const void *m_, size_t mlen)
+{
+    return hydro_hash_update(&state->hash_st, m_, mlen);
+}
+
+int
+hydro_sign_final_create(hydro_sign_state *state, uint8_t csig[hydro_sign_BYTES],
+                        const uint8_t sk[hydro_sign_SECRETKEYBYTES])
+{
+    uint8_t prehash[hydro_sign_PREHASHBYTES];
+
+    hydro_hash_final(&state->hash_st, prehash, sizeof prehash);
+
+    return hydro_sign_prehash(csig, prehash, sk);
+}
+
+int
+hydro_sign_final_verify(hydro_sign_state *state, const uint8_t csig[hydro_sign_BYTES],
+                        const uint8_t pk[hydro_sign_PUBLICKEYBYTES])
+{
+    uint8_t        challenge[hydro_sign_CHALLENGEBYTES];
+    uint8_t        prehash[hydro_sign_PREHASHBYTES];
+    const uint8_t *nonce = &csig[0];
+
+    hydro_hash_final(&state->hash_st, prehash, sizeof prehash);
+    hydro_sign_challenge(challenge, nonce, pk, prehash);
+
+    return hydro_sign_verify_challenge(csig, challenge, pk);
+}
+
+int
+hydro_sign_create(uint8_t csig[hydro_sign_BYTES], const void *m_, size_t mlen,
+                  const char    ctx[hydro_sign_CONTEXTBYTES],
+                  const uint8_t sk[hydro_sign_SECRETKEYBYTES])
+{
+    hydro_sign_state st;
+
+    if (hydro_sign_init(&st, ctx) != 0 || hydro_sign_update(&st, m_, mlen) != 0 ||
+        hydro_sign_final_create(&st, csig, sk) != 0) {
+        return -1;
+    }
+    return 0;
+}
+
+int
+hydro_sign_verify(const uint8_t csig[hydro_sign_BYTES], const void *m_, size_t mlen,
+                  const char    ctx[hydro_sign_CONTEXTBYTES],
+                  const uint8_t pk[hydro_sign_PUBLICKEYBYTES])
+{
+    hydro_sign_state st;
+
+    if (hydro_sign_init(&st, ctx) != 0 || hydro_sign_update(&st, m_, mlen) != 0 ||
+        hydro_sign_final_verify(&st, csig, pk) != 0) {
+        return -1;
+    }
+    return 0;
+}

data/vendor/libhydrogen/impl/x25519.h

@@ -0,0 +1,384 @@
+/*
+ * Based on Michael Hamburg's STROBE reference implementation.
+ * Copyright (c) 2015-2016 Cryptography Research, Inc.
+ * MIT License (MIT)
+ */
+
+#if defined(__GNUC__) && defined(__SIZEOF_INT128__)
+#define hydro_x25519_WBITS 64
+#else
+#define hydro_x25519_WBITS 32
+#endif
+
+#if hydro_x25519_WBITS == 64
+typedef uint64_t    hydro_x25519_limb_t;
+typedef __uint128_t hydro_x25519_dlimb_t;
+typedef __int128_t  hydro_x25519_sdlimb_t;
+#define hydro_x25519_eswap_limb(X) LOAD64_LE((const uint8_t *) &(X))
+#define hydro_x25519_LIMB(x) x##ull
+#elif hydro_x25519_WBITS == 32
+typedef uint32_t hydro_x25519_limb_t;
+typedef uint64_t hydro_x25519_dlimb_t;
+typedef int64_t  hydro_x25519_sdlimb_t;
+#define hydro_x25519_eswap_limb(X) LOAD32_LE((const uint8_t *) &(X))
+#define hydro_x25519_LIMB(x) (uint32_t)(x##ull), (uint32_t)((x##ull) >> 32)
+#else
+#error "Need to know hydro_x25519_WBITS"
+#endif
+
+#define hydro_x25519_NLIMBS (256 / hydro_x25519_WBITS)
+typedef hydro_x25519_limb_t hydro_x25519_fe[hydro_x25519_NLIMBS];
+
+typedef hydro_x25519_limb_t hydro_x25519_scalar_t[hydro_x25519_NLIMBS];
+
+static const hydro_x25519_limb_t hydro_x25519_MONTGOMERY_FACTOR =
+    (hydro_x25519_limb_t) 0xd2b51da312547e1bull;
+
+static const hydro_x25519_scalar_t hydro_x25519_sc_p = { hydro_x25519_LIMB(0x5812631a5cf5d3ed),
+                                                         hydro_x25519_LIMB(0x14def9dea2f79cd6),
+                                                         hydro_x25519_LIMB(0x0000000000000000),
+                                                         hydro_x25519_LIMB(0x1000000000000000) };
+
+static const hydro_x25519_scalar_t hydro_x25519_sc_r2 = { hydro_x25519_LIMB(0xa40611e3449c0f01),
+                                                          hydro_x25519_LIMB(0xd00e1ba768859347),
+                                                          hydro_x25519_LIMB(0xceec73d217f5be65),
+                                                          hydro_x25519_LIMB(0x0399411b7c309a3d) };
+
+static const uint8_t hydro_x25519_BASE_POINT[hydro_x25519_BYTES] = { 9 };
+
+static const hydro_x25519_limb_t hydro_x25519_a24[1] = { 121665 };
+
+static inline hydro_x25519_limb_t
+hydro_x25519_umaal(hydro_x25519_limb_t *carry, hydro_x25519_limb_t acc, hydro_x25519_limb_t mand,
+                   hydro_x25519_limb_t mier)
+{
+    hydro_x25519_dlimb_t tmp = (hydro_x25519_dlimb_t) mand * mier + acc + *carry;
+
+    *carry = tmp >> hydro_x25519_WBITS;
+    return (hydro_x25519_limb_t) tmp;
+}
+
+static inline hydro_x25519_limb_t
+hydro_x25519_adc(hydro_x25519_limb_t *carry, hydro_x25519_limb_t acc, hydro_x25519_limb_t mand)
+{
+    hydro_x25519_dlimb_t total = (hydro_x25519_dlimb_t) *carry + acc + mand;
+
+    *carry = total >> hydro_x25519_WBITS;
+    return (hydro_x25519_limb_t) total;
+}
+
+static inline hydro_x25519_limb_t
+hydro_x25519_adc0(hydro_x25519_limb_t *carry, hydro_x25519_limb_t acc)
+{
+    hydro_x25519_dlimb_t total = (hydro_x25519_dlimb_t) *carry + acc;
+
+    *carry = total >> hydro_x25519_WBITS;
+    return (hydro_x25519_limb_t) total;
+}
+
+static void
+hydro_x25519_propagate(hydro_x25519_fe x, hydro_x25519_limb_t over)
+{
+    hydro_x25519_limb_t carry;
+    int                 i;
+
+    over = x[hydro_x25519_NLIMBS - 1] >> (hydro_x25519_WBITS - 1) | over << 1;
+    x[hydro_x25519_NLIMBS - 1] &= ~((hydro_x25519_limb_t) 1 << (hydro_x25519_WBITS - 1));
+    carry = over * 19;
+    for (i = 0; i < hydro_x25519_NLIMBS; i++) {
+        x[i] = hydro_x25519_adc0(&carry, x[i]);
+    }
+}
+
+static void
+hydro_x25519_add(hydro_x25519_fe out, const hydro_x25519_fe a, const hydro_x25519_fe b)
+{
+    hydro_x25519_limb_t carry = 0;
+    int                 i;
+
+    for (i = 0; i < hydro_x25519_NLIMBS; i++) {
+        out[i] = hydro_x25519_adc(&carry, a[i], b[i]);
+    }
+    hydro_x25519_propagate(out, carry);
+}
+
+static void
+hydro_x25519_sub(hydro_x25519_fe out, const hydro_x25519_fe a, const hydro_x25519_fe b)
+{
+    hydro_x25519_sdlimb_t carry = -38;
+    int                   i;
+
+    for (i = 0; i < hydro_x25519_NLIMBS; i++) {
+        out[i] = (hydro_x25519_limb_t)(carry = carry + a[i] - b[i]);
+        carry >>= hydro_x25519_WBITS;
+    }
+    hydro_x25519_propagate(out, (hydro_x25519_limb_t)(1 + carry));
+}
+
+static void
+hydro_x25519_swapin(hydro_x25519_limb_t *x, const uint8_t *in)
+{
+    int i;
+
+    memcpy(x, in, sizeof(hydro_x25519_fe));
+    for (i = 0; i < hydro_x25519_NLIMBS; i++) {
+        x[i] = hydro_x25519_eswap_limb(x[i]);
+    }
+}
+
+static void
+hydro_x25519_swapout(uint8_t *out, hydro_x25519_limb_t *x)
+{
+    int i;
+
+    for (i = 0; i < hydro_x25519_NLIMBS; i++) {
+        x[i] = hydro_x25519_eswap_limb(x[i]);
+    }
+    memcpy(out, x, sizeof(hydro_x25519_fe));
+}
+
+static void
+hydro_x25519_mul(hydro_x25519_fe out, const hydro_x25519_fe a, const hydro_x25519_fe b, int nb)
+{
+    hydro_x25519_limb_t accum[2 * hydro_x25519_NLIMBS] = { 0 };
+    hydro_x25519_limb_t carry2;
+    int                 i, j;
+
+    for (i = 0; i < nb; i++) {
+        carry2                   = 0;
+        hydro_x25519_limb_t mand = b[i];
+        for (j = 0; j < hydro_x25519_NLIMBS; j++) {
+            accum[i + j] = hydro_x25519_umaal(&carry2, accum[i + j], mand, a[j]);
+        }
+        accum[i + j] = carry2;
+    }
+    carry2 = 0;
+    for (j = 0; j < hydro_x25519_NLIMBS; j++) {
+        const hydro_x25519_limb_t mand = 38;
+
+        out[j] = hydro_x25519_umaal(&carry2, accum[j], mand, accum[j + hydro_x25519_NLIMBS]);
+    }
+    hydro_x25519_propagate(out, carry2);
+}
+
+static void
+hydro_x25519_sqr(hydro_x25519_fe out, const hydro_x25519_fe a)
+{
+    hydro_x25519_mul(out, a, a, hydro_x25519_NLIMBS);
+}
+
+static void
+hydro_x25519_mul1(hydro_x25519_fe out, const hydro_x25519_fe a)
+{
+    hydro_x25519_mul(out, a, out, hydro_x25519_NLIMBS);
+}
+
+static void
+hydro_x25519_sqr1(hydro_x25519_fe a)
+{
+    hydro_x25519_mul1(a, a);
+}
+
+static void
+hydro_x25519_condswap(hydro_x25519_limb_t a[2 * hydro_x25519_NLIMBS],
+                      hydro_x25519_limb_t b[2 * hydro_x25519_NLIMBS], hydro_x25519_limb_t doswap)
+{
+    int i;
+
+    for (i = 0; i < 2 * hydro_x25519_NLIMBS; i++) {
+        hydro_x25519_limb_t xorv = (a[i] ^ b[i]) & doswap;
+        a[i] ^= xorv;
+        b[i] ^= xorv;
+    }
+}
+
+static int
+hydro_x25519_canon(hydro_x25519_fe x)
+{
+    hydro_x25519_sdlimb_t carry;
+    hydro_x25519_limb_t   carry0 = 19;
+    hydro_x25519_limb_t   res;
+    int                   i;
+
+    for (i = 0; i < hydro_x25519_NLIMBS; i++) {
+        x[i] = hydro_x25519_adc0(&carry0, x[i]);
+    }
+    hydro_x25519_propagate(x, carry0);
+    carry = -19;
+    res   = 0;
+    for (i = 0; i < hydro_x25519_NLIMBS; i++) {
+        res |= x[i] = (hydro_x25519_limb_t)(carry += x[i]);
+        carry >>= hydro_x25519_WBITS;
+    }
+    return ((hydro_x25519_dlimb_t) res - 1) >> hydro_x25519_WBITS;
+}
+
+static void
+hydro_x25519_ladder_part1(hydro_x25519_fe xs[5])
+{
+    hydro_x25519_limb_t *x2 = xs[0], *z2 = xs[1], *x3 = xs[2], *z3 = xs[3], *t1 = xs[4];
+
+    hydro_x25519_add(t1, x2, z2);              // t1 = A
+    hydro_x25519_sub(z2, x2, z2);              // z2 = B
+    hydro_x25519_add(x2, x3, z3);              // x2 = C
+    hydro_x25519_sub(z3, x3, z3);              // z3 = D
+    hydro_x25519_mul1(z3, t1);                 // z3 = DA
+    hydro_x25519_mul1(x2, z2);                 // x3 = BC
+    hydro_x25519_add(x3, z3, x2);              // x3 = DA+CB
+    hydro_x25519_sub(z3, z3, x2);              // z3 = DA-CB
+    hydro_x25519_sqr1(t1);                     // t1 = AA
+    hydro_x25519_sqr1(z2);                     // z2 = BB
+    hydro_x25519_sub(x2, t1, z2);              // x2 = E = AA-BB
+    hydro_x25519_mul(z2, x2, hydro_x25519_a24, // z2 = E*a24
+                     sizeof(hydro_x25519_a24) / sizeof(hydro_x25519_a24[0]));
+    hydro_x25519_add(z2, z2, t1); // z2 = E*a24 + AA
+}
+
+static void
+hydro_x25519_ladder_part2(hydro_x25519_fe xs[5], const hydro_x25519_fe x1)
+{
+    hydro_x25519_limb_t *x2 = xs[0], *z2 = xs[1], *x3 = xs[2], *z3 = xs[3], *t1 = xs[4];
+
+    hydro_x25519_sqr1(z3);        // z3 = (DA-CB)^2
+    hydro_x25519_mul1(z3, x1);    // z3 = x1 * (DA-CB)^2
+    hydro_x25519_sqr1(x3);        // x3 = (DA+CB)^2
+    hydro_x25519_mul1(z2, x2);    // z2 = AA*(E*a24+AA)
+    hydro_x25519_sub(x2, t1, x2); // x2 = BB again
+    hydro_x25519_mul1(x2, t1);    // x2 = AA*BB
+}
+
+static void
+hydro_x25519_core(hydro_x25519_fe xs[5], const uint8_t scalar[hydro_x25519_BYTES],
+                  const uint8_t *x1, bool clamp)
+{
+    hydro_x25519_limb_t  swap;
+    hydro_x25519_limb_t *x2 = xs[0], *x3 = xs[2], *z3 = xs[3];
+    hydro_x25519_fe      x1i;
+    int                  i;
+
+    hydro_x25519_swapin(x1i, x1);
+    x1   = (const uint8_t *) x1i;
+    swap = 0;
+    mem_zero(xs, 4 * sizeof(hydro_x25519_fe));
+    x2[0] = z3[0] = 1;
+    memcpy(x3, x1, sizeof(hydro_x25519_fe));
+    for (i = 255; i >= 0; i--) {
+        uint8_t             bytei = scalar[i / 8];
+        hydro_x25519_limb_t doswap;
+        hydro_x25519_fe     x1_dup;
+
+        if (clamp) {
+            if (i / 8 == 0) {
+                bytei &= ~7;
+            } else if (i / 8 == hydro_x25519_BYTES - 1) {
+                bytei &= 0x7F;
+                bytei |= 0x40;
+            }
+        }
+        doswap = 1U + ~(hydro_x25519_limb_t)((bytei >> (i % 8)) & 1);
+        hydro_x25519_condswap(x2, x3, swap ^ doswap);
+        swap = doswap;
+        hydro_x25519_ladder_part1(xs);
+        memcpy(x1_dup, x1, sizeof x1_dup);
+        hydro_x25519_ladder_part2(xs, x1_dup);
+    }
+    hydro_x25519_condswap(x2, x3, swap);
+}
+
+static int
+hydro_x25519_scalarmult(uint8_t       out[hydro_x25519_BYTES],
+                        const uint8_t scalar[hydro_x25519_SECRETKEYBYTES],
+                        const uint8_t x1[hydro_x25519_PUBLICKEYBYTES], bool clamp)
+{
+    hydro_x25519_fe      xs[5];
+    hydro_x25519_limb_t *x2, *z2, *z3;
+    hydro_x25519_limb_t *prev;
+    int                  i;
+    int                  ret;
+
+    hydro_x25519_core(xs, scalar, x1, clamp);
+
+    /* Precomputed inversion chain */
+    x2   = xs[0];
+    z2   = xs[1];
+    z3   = xs[3];
+    prev = z2;
+
+    /* Raise to the p-2 = 0x7f..ffeb */
+    for (i = 253; i >= 0; i--) {
+        hydro_x25519_sqr(z3, prev);
+        prev = z3;
+        if (i >= 8 || (0xeb >> i & 1)) {
+            hydro_x25519_mul1(z3, z2);
+        }
+    }
+
+    /* Here prev = z3 */
+    /* x2 /= z2 */
+    hydro_x25519_mul1(x2, z3);
+    ret = hydro_x25519_canon(x2);
+    hydro_x25519_swapout(out, x2);
+
+    if (clamp == 0) {
+        return 0;
+    }
+    return ret;
+}
+
+static inline int
+hydro_x25519_scalarmult_base(uint8_t       pk[hydro_x25519_PUBLICKEYBYTES],
+                             const uint8_t sk[hydro_x25519_SECRETKEYBYTES])
+{
+    return hydro_x25519_scalarmult(pk, sk, hydro_x25519_BASE_POINT, 1);
+}
+
+static inline void
+hydro_x25519_scalarmult_base_uniform(uint8_t       pk[hydro_x25519_PUBLICKEYBYTES],
+                                     const uint8_t sk[hydro_x25519_SECRETKEYBYTES])
+{
+    if (hydro_x25519_scalarmult(pk, sk, hydro_x25519_BASE_POINT, 0) != 0) {
+        abort();
+    }
+}
+
+static void
+hydro_x25519_sc_montmul(hydro_x25519_scalar_t out, const hydro_x25519_scalar_t a,
+                        const hydro_x25519_scalar_t b)
+{
+    hydro_x25519_limb_t hic = 0;
+    int                 i, j;
+
+    for (i = 0; i < hydro_x25519_NLIMBS; i++) {
+        hydro_x25519_limb_t carry = 0, carry2 = 0, mand = a[i],
+                            mand2 = hydro_x25519_MONTGOMERY_FACTOR;
+
+        for (j = 0; j < hydro_x25519_NLIMBS; j++) {
+            hydro_x25519_limb_t acc = out[j];
+
+            acc = hydro_x25519_umaal(&carry, acc, mand, b[j]);
+            if (j == 0) {
+                mand2 *= acc;
+            }
+            acc = hydro_x25519_umaal(&carry2, acc, mand2, hydro_x25519_sc_p[j]);
+            if (j > 0) {
+                out[j - 1] = acc;
+            }
+        }
+
+        /* Add two carry registers and high carry */
+        out[hydro_x25519_NLIMBS - 1] = hydro_x25519_adc(&hic, carry, carry2);
+    }
+
+    /* Reduce */
+    hydro_x25519_sdlimb_t scarry = 0;
+    for (i = 0; i < hydro_x25519_NLIMBS; i++) {
+        out[i] = (hydro_x25519_limb_t)(scarry = scarry + out[i] - hydro_x25519_sc_p[i]);
+        scarry >>= hydro_x25519_WBITS;
+    }
+    hydro_x25519_limb_t need_add = (hydro_x25519_limb_t) - (scarry + hic);
+
+    hydro_x25519_limb_t carry = 0;
+    for (i = 0; i < hydro_x25519_NLIMBS; i++) {
+        out[i] = hydro_x25519_umaal(&carry, out[i], need_add, hydro_x25519_sc_p[i]);
+    }
+}