ed25519_blake2b 0.1.1

data/ext/ed25519_blake2b/ed25519-donna-batchverify.h

@@ -0,0 +1,275 @@
+/*
+	Ed25519 batch verification
+*/
+
+#define max_batch_size 64
+#define heap_batch_size ((max_batch_size * 2) + 1)
+
+/* which limb is the 128th bit in? */
+static const size_t limb128bits = (128 + bignum256modm_bits_per_limb - 1) / bignum256modm_bits_per_limb;
+
+typedef size_t heap_index_t;
+
+typedef struct batch_heap_t {
+	unsigned char r[heap_batch_size][16]; /* 128 bit random values */
+	ge25519 points[heap_batch_size];
+	bignum256modm scalars[heap_batch_size];
+	heap_index_t heap[heap_batch_size];
+	size_t size;
+} batch_heap;
+
+/* swap two values in the heap */
+static void
+heap_swap(heap_index_t *heap, size_t a, size_t b) {
+	heap_index_t temp;
+	temp = heap[a];
+	heap[a] = heap[b];
+	heap[b] = temp;
+}
+
+/* add the scalar at the end of the list to the heap */
+static void
+heap_insert_next(batch_heap *heap) {
+	size_t node = heap->size, parent;
+	heap_index_t *pheap = heap->heap;
+	bignum256modm *scalars = heap->scalars;
+
+	/* insert at the bottom */
+	pheap[node] = (heap_index_t)node;
+
+	/* sift node up to its sorted spot */
+	parent = (node - 1) / 2;
+	while (node && lt256_modm_batch(scalars[pheap[parent]], scalars[pheap[node]], bignum256modm_limb_size - 1)) {
+		heap_swap(pheap, parent, node);
+		node = parent;
+		parent = (node - 1) / 2;
+	}
+	heap->size++;
+}
+
+/* update the heap when the root element is updated */
+static void
+heap_updated_root(batch_heap *heap, size_t limbsize) {
+	size_t node, parent, childr, childl;
+	heap_index_t *pheap = heap->heap;
+	bignum256modm *scalars = heap->scalars;
+
+	/* sift root to the bottom */
+	parent = 0;
+	node = 1;
+	childl = 1;
+	childr = 2;
+	while ((childr < heap->size)) {
+		node = lt256_modm_batch(scalars[pheap[childl]], scalars[pheap[childr]], limbsize) ? childr : childl;
+		heap_swap(pheap, parent, node);
+		parent = node;
+		childl = (parent * 2) + 1;
+		childr = childl + 1;
+	}
+
+	/* sift root back up to its sorted spot */
+	parent = (node - 1) / 2;
+	while (node && lte256_modm_batch(scalars[pheap[parent]], scalars[pheap[node]], limbsize)) {
+		heap_swap(pheap, parent, node);
+		node = parent;
+		parent = (node - 1) / 2;
+	}
+}
+
+/* build the heap with count elements, count must be >= 3 */
+static void
+heap_build(batch_heap *heap, size_t count) {
+	heap->heap[0] = 0;
+	heap->size = 0;
+	while (heap->size < count)
+		heap_insert_next(heap);
+}
+
+/* extend the heap to contain new_count elements */
+static void
+heap_extend(batch_heap *heap, size_t new_count) {
+	while (heap->size < new_count)
+		heap_insert_next(heap);
+}
+
+/* get the top 2 elements of the heap */
+static void
+heap_get_top2(batch_heap *heap, heap_index_t *max1, heap_index_t *max2, size_t limbsize) {
+	heap_index_t h0 = heap->heap[0], h1 = heap->heap[1], h2 = heap->heap[2];
+	if (lt256_modm_batch(heap->scalars[h1], heap->scalars[h2], limbsize))
+		h1 = h2;
+	*max1 = h0;
+	*max2 = h1;
+}
+
+/* */
+static void
+ge25519_multi_scalarmult_vartime_final(ge25519 *r, ge25519 *point, bignum256modm scalar) {
+	const bignum256modm_element_t topbit = ((bignum256modm_element_t)1 << (bignum256modm_bits_per_limb - 1));
+	size_t limb = limb128bits;
+	bignum256modm_element_t flag;
+
+	if (isone256_modm_batch(scalar)) {
+		/* this will happen most of the time after bos-carter */
+		*r = *point;
+		return;
+	} else if (iszero256_modm_batch(scalar)) {
+		/* this will only happen if all scalars == 0 */
+		memset(r, 0, sizeof(*r));
+		r->y[0] = 1;
+		r->z[0] = 1;
+		return;
+	}
+
+	*r = *point;
+
+	/* find the limb where first bit is set */
+	while (!scalar[limb])
+		limb--;
+
+	/* find the first bit */
+	flag = topbit;
+	while ((scalar[limb] & flag) == 0)
+		flag >>= 1;
+
+	/* exponentiate */
+	for (;;) {
+		ge25519_double(r, r);
+		if (scalar[limb] & flag)
+			ge25519_add(r, r, point);
+
+		flag >>= 1;
+		if (!flag) {
+			if (!limb--)
+				break;
+			flag = topbit;
+		}
+	}
+}
+
+/* count must be >= 5 */
+static void
+ge25519_multi_scalarmult_vartime(ge25519 *r, batch_heap *heap, size_t count) {
+	heap_index_t max1, max2;
+
+	/* start with the full limb size */
+	size_t limbsize = bignum256modm_limb_size - 1;
+
+	/* whether the heap has been extended to include the 128 bit scalars */
+	int extended = 0;
+
+	/* grab an odd number of scalars to build the heap, unknown limb sizes */
+	heap_build(heap, ((count + 1) / 2) | 1);
+
+	for (;;) {
+		heap_get_top2(heap, &max1, &max2, limbsize);
+
+		/* only one scalar remaining, we're done */
+		if (iszero256_modm_batch(heap->scalars[max2]))
+			break;
+
+		/* exhausted another limb? */
+		if (!heap->scalars[max1][limbsize])
+			limbsize -= 1;
+
+		/* can we extend to the 128 bit scalars? */
+		if (!extended && isatmost128bits256_modm_batch(heap->scalars[max1])) {
+			heap_extend(heap, count);
+			heap_get_top2(heap, &max1, &max2, limbsize);
+			extended = 1;
+		}
+
+		sub256_modm_batch(heap->scalars[max1], heap->scalars[max1], heap->scalars[max2], limbsize);
+		ge25519_add(&heap->points[max2], &heap->points[max2], &heap->points[max1]);
+		heap_updated_root(heap, limbsize);
+	}
+
+	ge25519_multi_scalarmult_vartime_final(r, &heap->points[max1], heap->scalars[max1]);
+}
+
+/* not actually used for anything other than testing */
+unsigned char batch_point_buffer[3][32];
+
+static int
+ge25519_is_neutral_vartime(const ge25519 *p) {
+	static const unsigned char zero[32] = {0};
+	unsigned char point_buffer[3][32];
+	curve25519_contract(point_buffer[0], p->x);
+	curve25519_contract(point_buffer[1], p->y);
+	curve25519_contract(point_buffer[2], p->z);
+	memcpy(batch_point_buffer[1], point_buffer[1], 32);
+	return (memcmp(point_buffer[0], zero, 32) == 0) && (memcmp(point_buffer[1], point_buffer[2], 32) == 0);
+}
+
+int
+ED25519_FN(ed25519_sign_open_batch) (const unsigned char **m, size_t *mlen, const unsigned char **pk, const unsigned char **RS, size_t num, int *valid) {
+	batch_heap ALIGN(16) batch;
+	ge25519 ALIGN(16) p;
+	bignum256modm *r_scalars;
+	size_t i, batchsize;
+	unsigned char hram[64];
+	int ret = 0;
+
+	for (i = 0; i < num; i++)
+		valid[i] = 1;
+
+	while (num > 3) {
+		batchsize = (num > max_batch_size) ? max_batch_size : num;
+
+		/* generate r (scalars[batchsize+1]..scalars[2*batchsize] */
+		ED25519_FN(ed25519_randombytes_unsafe) (batch.r, batchsize * 16);
+		r_scalars = &batch.scalars[batchsize + 1];
+		for (i = 0; i < batchsize; i++)
+			expand256_modm(r_scalars[i], batch.r[i], 16);
+
+		/* compute scalars[0] = ((r1s1 + r2s2 + ...)) */
+		for (i = 0; i < batchsize; i++) {
+			expand256_modm(batch.scalars[i], RS[i] + 32, 32);
+			mul256_modm(batch.scalars[i], batch.scalars[i], r_scalars[i]);
+		}
+		for (i = 1; i < batchsize; i++)
+			add256_modm(batch.scalars[0], batch.scalars[0], batch.scalars[i]);
+
+		/* compute scalars[1]..scalars[batchsize] as r[i]*H(R[i],A[i],m[i]) */
+		for (i = 0; i < batchsize; i++) {
+			ed25519_hram(hram, RS[i], pk[i], m[i], mlen[i]);
+			expand256_modm(batch.scalars[i+1], hram, 64);
+			mul256_modm(batch.scalars[i+1], batch.scalars[i+1], r_scalars[i]);
+		}
+
+		/* compute points */
+		batch.points[0] = ge25519_basepoint;
+		for (i = 0; i < batchsize; i++)
+			if (!ge25519_unpack_negative_vartime(&batch.points[i+1], pk[i]))
+				goto fallback;
+		for (i = 0; i < batchsize; i++)
+			if (!ge25519_unpack_negative_vartime(&batch.points[batchsize+i+1], RS[i]))
+				goto fallback;
+
+		ge25519_multi_scalarmult_vartime(&p, &batch, (batchsize * 2) + 1);
+		if (!ge25519_is_neutral_vartime(&p)) {
+			ret |= 2;
+
+			fallback:
+			for (i = 0; i < batchsize; i++) {
+				valid[i] = ED25519_FN(ed25519_sign_open) (m[i], mlen[i], pk[i], RS[i]) ? 0 : 1;
+				ret |= (valid[i] ^ 1);
+			}
+		}
+
+		m += batchsize;
+		mlen += batchsize;
+		pk += batchsize;
+		RS += batchsize;
+		num -= batchsize;
+		valid += batchsize;
+	}
+
+	for (i = 0; i < num; i++) {
+		valid[i] = ED25519_FN(ed25519_sign_open) (m[i], mlen[i], pk[i], RS[i]) ? 0 : 1;
+		ret |= (valid[i] ^ 1);
+	}
+
+	return ret;
+}
+

data/ext/ed25519_blake2b/ed25519-donna-impl-base.h

@@ -0,0 +1,364 @@
+/*
+	conversions
+*/
+
+DONNA_INLINE static void
+ge25519_p1p1_to_partial(ge25519 *r, const ge25519_p1p1 *p) {
+	curve25519_mul(r->x, p->x, p->t);
+	curve25519_mul(r->y, p->y, p->z);
+	curve25519_mul(r->z, p->z, p->t); 
+}
+
+DONNA_INLINE static void
+ge25519_p1p1_to_full(ge25519 *r, const ge25519_p1p1 *p) {
+	curve25519_mul(r->x, p->x, p->t);
+	curve25519_mul(r->y, p->y, p->z);
+	curve25519_mul(r->z, p->z, p->t); 
+	curve25519_mul(r->t, p->x, p->y); 
+}
+
+static void
+ge25519_full_to_pniels(ge25519_pniels *p, const ge25519 *r) {
+	curve25519_sub(p->ysubx, r->y, r->x);
+	curve25519_add(p->xaddy, r->y, r->x);
+	curve25519_copy(p->z, r->z);
+	curve25519_mul(p->t2d, r->t, ge25519_ec2d);
+}
+
+/*
+	adding & doubling
+*/
+
+static void
+ge25519_add_p1p1(ge25519_p1p1 *r, const ge25519 *p, const ge25519 *q) {
+	bignum25519 a,b,c,d,t,u;
+
+	curve25519_sub(a, p->y, p->x);
+	curve25519_add(b, p->y, p->x);
+	curve25519_sub(t, q->y, q->x);
+	curve25519_add(u, q->y, q->x);
+	curve25519_mul(a, a, t);
+	curve25519_mul(b, b, u);
+	curve25519_mul(c, p->t, q->t);
+	curve25519_mul(c, c, ge25519_ec2d);
+	curve25519_mul(d, p->z, q->z);
+	curve25519_add(d, d, d);
+	curve25519_sub(r->x, b, a);
+	curve25519_add(r->y, b, a);
+	curve25519_add_after_basic(r->z, d, c);
+	curve25519_sub_after_basic(r->t, d, c);
+}
+
+
+static void
+ge25519_double_p1p1(ge25519_p1p1 *r, const ge25519 *p) {
+	bignum25519 a,b,c;
+
+	curve25519_square(a, p->x);
+	curve25519_square(b, p->y);
+	curve25519_square(c, p->z);
+	curve25519_add_reduce(c, c, c);
+	curve25519_add(r->x, p->x, p->y);
+	curve25519_square(r->x, r->x);
+	curve25519_add(r->y, b, a);
+	curve25519_sub(r->z, b, a);
+	curve25519_sub_after_basic(r->x, r->x, r->y);
+	curve25519_sub_after_basic(r->t, c, r->z);
+}
+
+static void
+ge25519_nielsadd2_p1p1(ge25519_p1p1 *r, const ge25519 *p, const ge25519_niels *q, unsigned char signbit) {
+	const bignum25519 *qb = (const bignum25519 *)q;
+	bignum25519 *rb = (bignum25519 *)r;
+	bignum25519 a,b,c;
+
+	curve25519_sub(a, p->y, p->x);
+	curve25519_add(b, p->y, p->x);
+	curve25519_mul(a, a, qb[signbit]); /* x for +, y for - */
+	curve25519_mul(r->x, b, qb[signbit^1]); /* y for +, x for - */
+	curve25519_add(r->y, r->x, a);
+	curve25519_sub(r->x, r->x, a);
+	curve25519_mul(c, p->t, q->t2d);
+	curve25519_add_reduce(r->t, p->z, p->z);
+	curve25519_copy(r->z, r->t);
+	curve25519_add(rb[2+signbit], rb[2+signbit], c); /* z for +, t for - */
+	curve25519_sub(rb[2+(signbit^1)], rb[2+(signbit^1)], c); /* t for +, z for - */
+}
+
+static void
+ge25519_pnielsadd_p1p1(ge25519_p1p1 *r, const ge25519 *p, const ge25519_pniels *q, unsigned char signbit) {
+	const bignum25519 *qb = (const bignum25519 *)q;
+	bignum25519 *rb = (bignum25519 *)r;
+	bignum25519 a,b,c;
+
+	curve25519_sub(a, p->y, p->x);
+	curve25519_add(b, p->y, p->x);
+	curve25519_mul(a, a, qb[signbit]); /* ysubx for +, xaddy for - */
+	curve25519_mul(r->x, b, qb[signbit^1]); /* xaddy for +, ysubx for - */
+	curve25519_add(r->y, r->x, a);
+	curve25519_sub(r->x, r->x, a);
+	curve25519_mul(c, p->t, q->t2d);
+	curve25519_mul(r->t, p->z, q->z);
+	curve25519_add_reduce(r->t, r->t, r->t);
+	curve25519_copy(r->z, r->t);
+	curve25519_add(rb[2+signbit], rb[2+signbit], c); /* z for +, t for - */
+	curve25519_sub(rb[2+(signbit^1)], rb[2+(signbit^1)], c); /* t for +, z for - */
+}
+
+static void
+ge25519_double_partial(ge25519 *r, const ge25519 *p) {
+	ge25519_p1p1 t;
+	ge25519_double_p1p1(&t, p);
+	ge25519_p1p1_to_partial(r, &t);
+}
+
+static void
+ge25519_double(ge25519 *r, const ge25519 *p) {
+	ge25519_p1p1 t;
+	ge25519_double_p1p1(&t, p);
+	ge25519_p1p1_to_full(r, &t);
+}
+
+static void
+ge25519_add(ge25519 *r, const ge25519 *p,  const ge25519 *q) {
+	ge25519_p1p1 t;
+	ge25519_add_p1p1(&t, p, q);
+	ge25519_p1p1_to_full(r, &t);
+}
+
+static void
+ge25519_nielsadd2(ge25519 *r, const ge25519_niels *q) {
+	bignum25519 a,b,c,e,f,g,h;
+
+	curve25519_sub(a, r->y, r->x);
+	curve25519_add(b, r->y, r->x);
+	curve25519_mul(a, a, q->ysubx);
+	curve25519_mul(e, b, q->xaddy);
+	curve25519_add(h, e, a);
+	curve25519_sub(e, e, a);
+	curve25519_mul(c, r->t, q->t2d);
+	curve25519_add(f, r->z, r->z);
+	curve25519_add_after_basic(g, f, c);
+	curve25519_sub_after_basic(f, f, c);
+	curve25519_mul(r->x, e, f);
+	curve25519_mul(r->y, h, g);
+	curve25519_mul(r->z, g, f);
+	curve25519_mul(r->t, e, h);
+}
+
+static void
+ge25519_pnielsadd(ge25519_pniels *r, const ge25519 *p, const ge25519_pniels *q) {
+	bignum25519 a,b,c,x,y,z,t;
+
+	curve25519_sub(a, p->y, p->x);
+	curve25519_add(b, p->y, p->x);
+	curve25519_mul(a, a, q->ysubx);
+	curve25519_mul(x, b, q->xaddy);
+	curve25519_add(y, x, a);
+	curve25519_sub(x, x, a);
+	curve25519_mul(c, p->t, q->t2d);
+	curve25519_mul(t, p->z, q->z);
+	curve25519_add(t, t, t);
+	curve25519_add_after_basic(z, t, c);
+	curve25519_sub_after_basic(t, t, c);
+	curve25519_mul(r->xaddy, x, t);
+	curve25519_mul(r->ysubx, y, z);
+	curve25519_mul(r->z, z, t);
+	curve25519_mul(r->t2d, x, y);
+	curve25519_copy(y, r->ysubx);
+	curve25519_sub(r->ysubx, r->ysubx, r->xaddy);
+	curve25519_add(r->xaddy, r->xaddy, y);
+	curve25519_mul(r->t2d, r->t2d, ge25519_ec2d);
+}
+
+
+/*
+	pack & unpack
+*/
+
+static void
+ge25519_pack(unsigned char r[32], const ge25519 *p) {
+	bignum25519 tx, ty, zi;
+	unsigned char parity[32];
+	curve25519_recip(zi, p->z);
+	curve25519_mul(tx, p->x, zi);
+	curve25519_mul(ty, p->y, zi);
+	curve25519_contract(r, ty);
+	curve25519_contract(parity, tx);
+	r[31] ^= ((parity[0] & 1) << 7);
+}
+
+static int
+ge25519_unpack_negative_vartime(ge25519 *r, const unsigned char p[32]) {
+	static const unsigned char zero[32] = {0};
+	static const bignum25519 one = {1};
+	unsigned char parity = p[31] >> 7;
+	unsigned char check[32];
+	bignum25519 t, root, num, den, d3;
+
+	curve25519_expand(r->y, p);
+	curve25519_copy(r->z, one);
+	curve25519_square(num, r->y); /* x = y^2 */
+	curve25519_mul(den, num, ge25519_ecd); /* den = dy^2 */
+	curve25519_sub_reduce(num, num, r->z); /* x = y^1 - 1 */
+	curve25519_add(den, den, r->z); /* den = dy^2 + 1 */
+
+	/* Computation of sqrt(num/den) */
+	/* 1.: computation of num^((p-5)/8)*den^((7p-35)/8) = (num*den^7)^((p-5)/8) */
+	curve25519_square(t, den);
+	curve25519_mul(d3, t, den);
+	curve25519_square(r->x, d3);
+	curve25519_mul(r->x, r->x, den);
+	curve25519_mul(r->x, r->x, num);
+	curve25519_pow_two252m3(r->x, r->x);
+
+	/* 2. computation of r->x = num * den^3 * (num*den^7)^((p-5)/8) */
+	curve25519_mul(r->x, r->x, d3);
+	curve25519_mul(r->x, r->x, num);
+
+	/* 3. Check if either of the roots works: */
+	curve25519_square(t, r->x);
+	curve25519_mul(t, t, den);
+	curve25519_sub_reduce(root, t, num);
+	curve25519_contract(check, root);
+	if (!ed25519_verify(check, zero, 32)) {
+		curve25519_add_reduce(t, t, num);
+		curve25519_contract(check, t);
+		if (!ed25519_verify(check, zero, 32))
+			return 0;
+		curve25519_mul(r->x, r->x, ge25519_sqrtneg1);
+	}
+
+	curve25519_contract(check, r->x);
+	if ((check[0] & 1) == parity) {
+		curve25519_copy(t, r->x);
+		curve25519_neg(r->x, t);
+	}
+	curve25519_mul(r->t, r->x, r->y);
+	return 1;
+}
+
+
+/*
+	scalarmults
+*/
+
+#define S1_SWINDOWSIZE 5
+#define S1_TABLE_SIZE (1<<(S1_SWINDOWSIZE-2))
+#define S2_SWINDOWSIZE 7
+#define S2_TABLE_SIZE (1<<(S2_SWINDOWSIZE-2))
+
+/* computes [s1]p1 + [s2]basepoint */
+static void 
+ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256modm s1, const bignum256modm s2) {
+	signed char slide1[256], slide2[256];
+	ge25519_pniels pre1[S1_TABLE_SIZE];
+	ge25519 d1;
+	ge25519_p1p1 t;
+	int32_t i;
+
+	contract256_slidingwindow_modm(slide1, s1, S1_SWINDOWSIZE);
+	contract256_slidingwindow_modm(slide2, s2, S2_SWINDOWSIZE);
+
+	ge25519_double(&d1, p1);
+	ge25519_full_to_pniels(pre1, p1);
+	for (i = 0; i < S1_TABLE_SIZE - 1; i++)
+		ge25519_pnielsadd(&pre1[i+1], &d1, &pre1[i]);
+
+	/* set neutral */
+	memset(r, 0, sizeof(ge25519));
+	r->y[0] = 1;
+	r->z[0] = 1;
+
+	i = 255;
+	while ((i >= 0) && !(slide1[i] | slide2[i]))
+		i--;
+
+	for (; i >= 0; i--) {
+		ge25519_double_p1p1(&t, r);
+
+		if (slide1[i]) {
+			ge25519_p1p1_to_full(r, &t);
+			ge25519_pnielsadd_p1p1(&t, r, &pre1[abs(slide1[i]) / 2], (unsigned char)slide1[i] >> 7);
+		}
+
+		if (slide2[i]) {
+			ge25519_p1p1_to_full(r, &t);
+			ge25519_nielsadd2_p1p1(&t, r, &ge25519_niels_sliding_multiples[abs(slide2[i]) / 2], (unsigned char)slide2[i] >> 7);
+		}
+
+		ge25519_p1p1_to_partial(r, &t);
+	}
+}
+
+
+
+#if !defined(HAVE_GE25519_SCALARMULT_BASE_CHOOSE_NIELS)
+
+static uint32_t
+ge25519_windowb_equal(uint32_t b, uint32_t c) {
+	return ((b ^ c) - 1) >> 31;
+}
+
+static void
+ge25519_scalarmult_base_choose_niels(ge25519_niels *t, const uint8_t table[256][96], uint32_t pos, signed char b) {
+	bignum25519 neg;
+	uint32_t sign = (uint32_t)((unsigned char)b >> 7);
+	uint32_t mask = ~(sign - 1);
+	uint32_t u = (b + mask) ^ mask;
+	uint32_t i;
+
+	/* ysubx, xaddy, t2d in packed form. initialize to ysubx = 1, xaddy = 1, t2d = 0 */
+	uint8_t packed[96] = {0};
+	packed[0] = 1;
+	packed[32] = 1;
+
+	for (i = 0; i < 8; i++)
+		curve25519_move_conditional_bytes(packed, table[(pos * 8) + i], ge25519_windowb_equal(u, i + 1));
+
+	/* expand in to t */
+	curve25519_expand(t->ysubx, packed +  0);
+	curve25519_expand(t->xaddy, packed + 32);
+	curve25519_expand(t->t2d  , packed + 64);
+
+	/* adjust for sign */
+	curve25519_swap_conditional(t->ysubx, t->xaddy, sign);
+	curve25519_neg(neg, t->t2d);
+	curve25519_swap_conditional(t->t2d, neg, sign);
+}
+
+#endif /* HAVE_GE25519_SCALARMULT_BASE_CHOOSE_NIELS */
+
+
+/* computes [s]basepoint */
+static void
+ge25519_scalarmult_base_niels(ge25519 *r, const uint8_t basepoint_table[256][96], const bignum256modm s) {
+	signed char b[64];
+	uint32_t i;
+	ge25519_niels t;
+
+	contract256_window4_modm(b, s);
+
+	ge25519_scalarmult_base_choose_niels(&t, basepoint_table, 0, b[1]);
+	curve25519_sub_reduce(r->x, t.xaddy, t.ysubx);
+	curve25519_add_reduce(r->y, t.xaddy, t.ysubx);
+	memset(r->z, 0, sizeof(bignum25519));
+	curve25519_copy(r->t, t.t2d);
+	r->z[0] = 2;	
+	for (i = 3; i < 64; i += 2) {
+		ge25519_scalarmult_base_choose_niels(&t, basepoint_table, i / 2, b[i]);
+		ge25519_nielsadd2(r, &t);
+	}
+	ge25519_double_partial(r, r);
+	ge25519_double_partial(r, r);
+	ge25519_double_partial(r, r);
+	ge25519_double(r, r);
+	ge25519_scalarmult_base_choose_niels(&t, basepoint_table, 0, b[0]);
+	curve25519_mul(t.t2d, t.t2d, ge25519_ecd);
+	ge25519_nielsadd2(r, &t);
+	for(i = 2; i < 64; i += 2) {
+		ge25519_scalarmult_base_choose_niels(&t, basepoint_table, i / 2, b[i]);
+		ge25519_nielsadd2(r, &t);
+	}
+}
+