ed25519_blake2b 0.1.1

Files changed (61) hide show
  1. checksums.yaml +7 -0
  2. data/.gitignore +9 -0
  3. data/CODE_OF_CONDUCT.md +74 -0
  4. data/Gemfile +6 -0
  5. data/Gemfile.lock +23 -0
  6. data/LICENSE +21 -0
  7. data/README.md +39 -0
  8. data/Rakefile +13 -0
  9. data/bin/console +14 -0
  10. data/bin/setup +8 -0
  11. data/ed25519_blake2b.gemspec +31 -0
  12. data/ext/ed25519_blake2b/blake2-config.h +72 -0
  13. data/ext/ed25519_blake2b/blake2-impl.h +160 -0
  14. data/ext/ed25519_blake2b/blake2.h +195 -0
  15. data/ext/ed25519_blake2b/blake2b-load-sse2.h +68 -0
  16. data/ext/ed25519_blake2b/blake2b-load-sse41.h +402 -0
  17. data/ext/ed25519_blake2b/blake2b-ref.c +373 -0
  18. data/ext/ed25519_blake2b/blake2b-round.h +157 -0
  19. data/ext/ed25519_blake2b/curve25519-donna-32bit.h +579 -0
  20. data/ext/ed25519_blake2b/curve25519-donna-64bit.h +413 -0
  21. data/ext/ed25519_blake2b/curve25519-donna-helpers.h +67 -0
  22. data/ext/ed25519_blake2b/curve25519-donna-sse2.h +1112 -0
  23. data/ext/ed25519_blake2b/ed25519-donna-32bit-sse2.h +513 -0
  24. data/ext/ed25519_blake2b/ed25519-donna-32bit-tables.h +61 -0
  25. data/ext/ed25519_blake2b/ed25519-donna-64bit-sse2.h +436 -0
  26. data/ext/ed25519_blake2b/ed25519-donna-64bit-tables.h +53 -0
  27. data/ext/ed25519_blake2b/ed25519-donna-64bit-x86-32bit.h +435 -0
  28. data/ext/ed25519_blake2b/ed25519-donna-64bit-x86.h +351 -0
  29. data/ext/ed25519_blake2b/ed25519-donna-basepoint-table.h +259 -0
  30. data/ext/ed25519_blake2b/ed25519-donna-batchverify.h +275 -0
  31. data/ext/ed25519_blake2b/ed25519-donna-impl-base.h +364 -0
  32. data/ext/ed25519_blake2b/ed25519-donna-impl-sse2.h +390 -0
  33. data/ext/ed25519_blake2b/ed25519-donna-portable-identify.h +103 -0
  34. data/ext/ed25519_blake2b/ed25519-donna-portable.h +135 -0
  35. data/ext/ed25519_blake2b/ed25519-donna.h +115 -0
  36. data/ext/ed25519_blake2b/ed25519-hash-custom.c +28 -0
  37. data/ext/ed25519_blake2b/ed25519-hash-custom.h +30 -0
  38. data/ext/ed25519_blake2b/ed25519-hash.h +219 -0
  39. data/ext/ed25519_blake2b/ed25519-randombytes-custom.h +10 -0
  40. data/ext/ed25519_blake2b/ed25519-randombytes.h +91 -0
  41. data/ext/ed25519_blake2b/ed25519.c +150 -0
  42. data/ext/ed25519_blake2b/ed25519.h +30 -0
  43. data/ext/ed25519_blake2b/extconf.rb +3 -0
  44. data/ext/ed25519_blake2b/fuzz/README.md +173 -0
  45. data/ext/ed25519_blake2b/fuzz/build-nix.php +134 -0
  46. data/ext/ed25519_blake2b/fuzz/curve25519-ref10.c +1272 -0
  47. data/ext/ed25519_blake2b/fuzz/curve25519-ref10.h +8 -0
  48. data/ext/ed25519_blake2b/fuzz/ed25519-donna-sse2.c +3 -0
  49. data/ext/ed25519_blake2b/fuzz/ed25519-donna.c +1 -0
  50. data/ext/ed25519_blake2b/fuzz/ed25519-donna.h +34 -0
  51. data/ext/ed25519_blake2b/fuzz/ed25519-ref10.c +4647 -0
  52. data/ext/ed25519_blake2b/fuzz/ed25519-ref10.h +9 -0
  53. data/ext/ed25519_blake2b/fuzz/fuzz-curve25519.c +172 -0
  54. data/ext/ed25519_blake2b/fuzz/fuzz-ed25519.c +219 -0
  55. data/ext/ed25519_blake2b/modm-donna-32bit.h +469 -0
  56. data/ext/ed25519_blake2b/modm-donna-64bit.h +361 -0
  57. data/ext/ed25519_blake2b/rbext.c +25 -0
  58. data/ext/ed25519_blake2b/regression.h +1024 -0
  59. data/lib/ed25519_blake2b/ed25519_blake2b.rb +4 -0
  60. data/lib/ed25519_blake2b/version.rb +3 -0
  61. metadata +147 -0
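--- a/data/ext/ed25519_blake2b/ed25519-randombytes-custom.h
+++ b/data/ext/ed25519_blake2b/ed25519-randombytes-custom.h
@@ -0,0 +1,10 @@
+ /*
+ a custom randombytes must implement:
+
+ void ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len);
+
+ ed25519_randombytes_unsafe is used by the batch verification function
+ to create random scalars
+ */
+
+ void ed25519_randombytes_unsafe (void * out, size_t outlen);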
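Review bot: The declaration on the last line names `ed25519_randombytes_unsafe` directly, while the comment above it says a custom implementation must provide `ED25519_FN(ed25519_randombytes_unsafe)`; if `ED25519_SUFFIX` is ever set to something non-empty, the declared and the required names no longer match. Writing it as `void ED25519_FN(ed25519_randombytes_unsafe) (void *out, size_t outlen);` keeps the header consistent with its own contract. The header also states no requirement on the quality of the bytes, although they become the random scalars used in batch verification; a comment such as `/* must fill out with cryptographically secure random bytes; never a fixed-seed generator */` would make that explicit.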
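--- a/data/ext/ed25519_blake2b/ed25519-randombytes.h
+++ b/data/ext/ed25519_blake2b/ed25519-randombytes.h
@@ -0,0 +1,91 @@
+ #if defined(ED25519_TEST)
+ /*
+ ISAAC+ "variant", the paper is not clear on operator precedence and other
+ things. This is the "first in, first out" option!
+
+ Not threadsafe or securely initialized, only for deterministic testing
+ */
+ typedef struct isaacp_state_t {
+ uint32_t state[256];
+ unsigned char buffer[1024];
+ uint32_t a, b, c;
+ size_t left;
+ } isaacp_state;
+
+ #define isaacp_step(offset, mix) \
+ x = mm[i + offset]; \
+ a = (a ^ (mix)) + (mm[(i + offset + 128) & 0xff]); \
+ y = (a ^ b) + mm[(x >> 2) & 0xff]; \
+ mm[i + offset] = y; \
+ b = (x + a) ^ mm[(y >> 10) & 0xff]; \
+ U32TO8_LE(out + (i + offset) * 4, b);
+
+ static void
+ isaacp_mix(isaacp_state *st) {
+ uint32_t i, x, y;
+ uint32_t a = st->a, b = st->b, c = st->c;
+ uint32_t *mm = st->state;
+ unsigned char *out = st->buffer;
+
+ c = c + 1;
+ b = b + c;
+
+ for (i = 0; i < 256; i += 4) {
+ isaacp_step(0, ROTL32(a,13))
+ isaacp_step(1, ROTR32(a, 6))
+ isaacp_step(2, ROTL32(a, 2))
+ isaacp_step(3, ROTR32(a,16))
+ }
+
+ st->a = a;
+ st->b = b;
+ st->c = c;
+ st->left = 1024;
+ }
+
+ static void
+ isaacp_random(isaacp_state *st, void *p, size_t len) {
+ size_t use;
+ unsigned char *c = (unsigned char *)p;
+ while (len) {
+ use = (len > st->left) ? st->left : len;
+ memcpy(c, st->buffer + (sizeof(st->buffer) - st->left), use);
+
+ st->left -= use;
+ c += use;
+ len -= use;
+
+ if (!st->left)
+ isaacp_mix(st);
+ }
+ }
+
+ void
+ ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len) {
+ static int initialized = 0;
+ static isaacp_state rng;
+
+ if (!initialized) {
+ memset(&rng, 0, sizeof(rng));
+ isaacp_mix(&rng);
+ isaacp_mix(&rng);
+ initialized = 1;
+ }
+
+ isaacp_random(&rng, p, len);
+ }
+ #elif defined(ED25519_CUSTOMRNG)
+
+ #include "ed25519-randombytes-custom.h"
+
+ #else
+
+ #include <openssl/rand.h>
+
+ void
+ ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len) {
+
+ RAND_bytes(p, (int) len);
+
+ }
+ #endif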
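Review bot: In the default `#else` branch, `RAND_bytes(p, (int) len);` discards the return value and narrows `len` to `int`, so a failed or truncated request leaves the caller's buffer partly or wholly unfilled while the function still returns normally. The comment in ed25519-randombytes-custom.h says these bytes become the random scalars for batch verification, so a silent failure here weakens that check instead of stopping it. Because the function returns `void`, the fail-closed form is `if (len > INT_MAX || RAND_bytes(p, (int) len) != 1) abort();`, with `<limits.h>` and `<stdlib.h>` included. Separately, the `ED25519_TEST` branch starts ISAAC+ from an all-zero state and is fully predictable; a comment directly at the `#if` stating that the macro must never be defined in a shipped build would make that harder to miss.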
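--- a/data/ext/ed25519_blake2b/ed25519.c
+++ b/data/ext/ed25519_blake2b/ed25519.c
@@ -0,0 +1,150 @@
+ /*
+ Public domain by Andrew M. <liquidsun@gmail.com>
+
+ Ed25519 reference implementation using Ed25519-donna
+ */
+
+
+ /* define ED25519_SUFFIX to have it appended to the end of each public function */
+ #if !defined(ED25519_SUFFIX)
+ #define ED25519_SUFFIX
+ #endif
+
+ #define ED25519_FN3(fn,suffix) fn##suffix
+ #define ED25519_FN2(fn,suffix) ED25519_FN3(fn,suffix)
+ #define ED25519_FN(fn) ED25519_FN2(fn,ED25519_SUFFIX)
+
+ #include "ed25519-donna.h"
+ #include "ed25519.h"
+ #include "ed25519-randombytes.h"
+ #include "ed25519-hash.h"
+
+ /*
+ Generates a (extsk[0..31]) and aExt (extsk[32..63])
+ */
+
+ DONNA_INLINE static void
+ ed25519_extsk(hash_512bits extsk, const ed25519_secret_key sk) {
+ ed25519_hash(extsk, sk, 32);
+ extsk[0] &= 248;
+ extsk[31] &= 127;
+ extsk[31] |= 64;
+ }
+
+ static void
+ ed25519_hram(hash_512bits hram, const ed25519_signature RS, const ed25519_public_key pk, const unsigned char *m, size_t mlen) {
+ ed25519_hash_context ctx;
+ ed25519_hash_init(&ctx);
+ ed25519_hash_update(&ctx, RS, 32);
+ ed25519_hash_update(&ctx, pk, 32);
+ ed25519_hash_update(&ctx, m, mlen);
+ ed25519_hash_final(&ctx, hram);
+ }
+
+ void
+ ED25519_FN(ed25519_publickey) (const ed25519_secret_key sk, ed25519_public_key pk) {
+ bignum256modm a;
+ ge25519 ALIGN(16) A;
+ hash_512bits extsk;
+
+ /* A = aB */
+ ed25519_extsk(extsk, sk);
+ expand256_modm(a, extsk, 32);
+ ge25519_scalarmult_base_niels(&A, ge25519_niels_base_multiples, a);
+ ge25519_pack(pk, &A);
+ }
+
+
+ void
+ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS) {
+ ed25519_hash_context ctx;
+ bignum256modm r, S, a;
+ ge25519 ALIGN(16) R;
+ hash_512bits extsk, hashr, hram;
+
+ ed25519_extsk(extsk, sk);
+
+ /* r = H(aExt[32..64], m) */
+ ed25519_hash_init(&ctx);
+ ed25519_hash_update(&ctx, extsk + 32, 32);
+ ed25519_hash_update(&ctx, m, mlen);
+ ed25519_hash_final(&ctx, hashr);
+ expand256_modm(r, hashr, 64);
+
+ /* R = rB */
+ ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r);
+ ge25519_pack(RS, &R);
+
+ /* S = H(R,A,m).. */
+ ed25519_hram(hram, RS, pk, m, mlen);
+ expand256_modm(S, hram, 64);
+
+ /* S = H(R,A,m)a */
+ expand256_modm(a, extsk, 32);
+ mul256_modm(S, S, a);
+
+ /* S = (r + H(R,A,m)a) */
+ add256_modm(S, S, r);
+
+ /* S = (r + H(R,A,m)a) mod L */
+ contract256_modm(RS + 32, S);
+ }
+
+ int
+ ED25519_FN(ed25519_sign_open) (const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS) {
+ ge25519 ALIGN(16) R, A;
+ hash_512bits hash;
+ bignum256modm hram, S;
+ unsigned char checkR[32];
+
+ if ((RS[63] & 224) || !ge25519_unpack_negative_vartime(&A, pk))
+ return -1;
+
+ /* hram = H(R,A,m) */
+ ed25519_hram(hash, RS, pk, m, mlen);
+ expand256_modm(hram, hash, 64);
+
+ /* S */
+ expand256_modm(S, RS + 32, 32);
+
+ /* SB - H(R,A,m)A */
+ ge25519_double_scalarmult_vartime(&R, &A, hram, S);
+ ge25519_pack(checkR, &R);
+
+ /* check that R = SB - H(R,A,m)A */
+ return ed25519_verify(RS, checkR, 32) ? 0 : -1;
+ }
+
+ #include "ed25519-donna-batchverify.h"
+
+ /*
+ Fast Curve25519 basepoint scalar multiplication
+ */
+
+ void
+ ED25519_FN(curved25519_scalarmult_basepoint) (curved25519_key pk, const curved25519_key e) {
+ curved25519_key ec;
+ bignum256modm s;
+ bignum25519 ALIGN(16) yplusz, zminusy;
+ ge25519 ALIGN(16) p;
+ size_t i;
+
+ /* clamp */
+ for (i = 0; i < 32; i++) ec[i] = e[i];
+ ec[0] &= 248;
+ ec[31] &= 127;
+ ec[31] |= 64;
+
+ expand_raw256_modm(s, ec);
+
+ /* scalar * basepoint */
+ ge25519_scalarmult_base_niels(&p, ge25519_niels_base_multiples, s);
+
+ /* u = (y + z) / (z - y) */
+ curve25519_add(yplusz, p.y, p.z);
+ curve25519_sub(zminusy, p.z, p.y);
+ curve25519_recip(zminusy, zminusy);
+ curve25519_mul(yplusz, yplusz, zminusy);
+ curve25519_contract(pk, yplusz);
+ }
+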
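Review bot: `ed25519_sign` hashes the caller-supplied `pk` into H(R,A,m) without checking that it belongs to `sk`; because `r` depends only on `sk` and `m`, signing under a mismatched `pk` is a known way for this style of API to leak the secret scalar. Deriving the key inside the function closes that gap, `ed25519_public_key own_pk; ED25519_FN(ed25519_publickey)(sk, own_pk);` followed by `ed25519_hram(hram, RS, own_pk, m, mlen);`, at the cost of one extra base-point multiplication; if that cost is not acceptable, the requirement needs to be stated in a comment on the function. In addition, `extsk`, `hashr`, `r` and `a` in `ed25519_sign`, and `extsk` and `a` in `ed25519_publickey`, stay on the stack after return; since the build uses `-std=c99`, a wipe through a `volatile unsigned char *` loop before returning is the portable way to keep the compiler from eliding it. On the verify side, `ed25519_sign_open` rejects `S` only when the top three bits of `RS[63]` are set, so whether a non-canonical `S` is accepted depends on `expand256_modm`, which is not shown on this page and is worth confirming if callers rely on signature uniqueness.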
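--- a/data/ext/ed25519_blake2b/ed25519.h
+++ b/data/ext/ed25519_blake2b/ed25519.h
@@ -0,0 +1,30 @@
+ #ifndef ED25519_H
+ #define ED25519_H
+
+ #include <stdlib.h>
+
+ #if defined(__cplusplus)
+ extern "C" {
+ #endif
+
+ typedef unsigned char ed25519_signature[64];
+ typedef unsigned char ed25519_public_key[32];
+ typedef unsigned char ed25519_secret_key[32];
+
+ typedef unsigned char curved25519_key[32];
+
+ void ed25519_publickey(const ed25519_secret_key sk, ed25519_public_key pk);
+ int ed25519_sign_open(const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS);
+ void ed25519_sign(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS);
+
+ int ed25519_sign_open_batch(const unsigned char **m, size_t *mlen, const unsigned char **pk, const unsigned char **RS, size_t num, int *valid);
+
+ void ed25519_randombytes_unsafe(void *out, size_t count);
+
+ void curved25519_scalarmult_basepoint(curved25519_key pk, const curved25519_key e);
+
+ #if defined(__cplusplus)
+ }
+ #endif
+
+ #endif // ED25519_H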
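Review bot: The prototype for `ed25519_sign_open` gives no hint that it returns 0 for a valid signature and -1 otherwise (ed25519.c ends the function with `return ed25519_verify(RS, checkR, 32) ? 0 : -1;`), so a caller who tests the result as a boolean inverts the check and accepts invalid signatures. A comment above the declaration, `/* returns 0 if the signature is valid, -1 if it is not; do not test the result as a boolean */`, removes the ambiguity. `ed25519_sign_open_batch` has the same gap: its return value and the meaning of the `valid` array are undocumented here, and its implementation is not shown on this page. The declaration of `ed25519_sign` should also say that `pk` must be the key produced by `ed25519_publickey` for the same `sk`.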
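--- a/data/ext/ed25519_blake2b/extconf.rb
+++ b/data/ext/ed25519_blake2b/extconf.rb
@@ -0,0 +1,3 @@
+ require 'mkmf'
+ $CFLAGS += ' -DED25519_CUSTOMHASH -Wall -Wextra -std=c99 -pedantic -Wno-long-long -Wunused-parameter'
+ create_makefile('ed25519_blake2b')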
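Review bot: Only `-DED25519_CUSTOMHASH` is defined on the `$CFLAGS` line, so ed25519-randombytes.h takes its `#else` branch and needs `<openssl/rand.h>` and `RAND_bytes`, yet nothing here probes for the header or links libcrypto. On a host without the OpenSSL development files the build fails partway through compilation, and where the header exists but the library is not linked the symbol is presumably left to resolve at load time. Adding `abort 'OpenSSL (libcrypto) is required' unless have_header('openssl/rand.h') && have_library('crypto', 'RAND_bytes')` before `create_makefile` makes the dependency explicit and fails early with a clear message. If the intent was to avoid OpenSSL altogether, define `-DED25519_CUSTOMRNG` and ship a definition for the function declared in ed25519-randombytes-custom.h.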
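--- a/data/ext/ed25519_blake2b/fuzz/README.md
+++ b/data/ext/ed25519_blake2b/fuzz/README.md
@@ -0,0 +1,173 @@
+ This code fuzzes ed25519-donna (and optionally ed25519-donna-sse2) against the ref10 implementations of
+ [curve25519](https://github.com/floodyberry/supercop/tree/master/crypto_scalarmult/curve25519/ref10) and
+ [ed25519](https://github.com/floodyberry/supercop/tree/master/crypto_sign/ed25519/ref10).
+
+ Curve25519 tests that generating a public key from a secret key
+
+ # Building
+
+ ## *nix + PHP
+
+ `php build-nix.php (required parameters) (optional parameters)`
+
+ Required parameters:
+
+ * `--function=[curve25519,ed25519]`
+ * `--bits=[32,64]`
+
+ Optional parameters:
+
+ * `--with-sse2`
+
+ Also fuzz against ed25519-donna-sse2
+ * `--with-openssl`
+
+ Build with OpenSSL's SHA-512.
+
+ Default: Reference SHA-512 implementation (slow!)
+
+ * `--compiler=[gcc,clang,icc]`
+
+ Default: gcc
+
+ * `--no-asm`
+
+ Do not use platform specific assembler
+
+
+ example:
+
+ php build-nix.php --bits=64 --function=ed25519 --with-sse2 --compiler=icc
+
+ ## Windows
+
+ Create a project with access to the ed25519 files.
+
+ If you are not using OpenSSL, add the `ED25519_REFHASH` define to the projects
+ "Properties/Preprocessor/Preprocessor Definitions" option
+
+ Add the following files to the project:
+
+ * `fuzz/curve25519-ref10.c`
+ * `fuzz/ed25519-ref10.c`
+ * `fuzz/ed25519-donna.c`
+ * `fuzz/ed25519-donna-sse2.c` (optional)
+ * `fuzz-[curve25519/ed25519].c` (depending on which you want to fuzz)
+
+ If you are also fuzzing against ed25519-donna-sse2, add the `ED25519_SSE2` define for `fuzz-[curve25519/ed25519].c` under
+ its "Properties/Preprocessor/Preprocessor Definitions" option.
+
+ # Running
+
+ If everything agrees, the program will only output occasional status dots (every 0x1000 passes)
+ and a 64bit progress count (every 0x20000 passes):
+
+ fuzzing: ref10 curved25519 curved25519-sse2
+
+ ................................ [0000000000020000]
+ ................................ [0000000000040000]
+ ................................ [0000000000060000]
+ ................................ [0000000000080000]
+ ................................ [00000000000a0000]
+ ................................ [00000000000c0000]
+
+ If any of the implementations do not agree with the ref10 implementation, the program will dump
+ the random data that was used, the data generated by the ref10 implementation, and diffs of the
+ ed25519-donna data against the ref10 data.
+
+ ## Example errors
+
+ These are example error dumps (with intentionally introduced errors).
+
+ ### Ed25519
+
+ Random data:
+
+ * sk, or Secret Key
+ * m, or Message
+
+ Generated data:
+
+ * pk, or Public Key
+ * sig, or Signature
+ * valid, or if the signature of the message is valid with the public key
+
+ Dump:
+
+ sk:
+ 0x3b,0xb7,0x17,0x7a,0x66,0xdc,0xb7,0x9a,0x90,0x25,0x07,0x99,0x96,0xf3,0x92,0xef,
+ 0x78,0xf8,0xad,0x6c,0x35,0x87,0x81,0x67,0x03,0xe6,0x95,0xba,0x06,0x18,0x7c,0x9c,
+
+ m:
+ 0x7c,0x8d,0x3d,0xe1,0x92,0xee,0x7a,0xb8,0x4d,0xc9,0xfb,0x02,0x34,0x1e,0x5a,0x91,
+ 0xee,0x01,0xa6,0xb8,0xab,0x37,0x3f,0x3d,0x6d,0xa2,0x47,0xe3,0x27,0x93,0x7c,0xb7,
+ 0x77,0x07,0xb6,0x88,0x41,0x22,0xf3,0x3f,0xce,0xcb,0x6b,0x3e,0x2b,0x23,0x68,0x7f,
+ 0x5b,0xb9,0xda,0x04,0xbb,0xae,0x42,0x50,0xf5,0xe9,0xc5,0x11,0xbd,0x52,0x76,0x98,
+ 0xf1,0x87,0x09,0xb9,0x89,0x0a,0x52,0x69,0x01,0xce,0xe0,0x4a,0xa6,0x46,0x5a,0xe1,
+ 0x63,0x14,0xe0,0x81,0x52,0xec,0xcd,0xcf,0x70,0x54,0x7d,0xa3,0x49,0x8b,0xf0,0x89,
+ 0x70,0x07,0x12,0x2a,0xd9,0xaa,0x16,0x01,0xb2,0x16,0x3a,0xbb,0xfc,0xfa,0x13,0x5b,
+ 0x69,0x83,0x92,0x70,0x95,0x76,0xa0,0x8e,0x16,0x79,0xcc,0xaa,0xb5,0x7c,0xf8,0x7a,
+
+ ref10:
+ pk:
+ 0x71,0xb0,0x5e,0x62,0x1b,0xe3,0xe7,0x36,0x91,0x8b,0xc0,0x13,0x36,0x0c,0xc9,0x04,
+ 0x16,0xf5,0xff,0x48,0x0c,0x83,0x6b,0x88,0x53,0xa2,0xc6,0x0f,0xf7,0xac,0x42,0x04,
+
+ sig:
+ 0x3e,0x05,0xc5,0x37,0x16,0x0b,0x29,0x30,0x89,0xa3,0xe7,0x83,0x08,0x16,0xdd,0x96,
+ 0x02,0xfa,0x0d,0x44,0x2c,0x43,0xaa,0x80,0x93,0x04,0x58,0x22,0x09,0xbf,0x11,0xa5,
+ 0xcc,0xa5,0x3c,0x9f,0xa0,0xa4,0x64,0x5a,0x4a,0xdb,0x20,0xfb,0xc7,0x9b,0xfd,0x3f,
+ 0x08,0xae,0xc4,0x3c,0x1e,0xd8,0xb6,0xb4,0xd2,0x6d,0x80,0x92,0xcb,0x71,0xf3,0x02,
+
+ valid: yes
+
+ ed25519-donna:
+ pk diff:
+ ____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,
+ ____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,
+
+ sig diff:
+ 0x2c,0xb9,0x25,0x14,0xd0,0x94,0xeb,0xfe,0x46,0x02,0xc2,0xe8,0xa3,0xeb,0xbf,0xb5,
+ 0x72,0x84,0xbf,0xc1,0x8a,0x32,0x30,0x99,0xf7,0x58,0xfe,0x06,0xa8,0xdc,0xdc,0xab,
+ 0xb5,0x57,0x03,0x33,0x87,0xce,0x54,0x55,0x6a,0x69,0x8a,0xc4,0xb7,0x2a,0xed,0x97,
+ 0xb4,0x68,0xe7,0x52,0x7a,0x07,0x55,0x3b,0xa2,0x94,0xd6,0x5e,0xa1,0x61,0x80,0x08,
+
+ valid: no
+
+ In this case, the generated public key matches, but the generated signature is completely
+ different and does not validate.
+
+ ### Curve25519
+
+ Random data:
+
+ * sk, or Secret Key
+
+ Generated data:
+
+ * pk, or Public Key
+
+ Dump:
+
+ sk:
+ 0x44,0xec,0x0b,0x0e,0xa2,0x0e,0x9c,0x5b,0x8c,0xce,0x7b,0x1d,0x68,0xae,0x0f,0x9e,
+ 0x81,0xe2,0x04,0x76,0xda,0x87,0xa4,0x9e,0xc9,0x4f,0x3b,0xf9,0xc3,0x89,0x63,0x70,
+
+
+ ref10:
+ 0x24,0x55,0x55,0xc0,0xf9,0x80,0xaf,0x02,0x43,0xee,0x8c,0x7f,0xc1,0xad,0x90,0x95,
+ 0x57,0x91,0x14,0x2e,0xf2,0x14,0x22,0x80,0xdd,0x4e,0x3c,0x85,0x71,0x84,0x8c,0x62,
+
+
+ curved25519 diff:
+ 0x12,0xd1,0x61,0x2b,0x16,0xb3,0xd8,0x29,0xf8,0xa3,0xba,0x70,0x4e,0x49,0x4f,0x43,
+ 0xa1,0x3c,0x6b,0x42,0x11,0x61,0xcc,0x30,0x87,0x73,0x46,0xfb,0x85,0xc7,0x9a,0x35,
+
+
+ curved25519-sse2 diff:
+ ____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,
+ ____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,
+
+
+ In this case, curved25519 is totally wrong, while curved25519-sse2 matches the reference
+ implementation.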