ed25519_blake2b 0.1.1

data/ext/ed25519_blake2b/fuzz/ed25519-ref10.h

@@ -0,0 +1,9 @@
+#ifndef ED25519_REF10_H
+#define ED25519_REF10_H
+
+int crypto_sign_pk_ref10(unsigned char *pk,unsigned char *sk);
+int crypto_sign_ref10(unsigned char *sm,unsigned long long *smlen,const unsigned char *m,unsigned long long mlen,const unsigned char *sk);
+int crypto_sign_open_ref10(unsigned char *m,unsigned long long *mlen,const unsigned char *sm,unsigned long long smlen,const unsigned char *pk);
+
+#endif /* ED25519_REF10_H */
+

data/ext/ed25519_blake2b/fuzz/fuzz-curve25519.c

@@ -0,0 +1,172 @@
+#if defined(_WIN32)
+	#include <windows.h>
+	#include <wincrypt.h>
+	typedef unsigned int uint32_t;
+	typedef unsigned __int64 uint64_t;
+#else
+	#include <stdint.h>
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "ed25519-donna.h"
+#include "curve25519-ref10.h"
+
+static void
+print_diff(const char *desc, const unsigned char *a, const unsigned char *b, size_t len) {
+	size_t p = 0;
+	unsigned char diff;
+	printf("%s diff:\n", desc);
+	while (len--) {
+		diff = *a++ ^ *b++;
+		if (!diff)
+			printf("____,");
+		else
+			printf("0x%02x,", diff);
+		if ((++p & 15) == 0)
+			printf("\n");
+	}
+	printf("\n\n");
+}
+
+static void
+print_bytes(const char *desc, const unsigned char *bytes, size_t len) {
+	size_t p = 0;
+	printf("%s:\n", desc);
+	while (len--) {
+		printf("0x%02x,", *bytes++);
+		if ((++p & 15) == 0)
+			printf("\n");
+	}
+	printf("\n\n");
+}
+
+
+/* chacha20/12 prng */
+void
+prng(unsigned char *out, size_t bytes) {
+	static uint32_t state[16];
+	static int init = 0;
+	uint32_t x[16], t;
+	size_t i;
+
+	if (!init) {
+	#if defined(_WIN32)
+		HCRYPTPROV csp;
+		if (!CryptAcquireContext(&csp, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
+			printf("CryptAcquireContext failed\n");
+			exit(1);
+		}
+		if (!CryptGenRandom(csp, (DWORD)sizeof(state), (BYTE*)state)) {
+			printf("CryptGenRandom failed\n");
+			exit(1);
+		}
+		CryptReleaseContext(csp, 0);
+	#else
+		FILE *f = NULL;
+		f = fopen("/dev/urandom", "rb");
+		if (!f) {
+			printf("failed to open /dev/urandom\n");
+			exit(1);
+		}
+		if (fread(state, sizeof(state), 1, f) != 1) {
+			printf("read error on /dev/urandom\n");
+			exit(1);
+		}
+	#endif
+		init = 1;
+	}
+
+	while (bytes) {
+		for (i = 0; i < 16; i++) x[i] = state[i];
+
+		#define rotl32(x,k) ((x << k) | (x >> (32 - k)))
+		#define quarter(a,b,c,d) \
+			x[a] += x[b]; t = x[d]^x[a]; x[d] = rotl32(t,16); \
+			x[c] += x[d]; t = x[b]^x[c]; x[b] = rotl32(t,12); \
+			x[a] += x[b]; t = x[d]^x[a]; x[d] = rotl32(t, 8); \
+			x[c] += x[d]; t = x[b]^x[c]; x[b] = rotl32(t, 7);
+
+		for (i = 0; i < 12; i += 2) {
+			quarter( 0, 4, 8,12)
+			quarter( 1, 5, 9,13)
+			quarter( 2, 6,10,14)
+			quarter( 3, 7,11,15)
+			quarter( 0, 5,10,15)
+			quarter( 1, 6,11,12)
+			quarter( 2, 7, 8,13)
+			quarter( 3, 4, 9,14)
+		};
+
+		if (bytes <= 64) {
+			memcpy(out, x, bytes);
+			bytes = 0;
+		} else {
+			memcpy(out, x, 64);
+			bytes -= 64;
+			out += 64;
+		}
+
+		/* don't need a nonce, so last 4 words are the counter. 2^136 bytes can be generated */
+		if (!++state[12]) if (!++state[13]) if (!++state[14]) ++state[15];
+	}
+}
+
+
+
+int main() {
+	const size_t skmax = 1024;
+	static unsigned char sk[1024][32];
+	unsigned char pk[3][32];
+	unsigned char *skp;
+	size_t ski, pki, i;
+	uint64_t ctr;
+
+	printf("fuzzing: ");
+	printf(" ref10");
+	printf(" curved25519");
+#if defined(ED25519_SSE2)
+	printf(" curved25519-sse2");
+#endif
+	printf("\n\n");
+
+	for (ctr = 0, ski = skmax;;ctr++) {
+		if (ski == skmax) {
+			prng((unsigned char *)sk, sizeof(sk));
+			ski = 0;
+		}
+		skp = sk[ski++];
+
+		pki = 0;
+		crypto_scalarmult_base_ref10(pk[pki++], skp);
+		curved25519_scalarmult_basepoint(pk[pki++],  skp);
+		#if defined(ED25519_SSE2)
+			curved25519_scalarmult_basepoint_sse2(pk[pki++], skp);
+		#endif
+
+		for (i = 1; i < pki; i++) {
+			if (memcmp(pk[0], pk[i], 32) != 0) {
+				printf("\n\n");
+				print_bytes("sk",  skp, 32);
+				print_bytes("ref10", pk[0], 32);
+				print_diff("curved25519", pk[0], pk[1], 32);
+				#if defined(ED25519_SSE2)
+					print_diff("curved25519-sse2", pk[0], pk[2], 32);
+				#endif
+				exit(1);
+			}
+		}
+
+		if (ctr && (ctr % 0x1000 == 0)) {
+			printf(".");
+			if ((ctr % 0x20000) == 0) {
+				printf(" [");
+				for (i = 0; i < 8; i++)
+					printf("%02x", (unsigned char)(ctr >> ((7 - i) * 8)));
+				printf("]\n");
+			}
+		}
+	}
+}
+

data/ext/ed25519_blake2b/fuzz/fuzz-ed25519.c

@@ -0,0 +1,219 @@
+#if defined(_WIN32)
+	#include <windows.h>
+	#include <wincrypt.h>
+	typedef unsigned int uint32_t;
+#else
+	#include <stdint.h>
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "ed25519-donna.h"
+#include "ed25519-ref10.h"
+
+static void
+print_diff(const char *desc, const unsigned char *a, const unsigned char *b, size_t len) {
+	size_t p = 0;
+	unsigned char diff;
+	printf("%s diff:\n", desc);
+	while (len--) {
+		diff = *a++ ^ *b++;
+		if (!diff)
+			printf("____,");
+		else
+			printf("0x%02x,", diff);
+		if ((++p & 15) == 0)
+			printf("\n");
+	}
+	printf("\n");
+}
+
+static void
+print_bytes(const char *desc, const unsigned char *bytes, size_t len) {
+	size_t p = 0;
+	printf("%s:\n", desc);
+	while (len--) {
+		printf("0x%02x,", *bytes++);
+		if ((++p & 15) == 0)
+			printf("\n");
+	}
+	printf("\n");
+}
+
+
+/* chacha20/12 prng */
+void
+prng(unsigned char *out, size_t bytes) {
+	static uint32_t state[16];
+	static int init = 0;
+	uint32_t x[16], t;
+	size_t i;
+
+	if (!init) {
+	#if defined(_WIN32)
+		HCRYPTPROV csp = NULL;
+		if (!CryptAcquireContext(&csp, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
+			printf("CryptAcquireContext failed\n");
+			exit(1);
+		}
+		if (!CryptGenRandom(csp, (DWORD)sizeof(state), (BYTE*)state)) {
+			printf("CryptGenRandom failed\n");
+			exit(1);
+		}
+		CryptReleaseContext(csp, 0);
+	#else
+		FILE *f = NULL;
+		f = fopen("/dev/urandom", "rb");
+		if (!f) {
+			printf("failed to open /dev/urandom\n");
+			exit(1);
+		}
+		if (fread(state, sizeof(state), 1, f) != 1) {
+			printf("read error on /dev/urandom\n");
+			exit(1);
+		}
+	#endif
+		init = 1;
+	}
+
+	while (bytes) {
+		for (i = 0; i < 16; i++) x[i] = state[i];
+
+		#define rotl32(x,k) ((x << k) | (x >> (32 - k)))
+		#define quarter(a,b,c,d) \
+			x[a] += x[b]; t = x[d]^x[a]; x[d] = rotl32(t,16); \
+			x[c] += x[d]; t = x[b]^x[c]; x[b] = rotl32(t,12); \
+			x[a] += x[b]; t = x[d]^x[a]; x[d] = rotl32(t, 8); \
+			x[c] += x[d]; t = x[b]^x[c]; x[b] = rotl32(t, 7);
+
+		for (i = 0; i < 12; i += 2) {
+			quarter( 0, 4, 8,12)
+			quarter( 1, 5, 9,13)
+			quarter( 2, 6,10,14)
+			quarter( 3, 7,11,15)
+			quarter( 0, 5,10,15)
+			quarter( 1, 6,11,12)
+			quarter( 2, 7, 8,13)
+			quarter( 3, 4, 9,14)
+		};
+
+		if (bytes <= 64) {
+			memcpy(out, x, bytes);
+			bytes = 0;
+		} else {
+			memcpy(out, x, 64);
+			bytes -= 64;
+			out += 64;
+		}
+
+		/* don't need a nonce, so last 4 words are the counter. 2^136 bytes can be generated */
+		if (!++state[12]) if (!++state[13]) if (!++state[14]) ++state[15];
+	}
+}
+
+typedef struct random_data_t {
+	unsigned char sk[32];
+	unsigned char m[128];
+} random_data;
+
+typedef struct generated_data_t {
+	unsigned char pk[32];
+	unsigned char sig[64];
+	int valid;
+} generated_data;
+
+static void
+print_generated(const char *desc, generated_data *g) {
+	printf("%s:\n", desc);
+	print_bytes("pk", g->pk, 32);
+	print_bytes("sig", g->sig, 64);
+	printf("valid: %s\n\n", g->valid ? "no" : "yes");
+}
+
+static void
+print_generated_diff(const char *desc, const generated_data *base, generated_data *g) {
+	printf("%s:\n", desc);
+	print_diff("pk", base->pk, g->pk, 32);
+	print_diff("sig", base->sig, g->sig, 64);
+	printf("valid: %s\n\n", (base->valid == g->valid) ? "___" : (g->valid ? "no" : "yes"));
+}
+
+int main() {
+	const size_t rndmax = 128;
+	static random_data rnd[128];
+	static generated_data gen[3];
+	random_data *r;
+	generated_data *g;
+	unsigned long long dummylen;
+	unsigned char dummysk[64];
+	unsigned char dummymsg[2][128+64];
+	size_t rndi, geni, i, j;
+	uint64_t ctr;
+
+	printf("fuzzing: ");
+	printf(" ref10");
+	printf(" ed25519-donna");
+#if defined(ED25519_SSE2)
+	printf(" ed25519-donna-sse2");
+#endif
+	printf("\n\n");
+
+	for (ctr = 0, rndi = rndmax;;ctr++) {
+		if (rndi == rndmax) {
+			prng((unsigned char *)rnd, sizeof(rnd));
+			rndi = 0;
+		}
+		r = &rnd[rndi++];
+
+		/* ref10, lots of horrible gymnastics to work around the wonky api */
+		geni = 0;
+		g = &gen[geni++];
+		memcpy(dummysk, r->sk, 32); /* pk is appended to the sk, need to copy the sk to a larger buffer */
+		crypto_sign_pk_ref10(dummysk + 32, dummysk);
+		memcpy(g->pk, dummysk + 32, 32); 
+		crypto_sign_ref10(dummymsg[0], &dummylen, r->m, 128, dummysk);
+		memcpy(g->sig, dummymsg[0], 64); /* sig is placed in front of the signed message */
+		g->valid = crypto_sign_open_ref10(dummymsg[1], &dummylen, dummymsg[0], 128 + 64, g->pk);
+
+		/* ed25519-donna */
+		g = &gen[geni++];
+		ed25519_publickey(r->sk, g->pk);
+		ed25519_sign(r->m, 128, r->sk, g->pk, g->sig);
+		g->valid = ed25519_sign_open(r->m, 128, g->pk, g->sig);
+
+		#if defined(ED25519_SSE2)
+			/* ed25519-donna-sse2 */
+			g = &gen[geni++];
+			ed25519_publickey_sse2(r->sk, g->pk);
+			ed25519_sign_sse2(r->m, 128, r->sk, g->pk, g->sig);
+			g->valid = ed25519_sign_open_sse2(r->m, 128, g->pk, g->sig);
+		#endif
+
+		/* compare implementations 1..geni against the reference */
+		for (i = 1; i < geni; i++) {
+			if (memcmp(&gen[0], &gen[i], sizeof(generated_data)) != 0) {
+				printf("\n\n");
+				print_bytes("sk", r->sk, 32);
+				print_bytes("m", r->m, 128);
+				print_generated("ref10", &gen[0]);
+				print_generated_diff("ed25519-donna", &gen[0], &gen[1]);
+				#if defined(ED25519_SSE2)
+					print_generated_diff("ed25519-donna-sse2", &gen[0], &gen[2]);
+				#endif
+				exit(1);
+			}
+		}
+
+		/* print out status */
+		if (ctr && (ctr % 0x1000 == 0)) {
+			printf(".");
+			if ((ctr % 0x20000) == 0) {
+				printf(" [");
+				for (i = 0; i < 8; i++)
+					printf("%02x", (unsigned char)(ctr >> ((7 - i) * 8)));
+				printf("]\n");
+			}
+		}
+	}
+}

data/ext/ed25519_blake2b/modm-donna-32bit.h

@@ -0,0 +1,469 @@
+/*
+	Public domain by Andrew M. <liquidsun@gmail.com>
+*/
+
+
+/*
+	Arithmetic modulo the group order n = 2^252 +  27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989
+
+	k = 32
+	b = 1 << 8 = 256
+	m = 2^252 + 27742317777372353535851937790883648493 = 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed
+	mu = floor( b^(k*2) / m ) = 0xfffffffffffffffffffffffffffffffeb2106215d086329a7ed9ce5a30a2c131b
+*/
+
+#define bignum256modm_bits_per_limb 30
+#define bignum256modm_limb_size 9
+
+typedef uint32_t bignum256modm_element_t;
+typedef bignum256modm_element_t bignum256modm[9];
+
+static const bignum256modm modm_m = {
+	0x1cf5d3ed, 0x20498c69, 0x2f79cd65, 0x37be77a8,
+	0x00000014,	0x00000000, 0x00000000,	0x00000000,
+	0x00001000
+};
+
+static const bignum256modm modm_mu = {
+	0x0a2c131b, 0x3673968c, 0x06329a7e, 0x01885742,
+	0x3fffeb21, 0x3fffffff, 0x3fffffff, 0x3fffffff,
+	0x000fffff
+};
+
+static bignum256modm_element_t
+lt_modm(bignum256modm_element_t a, bignum256modm_element_t b) {
+	return (a - b) >> 31;
+}
+
+/* see HAC, Alg. 14.42 Step 4 */
+static void
+reduce256_modm(bignum256modm r) {
+	bignum256modm t;
+	bignum256modm_element_t b = 0, pb, mask;
+
+	/* t = r - m */
+	pb = 0;
+	pb += modm_m[0]; b = lt_modm(r[0], pb); t[0] = (r[0] - pb + (b << 30)); pb = b;
+	pb += modm_m[1]; b = lt_modm(r[1], pb); t[1] = (r[1] - pb + (b << 30)); pb = b;
+	pb += modm_m[2]; b = lt_modm(r[2], pb); t[2] = (r[2] - pb + (b << 30)); pb = b;
+	pb += modm_m[3]; b = lt_modm(r[3], pb); t[3] = (r[3] - pb + (b << 30)); pb = b;
+	pb += modm_m[4]; b = lt_modm(r[4], pb); t[4] = (r[4] - pb + (b << 30)); pb = b;
+	pb += modm_m[5]; b = lt_modm(r[5], pb); t[5] = (r[5] - pb + (b << 30)); pb = b;
+	pb += modm_m[6]; b = lt_modm(r[6], pb); t[6] = (r[6] - pb + (b << 30)); pb = b;
+	pb += modm_m[7]; b = lt_modm(r[7], pb); t[7] = (r[7] - pb + (b << 30)); pb = b;
+	pb += modm_m[8]; b = lt_modm(r[8], pb); t[8] = (r[8] - pb + (b << 16));
+
+	/* keep r if r was smaller than m */
+	mask = b - 1;
+	r[0] ^= mask & (r[0] ^ t[0]);
+	r[1] ^= mask & (r[1] ^ t[1]);
+	r[2] ^= mask & (r[2] ^ t[2]);
+	r[3] ^= mask & (r[3] ^ t[3]);
+	r[4] ^= mask & (r[4] ^ t[4]);
+	r[5] ^= mask & (r[5] ^ t[5]);
+	r[6] ^= mask & (r[6] ^ t[6]);
+	r[7] ^= mask & (r[7] ^ t[7]);
+	r[8] ^= mask & (r[8] ^ t[8]);
+}
+
+/*
+	Barrett reduction,  see HAC, Alg. 14.42
+
+	Instead of passing in x, pre-process in to q1 and r1 for efficiency
+*/
+static void
+barrett_reduce256_modm(bignum256modm r, const bignum256modm q1, const bignum256modm r1) {
+	bignum256modm q3, r2;
+	uint64_t c;
+	bignum256modm_element_t f, b, pb;
+
+	/* q1 = x >> 248 = 264 bits = 9 30 bit elements
+	   q2 = mu * q1
+	   q3 = (q2 / 256(32+1)) = q2 / (2^8)^(32+1) = q2 >> 264 */
+	c  = mul32x32_64(modm_mu[0], q1[7]) + mul32x32_64(modm_mu[1], q1[6]) + mul32x32_64(modm_mu[2], q1[5]) + mul32x32_64(modm_mu[3], q1[4]) + mul32x32_64(modm_mu[4], q1[3]) + mul32x32_64(modm_mu[5], q1[2]) + mul32x32_64(modm_mu[6], q1[1]) + mul32x32_64(modm_mu[7], q1[0]); 
+	c >>= 30;
+	c += mul32x32_64(modm_mu[0], q1[8]) + mul32x32_64(modm_mu[1], q1[7]) + mul32x32_64(modm_mu[2], q1[6]) + mul32x32_64(modm_mu[3], q1[5]) + mul32x32_64(modm_mu[4], q1[4]) + mul32x32_64(modm_mu[5], q1[3]) + mul32x32_64(modm_mu[6], q1[2]) + mul32x32_64(modm_mu[7], q1[1]) + mul32x32_64(modm_mu[8], q1[0]);
+	f = (bignum256modm_element_t)c; q3[0] = (f >> 24) & 0x3f; c >>= 30;
+	c += mul32x32_64(modm_mu[1], q1[8]) + mul32x32_64(modm_mu[2], q1[7]) + mul32x32_64(modm_mu[3], q1[6]) + mul32x32_64(modm_mu[4], q1[5]) + mul32x32_64(modm_mu[5], q1[4]) + mul32x32_64(modm_mu[6], q1[3]) + mul32x32_64(modm_mu[7], q1[2]) + mul32x32_64(modm_mu[8], q1[1]);
+	f = (bignum256modm_element_t)c; q3[0] |= (f << 6) & 0x3fffffff; q3[1] = (f >> 24) & 0x3f; c >>= 30;
+	c += mul32x32_64(modm_mu[2], q1[8]) + mul32x32_64(modm_mu[3], q1[7]) + mul32x32_64(modm_mu[4], q1[6]) + mul32x32_64(modm_mu[5], q1[5]) + mul32x32_64(modm_mu[6], q1[4]) + mul32x32_64(modm_mu[7], q1[3]) + mul32x32_64(modm_mu[8], q1[2]);
+	f = (bignum256modm_element_t)c; q3[1] |= (f << 6) & 0x3fffffff; q3[2] = (f >> 24) & 0x3f; c >>= 30;
+	c += mul32x32_64(modm_mu[3], q1[8]) + mul32x32_64(modm_mu[4], q1[7]) + mul32x32_64(modm_mu[5], q1[6]) + mul32x32_64(modm_mu[6], q1[5]) + mul32x32_64(modm_mu[7], q1[4]) + mul32x32_64(modm_mu[8], q1[3]);
+	f = (bignum256modm_element_t)c; q3[2] |= (f << 6) & 0x3fffffff; q3[3] = (f >> 24) & 0x3f; c >>= 30;
+	c += mul32x32_64(modm_mu[4], q1[8]) + mul32x32_64(modm_mu[5], q1[7]) + mul32x32_64(modm_mu[6], q1[6]) + mul32x32_64(modm_mu[7], q1[5]) + mul32x32_64(modm_mu[8], q1[4]);
+	f = (bignum256modm_element_t)c; q3[3] |= (f << 6) & 0x3fffffff; q3[4] = (f >> 24) & 0x3f; c >>= 30;
+	c += mul32x32_64(modm_mu[5], q1[8]) + mul32x32_64(modm_mu[6], q1[7]) + mul32x32_64(modm_mu[7], q1[6]) + mul32x32_64(modm_mu[8], q1[5]);
+	f = (bignum256modm_element_t)c; q3[4] |= (f << 6) & 0x3fffffff; q3[5] = (f >> 24) & 0x3f; c >>= 30;
+	c += mul32x32_64(modm_mu[6], q1[8]) + mul32x32_64(modm_mu[7], q1[7]) + mul32x32_64(modm_mu[8], q1[6]);
+	f = (bignum256modm_element_t)c; q3[5] |= (f << 6) & 0x3fffffff; q3[6] = (f >> 24) & 0x3f; c >>= 30;
+	c += mul32x32_64(modm_mu[7], q1[8]) + mul32x32_64(modm_mu[8], q1[7]);
+	f = (bignum256modm_element_t)c; q3[6] |= (f << 6) & 0x3fffffff; q3[7] = (f >> 24) & 0x3f; c >>= 30;
+	c += mul32x32_64(modm_mu[8], q1[8]);
+	f = (bignum256modm_element_t)c; q3[7] |= (f << 6) & 0x3fffffff; q3[8] = (bignum256modm_element_t)(c >> 24);
+
+	/* r1 = (x mod 256^(32+1)) = x mod (2^8)(31+1) = x & ((1 << 264) - 1)
+	   r2 = (q3 * m) mod (256^(32+1)) = (q3 * m) & ((1 << 264) - 1) */
+	c = mul32x32_64(modm_m[0], q3[0]);
+	r2[0] = (bignum256modm_element_t)(c & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(modm_m[0], q3[1]) + mul32x32_64(modm_m[1], q3[0]);
+	r2[1] = (bignum256modm_element_t)(c & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(modm_m[0], q3[2]) + mul32x32_64(modm_m[1], q3[1]) + mul32x32_64(modm_m[2], q3[0]);
+	r2[2] = (bignum256modm_element_t)(c & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(modm_m[0], q3[3]) + mul32x32_64(modm_m[1], q3[2]) + mul32x32_64(modm_m[2], q3[1]) + mul32x32_64(modm_m[3], q3[0]);
+	r2[3] = (bignum256modm_element_t)(c & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(modm_m[0], q3[4]) + mul32x32_64(modm_m[1], q3[3]) + mul32x32_64(modm_m[2], q3[2]) + mul32x32_64(modm_m[3], q3[1]) + mul32x32_64(modm_m[4], q3[0]);
+	r2[4] = (bignum256modm_element_t)(c & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(modm_m[0], q3[5]) + mul32x32_64(modm_m[1], q3[4]) + mul32x32_64(modm_m[2], q3[3]) + mul32x32_64(modm_m[3], q3[2]) + mul32x32_64(modm_m[4], q3[1]) + mul32x32_64(modm_m[5], q3[0]);
+	r2[5] = (bignum256modm_element_t)(c & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(modm_m[0], q3[6]) + mul32x32_64(modm_m[1], q3[5]) + mul32x32_64(modm_m[2], q3[4]) + mul32x32_64(modm_m[3], q3[3]) + mul32x32_64(modm_m[4], q3[2]) + mul32x32_64(modm_m[5], q3[1]) + mul32x32_64(modm_m[6], q3[0]);
+	r2[6] = (bignum256modm_element_t)(c & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(modm_m[0], q3[7]) + mul32x32_64(modm_m[1], q3[6]) + mul32x32_64(modm_m[2], q3[5]) + mul32x32_64(modm_m[3], q3[4]) + mul32x32_64(modm_m[4], q3[3]) + mul32x32_64(modm_m[5], q3[2]) + mul32x32_64(modm_m[6], q3[1]) + mul32x32_64(modm_m[7], q3[0]);
+	r2[7] = (bignum256modm_element_t)(c & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(modm_m[0], q3[8]) + mul32x32_64(modm_m[1], q3[7]) + mul32x32_64(modm_m[2], q3[6]) + mul32x32_64(modm_m[3], q3[5]) + mul32x32_64(modm_m[4], q3[4]) + mul32x32_64(modm_m[5], q3[3]) + mul32x32_64(modm_m[6], q3[2]) + mul32x32_64(modm_m[7], q3[1]) + mul32x32_64(modm_m[8], q3[0]);
+	r2[8] = (bignum256modm_element_t)(c & 0xffffff);
+
+	/* r = r1 - r2
+	   if (r < 0) r += (1 << 264) */
+	pb = 0;
+	pb += r2[0]; b = lt_modm(r1[0], pb); r[0] = (r1[0] - pb + (b << 30)); pb = b;
+	pb += r2[1]; b = lt_modm(r1[1], pb); r[1] = (r1[1] - pb + (b << 30)); pb = b;
+	pb += r2[2]; b = lt_modm(r1[2], pb); r[2] = (r1[2] - pb + (b << 30)); pb = b;
+	pb += r2[3]; b = lt_modm(r1[3], pb); r[3] = (r1[3] - pb + (b << 30)); pb = b;
+	pb += r2[4]; b = lt_modm(r1[4], pb); r[4] = (r1[4] - pb + (b << 30)); pb = b;
+	pb += r2[5]; b = lt_modm(r1[5], pb); r[5] = (r1[5] - pb + (b << 30)); pb = b;
+	pb += r2[6]; b = lt_modm(r1[6], pb); r[6] = (r1[6] - pb + (b << 30)); pb = b;
+	pb += r2[7]; b = lt_modm(r1[7], pb); r[7] = (r1[7] - pb + (b << 30)); pb = b;
+	pb += r2[8]; b = lt_modm(r1[8], pb); r[8] = (r1[8] - pb + (b << 24));
+
+	reduce256_modm(r);
+	reduce256_modm(r);
+}
+
+/* addition modulo m */
+static void
+add256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) {
+	bignum256modm_element_t c;
+
+	c  = x[0] + y[0]; r[0] = c & 0x3fffffff; c >>= 30;
+	c += x[1] + y[1]; r[1] = c & 0x3fffffff; c >>= 30;
+	c += x[2] + y[2]; r[2] = c & 0x3fffffff; c >>= 30;
+	c += x[3] + y[3]; r[3] = c & 0x3fffffff; c >>= 30;
+	c += x[4] + y[4]; r[4] = c & 0x3fffffff; c >>= 30;
+	c += x[5] + y[5]; r[5] = c & 0x3fffffff; c >>= 30;
+	c += x[6] + y[6]; r[6] = c & 0x3fffffff; c >>= 30;
+	c += x[7] + y[7]; r[7] = c & 0x3fffffff; c >>= 30;
+	c += x[8] + y[8]; r[8] = c;
+
+	reduce256_modm(r);
+}
+
+/* multiplication modulo m */
+static void 
+mul256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) {
+	bignum256modm r1, q1;
+	uint64_t c;
+	bignum256modm_element_t f;
+
+	/* r1 = (x mod 256^(32+1)) = x mod (2^8)(31+1) = x & ((1 << 264) - 1)
+	   q1 = x >> 248 = 264 bits = 9 30 bit elements */
+	c = mul32x32_64(x[0], y[0]);
+	f = (bignum256modm_element_t)c; r1[0] = (f & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(x[0], y[1]) + mul32x32_64(x[1], y[0]);
+	f = (bignum256modm_element_t)c; r1[1] = (f & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(x[0], y[2]) + mul32x32_64(x[1], y[1]) + mul32x32_64(x[2], y[0]);
+	f = (bignum256modm_element_t)c; r1[2] = (f & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(x[0], y[3]) + mul32x32_64(x[1], y[2]) + mul32x32_64(x[2], y[1]) + mul32x32_64(x[3], y[0]);
+	f = (bignum256modm_element_t)c; r1[3] = (f & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(x[0], y[4]) + mul32x32_64(x[1], y[3]) + mul32x32_64(x[2], y[2]) + mul32x32_64(x[3], y[1]) + mul32x32_64(x[4], y[0]);
+	f = (bignum256modm_element_t)c; r1[4] = (f & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(x[0], y[5]) + mul32x32_64(x[1], y[4]) + mul32x32_64(x[2], y[3]) + mul32x32_64(x[3], y[2]) + mul32x32_64(x[4], y[1]) + mul32x32_64(x[5], y[0]);
+	f = (bignum256modm_element_t)c; r1[5] = (f & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(x[0], y[6]) + mul32x32_64(x[1], y[5]) + mul32x32_64(x[2], y[4]) + mul32x32_64(x[3], y[3]) + mul32x32_64(x[4], y[2]) + mul32x32_64(x[5], y[1]) + mul32x32_64(x[6], y[0]);
+	f = (bignum256modm_element_t)c; r1[6] = (f & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(x[0], y[7]) + mul32x32_64(x[1], y[6]) + mul32x32_64(x[2], y[5]) + mul32x32_64(x[3], y[4]) + mul32x32_64(x[4], y[3]) + mul32x32_64(x[5], y[2]) + mul32x32_64(x[6], y[1]) + mul32x32_64(x[7], y[0]);
+	f = (bignum256modm_element_t)c; r1[7] = (f & 0x3fffffff); c >>= 30;
+	c += mul32x32_64(x[0], y[8]) + mul32x32_64(x[1], y[7]) + mul32x32_64(x[2], y[6]) + mul32x32_64(x[3], y[5]) + mul32x32_64(x[4], y[4]) + mul32x32_64(x[5], y[3]) + mul32x32_64(x[6], y[2]) + mul32x32_64(x[7], y[1]) + mul32x32_64(x[8], y[0]);
+	f = (bignum256modm_element_t)c; r1[8] = (f & 0x00ffffff); q1[0] = (f >> 8) & 0x3fffff; c >>= 30;
+	c += mul32x32_64(x[1], y[8]) + mul32x32_64(x[2], y[7]) + mul32x32_64(x[3], y[6]) + mul32x32_64(x[4], y[5]) + mul32x32_64(x[5], y[4]) + mul32x32_64(x[6], y[3]) + mul32x32_64(x[7], y[2]) + mul32x32_64(x[8], y[1]);
+	f = (bignum256modm_element_t)c; q1[0] = (q1[0] | (f << 22)) & 0x3fffffff; q1[1] = (f >> 8) & 0x3fffff; c >>= 30;	
+	c += mul32x32_64(x[2], y[8]) + mul32x32_64(x[3], y[7]) + mul32x32_64(x[4], y[6]) + mul32x32_64(x[5], y[5]) + mul32x32_64(x[6], y[4]) + mul32x32_64(x[7], y[3]) + mul32x32_64(x[8], y[2]);
+	f = (bignum256modm_element_t)c; q1[1] = (q1[1] | (f << 22)) & 0x3fffffff; q1[2] = (f >> 8) & 0x3fffff; c >>= 30;	
+	c += mul32x32_64(x[3], y[8]) + mul32x32_64(x[4], y[7]) + mul32x32_64(x[5], y[6]) + mul32x32_64(x[6], y[5]) + mul32x32_64(x[7], y[4]) + mul32x32_64(x[8], y[3]);
+	f = (bignum256modm_element_t)c; q1[2] = (q1[2] | (f << 22)) & 0x3fffffff; q1[3] = (f >> 8) & 0x3fffff; c >>= 30;	
+	c += mul32x32_64(x[4], y[8]) + mul32x32_64(x[5], y[7]) + mul32x32_64(x[6], y[6]) + mul32x32_64(x[7], y[5]) + mul32x32_64(x[8], y[4]);
+	f = (bignum256modm_element_t)c; q1[3] = (q1[3] | (f << 22)) & 0x3fffffff; q1[4] = (f >> 8) & 0x3fffff; c >>= 30;	
+	c += mul32x32_64(x[5], y[8]) + mul32x32_64(x[6], y[7]) + mul32x32_64(x[7], y[6]) + mul32x32_64(x[8], y[5]);
+	f = (bignum256modm_element_t)c; q1[4] = (q1[4] | (f << 22)) & 0x3fffffff; q1[5] = (f >> 8) & 0x3fffff; c >>= 30;
+	c += mul32x32_64(x[6], y[8]) + mul32x32_64(x[7], y[7]) + mul32x32_64(x[8], y[6]);
+	f = (bignum256modm_element_t)c; q1[5] = (q1[5] | (f << 22)) & 0x3fffffff; q1[6] = (f >> 8) & 0x3fffff; c >>= 30;
+	c += mul32x32_64(x[7], y[8]) + mul32x32_64(x[8], y[7]);
+	f = (bignum256modm_element_t)c; q1[6] = (q1[6] | (f << 22)) & 0x3fffffff; q1[7] = (f >> 8) & 0x3fffff; c >>= 30;
+	c += mul32x32_64(x[8], y[8]);
+	f = (bignum256modm_element_t)c; q1[7] = (q1[7] | (f << 22)) & 0x3fffffff; q1[8] = (f >> 8) & 0x3fffff;
+
+	barrett_reduce256_modm(r, q1, r1);
+}
+
+static void
+expand256_modm(bignum256modm out, const unsigned char *in, size_t len) {
+	unsigned char work[64] = {0};
+	bignum256modm_element_t x[16];
+	bignum256modm q1;
+
+	memcpy(work, in, len);
+	x[0] = U8TO32_LE(work +  0);
+	x[1] = U8TO32_LE(work +  4);
+	x[2] = U8TO32_LE(work +  8);
+	x[3] = U8TO32_LE(work + 12);
+	x[4] = U8TO32_LE(work + 16);
+	x[5] = U8TO32_LE(work + 20);
+	x[6] = U8TO32_LE(work + 24);
+	x[7] = U8TO32_LE(work + 28);
+	x[8] = U8TO32_LE(work + 32);
+	x[9] = U8TO32_LE(work + 36);
+	x[10] = U8TO32_LE(work + 40);
+	x[11] = U8TO32_LE(work + 44);
+	x[12] = U8TO32_LE(work + 48);
+	x[13] = U8TO32_LE(work + 52);
+	x[14] = U8TO32_LE(work + 56);
+	x[15] = U8TO32_LE(work + 60);
+
+	/* r1 = (x mod 256^(32+1)) = x mod (2^8)(31+1) = x & ((1 << 264) - 1) */
+	out[0] = (                         x[0]) & 0x3fffffff;
+	out[1] = ((x[ 0] >> 30) | (x[ 1] <<  2)) & 0x3fffffff;
+	out[2] = ((x[ 1] >> 28) | (x[ 2] <<  4)) & 0x3fffffff;
+	out[3] = ((x[ 2] >> 26) | (x[ 3] <<  6)) & 0x3fffffff;
+	out[4] = ((x[ 3] >> 24) | (x[ 4] <<  8)) & 0x3fffffff;
+	out[5] = ((x[ 4] >> 22) | (x[ 5] << 10)) & 0x3fffffff;
+	out[6] = ((x[ 5] >> 20) | (x[ 6] << 12)) & 0x3fffffff;
+	out[7] = ((x[ 6] >> 18) | (x[ 7] << 14)) & 0x3fffffff;
+	out[8] = ((x[ 7] >> 16) | (x[ 8] << 16)) & 0x00ffffff;
+
+	/* 8*31 = 248 bits, no need to reduce */
+	if (len < 32)
+		return;
+
+	/* q1 = x >> 248 = 264 bits = 9 30 bit elements */
+	q1[0] = ((x[ 7] >> 24) | (x[ 8] <<  8)) & 0x3fffffff;
+	q1[1] = ((x[ 8] >> 22) | (x[ 9] << 10)) & 0x3fffffff;
+	q1[2] = ((x[ 9] >> 20) | (x[10] << 12)) & 0x3fffffff;
+	q1[3] = ((x[10] >> 18) | (x[11] << 14)) & 0x3fffffff;
+	q1[4] = ((x[11] >> 16) | (x[12] << 16)) & 0x3fffffff;
+	q1[5] = ((x[12] >> 14) | (x[13] << 18)) & 0x3fffffff;
+	q1[6] = ((x[13] >> 12) | (x[14] << 20)) & 0x3fffffff;
+	q1[7] = ((x[14] >> 10) | (x[15] << 22)) & 0x3fffffff;
+	q1[8] = ((x[15] >>  8)                );	
+
+	barrett_reduce256_modm(out, q1, out);
+}
+
+static void
+expand_raw256_modm(bignum256modm out, const unsigned char in[32]) {
+	bignum256modm_element_t x[8];
+
+	x[0] = U8TO32_LE(in +  0);
+	x[1] = U8TO32_LE(in +  4);
+	x[2] = U8TO32_LE(in +  8);
+	x[3] = U8TO32_LE(in + 12);
+	x[4] = U8TO32_LE(in + 16);
+	x[5] = U8TO32_LE(in + 20);
+	x[6] = U8TO32_LE(in + 24);
+	x[7] = U8TO32_LE(in + 28);
+
+	out[0] = (                         x[0]) & 0x3fffffff;
+	out[1] = ((x[ 0] >> 30) | (x[ 1] <<  2)) & 0x3fffffff;
+	out[2] = ((x[ 1] >> 28) | (x[ 2] <<  4)) & 0x3fffffff;
+	out[3] = ((x[ 2] >> 26) | (x[ 3] <<  6)) & 0x3fffffff;
+	out[4] = ((x[ 3] >> 24) | (x[ 4] <<  8)) & 0x3fffffff;
+	out[5] = ((x[ 4] >> 22) | (x[ 5] << 10)) & 0x3fffffff;
+	out[6] = ((x[ 5] >> 20) | (x[ 6] << 12)) & 0x3fffffff;
+	out[7] = ((x[ 6] >> 18) | (x[ 7] << 14)) & 0x3fffffff;
+	out[8] = ((x[ 7] >> 16)                ) & 0x0000ffff;
+}
+
+static void
+contract256_modm(unsigned char out[32], const bignum256modm in) {
+	U32TO8_LE(out +  0, (in[0]      ) | (in[1] << 30));
+	U32TO8_LE(out +  4, (in[1] >>  2) | (in[2] << 28));
+	U32TO8_LE(out +  8, (in[2] >>  4) | (in[3] << 26));
+	U32TO8_LE(out + 12, (in[3] >>  6) | (in[4] << 24));
+	U32TO8_LE(out + 16, (in[4] >>  8) | (in[5] << 22));
+	U32TO8_LE(out + 20, (in[5] >> 10) | (in[6] << 20));
+	U32TO8_LE(out + 24, (in[6] >> 12) | (in[7] << 18));
+	U32TO8_LE(out + 28, (in[7] >> 14) | (in[8] << 16));
+}
+
+
+
+static void
+contract256_window4_modm(signed char r[64], const bignum256modm in) {
+	char carry;
+	signed char *quads = r;
+	bignum256modm_element_t i, j, v;
+
+	for (i = 0; i < 8; i += 2) {
+		v = in[i];
+		for (j = 0; j < 7; j++) {
+			*quads++ = (v & 15);
+			v >>= 4;
+		}
+		v |= (in[i+1] << 2);
+		for (j = 0; j < 8; j++) {
+			*quads++ = (v & 15);
+			v >>= 4;
+		}
+	}
+	v = in[8];
+	*quads++ = (v & 15); v >>= 4;
+	*quads++ = (v & 15); v >>= 4;
+	*quads++ = (v & 15); v >>= 4;
+	*quads++ = (v & 15); v >>= 4;
+
+	/* making it signed */
+	carry = 0;
+	for(i = 0; i < 63; i++) {
+		r[i] += carry;
+		r[i+1] += (r[i] >> 4);
+		r[i] &= 15;
+		carry = (r[i] >> 3);
+		r[i] -= (carry << 4);
+	}
+	r[63] += carry;
+}
+
+static void
+contract256_slidingwindow_modm(signed char r[256], const bignum256modm s, int windowsize) {
+	int i,j,k,b;
+	int m = (1 << (windowsize - 1)) - 1, soplen = 256;
+	signed char *bits = r;
+	bignum256modm_element_t v;
+
+	/* first put the binary expansion into r  */
+	for (i = 0; i < 8; i++) {
+		v = s[i];
+		for (j = 0; j < 30; j++, v >>= 1)
+			*bits++ = (v & 1);
+	}
+	v = s[8];
+	for (j = 0; j < 16; j++, v >>= 1)
+		*bits++ = (v & 1);
+
+	/* Making it sliding window */
+	for (j = 0; j < soplen; j++) {
+		if (!r[j])
+			continue;
+
+		for (b = 1; (b < (soplen - j)) && (b <= 6); b++) {
+			if ((r[j] + (r[j + b] << b)) <= m) {
+				r[j] += r[j + b] << b;
+				r[j + b] = 0;
+			} else if ((r[j] - (r[j + b] << b)) >= -m) {
+				r[j] -= r[j + b] << b;
+				for (k = j + b; k < soplen; k++) {
+					if (!r[k]) {
+						r[k] = 1;
+						break;
+					}
+					r[k] = 0;
+				}
+			} else if (r[j + b]) {
+				break;
+			}
+		}
+	}
+}
+
+
+/*
+	helpers for batch verifcation, are allowed to be vartime
+*/
+
+/* out = a - b, a must be larger than b */
+static void
+sub256_modm_batch(bignum256modm out, const bignum256modm a, const bignum256modm b, size_t limbsize) {
+	size_t i = 0;
+	bignum256modm_element_t carry = 0;
+	switch (limbsize) {
+		case 8: out[i] = (a[i] - b[i]) - carry; carry = (out[i] >> 31); out[i] &= 0x3fffffff; i++;
+		case 7: out[i] = (a[i] - b[i]) - carry; carry = (out[i] >> 31); out[i] &= 0x3fffffff; i++;
+		case 6: out[i] = (a[i] - b[i]) - carry; carry = (out[i] >> 31); out[i] &= 0x3fffffff; i++;
+		case 5: out[i] = (a[i] - b[i]) - carry; carry = (out[i] >> 31); out[i] &= 0x3fffffff; i++;
+		case 4: out[i] = (a[i] - b[i]) - carry; carry = (out[i] >> 31); out[i] &= 0x3fffffff; i++;
+		case 3: out[i] = (a[i] - b[i]) - carry; carry = (out[i] >> 31); out[i] &= 0x3fffffff; i++;
+		case 2: out[i] = (a[i] - b[i]) - carry; carry = (out[i] >> 31); out[i] &= 0x3fffffff; i++;
+		case 1: out[i] = (a[i] - b[i]) - carry; carry = (out[i] >> 31); out[i] &= 0x3fffffff; i++;
+		case 0: 
+		default: out[i] = (a[i] - b[i]) - carry;
+	}
+}
+
+
+/* is a < b */
+static int
+lt256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) {
+	switch (limbsize) {
+		case 8: if (a[8] > b[8]) return 0; if (a[8] < b[8]) return 1;
+		case 7: if (a[7] > b[7]) return 0; if (a[7] < b[7]) return 1;
+		case 6: if (a[6] > b[6]) return 0; if (a[6] < b[6]) return 1;
+		case 5: if (a[5] > b[5]) return 0; if (a[5] < b[5]) return 1;
+		case 4: if (a[4] > b[4]) return 0; if (a[4] < b[4]) return 1;
+		case 3: if (a[3] > b[3]) return 0; if (a[3] < b[3]) return 1;
+		case 2: if (a[2] > b[2]) return 0; if (a[2] < b[2]) return 1;
+		case 1: if (a[1] > b[1]) return 0; if (a[1] < b[1]) return 1;
+		case 0: if (a[0] > b[0]) return 0; if (a[0] < b[0]) return 1;
+	}
+	return 0;
+}
+
+/* is a <= b */
+static int
+lte256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) {
+	switch (limbsize) {
+		case 8: if (a[8] > b[8]) return 0; if (a[8] < b[8]) return 1;
+		case 7: if (a[7] > b[7]) return 0; if (a[7] < b[7]) return 1;
+		case 6: if (a[6] > b[6]) return 0; if (a[6] < b[6]) return 1;
+		case 5: if (a[5] > b[5]) return 0; if (a[5] < b[5]) return 1;
+		case 4: if (a[4] > b[4]) return 0; if (a[4] < b[4]) return 1;
+		case 3: if (a[3] > b[3]) return 0; if (a[3] < b[3]) return 1;
+		case 2: if (a[2] > b[2]) return 0; if (a[2] < b[2]) return 1;
+		case 1: if (a[1] > b[1]) return 0; if (a[1] < b[1]) return 1;
+		case 0: if (a[0] > b[0]) return 0; if (a[0] < b[0]) return 1;
+	}
+	return 1;
+}
+
+
+/* is a == 0 */
+static int
+iszero256_modm_batch(const bignum256modm a) {
+	size_t i;
+	for (i = 0; i < 9; i++)
+		if (a[i])
+			return 0;
+	return 1;
+}
+
+/* is a == 1 */
+static int
+isone256_modm_batch(const bignum256modm a) {
+	size_t i;
+	if (a[0] != 1)
+		return 0;
+	for (i = 1; i < 9; i++)
+		if (a[i])
+			return 0;
+	return 1;
+}
+
+/* can a fit in to (at most) 128 bits */
+static int
+isatmost128bits256_modm_batch(const bignum256modm a) {
+	uint32_t mask =
+		((a[8]             )  | /*  16 */
+		 (a[7]             )  | /*  46 */
+		 (a[6]             )  | /*  76 */
+		 (a[5]             )  | /* 106 */
+		 (a[4] & 0x3fffff00));  /* 128 */
+
+	return (mask == 0);
+}