rbnacl-libsodium 0.4.5a

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sc_reduce.c

@@ -0,0 +1,275 @@
+#include "sc.h"
+#include "crypto_int64.h"
+#include "crypto_uint32.h"
+#include "crypto_uint64.h"
+
+static crypto_uint64 load_3(const unsigned char *in)
+{
+  crypto_uint64 result;
+  result = (crypto_uint64) in[0];
+  result |= ((crypto_uint64) in[1]) << 8;
+  result |= ((crypto_uint64) in[2]) << 16;
+  return result;
+}
+
+static crypto_uint64 load_4(const unsigned char *in)
+{
+  crypto_uint64 result;
+  result = (crypto_uint64) in[0];
+  result |= ((crypto_uint64) in[1]) << 8;
+  result |= ((crypto_uint64) in[2]) << 16;
+  result |= ((crypto_uint64) in[3]) << 24;
+  return result;
+}
+
+/*
+Input:
+  s[0]+256*s[1]+...+256^63*s[63] = s
+
+Output:
+  s[0]+256*s[1]+...+256^31*s[31] = s mod l
+  where l = 2^252 + 27742317777372353535851937790883648493.
+  Overwrites s in place.
+*/
+
+void sc_reduce(unsigned char *s)
+{
+  crypto_int64 s0 = 2097151 & load_3(s);
+  crypto_int64 s1 = 2097151 & (load_4(s + 2) >> 5);
+  crypto_int64 s2 = 2097151 & (load_3(s + 5) >> 2);
+  crypto_int64 s3 = 2097151 & (load_4(s + 7) >> 7);
+  crypto_int64 s4 = 2097151 & (load_4(s + 10) >> 4);
+  crypto_int64 s5 = 2097151 & (load_3(s + 13) >> 1);
+  crypto_int64 s6 = 2097151 & (load_4(s + 15) >> 6);
+  crypto_int64 s7 = 2097151 & (load_3(s + 18) >> 3);
+  crypto_int64 s8 = 2097151 & load_3(s + 21);
+  crypto_int64 s9 = 2097151 & (load_4(s + 23) >> 5);
+  crypto_int64 s10 = 2097151 & (load_3(s + 26) >> 2);
+  crypto_int64 s11 = 2097151 & (load_4(s + 28) >> 7);
+  crypto_int64 s12 = 2097151 & (load_4(s + 31) >> 4);
+  crypto_int64 s13 = 2097151 & (load_3(s + 34) >> 1);
+  crypto_int64 s14 = 2097151 & (load_4(s + 36) >> 6);
+  crypto_int64 s15 = 2097151 & (load_3(s + 39) >> 3);
+  crypto_int64 s16 = 2097151 & load_3(s + 42);
+  crypto_int64 s17 = 2097151 & (load_4(s + 44) >> 5);
+  crypto_int64 s18 = 2097151 & (load_3(s + 47) >> 2);
+  crypto_int64 s19 = 2097151 & (load_4(s + 49) >> 7);
+  crypto_int64 s20 = 2097151 & (load_4(s + 52) >> 4);
+  crypto_int64 s21 = 2097151 & (load_3(s + 55) >> 1);
+  crypto_int64 s22 = 2097151 & (load_4(s + 57) >> 6);
+  crypto_int64 s23 = (load_4(s + 60) >> 3);
+  crypto_int64 carry0;
+  crypto_int64 carry1;
+  crypto_int64 carry2;
+  crypto_int64 carry3;
+  crypto_int64 carry4;
+  crypto_int64 carry5;
+  crypto_int64 carry6;
+  crypto_int64 carry7;
+  crypto_int64 carry8;
+  crypto_int64 carry9;
+  crypto_int64 carry10;
+  crypto_int64 carry11;
+  crypto_int64 carry12;
+  crypto_int64 carry13;
+  crypto_int64 carry14;
+  crypto_int64 carry15;
+  crypto_int64 carry16;
+
+  s11 += s23 * 666643;
+  s12 += s23 * 470296;
+  s13 += s23 * 654183;
+  s14 -= s23 * 997805;
+  s15 += s23 * 136657;
+  s16 -= s23 * 683901;
+
+
+  s10 += s22 * 666643;
+  s11 += s22 * 470296;
+  s12 += s22 * 654183;
+  s13 -= s22 * 997805;
+  s14 += s22 * 136657;
+  s15 -= s22 * 683901;
+
+
+  s9 += s21 * 666643;
+  s10 += s21 * 470296;
+  s11 += s21 * 654183;
+  s12 -= s21 * 997805;
+  s13 += s21 * 136657;
+  s14 -= s21 * 683901;
+
+
+  s8 += s20 * 666643;
+  s9 += s20 * 470296;
+  s10 += s20 * 654183;
+  s11 -= s20 * 997805;
+  s12 += s20 * 136657;
+  s13 -= s20 * 683901;
+
+
+  s7 += s19 * 666643;
+  s8 += s19 * 470296;
+  s9 += s19 * 654183;
+  s10 -= s19 * 997805;
+  s11 += s19 * 136657;
+  s12 -= s19 * 683901;
+
+
+  s6 += s18 * 666643;
+  s7 += s18 * 470296;
+  s8 += s18 * 654183;
+  s9 -= s18 * 997805;
+  s10 += s18 * 136657;
+  s11 -= s18 * 683901;
+
+
+  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
+  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
+  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
+  carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
+  carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
+  carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
+
+  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
+  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
+  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
+  carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
+  carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21;
+
+  s5 += s17 * 666643;
+  s6 += s17 * 470296;
+  s7 += s17 * 654183;
+  s8 -= s17 * 997805;
+  s9 += s17 * 136657;
+  s10 -= s17 * 683901;
+
+
+  s4 += s16 * 666643;
+  s5 += s16 * 470296;
+  s6 += s16 * 654183;
+  s7 -= s16 * 997805;
+  s8 += s16 * 136657;
+  s9 -= s16 * 683901;
+
+
+  s3 += s15 * 666643;
+  s4 += s15 * 470296;
+  s5 += s15 * 654183;
+  s6 -= s15 * 997805;
+  s7 += s15 * 136657;
+  s8 -= s15 * 683901;
+
+
+  s2 += s14 * 666643;
+  s3 += s14 * 470296;
+  s4 += s14 * 654183;
+  s5 -= s14 * 997805;
+  s6 += s14 * 136657;
+  s7 -= s14 * 683901;
+
+
+  s1 += s13 * 666643;
+  s2 += s13 * 470296;
+  s3 += s13 * 654183;
+  s4 -= s13 * 997805;
+  s5 += s13 * 136657;
+  s6 -= s13 * 683901;
+
+
+  s0 += s12 * 666643;
+  s1 += s12 * 470296;
+  s2 += s12 * 654183;
+  s3 -= s12 * 997805;
+  s4 += s12 * 136657;
+  s5 -= s12 * 683901;
+  s12 = 0;
+
+  carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
+  carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
+  carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
+  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
+  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
+  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
+
+  carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
+  carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
+  carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
+  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
+  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
+  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
+
+  s0 += s12 * 666643;
+  s1 += s12 * 470296;
+  s2 += s12 * 654183;
+  s3 -= s12 * 997805;
+  s4 += s12 * 136657;
+  s5 -= s12 * 683901;
+  s12 = 0;
+
+  carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
+  carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
+  carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
+  carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
+  carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
+  carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
+  carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
+  carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
+  carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
+  carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
+  carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;
+  carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21;
+
+  s0 += s12 * 666643;
+  s1 += s12 * 470296;
+  s2 += s12 * 654183;
+  s3 -= s12 * 997805;
+  s4 += s12 * 136657;
+  s5 -= s12 * 683901;
+
+
+  carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
+  carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
+  carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
+  carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
+  carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
+  carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
+  carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
+  carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
+  carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
+  carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
+  carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;
+
+  s[0] = s0 >> 0;
+  s[1] = s0 >> 8;
+  s[2] = (s0 >> 16) | (s1 << 5);
+  s[3] = s1 >> 3;
+  s[4] = s1 >> 11;
+  s[5] = (s1 >> 19) | (s2 << 2);
+  s[6] = s2 >> 6;
+  s[7] = (s2 >> 14) | (s3 << 7);
+  s[8] = s3 >> 1;
+  s[9] = s3 >> 9;
+  s[10] = (s3 >> 17) | (s4 << 4);
+  s[11] = s4 >> 4;
+  s[12] = s4 >> 12;
+  s[13] = (s4 >> 20) | (s5 << 1);
+  s[14] = s5 >> 7;
+  s[15] = (s5 >> 15) | (s6 << 6);
+  s[16] = s6 >> 2;
+  s[17] = s6 >> 10;
+  s[18] = (s6 >> 18) | (s7 << 3);
+  s[19] = s7 >> 5;
+  s[20] = s7 >> 13;
+  s[21] = s8 >> 0;
+  s[22] = s8 >> 8;
+  s[23] = (s8 >> 16) | (s9 << 5);
+  s[24] = s9 >> 3;
+  s[25] = s9 >> 11;
+  s[26] = (s9 >> 19) | (s10 << 2);
+  s[27] = s10 >> 6;
+  s[28] = (s10 >> 14) | (s11 << 7);
+  s[29] = s11 >> 1;
+  s[30] = s11 >> 9;
+  s[31] = s11 >> 17;
+}

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sign.c

@@ -0,0 +1,38 @@
+#include "api.h"
+#include "crypto_hash_sha512.h"
+#include "ge.h"
+#include "sc.h"
+
+int crypto_sign(
+  unsigned char *sm,unsigned long long *smlen,
+  const unsigned char *m,unsigned long long mlen,
+  const unsigned char *sk
+)
+{
+  unsigned char az[64];
+  unsigned char r[64];
+  unsigned char hram[64];
+  ge_p3 R;
+  unsigned long long i;
+
+  crypto_hash_sha512(az,sk,32);
+  az[0] &= 248;
+  az[31] &= 63;
+  az[31] |= 64;
+
+  *smlen = mlen + 64;
+  for (i = 0;i < mlen;++i) sm[64 + i] = m[i];
+  for (i = 0;i < 32;++i) sm[32 + i] = az[32 + i];
+  crypto_hash_sha512(r,sm + 32,mlen + 32);
+  for (i = 0;i < 32;++i) sm[32 + i] = sk[32 + i];
+
+  sc_reduce(r);
+  ge_scalarmult_base(&R,r);
+  ge_p3_tobytes(sm,&R);
+
+  crypto_hash_sha512(hram,sm,mlen + 64);
+  sc_reduce(hram);
+  sc_muladd(sm + 32,hram,az,r);
+
+  return 0;
+}

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sqrtm1.h

@@ -0,0 +1 @@
+-32595792,-7943725,9377950,3500415,12389472,-272473,-25146209,-2005654,326686,11406482

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c

@@ -0,0 +1,26 @@
+#include "crypto_sign_ed25519.h"
+
+size_t
+crypto_sign_ed25519_bytes(void) {
+    return crypto_sign_ed25519_BYTES;
+}
+
+size_t
+crypto_sign_ed25519_seedbytes(void) {
+    return crypto_sign_ed25519_SEEDBYTES;
+}
+
+size_t
+crypto_sign_ed25519_publickeybytes(void) {
+    return crypto_sign_ed25519_PUBLICKEYBYTES;
+}
+
+size_t
+crypto_sign_ed25519_secretkeybytes(void) {
+    return crypto_sign_ed25519_SECRETKEYBYTES;
+}
+
+const char *
+crypto_sign_ed25519_primitive(void) {
+    return "ed25519";
+}

data/vendor/libsodium/src/libsodium/crypto_sign/edwards25519sha512batch/ref/api.h

@@ -0,0 +1,13 @@
+
+#include "crypto_sign_edwards25519sha512batch.h"
+
+#define crypto_sign crypto_sign_edwards25519sha512batch
+#define crypto_sign_open crypto_sign_edwards25519sha512batch_open
+#define crypto_sign_keypair crypto_sign_edwards25519sha512batch_keypair
+#define crypto_sign_BYTES crypto_sign_edwards25519sha512batch_BYTES
+#define crypto_sign_PUBLICKEYBYTES crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES
+#define crypto_sign_SECRETKEYBYTES crypto_sign_edwards25519sha512batch_SECRETKEYBYTES
+#define crypto_sign_PRIMITIVE "edwards25519sha512batch"
+#define crypto_sign_IMPLEMENTATION crypto_sign_edwards25519sha512batch_IMPLEMENTATION
+#define crypto_sign_VERSION crypto_sign_edwards25519sha512batch_VERSION
+

data/vendor/libsodium/src/libsodium/crypto_sign/edwards25519sha512batch/ref/fe25519.h

@@ -0,0 +1,54 @@
+#ifndef FE25519_H
+#define FE25519_H
+
+#define fe25519 crypto_sign_edwards25519sha512batch_fe25519
+#define fe25519_unpack crypto_sign_edwards25519sha512batch_fe25519_unpack
+#define fe25519_pack crypto_sign_edwards25519sha512batch_fe25519_pack
+#define fe25519_cmov crypto_sign_edwards25519sha512batch_fe25519_cmov
+#define fe25519_setone crypto_sign_edwards25519sha512batch_fe25519_setone
+#define fe25519_setzero crypto_sign_edwards25519sha512batch_fe25519_setzero
+#define fe25519_neg crypto_sign_edwards25519sha512batch_fe25519_neg
+#define fe25519_getparity crypto_sign_edwards25519sha512batch_fe25519_getparity
+#define fe25519_add crypto_sign_edwards25519sha512batch_fe25519_add
+#define fe25519_sub crypto_sign_edwards25519sha512batch_fe25519_sub
+#define fe25519_mul crypto_sign_edwards25519sha512batch_fe25519_mul
+#define fe25519_square crypto_sign_edwards25519sha512batch_fe25519_square
+#define fe25519_pow crypto_sign_edwards25519sha512batch_fe25519_pow
+#define fe25519_sqrt_vartime crypto_sign_edwards25519sha512batch_fe25519_sqrt_vartime
+#define fe25519_invert crypto_sign_edwards25519sha512batch_fe25519_invert
+
+#include "crypto_uint32.h"
+
+typedef struct {
+  crypto_uint32 v[32];
+} fe25519;
+
+void fe25519_unpack(fe25519 *r, const unsigned char x[32]);
+
+void fe25519_pack(unsigned char r[32], const fe25519 *x);
+
+void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b);
+
+void fe25519_setone(fe25519 *r);
+
+void fe25519_setzero(fe25519 *r);
+
+void fe25519_neg(fe25519 *r, const fe25519 *x);
+
+unsigned char fe25519_getparity(const fe25519 *x);
+
+void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y);
+
+void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y);
+
+void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y);
+
+void fe25519_square(fe25519 *r, const fe25519 *x);
+
+void fe25519_pow(fe25519 *r, const fe25519 *x, const unsigned char *e);
+
+int fe25519_sqrt_vartime(fe25519 *r, const fe25519 *x, unsigned char parity);
+
+void fe25519_invert(fe25519 *r, const fe25519 *x);
+
+#endif

data/vendor/libsodium/src/libsodium/crypto_sign/edwards25519sha512batch/ref/fe25519_edwards25519sha512batch.c

@@ -0,0 +1,348 @@
+#include "fe25519.h"
+
+#define WINDOWSIZE 4 /* Should be 1,2, or 4 */
+#define WINDOWMASK ((1<<WINDOWSIZE)-1)
+
+static void reduce_add_sub(fe25519 *r)
+{
+  crypto_uint32 t;
+  int i,rep;
+
+  for(rep=0;rep<4;rep++)
+  {
+    t = r->v[31] >> 7;
+    r->v[31] &= 127;
+    t *= 19;
+    r->v[0] += t;
+    for(i=0;i<31;i++)
+    {
+      t = r->v[i] >> 8;
+      r->v[i+1] += t;
+      r->v[i] &= 255;
+    }
+  }
+}
+
+static void reduce_mul(fe25519 *r)
+{
+  crypto_uint32 t;
+  int i,rep;
+
+  for(rep=0;rep<2;rep++)
+  {
+    t = r->v[31] >> 7;
+    r->v[31] &= 127;
+    t *= 19;
+    r->v[0] += t;
+    for(i=0;i<31;i++)
+    {
+      t = r->v[i] >> 8;
+      r->v[i+1] += t;
+      r->v[i] &= 255;
+    }
+  }
+}
+
+/* reduction modulo 2^255-19 */
+static void freeze(fe25519 *r)
+{
+  int i;
+  unsigned int m = (r->v[31] == 127);
+  for(i=30;i>1;i--)
+    m *= (r->v[i] == 255);
+  m *= (r->v[0] >= 237);
+
+  r->v[31] -= m*127;
+  for(i=30;i>0;i--)
+    r->v[i] -= m*255;
+  r->v[0] -= m*237;
+}
+
+/*freeze input before calling isone*/
+static int isone(const fe25519 *x)
+{
+  int i;
+  int r = (x->v[0] == 1);
+  for(i=1;i<32;i++)
+    r *= (x->v[i] == 0);
+  return r;
+}
+
+/*freeze input before calling iszero*/
+static int iszero(const fe25519 *x)
+{
+  int i;
+  int r = (x->v[0] == 0);
+  for(i=1;i<32;i++)
+    r *= (x->v[i] == 0);
+  return r;
+}
+
+
+static int issquare(const fe25519 *x)
+{
+  unsigned char e[32] = {0xf6,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x3f}; /* (p-1)/2 */
+  fe25519 t;
+
+  fe25519_pow(&t,x,e);
+  freeze(&t);
+  return isone(&t) || iszero(&t);
+}
+
+void fe25519_unpack(fe25519 *r, const unsigned char x[32])
+{
+  int i;
+  for(i=0;i<32;i++) r->v[i] = x[i];
+  r->v[31] &= 127;
+}
+
+/* Assumes input x being reduced mod 2^255 */
+void fe25519_pack(unsigned char r[32], const fe25519 *x)
+{
+  int i;
+  unsigned int m;
+  for(i=0;i<32;i++)
+    r[i] = x->v[i];
+
+  /* freeze byte array */
+  m = (r[31] == 127); /* XXX: some compilers might use branches; fix */
+  for(i=30;i>1;i--)
+    m *= (r[i] == 255);
+  m *= (r[0] >= 237);
+  r[31] -= m*127;
+  for(i=30;i>0;i--)
+    r[i] -= m*255;
+  r[0] -= m*237;
+}
+
+void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b)
+{
+  unsigned char nb = 1-b;
+  int i;
+  for(i=0;i<32;i++) r->v[i] = nb * r->v[i] + b * x->v[i];
+}
+
+unsigned char fe25519_getparity(const fe25519 *x)
+{
+  fe25519 t;
+  int i;
+  for(i=0;i<32;i++) t.v[i] = x->v[i];
+  freeze(&t);
+  return t.v[0] & 1;
+}
+
+void fe25519_setone(fe25519 *r)
+{
+  int i;
+  r->v[0] = 1;
+  for(i=1;i<32;i++) r->v[i]=0;
+}
+
+void fe25519_setzero(fe25519 *r)
+{
+  int i;
+  for(i=0;i<32;i++) r->v[i]=0;
+}
+
+void fe25519_neg(fe25519 *r, const fe25519 *x)
+{
+  fe25519 t;
+  int i;
+  for(i=0;i<32;i++) t.v[i]=x->v[i];
+  fe25519_setzero(r);
+  fe25519_sub(r, r, &t);
+}
+
+void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y)
+{
+  int i;
+  for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i];
+  reduce_add_sub(r);
+}
+
+void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y)
+{
+  int i;
+  crypto_uint32 t[32];
+  t[0] = x->v[0] + 0x1da;
+  t[31] = x->v[31] + 0xfe;
+  for(i=1;i<31;i++) t[i] = x->v[i] + 0x1fe;
+  for(i=0;i<32;i++) r->v[i] = t[i] - y->v[i];
+  reduce_add_sub(r);
+}
+
+void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y)
+{
+  int i,j;
+  crypto_uint32 t[63];
+  for(i=0;i<63;i++)t[i] = 0;
+
+  for(i=0;i<32;i++)
+    for(j=0;j<32;j++)
+      t[i+j] += x->v[i] * y->v[j];
+
+  for(i=32;i<63;i++)
+    r->v[i-32] = t[i-32] + 38*t[i];
+  r->v[31] = t[31]; /* result now in r[0]...r[31] */
+
+  reduce_mul(r);
+}
+
+void fe25519_square(fe25519 *r, const fe25519 *x)
+{
+  fe25519_mul(r, x, x);
+}
+
+/*XXX: Make constant time! */
+void fe25519_pow(fe25519 *r, const fe25519 *x, const unsigned char *e)
+{
+  /*
+  fe25519 g;
+  fe25519_setone(&g);
+  int i;
+  unsigned char j;
+  for(i=32;i>0;i--)
+  {
+    for(j=128;j>0;j>>=1)
+    {
+      fe25519_square(&g,&g);
+      if(e[i-1] & j)
+        fe25519_mul(&g,&g,x);
+    }
+  }
+  for(i=0;i<32;i++) r->v[i] = g.v[i];
+  */
+  fe25519 g;
+  int i,j,k;
+  fe25519 t;
+  unsigned char w;
+  fe25519 pre[(1 << WINDOWSIZE)];
+
+  fe25519_setone(&g);
+
+  // Precomputation
+  fe25519_setone(pre);
+  pre[1] = *x;
+  for(i=2;i<(1<<WINDOWSIZE);i+=2)
+  {
+    fe25519_square(pre+i, pre+i/2);
+    fe25519_mul(pre+i+1, pre+i, pre+1);
+  }
+
+  // Fixed-window scalar multiplication
+  for(i=32;i>0;i--)
+  {
+    for(j=8-WINDOWSIZE;j>=0;j-=WINDOWSIZE)
+    {
+      for(k=0;k<WINDOWSIZE;k++)
+        fe25519_square(&g, &g);
+      // Cache-timing resistant loading of precomputed value:
+      w = (e[i-1]>>j) & WINDOWMASK;
+      t = pre[0];
+      for(k=1;k<(1<<WINDOWSIZE);k++)
+        fe25519_cmov(&t, &pre[k], k==w);
+      fe25519_mul(&g, &g, &t);
+    }
+  }
+  *r = g;
+}
+
+/* Return 0 on success, 1 otherwise */
+int fe25519_sqrt_vartime(fe25519 *r, const fe25519 *x, unsigned char parity)
+{
+  unsigned char e[32] = {0xfb,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x1f}; /* (p-1)/4 */
+  unsigned char e2[32] = {0xfe,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x0f}; /* (p+3)/8 */
+  unsigned char e3[32] = {0xfd,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x0f}; /* (p-5)/8 */
+  fe25519 p = {{0}};
+  fe25519 d;
+  int i;
+
+  /* See HAC, Alg. 3.37 */
+  if (!issquare(x)) return -1;
+  fe25519_pow(&d,x,e);
+  freeze(&d);
+  if(isone(&d))
+    fe25519_pow(r,x,e2);
+  else
+  {
+    for(i=0;i<32;i++)
+      d.v[i] = 4*x->v[i];
+    fe25519_pow(&d,&d,e3);
+    for(i=0;i<32;i++)
+      r->v[i] = 2*x->v[i];
+    fe25519_mul(r,r,&d);
+  }
+  freeze(r);
+  if((r->v[0] & 1) != (parity & 1))
+  {
+    fe25519_sub(r,&p,r);
+  }
+  return 0;
+}
+
+void fe25519_invert(fe25519 *r, const fe25519 *x)
+{
+        fe25519 z2;
+        fe25519 z9;
+        fe25519 z11;
+        fe25519 z2_5_0;
+        fe25519 z2_10_0;
+        fe25519 z2_20_0;
+        fe25519 z2_50_0;
+        fe25519 z2_100_0;
+        fe25519 t0;
+        fe25519 t1;
+        int i;
+
+        /* 2 */ fe25519_square(&z2,x);
+        /* 4 */ fe25519_square(&t1,&z2);
+        /* 8 */ fe25519_square(&t0,&t1);
+        /* 9 */ fe25519_mul(&z9,&t0,x);
+        /* 11 */ fe25519_mul(&z11,&z9,&z2);
+        /* 22 */ fe25519_square(&t0,&z11);
+        /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t0,&z9);
+
+        /* 2^6 - 2^1 */ fe25519_square(&t0,&z2_5_0);
+        /* 2^7 - 2^2 */ fe25519_square(&t1,&t0);
+        /* 2^8 - 2^3 */ fe25519_square(&t0,&t1);
+        /* 2^9 - 2^4 */ fe25519_square(&t1,&t0);
+        /* 2^10 - 2^5 */ fe25519_square(&t0,&t1);
+        /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t0,&z2_5_0);
+
+        /* 2^11 - 2^1 */ fe25519_square(&t0,&z2_10_0);
+        /* 2^12 - 2^2 */ fe25519_square(&t1,&t0);
+        /* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
+        /* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t1,&z2_10_0);
+
+        /* 2^21 - 2^1 */ fe25519_square(&t0,&z2_20_0);
+        /* 2^22 - 2^2 */ fe25519_square(&t1,&t0);
+        /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
+        /* 2^40 - 2^0 */ fe25519_mul(&t0,&t1,&z2_20_0);
+
+        /* 2^41 - 2^1 */ fe25519_square(&t1,&t0);
+        /* 2^42 - 2^2 */ fe25519_square(&t0,&t1);
+        /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
+        /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t0,&z2_10_0);
+
+        /* 2^51 - 2^1 */ fe25519_square(&t0,&z2_50_0);
+        /* 2^52 - 2^2 */ fe25519_square(&t1,&t0);
+        /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
+        /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t1,&z2_50_0);
+
+        /* 2^101 - 2^1 */ fe25519_square(&t1,&z2_100_0);
+        /* 2^102 - 2^2 */ fe25519_square(&t0,&t1);
+        /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
+        /* 2^200 - 2^0 */ fe25519_mul(&t1,&t0,&z2_100_0);
+
+        /* 2^201 - 2^1 */ fe25519_square(&t0,&t1);
+        /* 2^202 - 2^2 */ fe25519_square(&t1,&t0);
+        /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
+        /* 2^250 - 2^0 */ fe25519_mul(&t0,&t1,&z2_50_0);
+
+        /* 2^251 - 2^1 */ fe25519_square(&t1,&t0);
+        /* 2^252 - 2^2 */ fe25519_square(&t0,&t1);
+        /* 2^253 - 2^3 */ fe25519_square(&t1,&t0);
+        /* 2^254 - 2^4 */ fe25519_square(&t0,&t1);
+        /* 2^255 - 2^5 */ fe25519_square(&t1,&t0);
+        /* 2^255 - 21 */ fe25519_mul(r,&t1,&z11);
+}