RubyGems - rbnacl-libsodium - Versions diffs - 1.0.11 → 1.0.13 - Mend

rbnacl-libsodium 1.0.11 → 1.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (465) hide show

data/vendor/libsodium/src/libsodium/crypto_box/curve25519xsalsa20poly1305/box_curve25519xsalsa20poly1305.c ADDED

@@ -0,0 +1,150 @@
+#include <string.h>
+#include "crypto_box_curve25519xsalsa20poly1305.h"
+#include "crypto_core_hsalsa20.h"
+#include "crypto_hash_sha512.h"
+#include "crypto_scalarmult_curve25519.h"
+#include "crypto_secretbox_xsalsa20poly1305.h"
+#include "randombytes.h"
+#include "utils.h"
+int
+crypto_box_curve25519xsalsa20poly1305_seed_keypair(unsigned char *pk,
+                                                   unsigned char *sk,
+                                                   const unsigned char *seed)
+{
+    unsigned char hash[64];
+    crypto_hash_sha512(hash, seed, 32);
+    memcpy(sk, hash, 32);
+    sodium_memzero(hash, sizeof hash);
+    return crypto_scalarmult_curve25519_base(pk, sk);
+}
+int
+crypto_box_curve25519xsalsa20poly1305_keypair(unsigned char *pk,
+                                              unsigned char *sk)
+{
+    randombytes_buf(sk, 32);
+    return crypto_scalarmult_curve25519_base(pk, sk);
+}
+int
+crypto_box_curve25519xsalsa20poly1305_beforenm(unsigned char *k,
+                                               const unsigned char *pk,
+                                               const unsigned char *sk)
+{
+    static const unsigned char zero[16] = { 0 };
+    unsigned char s[32];
+    if (crypto_scalarmult_curve25519(s, sk, pk) != 0) {
+        return -1;
+    }
+    return crypto_core_hsalsa20(k, zero, s, NULL);
+}
+int
+crypto_box_curve25519xsalsa20poly1305_afternm(unsigned char *c,
+                                              const unsigned char *m,
+                                              unsigned long long mlen,
+                                              const unsigned char *n,
+                                              const unsigned char *k)
+{
+    return crypto_secretbox_xsalsa20poly1305(c, m, mlen, n, k);
+}
+int
+crypto_box_curve25519xsalsa20poly1305_open_afternm(unsigned char *m,
+                                                   const unsigned char *c,
+                                                   unsigned long long clen,
+                                                   const unsigned char *n,
+                                                   const unsigned char *k)
+{
+    return crypto_secretbox_xsalsa20poly1305_open(m, c, clen, n, k);
+}
+int
+crypto_box_curve25519xsalsa20poly1305(unsigned char *c, const unsigned char *m,
+                                      unsigned long long   mlen,
+                                      const unsigned char *n,
+                                      const unsigned char *pk,
+                                      const unsigned char *sk)
+{
+    unsigned char k[crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES];
+    int           ret;
+    if (crypto_box_curve25519xsalsa20poly1305_beforenm(k, pk, sk) != 0) {
+        return -1;
+    }
+    ret = crypto_box_curve25519xsalsa20poly1305_afternm(c, m, mlen, n, k);
+    sodium_memzero(k, sizeof k);
+    return ret;
+}
+int
+crypto_box_curve25519xsalsa20poly1305_open(
+    unsigned char *m, const unsigned char *c, unsigned long long clen,
+    const unsigned char *n, const unsigned char *pk, const unsigned char *sk)
+{
+    unsigned char k[crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES];
+    int           ret;
+    if (crypto_box_curve25519xsalsa20poly1305_beforenm(k, pk, sk) != 0) {
+        return -1;
+    }
+    ret = crypto_box_curve25519xsalsa20poly1305_open_afternm(m, c, clen, n, k);
+    sodium_memzero(k, sizeof k);
+    return ret;
+}
+size_t
+crypto_box_curve25519xsalsa20poly1305_seedbytes(void)
+{
+    return crypto_box_curve25519xsalsa20poly1305_SEEDBYTES;
+}
+size_t
+crypto_box_curve25519xsalsa20poly1305_publickeybytes(void)
+{
+    return crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES;
+}
+size_t
+crypto_box_curve25519xsalsa20poly1305_secretkeybytes(void)
+{
+    return crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES;
+}
+size_t
+crypto_box_curve25519xsalsa20poly1305_beforenmbytes(void)
+{
+    return crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES;
+}
+size_t
+crypto_box_curve25519xsalsa20poly1305_noncebytes(void)
+{
+    return crypto_box_curve25519xsalsa20poly1305_NONCEBYTES;
+}
+size_t
+crypto_box_curve25519xsalsa20poly1305_zerobytes(void)
+{
+    return crypto_box_curve25519xsalsa20poly1305_ZEROBYTES;
+}
+size_t
+crypto_box_curve25519xsalsa20poly1305_boxzerobytes(void)
+{
+    return crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES;
+}
+size_t
+crypto_box_curve25519xsalsa20poly1305_macbytes(void)
+{
+    return crypto_box_curve25519xsalsa20poly1305_MACBYTES;
+}

data/vendor/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c CHANGED

@@ -1,12 +1,15 @@
 #include <stddef.h>
 #include <stdint.h>
 #include <string.h>
 #include "crypto_verify_32.h"
 #include "private/curve25519_ref10.h"
-static uint64_t load_3(const unsigned char *in)
+static inline uint64_t
+load_3(const unsigned char *in)
 {
     uint64_t result;
     result = (uint64_t) in[0];
     result |= ((uint64_t) in[1]) << 8;
     result |= ((uint64_t) in[2]) << 16;
@@ -14,9 +17,11 @@ static uint64_t load_3(const unsigned char *in)
     return result;
 }
-static uint64_t load_4(const unsigned char *in)
+static inline uint64_t
+load_4(const unsigned char *in)
 {
     uint64_t result;
     result = (uint64_t) in[0];
     result |= ((uint64_t) in[1]) << 8;
     result |= ((uint64_t) in[2]) << 16;
@@ -29,7 +34,8 @@ static uint64_t load_4(const unsigned char *in)
  h = 0
  */
-void fe_0(fe h)
+void
+fe_0(fe h)
 {
     memset(&h[0], 0, 10 * sizeof h[0]);
 }
@@ -38,7 +44,8 @@ void fe_0(fe h)
  h = 1
  */
-void fe_1(fe h)
+void
+fe_1(fe h)
 {
     h[0] = 1;
     h[1] = 0;
@@ -57,7 +64,8 @@ void fe_1(fe h)
  |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  */
-void fe_add(fe h,const fe f,const fe g)
+void
+fe_add(fe h, const fe f, const fe g)
 {
     int32_t f0 = f[0];
     int32_t f1 = f[1];
@@ -69,6 +77,7 @@ void fe_add(fe h,const fe f,const fe g)
     int32_t f7 = f[7];
     int32_t f8 = f[8];
     int32_t f9 = f[9];
     int32_t g0 = g[0];
     int32_t g1 = g[1];
     int32_t g2 = g[2];
@@ -79,6 +88,7 @@ void fe_add(fe h,const fe f,const fe g)
     int32_t g7 = g[7];
     int32_t g8 = g[8];
     int32_t g9 = g[9];
     int32_t h0 = f0 + g0;
     int32_t h1 = f1 + g1;
     int32_t h2 = f2 + g2;
@@ -89,6 +99,7 @@ void fe_add(fe h,const fe f,const fe g)
     int32_t h7 = f7 + g7;
     int32_t h8 = f8 + g8;
     int32_t h9 = f9 + g9;
     h[0] = h0;
     h[1] = h1;
     h[2] = h2;
@@ -108,7 +119,8 @@ void fe_add(fe h,const fe f,const fe g)
  Preconditions: b in {0,1}.
  */
-void fe_cmov(fe f,const fe g,unsigned int b)
+void
+fe_cmov(fe f, const fe g, unsigned int b)
 {
     int32_t f0 = f[0];
     int32_t f1 = f[1];
@@ -120,6 +132,7 @@ void fe_cmov(fe f,const fe g,unsigned int b)
     int32_t f7 = f[7];
     int32_t f8 = f[8];
     int32_t f9 = f[9];
     int32_t g0 = g[0];
     int32_t g1 = g[1];
     int32_t g2 = g[2];
@@ -130,6 +143,7 @@ void fe_cmov(fe f,const fe g,unsigned int b)
     int32_t g7 = g[7];
     int32_t g8 = g[8];
     int32_t g9 = g[9];
     int32_t x0 = f0 ^ g0;
     int32_t x1 = f1 ^ g1;
     int32_t x2 = f2 ^ g2;
@@ -140,7 +154,8 @@ void fe_cmov(fe f,const fe g,unsigned int b)
     int32_t x7 = f7 ^ g7;
     int32_t x8 = f8 ^ g8;
     int32_t x9 = f9 ^ g9;
-    b = (unsigned int) (- (int) b);
+    b = (unsigned int) (-(int) b);
     x0 &= b;
     x1 &= b;
     x2 &= b;
@@ -167,7 +182,8 @@ void fe_cmov(fe f,const fe g,unsigned int b)
  h = f
  */
-void fe_copy(fe h,const fe f)
+void
+fe_copy(fe h, const fe f)
 {
     int32_t f0 = f[0];
     int32_t f1 = f[1];
@@ -179,6 +195,7 @@ void fe_copy(fe h,const fe f)
     int32_t f7 = f[7];
     int32_t f8 = f[8];
     int32_t f9 = f[9];
     h[0] = f0;
     h[1] = f1;
     h[2] = f2;
@@ -195,7 +212,8 @@ void fe_copy(fe h,const fe f)
  Ignores top bit of h.
  */
-void fe_frombytes(fe h,const unsigned char *s)
+void
+fe_frombytes(fe h, const unsigned char *s)
 {
     int64_t h0 = load_4(s);
     int64_t h1 = load_3(s + 4) << 6;
@@ -207,6 +225,7 @@ void fe_frombytes(fe h,const unsigned char *s)
     int64_t h7 = load_3(s + 23) << 5;
     int64_t h8 = load_3(s + 26) << 4;
     int64_t h9 = (load_3(s + 29) & 8388607) << 2;
     int64_t carry0;
     int64_t carry1;
     int64_t carry2;
@@ -218,17 +237,37 @@ void fe_frombytes(fe h,const unsigned char *s)
     int64_t carry8;
     int64_t carry9;
-    carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25);
-    carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * ((uint64_t) 1L << 25);
-    carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25);
-    carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25);
-    carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25);
-    carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26);
-    carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26);
-    carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26);
-    carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26);
-    carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * ((uint64_t) 1L << 26);
+    carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
+    h0 += carry9 * 19;
+    h9 -= carry9 * ((uint64_t) 1L << 25);
+    carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
+    h2 += carry1;
+    h1 -= carry1 * ((uint64_t) 1L << 25);
+    carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
+    h4 += carry3;
+    h3 -= carry3 * ((uint64_t) 1L << 25);
+    carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
+    h6 += carry5;
+    h5 -= carry5 * ((uint64_t) 1L << 25);
+    carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
+    h8 += carry7;
+    h7 -= carry7 * ((uint64_t) 1L << 25);
+    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
+    h1 += carry0;
+    h0 -= carry0 * ((uint64_t) 1L << 26);
+    carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
+    h3 += carry2;
+    h2 -= carry2 * ((uint64_t) 1L << 26);
+    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
+    h5 += carry4;
+    h4 -= carry4 * ((uint64_t) 1L << 26);
+    carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
+    h7 += carry6;
+    h6 -= carry6 * ((uint64_t) 1L << 26);
+    carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
+    h9 += carry8;
+    h8 -= carry8 * ((uint64_t) 1L << 26);
     h[0] = (int32_t) h0;
     h[1] = (int32_t) h1;
@@ -267,7 +306,8 @@ void fe_frombytes(fe h,const unsigned char *s)
  so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
  */
-void fe_tobytes(unsigned char *s,const fe h)
+void
+fe_tobytes(unsigned char *s, const fe h)
 {
     int32_t h0 = h[0];
     int32_t h1 = h[1];
@@ -279,6 +319,7 @@ void fe_tobytes(unsigned char *s,const fe h)
     int32_t h7 = h[7];
     int32_t h8 = h[8];
     int32_t h9 = h[9];
     int32_t q;
     int32_t carry0;
     int32_t carry1;
@@ -307,16 +348,35 @@ void fe_tobytes(unsigned char *s,const fe h)
     h0 += 19 * q;
     /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
-    carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 * ((uint32_t) 1L << 26);
-    carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 * ((uint32_t) 1L << 25);
-    carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 * ((uint32_t) 1L << 26);
-    carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 * ((uint32_t) 1L << 25);
-    carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 * ((uint32_t) 1L << 26);
-    carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 * ((uint32_t) 1L << 25);
-    carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 * ((uint32_t) 1L << 26);
-    carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 * ((uint32_t) 1L << 25);
-    carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 * ((uint32_t) 1L << 26);
-    carry9 = h9 >> 25;               h9 -= carry9 * ((uint32_t) 1L << 25);
+    carry0 = h0 >> 26;
+    h1 += carry0;
+    h0 -= carry0 * ((uint32_t) 1L << 26);
+    carry1 = h1 >> 25;
+    h2 += carry1;
+    h1 -= carry1 * ((uint32_t) 1L << 25);
+    carry2 = h2 >> 26;
+    h3 += carry2;
+    h2 -= carry2 * ((uint32_t) 1L << 26);
+    carry3 = h3 >> 25;
+    h4 += carry3;
+    h3 -= carry3 * ((uint32_t) 1L << 25);
+    carry4 = h4 >> 26;
+    h5 += carry4;
+    h4 -= carry4 * ((uint32_t) 1L << 26);
+    carry5 = h5 >> 25;
+    h6 += carry5;
+    h5 -= carry5 * ((uint32_t) 1L << 25);
+    carry6 = h6 >> 26;
+    h7 += carry6;
+    h6 -= carry6 * ((uint32_t) 1L << 26);
+    carry7 = h7 >> 25;
+    h8 += carry7;
+    h7 -= carry7 * ((uint32_t) 1L << 25);
+    carry8 = h8 >> 26;
+    h9 += carry8;
+    h8 -= carry8 * ((uint32_t) 1L << 26);
+    carry9 = h9 >> 25;
+    h9 -= carry9 * ((uint32_t) 1L << 25);
     /* h10 = carry9 */
     /*
@@ -326,16 +386,16 @@ void fe_tobytes(unsigned char *s,const fe h)
      Goal: Output h0+...+2^230 h9.
      */
-    s[0] = h0 >> 0;
-    s[1] = h0 >> 8;
-    s[2] = h0 >> 16;
-    s[3] = (h0 >> 24) | (h1 * ((uint32_t) 1 << 2));
-    s[4] = h1 >> 6;
-    s[5] = h1 >> 14;
-    s[6] = (h1 >> 22) | (h2 * ((uint32_t) 1 << 3));
-    s[7] = h2 >> 5;
-    s[8] = h2 >> 13;
-    s[9] = (h2 >> 21) | (h3 * ((uint32_t) 1 << 5));
+    s[0]  = h0 >> 0;
+    s[1]  = h0 >> 8;
+    s[2]  = h0 >> 16;
+    s[3]  = (h0 >> 24) | (h1 * ((uint32_t) 1 << 2));
+    s[4]  = h1 >> 6;
+    s[5]  = h1 >> 14;
+    s[6]  = (h1 >> 22) | (h2 * ((uint32_t) 1 << 3));
+    s[7]  = h2 >> 5;
+    s[8]  = h2 >> 13;
+    s[9]  = (h2 >> 21) | (h3 * ((uint32_t) 1 << 5));
     s[10] = h3 >> 3;
     s[11] = h3 >> 11;
     s[12] = (h3 >> 19) | (h4 * ((uint32_t) 1 << 6));
@@ -368,10 +428,12 @@ void fe_tobytes(unsigned char *s,const fe h)
  |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  */
-int fe_isnegative(const fe f)
+int
+fe_isnegative(const fe f)
 {
     unsigned char s[32];
-    fe_tobytes(s,f);
+    fe_tobytes(s, f);
     return s[0] & 1;
 }
@@ -386,12 +448,14 @@ int fe_isnegative(const fe f)
 static unsigned char zero[32];
-int fe_isnonzero(const fe f)
+int
+fe_isnonzero(const fe f)
 {
     unsigned char s[32];
-    fe_tobytes(s,f);
-    return crypto_verify_32(s,zero);
+    fe_tobytes(s, f);
+    return crypto_verify_32(s, zero);
 }
 /*
@@ -426,7 +490,8 @@ int fe_isnonzero(const fe f)
  With tighter constraints on inputs can squeeze carries into int32.
  */
-void fe_mul(fe h,const fe f,const fe g)
+void
+fe_mul(fe h, const fe f, const fe g)
 {
     int32_t f0 = f[0];
     int32_t f1 = f[1];
@@ -438,6 +503,7 @@ void fe_mul(fe h,const fe f,const fe g)
     int32_t f7 = f[7];
     int32_t f8 = f[8];
     int32_t f9 = f[9];
     int32_t g0 = g[0];
     int32_t g1 = g[1];
     int32_t g2 = g[2];
@@ -448,6 +514,7 @@ void fe_mul(fe h,const fe f,const fe g)
     int32_t g7 = g[7];
     int32_t g8 = g[8];
     int32_t g9 = g[9];
     int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
     int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
     int32_t g3_19 = 19 * g3;
@@ -457,121 +524,134 @@ void fe_mul(fe h,const fe f,const fe g)
     int32_t g7_19 = 19 * g7;
     int32_t g8_19 = 19 * g8;
     int32_t g9_19 = 19 * g9;
-    int32_t f1_2 = 2 * f1;
-    int32_t f3_2 = 2 * f3;
-    int32_t f5_2 = 2 * f5;
-    int32_t f7_2 = 2 * f7;
-    int32_t f9_2 = 2 * f9;
-    int64_t f0g0    = f0   * (int64_t) g0;
-    int64_t f0g1    = f0   * (int64_t) g1;
-    int64_t f0g2    = f0   * (int64_t) g2;
-    int64_t f0g3    = f0   * (int64_t) g3;
-    int64_t f0g4    = f0   * (int64_t) g4;
-    int64_t f0g5    = f0   * (int64_t) g5;
-    int64_t f0g6    = f0   * (int64_t) g6;
-    int64_t f0g7    = f0   * (int64_t) g7;
-    int64_t f0g8    = f0   * (int64_t) g8;
-    int64_t f0g9    = f0   * (int64_t) g9;
-    int64_t f1g0    = f1   * (int64_t) g0;
+    int32_t f1_2  = 2 * f1;
+    int32_t f3_2  = 2 * f3;
+    int32_t f5_2  = 2 * f5;
+    int32_t f7_2  = 2 * f7;
+    int32_t f9_2  = 2 * f9;
+    int64_t f0g0    = f0 * (int64_t) g0;
+    int64_t f0g1    = f0 * (int64_t) g1;
+    int64_t f0g2    = f0 * (int64_t) g2;
+    int64_t f0g3    = f0 * (int64_t) g3;
+    int64_t f0g4    = f0 * (int64_t) g4;
+    int64_t f0g5    = f0 * (int64_t) g5;
+    int64_t f0g6    = f0 * (int64_t) g6;
+    int64_t f0g7    = f0 * (int64_t) g7;
+    int64_t f0g8    = f0 * (int64_t) g8;
+    int64_t f0g9    = f0 * (int64_t) g9;
+    int64_t f1g0    = f1 * (int64_t) g0;
     int64_t f1g1_2  = f1_2 * (int64_t) g1;
-    int64_t f1g2    = f1   * (int64_t) g2;
+    int64_t f1g2    = f1 * (int64_t) g2;
     int64_t f1g3_2  = f1_2 * (int64_t) g3;
-    int64_t f1g4    = f1   * (int64_t) g4;
+    int64_t f1g4    = f1 * (int64_t) g4;
     int64_t f1g5_2  = f1_2 * (int64_t) g5;
-    int64_t f1g6    = f1   * (int64_t) g6;
+    int64_t f1g6    = f1 * (int64_t) g6;
     int64_t f1g7_2  = f1_2 * (int64_t) g7;
-    int64_t f1g8    = f1   * (int64_t) g8;
+    int64_t f1g8    = f1 * (int64_t) g8;
     int64_t f1g9_38 = f1_2 * (int64_t) g9_19;
-    int64_t f2g0    = f2   * (int64_t) g0;
-    int64_t f2g1    = f2   * (int64_t) g1;
-    int64_t f2g2    = f2   * (int64_t) g2;
-    int64_t f2g3    = f2   * (int64_t) g3;
-    int64_t f2g4    = f2   * (int64_t) g4;
-    int64_t f2g5    = f2   * (int64_t) g5;
-    int64_t f2g6    = f2   * (int64_t) g6;
-    int64_t f2g7    = f2   * (int64_t) g7;
-    int64_t f2g8_19 = f2   * (int64_t) g8_19;
-    int64_t f2g9_19 = f2   * (int64_t) g9_19;
-    int64_t f3g0    = f3   * (int64_t) g0;
+    int64_t f2g0    = f2 * (int64_t) g0;
+    int64_t f2g1    = f2 * (int64_t) g1;
+    int64_t f2g2    = f2 * (int64_t) g2;
+    int64_t f2g3    = f2 * (int64_t) g3;
+    int64_t f2g4    = f2 * (int64_t) g4;
+    int64_t f2g5    = f2 * (int64_t) g5;
+    int64_t f2g6    = f2 * (int64_t) g6;
+    int64_t f2g7    = f2 * (int64_t) g7;
+    int64_t f2g8_19 = f2 * (int64_t) g8_19;
+    int64_t f2g9_19 = f2 * (int64_t) g9_19;
+    int64_t f3g0    = f3 * (int64_t) g0;
     int64_t f3g1_2  = f3_2 * (int64_t) g1;
-    int64_t f3g2    = f3   * (int64_t) g2;
+    int64_t f3g2    = f3 * (int64_t) g2;
     int64_t f3g3_2  = f3_2 * (int64_t) g3;
-    int64_t f3g4    = f3   * (int64_t) g4;
+    int64_t f3g4    = f3 * (int64_t) g4;
     int64_t f3g5_2  = f3_2 * (int64_t) g5;
-    int64_t f3g6    = f3   * (int64_t) g6;
+    int64_t f3g6    = f3 * (int64_t) g6;
     int64_t f3g7_38 = f3_2 * (int64_t) g7_19;
-    int64_t f3g8_19 = f3   * (int64_t) g8_19;
+    int64_t f3g8_19 = f3 * (int64_t) g8_19;
     int64_t f3g9_38 = f3_2 * (int64_t) g9_19;
-    int64_t f4g0    = f4   * (int64_t) g0;
-    int64_t f4g1    = f4   * (int64_t) g1;
-    int64_t f4g2    = f4   * (int64_t) g2;
-    int64_t f4g3    = f4   * (int64_t) g3;
-    int64_t f4g4    = f4   * (int64_t) g4;
-    int64_t f4g5    = f4   * (int64_t) g5;
-    int64_t f4g6_19 = f4   * (int64_t) g6_19;
-    int64_t f4g7_19 = f4   * (int64_t) g7_19;
-    int64_t f4g8_19 = f4   * (int64_t) g8_19;
-    int64_t f4g9_19 = f4   * (int64_t) g9_19;
-    int64_t f5g0    = f5   * (int64_t) g0;
+    int64_t f4g0    = f4 * (int64_t) g0;
+    int64_t f4g1    = f4 * (int64_t) g1;
+    int64_t f4g2    = f4 * (int64_t) g2;
+    int64_t f4g3    = f4 * (int64_t) g3;
+    int64_t f4g4    = f4 * (int64_t) g4;
+    int64_t f4g5    = f4 * (int64_t) g5;
+    int64_t f4g6_19 = f4 * (int64_t) g6_19;
+    int64_t f4g7_19 = f4 * (int64_t) g7_19;
+    int64_t f4g8_19 = f4 * (int64_t) g8_19;
+    int64_t f4g9_19 = f4 * (int64_t) g9_19;
+    int64_t f5g0    = f5 * (int64_t) g0;
     int64_t f5g1_2  = f5_2 * (int64_t) g1;
-    int64_t f5g2    = f5   * (int64_t) g2;
+    int64_t f5g2    = f5 * (int64_t) g2;
     int64_t f5g3_2  = f5_2 * (int64_t) g3;
-    int64_t f5g4    = f5   * (int64_t) g4;
+    int64_t f5g4    = f5 * (int64_t) g4;
     int64_t f5g5_38 = f5_2 * (int64_t) g5_19;
-    int64_t f5g6_19 = f5   * (int64_t) g6_19;
+    int64_t f5g6_19 = f5 * (int64_t) g6_19;
     int64_t f5g7_38 = f5_2 * (int64_t) g7_19;
-    int64_t f5g8_19 = f5   * (int64_t) g8_19;
+    int64_t f5g8_19 = f5 * (int64_t) g8_19;
     int64_t f5g9_38 = f5_2 * (int64_t) g9_19;
-    int64_t f6g0    = f6   * (int64_t) g0;
-    int64_t f6g1    = f6   * (int64_t) g1;
-    int64_t f6g2    = f6   * (int64_t) g2;
-    int64_t f6g3    = f6   * (int64_t) g3;
-    int64_t f6g4_19 = f6   * (int64_t) g4_19;
-    int64_t f6g5_19 = f6   * (int64_t) g5_19;
-    int64_t f6g6_19 = f6   * (int64_t) g6_19;
-    int64_t f6g7_19 = f6   * (int64_t) g7_19;
-    int64_t f6g8_19 = f6   * (int64_t) g8_19;
-    int64_t f6g9_19 = f6   * (int64_t) g9_19;
-    int64_t f7g0    = f7   * (int64_t) g0;
+    int64_t f6g0    = f6 * (int64_t) g0;
+    int64_t f6g1    = f6 * (int64_t) g1;
+    int64_t f6g2    = f6 * (int64_t) g2;
+    int64_t f6g3    = f6 * (int64_t) g3;
+    int64_t f6g4_19 = f6 * (int64_t) g4_19;
+    int64_t f6g5_19 = f6 * (int64_t) g5_19;
+    int64_t f6g6_19 = f6 * (int64_t) g6_19;
+    int64_t f6g7_19 = f6 * (int64_t) g7_19;
+    int64_t f6g8_19 = f6 * (int64_t) g8_19;
+    int64_t f6g9_19 = f6 * (int64_t) g9_19;
+    int64_t f7g0    = f7 * (int64_t) g0;
     int64_t f7g1_2  = f7_2 * (int64_t) g1;
-    int64_t f7g2    = f7   * (int64_t) g2;
+    int64_t f7g2    = f7 * (int64_t) g2;
     int64_t f7g3_38 = f7_2 * (int64_t) g3_19;
-    int64_t f7g4_19 = f7   * (int64_t) g4_19;
+    int64_t f7g4_19 = f7 * (int64_t) g4_19;
     int64_t f7g5_38 = f7_2 * (int64_t) g5_19;
-    int64_t f7g6_19 = f7   * (int64_t) g6_19;
+    int64_t f7g6_19 = f7 * (int64_t) g6_19;
     int64_t f7g7_38 = f7_2 * (int64_t) g7_19;
-    int64_t f7g8_19 = f7   * (int64_t) g8_19;
+    int64_t f7g8_19 = f7 * (int64_t) g8_19;
     int64_t f7g9_38 = f7_2 * (int64_t) g9_19;
-    int64_t f8g0    = f8   * (int64_t) g0;
-    int64_t f8g1    = f8   * (int64_t) g1;
-    int64_t f8g2_19 = f8   * (int64_t) g2_19;
-    int64_t f8g3_19 = f8   * (int64_t) g3_19;
-    int64_t f8g4_19 = f8   * (int64_t) g4_19;
-    int64_t f8g5_19 = f8   * (int64_t) g5_19;
-    int64_t f8g6_19 = f8   * (int64_t) g6_19;
-    int64_t f8g7_19 = f8   * (int64_t) g7_19;
-    int64_t f8g8_19 = f8   * (int64_t) g8_19;
-    int64_t f8g9_19 = f8   * (int64_t) g9_19;
-    int64_t f9g0    = f9   * (int64_t) g0;
+    int64_t f8g0    = f8 * (int64_t) g0;
+    int64_t f8g1    = f8 * (int64_t) g1;
+    int64_t f8g2_19 = f8 * (int64_t) g2_19;
+    int64_t f8g3_19 = f8 * (int64_t) g3_19;
+    int64_t f8g4_19 = f8 * (int64_t) g4_19;
+    int64_t f8g5_19 = f8 * (int64_t) g5_19;
+    int64_t f8g6_19 = f8 * (int64_t) g6_19;
+    int64_t f8g7_19 = f8 * (int64_t) g7_19;
+    int64_t f8g8_19 = f8 * (int64_t) g8_19;
+    int64_t f8g9_19 = f8 * (int64_t) g9_19;
+    int64_t f9g0    = f9 * (int64_t) g0;
     int64_t f9g1_38 = f9_2 * (int64_t) g1_19;
-    int64_t f9g2_19 = f9   * (int64_t) g2_19;
+    int64_t f9g2_19 = f9 * (int64_t) g2_19;
     int64_t f9g3_38 = f9_2 * (int64_t) g3_19;
-    int64_t f9g4_19 = f9   * (int64_t) g4_19;
+    int64_t f9g4_19 = f9 * (int64_t) g4_19;
     int64_t f9g5_38 = f9_2 * (int64_t) g5_19;
-    int64_t f9g6_19 = f9   * (int64_t) g6_19;
+    int64_t f9g6_19 = f9 * (int64_t) g6_19;
     int64_t f9g7_38 = f9_2 * (int64_t) g7_19;
-    int64_t f9g8_19 = f9   * (int64_t) g8_19;
+    int64_t f9g8_19 = f9 * (int64_t) g8_19;
     int64_t f9g9_38 = f9_2 * (int64_t) g9_19;
-    int64_t h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38;
-    int64_t h1 = f0g1+f1g0   +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19;
-    int64_t h2 = f0g2+f1g1_2 +f2g0   +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38;
-    int64_t h3 = f0g3+f1g2   +f2g1   +f3g0   +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19;
-    int64_t h4 = f0g4+f1g3_2 +f2g2   +f3g1_2 +f4g0   +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38;
-    int64_t h5 = f0g5+f1g4   +f2g3   +f3g2   +f4g1   +f5g0   +f6g9_19+f7g8_19+f8g7_19+f9g6_19;
-    int64_t h6 = f0g6+f1g5_2 +f2g4   +f3g3_2 +f4g2   +f5g1_2 +f6g0   +f7g9_38+f8g8_19+f9g7_38;
-    int64_t h7 = f0g7+f1g6   +f2g5   +f3g4   +f4g3   +f5g2   +f6g1   +f7g0   +f8g9_19+f9g8_19;
-    int64_t h8 = f0g8+f1g7_2 +f2g6   +f3g5_2 +f4g4   +f5g3_2 +f6g2   +f7g1_2 +f8g0   +f9g9_38;
-    int64_t h9 = f0g9+f1g8   +f2g7   +f3g6   +f4g5   +f5g4   +f6g3   +f7g2   +f8g1   +f9g0   ;
+    int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 +
+                 f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38;
+    int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 +
+                 f7g4_19 + f8g3_19 + f9g2_19;
+    int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 +
+                 f7g5_38 + f8g4_19 + f9g3_38;
+    int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 +
+                 f7g6_19 + f8g5_19 + f9g4_19;
+    int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 +
+                 f7g7_38 + f8g6_19 + f9g5_38;
+    int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 +
+                 f8g7_19 + f9g6_19;
+    int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 +
+                 f7g9_38 + f8g8_19 + f9g7_38;
+    int64_t h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 +
+                 f8g9_19 + f9g8_19;
+    int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 +
+                 f8g0 + f9g9_38;
+    int64_t h9 =
+        f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0;
     int64_t carry0;
     int64_t carry1;
     int64_t carry2;
@@ -590,46 +670,70 @@ void fe_mul(fe h,const fe f,const fe g)
      i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
      */
-    carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26);
-    carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26);
+    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
+    h1 += carry0;
+    h0 -= carry0 * ((uint64_t) 1L << 26);
+    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
+    h5 += carry4;
+    h4 -= carry4 * ((uint64_t) 1L << 26);
     /* |h0| <= 2^25 */
     /* |h4| <= 2^25 */
     /* |h1| <= 1.71*2^59 */
     /* |h5| <= 1.71*2^59 */
-    carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * ((uint64_t) 1L << 25);
-    carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25);
+    carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
+    h2 += carry1;
+    h1 -= carry1 * ((uint64_t) 1L << 25);
+    carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
+    h6 += carry5;
+    h5 -= carry5 * ((uint64_t) 1L << 25);
     /* |h1| <= 2^24; from now on fits into int32 */
     /* |h5| <= 2^24; from now on fits into int32 */
     /* |h2| <= 1.41*2^60 */
     /* |h6| <= 1.41*2^60 */
-    carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26);
-    carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26);
+    carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
+    h3 += carry2;
+    h2 -= carry2 * ((uint64_t) 1L << 26);
+    carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
+    h7 += carry6;
+    h6 -= carry6 * ((uint64_t) 1L << 26);
     /* |h2| <= 2^25; from now on fits into int32 unchanged */
     /* |h6| <= 2^25; from now on fits into int32 unchanged */
     /* |h3| <= 1.71*2^59 */
     /* |h7| <= 1.71*2^59 */
-    carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25);
-    carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25);
+    carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
+    h4 += carry3;
+    h3 -= carry3 * ((uint64_t) 1L << 25);
+    carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
+    h8 += carry7;
+    h7 -= carry7 * ((uint64_t) 1L << 25);
     /* |h3| <= 2^24; from now on fits into int32 unchanged */
     /* |h7| <= 2^24; from now on fits into int32 unchanged */
     /* |h4| <= 1.72*2^34 */
     /* |h8| <= 1.41*2^60 */
-    carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26);
-    carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * ((uint64_t) 1L << 26);
+    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
+    h5 += carry4;
+    h4 -= carry4 * ((uint64_t) 1L << 26);
+    carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
+    h9 += carry8;
+    h8 -= carry8 * ((uint64_t) 1L << 26);
     /* |h4| <= 2^25; from now on fits into int32 unchanged */
     /* |h8| <= 2^25; from now on fits into int32 unchanged */
     /* |h5| <= 1.01*2^24 */
     /* |h9| <= 1.71*2^59 */
-    carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25);
+    carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
+    h0 += carry9 * 19;
+    h9 -= carry9 * ((uint64_t) 1L << 25);
     /* |h9| <= 2^24; from now on fits into int32 unchanged */
     /* |h0| <= 1.1*2^39 */
-    carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26);
+    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
+    h1 += carry0;
+    h0 -= carry0 * ((uint64_t) 1L << 26);
     /* |h0| <= 2^25; from now on fits into int32 unchanged */
     /* |h1| <= 1.01*2^24 */
@@ -655,7 +759,8 @@ void fe_mul(fe h,const fe f,const fe g)
  |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  */
-void fe_neg(fe h,const fe f)
+void
+fe_neg(fe h, const fe f)
 {
     int32_t f0 = f[0];
     int32_t f1 = f[1];
@@ -667,6 +772,7 @@ void fe_neg(fe h,const fe f)
     int32_t f7 = f[7];
     int32_t f8 = f[8];
     int32_t f9 = f[9];
     int32_t h0 = -f0;
     int32_t h1 = -f1;
     int32_t h2 = -f2;
@@ -677,6 +783,7 @@ void fe_neg(fe h,const fe f)
     int32_t h7 = -f7;
     int32_t h8 = -f8;
     int32_t h9 = -f9;
     h[0] = h0;
     h[1] = h1;
     h[2] = h2;
@@ -704,7 +811,8 @@ void fe_neg(fe h,const fe f)
  See fe_mul.c for discussion of implementation strategy.
  */
-void fe_sq(fe h,const fe f)
+void
+fe_sq(fe h, const fe f)
 {
     int32_t f0 = f[0];
     int32_t f1 = f[1];
@@ -716,20 +824,22 @@ void fe_sq(fe h,const fe f)
     int32_t f7 = f[7];
     int32_t f8 = f[8];
     int32_t f9 = f[9];
-    int32_t f0_2 = 2 * f0;
-    int32_t f1_2 = 2 * f1;
-    int32_t f2_2 = 2 * f2;
-    int32_t f3_2 = 2 * f3;
-    int32_t f4_2 = 2 * f4;
-    int32_t f5_2 = 2 * f5;
-    int32_t f6_2 = 2 * f6;
-    int32_t f7_2 = 2 * f7;
+    int32_t f0_2  = 2 * f0;
+    int32_t f1_2  = 2 * f1;
+    int32_t f2_2  = 2 * f2;
+    int32_t f3_2  = 2 * f3;
+    int32_t f4_2  = 2 * f4;
+    int32_t f5_2  = 2 * f5;
+    int32_t f6_2  = 2 * f6;
+    int32_t f7_2  = 2 * f7;
     int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
     int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
     int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
     int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
     int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
-    int64_t f0f0    = f0   * (int64_t) f0;
+    int64_t f0f0    = f0 * (int64_t) f0;
     int64_t f0f1_2  = f0_2 * (int64_t) f1;
     int64_t f0f2_2  = f0_2 * (int64_t) f2;
     int64_t f0f3_2  = f0_2 * (int64_t) f3;
@@ -748,14 +858,14 @@ void fe_sq(fe h,const fe f)
     int64_t f1f7_4  = f1_2 * (int64_t) f7_2;
     int64_t f1f8_2  = f1_2 * (int64_t) f8;
     int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
-    int64_t f2f2    = f2   * (int64_t) f2;
+    int64_t f2f2    = f2 * (int64_t) f2;
     int64_t f2f3_2  = f2_2 * (int64_t) f3;
     int64_t f2f4_2  = f2_2 * (int64_t) f4;
     int64_t f2f5_2  = f2_2 * (int64_t) f5;
     int64_t f2f6_2  = f2_2 * (int64_t) f6;
     int64_t f2f7_2  = f2_2 * (int64_t) f7;
     int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
-    int64_t f2f9_38 = f2   * (int64_t) f9_38;
+    int64_t f2f9_38 = f2 * (int64_t) f9_38;
     int64_t f3f3_2  = f3_2 * (int64_t) f3;
     int64_t f3f4_2  = f3_2 * (int64_t) f4;
     int64_t f3f5_4  = f3_2 * (int64_t) f5_2;
@@ -763,37 +873,39 @@ void fe_sq(fe h,const fe f)
     int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
     int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
     int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
-    int64_t f4f4    = f4   * (int64_t) f4;
+    int64_t f4f4    = f4 * (int64_t) f4;
     int64_t f4f5_2  = f4_2 * (int64_t) f5;
     int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
-    int64_t f4f7_38 = f4   * (int64_t) f7_38;
+    int64_t f4f7_38 = f4 * (int64_t) f7_38;
     int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
-    int64_t f4f9_38 = f4   * (int64_t) f9_38;
-    int64_t f5f5_38 = f5   * (int64_t) f5_38;
+    int64_t f4f9_38 = f4 * (int64_t) f9_38;
+    int64_t f5f5_38 = f5 * (int64_t) f5_38;
     int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
     int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
     int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
     int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
-    int64_t f6f6_19 = f6   * (int64_t) f6_19;
-    int64_t f6f7_38 = f6   * (int64_t) f7_38;
+    int64_t f6f6_19 = f6 * (int64_t) f6_19;
+    int64_t f6f7_38 = f6 * (int64_t) f7_38;
     int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
-    int64_t f6f9_38 = f6   * (int64_t) f9_38;
-    int64_t f7f7_38 = f7   * (int64_t) f7_38;
+    int64_t f6f9_38 = f6 * (int64_t) f9_38;
+    int64_t f7f7_38 = f7 * (int64_t) f7_38;
     int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
     int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
-    int64_t f8f8_19 = f8   * (int64_t) f8_19;
-    int64_t f8f9_38 = f8   * (int64_t) f9_38;
-    int64_t f9f9_38 = f9   * (int64_t) f9_38;
-    int64_t h0 = f0f0  +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38;
-    int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38;
-    int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19;
-    int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38;
-    int64_t h4 = f0f4_2+f1f3_4 +f2f2   +f5f9_76+f6f8_38+f7f7_38;
-    int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38;
-    int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19;
-    int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38;
-    int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4   +f9f9_38;
-    int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2;
+    int64_t f8f8_19 = f8 * (int64_t) f8_19;
+    int64_t f8f9_38 = f8 * (int64_t) f9_38;
+    int64_t f9f9_38 = f9 * (int64_t) f9_38;
+    int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
+    int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
+    int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
+    int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
+    int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
+    int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
+    int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
+    int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
+    int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
+    int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
     int64_t carry0;
     int64_t carry1;
     int64_t carry2;
@@ -805,24 +917,48 @@ void fe_sq(fe h,const fe f)
     int64_t carry8;
     int64_t carry9;
-    carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26);
-    carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26);
-    carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * ((uint64_t) 1L << 25);
-    carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25);
-    carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26);
-    carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26);
-    carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25);
-    carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25);
-    carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26);
-    carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * ((uint64_t) 1L << 26);
-    carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25);
-    carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26);
+    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
+    h1 += carry0;
+    h0 -= carry0 * ((uint64_t) 1L << 26);
+    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
+    h5 += carry4;
+    h4 -= carry4 * ((uint64_t) 1L << 26);
+    carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
+    h2 += carry1;
+    h1 -= carry1 * ((uint64_t) 1L << 25);
+    carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
+    h6 += carry5;
+    h5 -= carry5 * ((uint64_t) 1L << 25);
+    carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
+    h3 += carry2;
+    h2 -= carry2 * ((uint64_t) 1L << 26);
+    carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
+    h7 += carry6;
+    h6 -= carry6 * ((uint64_t) 1L << 26);
+    carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
+    h4 += carry3;
+    h3 -= carry3 * ((uint64_t) 1L << 25);
+    carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
+    h8 += carry7;
+    h7 -= carry7 * ((uint64_t) 1L << 25);
+    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
+    h5 += carry4;
+    h4 -= carry4 * ((uint64_t) 1L << 26);
+    carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
+    h9 += carry8;
+    h8 -= carry8 * ((uint64_t) 1L << 26);
+    carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
+    h0 += carry9 * 19;
+    h9 -= carry9 * ((uint64_t) 1L << 25);
+    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
+    h1 += carry0;
+    h0 -= carry0 * ((uint64_t) 1L << 26);
     h[0] = (int32_t) h0;
     h[1] = (int32_t) h1;
@@ -851,7 +987,8 @@ void fe_sq(fe h,const fe f)
  See fe_mul.c for discussion of implementation strategy.
  */
-void fe_sq2(fe h,const fe f)
+void
+fe_sq2(fe h, const fe f)
 {
     int32_t f0 = f[0];
     int32_t f1 = f[1];
@@ -863,20 +1000,22 @@ void fe_sq2(fe h,const fe f)
     int32_t f7 = f[7];
     int32_t f8 = f[8];
     int32_t f9 = f[9];
-    int32_t f0_2 = 2 * f0;
-    int32_t f1_2 = 2 * f1;
-    int32_t f2_2 = 2 * f2;
-    int32_t f3_2 = 2 * f3;
-    int32_t f4_2 = 2 * f4;
-    int32_t f5_2 = 2 * f5;
-    int32_t f6_2 = 2 * f6;
-    int32_t f7_2 = 2 * f7;
+    int32_t f0_2  = 2 * f0;
+    int32_t f1_2  = 2 * f1;
+    int32_t f2_2  = 2 * f2;
+    int32_t f3_2  = 2 * f3;
+    int32_t f4_2  = 2 * f4;
+    int32_t f5_2  = 2 * f5;
+    int32_t f6_2  = 2 * f6;
+    int32_t f7_2  = 2 * f7;
     int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
     int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
     int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
     int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
     int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
-    int64_t f0f0    = f0   * (int64_t) f0;
+    int64_t f0f0    = f0 * (int64_t) f0;
     int64_t f0f1_2  = f0_2 * (int64_t) f1;
     int64_t f0f2_2  = f0_2 * (int64_t) f2;
     int64_t f0f3_2  = f0_2 * (int64_t) f3;
@@ -895,14 +1034,14 @@ void fe_sq2(fe h,const fe f)
     int64_t f1f7_4  = f1_2 * (int64_t) f7_2;
     int64_t f1f8_2  = f1_2 * (int64_t) f8;
     int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
-    int64_t f2f2    = f2   * (int64_t) f2;
+    int64_t f2f2    = f2 * (int64_t) f2;
     int64_t f2f3_2  = f2_2 * (int64_t) f3;
     int64_t f2f4_2  = f2_2 * (int64_t) f4;
     int64_t f2f5_2  = f2_2 * (int64_t) f5;
     int64_t f2f6_2  = f2_2 * (int64_t) f6;
     int64_t f2f7_2  = f2_2 * (int64_t) f7;
     int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
-    int64_t f2f9_38 = f2   * (int64_t) f9_38;
+    int64_t f2f9_38 = f2 * (int64_t) f9_38;
     int64_t f3f3_2  = f3_2 * (int64_t) f3;
     int64_t f3f4_2  = f3_2 * (int64_t) f4;
     int64_t f3f5_4  = f3_2 * (int64_t) f5_2;
@@ -910,37 +1049,39 @@ void fe_sq2(fe h,const fe f)
     int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
     int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
     int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
-    int64_t f4f4    = f4   * (int64_t) f4;
+    int64_t f4f4    = f4 * (int64_t) f4;
     int64_t f4f5_2  = f4_2 * (int64_t) f5;
     int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
-    int64_t f4f7_38 = f4   * (int64_t) f7_38;
+    int64_t f4f7_38 = f4 * (int64_t) f7_38;
     int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
-    int64_t f4f9_38 = f4   * (int64_t) f9_38;
-    int64_t f5f5_38 = f5   * (int64_t) f5_38;
+    int64_t f4f9_38 = f4 * (int64_t) f9_38;
+    int64_t f5f5_38 = f5 * (int64_t) f5_38;
     int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
     int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
     int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
     int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
-    int64_t f6f6_19 = f6   * (int64_t) f6_19;
-    int64_t f6f7_38 = f6   * (int64_t) f7_38;
+    int64_t f6f6_19 = f6 * (int64_t) f6_19;
+    int64_t f6f7_38 = f6 * (int64_t) f7_38;
     int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
-    int64_t f6f9_38 = f6   * (int64_t) f9_38;
-    int64_t f7f7_38 = f7   * (int64_t) f7_38;
+    int64_t f6f9_38 = f6 * (int64_t) f9_38;
+    int64_t f7f7_38 = f7 * (int64_t) f7_38;
     int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
     int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
-    int64_t f8f8_19 = f8   * (int64_t) f8_19;
-    int64_t f8f9_38 = f8   * (int64_t) f9_38;
-    int64_t f9f9_38 = f9   * (int64_t) f9_38;
-    int64_t h0 = f0f0  +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38;
-    int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38;
-    int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19;
-    int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38;
-    int64_t h4 = f0f4_2+f1f3_4 +f2f2   +f5f9_76+f6f8_38+f7f7_38;
-    int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38;
-    int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19;
-    int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38;
-    int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4   +f9f9_38;
-    int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2;
+    int64_t f8f8_19 = f8 * (int64_t) f8_19;
+    int64_t f8f9_38 = f8 * (int64_t) f9_38;
+    int64_t f9f9_38 = f9 * (int64_t) f9_38;
+    int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
+    int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
+    int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
+    int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
+    int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
+    int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
+    int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
+    int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
+    int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
+    int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
     int64_t carry0;
     int64_t carry1;
     int64_t carry2;
@@ -963,24 +1104,48 @@ void fe_sq2(fe h,const fe f)
     h8 += h8;
     h9 += h9;
-    carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26);
-    carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26);
-    carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * ((uint64_t) 1L << 25);
-    carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25);
-    carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26);
-    carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26);
-    carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25);
-    carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25);
-    carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26);
-    carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * ((uint64_t) 1L << 26);
-    carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25);
-    carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26);
+    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
+    h1 += carry0;
+    h0 -= carry0 * ((uint64_t) 1L << 26);
+    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
+    h5 += carry4;
+    h4 -= carry4 * ((uint64_t) 1L << 26);
+    carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
+    h2 += carry1;
+    h1 -= carry1 * ((uint64_t) 1L << 25);
+    carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
+    h6 += carry5;
+    h5 -= carry5 * ((uint64_t) 1L << 25);
+    carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
+    h3 += carry2;
+    h2 -= carry2 * ((uint64_t) 1L << 26);
+    carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
+    h7 += carry6;
+    h6 -= carry6 * ((uint64_t) 1L << 26);
+    carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
+    h4 += carry3;
+    h3 -= carry3 * ((uint64_t) 1L << 25);
+    carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
+    h8 += carry7;
+    h7 -= carry7 * ((uint64_t) 1L << 25);
+    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
+    h5 += carry4;
+    h4 -= carry4 * ((uint64_t) 1L << 26);
+    carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
+    h9 += carry8;
+    h8 -= carry8 * ((uint64_t) 1L << 26);
+    carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
+    h0 += carry9 * 19;
+    h9 -= carry9 * ((uint64_t) 1L << 25);
+    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
+    h1 += carry0;
+    h0 -= carry0 * ((uint64_t) 1L << 26);
     h[0] = (int32_t) h0;
     h[1] = (int32_t) h1;
@@ -994,12 +1159,13 @@ void fe_sq2(fe h,const fe f)
     h[9] = (int32_t) h9;
 }
-void fe_invert(fe out,const fe z)
+void
+fe_invert(fe out, const fe z)
 {
-    fe t0;
-    fe t1;
-    fe t2;
-    fe t3;
+    fe  t0;
+    fe  t1;
+    fe  t2;
+    fe  t3;
     int i;
     fe_sq(t0, z);
@@ -1051,11 +1217,12 @@ void fe_invert(fe out,const fe z)
     fe_mul(out, t1, t0);
 }
-void fe_pow22523(fe out,const fe z)
+void
+fe_pow22523(fe out, const fe z)
 {
-    fe t0;
-    fe t1;
-    fe t2;
+    fe  t0;
+    fe  t1;
+    fe  t2;
     int i;
     fe_sq(t0, z);
@@ -1117,7 +1284,8 @@ void fe_pow22523(fe out,const fe z)
  |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  */
-void fe_sub(fe h,const fe f,const fe g)
+void
+fe_sub(fe h, const fe f, const fe g)
 {
     int32_t f0 = f[0];
     int32_t f1 = f[1];
@@ -1139,6 +1307,7 @@ void fe_sub(fe h,const fe f,const fe g)
     int32_t g7 = g[7];
     int32_t g8 = g[8];
     int32_t g9 = g[9];
     int32_t h0 = f0 - g0;
     int32_t h1 = f1 - g1;
     int32_t h2 = f2 - g2;
@@ -1149,6 +1318,7 @@ void fe_sub(fe h,const fe f,const fe g)
     int32_t h7 = f7 - g7;
     int32_t h8 = f8 - g8;
     int32_t h9 = f9 - g9;
     h[0] = h0;
     h[1] = h1;
     h[2] = h2;
@@ -1165,7 +1335,8 @@ void fe_sub(fe h,const fe f,const fe g)
  r = p + q
  */
-void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
+void
+ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
 {
     fe t0;
@@ -1182,53 +1353,63 @@ void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
     fe_sub(r->T, t0, r->T);
 }
-static void slide(signed char *r,const unsigned char *a)
+static void
+slide(signed char *r, const unsigned char *a)
 {
     int i;
     int b;
     int k;
+    int ribs;
+    int cmp;
-    for (i = 0;i < 256;++i)
+    for (i = 0; i < 256; ++i) {
         r[i] = 1 & (a[i >> 3] >> (i & 7));
-    for (i = 0;i < 256;++i)
+    }
+    for (i = 0; i < 256; ++i) {
         if (r[i]) {
-            for (b = 1;b <= 6 && i + b < 256;++b) {
+            for (b = 1; b <= 6 && i + b < 256; ++b) {
                 if (r[i + b]) {
-                    if (r[i] + (r[i + b] << b) <= 15) {
-                        r[i] += r[i + b] << b; r[i + b] = 0;
-                    } else if (r[i] - (r[i + b] << b) >= -15) {
-                        r[i] -= r[i + b] << b;
-                        for (k = i + b;k < 256;++k) {
-                            if (!r[k]) {
-                                r[k] = 1;
-                                break;
+                    ribs = r[i + b] << b;
+                    cmp = r[i] + ribs;
+                    if (cmp <= 15) {
+                        r[i] = cmp;
+                        r[i + b] = 0;
+                    } else {
+                        cmp = r[i] - ribs;
+                        if (cmp >= -15) {
+                            r[i] = cmp;
+                            for (k = i + b; k < 256; ++k) {
+                                if (!r[k]) {
+                                    r[k] = 1;
+                                    break;
+                                }
+                                r[k] = 0;
                             }
-                            r[k] = 0;
+                        } else {
+                            break;
                         }
-                    } else
-                        break;
+                    }
                 }
             }
         }
+    }
 }
 static const ge_precomp Bi[8] = {
 #include "base2.h"
 };
-/* 37095705934669439343138083508754565189542113879843219016388785533085940283555 */
-static const fe d = {
-    -10913610,13857413,-15372611,6949391,114729,-8787816,-6275908,-3247719,-18696448,-12055116
-};
+/* 37095705934669439343138083508754565189542113879843219016388785533085940283555
+ */
+static const fe d = { -10913610, 13857413, -15372611, 6949391,   114729,
+                      -8787816,  -6275908, -3247719,  -18696448, -12055116 };
 /* sqrt(-1) */
-static const fe sqrtm1 = {
-    -32595792,-7943725,9377950,3500415,12389472,-272473,-25146209,-2005654,326686,11406482
-};
+static const fe sqrtm1 = { -32595792, -7943725,  9377950,  3500415, 12389472,
+                           -272473,   -25146209, -2005654, 326686,  11406482 };
-int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
+int
+ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s)
 {
     fe u;
     fe v;
@@ -1236,38 +1417,38 @@ int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
     fe vxx;
     fe check;
-    fe_frombytes(h->Y,s);
+    fe_frombytes(h->Y, s);
     fe_1(h->Z);
-    fe_sq(u,h->Y);
-    fe_mul(v,u,d);
-    fe_sub(u,u,h->Z);       /* u = y^2-1 */
-    fe_add(v,v,h->Z);       /* v = dy^2+1 */
-    fe_sq(v3,v);
-    fe_mul(v3,v3,v);        /* v3 = v^3 */
-    fe_sq(h->X,v3);
-    fe_mul(h->X,h->X,v);
-    fe_mul(h->X,h->X,u);    /* x = uv^7 */
-    fe_pow22523(h->X,h->X); /* x = (uv^7)^((q-5)/8) */
-    fe_mul(h->X,h->X,v3);
-    fe_mul(h->X,h->X,u);    /* x = uv^3(uv^7)^((q-5)/8) */
-    fe_sq(vxx,h->X);
-    fe_mul(vxx,vxx,v);
-    fe_sub(check,vxx,u);    /* vx^2-u */
+    fe_sq(u, h->Y);
+    fe_mul(v, u, d);
+    fe_sub(u, u, h->Z); /* u = y^2-1 */
+    fe_add(v, v, h->Z); /* v = dy^2+1 */
+    fe_sq(v3, v);
+    fe_mul(v3, v3, v); /* v3 = v^3 */
+    fe_sq(h->X, v3);
+    fe_mul(h->X, h->X, v);
+    fe_mul(h->X, h->X, u); /* x = uv^7 */
+    fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
+    fe_mul(h->X, h->X, v3);
+    fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
+    fe_sq(vxx, h->X);
+    fe_mul(vxx, vxx, v);
+    fe_sub(check, vxx, u); /* vx^2-u */
     if (fe_isnonzero(check)) {
-        fe_add(check,vxx,u);  /* vx^2+u */
+        fe_add(check, vxx, u); /* vx^2+u */
         if (fe_isnonzero(check)) {
             return -1;
         }
-        fe_mul(h->X,h->X,sqrtm1);
+        fe_mul(h->X, h->X, sqrtm1);
     }
     if (fe_isnegative(h->X) == (s[31] >> 7)) {
-        fe_neg(h->X,h->X);
+        fe_neg(h->X, h->X);
     }
-    fe_mul(h->T,h->X,h->Y);
+    fe_mul(h->T, h->X, h->Y);
     return 0;
 }
@@ -1276,7 +1457,8 @@ int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
  r = p + q
  */
-void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
+void
+ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
 {
     fe t0;
@@ -1296,7 +1478,8 @@ void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
  r = p - q
  */
-void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
+void
+ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
 {
     fe t0;
@@ -1316,26 +1499,29 @@ void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
  r = p
  */
-extern void ge_p1p1_to_p2(ge_p2 *r,const ge_p1p1 *p)
+extern void
+ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p)
 {
-    fe_mul(r->X,p->X,p->T);
-    fe_mul(r->Y,p->Y,p->Z);
-    fe_mul(r->Z,p->Z,p->T);
+    fe_mul(r->X, p->X, p->T);
+    fe_mul(r->Y, p->Y, p->Z);
+    fe_mul(r->Z, p->Z, p->T);
 }
 /*
  r = p
  */
-extern void ge_p1p1_to_p3(ge_p3 *r,const ge_p1p1 *p)
+extern void
+ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p)
 {
-    fe_mul(r->X,p->X,p->T);
-    fe_mul(r->Y,p->Y,p->Z);
-    fe_mul(r->Z,p->Z,p->T);
-    fe_mul(r->T,p->X,p->Y);
+    fe_mul(r->X, p->X, p->T);
+    fe_mul(r->Y, p->Y, p->Z);
+    fe_mul(r->Z, p->Z, p->T);
+    fe_mul(r->T, p->X, p->Y);
 }
-void ge_p2_0(ge_p2 *h)
+void
+ge_p2_0(ge_p2 *h)
 {
     fe_0(h->X);
     fe_1(h->Y);
@@ -1346,7 +1532,8 @@ void ge_p2_0(ge_p2 *h)
  r = 2 * p
  */
-void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p)
+void
+ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p)
 {
     fe t0;
@@ -1361,7 +1548,8 @@ void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p)
     fe_sub(r->T, r->T, r->Z);
 }
-void ge_p3_0(ge_p3 *h)
+void
+ge_p3_0(ge_p3 *h)
 {
     fe_0(h->X);
     fe_1(h->Y);
@@ -1373,40 +1561,44 @@ void ge_p3_0(ge_p3 *h)
  r = p
  */
-/* 2 * d = 16295367250680780974490674513165176452449235426866156013048779062215315747161 */
-static const fe d2 = {
-    -21827239,-5839606,-30745221,13898782,229458,15978800,-12551817,-6495438,29715968,9444199
-};
+/* 2 * d =
+ * 16295367250680780974490674513165176452449235426866156013048779062215315747161
+ */
+static const fe d2 = { -21827239, -5839606,  -30745221, 13898782, 229458,
+                       15978800,  -12551817, -6495438,  29715968, 9444199 };
-extern void ge_p3_to_cached(ge_cached *r,const ge_p3 *p)
+extern void
+ge_p3_to_cached(ge_cached *r, const ge_p3 *p)
 {
-    fe_add(r->YplusX,p->Y,p->X);
-    fe_sub(r->YminusX,p->Y,p->X);
-    fe_copy(r->Z,p->Z);
-    fe_mul(r->T2d,p->T,d2);
+    fe_add(r->YplusX, p->Y, p->X);
+    fe_sub(r->YminusX, p->Y, p->X);
+    fe_copy(r->Z, p->Z);
+    fe_mul(r->T2d, p->T, d2);
 }
 /*
  r = p
  */
-extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p)
+extern void
+ge_p3_to_p2(ge_p2 *r, const ge_p3 *p)
 {
-    fe_copy(r->X,p->X);
-    fe_copy(r->Y,p->Y);
-    fe_copy(r->Z,p->Z);
+    fe_copy(r->X, p->X);
+    fe_copy(r->Y, p->Y);
+    fe_copy(r->Z, p->Z);
 }
-void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
+void
+ge_p3_tobytes(unsigned char *s, const ge_p3 *h)
 {
     fe recip;
     fe x;
     fe y;
-    fe_invert(recip,h->Z);
-    fe_mul(x,h->X,recip);
-    fe_mul(y,h->Y,recip);
-    fe_tobytes(s,y);
+    fe_invert(recip, h->Z);
+    fe_mul(x, h->X, recip);
+    fe_mul(y, h->Y, recip);
+    fe_tobytes(s, y);
     s[31] ^= fe_isnegative(x) << 7;
 }
@@ -1414,45 +1606,53 @@ void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
  r = 2 * p
  */
-void ge_p3_dbl(ge_p1p1 *r,const ge_p3 *p)
+void
+ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p)
 {
     ge_p2 q;
-    ge_p3_to_p2(&q,p);
-    ge_p2_dbl(r,&q);
+    ge_p3_to_p2(&q, p);
+    ge_p2_dbl(r, &q);
 }
-void ge_precomp_0(ge_precomp *h)
+void
+ge_precomp_0(ge_precomp *h)
 {
     fe_1(h->yplusx);
     fe_1(h->yminusx);
     fe_0(h->xy2d);
 }
-static unsigned char equal(signed char b,signed char c)
+static unsigned char
+equal(signed char b, signed char c)
 {
     unsigned char ub = b;
     unsigned char uc = c;
-    unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */
-    uint32_t y = x; /* 0: yes; 1..255: no */
-    y -= 1; /* 4294967295: yes; 0..254: no */
+    unsigned char x  = ub ^ uc; /* 0: yes; 1..255: no */
+    uint32_t      y  = x;       /* 0: yes; 1..255: no */
+    y -= 1;   /* 4294967295: yes; 0..254: no */
     y >>= 31; /* 1: yes; 0: no */
     return y;
 }
-static unsigned char negative(signed char b)
+static unsigned char
+negative(signed char b)
 {
-    uint64_t x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
+    uint64_t x =
+        b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
     x >>= 63; /* 1: yes; 0: no */
     return x;
 }
-static void cmov(ge_precomp *t,const ge_precomp *u,unsigned char b)
+static void
+cmov(ge_precomp *t, const ge_precomp *u, unsigned char b)
 {
-    fe_cmov(t->yplusx,u->yplusx,b);
-    fe_cmov(t->yminusx,u->yminusx,b);
-    fe_cmov(t->xy2d,u->xy2d,b);
+    fe_cmov(t->yplusx, u->yplusx, b);
+    fe_cmov(t->yminusx, u->yminusx, b);
+    fe_cmov(t->xy2d, u->xy2d, b);
 }
 /* base[i][j] = (j+1)*256^i*B */
@@ -1460,32 +1660,34 @@ static const ge_precomp base[32][8] = {
 #include "base.h"
 };
-static void ge_select(ge_precomp *t,int pos,signed char b)
+static void
+ge_select(ge_precomp *t, int pos, signed char b)
 {
-    ge_precomp minust;
+    ge_precomp    minust;
     unsigned char bnegative = negative(b);
-    unsigned char babs = b - (((-bnegative) & b) * ((signed char) 1 << 1));
+    unsigned char babs      = b - (((-bnegative) & b) * ((signed char) 1 << 1));
     ge_precomp_0(t);
-    cmov(t,&base[pos][0],equal(babs,1));
-    cmov(t,&base[pos][1],equal(babs,2));
-    cmov(t,&base[pos][2],equal(babs,3));
-    cmov(t,&base[pos][3],equal(babs,4));
-    cmov(t,&base[pos][4],equal(babs,5));
-    cmov(t,&base[pos][5],equal(babs,6));
-    cmov(t,&base[pos][6],equal(babs,7));
-    cmov(t,&base[pos][7],equal(babs,8));
-    fe_copy(minust.yplusx,t->yminusx);
-    fe_copy(minust.yminusx,t->yplusx);
-    fe_neg(minust.xy2d,t->xy2d);
-    cmov(t,&minust,bnegative);
+    cmov(t, &base[pos][0], equal(babs, 1));
+    cmov(t, &base[pos][1], equal(babs, 2));
+    cmov(t, &base[pos][2], equal(babs, 3));
+    cmov(t, &base[pos][3], equal(babs, 4));
+    cmov(t, &base[pos][4], equal(babs, 5));
+    cmov(t, &base[pos][5], equal(babs, 6));
+    cmov(t, &base[pos][6], equal(babs, 7));
+    cmov(t, &base[pos][7], equal(babs, 8));
+    fe_copy(minust.yplusx, t->yminusx);
+    fe_copy(minust.yminusx, t->yplusx);
+    fe_neg(minust.xy2d, t->xy2d);
+    cmov(t, &minust, bnegative);
 }
 /*
  r = p - q
  */
-void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
+void
+ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
 {
     fe t0;
@@ -1502,16 +1704,17 @@ void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
     fe_add(r->T, t0, r->T);
 }
-void ge_tobytes(unsigned char *s,const ge_p2 *h)
+void
+ge_tobytes(unsigned char *s, const ge_p2 *h)
 {
     fe recip;
     fe x;
     fe y;
-    fe_invert(recip,h->Z);
-    fe_mul(x,h->X,recip);
-    fe_mul(y,h->Y,recip);
-    fe_tobytes(s,y);
+    fe_invert(recip, h->Z);
+    fe_mul(x, h->X, recip);
+    fe_mul(y, h->Y, recip);
+    fe_tobytes(s, y);
     s[31] ^= fe_isnegative(x) << 7;
 }
@@ -1531,110 +1734,146 @@ void ge_tobytes(unsigned char *s,const ge_p2 *h)
  B is the Ed25519 base point (x,4/5) with x positive.
  */
-void ge_double_scalarmult_vartime(ge_p2 *r,const unsigned char *a,const ge_p3 *A,const unsigned char *b)
+void
+ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A,
+                             const unsigned char *b)
 {
     signed char aslide[256];
     signed char bslide[256];
-    ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
-    ge_p1p1 t;
-    ge_p3 u;
-    ge_p3 A2;
-    int i;
-    slide(aslide,a);
-    slide(bslide,b);
-    ge_p3_to_cached(&Ai[0],A);
-    ge_p3_dbl(&t,A); ge_p1p1_to_p3(&A2,&t);
-    ge_add(&t,&A2,&Ai[0]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[1],&u);
-    ge_add(&t,&A2,&Ai[1]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[2],&u);
-    ge_add(&t,&A2,&Ai[2]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[3],&u);
-    ge_add(&t,&A2,&Ai[3]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[4],&u);
-    ge_add(&t,&A2,&Ai[4]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[5],&u);
-    ge_add(&t,&A2,&Ai[5]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[6],&u);
-    ge_add(&t,&A2,&Ai[6]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[7],&u);
+    ge_cached   Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
+    ge_p1p1     t;
+    ge_p3       u;
+    ge_p3       A2;
+    int         i;
+    slide(aslide, a);
+    slide(bslide, b);
+    ge_p3_to_cached(&Ai[0], A);
+    ge_p3_dbl(&t, A);
+    ge_p1p1_to_p3(&A2, &t);
+    ge_add(&t, &A2, &Ai[0]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[1], &u);
+    ge_add(&t, &A2, &Ai[1]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[2], &u);
+    ge_add(&t, &A2, &Ai[2]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[3], &u);
+    ge_add(&t, &A2, &Ai[3]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[4], &u);
+    ge_add(&t, &A2, &Ai[4]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[5], &u);
+    ge_add(&t, &A2, &Ai[5]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[6], &u);
+    ge_add(&t, &A2, &Ai[6]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[7], &u);
     ge_p2_0(r);
-    for (i = 255;i >= 0;--i) {
-        if (aslide[i] || bslide[i]) break;
+    for (i = 255; i >= 0; --i) {
+        if (aslide[i] || bslide[i])
+            break;
     }
-    for (;i >= 0;--i) {
-        ge_p2_dbl(&t,r);
+    for (; i >= 0; --i) {
+        ge_p2_dbl(&t, r);
         if (aslide[i] > 0) {
-            ge_p1p1_to_p3(&u,&t);
-            ge_add(&t,&u,&Ai[aslide[i]/2]);
+            ge_p1p1_to_p3(&u, &t);
+            ge_add(&t, &u, &Ai[aslide[i] / 2]);
         } else if (aslide[i] < 0) {
-            ge_p1p1_to_p3(&u,&t);
-            ge_sub(&t,&u,&Ai[(-aslide[i])/2]);
+            ge_p1p1_to_p3(&u, &t);
+            ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
         }
         if (bslide[i] > 0) {
-            ge_p1p1_to_p3(&u,&t);
-            ge_madd(&t,&u,&Bi[bslide[i]/2]);
+            ge_p1p1_to_p3(&u, &t);
+            ge_madd(&t, &u, &Bi[bslide[i] / 2]);
         } else if (bslide[i] < 0) {
-            ge_p1p1_to_p3(&u,&t);
-            ge_msub(&t,&u,&Bi[(-bslide[i])/2]);
+            ge_p1p1_to_p3(&u, &t);
+            ge_msub(&t, &u, &Bi[(-bslide[i]) / 2]);
         }
-        ge_p1p1_to_p2(r,&t);
+        ge_p1p1_to_p2(r, &t);
     }
 }
-void ge_scalarmult_vartime(ge_p3 *r,const unsigned char *a,const ge_p3 *A)
+void
+ge_scalarmult_vartime(ge_p3 *r, const unsigned char *a, const ge_p3 *A)
 {
     signed char aslide[256];
-    ge_cached Ai[8];
-    ge_p1p1 t;
-    ge_p3 u;
-    ge_p3 A2;
-    int i;
-    slide(aslide,a);
-    ge_p3_to_cached(&Ai[0],A);
-    ge_p3_dbl(&t,A); ge_p1p1_to_p3(&A2,&t);
-    ge_add(&t,&A2,&Ai[0]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[1],&u);
-    ge_add(&t,&A2,&Ai[1]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[2],&u);
-    ge_add(&t,&A2,&Ai[2]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[3],&u);
-    ge_add(&t,&A2,&Ai[3]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[4],&u);
-    ge_add(&t,&A2,&Ai[4]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[5],&u);
-    ge_add(&t,&A2,&Ai[5]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[6],&u);
-    ge_add(&t,&A2,&Ai[6]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[7],&u);
+    ge_cached   Ai[8];
+    ge_p1p1     t;
+    ge_p3       u;
+    ge_p3       A2;
+    int         i;
+    slide(aslide, a);
+    ge_p3_to_cached(&Ai[0], A);
+    ge_p3_dbl(&t, A);
+    ge_p1p1_to_p3(&A2, &t);
+    ge_add(&t, &A2, &Ai[0]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[1], &u);
+    ge_add(&t, &A2, &Ai[1]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[2], &u);
+    ge_add(&t, &A2, &Ai[2]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[3], &u);
+    ge_add(&t, &A2, &Ai[3]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[4], &u);
+    ge_add(&t, &A2, &Ai[4]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[5], &u);
+    ge_add(&t, &A2, &Ai[5]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[6], &u);
+    ge_add(&t, &A2, &Ai[6]);
+    ge_p1p1_to_p3(&u, &t);
+    ge_p3_to_cached(&Ai[7], &u);
     ge_p3_0(r);
-    for (i = 255;i >= 0;--i) {
-        if (aslide[i]) break;
+    for (i = 255; i >= 0; --i) {
+        if (aslide[i])
+            break;
     }
-    for (;i >= 0;--i) {
-        ge_p3_dbl(&t,r);
+    for (; i >= 0; --i) {
+        ge_p3_dbl(&t, r);
         if (aslide[i] > 0) {
-            ge_p1p1_to_p3(&u,&t);
-            ge_add(&t,&u,&Ai[aslide[i]/2]);
+            ge_p1p1_to_p3(&u, &t);
+            ge_add(&t, &u, &Ai[aslide[i] / 2]);
         } else if (aslide[i] < 0) {
-            ge_p1p1_to_p3(&u,&t);
-            ge_sub(&t,&u,&Ai[(-aslide[i])/2]);
+            ge_p1p1_to_p3(&u, &t);
+            ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
         }
-        ge_p1p1_to_p3(r,&t);
+        ge_p1p1_to_p3(r, &t);
     }
 }
-void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
+void
+ge_scalarmult_base(ge_p3 *h, const unsigned char *a)
 {
     signed char e[64];
     signed char carry;
-    ge_p1p1 r;
-    ge_p2 s;
-    ge_precomp t;
-    int i;
+    ge_p1p1     r;
+    ge_p2       s;
+    ge_precomp  t;
+    int         i;
-    for (i = 0;i < 32;++i) {
+    for (i = 0; i < 32; ++i) {
         e[2 * i + 0] = (a[i] >> 0) & 15;
         e[2 * i + 1] = (a[i] >> 4) & 15;
     }
@@ -1642,7 +1881,7 @@ void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
     /* e[63] is between 0 and 7 */
     carry = 0;
-    for (i = 0;i < 63;++i) {
+    for (i = 0; i < 63; ++i) {
         e[i] += carry;
         carry = e[i] + 8;
         carry >>= 4;
@@ -1652,19 +1891,25 @@ void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
     /* each e[i] is between -8 and 8 */
     ge_p3_0(h);
-    for (i = 1;i < 64;i += 2) {
-        ge_select(&t,i / 2,e[i]);
-        ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
+    for (i = 1; i < 64; i += 2) {
+        ge_select(&t, i / 2, e[i]);
+        ge_madd(&r, h, &t);
+        ge_p1p1_to_p3(h, &r);
     }
-    ge_p3_dbl(&r,h);  ge_p1p1_to_p2(&s,&r);
-    ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
-    ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
-    ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r);
-    for (i = 0;i < 64;i += 2) {
-        ge_select(&t,i / 2,e[i]);
-        ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
+    ge_p3_dbl(&r, h);
+    ge_p1p1_to_p2(&s, &r);
+    ge_p2_dbl(&r, &s);
+    ge_p1p1_to_p2(&s, &r);
+    ge_p2_dbl(&r, &s);
+    ge_p1p1_to_p2(&s, &r);
+    ge_p2_dbl(&r, &s);
+    ge_p1p1_to_p3(h, &r);
+    for (i = 0; i < 64; i += 2) {
+        ge_select(&t, i / 2, e[i]);
+        ge_madd(&r, h, &t);
+        ge_p1p1_to_p3(h, &r);
     }
 }
@@ -1679,44 +1924,49 @@ void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
  where l = 2^252 + 27742317777372353535851937790883648493.
  */
-void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,const unsigned char *c)
+void
+sc_muladd(unsigned char *s, const unsigned char *a, const unsigned char *b,
+          const unsigned char *c)
 {
-    int64_t a0 = 2097151 & load_3(a);
-    int64_t a1 = 2097151 & (load_4(a + 2) >> 5);
-    int64_t a2 = 2097151 & (load_3(a + 5) >> 2);
-    int64_t a3 = 2097151 & (load_4(a + 7) >> 7);
-    int64_t a4 = 2097151 & (load_4(a + 10) >> 4);
-    int64_t a5 = 2097151 & (load_3(a + 13) >> 1);
-    int64_t a6 = 2097151 & (load_4(a + 15) >> 6);
-    int64_t a7 = 2097151 & (load_3(a + 18) >> 3);
-    int64_t a8 = 2097151 & load_3(a + 21);
-    int64_t a9 = 2097151 & (load_4(a + 23) >> 5);
+    int64_t a0  = 2097151 & load_3(a);
+    int64_t a1  = 2097151 & (load_4(a + 2) >> 5);
+    int64_t a2  = 2097151 & (load_3(a + 5) >> 2);
+    int64_t a3  = 2097151 & (load_4(a + 7) >> 7);
+    int64_t a4  = 2097151 & (load_4(a + 10) >> 4);
+    int64_t a5  = 2097151 & (load_3(a + 13) >> 1);
+    int64_t a6  = 2097151 & (load_4(a + 15) >> 6);
+    int64_t a7  = 2097151 & (load_3(a + 18) >> 3);
+    int64_t a8  = 2097151 & load_3(a + 21);
+    int64_t a9  = 2097151 & (load_4(a + 23) >> 5);
     int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
     int64_t a11 = (load_4(a + 28) >> 7);
-    int64_t b0 = 2097151 & load_3(b);
-    int64_t b1 = 2097151 & (load_4(b + 2) >> 5);
-    int64_t b2 = 2097151 & (load_3(b + 5) >> 2);
-    int64_t b3 = 2097151 & (load_4(b + 7) >> 7);
-    int64_t b4 = 2097151 & (load_4(b + 10) >> 4);
-    int64_t b5 = 2097151 & (load_3(b + 13) >> 1);
-    int64_t b6 = 2097151 & (load_4(b + 15) >> 6);
-    int64_t b7 = 2097151 & (load_3(b + 18) >> 3);
-    int64_t b8 = 2097151 & load_3(b + 21);
-    int64_t b9 = 2097151 & (load_4(b + 23) >> 5);
+    int64_t b0  = 2097151 & load_3(b);
+    int64_t b1  = 2097151 & (load_4(b + 2) >> 5);
+    int64_t b2  = 2097151 & (load_3(b + 5) >> 2);
+    int64_t b3  = 2097151 & (load_4(b + 7) >> 7);
+    int64_t b4  = 2097151 & (load_4(b + 10) >> 4);
+    int64_t b5  = 2097151 & (load_3(b + 13) >> 1);
+    int64_t b6  = 2097151 & (load_4(b + 15) >> 6);
+    int64_t b7  = 2097151 & (load_3(b + 18) >> 3);
+    int64_t b8  = 2097151 & load_3(b + 21);
+    int64_t b9  = 2097151 & (load_4(b + 23) >> 5);
     int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
     int64_t b11 = (load_4(b + 28) >> 7);
-    int64_t c0 = 2097151 & load_3(c);
-    int64_t c1 = 2097151 & (load_4(c + 2) >> 5);
-    int64_t c2 = 2097151 & (load_3(c + 5) >> 2);
-    int64_t c3 = 2097151 & (load_4(c + 7) >> 7);
-    int64_t c4 = 2097151 & (load_4(c + 10) >> 4);
-    int64_t c5 = 2097151 & (load_3(c + 13) >> 1);
-    int64_t c6 = 2097151 & (load_4(c + 15) >> 6);
-    int64_t c7 = 2097151 & (load_3(c + 18) >> 3);
-    int64_t c8 = 2097151 & load_3(c + 21);
-    int64_t c9 = 2097151 & (load_4(c + 23) >> 5);
+    int64_t c0  = 2097151 & load_3(c);
+    int64_t c1  = 2097151 & (load_4(c + 2) >> 5);
+    int64_t c2  = 2097151 & (load_3(c + 5) >> 2);
+    int64_t c3  = 2097151 & (load_4(c + 7) >> 7);
+    int64_t c4  = 2097151 & (load_4(c + 10) >> 4);
+    int64_t c5  = 2097151 & (load_3(c + 13) >> 1);
+    int64_t c6  = 2097151 & (load_4(c + 15) >> 6);
+    int64_t c7  = 2097151 & (load_3(c + 18) >> 3);
+    int64_t c8  = 2097151 & load_3(c + 21);
+    int64_t c9  = 2097151 & (load_4(c + 23) >> 5);
     int64_t c10 = 2097151 & (load_3(c + 26) >> 2);
     int64_t c11 = (load_4(c + 28) >> 7);
     int64_t s0;
     int64_t s1;
     int64_t s2;
@@ -1741,6 +1991,7 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
     int64_t s21;
     int64_t s22;
     int64_t s23;
     int64_t carry0;
     int64_t carry1;
     int64_t carry2;
@@ -1765,55 +2016,112 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
     int64_t carry21;
     int64_t carry22;
-    s0 = c0 + a0*b0;
-    s1 = c1 + a0*b1 + a1*b0;
-    s2 = c2 + a0*b2 + a1*b1 + a2*b0;
-    s3 = c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0;
-    s4 = c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0;
-    s5 = c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0;
-    s6 = c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0;
-    s7 = c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0;
-    s8 = c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0;
-    s9 = c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0;
-    s10 = c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0;
-    s11 = c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0;
-    s12 = a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1;
-    s13 = a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2;
-    s14 = a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3;
-    s15 = a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4;
-    s16 = a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5;
-    s17 = a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6;
-    s18 = a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7;
-    s19 = a8*b11 + a9*b10 + a10*b9 + a11*b8;
-    s20 = a9*b11 + a10*b10 + a11*b9;
-    s21 = a10*b11 + a11*b10;
-    s22 = a11*b11;
+    s0 = c0 + a0 * b0;
+    s1 = c1 + a0 * b1 + a1 * b0;
+    s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
+    s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
+    s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
+    s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
+    s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 +
+         a6 * b0;
+    s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 +
+         a6 * b1 + a7 * b0;
+    s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 +
+         a6 * b2 + a7 * b1 + a8 * b0;
+    s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 +
+         a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
+    s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 +
+          a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
+    s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 +
+          a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
+    s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 +
+          a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
+    s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 +
+          a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
+    s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 +
+          a9 * b5 + a10 * b4 + a11 * b3;
+    s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 +
+          a10 * b5 + a11 * b4;
+    s16 =
+        a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
+    s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
+    s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
+    s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
+    s20 = a9 * b11 + a10 * b10 + a11 * b9;
+    s21 = a10 * b11 + a11 * b10;
+    s22 = a11 * b11;
     s23 = 0;
-    carry0 = (s0 + (int64_t) (1L << 20)) >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry2 = (s2 + (int64_t) (1L << 20)) >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry4 = (s4 + (int64_t) (1L << 20)) >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry12 = (s12 + (int64_t) (1L << 20)) >> 21; s13 += carry12; s12 -= carry12 * ((uint64_t) 1L << 21);
-    carry14 = (s14 + (int64_t) (1L << 20)) >> 21; s15 += carry14; s14 -= carry14 * ((uint64_t) 1L << 21);
-    carry16 = (s16 + (int64_t) (1L << 20)) >> 21; s17 += carry16; s16 -= carry16 * ((uint64_t) 1L << 21);
-    carry18 = (s18 + (int64_t) (1L << 20)) >> 21; s19 += carry18; s18 -= carry18 * ((uint64_t) 1L << 21);
-    carry20 = (s20 + (int64_t) (1L << 20)) >> 21; s21 += carry20; s20 -= carry20 * ((uint64_t) 1L << 21);
-    carry22 = (s22 + (int64_t) (1L << 20)) >> 21; s23 += carry22; s22 -= carry22 * ((uint64_t) 1L << 21);
-    carry1 = (s1 + (int64_t) (1L << 20)) >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry3 = (s3 + (int64_t) (1L << 20)) >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry5 = (s5 + (int64_t) (1L << 20)) >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21);
-    carry13 = (s13 + (int64_t) (1L << 20)) >> 21; s14 += carry13; s13 -= carry13 * ((uint64_t) 1L << 21);
-    carry15 = (s15 + (int64_t) (1L << 20)) >> 21; s16 += carry15; s15 -= carry15 * ((uint64_t) 1L << 21);
-    carry17 = (s17 + (int64_t) (1L << 20)) >> 21; s18 += carry17; s17 -= carry17 * ((uint64_t) 1L << 21);
-    carry19 = (s19 + (int64_t) (1L << 20)) >> 21; s20 += carry19; s19 -= carry19 * ((uint64_t) 1L << 21);
-    carry21 = (s21 + (int64_t) (1L << 20)) >> 21; s22 += carry21; s21 -= carry21 * ((uint64_t) 1L << 21);
+    carry0 = (s0 + (int64_t)(1L << 20)) >> 21;
+    s1 += carry0;
+    s0 -= carry0 * ((uint64_t) 1L << 21);
+    carry2 = (s2 + (int64_t)(1L << 20)) >> 21;
+    s3 += carry2;
+    s2 -= carry2 * ((uint64_t) 1L << 21);
+    carry4 = (s4 + (int64_t)(1L << 20)) >> 21;
+    s5 += carry4;
+    s4 -= carry4 * ((uint64_t) 1L << 21);
+    carry6 = (s6 + (int64_t)(1L << 20)) >> 21;
+    s7 += carry6;
+    s6 -= carry6 * ((uint64_t) 1L << 21);
+    carry8 = (s8 + (int64_t)(1L << 20)) >> 21;
+    s9 += carry8;
+    s8 -= carry8 * ((uint64_t) 1L << 21);
+    carry10 = (s10 + (int64_t)(1L << 20)) >> 21;
+    s11 += carry10;
+    s10 -= carry10 * ((uint64_t) 1L << 21);
+    carry12 = (s12 + (int64_t)(1L << 20)) >> 21;
+    s13 += carry12;
+    s12 -= carry12 * ((uint64_t) 1L << 21);
+    carry14 = (s14 + (int64_t)(1L << 20)) >> 21;
+    s15 += carry14;
+    s14 -= carry14 * ((uint64_t) 1L << 21);
+    carry16 = (s16 + (int64_t)(1L << 20)) >> 21;
+    s17 += carry16;
+    s16 -= carry16 * ((uint64_t) 1L << 21);
+    carry18 = (s18 + (int64_t)(1L << 20)) >> 21;
+    s19 += carry18;
+    s18 -= carry18 * ((uint64_t) 1L << 21);
+    carry20 = (s20 + (int64_t)(1L << 20)) >> 21;
+    s21 += carry20;
+    s20 -= carry20 * ((uint64_t) 1L << 21);
+    carry22 = (s22 + (int64_t)(1L << 20)) >> 21;
+    s23 += carry22;
+    s22 -= carry22 * ((uint64_t) 1L << 21);
+    carry1 = (s1 + (int64_t)(1L << 20)) >> 21;
+    s2 += carry1;
+    s1 -= carry1 * ((uint64_t) 1L << 21);
+    carry3 = (s3 + (int64_t)(1L << 20)) >> 21;
+    s4 += carry3;
+    s3 -= carry3 * ((uint64_t) 1L << 21);
+    carry5 = (s5 + (int64_t)(1L << 20)) >> 21;
+    s6 += carry5;
+    s5 -= carry5 * ((uint64_t) 1L << 21);
+    carry7 = (s7 + (int64_t)(1L << 20)) >> 21;
+    s8 += carry7;
+    s7 -= carry7 * ((uint64_t) 1L << 21);
+    carry9 = (s9 + (int64_t)(1L << 20)) >> 21;
+    s10 += carry9;
+    s9 -= carry9 * ((uint64_t) 1L << 21);
+    carry11 = (s11 + (int64_t)(1L << 20)) >> 21;
+    s12 += carry11;
+    s11 -= carry11 * ((uint64_t) 1L << 21);
+    carry13 = (s13 + (int64_t)(1L << 20)) >> 21;
+    s14 += carry13;
+    s13 -= carry13 * ((uint64_t) 1L << 21);
+    carry15 = (s15 + (int64_t)(1L << 20)) >> 21;
+    s16 += carry15;
+    s15 -= carry15 * ((uint64_t) 1L << 21);
+    carry17 = (s17 + (int64_t)(1L << 20)) >> 21;
+    s18 += carry17;
+    s17 -= carry17 * ((uint64_t) 1L << 21);
+    carry19 = (s19 + (int64_t)(1L << 20)) >> 21;
+    s20 += carry19;
+    s19 -= carry19 * ((uint64_t) 1L << 21);
+    carry21 = (s21 + (int64_t)(1L << 20)) >> 21;
+    s22 += carry21;
+    s21 -= carry21 * ((uint64_t) 1L << 21);
     s11 += s23 * 666643;
     s12 += s23 * 470296;
@@ -1857,18 +2165,40 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
     s10 += s18 * 136657;
     s11 -= s18 * 683901;
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry12 = (s12 + (int64_t) (1L << 20)) >> 21; s13 += carry12; s12 -= carry12 * ((uint64_t) 1L << 21);
-    carry14 = (s14 + (int64_t) (1L << 20)) >> 21; s15 += carry14; s14 -= carry14 * ((uint64_t) 1L << 21);
-    carry16 = (s16 + (int64_t) (1L << 20)) >> 21; s17 += carry16; s16 -= carry16 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21);
-    carry13 = (s13 + (int64_t) (1L << 20)) >> 21; s14 += carry13; s13 -= carry13 * ((uint64_t) 1L << 21);
-    carry15 = (s15 + (int64_t) (1L << 20)) >> 21; s16 += carry15; s15 -= carry15 * ((uint64_t) 1L << 21);
+    carry6 = (s6 + (int64_t)(1L << 20)) >> 21;
+    s7 += carry6;
+    s6 -= carry6 * ((uint64_t) 1L << 21);
+    carry8 = (s8 + (int64_t)(1L << 20)) >> 21;
+    s9 += carry8;
+    s8 -= carry8 * ((uint64_t) 1L << 21);
+    carry10 = (s10 + (int64_t)(1L << 20)) >> 21;
+    s11 += carry10;
+    s10 -= carry10 * ((uint64_t) 1L << 21);
+    carry12 = (s12 + (int64_t)(1L << 20)) >> 21;
+    s13 += carry12;
+    s12 -= carry12 * ((uint64_t) 1L << 21);
+    carry14 = (s14 + (int64_t)(1L << 20)) >> 21;
+    s15 += carry14;
+    s14 -= carry14 * ((uint64_t) 1L << 21);
+    carry16 = (s16 + (int64_t)(1L << 20)) >> 21;
+    s17 += carry16;
+    s16 -= carry16 * ((uint64_t) 1L << 21);
+    carry7 = (s7 + (int64_t)(1L << 20)) >> 21;
+    s8 += carry7;
+    s7 -= carry7 * ((uint64_t) 1L << 21);
+    carry9 = (s9 + (int64_t)(1L << 20)) >> 21;
+    s10 += carry9;
+    s9 -= carry9 * ((uint64_t) 1L << 21);
+    carry11 = (s11 + (int64_t)(1L << 20)) >> 21;
+    s12 += carry11;
+    s11 -= carry11 * ((uint64_t) 1L << 21);
+    carry13 = (s13 + (int64_t)(1L << 20)) >> 21;
+    s14 += carry13;
+    s13 -= carry13 * ((uint64_t) 1L << 21);
+    carry15 = (s15 + (int64_t)(1L << 20)) >> 21;
+    s16 += carry15;
+    s15 -= carry15 * ((uint64_t) 1L << 21);
     s5 += s17 * 666643;
     s6 += s17 * 470296;
@@ -1913,19 +2243,43 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
     s5 -= s12 * 683901;
     s12 = 0;
-    carry0 = (s0 + (int64_t) (1L << 20)) >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry2 = (s2 + (int64_t) (1L << 20)) >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry4 = (s4 + (int64_t) (1L << 20)) >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry1 = (s1 + (int64_t) (1L << 20)) >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry3 = (s3 + (int64_t) (1L << 20)) >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry5 = (s5 + (int64_t) (1L << 20)) >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21);
+    carry0 = (s0 + (int64_t)(1L << 20)) >> 21;
+    s1 += carry0;
+    s0 -= carry0 * ((uint64_t) 1L << 21);
+    carry2 = (s2 + (int64_t)(1L << 20)) >> 21;
+    s3 += carry2;
+    s2 -= carry2 * ((uint64_t) 1L << 21);
+    carry4 = (s4 + (int64_t)(1L << 20)) >> 21;
+    s5 += carry4;
+    s4 -= carry4 * ((uint64_t) 1L << 21);
+    carry6 = (s6 + (int64_t)(1L << 20)) >> 21;
+    s7 += carry6;
+    s6 -= carry6 * ((uint64_t) 1L << 21);
+    carry8 = (s8 + (int64_t)(1L << 20)) >> 21;
+    s9 += carry8;
+    s8 -= carry8 * ((uint64_t) 1L << 21);
+    carry10 = (s10 + (int64_t)(1L << 20)) >> 21;
+    s11 += carry10;
+    s10 -= carry10 * ((uint64_t) 1L << 21);
+    carry1 = (s1 + (int64_t)(1L << 20)) >> 21;
+    s2 += carry1;
+    s1 -= carry1 * ((uint64_t) 1L << 21);
+    carry3 = (s3 + (int64_t)(1L << 20)) >> 21;
+    s4 += carry3;
+    s3 -= carry3 * ((uint64_t) 1L << 21);
+    carry5 = (s5 + (int64_t)(1L << 20)) >> 21;
+    s6 += carry5;
+    s5 -= carry5 * ((uint64_t) 1L << 21);
+    carry7 = (s7 + (int64_t)(1L << 20)) >> 21;
+    s8 += carry7;
+    s7 -= carry7 * ((uint64_t) 1L << 21);
+    carry9 = (s9 + (int64_t)(1L << 20)) >> 21;
+    s10 += carry9;
+    s9 -= carry9 * ((uint64_t) 1L << 21);
+    carry11 = (s11 + (int64_t)(1L << 20)) >> 21;
+    s12 += carry11;
+    s11 -= carry11 * ((uint64_t) 1L << 21);
     s0 += s12 * 666643;
     s1 += s12 * 470296;
@@ -1935,18 +2289,42 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
     s5 -= s12 * 683901;
     s12 = 0;
-    carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21);
+    carry0 = s0 >> 21;
+    s1 += carry0;
+    s0 -= carry0 * ((uint64_t) 1L << 21);
+    carry1 = s1 >> 21;
+    s2 += carry1;
+    s1 -= carry1 * ((uint64_t) 1L << 21);
+    carry2 = s2 >> 21;
+    s3 += carry2;
+    s2 -= carry2 * ((uint64_t) 1L << 21);
+    carry3 = s3 >> 21;
+    s4 += carry3;
+    s3 -= carry3 * ((uint64_t) 1L << 21);
+    carry4 = s4 >> 21;
+    s5 += carry4;
+    s4 -= carry4 * ((uint64_t) 1L << 21);
+    carry5 = s5 >> 21;
+    s6 += carry5;
+    s5 -= carry5 * ((uint64_t) 1L << 21);
+    carry6 = s6 >> 21;
+    s7 += carry6;
+    s6 -= carry6 * ((uint64_t) 1L << 21);
+    carry7 = s7 >> 21;
+    s8 += carry7;
+    s7 -= carry7 * ((uint64_t) 1L << 21);
+    carry8 = s8 >> 21;
+    s9 += carry8;
+    s8 -= carry8 * ((uint64_t) 1L << 21);
+    carry9 = s9 >> 21;
+    s10 += carry9;
+    s9 -= carry9 * ((uint64_t) 1L << 21);
+    carry10 = s10 >> 21;
+    s11 += carry10;
+    s10 -= carry10 * ((uint64_t) 1L << 21);
+    carry11 = s11 >> 21;
+    s12 += carry11;
+    s11 -= carry11 * ((uint64_t) 1L << 21);
     s0 += s12 * 666643;
     s1 += s12 * 470296;
@@ -1955,28 +2333,50 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
     s4 += s12 * 136657;
     s5 -= s12 * 683901;
-    carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
-    s[0] = s0 >> 0;
-    s[1] = s0 >> 8;
-    s[2] = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
-    s[3] = s1 >> 3;
-    s[4] = s1 >> 11;
-    s[5] = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
-    s[6] = s2 >> 6;
-    s[7] = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
-    s[8] = s3 >> 1;
-    s[9] = s3 >> 9;
+    carry0 = s0 >> 21;
+    s1 += carry0;
+    s0 -= carry0 * ((uint64_t) 1L << 21);
+    carry1 = s1 >> 21;
+    s2 += carry1;
+    s1 -= carry1 * ((uint64_t) 1L << 21);
+    carry2 = s2 >> 21;
+    s3 += carry2;
+    s2 -= carry2 * ((uint64_t) 1L << 21);
+    carry3 = s3 >> 21;
+    s4 += carry3;
+    s3 -= carry3 * ((uint64_t) 1L << 21);
+    carry4 = s4 >> 21;
+    s5 += carry4;
+    s4 -= carry4 * ((uint64_t) 1L << 21);
+    carry5 = s5 >> 21;
+    s6 += carry5;
+    s5 -= carry5 * ((uint64_t) 1L << 21);
+    carry6 = s6 >> 21;
+    s7 += carry6;
+    s6 -= carry6 * ((uint64_t) 1L << 21);
+    carry7 = s7 >> 21;
+    s8 += carry7;
+    s7 -= carry7 * ((uint64_t) 1L << 21);
+    carry8 = s8 >> 21;
+    s9 += carry8;
+    s8 -= carry8 * ((uint64_t) 1L << 21);
+    carry9 = s9 >> 21;
+    s10 += carry9;
+    s9 -= carry9 * ((uint64_t) 1L << 21);
+    carry10 = s10 >> 21;
+    s11 += carry10;
+    s10 -= carry10 * ((uint64_t) 1L << 21);
+    s[0]  = s0 >> 0;
+    s[1]  = s0 >> 8;
+    s[2]  = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
+    s[3]  = s1 >> 3;
+    s[4]  = s1 >> 11;
+    s[5]  = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
+    s[6]  = s2 >> 6;
+    s[7]  = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
+    s[8]  = s3 >> 1;
+    s[9]  = s3 >> 9;
     s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4));
     s[11] = s4 >> 4;
     s[12] = s4 >> 12;
@@ -2011,18 +2411,19 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
  Overwrites s in place.
  */
-void sc_reduce(unsigned char *s)
+void
+sc_reduce(unsigned char *s)
 {
-    int64_t s0 = 2097151 & load_3(s);
-    int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
-    int64_t s2 = 2097151 & (load_3(s + 5) >> 2);
-    int64_t s3 = 2097151 & (load_4(s + 7) >> 7);
-    int64_t s4 = 2097151 & (load_4(s + 10) >> 4);
-    int64_t s5 = 2097151 & (load_3(s + 13) >> 1);
-    int64_t s6 = 2097151 & (load_4(s + 15) >> 6);
-    int64_t s7 = 2097151 & (load_3(s + 18) >> 3);
-    int64_t s8 = 2097151 & load_3(s + 21);
-    int64_t s9 = 2097151 & (load_4(s + 23) >> 5);
+    int64_t s0  = 2097151 & load_3(s);
+    int64_t s1  = 2097151 & (load_4(s + 2) >> 5);
+    int64_t s2  = 2097151 & (load_3(s + 5) >> 2);
+    int64_t s3  = 2097151 & (load_4(s + 7) >> 7);
+    int64_t s4  = 2097151 & (load_4(s + 10) >> 4);
+    int64_t s5  = 2097151 & (load_3(s + 13) >> 1);
+    int64_t s6  = 2097151 & (load_4(s + 15) >> 6);
+    int64_t s7  = 2097151 & (load_3(s + 18) >> 3);
+    int64_t s8  = 2097151 & load_3(s + 21);
+    int64_t s9  = 2097151 & (load_4(s + 23) >> 5);
     int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
     int64_t s11 = 2097151 & (load_4(s + 28) >> 7);
     int64_t s12 = 2097151 & (load_4(s + 31) >> 4);
@@ -2037,6 +2438,7 @@ void sc_reduce(unsigned char *s)
     int64_t s21 = 2097151 & (load_3(s + 55) >> 1);
     int64_t s22 = 2097151 & (load_4(s + 57) >> 6);
     int64_t s23 = (load_4(s + 60) >> 3);
     int64_t carry0;
     int64_t carry1;
     int64_t carry2;
@@ -2097,18 +2499,40 @@ void sc_reduce(unsigned char *s)
     s10 += s18 * 136657;
     s11 -= s18 * 683901;
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry12 = (s12 + (int64_t) (1L << 20)) >> 21; s13 += carry12; s12 -= carry12 * ((uint64_t) 1L << 21);
-    carry14 = (s14 + (int64_t) (1L << 20)) >> 21; s15 += carry14; s14 -= carry14 * ((uint64_t) 1L << 21);
-    carry16 = (s16 + (int64_t) (1L << 20)) >> 21; s17 += carry16; s16 -= carry16 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21);
-    carry13 = (s13 + (int64_t) (1L << 20)) >> 21; s14 += carry13; s13 -= carry13 * ((uint64_t) 1L << 21);
-    carry15 = (s15 + (int64_t) (1L << 20)) >> 21; s16 += carry15; s15 -= carry15 * ((uint64_t) 1L << 21);
+    carry6 = (s6 + (int64_t)(1L << 20)) >> 21;
+    s7 += carry6;
+    s6 -= carry6 * ((uint64_t) 1L << 21);
+    carry8 = (s8 + (int64_t)(1L << 20)) >> 21;
+    s9 += carry8;
+    s8 -= carry8 * ((uint64_t) 1L << 21);
+    carry10 = (s10 + (int64_t)(1L << 20)) >> 21;
+    s11 += carry10;
+    s10 -= carry10 * ((uint64_t) 1L << 21);
+    carry12 = (s12 + (int64_t)(1L << 20)) >> 21;
+    s13 += carry12;
+    s12 -= carry12 * ((uint64_t) 1L << 21);
+    carry14 = (s14 + (int64_t)(1L << 20)) >> 21;
+    s15 += carry14;
+    s14 -= carry14 * ((uint64_t) 1L << 21);
+    carry16 = (s16 + (int64_t)(1L << 20)) >> 21;
+    s17 += carry16;
+    s16 -= carry16 * ((uint64_t) 1L << 21);
+    carry7 = (s7 + (int64_t)(1L << 20)) >> 21;
+    s8 += carry7;
+    s7 -= carry7 * ((uint64_t) 1L << 21);
+    carry9 = (s9 + (int64_t)(1L << 20)) >> 21;
+    s10 += carry9;
+    s9 -= carry9 * ((uint64_t) 1L << 21);
+    carry11 = (s11 + (int64_t)(1L << 20)) >> 21;
+    s12 += carry11;
+    s11 -= carry11 * ((uint64_t) 1L << 21);
+    carry13 = (s13 + (int64_t)(1L << 20)) >> 21;
+    s14 += carry13;
+    s13 -= carry13 * ((uint64_t) 1L << 21);
+    carry15 = (s15 + (int64_t)(1L << 20)) >> 21;
+    s16 += carry15;
+    s15 -= carry15 * ((uint64_t) 1L << 21);
     s5 += s17 * 666643;
     s6 += s17 * 470296;
@@ -2153,19 +2577,43 @@ void sc_reduce(unsigned char *s)
     s5 -= s12 * 683901;
     s12 = 0;
-    carry0 = (s0 + (int64_t) (1L << 20)) >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry2 = (s2 + (int64_t) (1L << 20)) >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry4 = (s4 + (int64_t) (1L << 20)) >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry1 = (s1 + (int64_t) (1L << 20)) >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry3 = (s3 + (int64_t) (1L << 20)) >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry5 = (s5 + (int64_t) (1L << 20)) >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21);
+    carry0 = (s0 + (int64_t)(1L << 20)) >> 21;
+    s1 += carry0;
+    s0 -= carry0 * ((uint64_t) 1L << 21);
+    carry2 = (s2 + (int64_t)(1L << 20)) >> 21;
+    s3 += carry2;
+    s2 -= carry2 * ((uint64_t) 1L << 21);
+    carry4 = (s4 + (int64_t)(1L << 20)) >> 21;
+    s5 += carry4;
+    s4 -= carry4 * ((uint64_t) 1L << 21);
+    carry6 = (s6 + (int64_t)(1L << 20)) >> 21;
+    s7 += carry6;
+    s6 -= carry6 * ((uint64_t) 1L << 21);
+    carry8 = (s8 + (int64_t)(1L << 20)) >> 21;
+    s9 += carry8;
+    s8 -= carry8 * ((uint64_t) 1L << 21);
+    carry10 = (s10 + (int64_t)(1L << 20)) >> 21;
+    s11 += carry10;
+    s10 -= carry10 * ((uint64_t) 1L << 21);
+    carry1 = (s1 + (int64_t)(1L << 20)) >> 21;
+    s2 += carry1;
+    s1 -= carry1 * ((uint64_t) 1L << 21);
+    carry3 = (s3 + (int64_t)(1L << 20)) >> 21;
+    s4 += carry3;
+    s3 -= carry3 * ((uint64_t) 1L << 21);
+    carry5 = (s5 + (int64_t)(1L << 20)) >> 21;
+    s6 += carry5;
+    s5 -= carry5 * ((uint64_t) 1L << 21);
+    carry7 = (s7 + (int64_t)(1L << 20)) >> 21;
+    s8 += carry7;
+    s7 -= carry7 * ((uint64_t) 1L << 21);
+    carry9 = (s9 + (int64_t)(1L << 20)) >> 21;
+    s10 += carry9;
+    s9 -= carry9 * ((uint64_t) 1L << 21);
+    carry11 = (s11 + (int64_t)(1L << 20)) >> 21;
+    s12 += carry11;
+    s11 -= carry11 * ((uint64_t) 1L << 21);
     s0 += s12 * 666643;
     s1 += s12 * 470296;
@@ -2175,18 +2623,42 @@ void sc_reduce(unsigned char *s)
     s5 -= s12 * 683901;
     s12 = 0;
-    carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21);
+    carry0 = s0 >> 21;
+    s1 += carry0;
+    s0 -= carry0 * ((uint64_t) 1L << 21);
+    carry1 = s1 >> 21;
+    s2 += carry1;
+    s1 -= carry1 * ((uint64_t) 1L << 21);
+    carry2 = s2 >> 21;
+    s3 += carry2;
+    s2 -= carry2 * ((uint64_t) 1L << 21);
+    carry3 = s3 >> 21;
+    s4 += carry3;
+    s3 -= carry3 * ((uint64_t) 1L << 21);
+    carry4 = s4 >> 21;
+    s5 += carry4;
+    s4 -= carry4 * ((uint64_t) 1L << 21);
+    carry5 = s5 >> 21;
+    s6 += carry5;
+    s5 -= carry5 * ((uint64_t) 1L << 21);
+    carry6 = s6 >> 21;
+    s7 += carry6;
+    s6 -= carry6 * ((uint64_t) 1L << 21);
+    carry7 = s7 >> 21;
+    s8 += carry7;
+    s7 -= carry7 * ((uint64_t) 1L << 21);
+    carry8 = s8 >> 21;
+    s9 += carry8;
+    s8 -= carry8 * ((uint64_t) 1L << 21);
+    carry9 = s9 >> 21;
+    s10 += carry9;
+    s9 -= carry9 * ((uint64_t) 1L << 21);
+    carry10 = s10 >> 21;
+    s11 += carry10;
+    s10 -= carry10 * ((uint64_t) 1L << 21);
+    carry11 = s11 >> 21;
+    s12 += carry11;
+    s11 -= carry11 * ((uint64_t) 1L << 21);
     s0 += s12 * 666643;
     s1 += s12 * 470296;
@@ -2195,28 +2667,50 @@ void sc_reduce(unsigned char *s)
     s4 += s12 * 136657;
     s5 -= s12 * 683901;
-    carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
-    s[0] = s0 >> 0;
-    s[1] = s0 >> 8;
-    s[2] = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
-    s[3] = s1 >> 3;
-    s[4] = s1 >> 11;
-    s[5] = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
-    s[6] = s2 >> 6;
-    s[7] = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
-    s[8] = s3 >> 1;
-    s[9] = s3 >> 9;
+    carry0 = s0 >> 21;
+    s1 += carry0;
+    s0 -= carry0 * ((uint64_t) 1L << 21);
+    carry1 = s1 >> 21;
+    s2 += carry1;
+    s1 -= carry1 * ((uint64_t) 1L << 21);
+    carry2 = s2 >> 21;
+    s3 += carry2;
+    s2 -= carry2 * ((uint64_t) 1L << 21);
+    carry3 = s3 >> 21;
+    s4 += carry3;
+    s3 -= carry3 * ((uint64_t) 1L << 21);
+    carry4 = s4 >> 21;
+    s5 += carry4;
+    s4 -= carry4 * ((uint64_t) 1L << 21);
+    carry5 = s5 >> 21;
+    s6 += carry5;
+    s5 -= carry5 * ((uint64_t) 1L << 21);
+    carry6 = s6 >> 21;
+    s7 += carry6;
+    s6 -= carry6 * ((uint64_t) 1L << 21);
+    carry7 = s7 >> 21;
+    s8 += carry7;
+    s7 -= carry7 * ((uint64_t) 1L << 21);
+    carry8 = s8 >> 21;
+    s9 += carry8;
+    s8 -= carry8 * ((uint64_t) 1L << 21);
+    carry9 = s9 >> 21;
+    s10 += carry9;
+    s9 -= carry9 * ((uint64_t) 1L << 21);
+    carry10 = s10 >> 21;
+    s11 += carry10;
+    s10 -= carry10 * ((uint64_t) 1L << 21);
+    s[0]  = s0 >> 0;
+    s[1]  = s0 >> 8;
+    s[2]  = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
+    s[3]  = s1 >> 3;
+    s[4]  = s1 >> 11;
+    s[5]  = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
+    s[6]  = s2 >> 6;
+    s[7]  = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
+    s[8]  = s3 >> 1;
+    s[9]  = s3 >> 9;
     s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4));
     s[11] = s4 >> 4;
     s[12] = s4 >> 12;