rbnacl-libsodium 1.0.15.1 → 1.0.16

Files changed (157) hide show
  1. checksums.yaml +4 -4
  2. data/.travis.yml +4 -6
  3. data/CHANGES.md +50 -42
  4. data/Gemfile +1 -1
  5. data/README.md +3 -1
  6. data/Rakefile +46 -0
  7. data/ext/rbnacl/extconf.rb +16 -1
  8. data/lib/rbnacl/libsodium.rb +16 -8
  9. data/lib/rbnacl/libsodium/version.rb +1 -1
  10. data/rbnacl-libsodium.gemspec +3 -0
  11. data/vendor/libsodium/AUTHORS +20 -5
  12. data/vendor/libsodium/ChangeLog +25 -0
  13. data/vendor/libsodium/Makefile.in +3 -1
  14. data/vendor/libsodium/README.markdown +2 -1
  15. data/vendor/libsodium/aclocal.m4 +1 -0
  16. data/vendor/libsodium/autom4te.cache/output.1 +836 -123
  17. data/vendor/libsodium/autom4te.cache/output.4 +21342 -0
  18. data/vendor/libsodium/autom4te.cache/requests +801 -554
  19. data/vendor/libsodium/autom4te.cache/traces.1 +717 -596
  20. data/vendor/libsodium/autom4te.cache/traces.4 +4355 -0
  21. data/vendor/libsodium/builds/Makefile.in +3 -1
  22. data/vendor/libsodium/builds/msvc/resource.h +1 -1
  23. data/vendor/libsodium/builds/msvc/resource.rc +2 -2
  24. data/vendor/libsodium/builds/msvc/version.h +2 -2
  25. data/vendor/libsodium/builds/msvc/vs2010/libsodium/libsodium.vcxproj +17 -8
  26. data/vendor/libsodium/builds/msvc/vs2010/libsodium/libsodium.vcxproj.filters +60 -24
  27. data/vendor/libsodium/builds/msvc/vs2012/libsodium/libsodium.vcxproj +17 -8
  28. data/vendor/libsodium/builds/msvc/vs2012/libsodium/libsodium.vcxproj.filters +60 -24
  29. data/vendor/libsodium/builds/msvc/vs2013/libsodium/libsodium.vcxproj +17 -8
  30. data/vendor/libsodium/builds/msvc/vs2013/libsodium/libsodium.vcxproj.filters +60 -24
  31. data/vendor/libsodium/builds/msvc/vs2015/libsodium/libsodium.vcxproj +17 -8
  32. data/vendor/libsodium/builds/msvc/vs2015/libsodium/libsodium.vcxproj.filters +60 -24
  33. data/vendor/libsodium/builds/msvc/vs2017/libsodium/libsodium.vcxproj +17 -8
  34. data/vendor/libsodium/builds/msvc/vs2017/libsodium/libsodium.vcxproj.filters +60 -24
  35. data/vendor/libsodium/configure +834 -121
  36. data/vendor/libsodium/configure.ac +55 -13
  37. data/vendor/libsodium/contrib/Findsodium.cmake +22 -3
  38. data/vendor/libsodium/contrib/Makefile.in +3 -1
  39. data/vendor/libsodium/dist-build/Makefile.in +3 -1
  40. data/vendor/libsodium/dist-build/android-build.sh +2 -2
  41. data/vendor/libsodium/dist-build/emscripten-symbols.def +38 -26
  42. data/vendor/libsodium/dist-build/emscripten.sh +23 -8
  43. data/vendor/libsodium/dist-build/msys2-win32.sh +1 -1
  44. data/vendor/libsodium/dist-build/msys2-win64.sh +1 -1
  45. data/vendor/libsodium/libsodium.vcxproj +17 -8
  46. data/vendor/libsodium/libsodium.vcxproj.filters +41 -14
  47. data/vendor/libsodium/m4/ax_tls.m4 +74 -0
  48. data/vendor/libsodium/msvc-scripts/Makefile.in +3 -1
  49. data/vendor/libsodium/msvc-scripts/process.bat +2 -2
  50. data/vendor/libsodium/packaging/dotnet-core/README.md +5 -5
  51. data/vendor/libsodium/packaging/dotnet-core/prepare.py +7 -7
  52. data/vendor/libsodium/packaging/nuget/package.config +1 -1
  53. data/vendor/libsodium/regen-msvc/libsodium.vcxproj +326 -0
  54. data/vendor/libsodium/regen-msvc/libsodium.vcxproj.filters +23 -0
  55. data/vendor/libsodium/regen-msvc/libsodium.vcxproj.filters.tpl +35 -0
  56. data/vendor/libsodium/regen-msvc/libsodium.vcxproj.tpl +93 -0
  57. data/vendor/libsodium/regen-msvc/regen-msvc.py +136 -0
  58. data/vendor/libsodium/regen-msvc/tl_libsodium.vcxproj.filters.tpl +23 -0
  59. data/vendor/libsodium/regen-msvc/tl_libsodium.vcxproj.tpl +331 -0
  60. data/vendor/libsodium/src/Makefile.in +3 -1
  61. data/vendor/libsodium/src/libsodium/Makefile.am +40 -24
  62. data/vendor/libsodium/src/libsodium/Makefile.in +238 -180
  63. data/vendor/libsodium/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c +10 -2
  64. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/core_ed25519.c +79 -0
  65. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c +2031 -0
  66. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_25_5/base.h +1344 -0
  67. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_25_5/base2.h +40 -0
  68. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_25_5/constants.h +20 -0
  69. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_25_5/fe.h +220 -0
  70. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_51/base.h +1344 -0
  71. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_51/base2.h +40 -0
  72. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_51/constants.h +21 -0
  73. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_51/fe.h +116 -0
  74. data/vendor/libsodium/src/libsodium/crypto_generichash/blake2b/ref/blake2.h +1 -1
  75. data/vendor/libsodium/src/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-ref.c +2 -1
  76. data/vendor/libsodium/src/libsodium/crypto_generichash/blake2b/ref/blake2b-ref.c +14 -82
  77. data/vendor/libsodium/src/libsodium/crypto_generichash/blake2b/ref/generichash_blake2b.c +1 -0
  78. data/vendor/libsodium/src/libsodium/crypto_hash/sha256/cp/hash_sha256_cp.c +3 -3
  79. data/vendor/libsodium/src/libsodium/crypto_hash/sha512/cp/hash_sha512_cp.c +3 -3
  80. data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna64.h +1 -7
  81. data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.c +1 -0
  82. data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c +0 -6
  83. data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.c +19 -92
  84. data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.h +72 -4
  85. data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.c +5 -1
  86. data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.h +1 -1
  87. data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c +10 -7
  88. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c +108 -231
  89. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.h +1 -1
  90. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/curve25519_sandy2x.c +27 -27
  91. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_invert.c +2 -1
  92. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe_frombytes_sandy2x.c +6 -3
  93. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/scalarmult_curve25519.c +3 -11
  94. data/vendor/libsodium/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c +86 -0
  95. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/keypair.c +28 -26
  96. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c +32 -30
  97. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/open.c +14 -115
  98. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sign.c +56 -13
  99. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/{ed25519_ref10.h → sign_ed25519_ref10.h} +2 -5
  100. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/sign_ed25519.c +1 -1
  101. data/vendor/libsodium/src/libsodium/crypto_stream/chacha20/stream_chacha20.c +1 -0
  102. data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/stream_salsa20.c +1 -0
  103. data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/xmm6int/u8.h +1 -1
  104. data/vendor/libsodium/src/libsodium/include/Makefile.am +2 -0
  105. data/vendor/libsodium/src/libsodium/include/Makefile.in +13 -9
  106. data/vendor/libsodium/src/libsodium/include/sodium.h +2 -0
  107. data/vendor/libsodium/src/libsodium/include/sodium/crypto_core_ed25519.h +37 -0
  108. data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult.h +8 -0
  109. data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult_curve25519.h +8 -0
  110. data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult_ed25519.h +41 -0
  111. data/vendor/libsodium/src/libsodium/include/sodium/private/common.h +18 -0
  112. data/vendor/libsodium/src/libsodium/include/sodium/private/ed25519_ref10.h +125 -0
  113. data/vendor/libsodium/src/libsodium/include/sodium/private/ed25519_ref10_fe_25_5.h +1050 -0
  114. data/vendor/libsodium/src/libsodium/include/sodium/private/ed25519_ref10_fe_51.h +518 -0
  115. data/vendor/libsodium/src/libsodium/include/sodium/runtime.h +3 -0
  116. data/vendor/libsodium/src/libsodium/include/sodium/utils.h +3 -0
  117. data/vendor/libsodium/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c +182 -102
  118. data/vendor/libsodium/src/libsodium/sodium/core.c +30 -2
  119. data/vendor/libsodium/src/libsodium/sodium/runtime.c +14 -0
  120. data/vendor/libsodium/src/libsodium/sodium/utils.c +46 -0
  121. data/vendor/libsodium/test/Makefile.in +3 -1
  122. data/vendor/libsodium/test/default/Makefile.am +16 -0
  123. data/vendor/libsodium/test/default/Makefile.in +71 -23
  124. data/vendor/libsodium/test/default/aead_aes256gcm.c +1 -1
  125. data/vendor/libsodium/test/default/cmptest.h +4 -0
  126. data/vendor/libsodium/test/default/core3.c +44 -4
  127. data/vendor/libsodium/test/default/core3.exp +2 -0
  128. data/vendor/libsodium/test/default/core4.c +1 -1
  129. data/vendor/libsodium/test/default/core_ed25519.c +151 -0
  130. data/vendor/libsodium/test/default/core_ed25519.exp +1 -0
  131. data/vendor/libsodium/test/default/ed25519_convert.c +9 -1
  132. data/vendor/libsodium/test/default/index.html.tpl +17 -3
  133. data/vendor/libsodium/test/default/kdf.c +4 -2
  134. data/vendor/libsodium/test/default/metamorphic.c +8 -8
  135. data/vendor/libsodium/test/default/misuse.c +29 -1
  136. data/vendor/libsodium/test/default/pwhash_argon2i.c +9 -3
  137. data/vendor/libsodium/test/default/pwhash_argon2i.exp +2 -2
  138. data/vendor/libsodium/test/default/pwhash_argon2id.c +7 -2
  139. data/vendor/libsodium/test/default/pwhash_argon2id.exp +2 -2
  140. data/vendor/libsodium/test/default/scalarmult.c +0 -2
  141. data/vendor/libsodium/test/default/scalarmult.exp +0 -1
  142. data/vendor/libsodium/test/default/scalarmult_ed25519.c +90 -0
  143. data/vendor/libsodium/test/default/scalarmult_ed25519.exp +1 -0
  144. data/vendor/libsodium/test/default/secretbox_easy2.c +1 -1
  145. data/vendor/libsodium/test/default/secretstream.c +52 -3
  146. data/vendor/libsodium/test/default/sign.c +16 -0
  147. data/vendor/libsodium/test/default/sodium_core.c +1 -0
  148. data/vendor/libsodium/test/default/sodium_utils.c +2 -1
  149. data/vendor/libsodium/test/default/xchacha20.c +2 -1
  150. metadata +63 -12
  151. data/vendor/libsodium/src/libsodium/crypto_core/curve25519/ref10/base.h +0 -1344
  152. data/vendor/libsodium/src/libsodium/crypto_core/curve25519/ref10/base2.h +0 -40
  153. data/vendor/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c +0 -2797
  154. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.c +0 -545
  155. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.h +0 -10
  156. data/vendor/libsodium/src/libsodium/include/sodium/private/curve25519_ref10.h +0 -132
  157. data/vendor/libsodium/test/default/index-wasm.html.tpl +0 -118
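--- a/data/vendor/libsodium/src/libsodium/crypto_core/curve25519/ref10/base2.h
+++ b/data/vendor/libsodium/src/libsodium/crypto_core/curve25519/ref10/base2.h
@@ -1,40 +0,0 @@
- {
- { 25967493,-14356035,29566456,3660896,-12694345,4014787,27544626,-11754271,-6079156,2047605 },
- { -12545711,934262,-2722910,3049990,-727428,9406986,12720692,5043384,19500929,-15469378 },
- { -8738181,4489570,9688441,-14785194,10184609,-12363380,29287919,11864899,-24514362,-4438546 },
- },
- {
- { 15636291,-9688557,24204773,-7912398,616977,-16685262,27787600,-14772189,28944400,-1550024 },
- { 16568933,4717097,-11556148,-1102322,15682896,-11807043,16354577,-11775962,7689662,11199574 },
- { 30464156,-5976125,-11779434,-15670865,23220365,15915852,7512774,10017326,-17749093,-9920357 },
- },
- {
- { 10861363,11473154,27284546,1981175,-30064349,12577861,32867885,14515107,-15438304,10819380 },
- { 4708026,6336745,20377586,9066809,-11272109,6594696,-25653668,12483688,-12668491,5581306 },
- { 19563160,16186464,-29386857,4097519,10237984,-4348115,28542350,13850243,-23678021,-15815942 },
- },
- {
- { 5153746,9909285,1723747,-2777874,30523605,5516873,19480852,5230134,-23952439,-15175766 },
- { -30269007,-3463509,7665486,10083793,28475525,1649722,20654025,16520125,30598449,7715701 },
- { 28881845,14381568,9657904,3680757,-20181635,7843316,-31400660,1370708,29794553,-1409300 },
- },
- {
- { -22518993,-6692182,14201702,-8745502,-23510406,8844726,18474211,-1361450,-13062696,13821877 },
- { -6455177,-7839871,3374702,-4740862,-27098617,-10571707,31655028,-7212327,18853322,-14220951 },
- { 4566830,-12963868,-28974889,-12240689,-7602672,-2830569,-8514358,-10431137,2207753,-3209784 },
- },
- {
- { -25154831,-4185821,29681144,7868801,-6854661,-9423865,-12437364,-663000,-31111463,-16132436 },
- { 25576264,-2703214,7349804,-11814844,16472782,9300885,3844789,15725684,171356,6466918 },
- { 23103977,13316479,9739013,-16149481,817875,-15038942,8965339,-14088058,-30714912,16193877 },
- },
- {
- { -33521811,3180713,-2394130,14003687,-16903474,-16270840,17238398,4729455,-18074513,9256800 },
- { -25182317,-4174131,32336398,5036987,-21236817,11360617,22616405,9761698,-19827198,630305 },
- { -13720693,2639453,-24237460,-7406481,9494427,-5774029,-6554551,-15960994,-2449256,-14291300 },
- },
- {
- { -3151181,-5046075,9282714,6866145,-31907062,-863023,-18940575,15033784,25105118,-7894876 },
- { -24326370,15950226,-31801215,-14592823,-11662737,-5090925,1573892,-2625887,2198790,-15804619 },
- { -3099351,10324967,-2241613,7453183,-5446979,-2735503,-13812022,-16236442,-32461234,-12290683 },
- },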
@@ -1,2797 +0,0 @@
1
- #include <stddef.h>
2
- #include <stdint.h>
3
- #include <string.h>
4
-
5
- #include "crypto_verify_32.h"
6
- #include "private/curve25519_ref10.h"
7
-
8
- static inline uint64_t
9
- load_3(const unsigned char *in)
10
- {
11
- uint64_t result;
12
-
13
- result = (uint64_t) in[0];
14
- result |= ((uint64_t) in[1]) << 8;
15
- result |= ((uint64_t) in[2]) << 16;
16
-
17
- return result;
18
- }
19
-
20
- static inline uint64_t
21
- load_4(const unsigned char *in)
22
- {
23
- uint64_t result;
24
-
25
- result = (uint64_t) in[0];
26
- result |= ((uint64_t) in[1]) << 8;
27
- result |= ((uint64_t) in[2]) << 16;
28
- result |= ((uint64_t) in[3]) << 24;
29
-
30
- return result;
31
- }
32
-
33
- /*
34
- h = 0
35
- */
36
-
37
- void
38
- fe_0(fe h)
39
- {
40
- memset(&h[0], 0, 10 * sizeof h[0]);
41
- }
42
-
43
- /*
44
- h = 1
45
- */
46
-
47
- void
48
- fe_1(fe h)
49
- {
50
- h[0] = 1;
51
- h[1] = 0;
52
- memset(&h[2], 0, 8 * sizeof h[0]);
53
- }
54
-
55
- /*
56
- h = f + g
57
- Can overlap h with f or g.
58
- *
59
- Preconditions:
60
- |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
61
- |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
62
- *
63
- Postconditions:
64
- |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
65
- */
66
-
67
- void
68
- fe_add(fe h, const fe f, const fe g)
69
- {
70
- int32_t f0 = f[0];
71
- int32_t f1 = f[1];
72
- int32_t f2 = f[2];
73
- int32_t f3 = f[3];
74
- int32_t f4 = f[4];
75
- int32_t f5 = f[5];
76
- int32_t f6 = f[6];
77
- int32_t f7 = f[7];
78
- int32_t f8 = f[8];
79
- int32_t f9 = f[9];
80
-
81
- int32_t g0 = g[0];
82
- int32_t g1 = g[1];
83
- int32_t g2 = g[2];
84
- int32_t g3 = g[3];
85
- int32_t g4 = g[4];
86
- int32_t g5 = g[5];
87
- int32_t g6 = g[6];
88
- int32_t g7 = g[7];
89
- int32_t g8 = g[8];
90
- int32_t g9 = g[9];
91
-
92
- int32_t h0 = f0 + g0;
93
- int32_t h1 = f1 + g1;
94
- int32_t h2 = f2 + g2;
95
- int32_t h3 = f3 + g3;
96
- int32_t h4 = f4 + g4;
97
- int32_t h5 = f5 + g5;
98
- int32_t h6 = f6 + g6;
99
- int32_t h7 = f7 + g7;
100
- int32_t h8 = f8 + g8;
101
- int32_t h9 = f9 + g9;
102
-
103
- h[0] = h0;
104
- h[1] = h1;
105
- h[2] = h2;
106
- h[3] = h3;
107
- h[4] = h4;
108
- h[5] = h5;
109
- h[6] = h6;
110
- h[7] = h7;
111
- h[8] = h8;
112
- h[9] = h9;
113
- }
114
-
115
- /*
116
- Replace (f,g) with (g,g) if b == 1;
117
- replace (f,g) with (f,g) if b == 0.
118
- *
119
- Preconditions: b in {0,1}.
120
- */
121
-
122
- static void
123
- fe_cmov(fe f, const fe g, unsigned int b)
124
- {
125
- int32_t f0 = f[0];
126
- int32_t f1 = f[1];
127
- int32_t f2 = f[2];
128
- int32_t f3 = f[3];
129
- int32_t f4 = f[4];
130
- int32_t f5 = f[5];
131
- int32_t f6 = f[6];
132
- int32_t f7 = f[7];
133
- int32_t f8 = f[8];
134
- int32_t f9 = f[9];
135
-
136
- int32_t g0 = g[0];
137
- int32_t g1 = g[1];
138
- int32_t g2 = g[2];
139
- int32_t g3 = g[3];
140
- int32_t g4 = g[4];
141
- int32_t g5 = g[5];
142
- int32_t g6 = g[6];
143
- int32_t g7 = g[7];
144
- int32_t g8 = g[8];
145
- int32_t g9 = g[9];
146
-
147
- int32_t x0 = f0 ^ g0;
148
- int32_t x1 = f1 ^ g1;
149
- int32_t x2 = f2 ^ g2;
150
- int32_t x3 = f3 ^ g3;
151
- int32_t x4 = f4 ^ g4;
152
- int32_t x5 = f5 ^ g5;
153
- int32_t x6 = f6 ^ g6;
154
- int32_t x7 = f7 ^ g7;
155
- int32_t x8 = f8 ^ g8;
156
- int32_t x9 = f9 ^ g9;
157
-
158
- b = (unsigned int) (-(int) b);
159
- x0 &= b;
160
- x1 &= b;
161
- x2 &= b;
162
- x3 &= b;
163
- x4 &= b;
164
- x5 &= b;
165
- x6 &= b;
166
- x7 &= b;
167
- x8 &= b;
168
- x9 &= b;
169
- f[0] = f0 ^ x0;
170
- f[1] = f1 ^ x1;
171
- f[2] = f2 ^ x2;
172
- f[3] = f3 ^ x3;
173
- f[4] = f4 ^ x4;
174
- f[5] = f5 ^ x5;
175
- f[6] = f6 ^ x6;
176
- f[7] = f7 ^ x7;
177
- f[8] = f8 ^ x8;
178
- f[9] = f9 ^ x9;
179
- }
180
-
181
- /*
182
- h = f
183
- */
184
-
185
- void
186
- fe_copy(fe h, const fe f)
187
- {
188
- int32_t f0 = f[0];
189
- int32_t f1 = f[1];
190
- int32_t f2 = f[2];
191
- int32_t f3 = f[3];
192
- int32_t f4 = f[4];
193
- int32_t f5 = f[5];
194
- int32_t f6 = f[6];
195
- int32_t f7 = f[7];
196
- int32_t f8 = f[8];
197
- int32_t f9 = f[9];
198
-
199
- h[0] = f0;
200
- h[1] = f1;
201
- h[2] = f2;
202
- h[3] = f3;
203
- h[4] = f4;
204
- h[5] = f5;
205
- h[6] = f6;
206
- h[7] = f7;
207
- h[8] = f8;
208
- h[9] = f9;
209
- }
210
-
211
- /*
212
- Ignores top bit of h.
213
- */
214
-
215
- void
216
- fe_frombytes(fe h, const unsigned char *s)
217
- {
218
- int64_t h0 = load_4(s);
219
- int64_t h1 = load_3(s + 4) << 6;
220
- int64_t h2 = load_3(s + 7) << 5;
221
- int64_t h3 = load_3(s + 10) << 3;
222
- int64_t h4 = load_3(s + 13) << 2;
223
- int64_t h5 = load_4(s + 16);
224
- int64_t h6 = load_3(s + 20) << 7;
225
- int64_t h7 = load_3(s + 23) << 5;
226
- int64_t h8 = load_3(s + 26) << 4;
227
- int64_t h9 = (load_3(s + 29) & 8388607) << 2;
228
-
229
- int64_t carry0;
230
- int64_t carry1;
231
- int64_t carry2;
232
- int64_t carry3;
233
- int64_t carry4;
234
- int64_t carry5;
235
- int64_t carry6;
236
- int64_t carry7;
237
- int64_t carry8;
238
- int64_t carry9;
239
-
240
- carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
241
- h0 += carry9 * 19;
242
- h9 -= carry9 * ((uint64_t) 1L << 25);
243
- carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
244
- h2 += carry1;
245
- h1 -= carry1 * ((uint64_t) 1L << 25);
246
- carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
247
- h4 += carry3;
248
- h3 -= carry3 * ((uint64_t) 1L << 25);
249
- carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
250
- h6 += carry5;
251
- h5 -= carry5 * ((uint64_t) 1L << 25);
252
- carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
253
- h8 += carry7;
254
- h7 -= carry7 * ((uint64_t) 1L << 25);
255
-
256
- carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
257
- h1 += carry0;
258
- h0 -= carry0 * ((uint64_t) 1L << 26);
259
- carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
260
- h3 += carry2;
261
- h2 -= carry2 * ((uint64_t) 1L << 26);
262
- carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
263
- h5 += carry4;
264
- h4 -= carry4 * ((uint64_t) 1L << 26);
265
- carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
266
- h7 += carry6;
267
- h6 -= carry6 * ((uint64_t) 1L << 26);
268
- carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
269
- h9 += carry8;
270
- h8 -= carry8 * ((uint64_t) 1L << 26);
271
-
272
- h[0] = (int32_t) h0;
273
- h[1] = (int32_t) h1;
274
- h[2] = (int32_t) h2;
275
- h[3] = (int32_t) h3;
276
- h[4] = (int32_t) h4;
277
- h[5] = (int32_t) h5;
278
- h[6] = (int32_t) h6;
279
- h[7] = (int32_t) h7;
280
- h[8] = (int32_t) h8;
281
- h[9] = (int32_t) h9;
282
- }
283
-
284
- /*
285
- Preconditions:
286
- |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
287
- *
288
- Write p=2^255-19; q=floor(h/p).
289
- Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
290
- *
291
- Proof:
292
- Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
293
- Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
294
- *
295
- Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
296
- Then 0<y<1.
297
- *
298
- Write r=h-pq.
299
- Have 0<=r<=p-1=2^255-20.
300
- Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
301
- *
302
- Write x=r+19(2^-255)r+y.
303
- Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
304
- *
305
- Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
306
- so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
307
- */
308
-
309
- void
310
- fe_tobytes(unsigned char *s, const fe h)
311
- {
312
- int32_t h0 = h[0];
313
- int32_t h1 = h[1];
314
- int32_t h2 = h[2];
315
- int32_t h3 = h[3];
316
- int32_t h4 = h[4];
317
- int32_t h5 = h[5];
318
- int32_t h6 = h[6];
319
- int32_t h7 = h[7];
320
- int32_t h8 = h[8];
321
- int32_t h9 = h[9];
322
-
323
- int32_t q;
324
- int32_t carry0;
325
- int32_t carry1;
326
- int32_t carry2;
327
- int32_t carry3;
328
- int32_t carry4;
329
- int32_t carry5;
330
- int32_t carry6;
331
- int32_t carry7;
332
- int32_t carry8;
333
- int32_t carry9;
334
-
335
- q = (19 * h9 + ((uint32_t) 1L << 24)) >> 25;
336
- q = (h0 + q) >> 26;
337
- q = (h1 + q) >> 25;
338
- q = (h2 + q) >> 26;
339
- q = (h3 + q) >> 25;
340
- q = (h4 + q) >> 26;
341
- q = (h5 + q) >> 25;
342
- q = (h6 + q) >> 26;
343
- q = (h7 + q) >> 25;
344
- q = (h8 + q) >> 26;
345
- q = (h9 + q) >> 25;
346
-
347
- /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
348
- h0 += 19 * q;
349
- /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
350
-
351
- carry0 = h0 >> 26;
352
- h1 += carry0;
353
- h0 -= carry0 * ((uint32_t) 1L << 26);
354
- carry1 = h1 >> 25;
355
- h2 += carry1;
356
- h1 -= carry1 * ((uint32_t) 1L << 25);
357
- carry2 = h2 >> 26;
358
- h3 += carry2;
359
- h2 -= carry2 * ((uint32_t) 1L << 26);
360
- carry3 = h3 >> 25;
361
- h4 += carry3;
362
- h3 -= carry3 * ((uint32_t) 1L << 25);
363
- carry4 = h4 >> 26;
364
- h5 += carry4;
365
- h4 -= carry4 * ((uint32_t) 1L << 26);
366
- carry5 = h5 >> 25;
367
- h6 += carry5;
368
- h5 -= carry5 * ((uint32_t) 1L << 25);
369
- carry6 = h6 >> 26;
370
- h7 += carry6;
371
- h6 -= carry6 * ((uint32_t) 1L << 26);
372
- carry7 = h7 >> 25;
373
- h8 += carry7;
374
- h7 -= carry7 * ((uint32_t) 1L << 25);
375
- carry8 = h8 >> 26;
376
- h9 += carry8;
377
- h8 -= carry8 * ((uint32_t) 1L << 26);
378
- carry9 = h9 >> 25;
379
- h9 -= carry9 * ((uint32_t) 1L << 25);
380
- /* h10 = carry9 */
381
-
382
- /*
383
- Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
384
- Have h0+...+2^230 h9 between 0 and 2^255-1;
385
- evidently 2^255 h10-2^255 q = 0.
386
- Goal: Output h0+...+2^230 h9.
387
- */
388
-
389
- s[0] = h0 >> 0;
390
- s[1] = h0 >> 8;
391
- s[2] = h0 >> 16;
392
- s[3] = (h0 >> 24) | (h1 * ((uint32_t) 1 << 2));
393
- s[4] = h1 >> 6;
394
- s[5] = h1 >> 14;
395
- s[6] = (h1 >> 22) | (h2 * ((uint32_t) 1 << 3));
396
- s[7] = h2 >> 5;
397
- s[8] = h2 >> 13;
398
- s[9] = (h2 >> 21) | (h3 * ((uint32_t) 1 << 5));
399
- s[10] = h3 >> 3;
400
- s[11] = h3 >> 11;
401
- s[12] = (h3 >> 19) | (h4 * ((uint32_t) 1 << 6));
402
- s[13] = h4 >> 2;
403
- s[14] = h4 >> 10;
404
- s[15] = h4 >> 18;
405
- s[16] = h5 >> 0;
406
- s[17] = h5 >> 8;
407
- s[18] = h5 >> 16;
408
- s[19] = (h5 >> 24) | (h6 * ((uint32_t) 1 << 1));
409
- s[20] = h6 >> 7;
410
- s[21] = h6 >> 15;
411
- s[22] = (h6 >> 23) | (h7 * ((uint32_t) 1 << 3));
412
- s[23] = h7 >> 5;
413
- s[24] = h7 >> 13;
414
- s[25] = (h7 >> 21) | (h8 * ((uint32_t) 1 << 4));
415
- s[26] = h8 >> 4;
416
- s[27] = h8 >> 12;
417
- s[28] = (h8 >> 20) | (h9 * ((uint32_t) 1 << 6));
418
- s[29] = h9 >> 2;
419
- s[30] = h9 >> 10;
420
- s[31] = h9 >> 18;
421
- }
422
-
423
- /*
424
- return 1 if f is in {1,3,5,...,q-2}
425
- return 0 if f is in {0,2,4,...,q-1}
426
- *
427
- Preconditions:
428
- |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
429
- */
430
-
431
- static int
432
- fe_isnegative(const fe f)
433
- {
434
- unsigned char s[32];
435
-
436
- fe_tobytes(s, f);
437
-
438
- return s[0] & 1;
439
- }
440
-
441
- /*
442
- return 1 if f == 0
443
- return 0 if f != 0
444
- *
445
- Preconditions:
446
- |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
447
- */
448
-
449
- static unsigned char zero[32];
450
-
451
- int
452
- fe_isnonzero(const fe f)
453
- {
454
- unsigned char s[32];
455
-
456
- fe_tobytes(s, f);
457
-
458
- return crypto_verify_32(s, zero);
459
- }
460
-
461
- /*
462
- h = f * g
463
- Can overlap h with f or g.
464
- *
465
- Preconditions:
466
- |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
467
- |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
468
- *
469
- Postconditions:
470
- |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
471
- */
472
-
473
- /*
474
- Notes on implementation strategy:
475
- *
476
- Using schoolbook multiplication.
477
- Karatsuba would save a little in some cost models.
478
- *
479
- Most multiplications by 2 and 19 are 32-bit precomputations;
480
- cheaper than 64-bit postcomputations.
481
- *
482
- There is one remaining multiplication by 19 in the carry chain;
483
- one *19 precomputation can be merged into this,
484
- but the resulting data flow is considerably less clean.
485
- *
486
- There are 12 carries below.
487
- 10 of them are 2-way parallelizable and vectorizable.
488
- Can get away with 11 carries, but then data flow is much deeper.
489
- *
490
- With tighter constraints on inputs can squeeze carries into int32.
491
- */
492
-
493
- void
494
- fe_mul(fe h, const fe f, const fe g)
495
- {
496
- int32_t f0 = f[0];
497
- int32_t f1 = f[1];
498
- int32_t f2 = f[2];
499
- int32_t f3 = f[3];
500
- int32_t f4 = f[4];
501
- int32_t f5 = f[5];
502
- int32_t f6 = f[6];
503
- int32_t f7 = f[7];
504
- int32_t f8 = f[8];
505
- int32_t f9 = f[9];
506
-
507
- int32_t g0 = g[0];
508
- int32_t g1 = g[1];
509
- int32_t g2 = g[2];
510
- int32_t g3 = g[3];
511
- int32_t g4 = g[4];
512
- int32_t g5 = g[5];
513
- int32_t g6 = g[6];
514
- int32_t g7 = g[7];
515
- int32_t g8 = g[8];
516
- int32_t g9 = g[9];
517
-
518
- int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
519
- int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
520
- int32_t g3_19 = 19 * g3;
521
- int32_t g4_19 = 19 * g4;
522
- int32_t g5_19 = 19 * g5;
523
- int32_t g6_19 = 19 * g6;
524
- int32_t g7_19 = 19 * g7;
525
- int32_t g8_19 = 19 * g8;
526
- int32_t g9_19 = 19 * g9;
527
- int32_t f1_2 = 2 * f1;
528
- int32_t f3_2 = 2 * f3;
529
- int32_t f5_2 = 2 * f5;
530
- int32_t f7_2 = 2 * f7;
531
- int32_t f9_2 = 2 * f9;
532
-
533
- int64_t f0g0 = f0 * (int64_t) g0;
534
- int64_t f0g1 = f0 * (int64_t) g1;
535
- int64_t f0g2 = f0 * (int64_t) g2;
536
- int64_t f0g3 = f0 * (int64_t) g3;
537
- int64_t f0g4 = f0 * (int64_t) g4;
538
- int64_t f0g5 = f0 * (int64_t) g5;
539
- int64_t f0g6 = f0 * (int64_t) g6;
540
- int64_t f0g7 = f0 * (int64_t) g7;
541
- int64_t f0g8 = f0 * (int64_t) g8;
542
- int64_t f0g9 = f0 * (int64_t) g9;
543
- int64_t f1g0 = f1 * (int64_t) g0;
544
- int64_t f1g1_2 = f1_2 * (int64_t) g1;
545
- int64_t f1g2 = f1 * (int64_t) g2;
546
- int64_t f1g3_2 = f1_2 * (int64_t) g3;
547
- int64_t f1g4 = f1 * (int64_t) g4;
548
- int64_t f1g5_2 = f1_2 * (int64_t) g5;
549
- int64_t f1g6 = f1 * (int64_t) g6;
550
- int64_t f1g7_2 = f1_2 * (int64_t) g7;
551
- int64_t f1g8 = f1 * (int64_t) g8;
552
- int64_t f1g9_38 = f1_2 * (int64_t) g9_19;
553
- int64_t f2g0 = f2 * (int64_t) g0;
554
- int64_t f2g1 = f2 * (int64_t) g1;
555
- int64_t f2g2 = f2 * (int64_t) g2;
556
- int64_t f2g3 = f2 * (int64_t) g3;
557
- int64_t f2g4 = f2 * (int64_t) g4;
558
- int64_t f2g5 = f2 * (int64_t) g5;
559
- int64_t f2g6 = f2 * (int64_t) g6;
560
- int64_t f2g7 = f2 * (int64_t) g7;
561
- int64_t f2g8_19 = f2 * (int64_t) g8_19;
562
- int64_t f2g9_19 = f2 * (int64_t) g9_19;
563
- int64_t f3g0 = f3 * (int64_t) g0;
564
- int64_t f3g1_2 = f3_2 * (int64_t) g1;
565
- int64_t f3g2 = f3 * (int64_t) g2;
566
- int64_t f3g3_2 = f3_2 * (int64_t) g3;
567
- int64_t f3g4 = f3 * (int64_t) g4;
568
- int64_t f3g5_2 = f3_2 * (int64_t) g5;
569
- int64_t f3g6 = f3 * (int64_t) g6;
570
- int64_t f3g7_38 = f3_2 * (int64_t) g7_19;
571
- int64_t f3g8_19 = f3 * (int64_t) g8_19;
572
- int64_t f3g9_38 = f3_2 * (int64_t) g9_19;
573
- int64_t f4g0 = f4 * (int64_t) g0;
574
- int64_t f4g1 = f4 * (int64_t) g1;
575
- int64_t f4g2 = f4 * (int64_t) g2;
576
- int64_t f4g3 = f4 * (int64_t) g3;
577
- int64_t f4g4 = f4 * (int64_t) g4;
578
- int64_t f4g5 = f4 * (int64_t) g5;
579
- int64_t f4g6_19 = f4 * (int64_t) g6_19;
580
- int64_t f4g7_19 = f4 * (int64_t) g7_19;
581
- int64_t f4g8_19 = f4 * (int64_t) g8_19;
582
- int64_t f4g9_19 = f4 * (int64_t) g9_19;
583
- int64_t f5g0 = f5 * (int64_t) g0;
584
- int64_t f5g1_2 = f5_2 * (int64_t) g1;
585
- int64_t f5g2 = f5 * (int64_t) g2;
586
- int64_t f5g3_2 = f5_2 * (int64_t) g3;
587
- int64_t f5g4 = f5 * (int64_t) g4;
588
- int64_t f5g5_38 = f5_2 * (int64_t) g5_19;
589
- int64_t f5g6_19 = f5 * (int64_t) g6_19;
590
- int64_t f5g7_38 = f5_2 * (int64_t) g7_19;
591
- int64_t f5g8_19 = f5 * (int64_t) g8_19;
592
- int64_t f5g9_38 = f5_2 * (int64_t) g9_19;
593
- int64_t f6g0 = f6 * (int64_t) g0;
594
- int64_t f6g1 = f6 * (int64_t) g1;
595
- int64_t f6g2 = f6 * (int64_t) g2;
596
- int64_t f6g3 = f6 * (int64_t) g3;
597
- int64_t f6g4_19 = f6 * (int64_t) g4_19;
598
- int64_t f6g5_19 = f6 * (int64_t) g5_19;
599
- int64_t f6g6_19 = f6 * (int64_t) g6_19;
600
- int64_t f6g7_19 = f6 * (int64_t) g7_19;
601
- int64_t f6g8_19 = f6 * (int64_t) g8_19;
602
- int64_t f6g9_19 = f6 * (int64_t) g9_19;
603
- int64_t f7g0 = f7 * (int64_t) g0;
604
- int64_t f7g1_2 = f7_2 * (int64_t) g1;
605
- int64_t f7g2 = f7 * (int64_t) g2;
606
- int64_t f7g3_38 = f7_2 * (int64_t) g3_19;
607
- int64_t f7g4_19 = f7 * (int64_t) g4_19;
608
- int64_t f7g5_38 = f7_2 * (int64_t) g5_19;
609
- int64_t f7g6_19 = f7 * (int64_t) g6_19;
610
- int64_t f7g7_38 = f7_2 * (int64_t) g7_19;
611
- int64_t f7g8_19 = f7 * (int64_t) g8_19;
612
- int64_t f7g9_38 = f7_2 * (int64_t) g9_19;
613
- int64_t f8g0 = f8 * (int64_t) g0;
614
- int64_t f8g1 = f8 * (int64_t) g1;
615
- int64_t f8g2_19 = f8 * (int64_t) g2_19;
616
- int64_t f8g3_19 = f8 * (int64_t) g3_19;
617
- int64_t f8g4_19 = f8 * (int64_t) g4_19;
618
- int64_t f8g5_19 = f8 * (int64_t) g5_19;
619
- int64_t f8g6_19 = f8 * (int64_t) g6_19;
620
- int64_t f8g7_19 = f8 * (int64_t) g7_19;
621
- int64_t f8g8_19 = f8 * (int64_t) g8_19;
622
- int64_t f8g9_19 = f8 * (int64_t) g9_19;
623
- int64_t f9g0 = f9 * (int64_t) g0;
624
- int64_t f9g1_38 = f9_2 * (int64_t) g1_19;
625
- int64_t f9g2_19 = f9 * (int64_t) g2_19;
626
- int64_t f9g3_38 = f9_2 * (int64_t) g3_19;
627
- int64_t f9g4_19 = f9 * (int64_t) g4_19;
628
- int64_t f9g5_38 = f9_2 * (int64_t) g5_19;
629
- int64_t f9g6_19 = f9 * (int64_t) g6_19;
630
- int64_t f9g7_38 = f9_2 * (int64_t) g7_19;
631
- int64_t f9g8_19 = f9 * (int64_t) g8_19;
632
- int64_t f9g9_38 = f9_2 * (int64_t) g9_19;
633
-
634
- int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 +
635
- f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38;
636
- int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 +
637
- f7g4_19 + f8g3_19 + f9g2_19;
638
- int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 +
639
- f7g5_38 + f8g4_19 + f9g3_38;
640
- int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 +
641
- f7g6_19 + f8g5_19 + f9g4_19;
642
- int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 +
643
- f7g7_38 + f8g6_19 + f9g5_38;
644
- int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 +
645
- f8g7_19 + f9g6_19;
646
- int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 +
647
- f7g9_38 + f8g8_19 + f9g7_38;
648
- int64_t h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 +
649
- f8g9_19 + f9g8_19;
650
- int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 +
651
- f8g0 + f9g9_38;
652
- int64_t h9 =
653
- f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0;
654
-
655
- int64_t carry0;
656
- int64_t carry1;
657
- int64_t carry2;
658
- int64_t carry3;
659
- int64_t carry4;
660
- int64_t carry5;
661
- int64_t carry6;
662
- int64_t carry7;
663
- int64_t carry8;
664
- int64_t carry9;
665
-
666
- /*
667
- |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
668
- i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
669
- |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
670
- i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
671
- */
672
-
673
- carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
674
- h1 += carry0;
675
- h0 -= carry0 * ((uint64_t) 1L << 26);
676
- carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
677
- h5 += carry4;
678
- h4 -= carry4 * ((uint64_t) 1L << 26);
679
- /* |h0| <= 2^25 */
680
- /* |h4| <= 2^25 */
681
- /* |h1| <= 1.71*2^59 */
682
- /* |h5| <= 1.71*2^59 */
683
-
684
- carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
685
- h2 += carry1;
686
- h1 -= carry1 * ((uint64_t) 1L << 25);
687
- carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
688
- h6 += carry5;
689
- h5 -= carry5 * ((uint64_t) 1L << 25);
690
- /* |h1| <= 2^24; from now on fits into int32 */
691
- /* |h5| <= 2^24; from now on fits into int32 */
692
- /* |h2| <= 1.41*2^60 */
693
- /* |h6| <= 1.41*2^60 */
694
-
695
- carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
696
- h3 += carry2;
697
- h2 -= carry2 * ((uint64_t) 1L << 26);
698
- carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
699
- h7 += carry6;
700
- h6 -= carry6 * ((uint64_t) 1L << 26);
701
- /* |h2| <= 2^25; from now on fits into int32 unchanged */
702
- /* |h6| <= 2^25; from now on fits into int32 unchanged */
703
- /* |h3| <= 1.71*2^59 */
704
- /* |h7| <= 1.71*2^59 */
705
-
706
- carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
707
- h4 += carry3;
708
- h3 -= carry3 * ((uint64_t) 1L << 25);
709
- carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
710
- h8 += carry7;
711
- h7 -= carry7 * ((uint64_t) 1L << 25);
712
- /* |h3| <= 2^24; from now on fits into int32 unchanged */
713
- /* |h7| <= 2^24; from now on fits into int32 unchanged */
714
- /* |h4| <= 1.72*2^34 */
715
- /* |h8| <= 1.41*2^60 */
716
-
717
- carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
718
- h5 += carry4;
719
- h4 -= carry4 * ((uint64_t) 1L << 26);
720
- carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
721
- h9 += carry8;
722
- h8 -= carry8 * ((uint64_t) 1L << 26);
723
- /* |h4| <= 2^25; from now on fits into int32 unchanged */
724
- /* |h8| <= 2^25; from now on fits into int32 unchanged */
725
- /* |h5| <= 1.01*2^24 */
726
- /* |h9| <= 1.71*2^59 */
727
-
728
- carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
729
- h0 += carry9 * 19;
730
- h9 -= carry9 * ((uint64_t) 1L << 25);
731
- /* |h9| <= 2^24; from now on fits into int32 unchanged */
732
- /* |h0| <= 1.1*2^39 */
733
-
734
- carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
735
- h1 += carry0;
736
- h0 -= carry0 * ((uint64_t) 1L << 26);
737
- /* |h0| <= 2^25; from now on fits into int32 unchanged */
738
- /* |h1| <= 1.01*2^24 */
739
-
740
- h[0] = (int32_t) h0;
741
- h[1] = (int32_t) h1;
742
- h[2] = (int32_t) h2;
743
- h[3] = (int32_t) h3;
744
- h[4] = (int32_t) h4;
745
- h[5] = (int32_t) h5;
746
- h[6] = (int32_t) h6;
747
- h[7] = (int32_t) h7;
748
- h[8] = (int32_t) h8;
749
- h[9] = (int32_t) h9;
750
- }
751
-
752
- /*
753
- h = -f
754
- *
755
- Preconditions:
756
- |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
757
- *
758
- Postconditions:
759
- |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
760
- */
761
-
762
- static void
763
- fe_neg(fe h, const fe f)
764
- {
765
- int32_t f0 = f[0];
766
- int32_t f1 = f[1];
767
- int32_t f2 = f[2];
768
- int32_t f3 = f[3];
769
- int32_t f4 = f[4];
770
- int32_t f5 = f[5];
771
- int32_t f6 = f[6];
772
- int32_t f7 = f[7];
773
- int32_t f8 = f[8];
774
- int32_t f9 = f[9];
775
-
776
- int32_t h0 = -f0;
777
- int32_t h1 = -f1;
778
- int32_t h2 = -f2;
779
- int32_t h3 = -f3;
780
- int32_t h4 = -f4;
781
- int32_t h5 = -f5;
782
- int32_t h6 = -f6;
783
- int32_t h7 = -f7;
784
- int32_t h8 = -f8;
785
- int32_t h9 = -f9;
786
-
787
- h[0] = h0;
788
- h[1] = h1;
789
- h[2] = h2;
790
- h[3] = h3;
791
- h[4] = h4;
792
- h[5] = h5;
793
- h[6] = h6;
794
- h[7] = h7;
795
- h[8] = h8;
796
- h[9] = h9;
797
- }
798
-
799
- /*
800
- h = f * f
801
- Can overlap h with f.
802
- *
803
- Preconditions:
804
- |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
805
- *
806
- Postconditions:
807
- |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
808
- */
809
-
810
- /*
811
- See fe_mul.c for discussion of implementation strategy.
812
- */
813
-
814
- void
815
- fe_sq(fe h, const fe f)
816
- {
817
- int32_t f0 = f[0];
818
- int32_t f1 = f[1];
819
- int32_t f2 = f[2];
820
- int32_t f3 = f[3];
821
- int32_t f4 = f[4];
822
- int32_t f5 = f[5];
823
- int32_t f6 = f[6];
824
- int32_t f7 = f[7];
825
- int32_t f8 = f[8];
826
- int32_t f9 = f[9];
827
-
828
- int32_t f0_2 = 2 * f0;
829
- int32_t f1_2 = 2 * f1;
830
- int32_t f2_2 = 2 * f2;
831
- int32_t f3_2 = 2 * f3;
832
- int32_t f4_2 = 2 * f4;
833
- int32_t f5_2 = 2 * f5;
834
- int32_t f6_2 = 2 * f6;
835
- int32_t f7_2 = 2 * f7;
836
- int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
837
- int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
838
- int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
839
- int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
840
- int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
841
-
842
- int64_t f0f0 = f0 * (int64_t) f0;
843
- int64_t f0f1_2 = f0_2 * (int64_t) f1;
844
- int64_t f0f2_2 = f0_2 * (int64_t) f2;
845
- int64_t f0f3_2 = f0_2 * (int64_t) f3;
846
- int64_t f0f4_2 = f0_2 * (int64_t) f4;
847
- int64_t f0f5_2 = f0_2 * (int64_t) f5;
848
- int64_t f0f6_2 = f0_2 * (int64_t) f6;
849
- int64_t f0f7_2 = f0_2 * (int64_t) f7;
850
- int64_t f0f8_2 = f0_2 * (int64_t) f8;
851
- int64_t f0f9_2 = f0_2 * (int64_t) f9;
852
- int64_t f1f1_2 = f1_2 * (int64_t) f1;
853
- int64_t f1f2_2 = f1_2 * (int64_t) f2;
854
- int64_t f1f3_4 = f1_2 * (int64_t) f3_2;
855
- int64_t f1f4_2 = f1_2 * (int64_t) f4;
856
- int64_t f1f5_4 = f1_2 * (int64_t) f5_2;
857
- int64_t f1f6_2 = f1_2 * (int64_t) f6;
858
- int64_t f1f7_4 = f1_2 * (int64_t) f7_2;
859
- int64_t f1f8_2 = f1_2 * (int64_t) f8;
860
- int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
861
- int64_t f2f2 = f2 * (int64_t) f2;
862
- int64_t f2f3_2 = f2_2 * (int64_t) f3;
863
- int64_t f2f4_2 = f2_2 * (int64_t) f4;
864
- int64_t f2f5_2 = f2_2 * (int64_t) f5;
865
- int64_t f2f6_2 = f2_2 * (int64_t) f6;
866
- int64_t f2f7_2 = f2_2 * (int64_t) f7;
867
- int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
868
- int64_t f2f9_38 = f2 * (int64_t) f9_38;
869
- int64_t f3f3_2 = f3_2 * (int64_t) f3;
870
- int64_t f3f4_2 = f3_2 * (int64_t) f4;
871
- int64_t f3f5_4 = f3_2 * (int64_t) f5_2;
872
- int64_t f3f6_2 = f3_2 * (int64_t) f6;
873
- int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
874
- int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
875
- int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
876
- int64_t f4f4 = f4 * (int64_t) f4;
877
- int64_t f4f5_2 = f4_2 * (int64_t) f5;
878
- int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
879
- int64_t f4f7_38 = f4 * (int64_t) f7_38;
880
- int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
881
- int64_t f4f9_38 = f4 * (int64_t) f9_38;
882
- int64_t f5f5_38 = f5 * (int64_t) f5_38;
883
- int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
884
- int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
885
- int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
886
- int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
887
- int64_t f6f6_19 = f6 * (int64_t) f6_19;
888
- int64_t f6f7_38 = f6 * (int64_t) f7_38;
889
- int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
890
- int64_t f6f9_38 = f6 * (int64_t) f9_38;
891
- int64_t f7f7_38 = f7 * (int64_t) f7_38;
892
- int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
893
- int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
894
- int64_t f8f8_19 = f8 * (int64_t) f8_19;
895
- int64_t f8f9_38 = f8 * (int64_t) f9_38;
896
- int64_t f9f9_38 = f9 * (int64_t) f9_38;
897
-
898
- int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
899
- int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
900
- int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
901
- int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
902
- int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
903
- int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
904
- int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
905
- int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
906
- int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
907
- int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
908
-
909
- int64_t carry0;
910
- int64_t carry1;
911
- int64_t carry2;
912
- int64_t carry3;
913
- int64_t carry4;
914
- int64_t carry5;
915
- int64_t carry6;
916
- int64_t carry7;
917
- int64_t carry8;
918
- int64_t carry9;
919
-
920
- carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
921
- h1 += carry0;
922
- h0 -= carry0 * ((uint64_t) 1L << 26);
923
- carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
924
- h5 += carry4;
925
- h4 -= carry4 * ((uint64_t) 1L << 26);
926
-
927
- carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
928
- h2 += carry1;
929
- h1 -= carry1 * ((uint64_t) 1L << 25);
930
- carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
931
- h6 += carry5;
932
- h5 -= carry5 * ((uint64_t) 1L << 25);
933
-
934
- carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
935
- h3 += carry2;
936
- h2 -= carry2 * ((uint64_t) 1L << 26);
937
- carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
938
- h7 += carry6;
939
- h6 -= carry6 * ((uint64_t) 1L << 26);
940
-
941
- carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
942
- h4 += carry3;
943
- h3 -= carry3 * ((uint64_t) 1L << 25);
944
- carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
945
- h8 += carry7;
946
- h7 -= carry7 * ((uint64_t) 1L << 25);
947
-
948
- carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
949
- h5 += carry4;
950
- h4 -= carry4 * ((uint64_t) 1L << 26);
951
- carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
952
- h9 += carry8;
953
- h8 -= carry8 * ((uint64_t) 1L << 26);
954
-
955
- carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
956
- h0 += carry9 * 19;
957
- h9 -= carry9 * ((uint64_t) 1L << 25);
958
-
959
- carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
960
- h1 += carry0;
961
- h0 -= carry0 * ((uint64_t) 1L << 26);
962
-
963
- h[0] = (int32_t) h0;
964
- h[1] = (int32_t) h1;
965
- h[2] = (int32_t) h2;
966
- h[3] = (int32_t) h3;
967
- h[4] = (int32_t) h4;
968
- h[5] = (int32_t) h5;
969
- h[6] = (int32_t) h6;
970
- h[7] = (int32_t) h7;
971
- h[8] = (int32_t) h8;
972
- h[9] = (int32_t) h9;
973
- }
974
-
975
- /*
976
- h = 2 * f * f
977
- Can overlap h with f.
978
- *
979
- Preconditions:
980
- |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
981
- *
982
- Postconditions:
983
- |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
984
- */
985
-
986
- /*
987
- See fe_mul.c for discussion of implementation strategy.
988
- */
989
-
990
- static void
991
- fe_sq2(fe h, const fe f)
992
- {
993
- int32_t f0 = f[0];
994
- int32_t f1 = f[1];
995
- int32_t f2 = f[2];
996
- int32_t f3 = f[3];
997
- int32_t f4 = f[4];
998
- int32_t f5 = f[5];
999
- int32_t f6 = f[6];
1000
- int32_t f7 = f[7];
1001
- int32_t f8 = f[8];
1002
- int32_t f9 = f[9];
1003
-
1004
- int32_t f0_2 = 2 * f0;
1005
- int32_t f1_2 = 2 * f1;
1006
- int32_t f2_2 = 2 * f2;
1007
- int32_t f3_2 = 2 * f3;
1008
- int32_t f4_2 = 2 * f4;
1009
- int32_t f5_2 = 2 * f5;
1010
- int32_t f6_2 = 2 * f6;
1011
- int32_t f7_2 = 2 * f7;
1012
- int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
1013
- int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
1014
- int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
1015
- int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
1016
- int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
1017
-
1018
- int64_t f0f0 = f0 * (int64_t) f0;
1019
- int64_t f0f1_2 = f0_2 * (int64_t) f1;
1020
- int64_t f0f2_2 = f0_2 * (int64_t) f2;
1021
- int64_t f0f3_2 = f0_2 * (int64_t) f3;
1022
- int64_t f0f4_2 = f0_2 * (int64_t) f4;
1023
- int64_t f0f5_2 = f0_2 * (int64_t) f5;
1024
- int64_t f0f6_2 = f0_2 * (int64_t) f6;
1025
- int64_t f0f7_2 = f0_2 * (int64_t) f7;
1026
- int64_t f0f8_2 = f0_2 * (int64_t) f8;
1027
- int64_t f0f9_2 = f0_2 * (int64_t) f9;
1028
- int64_t f1f1_2 = f1_2 * (int64_t) f1;
1029
- int64_t f1f2_2 = f1_2 * (int64_t) f2;
1030
- int64_t f1f3_4 = f1_2 * (int64_t) f3_2;
1031
- int64_t f1f4_2 = f1_2 * (int64_t) f4;
1032
- int64_t f1f5_4 = f1_2 * (int64_t) f5_2;
1033
- int64_t f1f6_2 = f1_2 * (int64_t) f6;
1034
- int64_t f1f7_4 = f1_2 * (int64_t) f7_2;
1035
- int64_t f1f8_2 = f1_2 * (int64_t) f8;
1036
- int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
1037
- int64_t f2f2 = f2 * (int64_t) f2;
1038
- int64_t f2f3_2 = f2_2 * (int64_t) f3;
1039
- int64_t f2f4_2 = f2_2 * (int64_t) f4;
1040
- int64_t f2f5_2 = f2_2 * (int64_t) f5;
1041
- int64_t f2f6_2 = f2_2 * (int64_t) f6;
1042
- int64_t f2f7_2 = f2_2 * (int64_t) f7;
1043
- int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
1044
- int64_t f2f9_38 = f2 * (int64_t) f9_38;
1045
- int64_t f3f3_2 = f3_2 * (int64_t) f3;
1046
- int64_t f3f4_2 = f3_2 * (int64_t) f4;
1047
- int64_t f3f5_4 = f3_2 * (int64_t) f5_2;
1048
- int64_t f3f6_2 = f3_2 * (int64_t) f6;
1049
- int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
1050
- int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
1051
- int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
1052
- int64_t f4f4 = f4 * (int64_t) f4;
1053
- int64_t f4f5_2 = f4_2 * (int64_t) f5;
1054
- int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
1055
- int64_t f4f7_38 = f4 * (int64_t) f7_38;
1056
- int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
1057
- int64_t f4f9_38 = f4 * (int64_t) f9_38;
1058
- int64_t f5f5_38 = f5 * (int64_t) f5_38;
1059
- int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
1060
- int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
1061
- int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
1062
- int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
1063
- int64_t f6f6_19 = f6 * (int64_t) f6_19;
1064
- int64_t f6f7_38 = f6 * (int64_t) f7_38;
1065
- int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
1066
- int64_t f6f9_38 = f6 * (int64_t) f9_38;
1067
- int64_t f7f7_38 = f7 * (int64_t) f7_38;
1068
- int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
1069
- int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
1070
- int64_t f8f8_19 = f8 * (int64_t) f8_19;
1071
- int64_t f8f9_38 = f8 * (int64_t) f9_38;
1072
- int64_t f9f9_38 = f9 * (int64_t) f9_38;
1073
-
1074
- int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
1075
- int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
1076
- int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
1077
- int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
1078
- int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
1079
- int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
1080
- int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
1081
- int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
1082
- int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
1083
- int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
1084
-
1085
- int64_t carry0;
1086
- int64_t carry1;
1087
- int64_t carry2;
1088
- int64_t carry3;
1089
- int64_t carry4;
1090
- int64_t carry5;
1091
- int64_t carry6;
1092
- int64_t carry7;
1093
- int64_t carry8;
1094
- int64_t carry9;
1095
-
1096
- h0 += h0;
1097
- h1 += h1;
1098
- h2 += h2;
1099
- h3 += h3;
1100
- h4 += h4;
1101
- h5 += h5;
1102
- h6 += h6;
1103
- h7 += h7;
1104
- h8 += h8;
1105
- h9 += h9;
1106
-
1107
- carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
1108
- h1 += carry0;
1109
- h0 -= carry0 * ((uint64_t) 1L << 26);
1110
- carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
1111
- h5 += carry4;
1112
- h4 -= carry4 * ((uint64_t) 1L << 26);
1113
-
1114
- carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
1115
- h2 += carry1;
1116
- h1 -= carry1 * ((uint64_t) 1L << 25);
1117
- carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
1118
- h6 += carry5;
1119
- h5 -= carry5 * ((uint64_t) 1L << 25);
1120
-
1121
- carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
1122
- h3 += carry2;
1123
- h2 -= carry2 * ((uint64_t) 1L << 26);
1124
- carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
1125
- h7 += carry6;
1126
- h6 -= carry6 * ((uint64_t) 1L << 26);
1127
-
1128
- carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
1129
- h4 += carry3;
1130
- h3 -= carry3 * ((uint64_t) 1L << 25);
1131
- carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
1132
- h8 += carry7;
1133
- h7 -= carry7 * ((uint64_t) 1L << 25);
1134
-
1135
- carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
1136
- h5 += carry4;
1137
- h4 -= carry4 * ((uint64_t) 1L << 26);
1138
- carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
1139
- h9 += carry8;
1140
- h8 -= carry8 * ((uint64_t) 1L << 26);
1141
-
1142
- carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
1143
- h0 += carry9 * 19;
1144
- h9 -= carry9 * ((uint64_t) 1L << 25);
1145
-
1146
- carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
1147
- h1 += carry0;
1148
- h0 -= carry0 * ((uint64_t) 1L << 26);
1149
-
1150
- h[0] = (int32_t) h0;
1151
- h[1] = (int32_t) h1;
1152
- h[2] = (int32_t) h2;
1153
- h[3] = (int32_t) h3;
1154
- h[4] = (int32_t) h4;
1155
- h[5] = (int32_t) h5;
1156
- h[6] = (int32_t) h6;
1157
- h[7] = (int32_t) h7;
1158
- h[8] = (int32_t) h8;
1159
- h[9] = (int32_t) h9;
1160
- }
1161
-
1162
- void
1163
- fe_invert(fe out, const fe z)
1164
- {
1165
- fe t0;
1166
- fe t1;
1167
- fe t2;
1168
- fe t3;
1169
- int i;
1170
-
1171
- fe_sq(t0, z);
1172
- fe_sq(t1, t0);
1173
- fe_sq(t1, t1);
1174
- fe_mul(t1, z, t1);
1175
- fe_mul(t0, t0, t1);
1176
- fe_sq(t2, t0);
1177
- fe_mul(t1, t1, t2);
1178
- fe_sq(t2, t1);
1179
- for (i = 1; i < 5; ++i) {
1180
- fe_sq(t2, t2);
1181
- }
1182
- fe_mul(t1, t2, t1);
1183
- fe_sq(t2, t1);
1184
- for (i = 1; i < 10; ++i) {
1185
- fe_sq(t2, t2);
1186
- }
1187
- fe_mul(t2, t2, t1);
1188
- fe_sq(t3, t2);
1189
- for (i = 1; i < 20; ++i) {
1190
- fe_sq(t3, t3);
1191
- }
1192
- fe_mul(t2, t3, t2);
1193
- fe_sq(t2, t2);
1194
- for (i = 1; i < 10; ++i) {
1195
- fe_sq(t2, t2);
1196
- }
1197
- fe_mul(t1, t2, t1);
1198
- fe_sq(t2, t1);
1199
- for (i = 1; i < 50; ++i) {
1200
- fe_sq(t2, t2);
1201
- }
1202
- fe_mul(t2, t2, t1);
1203
- fe_sq(t3, t2);
1204
- for (i = 1; i < 100; ++i) {
1205
- fe_sq(t3, t3);
1206
- }
1207
- fe_mul(t2, t3, t2);
1208
- fe_sq(t2, t2);
1209
- for (i = 1; i < 50; ++i) {
1210
- fe_sq(t2, t2);
1211
- }
1212
- fe_mul(t1, t2, t1);
1213
- fe_sq(t1, t1);
1214
- for (i = 1; i < 5; ++i) {
1215
- fe_sq(t1, t1);
1216
- }
1217
- fe_mul(out, t1, t0);
1218
- }
1219
-
1220
- static void
1221
- fe_pow22523(fe out, const fe z)
1222
- {
1223
- fe t0;
1224
- fe t1;
1225
- fe t2;
1226
- int i;
1227
-
1228
- fe_sq(t0, z);
1229
- fe_sq(t1, t0);
1230
- fe_sq(t1, t1);
1231
- fe_mul(t1, z, t1);
1232
- fe_mul(t0, t0, t1);
1233
- fe_sq(t0, t0);
1234
- fe_mul(t0, t1, t0);
1235
- fe_sq(t1, t0);
1236
- for (i = 1; i < 5; ++i) {
1237
- fe_sq(t1, t1);
1238
- }
1239
- fe_mul(t0, t1, t0);
1240
- fe_sq(t1, t0);
1241
- for (i = 1; i < 10; ++i) {
1242
- fe_sq(t1, t1);
1243
- }
1244
- fe_mul(t1, t1, t0);
1245
- fe_sq(t2, t1);
1246
- for (i = 1; i < 20; ++i) {
1247
- fe_sq(t2, t2);
1248
- }
1249
- fe_mul(t1, t2, t1);
1250
- fe_sq(t1, t1);
1251
- for (i = 1; i < 10; ++i) {
1252
- fe_sq(t1, t1);
1253
- }
1254
- fe_mul(t0, t1, t0);
1255
- fe_sq(t1, t0);
1256
- for (i = 1; i < 50; ++i) {
1257
- fe_sq(t1, t1);
1258
- }
1259
- fe_mul(t1, t1, t0);
1260
- fe_sq(t2, t1);
1261
- for (i = 1; i < 100; ++i) {
1262
- fe_sq(t2, t2);
1263
- }
1264
- fe_mul(t1, t2, t1);
1265
- fe_sq(t1, t1);
1266
- for (i = 1; i < 50; ++i) {
1267
- fe_sq(t1, t1);
1268
- }
1269
- fe_mul(t0, t1, t0);
1270
- fe_sq(t0, t0);
1271
- fe_sq(t0, t0);
1272
- fe_mul(out, t0, z);
1273
- }
1274
-
1275
- /*
1276
- h = f - g
1277
- Can overlap h with f or g.
1278
- *
1279
- Preconditions:
1280
- |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
1281
- |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
1282
- *
1283
- Postconditions:
1284
- |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
1285
- */
1286
-
1287
- void
1288
- fe_sub(fe h, const fe f, const fe g)
1289
- {
1290
- int32_t f0 = f[0];
1291
- int32_t f1 = f[1];
1292
- int32_t f2 = f[2];
1293
- int32_t f3 = f[3];
1294
- int32_t f4 = f[4];
1295
- int32_t f5 = f[5];
1296
- int32_t f6 = f[6];
1297
- int32_t f7 = f[7];
1298
- int32_t f8 = f[8];
1299
- int32_t f9 = f[9];
1300
- int32_t g0 = g[0];
1301
- int32_t g1 = g[1];
1302
- int32_t g2 = g[2];
1303
- int32_t g3 = g[3];
1304
- int32_t g4 = g[4];
1305
- int32_t g5 = g[5];
1306
- int32_t g6 = g[6];
1307
- int32_t g7 = g[7];
1308
- int32_t g8 = g[8];
1309
- int32_t g9 = g[9];
1310
-
1311
- int32_t h0 = f0 - g0;
1312
- int32_t h1 = f1 - g1;
1313
- int32_t h2 = f2 - g2;
1314
- int32_t h3 = f3 - g3;
1315
- int32_t h4 = f4 - g4;
1316
- int32_t h5 = f5 - g5;
1317
- int32_t h6 = f6 - g6;
1318
- int32_t h7 = f7 - g7;
1319
- int32_t h8 = f8 - g8;
1320
- int32_t h9 = f9 - g9;
1321
-
1322
- h[0] = h0;
1323
- h[1] = h1;
1324
- h[2] = h2;
1325
- h[3] = h3;
1326
- h[4] = h4;
1327
- h[5] = h5;
1328
- h[6] = h6;
1329
- h[7] = h7;
1330
- h[8] = h8;
1331
- h[9] = h9;
1332
- }
1333
-
1334
- /*
1335
- r = p + q
1336
- */
1337
-
1338
- void
1339
- ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
1340
- {
1341
- fe t0;
1342
-
1343
- fe_add(r->X, p->Y, p->X);
1344
- fe_sub(r->Y, p->Y, p->X);
1345
- fe_mul(r->Z, r->X, q->YplusX);
1346
- fe_mul(r->Y, r->Y, q->YminusX);
1347
- fe_mul(r->T, q->T2d, p->T);
1348
- fe_mul(r->X, p->Z, q->Z);
1349
- fe_add(t0, r->X, r->X);
1350
- fe_sub(r->X, r->Z, r->Y);
1351
- fe_add(r->Y, r->Z, r->Y);
1352
- fe_add(r->Z, t0, r->T);
1353
- fe_sub(r->T, t0, r->T);
1354
- }
1355
-
1356
- static void
1357
- slide(signed char *r, const unsigned char *a)
1358
- {
1359
- int i;
1360
- int b;
1361
- int k;
1362
- int ribs;
1363
- int cmp;
1364
-
1365
- for (i = 0; i < 256; ++i) {
1366
- r[i] = 1 & (a[i >> 3] >> (i & 7));
1367
- }
1368
- for (i = 0; i < 256; ++i) {
1369
- if (r[i]) {
1370
- for (b = 1; b <= 6 && i + b < 256; ++b) {
1371
- if (r[i + b]) {
1372
- ribs = r[i + b] << b;
1373
- cmp = r[i] + ribs;
1374
- if (cmp <= 15) {
1375
- r[i] = cmp;
1376
- r[i + b] = 0;
1377
- } else {
1378
- cmp = r[i] - ribs;
1379
- if (cmp >= -15) {
1380
- r[i] = cmp;
1381
- for (k = i + b; k < 256; ++k) {
1382
- if (!r[k]) {
1383
- r[k] = 1;
1384
- break;
1385
- }
1386
- r[k] = 0;
1387
- }
1388
- } else {
1389
- break;
1390
- }
1391
- }
1392
- }
1393
- }
1394
- }
1395
- }
1396
- }
1397
-
1398
- static const ge_precomp Bi[8] = {
1399
- #include "base2.h"
1400
- };
1401
-
1402
- /* 37095705934669439343138083508754565189542113879843219016388785533085940283555
1403
- */
1404
- static const fe d = { -10913610, 13857413, -15372611, 6949391, 114729,
1405
- -8787816, -6275908, -3247719, -18696448, -12055116 };
1406
-
1407
- /* sqrt(-1) */
1408
- static const fe sqrtm1 = { -32595792, -7943725, 9377950, 3500415, 12389472,
1409
- -272473, -25146209, -2005654, 326686, 11406482 };
1410
-
1411
- int
1412
- ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s)
1413
- {
1414
- fe u;
1415
- fe v;
1416
- fe v3;
1417
- fe vxx;
1418
- fe check;
1419
-
1420
- fe_frombytes(h->Y, s);
1421
- fe_1(h->Z);
1422
- fe_sq(u, h->Y);
1423
- fe_mul(v, u, d);
1424
- fe_sub(u, u, h->Z); /* u = y^2-1 */
1425
- fe_add(v, v, h->Z); /* v = dy^2+1 */
1426
-
1427
- fe_sq(v3, v);
1428
- fe_mul(v3, v3, v); /* v3 = v^3 */
1429
- fe_sq(h->X, v3);
1430
- fe_mul(h->X, h->X, v);
1431
- fe_mul(h->X, h->X, u); /* x = uv^7 */
1432
-
1433
- fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
1434
- fe_mul(h->X, h->X, v3);
1435
- fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
1436
-
1437
- fe_sq(vxx, h->X);
1438
- fe_mul(vxx, vxx, v);
1439
- fe_sub(check, vxx, u); /* vx^2-u */
1440
- if (fe_isnonzero(check)) {
1441
- fe_add(check, vxx, u); /* vx^2+u */
1442
- if (fe_isnonzero(check)) {
1443
- return -1;
1444
- }
1445
- fe_mul(h->X, h->X, sqrtm1);
1446
- }
1447
-
1448
- if (fe_isnegative(h->X) == (s[31] >> 7)) {
1449
- fe_neg(h->X, h->X);
1450
- }
1451
- fe_mul(h->T, h->X, h->Y);
1452
-
1453
- return 0;
1454
- }
1455
-
1456
- /*
1457
- r = p + q
1458
- */
1459
-
1460
- static void
1461
- ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
1462
- {
1463
- fe t0;
1464
-
1465
- fe_add(r->X, p->Y, p->X);
1466
- fe_sub(r->Y, p->Y, p->X);
1467
- fe_mul(r->Z, r->X, q->yplusx);
1468
- fe_mul(r->Y, r->Y, q->yminusx);
1469
- fe_mul(r->T, q->xy2d, p->T);
1470
- fe_add(t0, p->Z, p->Z);
1471
- fe_sub(r->X, r->Z, r->Y);
1472
- fe_add(r->Y, r->Z, r->Y);
1473
- fe_add(r->Z, t0, r->T);
1474
- fe_sub(r->T, t0, r->T);
1475
- }
1476
-
1477
- /*
1478
- r = p - q
1479
- */
1480
-
1481
- static void
1482
- ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
1483
- {
1484
- fe t0;
1485
-
1486
- fe_add(r->X, p->Y, p->X);
1487
- fe_sub(r->Y, p->Y, p->X);
1488
- fe_mul(r->Z, r->X, q->yminusx);
1489
- fe_mul(r->Y, r->Y, q->yplusx);
1490
- fe_mul(r->T, q->xy2d, p->T);
1491
- fe_add(t0, p->Z, p->Z);
1492
- fe_sub(r->X, r->Z, r->Y);
1493
- fe_add(r->Y, r->Z, r->Y);
1494
- fe_sub(r->Z, t0, r->T);
1495
- fe_add(r->T, t0, r->T);
1496
- }
1497
-
1498
- /*
1499
- r = p
1500
- */
1501
-
1502
- void
1503
- ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p)
1504
- {
1505
- fe_mul(r->X, p->X, p->T);
1506
- fe_mul(r->Y, p->Y, p->Z);
1507
- fe_mul(r->Z, p->Z, p->T);
1508
- }
1509
-
1510
- /*
1511
- r = p
1512
- */
1513
-
1514
- static void
1515
- ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p)
1516
- {
1517
- fe_mul(r->X, p->X, p->T);
1518
- fe_mul(r->Y, p->Y, p->Z);
1519
- fe_mul(r->Z, p->Z, p->T);
1520
- fe_mul(r->T, p->X, p->Y);
1521
- }
1522
-
1523
- static void
1524
- ge_p2_0(ge_p2 *h)
1525
- {
1526
- fe_0(h->X);
1527
- fe_1(h->Y);
1528
- fe_1(h->Z);
1529
- }
1530
-
1531
- /*
1532
- r = 2 * p
1533
- */
1534
-
1535
- static void
1536
- ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p)
1537
- {
1538
- fe t0;
1539
-
1540
- fe_sq(r->X, p->X);
1541
- fe_sq(r->Z, p->Y);
1542
- fe_sq2(r->T, p->Z);
1543
- fe_add(r->Y, p->X, p->Y);
1544
- fe_sq(t0, r->Y);
1545
- fe_add(r->Y, r->Z, r->X);
1546
- fe_sub(r->Z, r->Z, r->X);
1547
- fe_sub(r->X, t0, r->Y);
1548
- fe_sub(r->T, r->T, r->Z);
1549
- }
1550
-
1551
- static void
1552
- ge_p3_0(ge_p3 *h)
1553
- {
1554
- fe_0(h->X);
1555
- fe_1(h->Y);
1556
- fe_1(h->Z);
1557
- fe_0(h->T);
1558
- }
1559
-
1560
- /*
1561
- r = p
1562
- */
1563
-
1564
- /* 2 * d =
1565
- * 16295367250680780974490674513165176452449235426866156013048779062215315747161
1566
- */
1567
- static const fe d2 = { -21827239, -5839606, -30745221, 13898782, 229458,
1568
- 15978800, -12551817, -6495438, 29715968, 9444199 };
1569
-
1570
- void
1571
- ge_p3_to_cached(ge_cached *r, const ge_p3 *p)
1572
- {
1573
- fe_add(r->YplusX, p->Y, p->X);
1574
- fe_sub(r->YminusX, p->Y, p->X);
1575
- fe_copy(r->Z, p->Z);
1576
- fe_mul(r->T2d, p->T, d2);
1577
- }
1578
-
1579
- /*
1580
- r = p
1581
- */
1582
-
1583
- static void
1584
- ge_p3_to_p2(ge_p2 *r, const ge_p3 *p)
1585
- {
1586
- fe_copy(r->X, p->X);
1587
- fe_copy(r->Y, p->Y);
1588
- fe_copy(r->Z, p->Z);
1589
- }
1590
-
1591
- void
1592
- ge_p3_tobytes(unsigned char *s, const ge_p3 *h)
1593
- {
1594
- fe recip;
1595
- fe x;
1596
- fe y;
1597
-
1598
- fe_invert(recip, h->Z);
1599
- fe_mul(x, h->X, recip);
1600
- fe_mul(y, h->Y, recip);
1601
- fe_tobytes(s, y);
1602
- s[31] ^= fe_isnegative(x) << 7;
1603
- }
1604
-
1605
- /*
1606
- r = 2 * p
1607
- */
1608
-
1609
- static void
1610
- ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p)
1611
- {
1612
- ge_p2 q;
1613
- ge_p3_to_p2(&q, p);
1614
- ge_p2_dbl(r, &q);
1615
- }
1616
-
1617
- static void
1618
- ge_precomp_0(ge_precomp *h)
1619
- {
1620
- fe_1(h->yplusx);
1621
- fe_1(h->yminusx);
1622
- fe_0(h->xy2d);
1623
- }
1624
-
1625
- static unsigned char
1626
- equal(signed char b, signed char c)
1627
- {
1628
- unsigned char ub = b;
1629
- unsigned char uc = c;
1630
- unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */
1631
- uint32_t y = x; /* 0: yes; 1..255: no */
1632
-
1633
- y -= 1; /* 4294967295: yes; 0..254: no */
1634
- y >>= 31; /* 1: yes; 0: no */
1635
-
1636
- return y;
1637
- }
1638
-
1639
- static unsigned char
1640
- negative(signed char b)
1641
- {
1642
- uint64_t x =
1643
- b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
1644
-
1645
- x >>= 63; /* 1: yes; 0: no */
1646
-
1647
- return x;
1648
- }
1649
-
1650
- static void
1651
- cmov(ge_precomp *t, const ge_precomp *u, unsigned char b)
1652
- {
1653
- fe_cmov(t->yplusx, u->yplusx, b);
1654
- fe_cmov(t->yminusx, u->yminusx, b);
1655
- fe_cmov(t->xy2d, u->xy2d, b);
1656
- }
1657
-
1658
- /* base[i][j] = (j+1)*256^i*B */
1659
- static const ge_precomp base[32][8] = {
1660
- #include "base.h"
1661
- };
1662
-
1663
- static void
1664
- ge_select(ge_precomp *t, int pos, signed char b)
1665
- {
1666
- ge_precomp minust;
1667
- unsigned char bnegative = negative(b);
1668
- unsigned char babs = b - (((-bnegative) & b) * ((signed char) 1 << 1));
1669
-
1670
- ge_precomp_0(t);
1671
- cmov(t, &base[pos][0], equal(babs, 1));
1672
- cmov(t, &base[pos][1], equal(babs, 2));
1673
- cmov(t, &base[pos][2], equal(babs, 3));
1674
- cmov(t, &base[pos][3], equal(babs, 4));
1675
- cmov(t, &base[pos][4], equal(babs, 5));
1676
- cmov(t, &base[pos][5], equal(babs, 6));
1677
- cmov(t, &base[pos][6], equal(babs, 7));
1678
- cmov(t, &base[pos][7], equal(babs, 8));
1679
- fe_copy(minust.yplusx, t->yminusx);
1680
- fe_copy(minust.yminusx, t->yplusx);
1681
- fe_neg(minust.xy2d, t->xy2d);
1682
- cmov(t, &minust, bnegative);
1683
- }
1684
-
1685
- /*
1686
- r = p - q
1687
- */
1688
-
1689
- static void
1690
- ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
1691
- {
1692
- fe t0;
1693
-
1694
- fe_add(r->X, p->Y, p->X);
1695
- fe_sub(r->Y, p->Y, p->X);
1696
- fe_mul(r->Z, r->X, q->YminusX);
1697
- fe_mul(r->Y, r->Y, q->YplusX);
1698
- fe_mul(r->T, q->T2d, p->T);
1699
- fe_mul(r->X, p->Z, q->Z);
1700
- fe_add(t0, r->X, r->X);
1701
- fe_sub(r->X, r->Z, r->Y);
1702
- fe_add(r->Y, r->Z, r->Y);
1703
- fe_sub(r->Z, t0, r->T);
1704
- fe_add(r->T, t0, r->T);
1705
- }
1706
-
1707
- void
1708
- ge_tobytes(unsigned char *s, const ge_p2 *h)
1709
- {
1710
- fe recip;
1711
- fe x;
1712
- fe y;
1713
-
1714
- fe_invert(recip, h->Z);
1715
- fe_mul(x, h->X, recip);
1716
- fe_mul(y, h->Y, recip);
1717
- fe_tobytes(s, y);
1718
- s[31] ^= fe_isnegative(x) << 7;
1719
- }
1720
-
1721
- /*
1722
- h = a * B
1723
- where a = a[0]+256*a[1]+...+256^31 a[31]
1724
- B is the Ed25519 base point (x,4/5) with x positive.
1725
- *
1726
- Preconditions:
1727
- a[31] <= 127
1728
- */
1729
-
1730
- /*
1731
- r = a * A + b * B
1732
- where a = a[0]+256*a[1]+...+256^31 a[31].
1733
- and b = b[0]+256*b[1]+...+256^31 b[31].
1734
- B is the Ed25519 base point (x,4/5) with x positive.
1735
- */
1736
-
1737
- void
1738
- ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A,
1739
- const unsigned char *b)
1740
- {
1741
- signed char aslide[256];
1742
- signed char bslide[256];
1743
- ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
1744
- ge_p1p1 t;
1745
- ge_p3 u;
1746
- ge_p3 A2;
1747
- int i;
1748
-
1749
- slide(aslide, a);
1750
- slide(bslide, b);
1751
-
1752
- ge_p3_to_cached(&Ai[0], A);
1753
- ge_p3_dbl(&t, A);
1754
- ge_p1p1_to_p3(&A2, &t);
1755
- ge_add(&t, &A2, &Ai[0]);
1756
- ge_p1p1_to_p3(&u, &t);
1757
- ge_p3_to_cached(&Ai[1], &u);
1758
- ge_add(&t, &A2, &Ai[1]);
1759
- ge_p1p1_to_p3(&u, &t);
1760
- ge_p3_to_cached(&Ai[2], &u);
1761
- ge_add(&t, &A2, &Ai[2]);
1762
- ge_p1p1_to_p3(&u, &t);
1763
- ge_p3_to_cached(&Ai[3], &u);
1764
- ge_add(&t, &A2, &Ai[3]);
1765
- ge_p1p1_to_p3(&u, &t);
1766
- ge_p3_to_cached(&Ai[4], &u);
1767
- ge_add(&t, &A2, &Ai[4]);
1768
- ge_p1p1_to_p3(&u, &t);
1769
- ge_p3_to_cached(&Ai[5], &u);
1770
- ge_add(&t, &A2, &Ai[5]);
1771
- ge_p1p1_to_p3(&u, &t);
1772
- ge_p3_to_cached(&Ai[6], &u);
1773
- ge_add(&t, &A2, &Ai[6]);
1774
- ge_p1p1_to_p3(&u, &t);
1775
- ge_p3_to_cached(&Ai[7], &u);
1776
-
1777
- ge_p2_0(r);
1778
-
1779
- for (i = 255; i >= 0; --i) {
1780
- if (aslide[i] || bslide[i])
1781
- break;
1782
- }
1783
-
1784
- for (; i >= 0; --i) {
1785
- ge_p2_dbl(&t, r);
1786
-
1787
- if (aslide[i] > 0) {
1788
- ge_p1p1_to_p3(&u, &t);
1789
- ge_add(&t, &u, &Ai[aslide[i] / 2]);
1790
- } else if (aslide[i] < 0) {
1791
- ge_p1p1_to_p3(&u, &t);
1792
- ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
1793
- }
1794
-
1795
- if (bslide[i] > 0) {
1796
- ge_p1p1_to_p3(&u, &t);
1797
- ge_madd(&t, &u, &Bi[bslide[i] / 2]);
1798
- } else if (bslide[i] < 0) {
1799
- ge_p1p1_to_p3(&u, &t);
1800
- ge_msub(&t, &u, &Bi[(-bslide[i]) / 2]);
1801
- }
1802
-
1803
- ge_p1p1_to_p2(r, &t);
1804
- }
1805
- }
1806
-
1807
- #ifndef MINIMAL
1808
-
1809
- /* only used for verification of legacy (edwards25519sha512batch) signatures */
1810
-
1811
- void
1812
- ge_scalarmult_vartime(ge_p3 *r, const unsigned char *a, const ge_p3 *A)
1813
- {
1814
- signed char aslide[256];
1815
- ge_cached Ai[8];
1816
- ge_p1p1 t;
1817
- ge_p3 u;
1818
- ge_p3 A2;
1819
- int i;
1820
-
1821
- slide(aslide, a);
1822
-
1823
- ge_p3_to_cached(&Ai[0], A);
1824
- ge_p3_dbl(&t, A);
1825
- ge_p1p1_to_p3(&A2, &t);
1826
- ge_add(&t, &A2, &Ai[0]);
1827
- ge_p1p1_to_p3(&u, &t);
1828
- ge_p3_to_cached(&Ai[1], &u);
1829
- ge_add(&t, &A2, &Ai[1]);
1830
- ge_p1p1_to_p3(&u, &t);
1831
- ge_p3_to_cached(&Ai[2], &u);
1832
- ge_add(&t, &A2, &Ai[2]);
1833
- ge_p1p1_to_p3(&u, &t);
1834
- ge_p3_to_cached(&Ai[3], &u);
1835
- ge_add(&t, &A2, &Ai[3]);
1836
- ge_p1p1_to_p3(&u, &t);
1837
- ge_p3_to_cached(&Ai[4], &u);
1838
- ge_add(&t, &A2, &Ai[4]);
1839
- ge_p1p1_to_p3(&u, &t);
1840
- ge_p3_to_cached(&Ai[5], &u);
1841
- ge_add(&t, &A2, &Ai[5]);
1842
- ge_p1p1_to_p3(&u, &t);
1843
- ge_p3_to_cached(&Ai[6], &u);
1844
- ge_add(&t, &A2, &Ai[6]);
1845
- ge_p1p1_to_p3(&u, &t);
1846
- ge_p3_to_cached(&Ai[7], &u);
1847
-
1848
- ge_p3_0(r);
1849
-
1850
- for (i = 255; i >= 0; --i) {
1851
- if (aslide[i])
1852
- break;
1853
- }
1854
-
1855
- for (; i >= 0; --i) {
1856
- ge_p3_dbl(&t, r);
1857
-
1858
- if (aslide[i] > 0) {
1859
- ge_p1p1_to_p3(&u, &t);
1860
- ge_add(&t, &u, &Ai[aslide[i] / 2]);
1861
- } else if (aslide[i] < 0) {
1862
- ge_p1p1_to_p3(&u, &t);
1863
- ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
1864
- }
1865
-
1866
- ge_p1p1_to_p3(r, &t);
1867
- }
1868
- }
1869
-
1870
- #endif
1871
-
1872
- void
1873
- ge_scalarmult_base(ge_p3 *h, const unsigned char *a)
1874
- {
1875
- signed char e[64];
1876
- signed char carry;
1877
- ge_p1p1 r;
1878
- ge_p2 s;
1879
- ge_precomp t;
1880
- int i;
1881
-
1882
- for (i = 0; i < 32; ++i) {
1883
- e[2 * i + 0] = (a[i] >> 0) & 15;
1884
- e[2 * i + 1] = (a[i] >> 4) & 15;
1885
- }
1886
- /* each e[i] is between 0 and 15 */
1887
- /* e[63] is between 0 and 7 */
1888
-
1889
- carry = 0;
1890
- for (i = 0; i < 63; ++i) {
1891
- e[i] += carry;
1892
- carry = e[i] + 8;
1893
- carry >>= 4;
1894
- e[i] -= carry * ((signed char) 1 << 4);
1895
- }
1896
- e[63] += carry;
1897
- /* each e[i] is between -8 and 8 */
1898
-
1899
- ge_p3_0(h);
1900
- for (i = 1; i < 64; i += 2) {
1901
- ge_select(&t, i / 2, e[i]);
1902
- ge_madd(&r, h, &t);
1903
- ge_p1p1_to_p3(h, &r);
1904
- }
1905
-
1906
- ge_p3_dbl(&r, h);
1907
- ge_p1p1_to_p2(&s, &r);
1908
- ge_p2_dbl(&r, &s);
1909
- ge_p1p1_to_p2(&s, &r);
1910
- ge_p2_dbl(&r, &s);
1911
- ge_p1p1_to_p2(&s, &r);
1912
- ge_p2_dbl(&r, &s);
1913
- ge_p1p1_to_p3(h, &r);
1914
-
1915
- for (i = 0; i < 64; i += 2) {
1916
- ge_select(&t, i / 2, e[i]);
1917
- ge_madd(&r, h, &t);
1918
- ge_p1p1_to_p3(h, &r);
1919
- }
1920
- }
1921
-
1922
- /* multiply by the order of the main subgroup l = 2^252+27742317777372353535851937790883648493 */
1923
- void
1924
- ge_mul_l(ge_p3 *r, const ge_p3 *A)
1925
- {
1926
- static const signed char aslide[253] = {
1927
- 13, 0, 0, 0, 0, -1, 0, 0, 0, 0, -11, 0, 0, 0, 0, 0, 0, -5, 0, 0, 0, 0, 0, 0, -3, 0, 0, 0, 0, -13, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, -13, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, -13, 0, 0, 0, 0, 0, 0, -3, 0, 0, 0, 0, 0, -1, 0, 0, 0, 0, 3, 0, 0, 0, 0, -11, 0, 0, 0, 0, 0, 0, 0, 15, 0, 0, 0, 0, 0, -1, 0, 0, 0, 0, -1, 0, 0, 0, 0, 7, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
1928
- };
1929
- ge_cached Ai[8];
1930
- ge_p1p1 t;
1931
- ge_p3 u;
1932
- ge_p3 A2;
1933
- int i;
1934
-
1935
- ge_p3_to_cached(&Ai[0], A);
1936
- ge_p3_dbl(&t, A);
1937
- ge_p1p1_to_p3(&A2, &t);
1938
- ge_add(&t, &A2, &Ai[0]);
1939
- ge_p1p1_to_p3(&u, &t);
1940
- ge_p3_to_cached(&Ai[1], &u);
1941
- ge_add(&t, &A2, &Ai[1]);
1942
- ge_p1p1_to_p3(&u, &t);
1943
- ge_p3_to_cached(&Ai[2], &u);
1944
- ge_add(&t, &A2, &Ai[2]);
1945
- ge_p1p1_to_p3(&u, &t);
1946
- ge_p3_to_cached(&Ai[3], &u);
1947
- ge_add(&t, &A2, &Ai[3]);
1948
- ge_p1p1_to_p3(&u, &t);
1949
- ge_p3_to_cached(&Ai[4], &u);
1950
- ge_add(&t, &A2, &Ai[4]);
1951
- ge_p1p1_to_p3(&u, &t);
1952
- ge_p3_to_cached(&Ai[5], &u);
1953
- ge_add(&t, &A2, &Ai[5]);
1954
- ge_p1p1_to_p3(&u, &t);
1955
- ge_p3_to_cached(&Ai[6], &u);
1956
- ge_add(&t, &A2, &Ai[6]);
1957
- ge_p1p1_to_p3(&u, &t);
1958
- ge_p3_to_cached(&Ai[7], &u);
1959
-
1960
- ge_p3_0(r);
1961
-
1962
- for (i = 252; i >= 0; --i) {
1963
- ge_p3_dbl(&t, r);
1964
-
1965
- if (aslide[i] > 0) {
1966
- ge_p1p1_to_p3(&u, &t);
1967
- ge_add(&t, &u, &Ai[aslide[i] / 2]);
1968
- } else if (aslide[i] < 0) {
1969
- ge_p1p1_to_p3(&u, &t);
1970
- ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
1971
- }
1972
-
1973
- ge_p1p1_to_p3(r, &t);
1974
- }
1975
- }
1976
-
1977
- /*
1978
- Input:
1979
- a[0]+256*a[1]+...+256^31*a[31] = a
1980
- b[0]+256*b[1]+...+256^31*b[31] = b
1981
- c[0]+256*c[1]+...+256^31*c[31] = c
1982
- *
1983
- Output:
1984
- s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
1985
- where l = 2^252 + 27742317777372353535851937790883648493.
1986
- */
1987
-
1988
- void
1989
- sc_muladd(unsigned char *s, const unsigned char *a, const unsigned char *b,
1990
- const unsigned char *c)
1991
- {
1992
- int64_t a0 = 2097151 & load_3(a);
1993
- int64_t a1 = 2097151 & (load_4(a + 2) >> 5);
1994
- int64_t a2 = 2097151 & (load_3(a + 5) >> 2);
1995
- int64_t a3 = 2097151 & (load_4(a + 7) >> 7);
1996
- int64_t a4 = 2097151 & (load_4(a + 10) >> 4);
1997
- int64_t a5 = 2097151 & (load_3(a + 13) >> 1);
1998
- int64_t a6 = 2097151 & (load_4(a + 15) >> 6);
1999
- int64_t a7 = 2097151 & (load_3(a + 18) >> 3);
2000
- int64_t a8 = 2097151 & load_3(a + 21);
2001
- int64_t a9 = 2097151 & (load_4(a + 23) >> 5);
2002
- int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
2003
- int64_t a11 = (load_4(a + 28) >> 7);
2004
-
2005
- int64_t b0 = 2097151 & load_3(b);
2006
- int64_t b1 = 2097151 & (load_4(b + 2) >> 5);
2007
- int64_t b2 = 2097151 & (load_3(b + 5) >> 2);
2008
- int64_t b3 = 2097151 & (load_4(b + 7) >> 7);
2009
- int64_t b4 = 2097151 & (load_4(b + 10) >> 4);
2010
- int64_t b5 = 2097151 & (load_3(b + 13) >> 1);
2011
- int64_t b6 = 2097151 & (load_4(b + 15) >> 6);
2012
- int64_t b7 = 2097151 & (load_3(b + 18) >> 3);
2013
- int64_t b8 = 2097151 & load_3(b + 21);
2014
- int64_t b9 = 2097151 & (load_4(b + 23) >> 5);
2015
- int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
2016
- int64_t b11 = (load_4(b + 28) >> 7);
2017
-
2018
- int64_t c0 = 2097151 & load_3(c);
2019
- int64_t c1 = 2097151 & (load_4(c + 2) >> 5);
2020
- int64_t c2 = 2097151 & (load_3(c + 5) >> 2);
2021
- int64_t c3 = 2097151 & (load_4(c + 7) >> 7);
2022
- int64_t c4 = 2097151 & (load_4(c + 10) >> 4);
2023
- int64_t c5 = 2097151 & (load_3(c + 13) >> 1);
2024
- int64_t c6 = 2097151 & (load_4(c + 15) >> 6);
2025
- int64_t c7 = 2097151 & (load_3(c + 18) >> 3);
2026
- int64_t c8 = 2097151 & load_3(c + 21);
2027
- int64_t c9 = 2097151 & (load_4(c + 23) >> 5);
2028
- int64_t c10 = 2097151 & (load_3(c + 26) >> 2);
2029
- int64_t c11 = (load_4(c + 28) >> 7);
2030
-
2031
- int64_t s0;
2032
- int64_t s1;
2033
- int64_t s2;
2034
- int64_t s3;
2035
- int64_t s4;
2036
- int64_t s5;
2037
- int64_t s6;
2038
- int64_t s7;
2039
- int64_t s8;
2040
- int64_t s9;
2041
- int64_t s10;
2042
- int64_t s11;
2043
- int64_t s12;
2044
- int64_t s13;
2045
- int64_t s14;
2046
- int64_t s15;
2047
- int64_t s16;
2048
- int64_t s17;
2049
- int64_t s18;
2050
- int64_t s19;
2051
- int64_t s20;
2052
- int64_t s21;
2053
- int64_t s22;
2054
- int64_t s23;
2055
-
2056
- int64_t carry0;
2057
- int64_t carry1;
2058
- int64_t carry2;
2059
- int64_t carry3;
2060
- int64_t carry4;
2061
- int64_t carry5;
2062
- int64_t carry6;
2063
- int64_t carry7;
2064
- int64_t carry8;
2065
- int64_t carry9;
2066
- int64_t carry10;
2067
- int64_t carry11;
2068
- int64_t carry12;
2069
- int64_t carry13;
2070
- int64_t carry14;
2071
- int64_t carry15;
2072
- int64_t carry16;
2073
- int64_t carry17;
2074
- int64_t carry18;
2075
- int64_t carry19;
2076
- int64_t carry20;
2077
- int64_t carry21;
2078
- int64_t carry22;
2079
-
2080
- s0 = c0 + a0 * b0;
2081
- s1 = c1 + a0 * b1 + a1 * b0;
2082
- s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
2083
- s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
2084
- s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
2085
- s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
2086
- s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 +
2087
- a6 * b0;
2088
- s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 +
2089
- a6 * b1 + a7 * b0;
2090
- s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 +
2091
- a6 * b2 + a7 * b1 + a8 * b0;
2092
- s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 +
2093
- a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
2094
- s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 +
2095
- a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
2096
- s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 +
2097
- a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
2098
- s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 +
2099
- a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
2100
- s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 +
2101
- a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
2102
- s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 +
2103
- a9 * b5 + a10 * b4 + a11 * b3;
2104
- s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 +
2105
- a10 * b5 + a11 * b4;
2106
- s16 =
2107
- a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
2108
- s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
2109
- s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
2110
- s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
2111
- s20 = a9 * b11 + a10 * b10 + a11 * b9;
2112
- s21 = a10 * b11 + a11 * b10;
2113
- s22 = a11 * b11;
2114
- s23 = 0;
2115
-
2116
- carry0 = (s0 + (int64_t)(1L << 20)) >> 21;
2117
- s1 += carry0;
2118
- s0 -= carry0 * ((uint64_t) 1L << 21);
2119
- carry2 = (s2 + (int64_t)(1L << 20)) >> 21;
2120
- s3 += carry2;
2121
- s2 -= carry2 * ((uint64_t) 1L << 21);
2122
- carry4 = (s4 + (int64_t)(1L << 20)) >> 21;
2123
- s5 += carry4;
2124
- s4 -= carry4 * ((uint64_t) 1L << 21);
2125
- carry6 = (s6 + (int64_t)(1L << 20)) >> 21;
2126
- s7 += carry6;
2127
- s6 -= carry6 * ((uint64_t) 1L << 21);
2128
- carry8 = (s8 + (int64_t)(1L << 20)) >> 21;
2129
- s9 += carry8;
2130
- s8 -= carry8 * ((uint64_t) 1L << 21);
2131
- carry10 = (s10 + (int64_t)(1L << 20)) >> 21;
2132
- s11 += carry10;
2133
- s10 -= carry10 * ((uint64_t) 1L << 21);
2134
- carry12 = (s12 + (int64_t)(1L << 20)) >> 21;
2135
- s13 += carry12;
2136
- s12 -= carry12 * ((uint64_t) 1L << 21);
2137
- carry14 = (s14 + (int64_t)(1L << 20)) >> 21;
2138
- s15 += carry14;
2139
- s14 -= carry14 * ((uint64_t) 1L << 21);
2140
- carry16 = (s16 + (int64_t)(1L << 20)) >> 21;
2141
- s17 += carry16;
2142
- s16 -= carry16 * ((uint64_t) 1L << 21);
2143
- carry18 = (s18 + (int64_t)(1L << 20)) >> 21;
2144
- s19 += carry18;
2145
- s18 -= carry18 * ((uint64_t) 1L << 21);
2146
- carry20 = (s20 + (int64_t)(1L << 20)) >> 21;
2147
- s21 += carry20;
2148
- s20 -= carry20 * ((uint64_t) 1L << 21);
2149
- carry22 = (s22 + (int64_t)(1L << 20)) >> 21;
2150
- s23 += carry22;
2151
- s22 -= carry22 * ((uint64_t) 1L << 21);
2152
-
2153
- carry1 = (s1 + (int64_t)(1L << 20)) >> 21;
2154
- s2 += carry1;
2155
- s1 -= carry1 * ((uint64_t) 1L << 21);
2156
- carry3 = (s3 + (int64_t)(1L << 20)) >> 21;
2157
- s4 += carry3;
2158
- s3 -= carry3 * ((uint64_t) 1L << 21);
2159
- carry5 = (s5 + (int64_t)(1L << 20)) >> 21;
2160
- s6 += carry5;
2161
- s5 -= carry5 * ((uint64_t) 1L << 21);
2162
- carry7 = (s7 + (int64_t)(1L << 20)) >> 21;
2163
- s8 += carry7;
2164
- s7 -= carry7 * ((uint64_t) 1L << 21);
2165
- carry9 = (s9 + (int64_t)(1L << 20)) >> 21;
2166
- s10 += carry9;
2167
- s9 -= carry9 * ((uint64_t) 1L << 21);
2168
- carry11 = (s11 + (int64_t)(1L << 20)) >> 21;
2169
- s12 += carry11;
2170
- s11 -= carry11 * ((uint64_t) 1L << 21);
2171
- carry13 = (s13 + (int64_t)(1L << 20)) >> 21;
2172
- s14 += carry13;
2173
- s13 -= carry13 * ((uint64_t) 1L << 21);
2174
- carry15 = (s15 + (int64_t)(1L << 20)) >> 21;
2175
- s16 += carry15;
2176
- s15 -= carry15 * ((uint64_t) 1L << 21);
2177
- carry17 = (s17 + (int64_t)(1L << 20)) >> 21;
2178
- s18 += carry17;
2179
- s17 -= carry17 * ((uint64_t) 1L << 21);
2180
- carry19 = (s19 + (int64_t)(1L << 20)) >> 21;
2181
- s20 += carry19;
2182
- s19 -= carry19 * ((uint64_t) 1L << 21);
2183
- carry21 = (s21 + (int64_t)(1L << 20)) >> 21;
2184
- s22 += carry21;
2185
- s21 -= carry21 * ((uint64_t) 1L << 21);
2186
-
2187
- s11 += s23 * 666643;
2188
- s12 += s23 * 470296;
2189
- s13 += s23 * 654183;
2190
- s14 -= s23 * 997805;
2191
- s15 += s23 * 136657;
2192
- s16 -= s23 * 683901;
2193
-
2194
- s10 += s22 * 666643;
2195
- s11 += s22 * 470296;
2196
- s12 += s22 * 654183;
2197
- s13 -= s22 * 997805;
2198
- s14 += s22 * 136657;
2199
- s15 -= s22 * 683901;
2200
-
2201
- s9 += s21 * 666643;
2202
- s10 += s21 * 470296;
2203
- s11 += s21 * 654183;
2204
- s12 -= s21 * 997805;
2205
- s13 += s21 * 136657;
2206
- s14 -= s21 * 683901;
2207
-
2208
- s8 += s20 * 666643;
2209
- s9 += s20 * 470296;
2210
- s10 += s20 * 654183;
2211
- s11 -= s20 * 997805;
2212
- s12 += s20 * 136657;
2213
- s13 -= s20 * 683901;
2214
-
2215
- s7 += s19 * 666643;
2216
- s8 += s19 * 470296;
2217
- s9 += s19 * 654183;
2218
- s10 -= s19 * 997805;
2219
- s11 += s19 * 136657;
2220
- s12 -= s19 * 683901;
2221
-
2222
- s6 += s18 * 666643;
2223
- s7 += s18 * 470296;
2224
- s8 += s18 * 654183;
2225
- s9 -= s18 * 997805;
2226
- s10 += s18 * 136657;
2227
- s11 -= s18 * 683901;
2228
-
2229
- carry6 = (s6 + (int64_t)(1L << 20)) >> 21;
2230
- s7 += carry6;
2231
- s6 -= carry6 * ((uint64_t) 1L << 21);
2232
- carry8 = (s8 + (int64_t)(1L << 20)) >> 21;
2233
- s9 += carry8;
2234
- s8 -= carry8 * ((uint64_t) 1L << 21);
2235
- carry10 = (s10 + (int64_t)(1L << 20)) >> 21;
2236
- s11 += carry10;
2237
- s10 -= carry10 * ((uint64_t) 1L << 21);
2238
- carry12 = (s12 + (int64_t)(1L << 20)) >> 21;
2239
- s13 += carry12;
2240
- s12 -= carry12 * ((uint64_t) 1L << 21);
2241
- carry14 = (s14 + (int64_t)(1L << 20)) >> 21;
2242
- s15 += carry14;
2243
- s14 -= carry14 * ((uint64_t) 1L << 21);
2244
- carry16 = (s16 + (int64_t)(1L << 20)) >> 21;
2245
- s17 += carry16;
2246
- s16 -= carry16 * ((uint64_t) 1L << 21);
2247
-
2248
- carry7 = (s7 + (int64_t)(1L << 20)) >> 21;
2249
- s8 += carry7;
2250
- s7 -= carry7 * ((uint64_t) 1L << 21);
2251
- carry9 = (s9 + (int64_t)(1L << 20)) >> 21;
2252
- s10 += carry9;
2253
- s9 -= carry9 * ((uint64_t) 1L << 21);
2254
- carry11 = (s11 + (int64_t)(1L << 20)) >> 21;
2255
- s12 += carry11;
2256
- s11 -= carry11 * ((uint64_t) 1L << 21);
2257
- carry13 = (s13 + (int64_t)(1L << 20)) >> 21;
2258
- s14 += carry13;
2259
- s13 -= carry13 * ((uint64_t) 1L << 21);
2260
- carry15 = (s15 + (int64_t)(1L << 20)) >> 21;
2261
- s16 += carry15;
2262
- s15 -= carry15 * ((uint64_t) 1L << 21);
2263
-
2264
- s5 += s17 * 666643;
2265
- s6 += s17 * 470296;
2266
- s7 += s17 * 654183;
2267
- s8 -= s17 * 997805;
2268
- s9 += s17 * 136657;
2269
- s10 -= s17 * 683901;
2270
-
2271
- s4 += s16 * 666643;
2272
- s5 += s16 * 470296;
2273
- s6 += s16 * 654183;
2274
- s7 -= s16 * 997805;
2275
- s8 += s16 * 136657;
2276
- s9 -= s16 * 683901;
2277
-
2278
- s3 += s15 * 666643;
2279
- s4 += s15 * 470296;
2280
- s5 += s15 * 654183;
2281
- s6 -= s15 * 997805;
2282
- s7 += s15 * 136657;
2283
- s8 -= s15 * 683901;
2284
-
2285
- s2 += s14 * 666643;
2286
- s3 += s14 * 470296;
2287
- s4 += s14 * 654183;
2288
- s5 -= s14 * 997805;
2289
- s6 += s14 * 136657;
2290
- s7 -= s14 * 683901;
2291
-
2292
- s1 += s13 * 666643;
2293
- s2 += s13 * 470296;
2294
- s3 += s13 * 654183;
2295
- s4 -= s13 * 997805;
2296
- s5 += s13 * 136657;
2297
- s6 -= s13 * 683901;
2298
-
2299
- s0 += s12 * 666643;
2300
- s1 += s12 * 470296;
2301
- s2 += s12 * 654183;
2302
- s3 -= s12 * 997805;
2303
- s4 += s12 * 136657;
2304
- s5 -= s12 * 683901;
2305
- s12 = 0;
2306
-
2307
- carry0 = (s0 + (int64_t)(1L << 20)) >> 21;
2308
- s1 += carry0;
2309
- s0 -= carry0 * ((uint64_t) 1L << 21);
2310
- carry2 = (s2 + (int64_t)(1L << 20)) >> 21;
2311
- s3 += carry2;
2312
- s2 -= carry2 * ((uint64_t) 1L << 21);
2313
- carry4 = (s4 + (int64_t)(1L << 20)) >> 21;
2314
- s5 += carry4;
2315
- s4 -= carry4 * ((uint64_t) 1L << 21);
2316
- carry6 = (s6 + (int64_t)(1L << 20)) >> 21;
2317
- s7 += carry6;
2318
- s6 -= carry6 * ((uint64_t) 1L << 21);
2319
- carry8 = (s8 + (int64_t)(1L << 20)) >> 21;
2320
- s9 += carry8;
2321
- s8 -= carry8 * ((uint64_t) 1L << 21);
2322
- carry10 = (s10 + (int64_t)(1L << 20)) >> 21;
2323
- s11 += carry10;
2324
- s10 -= carry10 * ((uint64_t) 1L << 21);
2325
-
2326
- carry1 = (s1 + (int64_t)(1L << 20)) >> 21;
2327
- s2 += carry1;
2328
- s1 -= carry1 * ((uint64_t) 1L << 21);
2329
- carry3 = (s3 + (int64_t)(1L << 20)) >> 21;
2330
- s4 += carry3;
2331
- s3 -= carry3 * ((uint64_t) 1L << 21);
2332
- carry5 = (s5 + (int64_t)(1L << 20)) >> 21;
2333
- s6 += carry5;
2334
- s5 -= carry5 * ((uint64_t) 1L << 21);
2335
- carry7 = (s7 + (int64_t)(1L << 20)) >> 21;
2336
- s8 += carry7;
2337
- s7 -= carry7 * ((uint64_t) 1L << 21);
2338
- carry9 = (s9 + (int64_t)(1L << 20)) >> 21;
2339
- s10 += carry9;
2340
- s9 -= carry9 * ((uint64_t) 1L << 21);
2341
- carry11 = (s11 + (int64_t)(1L << 20)) >> 21;
2342
- s12 += carry11;
2343
- s11 -= carry11 * ((uint64_t) 1L << 21);
2344
-
2345
- s0 += s12 * 666643;
2346
- s1 += s12 * 470296;
2347
- s2 += s12 * 654183;
2348
- s3 -= s12 * 997805;
2349
- s4 += s12 * 136657;
2350
- s5 -= s12 * 683901;
2351
- s12 = 0;
2352
-
2353
- carry0 = s0 >> 21;
2354
- s1 += carry0;
2355
- s0 -= carry0 * ((uint64_t) 1L << 21);
2356
- carry1 = s1 >> 21;
2357
- s2 += carry1;
2358
- s1 -= carry1 * ((uint64_t) 1L << 21);
2359
- carry2 = s2 >> 21;
2360
- s3 += carry2;
2361
- s2 -= carry2 * ((uint64_t) 1L << 21);
2362
- carry3 = s3 >> 21;
2363
- s4 += carry3;
2364
- s3 -= carry3 * ((uint64_t) 1L << 21);
2365
- carry4 = s4 >> 21;
2366
- s5 += carry4;
2367
- s4 -= carry4 * ((uint64_t) 1L << 21);
2368
- carry5 = s5 >> 21;
2369
- s6 += carry5;
2370
- s5 -= carry5 * ((uint64_t) 1L << 21);
2371
- carry6 = s6 >> 21;
2372
- s7 += carry6;
2373
- s6 -= carry6 * ((uint64_t) 1L << 21);
2374
- carry7 = s7 >> 21;
2375
- s8 += carry7;
2376
- s7 -= carry7 * ((uint64_t) 1L << 21);
2377
- carry8 = s8 >> 21;
2378
- s9 += carry8;
2379
- s8 -= carry8 * ((uint64_t) 1L << 21);
2380
- carry9 = s9 >> 21;
2381
- s10 += carry9;
2382
- s9 -= carry9 * ((uint64_t) 1L << 21);
2383
- carry10 = s10 >> 21;
2384
- s11 += carry10;
2385
- s10 -= carry10 * ((uint64_t) 1L << 21);
2386
- carry11 = s11 >> 21;
2387
- s12 += carry11;
2388
- s11 -= carry11 * ((uint64_t) 1L << 21);
2389
-
2390
- s0 += s12 * 666643;
2391
- s1 += s12 * 470296;
2392
- s2 += s12 * 654183;
2393
- s3 -= s12 * 997805;
2394
- s4 += s12 * 136657;
2395
- s5 -= s12 * 683901;
2396
-
2397
- carry0 = s0 >> 21;
2398
- s1 += carry0;
2399
- s0 -= carry0 * ((uint64_t) 1L << 21);
2400
- carry1 = s1 >> 21;
2401
- s2 += carry1;
2402
- s1 -= carry1 * ((uint64_t) 1L << 21);
2403
- carry2 = s2 >> 21;
2404
- s3 += carry2;
2405
- s2 -= carry2 * ((uint64_t) 1L << 21);
2406
- carry3 = s3 >> 21;
2407
- s4 += carry3;
2408
- s3 -= carry3 * ((uint64_t) 1L << 21);
2409
- carry4 = s4 >> 21;
2410
- s5 += carry4;
2411
- s4 -= carry4 * ((uint64_t) 1L << 21);
2412
- carry5 = s5 >> 21;
2413
- s6 += carry5;
2414
- s5 -= carry5 * ((uint64_t) 1L << 21);
2415
- carry6 = s6 >> 21;
2416
- s7 += carry6;
2417
- s6 -= carry6 * ((uint64_t) 1L << 21);
2418
- carry7 = s7 >> 21;
2419
- s8 += carry7;
2420
- s7 -= carry7 * ((uint64_t) 1L << 21);
2421
- carry8 = s8 >> 21;
2422
- s9 += carry8;
2423
- s8 -= carry8 * ((uint64_t) 1L << 21);
2424
- carry9 = s9 >> 21;
2425
- s10 += carry9;
2426
- s9 -= carry9 * ((uint64_t) 1L << 21);
2427
- carry10 = s10 >> 21;
2428
- s11 += carry10;
2429
- s10 -= carry10 * ((uint64_t) 1L << 21);
2430
-
2431
- s[0] = s0 >> 0;
2432
- s[1] = s0 >> 8;
2433
- s[2] = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
2434
- s[3] = s1 >> 3;
2435
- s[4] = s1 >> 11;
2436
- s[5] = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
2437
- s[6] = s2 >> 6;
2438
- s[7] = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
2439
- s[8] = s3 >> 1;
2440
- s[9] = s3 >> 9;
2441
- s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4));
2442
- s[11] = s4 >> 4;
2443
- s[12] = s4 >> 12;
2444
- s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1));
2445
- s[14] = s5 >> 7;
2446
- s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6));
2447
- s[16] = s6 >> 2;
2448
- s[17] = s6 >> 10;
2449
- s[18] = (s6 >> 18) | (s7 * ((uint64_t) 1 << 3));
2450
- s[19] = s7 >> 5;
2451
- s[20] = s7 >> 13;
2452
- s[21] = s8 >> 0;
2453
- s[22] = s8 >> 8;
2454
- s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5));
2455
- s[24] = s9 >> 3;
2456
- s[25] = s9 >> 11;
2457
- s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2));
2458
- s[27] = s10 >> 6;
2459
- s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7));
2460
- s[29] = s11 >> 1;
2461
- s[30] = s11 >> 9;
2462
- s[31] = s11 >> 17;
2463
- }
2464
-
2465
- /*
2466
- Input:
2467
- s[0]+256*s[1]+...+256^63*s[63] = s
2468
- *
2469
- Output:
2470
- s[0]+256*s[1]+...+256^31*s[31] = s mod l
2471
- where l = 2^252 + 27742317777372353535851937790883648493.
2472
- Overwrites s in place.
2473
- */
2474
-
2475
- void
2476
- sc_reduce(unsigned char *s)
2477
- {
2478
- int64_t s0 = 2097151 & load_3(s);
2479
- int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
2480
- int64_t s2 = 2097151 & (load_3(s + 5) >> 2);
2481
- int64_t s3 = 2097151 & (load_4(s + 7) >> 7);
2482
- int64_t s4 = 2097151 & (load_4(s + 10) >> 4);
2483
- int64_t s5 = 2097151 & (load_3(s + 13) >> 1);
2484
- int64_t s6 = 2097151 & (load_4(s + 15) >> 6);
2485
- int64_t s7 = 2097151 & (load_3(s + 18) >> 3);
2486
- int64_t s8 = 2097151 & load_3(s + 21);
2487
- int64_t s9 = 2097151 & (load_4(s + 23) >> 5);
2488
- int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
2489
- int64_t s11 = 2097151 & (load_4(s + 28) >> 7);
2490
- int64_t s12 = 2097151 & (load_4(s + 31) >> 4);
2491
- int64_t s13 = 2097151 & (load_3(s + 34) >> 1);
2492
- int64_t s14 = 2097151 & (load_4(s + 36) >> 6);
2493
- int64_t s15 = 2097151 & (load_3(s + 39) >> 3);
2494
- int64_t s16 = 2097151 & load_3(s + 42);
2495
- int64_t s17 = 2097151 & (load_4(s + 44) >> 5);
2496
- int64_t s18 = 2097151 & (load_3(s + 47) >> 2);
2497
- int64_t s19 = 2097151 & (load_4(s + 49) >> 7);
2498
- int64_t s20 = 2097151 & (load_4(s + 52) >> 4);
2499
- int64_t s21 = 2097151 & (load_3(s + 55) >> 1);
2500
- int64_t s22 = 2097151 & (load_4(s + 57) >> 6);
2501
- int64_t s23 = (load_4(s + 60) >> 3);
2502
-
2503
- int64_t carry0;
2504
- int64_t carry1;
2505
- int64_t carry2;
2506
- int64_t carry3;
2507
- int64_t carry4;
2508
- int64_t carry5;
2509
- int64_t carry6;
2510
- int64_t carry7;
2511
- int64_t carry8;
2512
- int64_t carry9;
2513
- int64_t carry10;
2514
- int64_t carry11;
2515
- int64_t carry12;
2516
- int64_t carry13;
2517
- int64_t carry14;
2518
- int64_t carry15;
2519
- int64_t carry16;
2520
-
2521
- s11 += s23 * 666643;
2522
- s12 += s23 * 470296;
2523
- s13 += s23 * 654183;
2524
- s14 -= s23 * 997805;
2525
- s15 += s23 * 136657;
2526
- s16 -= s23 * 683901;
2527
-
2528
- s10 += s22 * 666643;
2529
- s11 += s22 * 470296;
2530
- s12 += s22 * 654183;
2531
- s13 -= s22 * 997805;
2532
- s14 += s22 * 136657;
2533
- s15 -= s22 * 683901;
2534
-
2535
- s9 += s21 * 666643;
2536
- s10 += s21 * 470296;
2537
- s11 += s21 * 654183;
2538
- s12 -= s21 * 997805;
2539
- s13 += s21 * 136657;
2540
- s14 -= s21 * 683901;
2541
-
2542
- s8 += s20 * 666643;
2543
- s9 += s20 * 470296;
2544
- s10 += s20 * 654183;
2545
- s11 -= s20 * 997805;
2546
- s12 += s20 * 136657;
2547
- s13 -= s20 * 683901;
2548
-
2549
- s7 += s19 * 666643;
2550
- s8 += s19 * 470296;
2551
- s9 += s19 * 654183;
2552
- s10 -= s19 * 997805;
2553
- s11 += s19 * 136657;
2554
- s12 -= s19 * 683901;
2555
-
2556
- s6 += s18 * 666643;
2557
- s7 += s18 * 470296;
2558
- s8 += s18 * 654183;
2559
- s9 -= s18 * 997805;
2560
- s10 += s18 * 136657;
2561
- s11 -= s18 * 683901;
2562
-
2563
- carry6 = (s6 + (int64_t)(1L << 20)) >> 21;
2564
- s7 += carry6;
2565
- s6 -= carry6 * ((uint64_t) 1L << 21);
2566
- carry8 = (s8 + (int64_t)(1L << 20)) >> 21;
2567
- s9 += carry8;
2568
- s8 -= carry8 * ((uint64_t) 1L << 21);
2569
- carry10 = (s10 + (int64_t)(1L << 20)) >> 21;
2570
- s11 += carry10;
2571
- s10 -= carry10 * ((uint64_t) 1L << 21);
2572
- carry12 = (s12 + (int64_t)(1L << 20)) >> 21;
2573
- s13 += carry12;
2574
- s12 -= carry12 * ((uint64_t) 1L << 21);
2575
- carry14 = (s14 + (int64_t)(1L << 20)) >> 21;
2576
- s15 += carry14;
2577
- s14 -= carry14 * ((uint64_t) 1L << 21);
2578
- carry16 = (s16 + (int64_t)(1L << 20)) >> 21;
2579
- s17 += carry16;
2580
- s16 -= carry16 * ((uint64_t) 1L << 21);
2581
-
2582
- carry7 = (s7 + (int64_t)(1L << 20)) >> 21;
2583
- s8 += carry7;
2584
- s7 -= carry7 * ((uint64_t) 1L << 21);
2585
- carry9 = (s9 + (int64_t)(1L << 20)) >> 21;
2586
- s10 += carry9;
2587
- s9 -= carry9 * ((uint64_t) 1L << 21);
2588
- carry11 = (s11 + (int64_t)(1L << 20)) >> 21;
2589
- s12 += carry11;
2590
- s11 -= carry11 * ((uint64_t) 1L << 21);
2591
- carry13 = (s13 + (int64_t)(1L << 20)) >> 21;
2592
- s14 += carry13;
2593
- s13 -= carry13 * ((uint64_t) 1L << 21);
2594
- carry15 = (s15 + (int64_t)(1L << 20)) >> 21;
2595
- s16 += carry15;
2596
- s15 -= carry15 * ((uint64_t) 1L << 21);
2597
-
2598
- s5 += s17 * 666643;
2599
- s6 += s17 * 470296;
2600
- s7 += s17 * 654183;
2601
- s8 -= s17 * 997805;
2602
- s9 += s17 * 136657;
2603
- s10 -= s17 * 683901;
2604
-
2605
- s4 += s16 * 666643;
2606
- s5 += s16 * 470296;
2607
- s6 += s16 * 654183;
2608
- s7 -= s16 * 997805;
2609
- s8 += s16 * 136657;
2610
- s9 -= s16 * 683901;
2611
-
2612
- s3 += s15 * 666643;
2613
- s4 += s15 * 470296;
2614
- s5 += s15 * 654183;
2615
- s6 -= s15 * 997805;
2616
- s7 += s15 * 136657;
2617
- s8 -= s15 * 683901;
2618
-
2619
- s2 += s14 * 666643;
2620
- s3 += s14 * 470296;
2621
- s4 += s14 * 654183;
2622
- s5 -= s14 * 997805;
2623
- s6 += s14 * 136657;
2624
- s7 -= s14 * 683901;
2625
-
2626
- s1 += s13 * 666643;
2627
- s2 += s13 * 470296;
2628
- s3 += s13 * 654183;
2629
- s4 -= s13 * 997805;
2630
- s5 += s13 * 136657;
2631
- s6 -= s13 * 683901;
2632
-
2633
- s0 += s12 * 666643;
2634
- s1 += s12 * 470296;
2635
- s2 += s12 * 654183;
2636
- s3 -= s12 * 997805;
2637
- s4 += s12 * 136657;
2638
- s5 -= s12 * 683901;
2639
- s12 = 0;
2640
-
2641
- carry0 = (s0 + (int64_t)(1L << 20)) >> 21;
2642
- s1 += carry0;
2643
- s0 -= carry0 * ((uint64_t) 1L << 21);
2644
- carry2 = (s2 + (int64_t)(1L << 20)) >> 21;
2645
- s3 += carry2;
2646
- s2 -= carry2 * ((uint64_t) 1L << 21);
2647
- carry4 = (s4 + (int64_t)(1L << 20)) >> 21;
2648
- s5 += carry4;
2649
- s4 -= carry4 * ((uint64_t) 1L << 21);
2650
- carry6 = (s6 + (int64_t)(1L << 20)) >> 21;
2651
- s7 += carry6;
2652
- s6 -= carry6 * ((uint64_t) 1L << 21);
2653
- carry8 = (s8 + (int64_t)(1L << 20)) >> 21;
2654
- s9 += carry8;
2655
- s8 -= carry8 * ((uint64_t) 1L << 21);
2656
- carry10 = (s10 + (int64_t)(1L << 20)) >> 21;
2657
- s11 += carry10;
2658
- s10 -= carry10 * ((uint64_t) 1L << 21);
2659
-
2660
- carry1 = (s1 + (int64_t)(1L << 20)) >> 21;
2661
- s2 += carry1;
2662
- s1 -= carry1 * ((uint64_t) 1L << 21);
2663
- carry3 = (s3 + (int64_t)(1L << 20)) >> 21;
2664
- s4 += carry3;
2665
- s3 -= carry3 * ((uint64_t) 1L << 21);
2666
- carry5 = (s5 + (int64_t)(1L << 20)) >> 21;
2667
- s6 += carry5;
2668
- s5 -= carry5 * ((uint64_t) 1L << 21);
2669
- carry7 = (s7 + (int64_t)(1L << 20)) >> 21;
2670
- s8 += carry7;
2671
- s7 -= carry7 * ((uint64_t) 1L << 21);
2672
- carry9 = (s9 + (int64_t)(1L << 20)) >> 21;
2673
- s10 += carry9;
2674
- s9 -= carry9 * ((uint64_t) 1L << 21);
2675
- carry11 = (s11 + (int64_t)(1L << 20)) >> 21;
2676
- s12 += carry11;
2677
- s11 -= carry11 * ((uint64_t) 1L << 21);
2678
-
2679
- s0 += s12 * 666643;
2680
- s1 += s12 * 470296;
2681
- s2 += s12 * 654183;
2682
- s3 -= s12 * 997805;
2683
- s4 += s12 * 136657;
2684
- s5 -= s12 * 683901;
2685
- s12 = 0;
2686
-
2687
- carry0 = s0 >> 21;
2688
- s1 += carry0;
2689
- s0 -= carry0 * ((uint64_t) 1L << 21);
2690
- carry1 = s1 >> 21;
2691
- s2 += carry1;
2692
- s1 -= carry1 * ((uint64_t) 1L << 21);
2693
- carry2 = s2 >> 21;
2694
- s3 += carry2;
2695
- s2 -= carry2 * ((uint64_t) 1L << 21);
2696
- carry3 = s3 >> 21;
2697
- s4 += carry3;
2698
- s3 -= carry3 * ((uint64_t) 1L << 21);
2699
- carry4 = s4 >> 21;
2700
- s5 += carry4;
2701
- s4 -= carry4 * ((uint64_t) 1L << 21);
2702
- carry5 = s5 >> 21;
2703
- s6 += carry5;
2704
- s5 -= carry5 * ((uint64_t) 1L << 21);
2705
- carry6 = s6 >> 21;
2706
- s7 += carry6;
2707
- s6 -= carry6 * ((uint64_t) 1L << 21);
2708
- carry7 = s7 >> 21;
2709
- s8 += carry7;
2710
- s7 -= carry7 * ((uint64_t) 1L << 21);
2711
- carry8 = s8 >> 21;
2712
- s9 += carry8;
2713
- s8 -= carry8 * ((uint64_t) 1L << 21);
2714
- carry9 = s9 >> 21;
2715
- s10 += carry9;
2716
- s9 -= carry9 * ((uint64_t) 1L << 21);
2717
- carry10 = s10 >> 21;
2718
- s11 += carry10;
2719
- s10 -= carry10 * ((uint64_t) 1L << 21);
2720
- carry11 = s11 >> 21;
2721
- s12 += carry11;
2722
- s11 -= carry11 * ((uint64_t) 1L << 21);
2723
-
2724
- s0 += s12 * 666643;
2725
- s1 += s12 * 470296;
2726
- s2 += s12 * 654183;
2727
- s3 -= s12 * 997805;
2728
- s4 += s12 * 136657;
2729
- s5 -= s12 * 683901;
2730
-
2731
- carry0 = s0 >> 21;
2732
- s1 += carry0;
2733
- s0 -= carry0 * ((uint64_t) 1L << 21);
2734
- carry1 = s1 >> 21;
2735
- s2 += carry1;
2736
- s1 -= carry1 * ((uint64_t) 1L << 21);
2737
- carry2 = s2 >> 21;
2738
- s3 += carry2;
2739
- s2 -= carry2 * ((uint64_t) 1L << 21);
2740
- carry3 = s3 >> 21;
2741
- s4 += carry3;
2742
- s3 -= carry3 * ((uint64_t) 1L << 21);
2743
- carry4 = s4 >> 21;
2744
- s5 += carry4;
2745
- s4 -= carry4 * ((uint64_t) 1L << 21);
2746
- carry5 = s5 >> 21;
2747
- s6 += carry5;
2748
- s5 -= carry5 * ((uint64_t) 1L << 21);
2749
- carry6 = s6 >> 21;
2750
- s7 += carry6;
2751
- s6 -= carry6 * ((uint64_t) 1L << 21);
2752
- carry7 = s7 >> 21;
2753
- s8 += carry7;
2754
- s7 -= carry7 * ((uint64_t) 1L << 21);
2755
- carry8 = s8 >> 21;
2756
- s9 += carry8;
2757
- s8 -= carry8 * ((uint64_t) 1L << 21);
2758
- carry9 = s9 >> 21;
2759
- s10 += carry9;
2760
- s9 -= carry9 * ((uint64_t) 1L << 21);
2761
- carry10 = s10 >> 21;
2762
- s11 += carry10;
2763
- s10 -= carry10 * ((uint64_t) 1L << 21);
2764
-
2765
- s[0] = s0 >> 0;
2766
- s[1] = s0 >> 8;
2767
- s[2] = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
2768
- s[3] = s1 >> 3;
2769
- s[4] = s1 >> 11;
2770
- s[5] = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
2771
- s[6] = s2 >> 6;
2772
- s[7] = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
2773
- s[8] = s3 >> 1;
2774
- s[9] = s3 >> 9;
2775
- s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4));
2776
- s[11] = s4 >> 4;
2777
- s[12] = s4 >> 12;
2778
- s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1));
2779
- s[14] = s5 >> 7;
2780
- s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6));
2781
- s[16] = s6 >> 2;
2782
- s[17] = s6 >> 10;
2783
- s[18] = (s6 >> 18) | (s7 * ((uint64_t) 1 << 3));
2784
- s[19] = s7 >> 5;
2785
- s[20] = s7 >> 13;
2786
- s[21] = s8 >> 0;
2787
- s[22] = s8 >> 8;
2788
- s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5));
2789
- s[24] = s9 >> 3;
2790
- s[25] = s9 >> 11;
2791
- s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2));
2792
- s[27] = s10 >> 6;
2793
- s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7));
2794
- s[29] = s11 >> 1;
2795
- s[30] = s11 >> 9;
2796
- s[31] = s11 >> 17;
2797
- }