npm - react-native-quick-crypto - Versions diffs - 1.0.0-beta.16 → 1.0.0-beta.17 - Mend

react-native-quick-crypto 1.0.0-beta.16 → 1.0.0-beta.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (605) hide show

package/ios/libsodium-stable/src/libsodium/include/sodium/private/ed25519_ref10_fe_25_5.h DELETED Viewed

@@ -1,1030 +0,0 @@
-#include <string.h>
-#include "private/common.h"
-#include "utils.h"
-/*
- h = 0
- */
-static inline void
-fe25519_0(fe25519 h)
-{
-    memset(&h[0], 0, 10 * sizeof h[0]);
-}
-/*
- h = 1
- */
-static inline void
-fe25519_1(fe25519 h)
-{
-    h[0] = 1;
-    h[1] = 0;
-    memset(&h[2], 0, 8 * sizeof h[0]);
-}
-/*
- h = f + g
- Can overlap h with f or g.
- *
- Preconditions:
- |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- Postconditions:
- |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- */
-static inline void
-fe25519_add(fe25519 h, const fe25519 f, const fe25519 g)
-{
-    int32_t h0 = f[0] + g[0];
-    int32_t h1 = f[1] + g[1];
-    int32_t h2 = f[2] + g[2];
-    int32_t h3 = f[3] + g[3];
-    int32_t h4 = f[4] + g[4];
-    int32_t h5 = f[5] + g[5];
-    int32_t h6 = f[6] + g[6];
-    int32_t h7 = f[7] + g[7];
-    int32_t h8 = f[8] + g[8];
-    int32_t h9 = f[9] + g[9];
-    h[0] = h0;
-    h[1] = h1;
-    h[2] = h2;
-    h[3] = h3;
-    h[4] = h4;
-    h[5] = h5;
-    h[6] = h6;
-    h[7] = h7;
-    h[8] = h8;
-    h[9] = h9;
-}
-/*
- h = f - g
- Can overlap h with f or g.
- *
- Preconditions:
- |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- Postconditions:
- |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- */
-static void
-fe25519_sub(fe25519 h, const fe25519 f, const fe25519 g)
-{
-    int32_t h0 = f[0] - g[0];
-    int32_t h1 = f[1] - g[1];
-    int32_t h2 = f[2] - g[2];
-    int32_t h3 = f[3] - g[3];
-    int32_t h4 = f[4] - g[4];
-    int32_t h5 = f[5] - g[5];
-    int32_t h6 = f[6] - g[6];
-    int32_t h7 = f[7] - g[7];
-    int32_t h8 = f[8] - g[8];
-    int32_t h9 = f[9] - g[9];
-    h[0] = h0;
-    h[1] = h1;
-    h[2] = h2;
-    h[3] = h3;
-    h[4] = h4;
-    h[5] = h5;
-    h[6] = h6;
-    h[7] = h7;
-    h[8] = h8;
-    h[9] = h9;
-}
-/*
- h = -f
- *
- Preconditions:
- |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- Postconditions:
- |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- */
-static inline void
-fe25519_neg(fe25519 h, const fe25519 f)
-{
-    int32_t h0 = -f[0];
-    int32_t h1 = -f[1];
-    int32_t h2 = -f[2];
-    int32_t h3 = -f[3];
-    int32_t h4 = -f[4];
-    int32_t h5 = -f[5];
-    int32_t h6 = -f[6];
-    int32_t h7 = -f[7];
-    int32_t h8 = -f[8];
-    int32_t h9 = -f[9];
-    h[0] = h0;
-    h[1] = h1;
-    h[2] = h2;
-    h[3] = h3;
-    h[4] = h4;
-    h[5] = h5;
-    h[6] = h6;
-    h[7] = h7;
-    h[8] = h8;
-    h[9] = h9;
-}
-/*
- Replace (f,g) with (g,g) if b == 1;
- replace (f,g) with (f,g) if b == 0.
- *
- Preconditions: b in {0,1}.
- */
-static void
-fe25519_cmov(fe25519 f, const fe25519 g, unsigned int b)
-{
-    const uint32_t mask = (uint32_t) (-(int32_t) b);
-    int32_t f0 = f[0];
-    int32_t f1 = f[1];
-    int32_t f2 = f[2];
-    int32_t f3 = f[3];
-    int32_t f4 = f[4];
-    int32_t f5 = f[5];
-    int32_t f6 = f[6];
-    int32_t f7 = f[7];
-    int32_t f8 = f[8];
-    int32_t f9 = f[9];
-    int32_t x0 = f0 ^ g[0];
-    int32_t x1 = f1 ^ g[1];
-    int32_t x2 = f2 ^ g[2];
-    int32_t x3 = f3 ^ g[3];
-    int32_t x4 = f4 ^ g[4];
-    int32_t x5 = f5 ^ g[5];
-    int32_t x6 = f6 ^ g[6];
-    int32_t x7 = f7 ^ g[7];
-    int32_t x8 = f8 ^ g[8];
-    int32_t x9 = f9 ^ g[9];
-    x0 &= mask;
-    x1 &= mask;
-    x2 &= mask;
-    x3 &= mask;
-    x4 &= mask;
-    x5 &= mask;
-    x6 &= mask;
-    x7 &= mask;
-    x8 &= mask;
-    x9 &= mask;
-    f[0] = f0 ^ x0;
-    f[1] = f1 ^ x1;
-    f[2] = f2 ^ x2;
-    f[3] = f3 ^ x3;
-    f[4] = f4 ^ x4;
-    f[5] = f5 ^ x5;
-    f[6] = f6 ^ x6;
-    f[7] = f7 ^ x7;
-    f[8] = f8 ^ x8;
-    f[9] = f9 ^ x9;
-}
-static void
-fe25519_cswap(fe25519 f, fe25519 g, unsigned int b)
-{
-    const uint32_t mask = (uint32_t) (-(int64_t) b);
-    int32_t f0 = f[0];
-    int32_t f1 = f[1];
-    int32_t f2 = f[2];
-    int32_t f3 = f[3];
-    int32_t f4 = f[4];
-    int32_t f5 = f[5];
-    int32_t f6 = f[6];
-    int32_t f7 = f[7];
-    int32_t f8 = f[8];
-    int32_t f9 = f[9];
-    int32_t g0 = g[0];
-    int32_t g1 = g[1];
-    int32_t g2 = g[2];
-    int32_t g3 = g[3];
-    int32_t g4 = g[4];
-    int32_t g5 = g[5];
-    int32_t g6 = g[6];
-    int32_t g7 = g[7];
-    int32_t g8 = g[8];
-    int32_t g9 = g[9];
-    int32_t x0 = f0 ^ g0;
-    int32_t x1 = f1 ^ g1;
-    int32_t x2 = f2 ^ g2;
-    int32_t x3 = f3 ^ g3;
-    int32_t x4 = f4 ^ g4;
-    int32_t x5 = f5 ^ g5;
-    int32_t x6 = f6 ^ g6;
-    int32_t x7 = f7 ^ g7;
-    int32_t x8 = f8 ^ g8;
-    int32_t x9 = f9 ^ g9;
-    x0 &= mask;
-    x1 &= mask;
-    x2 &= mask;
-    x3 &= mask;
-    x4 &= mask;
-    x5 &= mask;
-    x6 &= mask;
-    x7 &= mask;
-    x8 &= mask;
-    x9 &= mask;
-    f[0] = f0 ^ x0;
-    f[1] = f1 ^ x1;
-    f[2] = f2 ^ x2;
-    f[3] = f3 ^ x3;
-    f[4] = f4 ^ x4;
-    f[5] = f5 ^ x5;
-    f[6] = f6 ^ x6;
-    f[7] = f7 ^ x7;
-    f[8] = f8 ^ x8;
-    f[9] = f9 ^ x9;
-    g[0] = g0 ^ x0;
-    g[1] = g1 ^ x1;
-    g[2] = g2 ^ x2;
-    g[3] = g3 ^ x3;
-    g[4] = g4 ^ x4;
-    g[5] = g5 ^ x5;
-    g[6] = g6 ^ x6;
-    g[7] = g7 ^ x7;
-    g[8] = g8 ^ x8;
-    g[9] = g9 ^ x9;
-}
-/*
- h = f
- */
-static inline void
-fe25519_copy(fe25519 h, const fe25519 f)
-{
-    memcpy(h, f, 10 * sizeof h[0]);
-}
-/*
- return 1 if f is in {1,3,5,...,q-2}
- return 0 if f is in {0,2,4,...,q-1}
- Preconditions:
- |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- */
-static inline int
-fe25519_isnegative(const fe25519 f)
-{
-    unsigned char s[32];
-    fe25519_tobytes(s, f);
-    return s[0] & 1;
-}
-/*
- return 1 if f == 0
- return 0 if f != 0
- Preconditions:
- |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- */
-static inline int
-fe25519_iszero(const fe25519 f)
-{
-    unsigned char s[32];
-    fe25519_tobytes(s, f);
-    return sodium_is_zero(s, 32);
-}
-/*
- h = f * g
- Can overlap h with f or g.
- *
- Preconditions:
- |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- Postconditions:
- |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- */
-/*
- Notes on implementation strategy:
- *
- Using schoolbook multiplication.
- Karatsuba would save a little in some cost models.
- *
- Most multiplications by 2 and 19 are 32-bit precomputations;
- cheaper than 64-bit postcomputations.
- *
- There is one remaining multiplication by 19 in the carry chain;
- one *19 precomputation can be merged into this,
- but the resulting data flow is considerably less clean.
- *
- There are 12 carries below.
- 10 of them are 2-way parallelizable and vectorizable.
- Can get away with 11 carries, but then data flow is much deeper.
- *
- With tighter constraints on inputs can squeeze carries into int32.
- */
-static void
-fe25519_mul(fe25519 h, const fe25519 f, const fe25519 g)
-{
-    int32_t f0 = f[0];
-    int32_t f1 = f[1];
-    int32_t f2 = f[2];
-    int32_t f3 = f[3];
-    int32_t f4 = f[4];
-    int32_t f5 = f[5];
-    int32_t f6 = f[6];
-    int32_t f7 = f[7];
-    int32_t f8 = f[8];
-    int32_t f9 = f[9];
-    int32_t g0 = g[0];
-    int32_t g1 = g[1];
-    int32_t g2 = g[2];
-    int32_t g3 = g[3];
-    int32_t g4 = g[4];
-    int32_t g5 = g[5];
-    int32_t g6 = g[6];
-    int32_t g7 = g[7];
-    int32_t g8 = g[8];
-    int32_t g9 = g[9];
-    int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
-    int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
-    int32_t g3_19 = 19 * g3;
-    int32_t g4_19 = 19 * g4;
-    int32_t g5_19 = 19 * g5;
-    int32_t g6_19 = 19 * g6;
-    int32_t g7_19 = 19 * g7;
-    int32_t g8_19 = 19 * g8;
-    int32_t g9_19 = 19 * g9;
-    int32_t f1_2  = 2 * f1;
-    int32_t f3_2  = 2 * f3;
-    int32_t f5_2  = 2 * f5;
-    int32_t f7_2  = 2 * f7;
-    int32_t f9_2  = 2 * f9;
-    int64_t f0g0    = f0 * (int64_t) g0;
-    int64_t f0g1    = f0 * (int64_t) g1;
-    int64_t f0g2    = f0 * (int64_t) g2;
-    int64_t f0g3    = f0 * (int64_t) g3;
-    int64_t f0g4    = f0 * (int64_t) g4;
-    int64_t f0g5    = f0 * (int64_t) g5;
-    int64_t f0g6    = f0 * (int64_t) g6;
-    int64_t f0g7    = f0 * (int64_t) g7;
-    int64_t f0g8    = f0 * (int64_t) g8;
-    int64_t f0g9    = f0 * (int64_t) g9;
-    int64_t f1g0    = f1 * (int64_t) g0;
-    int64_t f1g1_2  = f1_2 * (int64_t) g1;
-    int64_t f1g2    = f1 * (int64_t) g2;
-    int64_t f1g3_2  = f1_2 * (int64_t) g3;
-    int64_t f1g4    = f1 * (int64_t) g4;
-    int64_t f1g5_2  = f1_2 * (int64_t) g5;
-    int64_t f1g6    = f1 * (int64_t) g6;
-    int64_t f1g7_2  = f1_2 * (int64_t) g7;
-    int64_t f1g8    = f1 * (int64_t) g8;
-    int64_t f1g9_38 = f1_2 * (int64_t) g9_19;
-    int64_t f2g0    = f2 * (int64_t) g0;
-    int64_t f2g1    = f2 * (int64_t) g1;
-    int64_t f2g2    = f2 * (int64_t) g2;
-    int64_t f2g3    = f2 * (int64_t) g3;
-    int64_t f2g4    = f2 * (int64_t) g4;
-    int64_t f2g5    = f2 * (int64_t) g5;
-    int64_t f2g6    = f2 * (int64_t) g6;
-    int64_t f2g7    = f2 * (int64_t) g7;
-    int64_t f2g8_19 = f2 * (int64_t) g8_19;
-    int64_t f2g9_19 = f2 * (int64_t) g9_19;
-    int64_t f3g0    = f3 * (int64_t) g0;
-    int64_t f3g1_2  = f3_2 * (int64_t) g1;
-    int64_t f3g2    = f3 * (int64_t) g2;
-    int64_t f3g3_2  = f3_2 * (int64_t) g3;
-    int64_t f3g4    = f3 * (int64_t) g4;
-    int64_t f3g5_2  = f3_2 * (int64_t) g5;
-    int64_t f3g6    = f3 * (int64_t) g6;
-    int64_t f3g7_38 = f3_2 * (int64_t) g7_19;
-    int64_t f3g8_19 = f3 * (int64_t) g8_19;
-    int64_t f3g9_38 = f3_2 * (int64_t) g9_19;
-    int64_t f4g0    = f4 * (int64_t) g0;
-    int64_t f4g1    = f4 * (int64_t) g1;
-    int64_t f4g2    = f4 * (int64_t) g2;
-    int64_t f4g3    = f4 * (int64_t) g3;
-    int64_t f4g4    = f4 * (int64_t) g4;
-    int64_t f4g5    = f4 * (int64_t) g5;
-    int64_t f4g6_19 = f4 * (int64_t) g6_19;
-    int64_t f4g7_19 = f4 * (int64_t) g7_19;
-    int64_t f4g8_19 = f4 * (int64_t) g8_19;
-    int64_t f4g9_19 = f4 * (int64_t) g9_19;
-    int64_t f5g0    = f5 * (int64_t) g0;
-    int64_t f5g1_2  = f5_2 * (int64_t) g1;
-    int64_t f5g2    = f5 * (int64_t) g2;
-    int64_t f5g3_2  = f5_2 * (int64_t) g3;
-    int64_t f5g4    = f5 * (int64_t) g4;
-    int64_t f5g5_38 = f5_2 * (int64_t) g5_19;
-    int64_t f5g6_19 = f5 * (int64_t) g6_19;
-    int64_t f5g7_38 = f5_2 * (int64_t) g7_19;
-    int64_t f5g8_19 = f5 * (int64_t) g8_19;
-    int64_t f5g9_38 = f5_2 * (int64_t) g9_19;
-    int64_t f6g0    = f6 * (int64_t) g0;
-    int64_t f6g1    = f6 * (int64_t) g1;
-    int64_t f6g2    = f6 * (int64_t) g2;
-    int64_t f6g3    = f6 * (int64_t) g3;
-    int64_t f6g4_19 = f6 * (int64_t) g4_19;
-    int64_t f6g5_19 = f6 * (int64_t) g5_19;
-    int64_t f6g6_19 = f6 * (int64_t) g6_19;
-    int64_t f6g7_19 = f6 * (int64_t) g7_19;
-    int64_t f6g8_19 = f6 * (int64_t) g8_19;
-    int64_t f6g9_19 = f6 * (int64_t) g9_19;
-    int64_t f7g0    = f7 * (int64_t) g0;
-    int64_t f7g1_2  = f7_2 * (int64_t) g1;
-    int64_t f7g2    = f7 * (int64_t) g2;
-    int64_t f7g3_38 = f7_2 * (int64_t) g3_19;
-    int64_t f7g4_19 = f7 * (int64_t) g4_19;
-    int64_t f7g5_38 = f7_2 * (int64_t) g5_19;
-    int64_t f7g6_19 = f7 * (int64_t) g6_19;
-    int64_t f7g7_38 = f7_2 * (int64_t) g7_19;
-    int64_t f7g8_19 = f7 * (int64_t) g8_19;
-    int64_t f7g9_38 = f7_2 * (int64_t) g9_19;
-    int64_t f8g0    = f8 * (int64_t) g0;
-    int64_t f8g1    = f8 * (int64_t) g1;
-    int64_t f8g2_19 = f8 * (int64_t) g2_19;
-    int64_t f8g3_19 = f8 * (int64_t) g3_19;
-    int64_t f8g4_19 = f8 * (int64_t) g4_19;
-    int64_t f8g5_19 = f8 * (int64_t) g5_19;
-    int64_t f8g6_19 = f8 * (int64_t) g6_19;
-    int64_t f8g7_19 = f8 * (int64_t) g7_19;
-    int64_t f8g8_19 = f8 * (int64_t) g8_19;
-    int64_t f8g9_19 = f8 * (int64_t) g9_19;
-    int64_t f9g0    = f9 * (int64_t) g0;
-    int64_t f9g1_38 = f9_2 * (int64_t) g1_19;
-    int64_t f9g2_19 = f9 * (int64_t) g2_19;
-    int64_t f9g3_38 = f9_2 * (int64_t) g3_19;
-    int64_t f9g4_19 = f9 * (int64_t) g4_19;
-    int64_t f9g5_38 = f9_2 * (int64_t) g5_19;
-    int64_t f9g6_19 = f9 * (int64_t) g6_19;
-    int64_t f9g7_38 = f9_2 * (int64_t) g7_19;
-    int64_t f9g8_19 = f9 * (int64_t) g8_19;
-    int64_t f9g9_38 = f9_2 * (int64_t) g9_19;
-    int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 +
-                 f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38;
-    int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 +
-                 f7g4_19 + f8g3_19 + f9g2_19;
-    int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 +
-                 f7g5_38 + f8g4_19 + f9g3_38;
-    int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 +
-                 f7g6_19 + f8g5_19 + f9g4_19;
-    int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 +
-                 f7g7_38 + f8g6_19 + f9g5_38;
-    int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 +
-                 f8g7_19 + f9g6_19;
-    int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 +
-                 f7g9_38 + f8g8_19 + f9g7_38;
-    int64_t h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 +
-                 f8g9_19 + f9g8_19;
-    int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 +
-                 f8g0 + f9g9_38;
-    int64_t h9 =
-        f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0;
-    int64_t carry0;
-    int64_t carry1;
-    int64_t carry2;
-    int64_t carry3;
-    int64_t carry4;
-    int64_t carry5;
-    int64_t carry6;
-    int64_t carry7;
-    int64_t carry8;
-    int64_t carry9;
-    /*
-     |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
-     i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
-     |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
-     i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
-     */
-    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
-    h1 += carry0;
-    h0 -= carry0 * ((uint64_t) 1L << 26);
-    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
-    h5 += carry4;
-    h4 -= carry4 * ((uint64_t) 1L << 26);
-    /* |h0| <= 2^25 */
-    /* |h4| <= 2^25 */
-    /* |h1| <= 1.71*2^59 */
-    /* |h5| <= 1.71*2^59 */
-    carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
-    h2 += carry1;
-    h1 -= carry1 * ((uint64_t) 1L << 25);
-    carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
-    h6 += carry5;
-    h5 -= carry5 * ((uint64_t) 1L << 25);
-    /* |h1| <= 2^24; from now on fits into int32 */
-    /* |h5| <= 2^24; from now on fits into int32 */
-    /* |h2| <= 1.41*2^60 */
-    /* |h6| <= 1.41*2^60 */
-    carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
-    h3 += carry2;
-    h2 -= carry2 * ((uint64_t) 1L << 26);
-    carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
-    h7 += carry6;
-    h6 -= carry6 * ((uint64_t) 1L << 26);
-    /* |h2| <= 2^25; from now on fits into int32 unchanged */
-    /* |h6| <= 2^25; from now on fits into int32 unchanged */
-    /* |h3| <= 1.71*2^59 */
-    /* |h7| <= 1.71*2^59 */
-    carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
-    h4 += carry3;
-    h3 -= carry3 * ((uint64_t) 1L << 25);
-    carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
-    h8 += carry7;
-    h7 -= carry7 * ((uint64_t) 1L << 25);
-    /* |h3| <= 2^24; from now on fits into int32 unchanged */
-    /* |h7| <= 2^24; from now on fits into int32 unchanged */
-    /* |h4| <= 1.72*2^34 */
-    /* |h8| <= 1.41*2^60 */
-    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
-    h5 += carry4;
-    h4 -= carry4 * ((uint64_t) 1L << 26);
-    carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
-    h9 += carry8;
-    h8 -= carry8 * ((uint64_t) 1L << 26);
-    /* |h4| <= 2^25; from now on fits into int32 unchanged */
-    /* |h8| <= 2^25; from now on fits into int32 unchanged */
-    /* |h5| <= 1.01*2^24 */
-    /* |h9| <= 1.71*2^59 */
-    carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
-    h0 += carry9 * 19;
-    h9 -= carry9 * ((uint64_t) 1L << 25);
-    /* |h9| <= 2^24; from now on fits into int32 unchanged */
-    /* |h0| <= 1.1*2^39 */
-    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
-    h1 += carry0;
-    h0 -= carry0 * ((uint64_t) 1L << 26);
-    /* |h0| <= 2^25; from now on fits into int32 unchanged */
-    /* |h1| <= 1.01*2^24 */
-    h[0] = (int32_t) h0;
-    h[1] = (int32_t) h1;
-    h[2] = (int32_t) h2;
-    h[3] = (int32_t) h3;
-    h[4] = (int32_t) h4;
-    h[5] = (int32_t) h5;
-    h[6] = (int32_t) h6;
-    h[7] = (int32_t) h7;
-    h[8] = (int32_t) h8;
-    h[9] = (int32_t) h9;
-}
-/*
- h = f * f
- Can overlap h with f.
- *
- Preconditions:
- |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- Postconditions:
- |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- */
-static void
-fe25519_sq(fe25519 h, const fe25519 f)
-{
-    int32_t f0 = f[0];
-    int32_t f1 = f[1];
-    int32_t f2 = f[2];
-    int32_t f3 = f[3];
-    int32_t f4 = f[4];
-    int32_t f5 = f[5];
-    int32_t f6 = f[6];
-    int32_t f7 = f[7];
-    int32_t f8 = f[8];
-    int32_t f9 = f[9];
-    int32_t f0_2  = 2 * f0;
-    int32_t f1_2  = 2 * f1;
-    int32_t f2_2  = 2 * f2;
-    int32_t f3_2  = 2 * f3;
-    int32_t f4_2  = 2 * f4;
-    int32_t f5_2  = 2 * f5;
-    int32_t f6_2  = 2 * f6;
-    int32_t f7_2  = 2 * f7;
-    int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
-    int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
-    int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
-    int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
-    int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
-    int64_t f0f0    = f0 * (int64_t) f0;
-    int64_t f0f1_2  = f0_2 * (int64_t) f1;
-    int64_t f0f2_2  = f0_2 * (int64_t) f2;
-    int64_t f0f3_2  = f0_2 * (int64_t) f3;
-    int64_t f0f4_2  = f0_2 * (int64_t) f4;
-    int64_t f0f5_2  = f0_2 * (int64_t) f5;
-    int64_t f0f6_2  = f0_2 * (int64_t) f6;
-    int64_t f0f7_2  = f0_2 * (int64_t) f7;
-    int64_t f0f8_2  = f0_2 * (int64_t) f8;
-    int64_t f0f9_2  = f0_2 * (int64_t) f9;
-    int64_t f1f1_2  = f1_2 * (int64_t) f1;
-    int64_t f1f2_2  = f1_2 * (int64_t) f2;
-    int64_t f1f3_4  = f1_2 * (int64_t) f3_2;
-    int64_t f1f4_2  = f1_2 * (int64_t) f4;
-    int64_t f1f5_4  = f1_2 * (int64_t) f5_2;
-    int64_t f1f6_2  = f1_2 * (int64_t) f6;
-    int64_t f1f7_4  = f1_2 * (int64_t) f7_2;
-    int64_t f1f8_2  = f1_2 * (int64_t) f8;
-    int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
-    int64_t f2f2    = f2 * (int64_t) f2;
-    int64_t f2f3_2  = f2_2 * (int64_t) f3;
-    int64_t f2f4_2  = f2_2 * (int64_t) f4;
-    int64_t f2f5_2  = f2_2 * (int64_t) f5;
-    int64_t f2f6_2  = f2_2 * (int64_t) f6;
-    int64_t f2f7_2  = f2_2 * (int64_t) f7;
-    int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
-    int64_t f2f9_38 = f2 * (int64_t) f9_38;
-    int64_t f3f3_2  = f3_2 * (int64_t) f3;
-    int64_t f3f4_2  = f3_2 * (int64_t) f4;
-    int64_t f3f5_4  = f3_2 * (int64_t) f5_2;
-    int64_t f3f6_2  = f3_2 * (int64_t) f6;
-    int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
-    int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
-    int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
-    int64_t f4f4    = f4 * (int64_t) f4;
-    int64_t f4f5_2  = f4_2 * (int64_t) f5;
-    int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
-    int64_t f4f7_38 = f4 * (int64_t) f7_38;
-    int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
-    int64_t f4f9_38 = f4 * (int64_t) f9_38;
-    int64_t f5f5_38 = f5 * (int64_t) f5_38;
-    int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
-    int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
-    int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
-    int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
-    int64_t f6f6_19 = f6 * (int64_t) f6_19;
-    int64_t f6f7_38 = f6 * (int64_t) f7_38;
-    int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
-    int64_t f6f9_38 = f6 * (int64_t) f9_38;
-    int64_t f7f7_38 = f7 * (int64_t) f7_38;
-    int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
-    int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
-    int64_t f8f8_19 = f8 * (int64_t) f8_19;
-    int64_t f8f9_38 = f8 * (int64_t) f9_38;
-    int64_t f9f9_38 = f9 * (int64_t) f9_38;
-    int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
-    int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
-    int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
-    int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
-    int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
-    int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
-    int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
-    int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
-    int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
-    int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
-    int64_t carry0;
-    int64_t carry1;
-    int64_t carry2;
-    int64_t carry3;
-    int64_t carry4;
-    int64_t carry5;
-    int64_t carry6;
-    int64_t carry7;
-    int64_t carry8;
-    int64_t carry9;
-    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
-    h1 += carry0;
-    h0 -= carry0 * ((uint64_t) 1L << 26);
-    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
-    h5 += carry4;
-    h4 -= carry4 * ((uint64_t) 1L << 26);
-    carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
-    h2 += carry1;
-    h1 -= carry1 * ((uint64_t) 1L << 25);
-    carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
-    h6 += carry5;
-    h5 -= carry5 * ((uint64_t) 1L << 25);
-    carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
-    h3 += carry2;
-    h2 -= carry2 * ((uint64_t) 1L << 26);
-    carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
-    h7 += carry6;
-    h6 -= carry6 * ((uint64_t) 1L << 26);
-    carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
-    h4 += carry3;
-    h3 -= carry3 * ((uint64_t) 1L << 25);
-    carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
-    h8 += carry7;
-    h7 -= carry7 * ((uint64_t) 1L << 25);
-    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
-    h5 += carry4;
-    h4 -= carry4 * ((uint64_t) 1L << 26);
-    carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
-    h9 += carry8;
-    h8 -= carry8 * ((uint64_t) 1L << 26);
-    carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
-    h0 += carry9 * 19;
-    h9 -= carry9 * ((uint64_t) 1L << 25);
-    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
-    h1 += carry0;
-    h0 -= carry0 * ((uint64_t) 1L << 26);
-    h[0] = (int32_t) h0;
-    h[1] = (int32_t) h1;
-    h[2] = (int32_t) h2;
-    h[3] = (int32_t) h3;
-    h[4] = (int32_t) h4;
-    h[5] = (int32_t) h5;
-    h[6] = (int32_t) h6;
-    h[7] = (int32_t) h7;
-    h[8] = (int32_t) h8;
-    h[9] = (int32_t) h9;
-}
-/*
- h = 2 * f * f
- Can overlap h with f.
- *
- Preconditions:
- |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- Postconditions:
- |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- */
-static void
-fe25519_sq2(fe25519 h, const fe25519 f)
-{
-    int32_t f0 = f[0];
-    int32_t f1 = f[1];
-    int32_t f2 = f[2];
-    int32_t f3 = f[3];
-    int32_t f4 = f[4];
-    int32_t f5 = f[5];
-    int32_t f6 = f[6];
-    int32_t f7 = f[7];
-    int32_t f8 = f[8];
-    int32_t f9 = f[9];
-    int32_t f0_2  = 2 * f0;
-    int32_t f1_2  = 2 * f1;
-    int32_t f2_2  = 2 * f2;
-    int32_t f3_2  = 2 * f3;
-    int32_t f4_2  = 2 * f4;
-    int32_t f5_2  = 2 * f5;
-    int32_t f6_2  = 2 * f6;
-    int32_t f7_2  = 2 * f7;
-    int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
-    int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
-    int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
-    int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
-    int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
-    int64_t f0f0    = f0 * (int64_t) f0;
-    int64_t f0f1_2  = f0_2 * (int64_t) f1;
-    int64_t f0f2_2  = f0_2 * (int64_t) f2;
-    int64_t f0f3_2  = f0_2 * (int64_t) f3;
-    int64_t f0f4_2  = f0_2 * (int64_t) f4;
-    int64_t f0f5_2  = f0_2 * (int64_t) f5;
-    int64_t f0f6_2  = f0_2 * (int64_t) f6;
-    int64_t f0f7_2  = f0_2 * (int64_t) f7;
-    int64_t f0f8_2  = f0_2 * (int64_t) f8;
-    int64_t f0f9_2  = f0_2 * (int64_t) f9;
-    int64_t f1f1_2  = f1_2 * (int64_t) f1;
-    int64_t f1f2_2  = f1_2 * (int64_t) f2;
-    int64_t f1f3_4  = f1_2 * (int64_t) f3_2;
-    int64_t f1f4_2  = f1_2 * (int64_t) f4;
-    int64_t f1f5_4  = f1_2 * (int64_t) f5_2;
-    int64_t f1f6_2  = f1_2 * (int64_t) f6;
-    int64_t f1f7_4  = f1_2 * (int64_t) f7_2;
-    int64_t f1f8_2  = f1_2 * (int64_t) f8;
-    int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
-    int64_t f2f2    = f2 * (int64_t) f2;
-    int64_t f2f3_2  = f2_2 * (int64_t) f3;
-    int64_t f2f4_2  = f2_2 * (int64_t) f4;
-    int64_t f2f5_2  = f2_2 * (int64_t) f5;
-    int64_t f2f6_2  = f2_2 * (int64_t) f6;
-    int64_t f2f7_2  = f2_2 * (int64_t) f7;
-    int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
-    int64_t f2f9_38 = f2 * (int64_t) f9_38;
-    int64_t f3f3_2  = f3_2 * (int64_t) f3;
-    int64_t f3f4_2  = f3_2 * (int64_t) f4;
-    int64_t f3f5_4  = f3_2 * (int64_t) f5_2;
-    int64_t f3f6_2  = f3_2 * (int64_t) f6;
-    int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
-    int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
-    int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
-    int64_t f4f4    = f4 * (int64_t) f4;
-    int64_t f4f5_2  = f4_2 * (int64_t) f5;
-    int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
-    int64_t f4f7_38 = f4 * (int64_t) f7_38;
-    int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
-    int64_t f4f9_38 = f4 * (int64_t) f9_38;
-    int64_t f5f5_38 = f5 * (int64_t) f5_38;
-    int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
-    int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
-    int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
-    int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
-    int64_t f6f6_19 = f6 * (int64_t) f6_19;
-    int64_t f6f7_38 = f6 * (int64_t) f7_38;
-    int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
-    int64_t f6f9_38 = f6 * (int64_t) f9_38;
-    int64_t f7f7_38 = f7 * (int64_t) f7_38;
-    int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
-    int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
-    int64_t f8f8_19 = f8 * (int64_t) f8_19;
-    int64_t f8f9_38 = f8 * (int64_t) f9_38;
-    int64_t f9f9_38 = f9 * (int64_t) f9_38;
-    int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
-    int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
-    int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
-    int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
-    int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
-    int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
-    int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
-    int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
-    int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
-    int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
-    int64_t carry0;
-    int64_t carry1;
-    int64_t carry2;
-    int64_t carry3;
-    int64_t carry4;
-    int64_t carry5;
-    int64_t carry6;
-    int64_t carry7;
-    int64_t carry8;
-    int64_t carry9;
-    h0 += h0;
-    h1 += h1;
-    h2 += h2;
-    h3 += h3;
-    h4 += h4;
-    h5 += h5;
-    h6 += h6;
-    h7 += h7;
-    h8 += h8;
-    h9 += h9;
-    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
-    h1 += carry0;
-    h0 -= carry0 * ((uint64_t) 1L << 26);
-    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
-    h5 += carry4;
-    h4 -= carry4 * ((uint64_t) 1L << 26);
-    carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
-    h2 += carry1;
-    h1 -= carry1 * ((uint64_t) 1L << 25);
-    carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
-    h6 += carry5;
-    h5 -= carry5 * ((uint64_t) 1L << 25);
-    carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
-    h3 += carry2;
-    h2 -= carry2 * ((uint64_t) 1L << 26);
-    carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
-    h7 += carry6;
-    h6 -= carry6 * ((uint64_t) 1L << 26);
-    carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
-    h4 += carry3;
-    h3 -= carry3 * ((uint64_t) 1L << 25);
-    carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
-    h8 += carry7;
-    h7 -= carry7 * ((uint64_t) 1L << 25);
-    carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
-    h5 += carry4;
-    h4 -= carry4 * ((uint64_t) 1L << 26);
-    carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
-    h9 += carry8;
-    h8 -= carry8 * ((uint64_t) 1L << 26);
-    carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
-    h0 += carry9 * 19;
-    h9 -= carry9 * ((uint64_t) 1L << 25);
-    carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
-    h1 += carry0;
-    h0 -= carry0 * ((uint64_t) 1L << 26);
-    h[0] = (int32_t) h0;
-    h[1] = (int32_t) h1;
-    h[2] = (int32_t) h2;
-    h[3] = (int32_t) h3;
-    h[4] = (int32_t) h4;
-    h[5] = (int32_t) h5;
-    h[6] = (int32_t) h6;
-    h[7] = (int32_t) h7;
-    h[8] = (int32_t) h8;
-    h[9] = (int32_t) h9;
-}
-static inline void
-fe25519_mul32(fe25519 h, const fe25519 f, uint32_t n)
-{
-    int64_t sn = (int64_t) n;
-    int32_t f0 = f[0];
-    int32_t f1 = f[1];
-    int32_t f2 = f[2];
-    int32_t f3 = f[3];
-    int32_t f4 = f[4];
-    int32_t f5 = f[5];
-    int32_t f6 = f[6];
-    int32_t f7 = f[7];
-    int32_t f8 = f[8];
-    int32_t f9 = f[9];
-    int64_t h0 = f0 * sn;
-    int64_t h1 = f1 * sn;
-    int64_t h2 = f2 * sn;
-    int64_t h3 = f3 * sn;
-    int64_t h4 = f4 * sn;
-    int64_t h5 = f5 * sn;
-    int64_t h6 = f6 * sn;
-    int64_t h7 = f7 * sn;
-    int64_t h8 = f8 * sn;
-    int64_t h9 = f9 * sn;
-    int64_t carry0, carry1, carry2, carry3, carry4, carry5, carry6, carry7,
-            carry8, carry9;
-    carry9 = (h9 + ((int64_t) 1 << 24)) >> 25;
-    h0 += carry9 * 19;
-    h9 -= carry9 * ((int64_t) 1 << 25);
-    carry1 = (h1 + ((int64_t) 1 << 24)) >> 25;
-    h2 += carry1;
-    h1 -= carry1 * ((int64_t) 1 << 25);
-    carry3 = (h3 + ((int64_t) 1 << 24)) >> 25;
-    h4 += carry3;
-    h3 -= carry3 * ((int64_t) 1 << 25);
-    carry5 = (h5 + ((int64_t) 1 << 24)) >> 25;
-    h6 += carry5;
-    h5 -= carry5 * ((int64_t) 1 << 25);
-    carry7 = (h7 + ((int64_t) 1 << 24)) >> 25;
-    h8 += carry7;
-    h7 -= carry7 * ((int64_t) 1 << 25);
-    carry0 = (h0 + ((int64_t) 1 << 25)) >> 26;
-    h1 += carry0;
-    h0 -= carry0 * ((int64_t) 1 << 26);
-    carry2 = (h2 + ((int64_t) 1 << 25)) >> 26;
-    h3 += carry2;
-    h2 -= carry2 * ((int64_t) 1 << 26);
-    carry4 = (h4 + ((int64_t) 1 << 25)) >> 26;
-    h5 += carry4;
-    h4 -= carry4 * ((int64_t) 1 << 26);
-    carry6 = (h6 + ((int64_t) 1 << 25)) >> 26;
-    h7 += carry6;
-    h6 -= carry6 * ((int64_t) 1 << 26);
-    carry8 = (h8 + ((int64_t) 1 << 25)) >> 26;
-    h9 += carry8;
-    h8 -= carry8 * ((int64_t) 1 << 26);
-    h[0] = (int32_t) h0;
-    h[1] = (int32_t) h1;
-    h[2] = (int32_t) h2;
-    h[3] = (int32_t) h3;
-    h[4] = (int32_t) h4;
-    h[5] = (int32_t) h5;
-    h[6] = (int32_t) h6;
-    h[7] = (int32_t) h7;
-    h[8] = (int32_t) h8;
-    h[9] = (int32_t) h9;
-}