npm - react-native-quick-crypto - Versions diffs - 1.0.0-beta.20 → 1.0.0-beta.21 - Mend

react-native-quick-crypto 1.0.0-beta.20 → 1.0.0-beta.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (899) hide show

package/ios/libsodium-stable/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c DELETED Viewed

@@ -1,2873 +0,0 @@
-#include <stddef.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-#include "crypto_verify_32.h"
-#include "private/common.h"
-#include "private/ed25519_ref10.h"
-#include "utils.h"
-static inline uint64_t
-load_3(const unsigned char *in)
-{
-    uint64_t result;
-    result = (uint64_t) in[0];
-    result |= ((uint64_t) in[1]) << 8;
-    result |= ((uint64_t) in[2]) << 16;
-    return result;
-}
-static inline uint64_t
-load_4(const unsigned char *in)
-{
-    uint64_t result;
-    result = (uint64_t) in[0];
-    result |= ((uint64_t) in[1]) << 8;
-    result |= ((uint64_t) in[2]) << 16;
-    result |= ((uint64_t) in[3]) << 24;
-    return result;
-}
-/*
- * Field arithmetic:
- * Use 5*51 bit limbs on 64-bit systems with support for 128 bit arithmetic,
- * and 10*25.5 bit limbs elsewhere.
- *
- * Functions used elsewhere that are candidates for inlining are defined
- * via "private/curve25519_ref10.h".
- */
-#ifdef HAVE_TI_MODE
-# include "fe_51/constants.h"
-# include "fe_51/fe.h"
-#else
-# include "fe_25_5/constants.h"
-# include "fe_25_5/fe.h"
-#endif
-void
-fe25519_invert(fe25519 out, const fe25519 z)
-{
-    fe25519 t0;
-    fe25519 t1;
-    fe25519 t2;
-    fe25519 t3;
-    int     i;
-    fe25519_sq(t0, z);
-    fe25519_sq(t1, t0);
-    fe25519_sq(t1, t1);
-    fe25519_mul(t1, z, t1);
-    fe25519_mul(t0, t0, t1);
-    fe25519_sq(t2, t0);
-    fe25519_mul(t1, t1, t2);
-    fe25519_sq(t2, t1);
-    for (i = 1; i < 5; ++i) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t1, t2, t1);
-    fe25519_sq(t2, t1);
-    for (i = 1; i < 10; ++i) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t2, t2, t1);
-    fe25519_sq(t3, t2);
-    for (i = 1; i < 20; ++i) {
-        fe25519_sq(t3, t3);
-    }
-    fe25519_mul(t2, t3, t2);
-    for (i = 1; i < 11; ++i) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t1, t2, t1);
-    fe25519_sq(t2, t1);
-    for (i = 1; i < 50; ++i) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t2, t2, t1);
-    fe25519_sq(t3, t2);
-    for (i = 1; i < 100; ++i) {
-        fe25519_sq(t3, t3);
-    }
-    fe25519_mul(t2, t3, t2);
-    for (i = 1; i < 51; ++i) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t1, t2, t1);
-    for (i = 1; i < 6; ++i) {
-        fe25519_sq(t1, t1);
-    }
-    fe25519_mul(out, t1, t0);
-}
-static void
-fe25519_pow22523(fe25519 out, const fe25519 z)
-{
-    fe25519 t0;
-    fe25519 t1;
-    fe25519 t2;
-    int     i;
-    fe25519_sq(t0, z);
-    fe25519_sq(t1, t0);
-    fe25519_sq(t1, t1);
-    fe25519_mul(t1, z, t1);
-    fe25519_mul(t0, t0, t1);
-    fe25519_sq(t0, t0);
-    fe25519_mul(t0, t1, t0);
-    fe25519_sq(t1, t0);
-    for (i = 1; i < 5; ++i) {
-        fe25519_sq(t1, t1);
-    }
-    fe25519_mul(t0, t1, t0);
-    fe25519_sq(t1, t0);
-    for (i = 1; i < 10; ++i) {
-        fe25519_sq(t1, t1);
-    }
-    fe25519_mul(t1, t1, t0);
-    fe25519_sq(t2, t1);
-    for (i = 1; i < 20; ++i) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t1, t2, t1);
-    for (i = 1; i < 11; ++i) {
-        fe25519_sq(t1, t1);
-    }
-    fe25519_mul(t0, t1, t0);
-    fe25519_sq(t1, t0);
-    for (i = 1; i < 50; ++i) {
-        fe25519_sq(t1, t1);
-    }
-    fe25519_mul(t1, t1, t0);
-    fe25519_sq(t2, t1);
-    for (i = 1; i < 100; ++i) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t1, t2, t1);
-    for (i = 1; i < 51; ++i) {
-        fe25519_sq(t1, t1);
-    }
-    fe25519_mul(t0, t1, t0);
-    fe25519_sq(t0, t0);
-    fe25519_sq(t0, t0);
-    fe25519_mul(out, t0, z);
-}
-static inline void
-fe25519_cneg(fe25519 h, const fe25519 f, unsigned int b)
-{
-    fe25519 negf;
-    fe25519_neg(negf, f);
-    fe25519_copy(h, f);
-    fe25519_cmov(h, negf, b);
-}
-static inline void
-fe25519_abs(fe25519 h, const fe25519 f)
-{
-    fe25519_cneg(h, f, fe25519_isnegative(f));
-}
-static inline void
-fe25519_sqmul(fe25519 s, const int n, const fe25519 a)
-{
-    int i;
-    for (i = 0; i < n; i++) {
-        fe25519_sq(s, s);
-    }
-    fe25519_mul(s, s, a);
-}
-static unsigned int
-fe25519_notsquare(const fe25519 x)
-{
-    fe25519       _10, _11, _1100, _1111, _11110000, _11111111;
-    fe25519       t, u, v;
-    unsigned char s[32];
-    /* Jacobi symbol - x^((p-1)/2) */
-    fe25519_mul(_10, x, x);
-    fe25519_mul(_11, x, _10);
-    fe25519_sq(_1100, _11);
-    fe25519_sq(_1100, _1100);
-    fe25519_mul(_1111, _11, _1100);
-    fe25519_sq(_11110000, _1111);
-    fe25519_sq(_11110000, _11110000);
-    fe25519_sq(_11110000, _11110000);
-    fe25519_sq(_11110000, _11110000);
-    fe25519_mul(_11111111, _1111, _11110000);
-    fe25519_copy(t, _11111111);
-    fe25519_sqmul(t, 2, _11);
-    fe25519_copy(u, t);
-    fe25519_sqmul(t, 10, u);
-    fe25519_sqmul(t, 10, u);
-    fe25519_copy(v, t);
-    fe25519_sqmul(t, 30, v);
-    fe25519_copy(v, t);
-    fe25519_sqmul(t, 60, v);
-    fe25519_copy(v, t);
-    fe25519_sqmul(t, 120, v);
-    fe25519_sqmul(t, 10, u);
-    fe25519_sqmul(t, 3, _11);
-    fe25519_sq(t, t);
-    fe25519_tobytes(s, t);
-    return s[1] & 1;
-}
-/*
- r = p + q
- */
-void
-ge25519_add(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q)
-{
-    fe25519 t0;
-    fe25519_add(r->X, p->Y, p->X);
-    fe25519_sub(r->Y, p->Y, p->X);
-    fe25519_mul(r->Z, r->X, q->YplusX);
-    fe25519_mul(r->Y, r->Y, q->YminusX);
-    fe25519_mul(r->T, q->T2d, p->T);
-    fe25519_mul(r->X, p->Z, q->Z);
-    fe25519_add(t0, r->X, r->X);
-    fe25519_sub(r->X, r->Z, r->Y);
-    fe25519_add(r->Y, r->Z, r->Y);
-    fe25519_add(r->Z, t0, r->T);
-    fe25519_sub(r->T, t0, r->T);
-}
-static void
-slide_vartime(signed char *r, const unsigned char *a)
-{
-    int i;
-    int b;
-    int k;
-    int ribs;
-    int cmp;
-    for (i = 0; i < 256; ++i) {
-        r[i] = 1 & (a[i >> 3] >> (i & 7));
-    }
-    for (i = 0; i < 256; ++i) {
-        if (! r[i]) {
-            continue;
-        }
-        for (b = 1; b <= 6 && i + b < 256; ++b) {
-            if (! r[i + b]) {
-                continue;
-            }
-            ribs = r[i + b] << b;
-            cmp = r[i] + ribs;
-            if (cmp <= 15) {
-                r[i] = cmp;
-                r[i + b] = 0;
-            } else {
-                cmp = r[i] - ribs;
-                if (cmp < -15) {
-                    break;
-                }
-                r[i] = cmp;
-                for (k = i + b; k < 256; ++k) {
-                    if (! r[k]) {
-                        r[k] = 1;
-                        break;
-                    }
-                    r[k] = 0;
-                }
-            }
-        }
-    }
-}
-static volatile unsigned char optblocker_u8;
-int
-ge25519_frombytes(ge25519_p3 *h, const unsigned char *s)
-{
-    fe25519 u;
-    fe25519 v;
-    fe25519 vxx;
-    fe25519 m_root_check, p_root_check;
-    fe25519 negx;
-    fe25519 x_sqrtm1;
-    int     has_m_root, has_p_root;
-    fe25519_frombytes(h->Y, s);
-    fe25519_1(h->Z);
-    fe25519_sq(u, h->Y);
-    fe25519_mul(v, u, d);
-    fe25519_sub(u, u, h->Z); /* u = y^2-1 */
-    fe25519_add(v, v, h->Z); /* v = dy^2+1 */
-    fe25519_mul(h->X, u, v);
-    fe25519_pow22523(h->X, h->X);
-    fe25519_mul(h->X, u, h->X); /* u((uv)^((q-5)/8)) */
-    fe25519_sq(vxx, h->X);
-    fe25519_mul(vxx, vxx, v);
-    fe25519_sub(m_root_check, vxx, u); /* vx^2-u */
-    fe25519_add(p_root_check, vxx, u); /* vx^2+u */
-    has_m_root = fe25519_iszero(m_root_check);
-    has_p_root = fe25519_iszero(p_root_check);
-    fe25519_mul(x_sqrtm1, h->X, sqrtm1); /* x*sqrt(-1) */
-    fe25519_cmov(h->X, x_sqrtm1, 1 - has_m_root);
-    fe25519_neg(negx, h->X);
-    fe25519_cmov(h->X, negx, fe25519_isnegative(h->X) ^ (((s[31] >> 5) ^ optblocker_u8) >> 2));
-    fe25519_mul(h->T, h->X, h->Y);
-    return (has_m_root | has_p_root) - 1;
-}
-int
-ge25519_frombytes_negate_vartime(ge25519_p3 *h, const unsigned char *s)
-{
-    fe25519 u;
-    fe25519 v;
-    fe25519 v3;
-    fe25519 vxx;
-    fe25519 m_root_check, p_root_check;
-    fe25519_frombytes(h->Y, s);
-    fe25519_1(h->Z);
-    fe25519_sq(u, h->Y);
-    fe25519_mul(v, u, d);
-    fe25519_sub(u, u, h->Z); /* u = y^2-1 */
-    fe25519_add(v, v, h->Z); /* v = dy^2+1 */
-    fe25519_sq(v3, v);
-    fe25519_mul(v3, v3, v); /* v3 = v^3 */
-    fe25519_sq(h->X, v3);
-    fe25519_mul(h->X, h->X, v);
-    fe25519_mul(h->X, h->X, u); /* x = uv^7 */
-    fe25519_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
-    fe25519_mul(h->X, h->X, v3);
-    fe25519_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
-    fe25519_sq(vxx, h->X);
-    fe25519_mul(vxx, vxx, v);
-    fe25519_sub(m_root_check, vxx, u); /* vx^2-u */
-    if (fe25519_iszero(m_root_check) == 0) {
-        fe25519_add(p_root_check, vxx, u); /* vx^2+u */
-        if (fe25519_iszero(p_root_check) == 0) {
-            return -1;
-        }
-        fe25519_mul(h->X, h->X, sqrtm1);
-    }
-    if (fe25519_isnegative(h->X) == (s[31] >> 7)) {
-        fe25519_neg(h->X, h->X);
-    }
-    fe25519_mul(h->T, h->X, h->Y);
-    return 0;
-}
-/*
- r = p + q
- */
-static void
-ge25519_madd(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_precomp *q)
-{
-    fe25519 t0;
-    fe25519_add(r->X, p->Y, p->X);
-    fe25519_sub(r->Y, p->Y, p->X);
-    fe25519_mul(r->Z, r->X, q->yplusx);
-    fe25519_mul(r->Y, r->Y, q->yminusx);
-    fe25519_mul(r->T, q->xy2d, p->T);
-    fe25519_add(t0, p->Z, p->Z);
-    fe25519_sub(r->X, r->Z, r->Y);
-    fe25519_add(r->Y, r->Z, r->Y);
-    fe25519_add(r->Z, t0, r->T);
-    fe25519_sub(r->T, t0, r->T);
-}
-/*
- r = p - q
- */
-static void
-ge25519_msub(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_precomp *q)
-{
-    fe25519 t0;
-    fe25519_add(r->X, p->Y, p->X);
-    fe25519_sub(r->Y, p->Y, p->X);
-    fe25519_mul(r->Z, r->X, q->yminusx);
-    fe25519_mul(r->Y, r->Y, q->yplusx);
-    fe25519_mul(r->T, q->xy2d, p->T);
-    fe25519_add(t0, p->Z, p->Z);
-    fe25519_sub(r->X, r->Z, r->Y);
-    fe25519_add(r->Y, r->Z, r->Y);
-    fe25519_sub(r->Z, t0, r->T);
-    fe25519_add(r->T, t0, r->T);
-}
-/*
- r = p
- */
-void
-ge25519_p1p1_to_p2(ge25519_p2 *r, const ge25519_p1p1 *p)
-{
-    fe25519_mul(r->X, p->X, p->T);
-    fe25519_mul(r->Y, p->Y, p->Z);
-    fe25519_mul(r->Z, p->Z, p->T);
-}
-/*
- r = p
- */
-void
-ge25519_p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p)
-{
-    fe25519_mul(r->X, p->X, p->T);
-    fe25519_mul(r->Y, p->Y, p->Z);
-    fe25519_mul(r->Z, p->Z, p->T);
-    fe25519_mul(r->T, p->X, p->Y);
-}
-static void
-ge25519_p2_0(ge25519_p2 *h)
-{
-    fe25519_0(h->X);
-    fe25519_1(h->Y);
-    fe25519_1(h->Z);
-}
-/*
- r = 2 * p
- */
-static void
-ge25519_p2_dbl(ge25519_p1p1 *r, const ge25519_p2 *p)
-{
-    fe25519 t0;
-    fe25519_sq(r->X, p->X);
-    fe25519_sq(r->Z, p->Y);
-    fe25519_sq2(r->T, p->Z);
-    fe25519_add(r->Y, p->X, p->Y);
-    fe25519_sq(t0, r->Y);
-    fe25519_add(r->Y, r->Z, r->X);
-    fe25519_sub(r->Z, r->Z, r->X);
-    fe25519_sub(r->X, t0, r->Y);
-    fe25519_sub(r->T, r->T, r->Z);
-}
-static void
-ge25519_p3_0(ge25519_p3 *h)
-{
-    fe25519_0(h->X);
-    fe25519_1(h->Y);
-    fe25519_1(h->Z);
-    fe25519_0(h->T);
-}
-static void
-ge25519_cached_0(ge25519_cached *h)
-{
-    fe25519_1(h->YplusX);
-    fe25519_1(h->YminusX);
-    fe25519_1(h->Z);
-    fe25519_0(h->T2d);
-}
-/*
- r = p
- */
-void
-ge25519_p3_to_cached(ge25519_cached *r, const ge25519_p3 *p)
-{
-    fe25519_add(r->YplusX, p->Y, p->X);
-    fe25519_sub(r->YminusX, p->Y, p->X);
-    fe25519_copy(r->Z, p->Z);
-    fe25519_mul(r->T2d, p->T, d2);
-}
-static void
-ge25519_p3_to_precomp(ge25519_precomp *pi, const ge25519_p3 *p)
-{
-    fe25519 recip;
-    fe25519 x;
-    fe25519 y;
-    fe25519 xy;
-    fe25519_invert(recip, p->Z);
-    fe25519_mul(x, p->X, recip);
-    fe25519_mul(y, p->Y, recip);
-    fe25519_add(pi->yplusx, y, x);
-    fe25519_sub(pi->yminusx, y, x);
-    fe25519_mul(xy, x, y);
-    fe25519_mul(pi->xy2d, xy, d2);
-}
-/*
- r = p
- */
-static void
-ge25519_p3_to_p2(ge25519_p2 *r, const ge25519_p3 *p)
-{
-    fe25519_copy(r->X, p->X);
-    fe25519_copy(r->Y, p->Y);
-    fe25519_copy(r->Z, p->Z);
-}
-void
-ge25519_p3_tobytes(unsigned char *s, const ge25519_p3 *h)
-{
-    fe25519 recip;
-    fe25519 x;
-    fe25519 y;
-    fe25519_invert(recip, h->Z);
-    fe25519_mul(x, h->X, recip);
-    fe25519_mul(y, h->Y, recip);
-    fe25519_tobytes(s, y);
-    s[31] ^= fe25519_isnegative(x) << 7;
-}
-/*
- r = 2 * p
- */
-static void
-ge25519_p3_dbl(ge25519_p1p1 *r, const ge25519_p3 *p)
-{
-    ge25519_p2 q;
-    ge25519_p3_to_p2(&q, p);
-    ge25519_p2_dbl(r, &q);
-}
-static void
-ge25519_precomp_0(ge25519_precomp *h)
-{
-    fe25519_1(h->yplusx);
-    fe25519_1(h->yminusx);
-    fe25519_0(h->xy2d);
-}
-static unsigned char
-equal(signed char b, signed char c)
-{
-#if defined(HAVE_INLINE_ASM) && defined(__x86_64__)
-    int32_t b32 = (int32_t) b, c32 = (int32_t) c, q32, z32;
-    __asm__ ("xorl %0,%0\n movl $1,%1\n cmpb %b3,%b2\n cmovel %1,%0" :
-             "=&r"(z32), "=&r"(q32) : "q"(b32), "q"(c32) : "cc");
-    return (unsigned char) z32;
-#elif defined(HAVE_INLINE_ASM) && defined(__aarch64__)
-    unsigned char z;
-    __asm__ ("and %w0,%w1,255\n cmp %w0,%w2,uxtb\n cset %w0,eq" :
-             "=&r"(z) : "r"(b), "r"(c) : "cc");
-    return z;
-#else
-    const unsigned char x  = (unsigned char) b ^ (unsigned char) c; /* 0: yes; 1..255: no */
-    uint32_t            y  = (uint32_t) x; /* 0: yes; 1..255: no */
-    y--;
-    return ((y >> 29) ^ optblocker_u8) >> 2; /* 1: yes; 0: no */
-#endif
-}
-static unsigned char
-negative(signed char b)
-{
-#if defined(HAVE_INLINE_ASM) && defined(__x86_64__)
-    __asm__ ("shrb $7,%0" : "+r"(b) : : "cc");
-    return b;
-#elif defined(HAVE_INLINE_ASM) && defined(__aarch64__)
-    uint8_t x;
-    __asm__ ("ubfx %w0,%w1,7,1" : "=r"(x) : "r"(b) : );
-    return x;
-#else
-    const uint8_t x = (uint8_t) b; /* 0..127: no 128..255: yes */
-    return ((x >> 5) ^ optblocker_u8) >> 2; /* 1: yes; 0: no */
-#endif
-}
-static void
-ge25519_cmov(ge25519_precomp *t, const ge25519_precomp *u, unsigned char b)
-{
-    fe25519_cmov(t->yplusx, u->yplusx, b);
-    fe25519_cmov(t->yminusx, u->yminusx, b);
-    fe25519_cmov(t->xy2d, u->xy2d, b);
-}
-static void
-ge25519_cmov_cached(ge25519_cached *t, const ge25519_cached *u, unsigned char b)
-{
-    fe25519_cmov(t->YplusX, u->YplusX, b);
-    fe25519_cmov(t->YminusX, u->YminusX, b);
-    fe25519_cmov(t->Z, u->Z, b);
-    fe25519_cmov(t->T2d, u->T2d, b);
-}
-static void
-ge25519_cmov8(ge25519_precomp *t, const ge25519_precomp precomp[8], const signed char b)
-{
-    ge25519_precomp     minust;
-    const unsigned char bnegative = negative(b);
-    const unsigned char babs      = b - (((-bnegative) & b) * ((signed char) 1 << 1));
-    ge25519_precomp_0(t);
-    ge25519_cmov(t, &precomp[0], equal(babs, 1));
-    ge25519_cmov(t, &precomp[1], equal(babs, 2));
-    ge25519_cmov(t, &precomp[2], equal(babs, 3));
-    ge25519_cmov(t, &precomp[3], equal(babs, 4));
-    ge25519_cmov(t, &precomp[4], equal(babs, 5));
-    ge25519_cmov(t, &precomp[5], equal(babs, 6));
-    ge25519_cmov(t, &precomp[6], equal(babs, 7));
-    ge25519_cmov(t, &precomp[7], equal(babs, 8));
-    fe25519_copy(minust.yplusx, t->yminusx);
-    fe25519_copy(minust.yminusx, t->yplusx);
-    fe25519_neg(minust.xy2d, t->xy2d);
-    ge25519_cmov(t, &minust, bnegative);
-}
-static void
-ge25519_cmov8_base(ge25519_precomp *t, const int pos, const signed char b)
-{
-    static const ge25519_precomp base[32][8] = { /* base[i][j] = (j+1)*256^i*B */
-#ifdef HAVE_TI_MODE
-# include "fe_51/base.h"
-#else
-# include "fe_25_5/base.h"
-#endif
-    };
-    ge25519_cmov8(t, base[pos], b);
-}
-static void
-ge25519_cmov8_cached(ge25519_cached *t, const ge25519_cached cached[8], const signed char b)
-{
-    ge25519_cached      minust;
-    const unsigned char bnegative = negative(b);
-    const unsigned char babs      = b - (((-bnegative) & b) * ((signed char) 1 << 1));
-    ge25519_cached_0(t);
-    ge25519_cmov_cached(t, &cached[0], equal(babs, 1));
-    ge25519_cmov_cached(t, &cached[1], equal(babs, 2));
-    ge25519_cmov_cached(t, &cached[2], equal(babs, 3));
-    ge25519_cmov_cached(t, &cached[3], equal(babs, 4));
-    ge25519_cmov_cached(t, &cached[4], equal(babs, 5));
-    ge25519_cmov_cached(t, &cached[5], equal(babs, 6));
-    ge25519_cmov_cached(t, &cached[6], equal(babs, 7));
-    ge25519_cmov_cached(t, &cached[7], equal(babs, 8));
-    fe25519_copy(minust.YplusX, t->YminusX);
-    fe25519_copy(minust.YminusX, t->YplusX);
-    fe25519_copy(minust.Z, t->Z);
-    fe25519_neg(minust.T2d, t->T2d);
-    ge25519_cmov_cached(t, &minust, bnegative);
-}
-/*
- r = p - q
- */
-void
-ge25519_sub(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q)
-{
-    fe25519 t0;
-    fe25519_add(r->X, p->Y, p->X);
-    fe25519_sub(r->Y, p->Y, p->X);
-    fe25519_mul(r->Z, r->X, q->YminusX);
-    fe25519_mul(r->Y, r->Y, q->YplusX);
-    fe25519_mul(r->T, q->T2d, p->T);
-    fe25519_mul(r->X, p->Z, q->Z);
-    fe25519_add(t0, r->X, r->X);
-    fe25519_sub(r->X, r->Z, r->Y);
-    fe25519_add(r->Y, r->Z, r->Y);
-    fe25519_sub(r->Z, t0, r->T);
-    fe25519_add(r->T, t0, r->T);
-}
-void
-ge25519_tobytes(unsigned char *s, const ge25519_p2 *h)
-{
-    fe25519 recip;
-    fe25519 x;
-    fe25519 y;
-    fe25519_invert(recip, h->Z);
-    fe25519_mul(x, h->X, recip);
-    fe25519_mul(y, h->Y, recip);
-    fe25519_tobytes(s, y);
-    s[31] ^= fe25519_isnegative(x) << 7;
-}
-/*
- r = a * A + b * B
- where a = a[0]+256*a[1]+...+256^31 a[31].
- and b = b[0]+256*b[1]+...+256^31 b[31].
- B is the Ed25519 base point (x,4/5) with x positive.
- Only used for signatures verification.
- */
-void
-ge25519_double_scalarmult_vartime(ge25519_p2 *r, const unsigned char *a,
-                                  const ge25519_p3 *A, const unsigned char *b)
-{
-    static const ge25519_precomp Bi[8] = {
-#ifdef HAVE_TI_MODE
-# include "fe_51/base2.h"
-#else
-# include "fe_25_5/base2.h"
-#endif
-    };
-    signed char    aslide[256];
-    signed char    bslide[256];
-    ge25519_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
-    ge25519_p1p1   t;
-    ge25519_p3     u;
-    ge25519_p3     A2;
-    int            i;
-    slide_vartime(aslide, a);
-    slide_vartime(bslide, b);
-    ge25519_p3_to_cached(&Ai[0], A);
-    ge25519_p3_dbl(&t, A);
-    ge25519_p1p1_to_p3(&A2, &t);
-    ge25519_add(&t, &A2, &Ai[0]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[1], &u);
-    ge25519_add(&t, &A2, &Ai[1]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[2], &u);
-    ge25519_add(&t, &A2, &Ai[2]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[3], &u);
-    ge25519_add(&t, &A2, &Ai[3]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[4], &u);
-    ge25519_add(&t, &A2, &Ai[4]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[5], &u);
-    ge25519_add(&t, &A2, &Ai[5]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[6], &u);
-    ge25519_add(&t, &A2, &Ai[6]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[7], &u);
-    ge25519_p2_0(r);
-    for (i = 255; i >= 0; --i) {
-        if (aslide[i] || bslide[i]) {
-            break;
-        }
-    }
-    for (; i >= 0; --i) {
-        ge25519_p2_dbl(&t, r);
-        if (aslide[i] > 0) {
-            ge25519_p1p1_to_p3(&u, &t);
-            ge25519_add(&t, &u, &Ai[aslide[i] / 2]);
-        } else if (aslide[i] < 0) {
-            ge25519_p1p1_to_p3(&u, &t);
-            ge25519_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
-        }
-        if (bslide[i] > 0) {
-            ge25519_p1p1_to_p3(&u, &t);
-            ge25519_madd(&t, &u, &Bi[bslide[i] / 2]);
-        } else if (bslide[i] < 0) {
-            ge25519_p1p1_to_p3(&u, &t);
-            ge25519_msub(&t, &u, &Bi[(-bslide[i]) / 2]);
-        }
-        ge25519_p1p1_to_p2(r, &t);
-    }
-}
-/*
- h = a * p
- where a = a[0]+256*a[1]+...+256^31 a[31]
- Preconditions:
- a[31] <= 127
- p is public
- */
-void
-ge25519_scalarmult(ge25519_p3 *h, const unsigned char *a, const ge25519_p3 *p)
-{
-    signed char     e[64];
-    signed char     carry;
-    ge25519_p1p1    r;
-    ge25519_p2      s;
-    ge25519_p1p1    t2, t3, t4, t5, t6, t7, t8;
-    ge25519_p3      p2, p3, p4, p5, p6, p7, p8;
-    ge25519_cached  pi[8];
-    ge25519_cached  t;
-    int             i;
-    ge25519_p3_to_cached(&pi[1 - 1], p);   /* p */
-    ge25519_p3_dbl(&t2, p);
-    ge25519_p1p1_to_p3(&p2, &t2);
-    ge25519_p3_to_cached(&pi[2 - 1], &p2); /* 2p = 2*p */
-    ge25519_add(&t3, p, &pi[2 - 1]);
-    ge25519_p1p1_to_p3(&p3, &t3);
-    ge25519_p3_to_cached(&pi[3 - 1], &p3); /* 3p = 2p+p */
-    ge25519_p3_dbl(&t4, &p2);
-    ge25519_p1p1_to_p3(&p4, &t4);
-    ge25519_p3_to_cached(&pi[4 - 1], &p4); /* 4p = 2*2p */
-    ge25519_add(&t5, p, &pi[4 - 1]);
-    ge25519_p1p1_to_p3(&p5, &t5);
-    ge25519_p3_to_cached(&pi[5 - 1], &p5); /* 5p = 4p+p */
-    ge25519_p3_dbl(&t6, &p3);
-    ge25519_p1p1_to_p3(&p6, &t6);
-    ge25519_p3_to_cached(&pi[6 - 1], &p6); /* 6p = 2*3p */
-    ge25519_add(&t7, p, &pi[6 - 1]);
-    ge25519_p1p1_to_p3(&p7, &t7);
-    ge25519_p3_to_cached(&pi[7 - 1], &p7); /* 7p = 6p+p */
-    ge25519_p3_dbl(&t8, &p4);
-    ge25519_p1p1_to_p3(&p8, &t8);
-    ge25519_p3_to_cached(&pi[8 - 1], &p8); /* 8p = 2*4p */
-    for (i = 0; i < 32; ++i) {
-        e[2 * i + 0] = (a[i] >> 0) & 15;
-        e[2 * i + 1] = (a[i] >> 4) & 15;
-    }
-    /* each e[i] is between 0 and 15 */
-    /* e[63] is between 0 and 7 */
-    carry = 0;
-    for (i = 0; i < 63; ++i) {
-        e[i] += carry;
-        carry = e[i] + 8;
-        carry >>= 4;
-        e[i] -= carry * ((signed char) 1 << 4);
-    }
-    e[63] += carry;
-    /* each e[i] is between -8 and 8 */
-    ge25519_p3_0(h);
-    for (i = 63; i != 0; i--) {
-        ge25519_cmov8_cached(&t, pi, e[i]);
-        ge25519_add(&r, h, &t);
-        ge25519_p1p1_to_p2(&s, &r);
-        ge25519_p2_dbl(&r, &s);
-        ge25519_p1p1_to_p2(&s, &r);
-        ge25519_p2_dbl(&r, &s);
-        ge25519_p1p1_to_p2(&s, &r);
-        ge25519_p2_dbl(&r, &s);
-        ge25519_p1p1_to_p2(&s, &r);
-        ge25519_p2_dbl(&r, &s);
-        ge25519_p1p1_to_p3(h, &r);  /* *16 */
-    }
-    ge25519_cmov8_cached(&t, pi, e[i]);
-    ge25519_add(&r, h, &t);
-    ge25519_p1p1_to_p3(h, &r);
-}
-/*
- h = a * B (with precomputation)
- where a = a[0]+256*a[1]+...+256^31 a[31]
- B is the Ed25519 base point (x,4/5) with x positive
- (as bytes: 0x5866666666666666666666666666666666666666666666666666666666666666)
- Preconditions:
- a[31] <= 127
- */
-void
-ge25519_scalarmult_base(ge25519_p3 *h, const unsigned char *a)
-{
-    signed char     e[64];
-    signed char     carry;
-    ge25519_p1p1    r;
-    ge25519_p2      s;
-    ge25519_precomp t;
-    int             i;
-    for (i = 0; i < 32; ++i) {
-        e[2 * i + 0] = (a[i] >> 0) & 15;
-        e[2 * i + 1] = (a[i] >> 4) & 15;
-    }
-    /* each e[i] is between 0 and 15 */
-    /* e[63] is between 0 and 7 */
-    carry = 0;
-    for (i = 0; i < 63; ++i) {
-        e[i] += carry;
-        carry = e[i] + 8;
-        carry >>= 4;
-        e[i] -= carry * ((signed char) 1 << 4);
-    }
-    e[63] += carry;
-    /* each e[i] is between -8 and 8 */
-    ge25519_p3_0(h);
-    for (i = 1; i < 64; i += 2) {
-        ge25519_cmov8_base(&t, i / 2, e[i]);
-        ge25519_madd(&r, h, &t);
-        ge25519_p1p1_to_p3(h, &r);
-    }
-    ge25519_p3_dbl(&r, h);
-    ge25519_p1p1_to_p2(&s, &r);
-    ge25519_p2_dbl(&r, &s);
-    ge25519_p1p1_to_p2(&s, &r);
-    ge25519_p2_dbl(&r, &s);
-    ge25519_p1p1_to_p2(&s, &r);
-    ge25519_p2_dbl(&r, &s);
-    ge25519_p1p1_to_p3(h, &r);
-    for (i = 0; i < 64; i += 2) {
-        ge25519_cmov8_base(&t, i / 2, e[i]);
-        ge25519_madd(&r, h, &t);
-        ge25519_p1p1_to_p3(h, &r);
-    }
-}
-/* multiply by the order of the main subgroup l = 2^252+27742317777372353535851937790883648493 */
-static void
-ge25519_mul_l(ge25519_p3 *r, const ge25519_p3 *A)
-{
-    static const signed char aslide[253] = {
-        13, 0, 0, 0, 0, -1, 0, 0, 0, 0, -11, 0, 0, 0, 0, 0, 0, -5, 0, 0, 0, 0, 0, 0, -3, 0, 0, 0, 0, -13, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, -13, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, -13, 0, 0, 0, 0, 0, 0, -3, 0, 0, 0, 0, 0, -1, 0, 0, 0, 0, 3, 0, 0, 0, 0, -11, 0, 0, 0, 0, 0, 0, 0, 15, 0, 0, 0, 0, 0, -1, 0, 0, 0, 0, -1, 0, 0, 0, 0, 7, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
-    };
-    ge25519_cached Ai[8];
-    ge25519_p1p1   t;
-    ge25519_p3     u;
-    ge25519_p3     A2;
-    int            i;
-    ge25519_p3_to_cached(&Ai[0], A);
-    ge25519_p3_dbl(&t, A);
-    ge25519_p1p1_to_p3(&A2, &t);
-    ge25519_add(&t, &A2, &Ai[0]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[1], &u);
-    ge25519_add(&t, &A2, &Ai[1]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[2], &u);
-    ge25519_add(&t, &A2, &Ai[2]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[3], &u);
-    ge25519_add(&t, &A2, &Ai[3]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[4], &u);
-    ge25519_add(&t, &A2, &Ai[4]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[5], &u);
-    ge25519_add(&t, &A2, &Ai[5]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[6], &u);
-    ge25519_add(&t, &A2, &Ai[6]);
-    ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[7], &u);
-    ge25519_p3_0(r);
-    for (i = 252; i >= 0; --i) {
-        ge25519_p3_dbl(&t, r);
-        if (aslide[i] > 0) {
-            ge25519_p1p1_to_p3(&u, &t);
-            ge25519_add(&t, &u, &Ai[aslide[i] / 2]);
-        } else if (aslide[i] < 0) {
-            ge25519_p1p1_to_p3(&u, &t);
-            ge25519_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
-        }
-        ge25519_p1p1_to_p3(r, &t);
-    }
-}
-int
-ge25519_is_on_curve(const ge25519_p3 *p)
-{
-    fe25519 x2;
-    fe25519 y2;
-    fe25519 z2;
-    fe25519 z4;
-    fe25519 t0;
-    fe25519 t1;
-    fe25519_sq(x2, p->X);
-    fe25519_sq(y2, p->Y);
-    fe25519_sq(z2, p->Z);
-    fe25519_sub(t0, y2, x2);
-    fe25519_mul(t0, t0, z2);
-    fe25519_mul(t1, x2, y2);
-    fe25519_mul(t1, t1, d);
-    fe25519_sq(z4, z2);
-    fe25519_add(t1, t1, z4);
-    fe25519_sub(t0, t0, t1);
-    return fe25519_iszero(t0);
-}
-int
-ge25519_is_on_main_subgroup(const ge25519_p3 *p)
-{
-    ge25519_p3 pl;
-    ge25519_mul_l(&pl, p);
-    return fe25519_iszero(pl.X);
-}
-int
-ge25519_is_canonical(const unsigned char *s)
-{
-    unsigned char c;
-    unsigned char d;
-    unsigned int  i;
-    c = (s[31] & 0x7f) ^ 0x7f;
-    for (i = 30; i > 0; i--) {
-        c |= s[i] ^ 0xff;
-    }
-    c = (((unsigned int) c) - 1U) >> 8;
-    d = (0xed - 1U - (unsigned int) s[0]) >> 8;
-    return 1 - (c & d & 1);
-}
-int
-ge25519_has_small_order(const unsigned char s[32])
-{
-    CRYPTO_ALIGN(16)
-    static const unsigned char blacklist[][32] = {
-        /* 0 (order 4) */
-        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-        /* 1 (order 1) */
-        { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-        /* 2707385501144840649318225287225658788936804267575313519463743609750303402022
-           (order 8) */
-        { 0x26, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 0x27, 0xb0, 0x45, 0xc3, 0xf4,
-          0x89, 0xf2, 0xef, 0x98, 0xf0, 0xd5, 0xdf, 0xac, 0x05, 0xd3, 0xc6,
-          0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x05 },
-        /* 55188659117513257062467267217118295137698188065244968500265048394206261417927
-           (order 8) */
-        { 0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, 0x0b,
-          0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c, 0x39,
-          0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0x7a },
-        /* p-1 (order 2) */
-        { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
-        /* p (=0, order 4) */
-        { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
-        /* p+1 (=1, order 1) */
-        { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }
-    };
-    unsigned char c[7] = { 0 };
-    unsigned int  k;
-    size_t        i, j;
-    COMPILER_ASSERT(7 == sizeof blacklist / sizeof blacklist[0]);
-    for (j = 0; j < 31; j++) {
-        for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
-            c[i] |= s[j] ^ blacklist[i][j];
-        }
-    }
-    for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
-        c[i] |= (s[j] & 0x7f) ^ blacklist[i][j];
-    }
-    k = 0;
-    for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
-        k |= (c[i] - 1);
-    }
-    return (int) ((k >> 8) & 1);
-}
-/*
- Input:
- a[0]+256*a[1]+...+256^31*a[31] = a
- b[0]+256*b[1]+...+256^31*b[31] = b
- *
- Output:
- s[0]+256*s[1]+...+256^31*s[31] = (ab) mod l
- where l = 2^252 + 27742317777372353535851937790883648493.
- */
-void
-sc25519_mul(unsigned char s[32], const unsigned char a[32], const unsigned char b[32])
-{
-    int64_t a0  = 2097151 & load_3(a);
-    int64_t a1  = 2097151 & (load_4(a + 2) >> 5);
-    int64_t a2  = 2097151 & (load_3(a + 5) >> 2);
-    int64_t a3  = 2097151 & (load_4(a + 7) >> 7);
-    int64_t a4  = 2097151 & (load_4(a + 10) >> 4);
-    int64_t a5  = 2097151 & (load_3(a + 13) >> 1);
-    int64_t a6  = 2097151 & (load_4(a + 15) >> 6);
-    int64_t a7  = 2097151 & (load_3(a + 18) >> 3);
-    int64_t a8  = 2097151 & load_3(a + 21);
-    int64_t a9  = 2097151 & (load_4(a + 23) >> 5);
-    int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
-    int64_t a11 = (load_4(a + 28) >> 7);
-    int64_t b0  = 2097151 & load_3(b);
-    int64_t b1  = 2097151 & (load_4(b + 2) >> 5);
-    int64_t b2  = 2097151 & (load_3(b + 5) >> 2);
-    int64_t b3  = 2097151 & (load_4(b + 7) >> 7);
-    int64_t b4  = 2097151 & (load_4(b + 10) >> 4);
-    int64_t b5  = 2097151 & (load_3(b + 13) >> 1);
-    int64_t b6  = 2097151 & (load_4(b + 15) >> 6);
-    int64_t b7  = 2097151 & (load_3(b + 18) >> 3);
-    int64_t b8  = 2097151 & load_3(b + 21);
-    int64_t b9  = 2097151 & (load_4(b + 23) >> 5);
-    int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
-    int64_t b11 = (load_4(b + 28) >> 7);
-    int64_t s0;
-    int64_t s1;
-    int64_t s2;
-    int64_t s3;
-    int64_t s4;
-    int64_t s5;
-    int64_t s6;
-    int64_t s7;
-    int64_t s8;
-    int64_t s9;
-    int64_t s10;
-    int64_t s11;
-    int64_t s12;
-    int64_t s13;
-    int64_t s14;
-    int64_t s15;
-    int64_t s16;
-    int64_t s17;
-    int64_t s18;
-    int64_t s19;
-    int64_t s20;
-    int64_t s21;
-    int64_t s22;
-    int64_t s23;
-    int64_t carry0;
-    int64_t carry1;
-    int64_t carry2;
-    int64_t carry3;
-    int64_t carry4;
-    int64_t carry5;
-    int64_t carry6;
-    int64_t carry7;
-    int64_t carry8;
-    int64_t carry9;
-    int64_t carry10;
-    int64_t carry11;
-    int64_t carry12;
-    int64_t carry13;
-    int64_t carry14;
-    int64_t carry15;
-    int64_t carry16;
-    int64_t carry17;
-    int64_t carry18;
-    int64_t carry19;
-    int64_t carry20;
-    int64_t carry21;
-    int64_t carry22;
-    s0 = a0 * b0;
-    s1 = a0 * b1 + a1 * b0;
-    s2 = a0 * b2 + a1 * b1 + a2 * b0;
-    s3 = a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
-    s4 = a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
-    s5 = a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
-    s6 = a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
-    s7 = a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 +
-         a6 * b1 + a7 * b0;
-    s8 = a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 +
-         a6 * b2 + a7 * b1 + a8 * b0;
-    s9 = a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 +
-         a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
-    s10 = a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 +
-          a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
-    s11 = a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 +
-          a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
-    s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 +
-          a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
-    s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 +
-          a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
-    s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 +
-          a9 * b5 + a10 * b4 + a11 * b3;
-    s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 +
-          a10 * b5 + a11 * b4;
-    s16 =
-        a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
-    s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
-    s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
-    s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
-    s20 = a9 * b11 + a10 * b10 + a11 * b9;
-    s21 = a10 * b11 + a11 * b10;
-    s22 = a11 * b11;
-    s23 = 0;
-    carry0 = (s0 + (int64_t) (1L << 20)) >> 21;
-    s1 += carry0;
-    s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry2 = (s2 + (int64_t) (1L << 20)) >> 21;
-    s3 += carry2;
-    s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry4 = (s4 + (int64_t) (1L << 20)) >> 21;
-    s5 += carry4;
-    s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry12 = (s12 + (int64_t) (1L << 20)) >> 21;
-    s13 += carry12;
-    s12 -= carry12 * ((uint64_t) 1L << 21);
-    carry14 = (s14 + (int64_t) (1L << 20)) >> 21;
-    s15 += carry14;
-    s14 -= carry14 * ((uint64_t) 1L << 21);
-    carry16 = (s16 + (int64_t) (1L << 20)) >> 21;
-    s17 += carry16;
-    s16 -= carry16 * ((uint64_t) 1L << 21);
-    carry18 = (s18 + (int64_t) (1L << 20)) >> 21;
-    s19 += carry18;
-    s18 -= carry18 * ((uint64_t) 1L << 21);
-    carry20 = (s20 + (int64_t) (1L << 20)) >> 21;
-    s21 += carry20;
-    s20 -= carry20 * ((uint64_t) 1L << 21);
-    carry22 = (s22 + (int64_t) (1L << 20)) >> 21;
-    s23 += carry22;
-    s22 -= carry22 * ((uint64_t) 1L << 21);
-    carry1 = (s1 + (int64_t) (1L << 20)) >> 21;
-    s2 += carry1;
-    s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry3 = (s3 + (int64_t) (1L << 20)) >> 21;
-    s4 += carry3;
-    s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry5 = (s5 + (int64_t) (1L << 20)) >> 21;
-    s6 += carry5;
-    s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
-    s12 += carry11;
-    s11 -= carry11 * ((uint64_t) 1L << 21);
-    carry13 = (s13 + (int64_t) (1L << 20)) >> 21;
-    s14 += carry13;
-    s13 -= carry13 * ((uint64_t) 1L << 21);
-    carry15 = (s15 + (int64_t) (1L << 20)) >> 21;
-    s16 += carry15;
-    s15 -= carry15 * ((uint64_t) 1L << 21);
-    carry17 = (s17 + (int64_t) (1L << 20)) >> 21;
-    s18 += carry17;
-    s17 -= carry17 * ((uint64_t) 1L << 21);
-    carry19 = (s19 + (int64_t) (1L << 20)) >> 21;
-    s20 += carry19;
-    s19 -= carry19 * ((uint64_t) 1L << 21);
-    carry21 = (s21 + (int64_t) (1L << 20)) >> 21;
-    s22 += carry21;
-    s21 -= carry21 * ((uint64_t) 1L << 21);
-    s11 += s23 * 666643;
-    s12 += s23 * 470296;
-    s13 += s23 * 654183;
-    s14 -= s23 * 997805;
-    s15 += s23 * 136657;
-    s16 -= s23 * 683901;
-    s10 += s22 * 666643;
-    s11 += s22 * 470296;
-    s12 += s22 * 654183;
-    s13 -= s22 * 997805;
-    s14 += s22 * 136657;
-    s15 -= s22 * 683901;
-    s9 += s21 * 666643;
-    s10 += s21 * 470296;
-    s11 += s21 * 654183;
-    s12 -= s21 * 997805;
-    s13 += s21 * 136657;
-    s14 -= s21 * 683901;
-    s8 += s20 * 666643;
-    s9 += s20 * 470296;
-    s10 += s20 * 654183;
-    s11 -= s20 * 997805;
-    s12 += s20 * 136657;
-    s13 -= s20 * 683901;
-    s7 += s19 * 666643;
-    s8 += s19 * 470296;
-    s9 += s19 * 654183;
-    s10 -= s19 * 997805;
-    s11 += s19 * 136657;
-    s12 -= s19 * 683901;
-    s6 += s18 * 666643;
-    s7 += s18 * 470296;
-    s8 += s18 * 654183;
-    s9 -= s18 * 997805;
-    s10 += s18 * 136657;
-    s11 -= s18 * 683901;
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry12 = (s12 + (int64_t) (1L << 20)) >> 21;
-    s13 += carry12;
-    s12 -= carry12 * ((uint64_t) 1L << 21);
-    carry14 = (s14 + (int64_t) (1L << 20)) >> 21;
-    s15 += carry14;
-    s14 -= carry14 * ((uint64_t) 1L << 21);
-    carry16 = (s16 + (int64_t) (1L << 20)) >> 21;
-    s17 += carry16;
-    s16 -= carry16 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
-    s12 += carry11;
-    s11 -= carry11 * ((uint64_t) 1L << 21);
-    carry13 = (s13 + (int64_t) (1L << 20)) >> 21;
-    s14 += carry13;
-    s13 -= carry13 * ((uint64_t) 1L << 21);
-    carry15 = (s15 + (int64_t) (1L << 20)) >> 21;
-    s16 += carry15;
-    s15 -= carry15 * ((uint64_t) 1L << 21);
-    s5 += s17 * 666643;
-    s6 += s17 * 470296;
-    s7 += s17 * 654183;
-    s8 -= s17 * 997805;
-    s9 += s17 * 136657;
-    s10 -= s17 * 683901;
-    s4 += s16 * 666643;
-    s5 += s16 * 470296;
-    s6 += s16 * 654183;
-    s7 -= s16 * 997805;
-    s8 += s16 * 136657;
-    s9 -= s16 * 683901;
-    s3 += s15 * 666643;
-    s4 += s15 * 470296;
-    s5 += s15 * 654183;
-    s6 -= s15 * 997805;
-    s7 += s15 * 136657;
-    s8 -= s15 * 683901;
-    s2 += s14 * 666643;
-    s3 += s14 * 470296;
-    s4 += s14 * 654183;
-    s5 -= s14 * 997805;
-    s6 += s14 * 136657;
-    s7 -= s14 * 683901;
-    s1 += s13 * 666643;
-    s2 += s13 * 470296;
-    s3 += s13 * 654183;
-    s4 -= s13 * 997805;
-    s5 += s13 * 136657;
-    s6 -= s13 * 683901;
-    s0 += s12 * 666643;
-    s1 += s12 * 470296;
-    s2 += s12 * 654183;
-    s3 -= s12 * 997805;
-    s4 += s12 * 136657;
-    s5 -= s12 * 683901;
-    s12 = 0;
-    carry0 = (s0 + (int64_t) (1L << 20)) >> 21;
-    s1 += carry0;
-    s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry2 = (s2 + (int64_t) (1L << 20)) >> 21;
-    s3 += carry2;
-    s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry4 = (s4 + (int64_t) (1L << 20)) >> 21;
-    s5 += carry4;
-    s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry1 = (s1 + (int64_t) (1L << 20)) >> 21;
-    s2 += carry1;
-    s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry3 = (s3 + (int64_t) (1L << 20)) >> 21;
-    s4 += carry3;
-    s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry5 = (s5 + (int64_t) (1L << 20)) >> 21;
-    s6 += carry5;
-    s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
-    s12 += carry11;
-    s11 -= carry11 * ((uint64_t) 1L << 21);
-    s0 += s12 * 666643;
-    s1 += s12 * 470296;
-    s2 += s12 * 654183;
-    s3 -= s12 * 997805;
-    s4 += s12 * 136657;
-    s5 -= s12 * 683901;
-    s12 = 0;
-    carry0 = s0 >> 21;
-    s1 += carry0;
-    s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry1 = s1 >> 21;
-    s2 += carry1;
-    s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry2 = s2 >> 21;
-    s3 += carry2;
-    s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry3 = s3 >> 21;
-    s4 += carry3;
-    s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry4 = s4 >> 21;
-    s5 += carry4;
-    s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry5 = s5 >> 21;
-    s6 += carry5;
-    s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry6 = s6 >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry7 = s7 >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry8 = s8 >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry9 = s9 >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry10 = s10 >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry11 = s11 >> 21;
-    s12 += carry11;
-    s11 -= carry11 * ((uint64_t) 1L << 21);
-    s0 += s12 * 666643;
-    s1 += s12 * 470296;
-    s2 += s12 * 654183;
-    s3 -= s12 * 997805;
-    s4 += s12 * 136657;
-    s5 -= s12 * 683901;
-    carry0 = s0 >> 21;
-    s1 += carry0;
-    s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry1 = s1 >> 21;
-    s2 += carry1;
-    s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry2 = s2 >> 21;
-    s3 += carry2;
-    s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry3 = s3 >> 21;
-    s4 += carry3;
-    s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry4 = s4 >> 21;
-    s5 += carry4;
-    s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry5 = s5 >> 21;
-    s6 += carry5;
-    s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry6 = s6 >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry7 = s7 >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry8 = s8 >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry9 = s9 >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry10 = s10 >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    s[0]  = s0 >> 0;
-    s[1]  = s0 >> 8;
-    s[2]  = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
-    s[3]  = s1 >> 3;
-    s[4]  = s1 >> 11;
-    s[5]  = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
-    s[6]  = s2 >> 6;
-    s[7]  = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
-    s[8]  = s3 >> 1;
-    s[9]  = s3 >> 9;
-    s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4));
-    s[11] = s4 >> 4;
-    s[12] = s4 >> 12;
-    s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1));
-    s[14] = s5 >> 7;
-    s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6));
-    s[16] = s6 >> 2;
-    s[17] = s6 >> 10;
-    s[18] = (s6 >> 18) | (s7 * ((uint64_t) 1 << 3));
-    s[19] = s7 >> 5;
-    s[20] = s7 >> 13;
-    s[21] = s8 >> 0;
-    s[22] = s8 >> 8;
-    s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5));
-    s[24] = s9 >> 3;
-    s[25] = s9 >> 11;
-    s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2));
-    s[27] = s10 >> 6;
-    s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7));
-    s[29] = s11 >> 1;
-    s[30] = s11 >> 9;
-    s[31] = s11 >> 17;
-}
-/*
- Input:
- a[0]+256*a[1]+...+256^31*a[31] = a
- b[0]+256*b[1]+...+256^31*b[31] = b
- c[0]+256*c[1]+...+256^31*c[31] = c
- *
- Output:
- s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
- where l = 2^252 + 27742317777372353535851937790883648493.
- */
-void
-sc25519_muladd(unsigned char s[32], const unsigned char a[32],
-               const unsigned char b[32], const unsigned char c[32])
-{
-    int64_t a0  = 2097151 & load_3(a);
-    int64_t a1  = 2097151 & (load_4(a + 2) >> 5);
-    int64_t a2  = 2097151 & (load_3(a + 5) >> 2);
-    int64_t a3  = 2097151 & (load_4(a + 7) >> 7);
-    int64_t a4  = 2097151 & (load_4(a + 10) >> 4);
-    int64_t a5  = 2097151 & (load_3(a + 13) >> 1);
-    int64_t a6  = 2097151 & (load_4(a + 15) >> 6);
-    int64_t a7  = 2097151 & (load_3(a + 18) >> 3);
-    int64_t a8  = 2097151 & load_3(a + 21);
-    int64_t a9  = 2097151 & (load_4(a + 23) >> 5);
-    int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
-    int64_t a11 = (load_4(a + 28) >> 7);
-    int64_t b0  = 2097151 & load_3(b);
-    int64_t b1  = 2097151 & (load_4(b + 2) >> 5);
-    int64_t b2  = 2097151 & (load_3(b + 5) >> 2);
-    int64_t b3  = 2097151 & (load_4(b + 7) >> 7);
-    int64_t b4  = 2097151 & (load_4(b + 10) >> 4);
-    int64_t b5  = 2097151 & (load_3(b + 13) >> 1);
-    int64_t b6  = 2097151 & (load_4(b + 15) >> 6);
-    int64_t b7  = 2097151 & (load_3(b + 18) >> 3);
-    int64_t b8  = 2097151 & load_3(b + 21);
-    int64_t b9  = 2097151 & (load_4(b + 23) >> 5);
-    int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
-    int64_t b11 = (load_4(b + 28) >> 7);
-    int64_t c0  = 2097151 & load_3(c);
-    int64_t c1  = 2097151 & (load_4(c + 2) >> 5);
-    int64_t c2  = 2097151 & (load_3(c + 5) >> 2);
-    int64_t c3  = 2097151 & (load_4(c + 7) >> 7);
-    int64_t c4  = 2097151 & (load_4(c + 10) >> 4);
-    int64_t c5  = 2097151 & (load_3(c + 13) >> 1);
-    int64_t c6  = 2097151 & (load_4(c + 15) >> 6);
-    int64_t c7  = 2097151 & (load_3(c + 18) >> 3);
-    int64_t c8  = 2097151 & load_3(c + 21);
-    int64_t c9  = 2097151 & (load_4(c + 23) >> 5);
-    int64_t c10 = 2097151 & (load_3(c + 26) >> 2);
-    int64_t c11 = (load_4(c + 28) >> 7);
-    int64_t s0;
-    int64_t s1;
-    int64_t s2;
-    int64_t s3;
-    int64_t s4;
-    int64_t s5;
-    int64_t s6;
-    int64_t s7;
-    int64_t s8;
-    int64_t s9;
-    int64_t s10;
-    int64_t s11;
-    int64_t s12;
-    int64_t s13;
-    int64_t s14;
-    int64_t s15;
-    int64_t s16;
-    int64_t s17;
-    int64_t s18;
-    int64_t s19;
-    int64_t s20;
-    int64_t s21;
-    int64_t s22;
-    int64_t s23;
-    int64_t carry0;
-    int64_t carry1;
-    int64_t carry2;
-    int64_t carry3;
-    int64_t carry4;
-    int64_t carry5;
-    int64_t carry6;
-    int64_t carry7;
-    int64_t carry8;
-    int64_t carry9;
-    int64_t carry10;
-    int64_t carry11;
-    int64_t carry12;
-    int64_t carry13;
-    int64_t carry14;
-    int64_t carry15;
-    int64_t carry16;
-    int64_t carry17;
-    int64_t carry18;
-    int64_t carry19;
-    int64_t carry20;
-    int64_t carry21;
-    int64_t carry22;
-    s0 = c0 + a0 * b0;
-    s1 = c1 + a0 * b1 + a1 * b0;
-    s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
-    s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
-    s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
-    s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
-    s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 +
-         a6 * b0;
-    s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 +
-         a6 * b1 + a7 * b0;
-    s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 +
-         a6 * b2 + a7 * b1 + a8 * b0;
-    s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 +
-         a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
-    s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 +
-          a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
-    s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 +
-          a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
-    s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 +
-          a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
-    s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 +
-          a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
-    s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 +
-          a9 * b5 + a10 * b4 + a11 * b3;
-    s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 +
-          a10 * b5 + a11 * b4;
-    s16 =
-        a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
-    s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
-    s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
-    s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
-    s20 = a9 * b11 + a10 * b10 + a11 * b9;
-    s21 = a10 * b11 + a11 * b10;
-    s22 = a11 * b11;
-    s23 = 0;
-    carry0 = (s0 + (int64_t) (1L << 20)) >> 21;
-    s1 += carry0;
-    s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry2 = (s2 + (int64_t) (1L << 20)) >> 21;
-    s3 += carry2;
-    s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry4 = (s4 + (int64_t) (1L << 20)) >> 21;
-    s5 += carry4;
-    s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry12 = (s12 + (int64_t) (1L << 20)) >> 21;
-    s13 += carry12;
-    s12 -= carry12 * ((uint64_t) 1L << 21);
-    carry14 = (s14 + (int64_t) (1L << 20)) >> 21;
-    s15 += carry14;
-    s14 -= carry14 * ((uint64_t) 1L << 21);
-    carry16 = (s16 + (int64_t) (1L << 20)) >> 21;
-    s17 += carry16;
-    s16 -= carry16 * ((uint64_t) 1L << 21);
-    carry18 = (s18 + (int64_t) (1L << 20)) >> 21;
-    s19 += carry18;
-    s18 -= carry18 * ((uint64_t) 1L << 21);
-    carry20 = (s20 + (int64_t) (1L << 20)) >> 21;
-    s21 += carry20;
-    s20 -= carry20 * ((uint64_t) 1L << 21);
-    carry22 = (s22 + (int64_t) (1L << 20)) >> 21;
-    s23 += carry22;
-    s22 -= carry22 * ((uint64_t) 1L << 21);
-    carry1 = (s1 + (int64_t) (1L << 20)) >> 21;
-    s2 += carry1;
-    s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry3 = (s3 + (int64_t) (1L << 20)) >> 21;
-    s4 += carry3;
-    s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry5 = (s5 + (int64_t) (1L << 20)) >> 21;
-    s6 += carry5;
-    s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
-    s12 += carry11;
-    s11 -= carry11 * ((uint64_t) 1L << 21);
-    carry13 = (s13 + (int64_t) (1L << 20)) >> 21;
-    s14 += carry13;
-    s13 -= carry13 * ((uint64_t) 1L << 21);
-    carry15 = (s15 + (int64_t) (1L << 20)) >> 21;
-    s16 += carry15;
-    s15 -= carry15 * ((uint64_t) 1L << 21);
-    carry17 = (s17 + (int64_t) (1L << 20)) >> 21;
-    s18 += carry17;
-    s17 -= carry17 * ((uint64_t) 1L << 21);
-    carry19 = (s19 + (int64_t) (1L << 20)) >> 21;
-    s20 += carry19;
-    s19 -= carry19 * ((uint64_t) 1L << 21);
-    carry21 = (s21 + (int64_t) (1L << 20)) >> 21;
-    s22 += carry21;
-    s21 -= carry21 * ((uint64_t) 1L << 21);
-    s11 += s23 * 666643;
-    s12 += s23 * 470296;
-    s13 += s23 * 654183;
-    s14 -= s23 * 997805;
-    s15 += s23 * 136657;
-    s16 -= s23 * 683901;
-    s10 += s22 * 666643;
-    s11 += s22 * 470296;
-    s12 += s22 * 654183;
-    s13 -= s22 * 997805;
-    s14 += s22 * 136657;
-    s15 -= s22 * 683901;
-    s9 += s21 * 666643;
-    s10 += s21 * 470296;
-    s11 += s21 * 654183;
-    s12 -= s21 * 997805;
-    s13 += s21 * 136657;
-    s14 -= s21 * 683901;
-    s8 += s20 * 666643;
-    s9 += s20 * 470296;
-    s10 += s20 * 654183;
-    s11 -= s20 * 997805;
-    s12 += s20 * 136657;
-    s13 -= s20 * 683901;
-    s7 += s19 * 666643;
-    s8 += s19 * 470296;
-    s9 += s19 * 654183;
-    s10 -= s19 * 997805;
-    s11 += s19 * 136657;
-    s12 -= s19 * 683901;
-    s6 += s18 * 666643;
-    s7 += s18 * 470296;
-    s8 += s18 * 654183;
-    s9 -= s18 * 997805;
-    s10 += s18 * 136657;
-    s11 -= s18 * 683901;
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry12 = (s12 + (int64_t) (1L << 20)) >> 21;
-    s13 += carry12;
-    s12 -= carry12 * ((uint64_t) 1L << 21);
-    carry14 = (s14 + (int64_t) (1L << 20)) >> 21;
-    s15 += carry14;
-    s14 -= carry14 * ((uint64_t) 1L << 21);
-    carry16 = (s16 + (int64_t) (1L << 20)) >> 21;
-    s17 += carry16;
-    s16 -= carry16 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
-    s12 += carry11;
-    s11 -= carry11 * ((uint64_t) 1L << 21);
-    carry13 = (s13 + (int64_t) (1L << 20)) >> 21;
-    s14 += carry13;
-    s13 -= carry13 * ((uint64_t) 1L << 21);
-    carry15 = (s15 + (int64_t) (1L << 20)) >> 21;
-    s16 += carry15;
-    s15 -= carry15 * ((uint64_t) 1L << 21);
-    s5 += s17 * 666643;
-    s6 += s17 * 470296;
-    s7 += s17 * 654183;
-    s8 -= s17 * 997805;
-    s9 += s17 * 136657;
-    s10 -= s17 * 683901;
-    s4 += s16 * 666643;
-    s5 += s16 * 470296;
-    s6 += s16 * 654183;
-    s7 -= s16 * 997805;
-    s8 += s16 * 136657;
-    s9 -= s16 * 683901;
-    s3 += s15 * 666643;
-    s4 += s15 * 470296;
-    s5 += s15 * 654183;
-    s6 -= s15 * 997805;
-    s7 += s15 * 136657;
-    s8 -= s15 * 683901;
-    s2 += s14 * 666643;
-    s3 += s14 * 470296;
-    s4 += s14 * 654183;
-    s5 -= s14 * 997805;
-    s6 += s14 * 136657;
-    s7 -= s14 * 683901;
-    s1 += s13 * 666643;
-    s2 += s13 * 470296;
-    s3 += s13 * 654183;
-    s4 -= s13 * 997805;
-    s5 += s13 * 136657;
-    s6 -= s13 * 683901;
-    s0 += s12 * 666643;
-    s1 += s12 * 470296;
-    s2 += s12 * 654183;
-    s3 -= s12 * 997805;
-    s4 += s12 * 136657;
-    s5 -= s12 * 683901;
-    s12 = 0;
-    carry0 = (s0 + (int64_t) (1L << 20)) >> 21;
-    s1 += carry0;
-    s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry2 = (s2 + (int64_t) (1L << 20)) >> 21;
-    s3 += carry2;
-    s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry4 = (s4 + (int64_t) (1L << 20)) >> 21;
-    s5 += carry4;
-    s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry1 = (s1 + (int64_t) (1L << 20)) >> 21;
-    s2 += carry1;
-    s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry3 = (s3 + (int64_t) (1L << 20)) >> 21;
-    s4 += carry3;
-    s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry5 = (s5 + (int64_t) (1L << 20)) >> 21;
-    s6 += carry5;
-    s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
-    s12 += carry11;
-    s11 -= carry11 * ((uint64_t) 1L << 21);
-    s0 += s12 * 666643;
-    s1 += s12 * 470296;
-    s2 += s12 * 654183;
-    s3 -= s12 * 997805;
-    s4 += s12 * 136657;
-    s5 -= s12 * 683901;
-    s12 = 0;
-    carry0 = s0 >> 21;
-    s1 += carry0;
-    s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry1 = s1 >> 21;
-    s2 += carry1;
-    s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry2 = s2 >> 21;
-    s3 += carry2;
-    s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry3 = s3 >> 21;
-    s4 += carry3;
-    s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry4 = s4 >> 21;
-    s5 += carry4;
-    s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry5 = s5 >> 21;
-    s6 += carry5;
-    s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry6 = s6 >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry7 = s7 >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry8 = s8 >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry9 = s9 >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry10 = s10 >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry11 = s11 >> 21;
-    s12 += carry11;
-    s11 -= carry11 * ((uint64_t) 1L << 21);
-    s0 += s12 * 666643;
-    s1 += s12 * 470296;
-    s2 += s12 * 654183;
-    s3 -= s12 * 997805;
-    s4 += s12 * 136657;
-    s5 -= s12 * 683901;
-    carry0 = s0 >> 21;
-    s1 += carry0;
-    s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry1 = s1 >> 21;
-    s2 += carry1;
-    s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry2 = s2 >> 21;
-    s3 += carry2;
-    s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry3 = s3 >> 21;
-    s4 += carry3;
-    s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry4 = s4 >> 21;
-    s5 += carry4;
-    s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry5 = s5 >> 21;
-    s6 += carry5;
-    s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry6 = s6 >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry7 = s7 >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry8 = s8 >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry9 = s9 >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry10 = s10 >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    s[0]  = s0 >> 0;
-    s[1]  = s0 >> 8;
-    s[2]  = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
-    s[3]  = s1 >> 3;
-    s[4]  = s1 >> 11;
-    s[5]  = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
-    s[6]  = s2 >> 6;
-    s[7]  = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
-    s[8]  = s3 >> 1;
-    s[9]  = s3 >> 9;
-    s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4));
-    s[11] = s4 >> 4;
-    s[12] = s4 >> 12;
-    s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1));
-    s[14] = s5 >> 7;
-    s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6));
-    s[16] = s6 >> 2;
-    s[17] = s6 >> 10;
-    s[18] = (s6 >> 18) | (s7 * ((uint64_t) 1 << 3));
-    s[19] = s7 >> 5;
-    s[20] = s7 >> 13;
-    s[21] = s8 >> 0;
-    s[22] = s8 >> 8;
-    s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5));
-    s[24] = s9 >> 3;
-    s[25] = s9 >> 11;
-    s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2));
-    s[27] = s10 >> 6;
-    s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7));
-    s[29] = s11 >> 1;
-    s[30] = s11 >> 9;
-    s[31] = s11 >> 17;
-}
-/*
- Input:
- a[0]+256*a[1]+...+256^31*a[31] = a
- *
- Output:
- s[0]+256*s[1]+...+256^31*s[31] = a^2 mod l
- where l = 2^252 + 27742317777372353535851937790883648493.
- */
-static inline void
-sc25519_sq(unsigned char *s, const unsigned char *a)
-{
-    sc25519_mul(s, a, a);
-}
-/*
- Input:
- s[0]+256*a[1]+...+256^31*a[31] = a
- n
- *
- Output:
- s[0]+256*s[1]+...+256^31*s[31] = x * s^(s^n) mod l
- where l = 2^252 + 27742317777372353535851937790883648493.
- Overwrites s in place.
- */
-static inline void
-sc25519_sqmul(unsigned char s[32], const int n, const unsigned char a[32])
-{
-    int i;
-    for (i = 0; i < n; i++) {
-        sc25519_sq(s, s);
-    }
-    sc25519_mul(s, s, a);
-}
-void
-sc25519_invert(unsigned char recip[32], const unsigned char s[32])
-{
-    unsigned char _10[32], _100[32], _1000[32], _10000[32], _100000[32],
-        _1000000[32], _10010011[32], _10010111[32], _100110[32], _1010[32],
-        _1010000[32], _1010011[32], _1011[32], _10110[32], _10111101[32],
-        _11[32], _1100011[32], _1100111[32], _11010011[32], _1101011[32],
-        _11100111[32], _11101011[32], _11110101[32];
-    sc25519_sq(_10, s);
-    sc25519_mul(_11, s, _10);
-    sc25519_mul(_100, s, _11);
-    sc25519_sq(_1000, _100);
-    sc25519_mul(_1010, _10, _1000);
-    sc25519_mul(_1011, s, _1010);
-    sc25519_sq(_10000, _1000);
-    sc25519_sq(_10110, _1011);
-    sc25519_mul(_100000, _1010, _10110);
-    sc25519_mul(_100110, _10000, _10110);
-    sc25519_sq(_1000000, _100000);
-    sc25519_mul(_1010000, _10000, _1000000);
-    sc25519_mul(_1010011, _11, _1010000);
-    sc25519_mul(_1100011, _10000, _1010011);
-    sc25519_mul(_1100111, _100, _1100011);
-    sc25519_mul(_1101011, _100, _1100111);
-    sc25519_mul(_10010011, _1000000, _1010011);
-    sc25519_mul(_10010111, _100, _10010011);
-    sc25519_mul(_10111101, _100110, _10010111);
-    sc25519_mul(_11010011, _10110, _10111101);
-    sc25519_mul(_11100111, _1010000, _10010111);
-    sc25519_mul(_11101011, _100, _11100111);
-    sc25519_mul(_11110101, _1010, _11101011);
-    sc25519_mul(recip, _1011, _11110101);
-    sc25519_sqmul(recip, 126, _1010011);
-    sc25519_sqmul(recip, 9, _10);
-    sc25519_mul(recip, recip, _11110101);
-    sc25519_sqmul(recip, 7, _1100111);
-    sc25519_sqmul(recip, 9, _11110101);
-    sc25519_sqmul(recip, 11, _10111101);
-    sc25519_sqmul(recip, 8, _11100111);
-    sc25519_sqmul(recip, 9, _1101011);
-    sc25519_sqmul(recip, 6, _1011);
-    sc25519_sqmul(recip, 14, _10010011);
-    sc25519_sqmul(recip, 10, _1100011);
-    sc25519_sqmul(recip, 9, _10010111);
-    sc25519_sqmul(recip, 10, _11110101);
-    sc25519_sqmul(recip, 8, _11010011);
-    sc25519_sqmul(recip, 8, _11101011);
-}
-/*
- Input:
- s[0]+256*s[1]+...+256^63*s[63] = s
- *
- Output:
- s[0]+256*s[1]+...+256^31*s[31] = s mod l
- where l = 2^252 + 27742317777372353535851937790883648493.
- Overwrites s in place.
- */
-void
-sc25519_reduce(unsigned char s[64])
-{
-    int64_t s0  = 2097151 & load_3(s);
-    int64_t s1  = 2097151 & (load_4(s + 2) >> 5);
-    int64_t s2  = 2097151 & (load_3(s + 5) >> 2);
-    int64_t s3  = 2097151 & (load_4(s + 7) >> 7);
-    int64_t s4  = 2097151 & (load_4(s + 10) >> 4);
-    int64_t s5  = 2097151 & (load_3(s + 13) >> 1);
-    int64_t s6  = 2097151 & (load_4(s + 15) >> 6);
-    int64_t s7  = 2097151 & (load_3(s + 18) >> 3);
-    int64_t s8  = 2097151 & load_3(s + 21);
-    int64_t s9  = 2097151 & (load_4(s + 23) >> 5);
-    int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
-    int64_t s11 = 2097151 & (load_4(s + 28) >> 7);
-    int64_t s12 = 2097151 & (load_4(s + 31) >> 4);
-    int64_t s13 = 2097151 & (load_3(s + 34) >> 1);
-    int64_t s14 = 2097151 & (load_4(s + 36) >> 6);
-    int64_t s15 = 2097151 & (load_3(s + 39) >> 3);
-    int64_t s16 = 2097151 & load_3(s + 42);
-    int64_t s17 = 2097151 & (load_4(s + 44) >> 5);
-    int64_t s18 = 2097151 & (load_3(s + 47) >> 2);
-    int64_t s19 = 2097151 & (load_4(s + 49) >> 7);
-    int64_t s20 = 2097151 & (load_4(s + 52) >> 4);
-    int64_t s21 = 2097151 & (load_3(s + 55) >> 1);
-    int64_t s22 = 2097151 & (load_4(s + 57) >> 6);
-    int64_t s23 = (load_4(s + 60) >> 3);
-    int64_t carry0;
-    int64_t carry1;
-    int64_t carry2;
-    int64_t carry3;
-    int64_t carry4;
-    int64_t carry5;
-    int64_t carry6;
-    int64_t carry7;
-    int64_t carry8;
-    int64_t carry9;
-    int64_t carry10;
-    int64_t carry11;
-    int64_t carry12;
-    int64_t carry13;
-    int64_t carry14;
-    int64_t carry15;
-    int64_t carry16;
-    s11 += s23 * 666643;
-    s12 += s23 * 470296;
-    s13 += s23 * 654183;
-    s14 -= s23 * 997805;
-    s15 += s23 * 136657;
-    s16 -= s23 * 683901;
-    s10 += s22 * 666643;
-    s11 += s22 * 470296;
-    s12 += s22 * 654183;
-    s13 -= s22 * 997805;
-    s14 += s22 * 136657;
-    s15 -= s22 * 683901;
-    s9 += s21 * 666643;
-    s10 += s21 * 470296;
-    s11 += s21 * 654183;
-    s12 -= s21 * 997805;
-    s13 += s21 * 136657;
-    s14 -= s21 * 683901;
-    s8 += s20 * 666643;
-    s9 += s20 * 470296;
-    s10 += s20 * 654183;
-    s11 -= s20 * 997805;
-    s12 += s20 * 136657;
-    s13 -= s20 * 683901;
-    s7 += s19 * 666643;
-    s8 += s19 * 470296;
-    s9 += s19 * 654183;
-    s10 -= s19 * 997805;
-    s11 += s19 * 136657;
-    s12 -= s19 * 683901;
-    s6 += s18 * 666643;
-    s7 += s18 * 470296;
-    s8 += s18 * 654183;
-    s9 -= s18 * 997805;
-    s10 += s18 * 136657;
-    s11 -= s18 * 683901;
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry12 = (s12 + (int64_t) (1L << 20)) >> 21;
-    s13 += carry12;
-    s12 -= carry12 * ((uint64_t) 1L << 21);
-    carry14 = (s14 + (int64_t) (1L << 20)) >> 21;
-    s15 += carry14;
-    s14 -= carry14 * ((uint64_t) 1L << 21);
-    carry16 = (s16 + (int64_t) (1L << 20)) >> 21;
-    s17 += carry16;
-    s16 -= carry16 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
-    s12 += carry11;
-    s11 -= carry11 * ((uint64_t) 1L << 21);
-    carry13 = (s13 + (int64_t) (1L << 20)) >> 21;
-    s14 += carry13;
-    s13 -= carry13 * ((uint64_t) 1L << 21);
-    carry15 = (s15 + (int64_t) (1L << 20)) >> 21;
-    s16 += carry15;
-    s15 -= carry15 * ((uint64_t) 1L << 21);
-    s5 += s17 * 666643;
-    s6 += s17 * 470296;
-    s7 += s17 * 654183;
-    s8 -= s17 * 997805;
-    s9 += s17 * 136657;
-    s10 -= s17 * 683901;
-    s4 += s16 * 666643;
-    s5 += s16 * 470296;
-    s6 += s16 * 654183;
-    s7 -= s16 * 997805;
-    s8 += s16 * 136657;
-    s9 -= s16 * 683901;
-    s3 += s15 * 666643;
-    s4 += s15 * 470296;
-    s5 += s15 * 654183;
-    s6 -= s15 * 997805;
-    s7 += s15 * 136657;
-    s8 -= s15 * 683901;
-    s2 += s14 * 666643;
-    s3 += s14 * 470296;
-    s4 += s14 * 654183;
-    s5 -= s14 * 997805;
-    s6 += s14 * 136657;
-    s7 -= s14 * 683901;
-    s1 += s13 * 666643;
-    s2 += s13 * 470296;
-    s3 += s13 * 654183;
-    s4 -= s13 * 997805;
-    s5 += s13 * 136657;
-    s6 -= s13 * 683901;
-    s0 += s12 * 666643;
-    s1 += s12 * 470296;
-    s2 += s12 * 654183;
-    s3 -= s12 * 997805;
-    s4 += s12 * 136657;
-    s5 -= s12 * 683901;
-    s12 = 0;
-    carry0 = (s0 + (int64_t) (1L << 20)) >> 21;
-    s1 += carry0;
-    s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry2 = (s2 + (int64_t) (1L << 20)) >> 21;
-    s3 += carry2;
-    s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry4 = (s4 + (int64_t) (1L << 20)) >> 21;
-    s5 += carry4;
-    s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry1 = (s1 + (int64_t) (1L << 20)) >> 21;
-    s2 += carry1;
-    s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry3 = (s3 + (int64_t) (1L << 20)) >> 21;
-    s4 += carry3;
-    s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry5 = (s5 + (int64_t) (1L << 20)) >> 21;
-    s6 += carry5;
-    s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
-    s12 += carry11;
-    s11 -= carry11 * ((uint64_t) 1L << 21);
-    s0 += s12 * 666643;
-    s1 += s12 * 470296;
-    s2 += s12 * 654183;
-    s3 -= s12 * 997805;
-    s4 += s12 * 136657;
-    s5 -= s12 * 683901;
-    s12 = 0;
-    carry0 = s0 >> 21;
-    s1 += carry0;
-    s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry1 = s1 >> 21;
-    s2 += carry1;
-    s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry2 = s2 >> 21;
-    s3 += carry2;
-    s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry3 = s3 >> 21;
-    s4 += carry3;
-    s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry4 = s4 >> 21;
-    s5 += carry4;
-    s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry5 = s5 >> 21;
-    s6 += carry5;
-    s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry6 = s6 >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry7 = s7 >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry8 = s8 >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry9 = s9 >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry10 = s10 >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    carry11 = s11 >> 21;
-    s12 += carry11;
-    s11 -= carry11 * ((uint64_t) 1L << 21);
-    s0 += s12 * 666643;
-    s1 += s12 * 470296;
-    s2 += s12 * 654183;
-    s3 -= s12 * 997805;
-    s4 += s12 * 136657;
-    s5 -= s12 * 683901;
-    carry0 = s0 >> 21;
-    s1 += carry0;
-    s0 -= carry0 * ((uint64_t) 1L << 21);
-    carry1 = s1 >> 21;
-    s2 += carry1;
-    s1 -= carry1 * ((uint64_t) 1L << 21);
-    carry2 = s2 >> 21;
-    s3 += carry2;
-    s2 -= carry2 * ((uint64_t) 1L << 21);
-    carry3 = s3 >> 21;
-    s4 += carry3;
-    s3 -= carry3 * ((uint64_t) 1L << 21);
-    carry4 = s4 >> 21;
-    s5 += carry4;
-    s4 -= carry4 * ((uint64_t) 1L << 21);
-    carry5 = s5 >> 21;
-    s6 += carry5;
-    s5 -= carry5 * ((uint64_t) 1L << 21);
-    carry6 = s6 >> 21;
-    s7 += carry6;
-    s6 -= carry6 * ((uint64_t) 1L << 21);
-    carry7 = s7 >> 21;
-    s8 += carry7;
-    s7 -= carry7 * ((uint64_t) 1L << 21);
-    carry8 = s8 >> 21;
-    s9 += carry8;
-    s8 -= carry8 * ((uint64_t) 1L << 21);
-    carry9 = s9 >> 21;
-    s10 += carry9;
-    s9 -= carry9 * ((uint64_t) 1L << 21);
-    carry10 = s10 >> 21;
-    s11 += carry10;
-    s10 -= carry10 * ((uint64_t) 1L << 21);
-    s[0]  = s0 >> 0;
-    s[1]  = s0 >> 8;
-    s[2]  = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
-    s[3]  = s1 >> 3;
-    s[4]  = s1 >> 11;
-    s[5]  = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
-    s[6]  = s2 >> 6;
-    s[7]  = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
-    s[8]  = s3 >> 1;
-    s[9]  = s3 >> 9;
-    s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4));
-    s[11] = s4 >> 4;
-    s[12] = s4 >> 12;
-    s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1));
-    s[14] = s5 >> 7;
-    s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6));
-    s[16] = s6 >> 2;
-    s[17] = s6 >> 10;
-    s[18] = (s6 >> 18) | (s7 * ((uint64_t) 1 << 3));
-    s[19] = s7 >> 5;
-    s[20] = s7 >> 13;
-    s[21] = s8 >> 0;
-    s[22] = s8 >> 8;
-    s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5));
-    s[24] = s9 >> 3;
-    s[25] = s9 >> 11;
-    s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2));
-    s[27] = s10 >> 6;
-    s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7));
-    s[29] = s11 >> 1;
-    s[30] = s11 >> 9;
-    s[31] = s11 >> 17;
-}
-int
-sc25519_is_canonical(const unsigned char s[32])
-{
-    /* 2^252+27742317777372353535851937790883648493 */
-    static const unsigned char L[32] = {
-        0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7,
-        0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
-    };
-    unsigned char c = 0;
-    unsigned char n = 1;
-    unsigned int  i = 32;
-    do {
-        i--;
-        c |= ((s[i] - L[i]) >> 8) & n;
-        n &= ((s[i] ^ L[i]) - 1) >> 8;
-    } while (i != 0);
-    return (c != 0);
-}
-/* multiply by the cofactor */
-static void
-ge25519_clear_cofactor(ge25519_p3 *p3)
-{
-    ge25519_p1p1 p1;
-    ge25519_p2   p2;
-    ge25519_p3_dbl(&p1, p3);
-    ge25519_p1p1_to_p2(&p2, &p1);
-    ge25519_p2_dbl(&p1, &p2);
-    ge25519_p1p1_to_p2(&p2, &p1);
-    ge25519_p2_dbl(&p1, &p2);
-    ge25519_p1p1_to_p3(p3, &p1);
-}
-static void
-ge25519_elligator2(unsigned char s[32], const fe25519 r, const unsigned char x_sign)
-{
-    fe25519      gx;
-    fe25519      negx;
-    fe25519      rr2;
-    fe25519      x, x2, x3;
-    ge25519_p3   p3;
-    unsigned int notsquare;
-    fe25519_sq2(rr2, r);
-    rr2[0]++;
-    fe25519_invert(rr2, rr2);
-    fe25519_mul32(x, rr2, curve25519_A[0]);
-    fe25519_neg(x, x);
-    fe25519_sq(x2, x);
-    fe25519_mul(x3, x, x2);
-    fe25519_add(gx, x3, x);
-    fe25519_mul32(x2, x2, curve25519_A[0]);
-    fe25519_add(gx, x2, gx);
-    notsquare = fe25519_notsquare(gx);
-    fe25519_neg(negx, x);
-    fe25519_cmov(x, negx, notsquare);
-    fe25519_0(x2);
-    fe25519_cmov(x2, curve25519_A, notsquare);
-    fe25519_sub(x, x, x2);
-    /* yed = (x-1)/(x+1) */
-    {
-        fe25519 one;
-        fe25519 x_plus_one;
-        fe25519 x_plus_one_inv;
-        fe25519 x_minus_one;
-        fe25519 yed;
-        fe25519_1(one);
-        fe25519_add(x_plus_one, x, one);
-        fe25519_sub(x_minus_one, x, one);
-        fe25519_invert(x_plus_one_inv, x_plus_one);
-        fe25519_mul(yed, x_minus_one, x_plus_one_inv);
-        fe25519_tobytes(s, yed);
-    }
-    /* recover x */
-    s[31] |= x_sign;
-    if (ge25519_frombytes(&p3, s) != 0) {
-        abort(); /* LCOV_EXCL_LINE */
-    }
-    ge25519_clear_cofactor(&p3);
-    ge25519_p3_tobytes(s, &p3);
-}
-void
-ge25519_from_uniform(unsigned char s[32], const unsigned char r[32])
-{
-    fe25519       r_fe;
-    unsigned char x_sign;
-    memcpy(s, r, 32);
-    x_sign = s[31] & 0x80;
-    s[31] &= 0x7f;
-    fe25519_frombytes(r_fe, s);
-    ge25519_elligator2(s, r_fe, x_sign);
-}
-void
-ge25519_from_hash(unsigned char s[32], const unsigned char h[64])
-{
-    unsigned char fl[32];
-    unsigned char gl[32];
-    fe25519       fe_f;
-    fe25519       fe_g;
-    size_t        i;
-    unsigned char x_sign;
-    x_sign = h[0] & 0x80;
-    for (i = 0; i < 32; i++) {
-        fl[i] = h[63 - i];
-        gl[i] = h[31 - i];
-    }
-    fl[31] &= 0x7f;
-    gl[31] &= 0x7f;
-    fe25519_frombytes(fe_f, fl);
-    fe25519_frombytes(fe_g, gl);
-    fe_f[0] += (h[32] >> 7) * 19;
-    for (i = 0; i < sizeof (fe25519) / sizeof fe_f[0]; i++) {
-        fe_f[i] += 38 * fe_g[i];
-    }
-    fe25519_reduce(fe_f, fe_f);
-    ge25519_elligator2(s, fe_f, x_sign);
-}
-/* Ristretto group */
-static int
-ristretto255_sqrt_ratio_m1(fe25519 x, const fe25519 u, const fe25519 v)
-{
-    fe25519 v3;
-    fe25519 vxx;
-    fe25519 m_root_check, p_root_check, f_root_check;
-    fe25519 x_sqrtm1;
-    int     has_m_root, has_p_root, has_f_root;
-    fe25519_sq(v3, v);
-    fe25519_mul(v3, v3, v); /* v3 = v^3 */
-    fe25519_sq(x, v3);
-    fe25519_mul(x, x, v);
-    fe25519_mul(x, x, u); /* x = uv^7 */
-    fe25519_pow22523(x, x); /* x = (uv^7)^((q-5)/8) */
-    fe25519_mul(x, x, v3);
-    fe25519_mul(x, x, u); /* x = uv^3(uv^7)^((q-5)/8) */
-    fe25519_sq(vxx, x);
-    fe25519_mul(vxx, vxx, v); /* vx^2 */
-    fe25519_sub(m_root_check, vxx, u); /* vx^2-u */
-    fe25519_add(p_root_check, vxx, u); /* vx^2+u */
-    fe25519_mul(f_root_check, u, sqrtm1); /* u*sqrt(-1) */
-    fe25519_add(f_root_check, vxx, f_root_check); /* vx^2+u*sqrt(-1) */
-    has_m_root = fe25519_iszero(m_root_check);
-    has_p_root = fe25519_iszero(p_root_check);
-    has_f_root = fe25519_iszero(f_root_check);
-    fe25519_mul(x_sqrtm1, x, sqrtm1); /* x*sqrt(-1) */
-    fe25519_cmov(x, x_sqrtm1, has_p_root | has_f_root);
-    fe25519_abs(x, x);
-    return has_m_root | has_p_root;
-}
-static int
-ristretto255_is_canonical(const unsigned char *s)
-{
-    unsigned char c;
-    unsigned char d;
-    unsigned char e;
-    unsigned int  i;
-    c = (s[31] & 0x7f) ^ 0x7f;
-    for (i = 30; i > 0; i--) {
-        c |= s[i] ^ 0xff;
-    }
-    c = (((unsigned int) c) - 1U) >> 8;
-    d = (0xed - 1U - (unsigned int) s[0]) >> 8;
-    e = s[31] >> 7;
-    return 1 - (((c & d) | e | s[0]) & 1);
-}
-int
-ristretto255_frombytes(ge25519_p3 *h, const unsigned char *s)
-{
-    fe25519 inv_sqrt;
-    fe25519 one;
-    fe25519 s_;
-    fe25519 ss;
-    fe25519 u1, u2;
-    fe25519 u1u1, u2u2;
-    fe25519 v;
-    fe25519 v_u2u2;
-    int     was_square;
-    if (ristretto255_is_canonical(s) == 0) {
-        return -1;
-    }
-    fe25519_frombytes(s_, s);
-    fe25519_sq(ss, s_);                /* ss = s^2 */
-    fe25519_1(u1);
-    fe25519_sub(u1, u1, ss);           /* u1 = 1-ss */
-    fe25519_sq(u1u1, u1);              /* u1u1 = u1^2 */
-    fe25519_1(u2);
-    fe25519_add(u2, u2, ss);           /* u2 = 1+ss */
-    fe25519_sq(u2u2, u2);              /* u2u2 = u2^2 */
-    fe25519_mul(v, d, u1u1);           /* v = d*u1^2 */
-    fe25519_neg(v, v);                 /* v = -d*u1^2 */
-    fe25519_sub(v, v, u2u2);           /* v = -(d*u1^2)-u2^2 */
-    fe25519_mul(v_u2u2, v, u2u2);      /* v_u2u2 = v*u2^2 */
-    fe25519_1(one);
-    was_square = ristretto255_sqrt_ratio_m1(inv_sqrt, one, v_u2u2);
-    fe25519_mul(h->X, inv_sqrt, u2);
-    fe25519_mul(h->Y, inv_sqrt, h->X);
-    fe25519_mul(h->Y, h->Y, v);
-    fe25519_mul(h->X, h->X, s_);
-    fe25519_add(h->X, h->X, h->X);
-    fe25519_abs(h->X, h->X);
-    fe25519_mul(h->Y, u1, h->Y);
-    fe25519_1(h->Z);
-    fe25519_mul(h->T, h->X, h->Y);
-    return - ((1 - was_square) |
-              fe25519_isnegative(h->T) | fe25519_iszero(h->Y));
-}
-void
-ristretto255_p3_tobytes(unsigned char *s, const ge25519_p3 *h)
-{
-    fe25519 den1, den2;
-    fe25519 den_inv;
-    fe25519 eden;
-    fe25519 inv_sqrt;
-    fe25519 ix, iy;
-    fe25519 one;
-    fe25519 s_;
-    fe25519 t_z_inv;
-    fe25519 u1, u2;
-    fe25519 u1_u2u2;
-    fe25519 x_, y_;
-    fe25519 x_z_inv;
-    fe25519 z_inv;
-    fe25519 zmy;
-    int     rotate;
-    fe25519_add(u1, h->Z, h->Y);       /* u1 = Z+Y */
-    fe25519_sub(zmy, h->Z, h->Y);      /* zmy = Z-Y */
-    fe25519_mul(u1, u1, zmy);          /* u1 = (Z+Y)*(Z-Y) */
-    fe25519_mul(u2, h->X, h->Y);       /* u2 = X*Y */
-    fe25519_sq(u1_u2u2, u2);           /* u1_u2u2 = u2^2 */
-    fe25519_mul(u1_u2u2, u1, u1_u2u2); /* u1_u2u2 = u1*u2^2 */
-    fe25519_1(one);
-    (void) ristretto255_sqrt_ratio_m1(inv_sqrt, one, u1_u2u2);
-    fe25519_mul(den1, inv_sqrt, u1);   /* den1 = inv_sqrt*u1 */
-    fe25519_mul(den2, inv_sqrt, u2);   /* den2 = inv_sqrt*u2 */
-    fe25519_mul(z_inv, den1, den2);    /* z_inv = den1*den2 */
-    fe25519_mul(z_inv, z_inv, h->T);   /* z_inv = den1*den2*T */
-    fe25519_mul(ix, h->X, sqrtm1);     /* ix = X*sqrt(-1) */
-    fe25519_mul(iy, h->Y, sqrtm1);     /* iy = Y*sqrt(-1) */
-    fe25519_mul(eden, den1, invsqrtamd); /* eden = den1/sqrt(a-d) */
-    fe25519_mul(t_z_inv, h->T, z_inv); /* t_z_inv = T*z_inv */
-    rotate = fe25519_isnegative(t_z_inv);
-    fe25519_copy(x_, h->X);
-    fe25519_copy(y_, h->Y);
-    fe25519_copy(den_inv, den2);
-    fe25519_cmov(x_, iy, rotate);
-    fe25519_cmov(y_, ix, rotate);
-    fe25519_cmov(den_inv, eden, rotate);
-    fe25519_mul(x_z_inv, x_, z_inv);
-    fe25519_cneg(y_, y_, fe25519_isnegative(x_z_inv));
-    fe25519_sub(s_, h->Z, y_);
-    fe25519_mul(s_, den_inv, s_);
-    fe25519_abs(s_, s_);
-    fe25519_tobytes(s, s_);
-}
-static void
-ristretto255_elligator(ge25519_p3 *p, const fe25519 t)
-{
-    fe25519 c;
-    fe25519 n;
-    fe25519 one;
-    fe25519 r;
-    fe25519 rpd;
-    fe25519 s, s_prime;
-    fe25519 ss;
-    fe25519 u, v;
-    fe25519 w0, w1, w2, w3;
-    int     wasnt_square;
-    fe25519_1(one);
-    fe25519_sq(r, t);                  /* r = t^2 */
-    fe25519_mul(r, sqrtm1, r);         /* r = sqrt(-1)*t^2 */
-    fe25519_add(u, r, one);            /* u = r+1 */
-    fe25519_mul(u, u, onemsqd);        /* u = (r+1)*(1-d^2) */
-    fe25519_1(c);
-    fe25519_neg(c, c);                 /* c = -1 */
-    fe25519_add(rpd, r, d);            /* rpd = r+d */
-    fe25519_mul(v, r, d);              /* v = r*d */
-    fe25519_sub(v, c, v);              /* v = c-r*d */
-    fe25519_mul(v, v, rpd);            /* v = (c-r*d)*(r+d) */
-    wasnt_square = 1 - ristretto255_sqrt_ratio_m1(s, u, v);
-    fe25519_mul(s_prime, s, t);
-    fe25519_abs(s_prime, s_prime);
-    fe25519_neg(s_prime, s_prime);     /* s_prime = -|s*t| */
-    fe25519_cmov(s, s_prime, wasnt_square);
-    fe25519_cmov(c, r, wasnt_square);
-    fe25519_sub(n, r, one);            /* n = r-1 */
-    fe25519_mul(n, n, c);              /* n = c*(r-1) */
-    fe25519_mul(n, n, sqdmone);        /* n = c*(r-1)*(d-1)^2 */
-    fe25519_sub(n, n, v);              /* n =  c*(r-1)*(d-1)^2-v */
-    fe25519_add(w0, s, s);             /* w0 = 2s */
-    fe25519_mul(w0, w0, v);            /* w0 = 2s*v */
-    fe25519_mul(w1, n, sqrtadm1);      /* w1 = n*sqrt(ad-1) */
-    fe25519_sq(ss, s);                 /* ss = s^2 */
-    fe25519_sub(w2, one, ss);          /* w2 = 1-s^2 */
-    fe25519_add(w3, one, ss);          /* w3 = 1+s^2 */
-    fe25519_mul(p->X, w0, w3);
-    fe25519_mul(p->Y, w2, w1);
-    fe25519_mul(p->Z, w1, w3);
-    fe25519_mul(p->T, w0, w2);
-}
-void
-ristretto255_from_hash(unsigned char s[32], const unsigned char h[64])
-{
-    fe25519        r0, r1;
-    ge25519_cached p1_cached;
-    ge25519_p1p1   p_p1p1;
-    ge25519_p3     p0, p1;
-    ge25519_p3     p;
-    fe25519_frombytes(r0, h);
-    fe25519_frombytes(r1, h + 32);
-    ristretto255_elligator(&p0, r0);
-    ristretto255_elligator(&p1, r1);
-    ge25519_p3_to_cached(&p1_cached, &p1);
-    ge25519_add(&p_p1p1, &p0, &p1_cached);
-    ge25519_p1p1_to_p3(&p, &p_p1p1);
-    ristretto255_p3_tobytes(s, &p);
-}