arnaucube
/
derosuite
mirror of https://github.com/arnaucube/derosuite.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17 Commits
1 Branch
0 Tags
68 MiB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
derosuite/crypto/edwards25519.go

3176 lines
76 KiB
Raw Permalink Normal View History

Derosuite Status Update Release 2
6 years ago
  1. // Copyright 2017-2018 DERO Project. All rights reserved.
  2. // Use of this source code in any form is governed by RESEARCH license.
  3. // license can be found in the LICENSE file.
  4. // GPG: 0F39 E425 8C65 3947 702A 8234 08B2 0360 A03A 9DE8
  5. //
  6. //
  7. // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
  8. // EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
  9. // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
  10. // THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  11. // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  12. // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  13. // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  14. // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
  15. // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  17. // Copyright 2013 The Go Authors. All rights reserved.
  18. // Use of this source code is governed by a BSD-style
  19. // license that can be found in the LICENSE-BSD file.
  21. // Most of this is from the golang x/crypto package
  23. // Package edwards25519 implements operations in GF(2**255-19) and on an
  24. // Edwards curve that is isomorphic to curve25519. See
  25. // http://ed25519.cr.yp.to/.
  27. // move this file out of this package and use x/crypto
  28. package crypto
  30. // This code is a port of the public domain, "ref10" implementation of ed25519
  31. // from SUPERCOP.
  33. // FieldElement represents an element of the field GF(2^255 - 19). An element
  34. // t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
  35. // t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
  36. // context.
  37. type FieldElement [10]int32
  39. var FeMa = FieldElement{-486662, 0, 0, 0, 0, 0, 0, 0, 0, 0} /* -A */
  40. var FeMa2 = FieldElement{-12721188, -3529, 0, 0, 0, 0, 0, 0, 0, 0} /* -A^2 */
  41. var FeFffb1 = FieldElement{-31702527, -2466483, -26106795, -12203692, -12169197, -321052, 14850977, -10296299, -16929438, -407568} /* sqrt(-2 * A * (A + 2)) */
  42. var FeFffb2 = FieldElement{8166131, -6741800, -17040804, 3154616, 21461005, 1466302, -30876704, -6368709, 10503587, -13363080} /* sqrt(2 * A * (A + 2)) */
  43. var FeFffb3 = FieldElement{-13620103, 14639558, 4532995, 7679154, 16815101, -15883539, -22863840, -14813421, 13716513, -6477756} /* sqrt(-sqrt(-1) * A * (A + 2)) */
  44. var FeFffb4 = FieldElement{-21786234, -12173074, 21573800, 4524538, -4645904, 16204591, 8012863, -8444712, 3212926, 6885324} /* sqrt(sqrt(-1) * A * (A + 2)) */
  45. var FeSqrtM1 = FieldElement{-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482} /* sqrt(-1) */
  47. var zero FieldElement
  48. var one FieldElement
  50. func init() {
  51. one[0] = 1
  52. }
  54. func (f *FieldElement) Zero() {
  55. copy(f[:], zero[:])
  56. }
  58. func (f *FieldElement) One() {
  59. copy(f[:], one[:])
  60. }
  62. func FeAdd(dst, a, b *FieldElement) {
  63. dst[0] = a[0] + b[0]
  64. dst[1] = a[1] + b[1]
  65. dst[2] = a[2] + b[2]
  66. dst[3] = a[3] + b[3]
  67. dst[4] = a[4] + b[4]
  68. dst[5] = a[5] + b[5]
  69. dst[6] = a[6] + b[6]
  70. dst[7] = a[7] + b[7]
  71. dst[8] = a[8] + b[8]
  72. dst[9] = a[9] + b[9]
  73. }
  75. func FeSub(dst, a, b *FieldElement) {
  76. dst[0] = a[0] - b[0]
  77. dst[1] = a[1] - b[1]
  78. dst[2] = a[2] - b[2]
  79. dst[3] = a[3] - b[3]
  80. dst[4] = a[4] - b[4]
  81. dst[5] = a[5] - b[5]
  82. dst[6] = a[6] - b[6]
  83. dst[7] = a[7] - b[7]
  84. dst[8] = a[8] - b[8]
  85. dst[9] = a[9] - b[9]
  86. }
  88. func FeCopy(dst, src *FieldElement) {
  89. copy(dst[:], src[:])
  90. }
  92. // Replace (f,g) with (g,g) if b == 1;
  93. // replace (f,g) with (f,g) if b == 0.
  94. //
  95. // Preconditions: b in {0,1}.
  96. func FeCMove(f, g *FieldElement, b int32) {
  97. b = -b
  98. f[0] ^= b & (f[0] ^ g[0])
  99. f[1] ^= b & (f[1] ^ g[1])
  100. f[2] ^= b & (f[2] ^ g[2])
  101. f[3] ^= b & (f[3] ^ g[3])
  102. f[4] ^= b & (f[4] ^ g[4])
  103. f[5] ^= b & (f[5] ^ g[5])
  104. f[6] ^= b & (f[6] ^ g[6])
  105. f[7] ^= b & (f[7] ^ g[7])
  106. f[8] ^= b & (f[8] ^ g[8])
  107. f[9] ^= b & (f[9] ^ g[9])
  108. }
  110. func load3(in []byte) (result int64) {
  111. result = int64(in[0]) | (int64(in[1]) << 8) | (int64(in[2]) << 16)
  112. return
  113. }
  115. func load4(in []byte) (result int64) {
  116. result = int64(in[0]) | (int64(in[1]) << 8) | (int64(in[2]) << 16) | (int64(in[3]) << 24)
  117. return
  118. }
  120. func FeFromBytes(dst *FieldElement, src *Key) {
  121. h0 := load4(src[:])
  122. h1 := load3(src[4:]) << 6
  123. h2 := load3(src[7:]) << 5
  124. h3 := load3(src[10:]) << 3
  125. h4 := load3(src[13:]) << 2
  126. h5 := load4(src[16:])
  127. h6 := load3(src[20:]) << 7
  128. h7 := load3(src[23:]) << 5
  129. h8 := load3(src[26:]) << 4
  130. h9 := (load3(src[29:]) & 8388607) << 2
  132. FeCombine(dst, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  133. }
  135. // FeToBytes marshals h to s.
  136. // Preconditions:
  137. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  138. //
  139. // Write p=2^255-19; q=floor(h/p).
  140. // Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
  141. //
  142. // Proof:
  143. // Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
  144. // Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
  145. //
  146. // Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
  147. // Then 0<y<1.
  148. //
  149. // Write r=h-pq.
  150. // Have 0<=r<=p-1=2^255-20.
  151. // Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
  152. //
  153. // Write x=r+19(2^-255)r+y.
  154. // Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
  155. //
  156. // Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
  157. // so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
  158. func FeToBytes(s *Key, h *FieldElement) {
  159. var carry [10]int32
  161. q := (19*h[9] + (1 << 24)) >> 25
  162. q = (h[0] + q) >> 26
  163. q = (h[1] + q) >> 25
  164. q = (h[2] + q) >> 26
  165. q = (h[3] + q) >> 25
  166. q = (h[4] + q) >> 26
  167. q = (h[5] + q) >> 25
  168. q = (h[6] + q) >> 26
  169. q = (h[7] + q) >> 25
  170. q = (h[8] + q) >> 26
  171. q = (h[9] + q) >> 25
  173. // Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
  174. h[0] += 19 * q
  175. // Goal: Output h-2^255 q, which is between 0 and 2^255-20.
  177. carry[0] = h[0] >> 26
  178. h[1] += carry[0]
  179. h[0] -= carry[0] << 26
  180. carry[1] = h[1] >> 25
  181. h[2] += carry[1]
  182. h[1] -= carry[1] << 25
  183. carry[2] = h[2] >> 26
  184. h[3] += carry[2]
  185. h[2] -= carry[2] << 26
  186. carry[3] = h[3] >> 25
  187. h[4] += carry[3]
  188. h[3] -= carry[3] << 25
  189. carry[4] = h[4] >> 26
  190. h[5] += carry[4]
  191. h[4] -= carry[4] << 26
  192. carry[5] = h[5] >> 25
  193. h[6] += carry[5]
  194. h[5] -= carry[5] << 25
  195. carry[6] = h[6] >> 26
  196. h[7] += carry[6]
  197. h[6] -= carry[6] << 26
  198. carry[7] = h[7] >> 25
  199. h[8] += carry[7]
  200. h[7] -= carry[7] << 25
  201. carry[8] = h[8] >> 26
  202. h[9] += carry[8]
  203. h[8] -= carry[8] << 26
  204. carry[9] = h[9] >> 25
  205. h[9] -= carry[9] << 25
  206. // h10 = carry9
  208. // Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
  209. // Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
  210. // evidently 2^255 h10-2^255 q = 0.
  211. // Goal: Output h[0]+...+2^230 h[9].
  213. s[0] = byte(h[0] >> 0)
  214. s[1] = byte(h[0] >> 8)
  215. s[2] = byte(h[0] >> 16)
  216. s[3] = byte((h[0] >> 24) | (h[1] << 2))
  217. s[4] = byte(h[1] >> 6)
  218. s[5] = byte(h[1] >> 14)
  219. s[6] = byte((h[1] >> 22) | (h[2] << 3))
  220. s[7] = byte(h[2] >> 5)
  221. s[8] = byte(h[2] >> 13)
  222. s[9] = byte((h[2] >> 21) | (h[3] << 5))
  223. s[10] = byte(h[3] >> 3)
  224. s[11] = byte(h[3] >> 11)
  225. s[12] = byte((h[3] >> 19) | (h[4] << 6))
  226. s[13] = byte(h[4] >> 2)
  227. s[14] = byte(h[4] >> 10)
  228. s[15] = byte(h[4] >> 18)
  229. s[16] = byte(h[5] >> 0)
  230. s[17] = byte(h[5] >> 8)
  231. s[18] = byte(h[5] >> 16)
  232. s[19] = byte((h[5] >> 24) | (h[6] << 1))
  233. s[20] = byte(h[6] >> 7)
  234. s[21] = byte(h[6] >> 15)
  235. s[22] = byte((h[6] >> 23) | (h[7] << 3))
  236. s[23] = byte(h[7] >> 5)
  237. s[24] = byte(h[7] >> 13)
  238. s[25] = byte((h[7] >> 21) | (h[8] << 4))
  239. s[26] = byte(h[8] >> 4)
  240. s[27] = byte(h[8] >> 12)
  241. s[28] = byte((h[8] >> 20) | (h[9] << 6))
  242. s[29] = byte(h[9] >> 2)
  243. s[30] = byte(h[9] >> 10)
  244. s[31] = byte(h[9] >> 18)
  245. }
  247. func (f *FieldElement) IsNegative() byte {
  248. var s Key
  249. FeToBytes(&s, f)
  250. return s[0] & 1
  251. }
  253. func (f *FieldElement) IsNonZero() int32 {
  254. var s Key
  255. FeToBytes(&s, f)
  256. var x uint8
  257. for _, b := range s {
  258. x |= b
  259. }
  260. x |= x >> 4
  261. x |= x >> 2
  262. x |= x >> 1
  263. return int32(x & 1)
  264. }
  266. // FeNeg sets h = -f
  267. //
  268. // Preconditions:
  269. // |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  270. //
  271. // Postconditions:
  272. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  273. func FeNeg(h, f *FieldElement) {
  274. h[0] = -f[0]
  275. h[1] = -f[1]
  276. h[2] = -f[2]
  277. h[3] = -f[3]
  278. h[4] = -f[4]
  279. h[5] = -f[5]
  280. h[6] = -f[6]
  281. h[7] = -f[7]
  282. h[8] = -f[8]
  283. h[9] = -f[9]
  284. }
  286. func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) {
  287. var c0, c1, c2, c3, c4, c5, c6, c7, c8, c9 int64
  289. /*
  290. |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
  291. i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
  292. |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
  293. i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
  294. */
  296. c0 = (h0 + (1 << 25)) >> 26
  297. h1 += c0
  298. h0 -= c0 << 26
  299. c4 = (h4 + (1 << 25)) >> 26
  300. h5 += c4
  301. h4 -= c4 << 26
  302. /* |h0| <= 2^25 */
  303. /* |h4| <= 2^25 */
  304. /* |h1| <= 1.51*2^58 */
  305. /* |h5| <= 1.51*2^58 */
  307. c1 = (h1 + (1 << 24)) >> 25
  308. h2 += c1
  309. h1 -= c1 << 25
  310. c5 = (h5 + (1 << 24)) >> 25
  311. h6 += c5
  312. h5 -= c5 << 25
  313. /* |h1| <= 2^24; from now on fits into int32 */
  314. /* |h5| <= 2^24; from now on fits into int32 */
  315. /* |h2| <= 1.21*2^59 */
  316. /* |h6| <= 1.21*2^59 */
  318. c2 = (h2 + (1 << 25)) >> 26
  319. h3 += c2
  320. h2 -= c2 << 26
  321. c6 = (h6 + (1 << 25)) >> 26
  322. h7 += c6
  323. h6 -= c6 << 26
  324. /* |h2| <= 2^25; from now on fits into int32 unchanged */
  325. /* |h6| <= 2^25; from now on fits into int32 unchanged */
  326. /* |h3| <= 1.51*2^58 */
  327. /* |h7| <= 1.51*2^58 */
  329. c3 = (h3 + (1 << 24)) >> 25
  330. h4 += c3
  331. h3 -= c3 << 25
  332. c7 = (h7 + (1 << 24)) >> 25
  333. h8 += c7
  334. h7 -= c7 << 25
  335. /* |h3| <= 2^24; from now on fits into int32 unchanged */
  336. /* |h7| <= 2^24; from now on fits into int32 unchanged */
  337. /* |h4| <= 1.52*2^33 */
  338. /* |h8| <= 1.52*2^33 */
  340. c4 = (h4 + (1 << 25)) >> 26
  341. h5 += c4
  342. h4 -= c4 << 26
  343. c8 = (h8 + (1 << 25)) >> 26
  344. h9 += c8
  345. h8 -= c8 << 26
  346. /* |h4| <= 2^25; from now on fits into int32 unchanged */
  347. /* |h8| <= 2^25; from now on fits into int32 unchanged */
  348. /* |h5| <= 1.01*2^24 */
  349. /* |h9| <= 1.51*2^58 */
  351. c9 = (h9 + (1 << 24)) >> 25
  352. h0 += c9 * 19
  353. h9 -= c9 << 25
  354. /* |h9| <= 2^24; from now on fits into int32 unchanged */
  355. /* |h0| <= 1.8*2^37 */
  357. c0 = (h0 + (1 << 25)) >> 26
  358. h1 += c0
  359. h0 -= c0 << 26
  360. /* |h0| <= 2^25; from now on fits into int32 unchanged */
  361. /* |h1| <= 1.01*2^24 */
  363. h[0] = int32(h0)
  364. h[1] = int32(h1)
  365. h[2] = int32(h2)
  366. h[3] = int32(h3)
  367. h[4] = int32(h4)
  368. h[5] = int32(h5)
  369. h[6] = int32(h6)
  370. h[7] = int32(h7)
  371. h[8] = int32(h8)
  372. h[9] = int32(h9)
  373. }
  375. // FeMul calculates h = f * g
  376. // Can overlap h with f or g.
  377. //
  378. // Preconditions:
  379. // |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  380. // |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  381. //
  382. // Postconditions:
  383. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  384. //
  385. // Notes on implementation strategy:
  386. //
  387. // Using schoolbook multiplication.
  388. // Karatsuba would save a little in some cost models.
  389. //
  390. // Most multiplications by 2 and 19 are 32-bit precomputations;
  391. // cheaper than 64-bit postcomputations.
  392. //
  393. // There is one remaining multiplication by 19 in the carry chain;
  394. // one *19 precomputation can be merged into this,
  395. // but the resulting data flow is considerably less clean.
  396. //
  397. // There are 12 carries below.
  398. // 10 of them are 2-way parallelizable and vectorizable.
  399. // Can get away with 11 carries, but then data flow is much deeper.
  400. //
  401. // With tighter constraints on inputs can squeeze carries into int32.
  402. func FeMul(h, f, g *FieldElement) {
  403. f0 := int64(f[0])
  404. f1 := int64(f[1])
  405. f2 := int64(f[2])
  406. f3 := int64(f[3])
  407. f4 := int64(f[4])
  408. f5 := int64(f[5])
  409. f6 := int64(f[6])
  410. f7 := int64(f[7])
  411. f8 := int64(f[8])
  412. f9 := int64(f[9])
  414. f1_2 := int64(2 * f[1])
  415. f3_2 := int64(2 * f[3])
  416. f5_2 := int64(2 * f[5])
  417. f7_2 := int64(2 * f[7])
  418. f9_2 := int64(2 * f[9])
  420. g0 := int64(g[0])
  421. g1 := int64(g[1])
  422. g2 := int64(g[2])
  423. g3 := int64(g[3])
  424. g4 := int64(g[4])
  425. g5 := int64(g[5])
  426. g6 := int64(g[6])
  427. g7 := int64(g[7])
  428. g8 := int64(g[8])
  429. g9 := int64(g[9])
  431. g1_19 := int64(19 * g[1]) /* 1.4*2^29 */
  432. g2_19 := int64(19 * g[2]) /* 1.4*2^30; still ok */
  433. g3_19 := int64(19 * g[3])
  434. g4_19 := int64(19 * g[4])
  435. g5_19 := int64(19 * g[5])
  436. g6_19 := int64(19 * g[6])
  437. g7_19 := int64(19 * g[7])
  438. g8_19 := int64(19 * g[8])
  439. g9_19 := int64(19 * g[9])
  441. h0 := f0*g0 + f1_2*g9_19 + f2*g8_19 + f3_2*g7_19 + f4*g6_19 + f5_2*g5_19 + f6*g4_19 + f7_2*g3_19 + f8*g2_19 + f9_2*g1_19
  442. h1 := f0*g1 + f1*g0 + f2*g9_19 + f3*g8_19 + f4*g7_19 + f5*g6_19 + f6*g5_19 + f7*g4_19 + f8*g3_19 + f9*g2_19
  443. h2 := f0*g2 + f1_2*g1 + f2*g0 + f3_2*g9_19 + f4*g8_19 + f5_2*g7_19 + f6*g6_19 + f7_2*g5_19 + f8*g4_19 + f9_2*g3_19
  444. h3 := f0*g3 + f1*g2 + f2*g1 + f3*g0 + f4*g9_19 + f5*g8_19 + f6*g7_19 + f7*g6_19 + f8*g5_19 + f9*g4_19
  445. h4 := f0*g4 + f1_2*g3 + f2*g2 + f3_2*g1 + f4*g0 + f5_2*g9_19 + f6*g8_19 + f7_2*g7_19 + f8*g6_19 + f9_2*g5_19
  446. h5 := f0*g5 + f1*g4 + f2*g3 + f3*g2 + f4*g1 + f5*g0 + f6*g9_19 + f7*g8_19 + f8*g7_19 + f9*g6_19
  447. h6 := f0*g6 + f1_2*g5 + f2*g4 + f3_2*g3 + f4*g2 + f5_2*g1 + f6*g0 + f7_2*g9_19 + f8*g8_19 + f9_2*g7_19
  448. h7 := f0*g7 + f1*g6 + f2*g5 + f3*g4 + f4*g3 + f5*g2 + f6*g1 + f7*g0 + f8*g9_19 + f9*g8_19
  449. h8 := f0*g8 + f1_2*g7 + f2*g6 + f3_2*g5 + f4*g4 + f5_2*g3 + f6*g2 + f7_2*g1 + f8*g0 + f9_2*g9_19
  450. h9 := f0*g9 + f1*g8 + f2*g7 + f3*g6 + f4*g5 + f5*g4 + f6*g3 + f7*g2 + f8*g1 + f9*g0
  452. FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  453. }
  455. func feSquare(f *FieldElement) (h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) {
  456. f0 := int64(f[0])
  457. f1 := int64(f[1])
  458. f2 := int64(f[2])
  459. f3 := int64(f[3])
  460. f4 := int64(f[4])
  461. f5 := int64(f[5])
  462. f6 := int64(f[6])
  463. f7 := int64(f[7])
  464. f8 := int64(f[8])
  465. f9 := int64(f[9])
  466. f0_2 := int64(2 * f[0])
  467. f1_2 := int64(2 * f[1])
  468. f2_2 := int64(2 * f[2])
  469. f3_2 := int64(2 * f[3])
  470. f4_2 := int64(2 * f[4])
  471. f5_2 := int64(2 * f[5])
  472. f6_2 := int64(2 * f[6])
  473. f7_2 := int64(2 * f[7])
  474. f5_38 := 38 * f5 // 1.31*2^30
  475. f6_19 := 19 * f6 // 1.31*2^30
  476. f7_38 := 38 * f7 // 1.31*2^30
  477. f8_19 := 19 * f8 // 1.31*2^30
  478. f9_38 := 38 * f9 // 1.31*2^30
  480. h0 = f0*f0 + f1_2*f9_38 + f2_2*f8_19 + f3_2*f7_38 + f4_2*f6_19 + f5*f5_38
  481. h1 = f0_2*f1 + f2*f9_38 + f3_2*f8_19 + f4*f7_38 + f5_2*f6_19
  482. h2 = f0_2*f2 + f1_2*f1 + f3_2*f9_38 + f4_2*f8_19 + f5_2*f7_38 + f6*f6_19
  483. h3 = f0_2*f3 + f1_2*f2 + f4*f9_38 + f5_2*f8_19 + f6*f7_38
  484. h4 = f0_2*f4 + f1_2*f3_2 + f2*f2 + f5_2*f9_38 + f6_2*f8_19 + f7*f7_38
  485. h5 = f0_2*f5 + f1_2*f4 + f2_2*f3 + f6*f9_38 + f7_2*f8_19
  486. h6 = f0_2*f6 + f1_2*f5_2 + f2_2*f4 + f3_2*f3 + f7_2*f9_38 + f8*f8_19
  487. h7 = f0_2*f7 + f1_2*f6 + f2_2*f5 + f3_2*f4 + f8*f9_38
  488. h8 = f0_2*f8 + f1_2*f7_2 + f2_2*f6 + f3_2*f5_2 + f4*f4 + f9*f9_38
  489. h9 = f0_2*f9 + f1_2*f8 + f2_2*f7 + f3_2*f6 + f4_2*f5
  491. return
  492. }
  494. // FeSquare calculates h = f*f. Can overlap h with f.
  495. //
  496. // Preconditions:
  497. // |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  498. //
  499. // Postconditions:
  500. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  501. func FeSquare(h, f *FieldElement) {
  502. h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f)
  503. FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  504. }
  506. // FeSquare2 sets h = 2 * f * f
  507. //
  508. // Can overlap h with f.
  509. //
  510. // Preconditions:
  511. // |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
  512. //
  513. // Postconditions:
  514. // |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
  515. // See fe_mul.c for discussion of implementation strategy.
  516. func FeSquare2(h, f *FieldElement) {
  517. h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f)
  519. h0 += h0
  520. h1 += h1
  521. h2 += h2
  522. h3 += h3
  523. h4 += h4
  524. h5 += h5
  525. h6 += h6
  526. h7 += h7
  527. h8 += h8
  528. h9 += h9
  530. FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  531. }
  533. func FeInvert(out, z *FieldElement) {
  534. var t0, t1, t2, t3 FieldElement
  535. var i int
  537. FeSquare(&t0, z) // 2^1
  538. FeSquare(&t1, &t0) // 2^2
  539. for i = 1; i < 2; i++ { // 2^3
  540. FeSquare(&t1, &t1)
  541. }
  542. FeMul(&t1, z, &t1) // 2^3 + 2^0
  543. FeMul(&t0, &t0, &t1) // 2^3 + 2^1 + 2^0
  544. FeSquare(&t2, &t0) // 2^4 + 2^2 + 2^1
  545. FeMul(&t1, &t1, &t2) // 2^4 + 2^3 + 2^2 + 2^1 + 2^0
  546. FeSquare(&t2, &t1) // 5,4,3,2,1
  547. for i = 1; i < 5; i++ { // 9,8,7,6,5
  548. FeSquare(&t2, &t2)
  549. }
  550. FeMul(&t1, &t2, &t1) // 9,8,7,6,5,4,3,2,1,0
  551. FeSquare(&t2, &t1) // 10..1
  552. for i = 1; i < 10; i++ { // 19..10
  553. FeSquare(&t2, &t2)
  554. }
  555. FeMul(&t2, &t2, &t1) // 19..0
  556. FeSquare(&t3, &t2) // 20..1
  557. for i = 1; i < 20; i++ { // 39..20
  558. FeSquare(&t3, &t3)
  559. }
  560. FeMul(&t2, &t3, &t2) // 39..0
  561. FeSquare(&t2, &t2) // 40..1
  562. for i = 1; i < 10; i++ { // 49..10
  563. FeSquare(&t2, &t2)
  564. }
  565. FeMul(&t1, &t2, &t1) // 49..0
  566. FeSquare(&t2, &t1) // 50..1
  567. for i = 1; i < 50; i++ { // 99..50
  568. FeSquare(&t2, &t2)
  569. }
  570. FeMul(&t2, &t2, &t1) // 99..0
  571. FeSquare(&t3, &t2) // 100..1
  572. for i = 1; i < 100; i++ { // 199..100
  573. FeSquare(&t3, &t3)
  574. }
  575. FeMul(&t2, &t3, &t2) // 199..0
  576. FeSquare(&t2, &t2) // 200..1
  577. for i = 1; i < 50; i++ { // 249..50
  578. FeSquare(&t2, &t2)
  579. }
  580. FeMul(&t1, &t2, &t1) // 249..0
  581. FeSquare(&t1, &t1) // 250..1
  582. for i = 1; i < 5; i++ { // 254..5
  583. FeSquare(&t1, &t1)
  584. }
  585. FeMul(out, &t1, &t0) // 254..5,3,1,0
  586. }
  588. func fePow22523(out, z *FieldElement) {
  589. var t0, t1, t2 FieldElement
  590. var i int
  592. FeSquare(&t0, z)
  593. for i = 1; i < 1; i++ {
  594. FeSquare(&t0, &t0)
  595. }
  596. FeSquare(&t1, &t0)
  597. for i = 1; i < 2; i++ {
  598. FeSquare(&t1, &t1)
  599. }
  600. FeMul(&t1, z, &t1)
  601. FeMul(&t0, &t0, &t1)
  602. FeSquare(&t0, &t0)
  603. for i = 1; i < 1; i++ {
  604. FeSquare(&t0, &t0)
  605. }
  606. FeMul(&t0, &t1, &t0)
  607. FeSquare(&t1, &t0)
  608. for i = 1; i < 5; i++ {
  609. FeSquare(&t1, &t1)
  610. }
  611. FeMul(&t0, &t1, &t0)
  612. FeSquare(&t1, &t0)
  613. for i = 1; i < 10; i++ {
  614. FeSquare(&t1, &t1)
  615. }
  616. FeMul(&t1, &t1, &t0)
  617. FeSquare(&t2, &t1)
  618. for i = 1; i < 20; i++ {
  619. FeSquare(&t2, &t2)
  620. }
  621. FeMul(&t1, &t2, &t1)
  622. FeSquare(&t1, &t1)
  623. for i = 1; i < 10; i++ {
  624. FeSquare(&t1, &t1)
  625. }
  626. FeMul(&t0, &t1, &t0)
  627. FeSquare(&t1, &t0)
  628. for i = 1; i < 50; i++ {
  629. FeSquare(&t1, &t1)
  630. }
  631. FeMul(&t1, &t1, &t0)
  632. FeSquare(&t2, &t1)
  633. for i = 1; i < 100; i++ {
  634. FeSquare(&t2, &t2)
  635. }
  636. FeMul(&t1, &t2, &t1)
  637. FeSquare(&t1, &t1)
  638. for i = 1; i < 50; i++ {
  639. FeSquare(&t1, &t1)
  640. }
  641. FeMul(&t0, &t1, &t0)
  642. FeSquare(&t0, &t0)
  643. for i = 1; i < 2; i++ {
  644. FeSquare(&t0, &t0)
  645. }
  646. FeMul(out, &t0, z)
  647. }
  649. func FeDivPowM1(out, u, v *FieldElement) {
  650. var v3, uv7, t0 FieldElement
  652. FeSquare(&v3, v)
  653. FeMul(&v3, &v3, v) /* v3 = v^3 */
  654. FeSquare(&uv7, &v3)
  655. FeMul(&uv7, &uv7, v)
  656. FeMul(&uv7, &uv7, u) /* uv7 = uv^7 */
  658. fePow22523(&t0, &uv7)
  659. /* t0 = (uv^7)^((q-5)/8) */
  660. FeMul(&t0, &t0, &v3)
  661. FeMul(out, &t0, u) /* u^(m+1)v^(-(m+1)) */
  662. }
  664. // Group elements are members of the elliptic curve -x^2 + y^2 = 1 + d * x^2 *
  665. // y^2 where d = -121665/121666.
  666. //
  667. // Several representations are used:
  668. // ProjectiveGroupElement: (X:Y:Z) satisfying x=X/Z, y=Y/Z
  669. // ExtendedGroupElement: (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
  670. // CompletedGroupElement: ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
  671. // PreComputedGroupElement: (y+x,y-x,2dxy)
  673. type ProjectiveGroupElement struct {
  674. X, Y, Z FieldElement
  675. }
  677. type ExtendedGroupElement struct {
  678. X, Y, Z, T FieldElement
  679. }
  681. type CompletedGroupElement struct {
  682. X, Y, Z, T FieldElement
  683. }
  685. type PreComputedGroupElement struct {
  686. yPlusX, yMinusX, xy2d FieldElement
  687. }
  689. type CachedGroupElement struct {
  690. yPlusX, yMinusX, Z, T2d FieldElement
  691. }
  693. func (p *ProjectiveGroupElement) Zero() {
  694. p.X.Zero()
  695. p.Y.One()
  696. p.Z.One()
  697. }
  699. func (p *ProjectiveGroupElement) Double(r *CompletedGroupElement) {
  700. var t0 FieldElement
  702. FeSquare(&r.X, &p.X)
  703. FeSquare(&r.Z, &p.Y)
  704. FeSquare2(&r.T, &p.Z)
  705. FeAdd(&r.Y, &p.X, &p.Y)
  706. FeSquare(&t0, &r.Y)
  707. FeAdd(&r.Y, &r.Z, &r.X)
  708. FeSub(&r.Z, &r.Z, &r.X)
  709. FeSub(&r.X, &t0, &r.Y)
  710. FeSub(&r.T, &r.T, &r.Z)
  711. }
  713. func (p *ProjectiveGroupElement) ToBytes(s *Key) {
  714. var recip, x, y FieldElement
  716. FeInvert(&recip, &p.Z)
  717. FeMul(&x, &p.X, &recip)
  718. FeMul(&y, &p.Y, &recip)
  719. FeToBytes(s, &y)
  720. s[31] ^= x.IsNegative() << 7
  721. }
  723. // this is equivalent to ge_fromfe_frombytes_vartime
  724. func (p *ProjectiveGroupElement) FromBytes(s *Key) {
  725. h0 := load4(s[:])
  726. h1 := load3(s[4:]) << 6
  727. h2 := load3(s[7:]) << 5
  728. h3 := load3(s[10:]) << 3
  729. h4 := load3(s[13:]) << 2
  730. h5 := load4(s[16:])
  731. h6 := load3(s[20:]) << 7
  732. h7 := load3(s[23:]) << 5
  733. h8 := load3(s[26:]) << 4
  734. h9 := load3(s[29:]) << 2
  735. var carry [10]int64
  736. carry[9] = (h9 + int64(1<<24)) >> 25
  737. h0 += carry[9] * 19
  738. h9 -= carry[9] << 25
  739. carry[1] = (h1 + int64(1<<24)) >> 25
  740. h2 += carry[1]
  741. h1 -= carry[1] << 25
  742. carry[3] = (h3 + int64(1<<24)) >> 25
  743. h4 += carry[3]
  744. h3 -= carry[3] << 25
  745. carry[5] = (h5 + int64(1<<24)) >> 25
  746. h6 += carry[5]
  747. h5 -= carry[5] << 25
  748. carry[7] = (h7 + int64(1<<24)) >> 25
  749. h8 += carry[7]
  750. h7 -= carry[7] << 25
  752. carry[0] = (h0 + int64(1<<25)) >> 26
  753. h1 += carry[0]
  754. h0 -= carry[0] << 26
  755. carry[2] = (h2 + int64(1<<25)) >> 26
  756. h3 += carry[2]
  757. h2 -= carry[2] << 26
  758. carry[4] = (h4 + int64(1<<25)) >> 26
  759. h5 += carry[4]
  760. h4 -= carry[4] << 26
  761. carry[6] = (h6 + int64(1<<25)) >> 26
  762. h7 += carry[6]
  763. h6 -= carry[6] << 26
  764. carry[8] = (h8 + int64(1<<25)) >> 26
  765. h9 += carry[8]
  766. h8 -= carry[8] << 26
  768. var u, v, w, x, y, z FieldElement
  769. u[0] = int32(h0)
  770. u[1] = int32(h1)
  771. u[2] = int32(h2)
  772. u[3] = int32(h3)
  773. u[4] = int32(h4)
  774. u[5] = int32(h5)
  775. u[6] = int32(h6)
  776. u[7] = int32(h7)
  777. u[8] = int32(h8)
  778. u[9] = int32(h9)
  779. FeSquare2(&v, &u) /* 2 * u^2 */
  780. w.One()
  781. FeAdd(&w, &v, &w) /* w = 2 * u^2 + 1 */
  782. FeSquare(&x, &w) /* w^2 */
  783. FeMul(&y, &FeMa2, &v) /* -2 * A^2 * u^2 */
  784. FeAdd(&x, &x, &y) /* x = w^2 - 2 * A^2 * u^2 */
  785. FeDivPowM1(&p.X, &w, &x) /* (w / x)^(m + 1) */
  786. FeSquare(&y, &p.X)
  787. FeMul(&x, &y, &x)
  788. FeSub(&y, &w, &x)
  789. FeCopy(&z, &FeMa)
  790. isNegative := false
  791. var sign byte
  792. if y.IsNonZero() != 0 {
  793. FeAdd(&y, &w, &x)
  794. if y.IsNonZero() != 0 {
  795. isNegative = true
  796. } else {
  797. FeMul(&p.X, &p.X, &FeFffb1)
  798. }
  799. } else {
  800. FeMul(&p.X, &p.X, &FeFffb2)
  801. }
  802. if isNegative {
  803. FeMul(&x, &x, &FeSqrtM1)
  804. FeSub(&y, &w, &x)
  805. if y.IsNonZero() != 0 {
  806. FeAdd(&y, &w, &x)
  807. FeMul(&p.X, &p.X, &FeFffb3)
  808. } else {
  809. FeMul(&p.X, &p.X, &FeFffb4)
  810. }
  811. /* p.X = sqrt(A * (A + 2) * w / x) */
  812. /* z = -A */
  813. sign = 1
  814. } else {
  815. FeMul(&p.X, &p.X, &u) /* u * sqrt(2 * A * (A + 2) * w / x) */
  816. FeMul(&z, &z, &v) /* -2 * A * u^2 */
  817. sign = 0
  818. }
  819. if p.X.IsNegative() != sign {
  820. FeNeg(&p.X, &p.X)
  821. }
  822. FeAdd(&p.Z, &z, &w)
  823. FeSub(&p.Y, &z, &w)
  824. FeMul(&p.X, &p.X, &p.Z)
  825. }
  827. func (p *ExtendedGroupElement) Zero() {
  828. p.X.Zero()
  829. p.Y.One()
  830. p.Z.One()
  831. p.T.Zero()
  832. }
  834. func (p *ExtendedGroupElement) Double(r *CompletedGroupElement) {
  835. var q ProjectiveGroupElement
  836. p.ToProjective(&q)
  837. q.Double(r)
  838. }
  840. func (p *ExtendedGroupElement) ToCached(r *CachedGroupElement) {
  841. FeAdd(&r.yPlusX, &p.Y, &p.X)
  842. FeSub(&r.yMinusX, &p.Y, &p.X)
  843. FeCopy(&r.Z, &p.Z)
  844. FeMul(&r.T2d, &p.T, &d2)
  845. }
  847. func (p *ExtendedGroupElement) ToProjective(r *ProjectiveGroupElement) {
  848. FeCopy(&r.X, &p.X)
  849. FeCopy(&r.Y, &p.Y)
  850. FeCopy(&r.Z, &p.Z)
  851. }
  853. func (p *ExtendedGroupElement) ToBytes(s *Key) {
  854. var recip, x, y FieldElement
  856. FeInvert(&recip, &p.Z)
  857. FeMul(&x, &p.X, &recip)
  858. FeMul(&y, &p.Y, &recip)
  859. FeToBytes(s, &y)
  860. s[31] ^= x.IsNegative() << 7
  861. }
  863. // used to verify whether a KEY is a point on the curve
  864. // equivalent to ge_frombytes_vartime
  865. // the original one skipped a few checks, we do them now
  866. // the original one failed a few checks so it was rewritten
  867. func (p *ExtendedGroupElement) FromBytes(s *Key) bool {
  868. /* Original implementation without checks
  869. var u, v, v3, vxx, check FieldElement
  871. FeFromBytes(&p.Y, s)
  872. p.Z.One()
  873. FeSquare(&u, &p.Y)
  874. FeMul(&v, &u, &d)
  875. FeSub(&u, &u, &p.Z) // y = y^2-1
  876. FeAdd(&v, &v, &p.Z) // v = dy^2+1
  878. FeSquare(&v3, &v)
  879. FeMul(&v3, &v3, &v) // v3 = v^3
  880. FeSquare(&p.X, &v3)
  881. FeMul(&p.X, &p.X, &v)
  882. FeMul(&p.X, &p.X, &u) // x = uv^7
  884. fePow22523(&p.X, &p.X) // x = (uv^7)^((q-5)/8)
  885. FeMul(&p.X, &p.X, &v3)
  886. FeMul(&p.X, &p.X, &u) // x = uv^3(uv^7)^((q-5)/8)
  888. var tmpX, tmp2 Key
  890. FeSquare(&vxx, &p.X)
  891. FeMul(&vxx, &vxx, &v)
  892. FeSub(&check, &vxx, &u) // vx^2-u
  893. if check.IsNonZero() == 1 {
  894. FeAdd(&check, &vxx, &u) // vx^2+u
  895. if check.IsNonZero() == 1 {
  896. return false
  897. }
  898. FeMul(&p.X, &p.X, &SqrtM1)
  900. FeToBytes(&tmpX, &p.X)
  901. for i, v := range tmpX {
  902. tmp2[31-i] = v
  903. }
  904. }
  906. if p.X.IsNegative() != (s[31] >> 7) {
  907. FeNeg(&p.X, &p.X)
  908. }
  910. FeMul(&p.T, &p.X, &p.Y)
  911. return true
  913. */
  915. var u, v, vxx, check FieldElement
  917. // expanded FeFromBytes (with canonical check)
  918. h0 := load4(s[:])
  919. h1 := load3(s[4:]) << 6
  920. h2 := load3(s[7:]) << 5
  921. h3 := load3(s[10:]) << 3
  922. h4 := load3(s[13:]) << 2
  923. h5 := load4(s[16:])
  924. h6 := load3(s[20:]) << 7
  925. h7 := load3(s[23:]) << 5
  926. h8 := load3(s[26:]) << 4
  927. h9 := (load3(s[29:]) & 8388607) << 2
  929. // Validate the number to be canonical
  930. if h9 == 33554428 && h8 == 268435440 && h7 == 536870880 && h6 == 2147483520 &&
  931. h5 == 4294967295 && h4 == 67108860 && h3 == 134217720 && h2 == 536870880 &&
  932. h1 == 1073741760 && h0 >= 4294967277 {
  933. return false
  934. }
  936. var carry [10]int64
  937. carry[9] = (h9 + 1<<24) >> 25
  938. h0 += carry[9] * 19
  939. h9 -= carry[9] << 25
  940. carry[1] = (h1 + 1<<24) >> 25
  941. h2 += carry[1]
  942. h1 -= carry[1] << 25
  943. carry[3] = (h3 + 1<<24) >> 25
  944. h4 += carry[3]
  945. h3 -= carry[3] << 25
  946. carry[5] = (h5 + 1<<24) >> 25
  947. h6 += carry[5]
  948. h5 -= carry[5] << 25
  949. carry[7] = (h7 + 1<<24) >> 25
  950. h8 += carry[7]
  951. h7 -= carry[7] << 25
  953. carry[0] = (h0 + 1<<25) >> 26
  954. h1 += carry[0]
  955. h0 -= carry[0] << 26
  956. carry[2] = (h2 + 1<<25) >> 26
  957. h3 += carry[2]
  958. h2 -= carry[2] << 26
  959. carry[4] = (h4 + 1<<25) >> 26
  960. h5 += carry[4]
  961. h4 -= carry[4] << 26
  962. carry[6] = (h6 + 1<<25) >> 26
  963. h7 += carry[6]
  964. h6 -= carry[6] << 26
  965. carry[8] = (h8 + 1<<25) >> 26
  966. h9 += carry[8]
  967. h8 -= carry[8] << 26
  969. p.Y[0] = int32(h0)
  970. p.Y[1] = int32(h1)
  971. p.Y[2] = int32(h2)
  972. p.Y[3] = int32(h3)
  973. p.Y[4] = int32(h4)
  974. p.Y[5] = int32(h5)
  975. p.Y[6] = int32(h6)
  976. p.Y[7] = int32(h7)
  977. p.Y[8] = int32(h8)
  978. p.Y[9] = int32(h9)
  979. // Finished: FeFromBytes
  981. p.Z.One() // = FeOne(&p.Z)
  982. FeSquare(&u, &p.Y)
  983. FeMul(&v, &u, &edD)
  984. FeSub(&u, &u, &p.Z) // y = y^2-1
  985. FeAdd(&v, &v, &p.Z) // v = dy^2+1
  987. FeDivPowM1(&p.X, &u, &v) // x = uv^3(uv^7)^((q-5)/8)
  989. FeSquare(&vxx, &p.X)
  990. FeMul(&vxx, &vxx, &v)
  991. FeSub(&check, &vxx, &u) // vx^2-u
  992. if check.IsNonZero() == 1 {
  993. FeAdd(&check, &vxx, &u) // vx^2+u
  994. if check.IsNonZero() == 1 {
  995. return false
  996. }
  997. FeMul(&p.X, &p.X, &edSqrtM1)
  998. }
  1000. if p.X.IsNegative() != (s[31] >> 7) {
  1001. // If x = 0, the sign must be positive
  1002. if p.X.IsNonZero() == 0 {
  1003. return false
  1004. }
  1005. FeNeg(&p.X, &p.X)
  1006. }
  1008. FeMul(&p.T, &p.X, &p.Y)
  1009. return true
  1010. }
  1012. func (p *CompletedGroupElement) ToProjective(r *ProjectiveGroupElement) {
  1013. FeMul(&r.X, &p.X, &p.T)
  1014. FeMul(&r.Y, &p.Y, &p.Z)
  1015. FeMul(&r.Z, &p.Z, &p.T)
  1016. }
  1018. func (p *CompletedGroupElement) ToExtended(r *ExtendedGroupElement) {
  1019. FeMul(&r.X, &p.X, &p.T)
  1020. FeMul(&r.Y, &p.Y, &p.Z)
  1021. FeMul(&r.Z, &p.Z, &p.T)
  1022. FeMul(&r.T, &p.X, &p.Y)
  1023. }
  1025. func (p *PreComputedGroupElement) Zero() {
  1026. p.yPlusX.One()
  1027. p.yMinusX.One()
  1028. p.xy2d.Zero()
  1029. }
  1031. func (c *CachedGroupElement) Zero() {
  1032. c.yPlusX.One()
  1033. c.yMinusX.One()
  1034. c.Z.One()
  1035. c.T2d.Zero()
  1036. }
  1038. func geAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
  1039. var t0 FieldElement
  1041. FeAdd(&r.X, &p.Y, &p.X)
  1042. FeSub(&r.Y, &p.Y, &p.X)
  1043. FeMul(&r.Z, &r.X, &q.yPlusX)
  1044. FeMul(&r.Y, &r.Y, &q.yMinusX)
  1045. FeMul(&r.T, &q.T2d, &p.T)
  1046. FeMul(&r.X, &p.Z, &q.Z)
  1047. FeAdd(&t0, &r.X, &r.X)
  1048. FeSub(&r.X, &r.Z, &r.Y)
  1049. FeAdd(&r.Y, &r.Z, &r.Y)
  1050. FeAdd(&r.Z, &t0, &r.T)
  1051. FeSub(&r.T, &t0, &r.T)
  1052. }
  1054. func geSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
  1055. var t0 FieldElement
  1057. FeAdd(&r.X, &p.Y, &p.X)
  1058. FeSub(&r.Y, &p.Y, &p.X)
  1059. FeMul(&r.Z, &r.X, &q.yMinusX)
  1060. FeMul(&r.Y, &r.Y, &q.yPlusX)
  1061. FeMul(&r.T, &q.T2d, &p.T)
  1062. FeMul(&r.X, &p.Z, &q.Z)
  1063. FeAdd(&t0, &r.X, &r.X)
  1064. FeSub(&r.X, &r.Z, &r.Y)
  1065. FeAdd(&r.Y, &r.Z, &r.Y)
  1066. FeSub(&r.Z, &t0, &r.T)
  1067. FeAdd(&r.T, &t0, &r.T)
  1068. }
  1070. func geMixedAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
  1071. var t0 FieldElement
  1073. FeAdd(&r.X, &p.Y, &p.X)
  1074. FeSub(&r.Y, &p.Y, &p.X)
  1075. FeMul(&r.Z, &r.X, &q.yPlusX)
  1076. FeMul(&r.Y, &r.Y, &q.yMinusX)
  1077. FeMul(&r.T, &q.xy2d, &p.T)
  1078. FeAdd(&t0, &p.Z, &p.Z)
  1079. FeSub(&r.X, &r.Z, &r.Y)
  1080. FeAdd(&r.Y, &r.Z, &r.Y)
  1081. FeAdd(&r.Z, &t0, &r.T)
  1082. FeSub(&r.T, &t0, &r.T)
  1083. }
  1085. func geMixedSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
  1086. var t0 FieldElement
  1088. FeAdd(&r.X, &p.Y, &p.X)
  1089. FeSub(&r.Y, &p.Y, &p.X)
  1090. FeMul(&r.Z, &r.X, &q.yMinusX)
  1091. FeMul(&r.Y, &r.Y, &q.yPlusX)
  1092. FeMul(&r.T, &q.xy2d, &p.T)
  1093. FeAdd(&t0, &p.Z, &p.Z)
  1094. FeSub(&r.X, &r.Z, &r.Y)
  1095. FeAdd(&r.Y, &r.Z, &r.Y)
  1096. FeSub(&r.Z, &t0, &r.T)
  1097. FeAdd(&r.T, &t0, &r.T)
  1098. }
  1100. // r = 8 * t
  1101. func GeMul8(r *CompletedGroupElement, t *ProjectiveGroupElement) {
  1102. var u ProjectiveGroupElement
  1103. t.Double(r)
  1104. r.ToProjective(&u)
  1105. u.Double(r)
  1106. r.ToProjective(&u)
  1107. u.Double(r)
  1108. }
  1110. // caches s into an array of CachedGroupElements for scalar multiplication later
  1111. func GePrecompute(r *[8]CachedGroupElement, s *ExtendedGroupElement) {
  1112. var t CompletedGroupElement
  1113. var s2, u ExtendedGroupElement
  1114. s.ToCached(&r[0])
  1115. s.Double(&t)
  1116. t.ToExtended(&s2)
  1117. for i := 0; i < 7; i++ {
  1118. geAdd(&t, &s2, &r[i])
  1119. t.ToExtended(&u)
  1120. u.ToCached(&r[i+1])
  1121. }
  1122. }
  1124. func slide(r *[256]int8, a *Key) {
  1125. for i := range r {
  1126. r[i] = int8(1 & (a[i>>3] >> uint(i&7)))
  1127. }
  1129. for i := range r {
  1130. if r[i] != 0 {
  1131. for b := 1; b <= 6 && i+b < 256; b++ {
  1132. if r[i+b] != 0 {
  1133. if r[i]+(r[i+b]<<uint(b)) <= 15 {
  1134. r[i] += r[i+b] << uint(b)
  1135. r[i+b] = 0
  1136. } else if r[i]-(r[i+b]<<uint(b)) >= -15 {
  1137. r[i] -= r[i+b] << uint(b)
  1138. for k := i + b; k < 256; k++ {
  1139. if r[k] == 0 {
  1140. r[k] = 1
  1141. break
  1142. }
  1143. r[k] = 0
  1144. }
  1145. } else {
  1146. break
  1147. }
  1148. }
  1149. }
  1150. }
  1151. }
  1152. }
  1154. // GeDoubleScalarMultVartime sets r = a*A + b*B
  1155. // where a = a[0]+256*a[1]+...+256^31 a[31].
  1156. // and b = b[0]+256*b[1]+...+256^31 b[31].
  1157. // B is the Ed25519 base point (x,4/5) with x positive.
  1158. func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *Key, A *ExtendedGroupElement, b *Key) {
  1159. var aSlide, bSlide [256]int8
  1160. var Ai [8]CachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A
  1161. var t CompletedGroupElement
  1162. var u ExtendedGroupElement
  1163. var i int
  1165. slide(&aSlide, a)
  1166. slide(&bSlide, b)
  1167. GePrecompute(&Ai, A)
  1169. r.Zero()
  1171. for i = 255; i >= 0; i-- {
  1172. if aSlide[i] != 0 || bSlide[i] != 0 {
  1173. break
  1174. }
  1175. }
  1177. for ; i >= 0; i-- {
  1178. r.Double(&t)
  1180. if aSlide[i] > 0 {
  1181. t.ToExtended(&u)
  1182. geAdd(&t, &u, &Ai[aSlide[i]/2])
  1183. } else if aSlide[i] < 0 {
  1184. t.ToExtended(&u)
  1185. geSub(&t, &u, &Ai[(-aSlide[i])/2])
  1186. }
  1188. if bSlide[i] > 0 {
  1189. t.ToExtended(&u)
  1190. geMixedAdd(&t, &u, &bi[bSlide[i]/2])
  1191. } else if bSlide[i] < 0 {
  1192. t.ToExtended(&u)
  1193. geMixedSub(&t, &u, &bi[(-bSlide[i])/2])
  1194. }
  1196. t.ToProjective(r)
  1197. }
  1198. }
  1200. // sets r = a*A + b*B
  1201. // where Bi is the [8]CachedGroupElement consisting of
  1202. // B,3B,5B,7B,9B,11B,13B,15B
  1203. func GeDoubleScalarMultPrecompVartime(r *ProjectiveGroupElement, a *Key, A *ExtendedGroupElement, b *Key, Bi *[8]CachedGroupElement) {
  1204. var aSlide, bSlide [256]int8
  1205. var Ai [8]CachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A
  1206. var t CompletedGroupElement
  1207. var u ExtendedGroupElement
  1208. var i int
  1209. slide(&aSlide, a)
  1210. slide(&bSlide, b)
  1211. GePrecompute(&Ai, A)
  1212. r.Zero()
  1213. for i = 255; i >= 0; i-- {
  1214. if aSlide[i] != 0 || bSlide[i] != 0 {
  1215. break
  1216. }
  1217. }
  1218. for ; i >= 0; i-- {
  1219. r.Double(&t)
  1220. if aSlide[i] > 0 {
  1221. t.ToExtended(&u)
  1222. geAdd(&t, &u, &Ai[aSlide[i]/2])
  1223. } else if aSlide[i] < 0 {
  1224. t.ToExtended(&u)
  1225. geSub(&t, &u, &Ai[(-aSlide[i])/2])
  1226. }
  1227. if bSlide[i] > 0 {
  1228. t.ToExtended(&u)
  1229. geAdd(&t, &u, &Bi[bSlide[i]/2])
  1230. } else if bSlide[i] < 0 {
  1231. t.ToExtended(&u)
  1232. geSub(&t, &u, &Bi[(-bSlide[i])/2])
  1233. }
  1234. t.ToProjective(r)
  1235. }
  1236. return
  1237. }
  1239. // equal returns 1 if b == c and 0 otherwise.
  1240. func equal(b, c int32) int32 {
  1241. x := uint32(b ^ c)
  1242. x--
  1243. return int32(x >> 31)
  1244. }
  1246. // negative returns 1 if b < 0 and 0 otherwise.
  1247. func negative(b int32) int32 {
  1248. return (b >> 31) & 1
  1249. }
  1251. func CachedGroupElementCMove(t, u *CachedGroupElement, b int32) {
  1252. FeCMove(&t.yPlusX, &u.yPlusX, b)
  1253. FeCMove(&t.yMinusX, &u.yMinusX, b)
  1254. FeCMove(&t.Z, &u.Z, b)
  1255. FeCMove(&t.T2d, &u.T2d, b)
  1256. }
  1258. func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32) {
  1259. FeCMove(&t.yPlusX, &u.yPlusX, b)
  1260. FeCMove(&t.yMinusX, &u.yMinusX, b)
  1261. FeCMove(&t.xy2d, &u.xy2d, b)
  1262. }
  1264. func selectPoint(t *PreComputedGroupElement, pos int32, b int32) {
  1265. var minusT PreComputedGroupElement
  1266. bNegative := negative(b)
  1267. bAbs := b - (((-bNegative) & b) << 1)
  1269. t.Zero()
  1270. for i := int32(0); i < 8; i++ {
  1271. PreComputedGroupElementCMove(t, &base[pos][i], equal(bAbs, i+1))
  1272. }
  1273. FeCopy(&minusT.yPlusX, &t.yMinusX)
  1274. FeCopy(&minusT.yMinusX, &t.yPlusX)
  1275. FeNeg(&minusT.xy2d, &t.xy2d)
  1276. PreComputedGroupElementCMove(t, &minusT, bNegative)
  1277. }
  1279. // GeScalarMult computes h = a*A, where
  1280. // a = a[0]+256*a[1]+...+256^31 a[31]
  1281. // A is a point on the curve
  1282. //
  1283. // Preconditions:
  1284. // a[31] <= 127
  1285. func GeScalarMult(r *ProjectiveGroupElement, a *Key, A *ExtendedGroupElement) {
  1286. var e [64]int32
  1287. var carry, carry2 int32
  1288. for i := 0; i < 31; i++ {
  1289. carry += int32(a[i]) /* 0..256 */
  1290. carry2 = (carry + 8) >> 4 /* 0..16 */
  1291. e[2*i] = carry - (carry2 << 4) /* -8..7 */
  1292. carry = (carry2 + 8) >> 4 /* 0..1 */
  1293. e[2*i+1] = carry2 - (carry << 4) /* -8..7 */
  1294. }
  1295. carry += int32(a[31]) /* 0..128 */
  1296. carry2 = (carry + 8) >> 4 /* 0..8 */
  1297. e[62] = carry - (carry2 << 4) /* -8..7 */
  1298. e[63] = carry2 /* 0..8 */
  1300. var Ai [8]CachedGroupElement // A,2A,3A,4A,5A,6A,7A,8A
  1301. t := new(CompletedGroupElement)
  1302. u := new(ExtendedGroupElement)
  1303. A.ToCached(&Ai[0])
  1304. for i := 0; i < 7; i++ {
  1305. geAdd(t, A, &Ai[i])
  1306. t.ToExtended(u)
  1307. u.ToCached(&Ai[i+1])
  1308. }
  1309. r.Zero()
  1310. cur := new(CachedGroupElement)
  1311. minusCur := new(CachedGroupElement)
  1312. for i := 63; i >= 0; i-- {
  1313. b := e[i]
  1314. bNegative := negative(b)
  1315. bAbs := b - (((-bNegative) & b) << 1)
  1316. r.Double(t)
  1317. t.ToProjective(r)
  1318. r.Double(t)
  1319. t.ToProjective(r)
  1320. r.Double(t)
  1321. t.ToProjective(r)
  1322. r.Double(t)
  1323. t.ToExtended(u)
  1324. cur.Zero()
  1325. for j := int32(0); j < 8; j++ {
  1326. CachedGroupElementCMove(cur, &Ai[j], equal(bAbs, j+1))
  1327. }
  1328. FeCopy(&minusCur.yPlusX, &cur.yMinusX)
  1329. FeCopy(&minusCur.yMinusX, &cur.yPlusX)
  1330. FeCopy(&minusCur.Z, &cur.Z)
  1331. FeNeg(&minusCur.T2d, &cur.T2d)
  1332. CachedGroupElementCMove(cur, minusCur, bNegative)
  1333. geAdd(t, u, cur)
  1334. t.ToProjective(r)
  1335. }
  1336. }
  1338. // GeScalarMultBase computes h = a*B, where
  1339. // a = a[0]+256*a[1]+...+256^31 a[31]
  1340. // B is the Ed25519 base point (x,4/5) with x positive.
  1341. //
  1342. // Preconditions:
  1343. // a[31] <= 127
  1344. func GeScalarMultBase(h *ExtendedGroupElement, a *Key) {
  1345. var e [64]int8
  1347. for i, v := range a {
  1348. e[2*i] = int8(v & 15)
  1349. e[2*i+1] = int8((v >> 4) & 15)
  1350. }
  1352. // each e[i] is between 0 and 15 and e[63] is between 0 and 7.
  1354. carry := int8(0)
  1355. for i := 0; i < 63; i++ {
  1356. e[i] += carry
  1357. carry = (e[i] + 8) >> 4
  1358. e[i] -= carry << 4
  1359. }
  1360. e[63] += carry
  1361. // each e[i] is between -8 and 8.
  1363. h.Zero()
  1364. var t PreComputedGroupElement
  1365. var r CompletedGroupElement
  1366. for i := int32(1); i < 64; i += 2 {
  1367. selectPoint(&t, i/2, int32(e[i]))
  1368. geMixedAdd(&r, h, &t)
  1369. r.ToExtended(h)
  1370. }
  1372. var s ProjectiveGroupElement
  1374. h.Double(&r)
  1375. r.ToProjective(&s)
  1376. s.Double(&r)
  1377. r.ToProjective(&s)
  1378. s.Double(&r)
  1379. r.ToProjective(&s)
  1380. s.Double(&r)
  1381. r.ToExtended(h)
  1383. for i := int32(0); i < 64; i += 2 {
  1384. selectPoint(&t, i/2, int32(e[i]))
  1385. geMixedAdd(&r, h, &t)
  1386. r.ToExtended(h)
  1387. }
  1388. }
  1390. func ScAdd(s, a, b *Key) {
  1391. a0 := 2097151 & load3(a[:])
  1392. a1 := 2097151 & (load4(a[2:]) >> 5)
  1393. a2 := 2097151 & (load3(a[5:]) >> 2)
  1394. a3 := 2097151 & (load4(a[7:]) >> 7)
  1395. a4 := 2097151 & (load4(a[10:]) >> 4)
  1396. a5 := 2097151 & (load3(a[13:]) >> 1)
  1397. a6 := 2097151 & (load4(a[15:]) >> 6)
  1398. a7 := 2097151 & (load3(a[18:]) >> 3)
  1399. a8 := 2097151 & load3(a[21:])
  1400. a9 := 2097151 & (load4(a[23:]) >> 5)
  1401. a10 := 2097151 & (load3(a[26:]) >> 2)
  1402. a11 := (load4(a[28:]) >> 7)
  1403. b0 := 2097151 & load3(b[:])
  1404. b1 := 2097151 & (load4(b[2:]) >> 5)
  1405. b2 := 2097151 & (load3(b[5:]) >> 2)
  1406. b3 := 2097151 & (load4(b[7:]) >> 7)
  1407. b4 := 2097151 & (load4(b[10:]) >> 4)
  1408. b5 := 2097151 & (load3(b[13:]) >> 1)
  1409. b6 := 2097151 & (load4(b[15:]) >> 6)
  1410. b7 := 2097151 & (load3(b[18:]) >> 3)
  1411. b8 := 2097151 & load3(b[21:])
  1412. b9 := 2097151 & (load4(b[23:]) >> 5)
  1413. b10 := 2097151 & (load3(b[26:]) >> 2)
  1414. b11 := (load4(b[28:]) >> 7)
  1415. s0 := a0 + b0
  1416. s1 := a1 + b1
  1417. s2 := a2 + b2
  1418. s3 := a3 + b3
  1419. s4 := a4 + b4
  1420. s5 := a5 + b5
  1421. s6 := a6 + b6
  1422. s7 := a7 + b7
  1423. s8 := a8 + b8
  1424. s9 := a9 + b9
  1425. s10 := a10 + b10
  1426. s11 := a11 + b11
  1427. s12 := int64(0)
  1428. var carry [12]int64
  1430. carry[0] = (s0 + (1 << 20)) >> 21
  1431. s1 += carry[0]
  1432. s0 -= carry[0] << 21
  1433. carry[2] = (s2 + (1 << 20)) >> 21
  1434. s3 += carry[2]
  1435. s2 -= carry[2] << 21
  1436. carry[4] = (s4 + (1 << 20)) >> 21
  1437. s5 += carry[4]
  1438. s4 -= carry[4] << 21
  1439. carry[6] = (s6 + (1 << 20)) >> 21
  1440. s7 += carry[6]
  1441. s6 -= carry[6] << 21
  1442. carry[8] = (s8 + (1 << 20)) >> 21
  1443. s9 += carry[8]
  1444. s8 -= carry[8] << 21
  1445. carry[10] = (s10 + (1 << 20)) >> 21
  1446. s11 += carry[10]
  1447. s10 -= carry[10] << 21
  1449. carry[1] = (s1 + (1 << 20)) >> 21
  1450. s2 += carry[1]
  1451. s1 -= carry[1] << 21
  1452. carry[3] = (s3 + (1 << 20)) >> 21
  1453. s4 += carry[3]
  1454. s3 -= carry[3] << 21
  1455. carry[5] = (s5 + (1 << 20)) >> 21
  1456. s6 += carry[5]
  1457. s5 -= carry[5] << 21
  1458. carry[7] = (s7 + (1 << 20)) >> 21
  1459. s8 += carry[7]
  1460. s7 -= carry[7] << 21
  1461. carry[9] = (s9 + (1 << 20)) >> 21
  1462. s10 += carry[9]
  1463. s9 -= carry[9] << 21
  1464. carry[11] = (s11 + (1 << 20)) >> 21
  1465. s12 += carry[11]
  1466. s11 -= carry[11] << 21
  1468. s0 += s12 * 666643
  1469. s1 += s12 * 470296
  1470. s2 += s12 * 654183
  1471. s3 -= s12 * 997805
  1472. s4 += s12 * 136657
  1473. s5 -= s12 * 683901
  1474. s12 = 0
  1476. carry[0] = s0 >> 21
  1477. s1 += carry[0]
  1478. s0 -= carry[0] << 21
  1479. carry[1] = s1 >> 21
  1480. s2 += carry[1]
  1481. s1 -= carry[1] << 21
  1482. carry[2] = s2 >> 21
  1483. s3 += carry[2]
  1484. s2 -= carry[2] << 21
  1485. carry[3] = s3 >> 21
  1486. s4 += carry[3]
  1487. s3 -= carry[3] << 21
  1488. carry[4] = s4 >> 21
  1489. s5 += carry[4]
  1490. s4 -= carry[4] << 21
  1491. carry[5] = s5 >> 21
  1492. s6 += carry[5]
  1493. s5 -= carry[5] << 21
  1494. carry[6] = s6 >> 21
  1495. s7 += carry[6]
  1496. s6 -= carry[6] << 21
  1497. carry[7] = s7 >> 21
  1498. s8 += carry[7]
  1499. s7 -= carry[7] << 21
  1500. carry[8] = s8 >> 21
  1501. s9 += carry[8]
  1502. s8 -= carry[8] << 21
  1503. carry[9] = s9 >> 21
  1504. s10 += carry[9]
  1505. s9 -= carry[9] << 21
  1506. carry[10] = s10 >> 21
  1507. s11 += carry[10]
  1508. s10 -= carry[10] << 21
  1509. carry[11] = s11 >> 21
  1510. s12 += carry[11]
  1511. s11 -= carry[11] << 21
  1513. s0 += s12 * 666643
  1514. s1 += s12 * 470296
  1515. s2 += s12 * 654183
  1516. s3 -= s12 * 997805
  1517. s4 += s12 * 136657
  1518. s5 -= s12 * 683901
  1520. carry[0] = s0 >> 21
  1521. s1 += carry[0]
  1522. s0 -= carry[0] << 21
  1523. carry[1] = s1 >> 21
  1524. s2 += carry[1]
  1525. s1 -= carry[1] << 21
  1526. carry[2] = s2 >> 21
  1527. s3 += carry[2]
  1528. s2 -= carry[2] << 21
  1529. carry[3] = s3 >> 21
  1530. s4 += carry[3]
  1531. s3 -= carry[3] << 21
  1532. carry[4] = s4 >> 21
  1533. s5 += carry[4]
  1534. s4 -= carry[4] << 21
  1535. carry[5] = s5 >> 21
  1536. s6 += carry[5]
  1537. s5 -= carry[5] << 21
  1538. carry[6] = s6 >> 21
  1539. s7 += carry[6]
  1540. s6 -= carry[6] << 21
  1541. carry[7] = s7 >> 21
  1542. s8 += carry[7]
  1543. s7 -= carry[7] << 21
  1544. carry[8] = s8 >> 21
  1545. s9 += carry[8]
  1546. s8 -= carry[8] << 21
  1547. carry[9] = s9 >> 21
  1548. s10 += carry[9]
  1549. s9 -= carry[9] << 21
  1550. carry[10] = s10 >> 21
  1551. s11 += carry[10]
  1552. s10 -= carry[10] << 21
  1554. s[0] = byte(s0 >> 0)
  1555. s[1] = byte(s0 >> 8)
  1556. s[2] = byte((s0 >> 16) | (s1 << 5))
  1557. s[3] = byte(s1 >> 3)
  1558. s[4] = byte(s1 >> 11)
  1559. s[5] = byte((s1 >> 19) | (s2 << 2))
  1560. s[6] = byte(s2 >> 6)
  1561. s[7] = byte((s2 >> 14) | (s3 << 7))
  1562. s[8] = byte(s3 >> 1)
  1563. s[9] = byte(s3 >> 9)
  1564. s[10] = byte((s3 >> 17) | (s4 << 4))
  1565. s[11] = byte(s4 >> 4)
  1566. s[12] = byte(s4 >> 12)
  1567. s[13] = byte((s4 >> 20) | (s5 << 1))
  1568. s[14] = byte(s5 >> 7)
  1569. s[15] = byte((s5 >> 15) | (s6 << 6))
  1570. s[16] = byte(s6 >> 2)
  1571. s[17] = byte(s6 >> 10)
  1572. s[18] = byte((s6 >> 18) | (s7 << 3))
  1573. s[19] = byte(s7 >> 5)
  1574. s[20] = byte(s7 >> 13)
  1575. s[21] = byte(s8 >> 0)
  1576. s[22] = byte(s8 >> 8)
  1577. s[23] = byte((s8 >> 16) | (s9 << 5))
  1578. s[24] = byte(s9 >> 3)
  1579. s[25] = byte(s9 >> 11)
  1580. s[26] = byte((s9 >> 19) | (s10 << 2))
  1581. s[27] = byte(s10 >> 6)
  1582. s[28] = byte((s10 >> 14) | (s11 << 7))
  1583. s[29] = byte(s11 >> 1)
  1584. s[30] = byte(s11 >> 9)
  1585. s[31] = byte(s11 >> 17)
  1586. }
  1588. func ScSub(s, a, b *Key) {
  1589. a0 := 2097151 & load3(a[:])
  1590. a1 := 2097151 & (load4(a[2:]) >> 5)
  1591. a2 := 2097151 & (load3(a[5:]) >> 2)
  1592. a3 := 2097151 & (load4(a[7:]) >> 7)
  1593. a4 := 2097151 & (load4(a[10:]) >> 4)
  1594. a5 := 2097151 & (load3(a[13:]) >> 1)
  1595. a6 := 2097151 & (load4(a[15:]) >> 6)
  1596. a7 := 2097151 & (load3(a[18:]) >> 3)
  1597. a8 := 2097151 & load3(a[21:])
  1598. a9 := 2097151 & (load4(a[23:]) >> 5)
  1599. a10 := 2097151 & (load3(a[26:]) >> 2)
  1600. a11 := (load4(a[28:]) >> 7)
  1601. b0 := 2097151 & load3(b[:])
  1602. b1 := 2097151 & (load4(b[2:]) >> 5)
  1603. b2 := 2097151 & (load3(b[5:]) >> 2)
  1604. b3 := 2097151 & (load4(b[7:]) >> 7)
  1605. b4 := 2097151 & (load4(b[10:]) >> 4)
  1606. b5 := 2097151 & (load3(b[13:]) >> 1)
  1607. b6 := 2097151 & (load4(b[15:]) >> 6)
  1608. b7 := 2097151 & (load3(b[18:]) >> 3)
  1609. b8 := 2097151 & load3(b[21:])
  1610. b9 := 2097151 & (load4(b[23:]) >> 5)
  1611. b10 := 2097151 & (load3(b[26:]) >> 2)
  1612. b11 := (load4(b[28:]) >> 7)
  1613. s0 := a0 - b0
  1614. s1 := a1 - b1
  1615. s2 := a2 - b2
  1616. s3 := a3 - b3
  1617. s4 := a4 - b4
  1618. s5 := a5 - b5
  1619. s6 := a6 - b6
  1620. s7 := a7 - b7
  1621. s8 := a8 - b8
  1622. s9 := a9 - b9
  1623. s10 := a10 - b10
  1624. s11 := a11 - b11
  1625. s12 := int64(0)
  1626. var carry [12]int64
  1628. carry[0] = (s0 + (1 << 20)) >> 21
  1629. s1 += carry[0]
  1630. s0 -= carry[0] << 21
  1631. carry[2] = (s2 + (1 << 20)) >> 21
  1632. s3 += carry[2]
  1633. s2 -= carry[2] << 21
  1634. carry[4] = (s4 + (1 << 20)) >> 21
  1635. s5 += carry[4]
  1636. s4 -= carry[4] << 21
  1637. carry[6] = (s6 + (1 << 20)) >> 21
  1638. s7 += carry[6]
  1639. s6 -= carry[6] << 21
  1640. carry[8] = (s8 + (1 << 20)) >> 21
  1641. s9 += carry[8]
  1642. s8 -= carry[8] << 21
  1643. carry[10] = (s10 + (1 << 20)) >> 21
  1644. s11 += carry[10]
  1645. s10 -= carry[10] << 21
  1647. carry[1] = (s1 + (1 << 20)) >> 21
  1648. s2 += carry[1]
  1649. s1 -= carry[1] << 21
  1650. carry[3] = (s3 + (1 << 20)) >> 21
  1651. s4 += carry[3]
  1652. s3 -= carry[3] << 21
  1653. carry[5] = (s5 + (1 << 20)) >> 21
  1654. s6 += carry[5]
  1655. s5 -= carry[5] << 21
  1656. carry[7] = (s7 + (1 << 20)) >> 21
  1657. s8 += carry[7]
  1658. s7 -= carry[7] << 21
  1659. carry[9] = (s9 + (1 << 20)) >> 21
  1660. s10 += carry[9]
  1661. s9 -= carry[9] << 21
  1662. carry[11] = (s11 + (1 << 20)) >> 21
  1663. s12 += carry[11]
  1664. s11 -= carry[11] << 21
  1666. s0 += s12 * 666643
  1667. s1 += s12 * 470296
  1668. s2 += s12 * 654183
  1669. s3 -= s12 * 997805
  1670. s4 += s12 * 136657
  1671. s5 -= s12 * 683901
  1672. s12 = 0
  1674. carry[0] = s0 >> 21
  1675. s1 += carry[0]
  1676. s0 -= carry[0] << 21
  1677. carry[1] = s1 >> 21
  1678. s2 += carry[1]
  1679. s1 -= carry[1] << 21
  1680. carry[2] = s2 >> 21
  1681. s3 += carry[2]
  1682. s2 -= carry[2] << 21
  1683. carry[3] = s3 >> 21
  1684. s4 += carry[3]
  1685. s3 -= carry[3] << 21
  1686. carry[4] = s4 >> 21
  1687. s5 += carry[4]
  1688. s4 -= carry[4] << 21
  1689. carry[5] = s5 >> 21
  1690. s6 += carry[5]
  1691. s5 -= carry[5] << 21
  1692. carry[6] = s6 >> 21
  1693. s7 += carry[6]
  1694. s6 -= carry[6] << 21
  1695. carry[7] = s7 >> 21
  1696. s8 += carry[7]
  1697. s7 -= carry[7] << 21
  1698. carry[8] = s8 >> 21
  1699. s9 += carry[8]
  1700. s8 -= carry[8] << 21
  1701. carry[9] = s9 >> 21
  1702. s10 += carry[9]
  1703. s9 -= carry[9] << 21
  1704. carry[10] = s10 >> 21
  1705. s11 += carry[10]
  1706. s10 -= carry[10] << 21
  1707. carry[11] = s11 >> 21
  1708. s12 += carry[11]
  1709. s11 -= carry[11] << 21
  1711. s0 += s12 * 666643
  1712. s1 += s12 * 470296
  1713. s2 += s12 * 654183
  1714. s3 -= s12 * 997805
  1715. s4 += s12 * 136657
  1716. s5 -= s12 * 683901
  1718. carry[0] = s0 >> 21
  1719. s1 += carry[0]
  1720. s0 -= carry[0] << 21
  1721. carry[1] = s1 >> 21
  1722. s2 += carry[1]
  1723. s1 -= carry[1] << 21
  1724. carry[2] = s2 >> 21
  1725. s3 += carry[2]
  1726. s2 -= carry[2] << 21
  1727. carry[3] = s3 >> 21
  1728. s4 += carry[3]
  1729. s3 -= carry[3] << 21
  1730. carry[4] = s4 >> 21
  1731. s5 += carry[4]
  1732. s4 -= carry[4] << 21
  1733. carry[5] = s5 >> 21
  1734. s6 += carry[5]
  1735. s5 -= carry[5] << 21
  1736. carry[6] = s6 >> 21
  1737. s7 += carry[6]
  1738. s6 -= carry[6] << 21
  1739. carry[7] = s7 >> 21
  1740. s8 += carry[7]
  1741. s7 -= carry[7] << 21
  1742. carry[8] = s8 >> 21
  1743. s9 += carry[8]
  1744. s8 -= carry[8] << 21
  1745. carry[9] = s9 >> 21
  1746. s10 += carry[9]
  1747. s9 -= carry[9] << 21
  1748. carry[10] = s10 >> 21
  1749. s11 += carry[10]
  1750. s10 -= carry[10] << 21
  1752. s[0] = byte(s0 >> 0)
  1753. s[1] = byte(s0 >> 8)
  1754. s[2] = byte((s0 >> 16) | (s1 << 5))
  1755. s[3] = byte(s1 >> 3)
  1756. s[4] = byte(s1 >> 11)
  1757. s[5] = byte((s1 >> 19) | (s2 << 2))
  1758. s[6] = byte(s2 >> 6)
  1759. s[7] = byte((s2 >> 14) | (s3 << 7))
  1760. s[8] = byte(s3 >> 1)
  1761. s[9] = byte(s3 >> 9)
  1762. s[10] = byte((s3 >> 17) | (s4 << 4))
  1763. s[11] = byte(s4 >> 4)
  1764. s[12] = byte(s4 >> 12)
  1765. s[13] = byte((s4 >> 20) | (s5 << 1))
  1766. s[14] = byte(s5 >> 7)
  1767. s[15] = byte((s5 >> 15) | (s6 << 6))
  1768. s[16] = byte(s6 >> 2)
  1769. s[17] = byte(s6 >> 10)
  1770. s[18] = byte((s6 >> 18) | (s7 << 3))
  1771. s[19] = byte(s7 >> 5)
  1772. s[20] = byte(s7 >> 13)
  1773. s[21] = byte(s8 >> 0)
  1774. s[22] = byte(s8 >> 8)
  1775. s[23] = byte((s8 >> 16) | (s9 << 5))
  1776. s[24] = byte(s9 >> 3)
  1777. s[25] = byte(s9 >> 11)
  1778. s[26] = byte((s9 >> 19) | (s10 << 2))
  1779. s[27] = byte(s10 >> 6)
  1780. s[28] = byte((s10 >> 14) | (s11 << 7))
  1781. s[29] = byte(s11 >> 1)
  1782. s[30] = byte(s11 >> 9)
  1783. s[31] = byte(s11 >> 17)
  1784. }
  1786. func signum(a int64) int64 {
  1787. return a>>63 - ((-a) >> 63)
  1788. }
  1790. // equivalent to sc_check
  1791. func Sc_check(s *Key) bool {
  1792. return ScValid(s)
  1793. }
  1794. func ScValid(s *Key) bool {
  1795. s0 := load4(s[:])
  1796. s1 := load4(s[4:])
  1797. s2 := load4(s[8:])
  1798. s3 := load4(s[12:])
  1799. s4 := load4(s[16:])
  1800. s5 := load4(s[20:])
  1801. s6 := load4(s[24:])
  1802. s7 := load4(s[28:])
  1803. return (signum(1559614444-s0)+(signum(1477600026-s1)<<1)+(signum(2734136534-s2)<<2)+(signum(350157278-s3)<<3)+(signum(-s4)<<4)+(signum(-s5)<<5)+(signum(-s6)<<6)+(signum(268435456-s7)<<7))>>8 == 0
  1805. }
  1807. func ScIsZero(s *Key) bool {
  1808. return ((int(s[0]|s[1]|s[2]|s[3]|s[4]|s[5]|s[6]|s[7]|s[8]|
  1809. s[9]|s[10]|s[11]|s[12]|s[13]|s[14]|s[15]|s[16]|s[17]|
  1810. s[18]|s[19]|s[20]|s[21]|s[22]|s[23]|s[24]|s[25]|s[26]|
  1811. s[27]|s[28]|s[29]|s[30]|s[31])-1)>>8)+1 == 0
  1812. }
  1814. // The scalars are GF(2^252 + 27742317777372353535851937790883648493).
  1816. // Input:
  1817. // a[0]+256*a[1]+...+256^31*a[31] = a
  1818. // b[0]+256*b[1]+...+256^31*b[31] = b
  1819. // c[0]+256*c[1]+...+256^31*c[31] = c
  1820. //
  1821. // Output:
  1822. // s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
  1823. // where l = 2^252 + 27742317777372353535851937790883648493.
  1824. func ScMulAdd(s, a, b, c *Key) {
  1825. a0 := 2097151 & load3(a[:])
  1826. a1 := 2097151 & (load4(a[2:]) >> 5)
  1827. a2 := 2097151 & (load3(a[5:]) >> 2)
  1828. a3 := 2097151 & (load4(a[7:]) >> 7)
  1829. a4 := 2097151 & (load4(a[10:]) >> 4)
  1830. a5 := 2097151 & (load3(a[13:]) >> 1)
  1831. a6 := 2097151 & (load4(a[15:]) >> 6)
  1832. a7 := 2097151 & (load3(a[18:]) >> 3)
  1833. a8 := 2097151 & load3(a[21:])
  1834. a9 := 2097151 & (load4(a[23:]) >> 5)
  1835. a10 := 2097151 & (load3(a[26:]) >> 2)
  1836. a11 := (load4(a[28:]) >> 7)
  1837. b0 := 2097151 & load3(b[:])
  1838. b1 := 2097151 & (load4(b[2:]) >> 5)
  1839. b2 := 2097151 & (load3(b[5:]) >> 2)
  1840. b3 := 2097151 & (load4(b[7:]) >> 7)
  1841. b4 := 2097151 & (load4(b[10:]) >> 4)
  1842. b5 := 2097151 & (load3(b[13:]) >> 1)
  1843. b6 := 2097151 & (load4(b[15:]) >> 6)
  1844. b7 := 2097151 & (load3(b[18:]) >> 3)
  1845. b8 := 2097151 & load3(b[21:])
  1846. b9 := 2097151 & (load4(b[23:]) >> 5)
  1847. b10 := 2097151 & (load3(b[26:]) >> 2)
  1848. b11 := (load4(b[28:]) >> 7)
  1849. c0 := 2097151 & load3(c[:])
  1850. c1 := 2097151 & (load4(c[2:]) >> 5)
  1851. c2 := 2097151 & (load3(c[5:]) >> 2)
  1852. c3 := 2097151 & (load4(c[7:]) >> 7)
  1853. c4 := 2097151 & (load4(c[10:]) >> 4)
  1854. c5 := 2097151 & (load3(c[13:]) >> 1)
  1855. c6 := 2097151 & (load4(c[15:]) >> 6)
  1856. c7 := 2097151 & (load3(c[18:]) >> 3)
  1857. c8 := 2097151 & load3(c[21:])
  1858. c9 := 2097151 & (load4(c[23:]) >> 5)
  1859. c10 := 2097151 & (load3(c[26:]) >> 2)
  1860. c11 := (load4(c[28:]) >> 7)
  1861. var carry [23]int64
  1863. s0 := c0 + a0*b0
  1864. s1 := c1 + a0*b1 + a1*b0
  1865. s2 := c2 + a0*b2 + a1*b1 + a2*b0
  1866. s3 := c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0
  1867. s4 := c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0
  1868. s5 := c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0
  1869. s6 := c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0
  1870. s7 := c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0
  1871. s8 := c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0
  1872. s9 := c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0
  1873. s10 := c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0
  1874. s11 := c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0
  1875. s12 := a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1
  1876. s13 := a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2
  1877. s14 := a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3
  1878. s15 := a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4
  1879. s16 := a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5
  1880. s17 := a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6
  1881. s18 := a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7
  1882. s19 := a8*b11 + a9*b10 + a10*b9 + a11*b8
  1883. s20 := a9*b11 + a10*b10 + a11*b9
  1884. s21 := a10*b11 + a11*b10
  1885. s22 := a11 * b11
  1886. s23 := int64(0)
  1888. carry[0] = (s0 + (1 << 20)) >> 21
  1889. s1 += carry[0]
  1890. s0 -= carry[0] << 21
  1891. carry[2] = (s2 + (1 << 20)) >> 21
  1892. s3 += carry[2]
  1893. s2 -= carry[2] << 21
  1894. carry[4] = (s4 + (1 << 20)) >> 21
  1895. s5 += carry[4]
  1896. s4 -= carry[4] << 21
  1897. carry[6] = (s6 + (1 << 20)) >> 21
  1898. s7 += carry[6]
  1899. s6 -= carry[6] << 21
  1900. carry[8] = (s8 + (1 << 20)) >> 21
  1901. s9 += carry[8]
  1902. s8 -= carry[8] << 21
  1903. carry[10] = (s10 + (1 << 20)) >> 21
  1904. s11 += carry[10]
  1905. s10 -= carry[10] << 21
  1906. carry[12] = (s12 + (1 << 20)) >> 21
  1907. s13 += carry[12]
  1908. s12 -= carry[12] << 21
  1909. carry[14] = (s14 + (1 << 20)) >> 21
  1910. s15 += carry[14]
  1911. s14 -= carry[14] << 21
  1912. carry[16] = (s16 + (1 << 20)) >> 21
  1913. s17 += carry[16]
  1914. s16 -= carry[16] << 21
  1915. carry[18] = (s18 + (1 << 20)) >> 21
  1916. s19 += carry[18]
  1917. s18 -= carry[18] << 21
  1918. carry[20] = (s20 + (1 << 20)) >> 21
  1919. s21 += carry[20]
  1920. s20 -= carry[20] << 21
  1921. carry[22] = (s22 + (1 << 20)) >> 21
  1922. s23 += carry[22]
  1923. s22 -= carry[22] << 21
  1925. carry[1] = (s1 + (1 << 20)) >> 21
  1926. s2 += carry[1]
  1927. s1 -= carry[1] << 21
  1928. carry[3] = (s3 + (1 << 20)) >> 21
  1929. s4 += carry[3]
  1930. s3 -= carry[3] << 21
  1931. carry[5] = (s5 + (1 << 20)) >> 21
  1932. s6 += carry[5]
  1933. s5 -= carry[5] << 21
  1934. carry[7] = (s7 + (1 << 20)) >> 21
  1935. s8 += carry[7]
  1936. s7 -= carry[7] << 21
  1937. carry[9] = (s9 + (1 << 20)) >> 21
  1938. s10 += carry[9]
  1939. s9 -= carry[9] << 21
  1940. carry[11] = (s11 + (1 << 20)) >> 21
  1941. s12 += carry[11]
  1942. s11 -= carry[11] << 21
  1943. carry[13] = (s13 + (1 << 20)) >> 21
  1944. s14 += carry[13]
  1945. s13 -= carry[13] << 21
  1946. carry[15] = (s15 + (1 << 20)) >> 21
  1947. s16 += carry[15]
  1948. s15 -= carry[15] << 21
  1949. carry[17] = (s17 + (1 << 20)) >> 21
  1950. s18 += carry[17]
  1951. s17 -= carry[17] << 21
  1952. carry[19] = (s19 + (1 << 20)) >> 21
  1953. s20 += carry[19]
  1954. s19 -= carry[19] << 21
  1955. carry[21] = (s21 + (1 << 20)) >> 21
  1956. s22 += carry[21]
  1957. s21 -= carry[21] << 21
  1959. s11 += s23 * 666643
  1960. s12 += s23 * 470296
  1961. s13 += s23 * 654183
  1962. s14 -= s23 * 997805
  1963. s15 += s23 * 136657
  1964. s16 -= s23 * 683901
  1965. s23 = 0
  1967. s10 += s22 * 666643
  1968. s11 += s22 * 470296
  1969. s12 += s22 * 654183
  1970. s13 -= s22 * 997805
  1971. s14 += s22 * 136657
  1972. s15 -= s22 * 683901
  1973. s22 = 0
  1975. s9 += s21 * 666643
  1976. s10 += s21 * 470296
  1977. s11 += s21 * 654183
  1978. s12 -= s21 * 997805
  1979. s13 += s21 * 136657
  1980. s14 -= s21 * 683901
  1981. s21 = 0
  1983. s8 += s20 * 666643
  1984. s9 += s20 * 470296
  1985. s10 += s20 * 654183
  1986. s11 -= s20 * 997805
  1987. s12 += s20 * 136657
  1988. s13 -= s20 * 683901
  1989. s20 = 0
  1991. s7 += s19 * 666643
  1992. s8 += s19 * 470296
  1993. s9 += s19 * 654183
  1994. s10 -= s19 * 997805
  1995. s11 += s19 * 136657
  1996. s12 -= s19 * 683901
  1997. s19 = 0
  1999. s6 += s18 * 666643
  2000. s7 += s18 * 470296
  2001. s8 += s18 * 654183
  2002. s9 -= s18 * 997805
  2003. s10 += s18 * 136657
  2004. s11 -= s18 * 683901
  2005. s18 = 0
  2007. carry[6] = (s6 + (1 << 20)) >> 21
  2008. s7 += carry[6]
  2009. s6 -= carry[6] << 21
  2010. carry[8] = (s8 + (1 << 20)) >> 21
  2011. s9 += carry[8]
  2012. s8 -= carry[8] << 21
  2013. carry[10] = (s10 + (1 << 20)) >> 21
  2014. s11 += carry[10]
  2015. s10 -= carry[10] << 21
  2016. carry[12] = (s12 + (1 << 20)) >> 21
  2017. s13 += carry[12]
  2018. s12 -= carry[12] << 21
  2019. carry[14] = (s14 + (1 << 20)) >> 21
  2020. s15 += carry[14]
  2021. s14 -= carry[14] << 21
  2022. carry[16] = (s16 + (1 << 20)) >> 21
  2023. s17 += carry[16]
  2024. s16 -= carry[16] << 21
  2026. carry[7] = (s7 + (1 << 20)) >> 21
  2027. s8 += carry[7]
  2028. s7 -= carry[7] << 21
  2029. carry[9] = (s9 + (1 << 20)) >> 21
  2030. s10 += carry[9]
  2031. s9 -= carry[9] << 21
  2032. carry[11] = (s11 + (1 << 20)) >> 21
  2033. s12 += carry[11]
  2034. s11 -= carry[11] << 21
  2035. carry[13] = (s13 + (1 << 20)) >> 21
  2036. s14 += carry[13]
  2037. s13 -= carry[13] << 21
  2038. carry[15] = (s15 + (1 << 20)) >> 21
  2039. s16 += carry[15]
  2040. s15 -= carry[15] << 21
  2042. s5 += s17 * 666643
  2043. s6 += s17 * 470296
  2044. s7 += s17 * 654183
  2045. s8 -= s17 * 997805
  2046. s9 += s17 * 136657
  2047. s10 -= s17 * 683901
  2048. s17 = 0
  2050. s4 += s16 * 666643
  2051. s5 += s16 * 470296
  2052. s6 += s16 * 654183
  2053. s7 -= s16 * 997805
  2054. s8 += s16 * 136657
  2055. s9 -= s16 * 683901
  2056. s16 = 0
  2058. s3 += s15 * 666643
  2059. s4 += s15 * 470296
  2060. s5 += s15 * 654183
  2061. s6 -= s15 * 997805
  2062. s7 += s15 * 136657
  2063. s8 -= s15 * 683901
  2064. s15 = 0
  2066. s2 += s14 * 666643
  2067. s3 += s14 * 470296
  2068. s4 += s14 * 654183
  2069. s5 -= s14 * 997805
  2070. s6 += s14 * 136657
  2071. s7 -= s14 * 683901
  2072. s14 = 0
  2074. s1 += s13 * 666643
  2075. s2 += s13 * 470296
  2076. s3 += s13 * 654183
  2077. s4 -= s13 * 997805
  2078. s5 += s13 * 136657
  2079. s6 -= s13 * 683901
  2080. s13 = 0
  2082. s0 += s12 * 666643
  2083. s1 += s12 * 470296
  2084. s2 += s12 * 654183
  2085. s3 -= s12 * 997805
  2086. s4 += s12 * 136657
  2087. s5 -= s12 * 683901
  2088. s12 = 0
  2090. carry[0] = (s0 + (1 << 20)) >> 21
  2091. s1 += carry[0]
  2092. s0 -= carry[0] << 21
  2093. carry[2] = (s2 + (1 << 20)) >> 21
  2094. s3 += carry[2]
  2095. s2 -= carry[2] << 21
  2096. carry[4] = (s4 + (1 << 20)) >> 21
  2097. s5 += carry[4]
  2098. s4 -= carry[4] << 21
  2099. carry[6] = (s6 + (1 << 20)) >> 21
  2100. s7 += carry[6]
  2101. s6 -= carry[6] << 21
  2102. carry[8] = (s8 + (1 << 20)) >> 21
  2103. s9 += carry[8]
  2104. s8 -= carry[8] << 21
  2105. carry[10] = (s10 + (1 << 20)) >> 21
  2106. s11 += carry[10]
  2107. s10 -= carry[10] << 21
  2109. carry[1] = (s1 + (1 << 20)) >> 21
  2110. s2 += carry[1]
  2111. s1 -= carry[1] << 21
  2112. carry[3] = (s3 + (1 << 20)) >> 21
  2113. s4 += carry[3]
  2114. s3 -= carry[3] << 21
  2115. carry[5] = (s5 + (1 << 20)) >> 21
  2116. s6 += carry[5]
  2117. s5 -= carry[5] << 21
  2118. carry[7] = (s7 + (1 << 20)) >> 21
  2119. s8 += carry[7]
  2120. s7 -= carry[7] << 21
  2121. carry[9] = (s9 + (1 << 20)) >> 21
  2122. s10 += carry[9]
  2123. s9 -= carry[9] << 21
  2124. carry[11] = (s11 + (1 << 20)) >> 21
  2125. s12 += carry[11]
  2126. s11 -= carry[11] << 21
  2128. s0 += s12 * 666643
  2129. s1 += s12 * 470296
  2130. s2 += s12 * 654183
  2131. s3 -= s12 * 997805
  2132. s4 += s12 * 136657
  2133. s5 -= s12 * 683901
  2134. s12 = 0
  2136. carry[0] = s0 >> 21
  2137. s1 += carry[0]
  2138. s0 -= carry[0] << 21
  2139. carry[1] = s1 >> 21
  2140. s2 += carry[1]
  2141. s1 -= carry[1] << 21
  2142. carry[2] = s2 >> 21
  2143. s3 += carry[2]
  2144. s2 -= carry[2] << 21
  2145. carry[3] = s3 >> 21
  2146. s4 += carry[3]
  2147. s3 -= carry[3] << 21
  2148. carry[4] = s4 >> 21
  2149. s5 += carry[4]
  2150. s4 -= carry[4] << 21
  2151. carry[5] = s5 >> 21
  2152. s6 += carry[5]
  2153. s5 -= carry[5] << 21
  2154. carry[6] = s6 >> 21
  2155. s7 += carry[6]
  2156. s6 -= carry[6] << 21
  2157. carry[7] = s7 >> 21
  2158. s8 += carry[7]
  2159. s7 -= carry[7] << 21
  2160. carry[8] = s8 >> 21
  2161. s9 += carry[8]
  2162. s8 -= carry[8] << 21
  2163. carry[9] = s9 >> 21
  2164. s10 += carry[9]
  2165. s9 -= carry[9] << 21
  2166. carry[10] = s10 >> 21
  2167. s11 += carry[10]
  2168. s10 -= carry[10] << 21
  2169. carry[11] = s11 >> 21
  2170. s12 += carry[11]
  2171. s11 -= carry[11] << 21
  2173. s0 += s12 * 666643
  2174. s1 += s12 * 470296
  2175. s2 += s12 * 654183
  2176. s3 -= s12 * 997805
  2177. s4 += s12 * 136657
  2178. s5 -= s12 * 683901
  2179. s12 = 0
  2181. carry[0] = s0 >> 21
  2182. s1 += carry[0]
  2183. s0 -= carry[0] << 21
  2184. carry[1] = s1 >> 21
  2185. s2 += carry[1]
  2186. s1 -= carry[1] << 21
  2187. carry[2] = s2 >> 21
  2188. s3 += carry[2]
  2189. s2 -= carry[2] << 21
  2190. carry[3] = s3 >> 21
  2191. s4 += carry[3]
  2192. s3 -= carry[3] << 21
  2193. carry[4] = s4 >> 21
  2194. s5 += carry[4]
  2195. s4 -= carry[4] << 21
  2196. carry[5] = s5 >> 21
  2197. s6 += carry[5]
  2198. s5 -= carry[5] << 21
  2199. carry[6] = s6 >> 21
  2200. s7 += carry[6]
  2201. s6 -= carry[6] << 21
  2202. carry[7] = s7 >> 21
  2203. s8 += carry[7]
  2204. s7 -= carry[7] << 21
  2205. carry[8] = s8 >> 21
  2206. s9 += carry[8]
  2207. s8 -= carry[8] << 21
  2208. carry[9] = s9 >> 21
  2209. s10 += carry[9]
  2210. s9 -= carry[9] << 21
  2211. carry[10] = s10 >> 21
  2212. s11 += carry[10]
  2213. s10 -= carry[10] << 21
  2215. s[0] = byte(s0 >> 0)
  2216. s[1] = byte(s0 >> 8)
  2217. s[2] = byte((s0 >> 16) | (s1 << 5))
  2218. s[3] = byte(s1 >> 3)
  2219. s[4] = byte(s1 >> 11)
  2220. s[5] = byte((s1 >> 19) | (s2 << 2))
  2221. s[6] = byte(s2 >> 6)
  2222. s[7] = byte((s2 >> 14) | (s3 << 7))
  2223. s[8] = byte(s3 >> 1)
  2224. s[9] = byte(s3 >> 9)
  2225. s[10] = byte((s3 >> 17) | (s4 << 4))
  2226. s[11] = byte(s4 >> 4)
  2227. s[12] = byte(s4 >> 12)
  2228. s[13] = byte((s4 >> 20) | (s5 << 1))
  2229. s[14] = byte(s5 >> 7)
  2230. s[15] = byte((s5 >> 15) | (s6 << 6))
  2231. s[16] = byte(s6 >> 2)
  2232. s[17] = byte(s6 >> 10)
  2233. s[18] = byte((s6 >> 18) | (s7 << 3))
  2234. s[19] = byte(s7 >> 5)
  2235. s[20] = byte(s7 >> 13)
  2236. s[21] = byte(s8 >> 0)
  2237. s[22] = byte(s8 >> 8)
  2238. s[23] = byte((s8 >> 16) | (s9 << 5))
  2239. s[24] = byte(s9 >> 3)
  2240. s[25] = byte(s9 >> 11)
  2241. s[26] = byte((s9 >> 19) | (s10 << 2))
  2242. s[27] = byte(s10 >> 6)
  2243. s[28] = byte((s10 >> 14) | (s11 << 7))
  2244. s[29] = byte(s11 >> 1)
  2245. s[30] = byte(s11 >> 9)
  2246. s[31] = byte(s11 >> 17)
  2247. }
  2249. // Input:
  2250. // a[0]+256*a[1]+...+256^31*a[31] = a
  2251. // b[0]+256*b[1]+...+256^31*b[31] = b
  2252. // c[0]+256*c[1]+...+256^31*c[31] = c
  2253. //
  2254. // Output:
  2255. // s[0]+256*s[1]+...+256^31*s[31] = (c-ab) mod l
  2256. // where l = 2^252 + 27742317777372353535851937790883648493.
  2257. func ScMulSub(s, a, b, c *Key) {
  2258. a0 := 2097151 & load3(a[:])
  2259. a1 := 2097151 & (load4(a[2:]) >> 5)
  2260. a2 := 2097151 & (load3(a[5:]) >> 2)
  2261. a3 := 2097151 & (load4(a[7:]) >> 7)
  2262. a4 := 2097151 & (load4(a[10:]) >> 4)
  2263. a5 := 2097151 & (load3(a[13:]) >> 1)
  2264. a6 := 2097151 & (load4(a[15:]) >> 6)
  2265. a7 := 2097151 & (load3(a[18:]) >> 3)
  2266. a8 := 2097151 & load3(a[21:])
  2267. a9 := 2097151 & (load4(a[23:]) >> 5)
  2268. a10 := 2097151 & (load3(a[26:]) >> 2)
  2269. a11 := (load4(a[28:]) >> 7)
  2270. b0 := 2097151 & load3(b[:])
  2271. b1 := 2097151 & (load4(b[2:]) >> 5)
  2272. b2 := 2097151 & (load3(b[5:]) >> 2)
  2273. b3 := 2097151 & (load4(b[7:]) >> 7)
  2274. b4 := 2097151 & (load4(b[10:]) >> 4)
  2275. b5 := 2097151 & (load3(b[13:]) >> 1)
  2276. b6 := 2097151 & (load4(b[15:]) >> 6)
  2277. b7 := 2097151 & (load3(b[18:]) >> 3)
  2278. b8 := 2097151 & load3(b[21:])
  2279. b9 := 2097151 & (load4(b[23:]) >> 5)
  2280. b10 := 2097151 & (load3(b[26:]) >> 2)
  2281. b11 := (load4(b[28:]) >> 7)
  2282. c0 := 2097151 & load3(c[:])
  2283. c1 := 2097151 & (load4(c[2:]) >> 5)
  2284. c2 := 2097151 & (load3(c[5:]) >> 2)
  2285. c3 := 2097151 & (load4(c[7:]) >> 7)
  2286. c4 := 2097151 & (load4(c[10:]) >> 4)
  2287. c5 := 2097151 & (load3(c[13:]) >> 1)
  2288. c6 := 2097151 & (load4(c[15:]) >> 6)
  2289. c7 := 2097151 & (load3(c[18:]) >> 3)
  2290. c8 := 2097151 & load3(c[21:])
  2291. c9 := 2097151 & (load4(c[23:]) >> 5)
  2292. c10 := 2097151 & (load3(c[26:]) >> 2)
  2293. c11 := (load4(c[28:]) >> 7)
  2294. var carry [23]int64
  2296. s0 := c0 - a0*b0
  2297. s1 := c1 - a0*b1 - a1*b0
  2298. s2 := c2 - a0*b2 - a1*b1 - a2*b0
  2299. s3 := c3 - a0*b3 - a1*b2 - a2*b1 - a3*b0
  2300. s4 := c4 - a0*b4 - a1*b3 - a2*b2 - a3*b1 - a4*b0
  2301. s5 := c5 - a0*b5 - a1*b4 - a2*b3 - a3*b2 - a4*b1 - a5*b0
  2302. s6 := c6 - a0*b6 - a1*b5 - a2*b4 - a3*b3 - a4*b2 - a5*b1 - a6*b0
  2303. s7 := c7 - a0*b7 - a1*b6 - a2*b5 - a3*b4 - a4*b3 - a5*b2 - a6*b1 - a7*b0
  2304. s8 := c8 - a0*b8 - a1*b7 - a2*b6 - a3*b5 - a4*b4 - a5*b3 - a6*b2 - a7*b1 - a8*b0
  2305. s9 := c9 - a0*b9 - a1*b8 - a2*b7 - a3*b6 - a4*b5 - a5*b4 - a6*b3 - a7*b2 - a8*b1 - a9*b0
  2306. s10 := c10 - a0*b10 - a1*b9 - a2*b8 - a3*b7 - a4*b6 - a5*b5 - a6*b4 - a7*b3 - a8*b2 - a9*b1 - a10*b0
  2307. s11 := c11 - a0*b11 - a1*b10 - a2*b9 - a3*b8 - a4*b7 - a5*b6 - a6*b5 - a7*b4 - a8*b3 - a9*b2 - a10*b1 - a11*b0
  2308. s12 := -a1*b11 - a2*b10 - a3*b9 - a4*b8 - a5*b7 - a6*b6 - a7*b5 - a8*b4 - a9*b3 - a10*b2 - a11*b1
  2309. s13 := -a2*b11 - a3*b10 - a4*b9 - a5*b8 - a6*b7 - a7*b6 - a8*b5 - a9*b4 - a10*b3 - a11*b2
  2310. s14 := -a3*b11 - a4*b10 - a5*b9 - a6*b8 - a7*b7 - a8*b6 - a9*b5 - a10*b4 - a11*b3
  2311. s15 := -a4*b11 - a5*b10 - a6*b9 - a7*b8 - a8*b7 - a9*b6 - a10*b5 - a11*b4
  2312. s16 := -a5*b11 - a6*b10 - a7*b9 - a8*b8 - a9*b7 - a10*b6 - a11*b5
  2313. s17 := -a6*b11 - a7*b10 - a8*b9 - a9*b8 - a10*b7 - a11*b6
  2314. s18 := -a7*b11 - a8*b10 - a9*b9 - a10*b8 - a11*b7
  2315. s19 := -a8*b11 - a9*b10 - a10*b9 - a11*b8
  2316. s20 := -a9*b11 - a10*b10 - a11*b9
  2317. s21 := -a10*b11 - a11*b10
  2318. s22 := -a11 * b11
  2319. s23 := int64(0)
  2321. carry[0] = (s0 + (1 << 20)) >> 21
  2322. s1 += carry[0]
  2323. s0 -= carry[0] << 21
  2324. carry[2] = (s2 + (1 << 20)) >> 21
  2325. s3 += carry[2]
  2326. s2 -= carry[2] << 21
  2327. carry[4] = (s4 + (1 << 20)) >> 21
  2328. s5 += carry[4]
  2329. s4 -= carry[4] << 21
  2330. carry[6] = (s6 + (1 << 20)) >> 21
  2331. s7 += carry[6]
  2332. s6 -= carry[6] << 21
  2333. carry[8] = (s8 + (1 << 20)) >> 21
  2334. s9 += carry[8]
  2335. s8 -= carry[8] << 21
  2336. carry[10] = (s10 + (1 << 20)) >> 21
  2337. s11 += carry[10]
  2338. s10 -= carry[10] << 21
  2339. carry[12] = (s12 + (1 << 20)) >> 21
  2340. s13 += carry[12]
  2341. s12 -= carry[12] << 21
  2342. carry[14] = (s14 + (1 << 20)) >> 21
  2343. s15 += carry[14]
  2344. s14 -= carry[14] << 21
  2345. carry[16] = (s16 + (1 << 20)) >> 21
  2346. s17 += carry[16]
  2347. s16 -= carry[16] << 21
  2348. carry[18] = (s18 + (1 << 20)) >> 21
  2349. s19 += carry[18]
  2350. s18 -= carry[18] << 21
  2351. carry[20] = (s20 + (1 << 20)) >> 21
  2352. s21 += carry[20]
  2353. s20 -= carry[20] << 21
  2354. carry[22] = (s22 + (1 << 20)) >> 21
  2355. s23 += carry[22]
  2356. s22 -= carry[22] << 21
  2358. carry[1] = (s1 + (1 << 20)) >> 21
  2359. s2 += carry[1]
  2360. s1 -= carry[1] << 21
  2361. carry[3] = (s3 + (1 << 20)) >> 21
  2362. s4 += carry[3]
  2363. s3 -= carry[3] << 21
  2364. carry[5] = (s5 + (1 << 20)) >> 21
  2365. s6 += carry[5]
  2366. s5 -= carry[5] << 21
  2367. carry[7] = (s7 + (1 << 20)) >> 21
  2368. s8 += carry[7]
  2369. s7 -= carry[7] << 21
  2370. carry[9] = (s9 + (1 << 20)) >> 21
  2371. s10 += carry[9]
  2372. s9 -= carry[9] << 21
  2373. carry[11] = (s11 + (1 << 20)) >> 21
  2374. s12 += carry[11]
  2375. s11 -= carry[11] << 21
  2376. carry[13] = (s13 + (1 << 20)) >> 21
  2377. s14 += carry[13]
  2378. s13 -= carry[13] << 21
  2379. carry[15] = (s15 + (1 << 20)) >> 21
  2380. s16 += carry[15]
  2381. s15 -= carry[15] << 21
  2382. carry[17] = (s17 + (1 << 20)) >> 21
  2383. s18 += carry[17]
  2384. s17 -= carry[17] << 21
  2385. carry[19] = (s19 + (1 << 20)) >> 21
  2386. s20 += carry[19]
  2387. s19 -= carry[19] << 21
  2388. carry[21] = (s21 + (1 << 20)) >> 21
  2389. s22 += carry[21]
  2390. s21 -= carry[21] << 21
  2392. s11 += s23 * 666643
  2393. s12 += s23 * 470296
  2394. s13 += s23 * 654183
  2395. s14 -= s23 * 997805
  2396. s15 += s23 * 136657
  2397. s16 -= s23 * 683901
  2398. s23 = 0
  2400. s10 += s22 * 666643
  2401. s11 += s22 * 470296
  2402. s12 += s22 * 654183
  2403. s13 -= s22 * 997805
  2404. s14 += s22 * 136657
  2405. s15 -= s22 * 683901
  2406. s22 = 0
  2408. s9 += s21 * 666643
  2409. s10 += s21 * 470296
  2410. s11 += s21 * 654183
  2411. s12 -= s21 * 997805
  2412. s13 += s21 * 136657
  2413. s14 -= s21 * 683901
  2414. s21 = 0
  2416. s8 += s20 * 666643
  2417. s9 += s20 * 470296
  2418. s10 += s20 * 654183
  2419. s11 -= s20 * 997805
  2420. s12 += s20 * 136657
  2421. s13 -= s20 * 683901
  2422. s20 = 0
  2424. s7 += s19 * 666643
  2425. s8 += s19 * 470296
  2426. s9 += s19 * 654183
  2427. s10 -= s19 * 997805
  2428. s11 += s19 * 136657
  2429. s12 -= s19 * 683901
  2430. s19 = 0
  2432. s6 += s18 * 666643
  2433. s7 += s18 * 470296
  2434. s8 += s18 * 654183
  2435. s9 -= s18 * 997805
  2436. s10 += s18 * 136657
  2437. s11 -= s18 * 683901
  2438. s18 = 0
  2440. carry[6] = (s6 + (1 << 20)) >> 21
  2441. s7 += carry[6]
  2442. s6 -= carry[6] << 21
  2443. carry[8] = (s8 + (1 << 20)) >> 21
  2444. s9 += carry[8]
  2445. s8 -= carry[8] << 21
  2446. carry[10] = (s10 + (1 << 20)) >> 21
  2447. s11 += carry[10]
  2448. s10 -= carry[10] << 21
  2449. carry[12] = (s12 + (1 << 20)) >> 21
  2450. s13 += carry[12]
  2451. s12 -= carry[12] << 21
  2452. carry[14] = (s14 + (1 << 20)) >> 21
  2453. s15 += carry[14]
  2454. s14 -= carry[14] << 21
  2455. carry[16] = (s16 + (1 << 20)) >> 21
  2456. s17 += carry[16]
  2457. s16 -= carry[16] << 21
  2459. carry[7] = (s7 + (1 << 20)) >> 21
  2460. s8 += carry[7]
  2461. s7 -= carry[7] << 21
  2462. carry[9] = (s9 + (1 << 20)) >> 21
  2463. s10 += carry[9]
  2464. s9 -= carry[9] << 21
  2465. carry[11] = (s11 + (1 << 20)) >> 21
  2466. s12 += carry[11]
  2467. s11 -= carry[11] << 21
  2468. carry[13] = (s13 + (1 << 20)) >> 21
  2469. s14 += carry[13]
  2470. s13 -= carry[13] << 21
  2471. carry[15] = (s15 + (1 << 20)) >> 21
  2472. s16 += carry[15]
  2473. s15 -= carry[15] << 21
  2475. s5 += s17 * 666643
  2476. s6 += s17 * 470296
  2477. s7 += s17 * 654183
  2478. s8 -= s17 * 997805
  2479. s9 += s17 * 136657
  2480. s10 -= s17 * 683901
  2481. s17 = 0
  2483. s4 += s16 * 666643
  2484. s5 += s16 * 470296
  2485. s6 += s16 * 654183
  2486. s7 -= s16 * 997805
  2487. s8 += s16 * 136657
  2488. s9 -= s16 * 683901
  2489. s16 = 0
  2491. s3 += s15 * 666643
  2492. s4 += s15 * 470296
  2493. s5 += s15 * 654183
  2494. s6 -= s15 * 997805
  2495. s7 += s15 * 136657
  2496. s8 -= s15 * 683901
  2497. s15 = 0
  2499. s2 += s14 * 666643
  2500. s3 += s14 * 470296
  2501. s4 += s14 * 654183
  2502. s5 -= s14 * 997805
  2503. s6 += s14 * 136657
  2504. s7 -= s14 * 683901
  2505. s14 = 0
  2507. s1 += s13 * 666643
  2508. s2 += s13 * 470296
  2509. s3 += s13 * 654183
  2510. s4 -= s13 * 997805
  2511. s5 += s13 * 136657
  2512. s6 -= s13 * 683901
  2513. s13 = 0
  2515. s0 += s12 * 666643
  2516. s1 += s12 * 470296
  2517. s2 += s12 * 654183
  2518. s3 -= s12 * 997805
  2519. s4 += s12 * 136657
  2520. s5 -= s12 * 683901
  2521. s12 = 0
  2523. carry[0] = (s0 + (1 << 20)) >> 21
  2524. s1 += carry[0]
  2525. s0 -= carry[0] << 21
  2526. carry[2] = (s2 + (1 << 20)) >> 21
  2527. s3 += carry[2]
  2528. s2 -= carry[2] << 21
  2529. carry[4] = (s4 + (1 << 20)) >> 21
  2530. s5 += carry[4]
  2531. s4 -= carry[4] << 21
  2532. carry[6] = (s6 + (1 << 20)) >> 21
  2533. s7 += carry[6]
  2534. s6 -= carry[6] << 21
  2535. carry[8] = (s8 + (1 << 20)) >> 21
  2536. s9 += carry[8]
  2537. s8 -= carry[8] << 21
  2538. carry[10] = (s10 + (1 << 20)) >> 21
  2539. s11 += carry[10]
  2540. s10 -= carry[10] << 21
  2542. carry[1] = (s1 + (1 << 20)) >> 21
  2543. s2 += carry[1]
  2544. s1 -= carry[1] << 21
  2545. carry[3] = (s3 + (1 << 20)) >> 21
  2546. s4 += carry[3]
  2547. s3 -= carry[3] << 21
  2548. carry[5] = (s5 + (1 << 20)) >> 21
  2549. s6 += carry[5]
  2550. s5 -= carry[5] << 21
  2551. carry[7] = (s7 + (1 << 20)) >> 21
  2552. s8 += carry[7]
  2553. s7 -= carry[7] << 21
  2554. carry[9] = (s9 + (1 << 20)) >> 21
  2555. s10 += carry[9]
  2556. s9 -= carry[9] << 21
  2557. carry[11] = (s11 + (1 << 20)) >> 21
  2558. s12 += carry[11]
  2559. s11 -= carry[11] << 21
  2561. s0 += s12 * 666643
  2562. s1 += s12 * 470296
  2563. s2 += s12 * 654183
  2564. s3 -= s12 * 997805
  2565. s4 += s12 * 136657
  2566. s5 -= s12 * 683901
  2567. s12 = 0
  2569. carry[0] = s0 >> 21
  2570. s1 += carry[0]
  2571. s0 -= carry[0] << 21
  2572. carry[1] = s1 >> 21
  2573. s2 += carry[1]
  2574. s1 -= carry[1] << 21
  2575. carry[2] = s2 >> 21
  2576. s3 += carry[2]
  2577. s2 -= carry[2] << 21
  2578. carry[3] = s3 >> 21
  2579. s4 += carry[3]
  2580. s3 -= carry[3] << 21
  2581. carry[4] = s4 >> 21
  2582. s5 += carry[4]
  2583. s4 -= carry[4] << 21
  2584. carry[5] = s5 >> 21
  2585. s6 += carry[5]
  2586. s5 -= carry[5] << 21
  2587. carry[6] = s6 >> 21
  2588. s7 += carry[6]
  2589. s6 -= carry[6] << 21
  2590. carry[7] = s7 >> 21
  2591. s8 += carry[7]
  2592. s7 -= carry[7] << 21
  2593. carry[8] = s8 >> 21
  2594. s9 += carry[8]
  2595. s8 -= carry[8] << 21
  2596. carry[9] = s9 >> 21
  2597. s10 += carry[9]
  2598. s9 -= carry[9] << 21
  2599. carry[10] = s10 >> 21
  2600. s11 += carry[10]
  2601. s10 -= carry[10] << 21
  2602. carry[11] = s11 >> 21
  2603. s12 += carry[11]
  2604. s11 -= carry[11] << 21
  2606. s0 += s12 * 666643
  2607. s1 += s12 * 470296
  2608. s2 += s12 * 654183
  2609. s3 -= s12 * 997805
  2610. s4 += s12 * 136657
  2611. s5 -= s12 * 683901
  2612. s12 = 0
  2614. carry[0] = s0 >> 21
  2615. s1 += carry[0]
  2616. s0 -= carry[0] << 21
  2617. carry[1] = s1 >> 21
  2618. s2 += carry[1]
  2619. s1 -= carry[1] << 21
  2620. carry[2] = s2 >> 21
  2621. s3 += carry[2]
  2622. s2 -= carry[2] << 21
  2623. carry[3] = s3 >> 21
  2624. s4 += carry[3]
  2625. s3 -= carry[3] << 21
  2626. carry[4] = s4 >> 21
  2627. s5 += carry[4]
  2628. s4 -= carry[4] << 21
  2629. carry[5] = s5 >> 21
  2630. s6 += carry[5]
  2631. s5 -= carry[5] << 21
  2632. carry[6] = s6 >> 21
  2633. s7 += carry[6]
  2634. s6 -= carry[6] << 21
  2635. carry[7] = s7 >> 21
  2636. s8 += carry[7]
  2637. s7 -= carry[7] << 21
  2638. carry[8] = s8 >> 21
  2639. s9 += carry[8]
  2640. s8 -= carry[8] << 21
  2641. carry[9] = s9 >> 21
  2642. s10 += carry[9]
  2643. s9 -= carry[9] << 21
  2644. carry[10] = s10 >> 21
  2645. s11 += carry[10]
  2646. s10 -= carry[10] << 21
  2648. s[0] = byte(s0 >> 0)
  2649. s[1] = byte(s0 >> 8)
  2650. s[2] = byte((s0 >> 16) | (s1 << 5))
  2651. s[3] = byte(s1 >> 3)
  2652. s[4] = byte(s1 >> 11)
  2653. s[5] = byte((s1 >> 19) | (s2 << 2))
  2654. s[6] = byte(s2 >> 6)
  2655. s[7] = byte((s2 >> 14) | (s3 << 7))
  2656. s[8] = byte(s3 >> 1)
  2657. s[9] = byte(s3 >> 9)
  2658. s[10] = byte((s3 >> 17) | (s4 << 4))
  2659. s[11] = byte(s4 >> 4)
  2660. s[12] = byte(s4 >> 12)
  2661. s[13] = byte((s4 >> 20) | (s5 << 1))
  2662. s[14] = byte(s5 >> 7)
  2663. s[15] = byte((s5 >> 15) | (s6 << 6))
  2664. s[16] = byte(s6 >> 2)
  2665. s[17] = byte(s6 >> 10)
  2666. s[18] = byte((s6 >> 18) | (s7 << 3))
  2667. s[19] = byte(s7 >> 5)
  2668. s[20] = byte(s7 >> 13)
  2669. s[21] = byte(s8 >> 0)
  2670. s[22] = byte(s8 >> 8)
  2671. s[23] = byte((s8 >> 16) | (s9 << 5))
  2672. s[24] = byte(s9 >> 3)
  2673. s[25] = byte(s9 >> 11)
  2674. s[26] = byte((s9 >> 19) | (s10 << 2))
  2675. s[27] = byte(s10 >> 6)
  2676. s[28] = byte((s10 >> 14) | (s11 << 7))
  2677. s[29] = byte(s11 >> 1)
  2678. s[30] = byte(s11 >> 9)
  2679. s[31] = byte(s11 >> 17)
  2680. }
  2682. // Input:
  2683. // s[0]+256*s[1]+...+256^63*s[63] = s
  2684. //
  2685. // Output:
  2686. // s[0]+256*s[1]+...+256^31*s[31] = s mod l
  2687. // where l = 2^252 + 27742317777372353535851937790883648493.
  2688. func ScReduce(out *Key, s *[64]byte) {
  2689. s0 := 2097151 & load3(s[:])
  2690. s1 := 2097151 & (load4(s[2:]) >> 5)
  2691. s2 := 2097151 & (load3(s[5:]) >> 2)
  2692. s3 := 2097151 & (load4(s[7:]) >> 7)
  2693. s4 := 2097151 & (load4(s[10:]) >> 4)
  2694. s5 := 2097151 & (load3(s[13:]) >> 1)
  2695. s6 := 2097151 & (load4(s[15:]) >> 6)
  2696. s7 := 2097151 & (load3(s[18:]) >> 3)
  2697. s8 := 2097151 & load3(s[21:])
  2698. s9 := 2097151 & (load4(s[23:]) >> 5)
  2699. s10 := 2097151 & (load3(s[26:]) >> 2)
  2700. s11 := 2097151 & (load4(s[28:]) >> 7)
  2701. s12 := 2097151 & (load4(s[31:]) >> 4)
  2702. s13 := 2097151 & (load3(s[34:]) >> 1)
  2703. s14 := 2097151 & (load4(s[36:]) >> 6)
  2704. s15 := 2097151 & (load3(s[39:]) >> 3)
  2705. s16 := 2097151 & load3(s[42:])
  2706. s17 := 2097151 & (load4(s[44:]) >> 5)
  2707. s18 := 2097151 & (load3(s[47:]) >> 2)
  2708. s19 := 2097151 & (load4(s[49:]) >> 7)
  2709. s20 := 2097151 & (load4(s[52:]) >> 4)
  2710. s21 := 2097151 & (load3(s[55:]) >> 1)
  2711. s22 := 2097151 & (load4(s[57:]) >> 6)
  2712. s23 := (load4(s[60:]) >> 3)
  2714. s11 += s23 * 666643
  2715. s12 += s23 * 470296
  2716. s13 += s23 * 654183
  2717. s14 -= s23 * 997805
  2718. s15 += s23 * 136657
  2719. s16 -= s23 * 683901
  2720. s23 = 0
  2722. s10 += s22 * 666643
  2723. s11 += s22 * 470296
  2724. s12 += s22 * 654183
  2725. s13 -= s22 * 997805
  2726. s14 += s22 * 136657
  2727. s15 -= s22 * 683901
  2728. s22 = 0
  2730. s9 += s21 * 666643
  2731. s10 += s21 * 470296
  2732. s11 += s21 * 654183
  2733. s12 -= s21 * 997805
  2734. s13 += s21 * 136657
  2735. s14 -= s21 * 683901
  2736. s21 = 0
  2738. s8 += s20 * 666643
  2739. s9 += s20 * 470296
  2740. s10 += s20 * 654183
  2741. s11 -= s20 * 997805
  2742. s12 += s20 * 136657
  2743. s13 -= s20 * 683901
  2744. s20 = 0
  2746. s7 += s19 * 666643
  2747. s8 += s19 * 470296
  2748. s9 += s19 * 654183
  2749. s10 -= s19 * 997805
  2750. s11 += s19 * 136657
  2751. s12 -= s19 * 683901
  2752. s19 = 0
  2754. s6 += s18 * 666643
  2755. s7 += s18 * 470296
  2756. s8 += s18 * 654183
  2757. s9 -= s18 * 997805
  2758. s10 += s18 * 136657
  2759. s11 -= s18 * 683901
  2760. s18 = 0
  2762. var carry [17]int64
  2764. carry[6] = (s6 + (1 << 20)) >> 21
  2765. s7 += carry[6]
  2766. s6 -= carry[6] << 21
  2767. carry[8] = (s8 + (1 << 20)) >> 21
  2768. s9 += carry[8]
  2769. s8 -= carry[8] << 21
  2770. carry[10] = (s10 + (1 << 20)) >> 21
  2771. s11 += carry[10]
  2772. s10 -= carry[10] << 21
  2773. carry[12] = (s12 + (1 << 20)) >> 21
  2774. s13 += carry[12]
  2775. s12 -= carry[12] << 21
  2776. carry[14] = (s14 + (1 << 20)) >> 21
  2777. s15 += carry[14]
  2778. s14 -= carry[14] << 21
  2779. carry[16] = (s16 + (1 << 20)) >> 21
  2780. s17 += carry[16]
  2781. s16 -= carry[16] << 21
  2783. carry[7] = (s7 + (1 << 20)) >> 21
  2784. s8 += carry[7]
  2785. s7 -= carry[7] << 21
  2786. carry[9] = (s9 + (1 << 20)) >> 21
  2787. s10 += carry[9]
  2788. s9 -= carry[9] << 21
  2789. carry[11] = (s11 + (1 << 20)) >> 21
  2790. s12 += carry[11]
  2791. s11 -= carry[11] << 21
  2792. carry[13] = (s13 + (1 << 20)) >> 21
  2793. s14 += carry[13]
  2794. s13 -= carry[13] << 21
  2795. carry[15] = (s15 + (1 << 20)) >> 21
  2796. s16 += carry[15]
  2797. s15 -= carry[15] << 21
  2799. s5 += s17 * 666643
  2800. s6 += s17 * 470296
  2801. s7 += s17 * 654183
  2802. s8 -= s17 * 997805
  2803. s9 += s17 * 136657
  2804. s10 -= s17 * 683901
  2805. s17 = 0
  2807. s4 += s16 * 666643
  2808. s5 += s16 * 470296
  2809. s6 += s16 * 654183
  2810. s7 -= s16 * 997805
  2811. s8 += s16 * 136657
  2812. s9 -= s16 * 683901
  2813. s16 = 0
  2815. s3 += s15 * 666643
  2816. s4 += s15 * 470296
  2817. s5 += s15 * 654183
  2818. s6 -= s15 * 997805
  2819. s7 += s15 * 136657
  2820. s8 -= s15 * 683901
  2821. s15 = 0
  2823. s2 += s14 * 666643
  2824. s3 += s14 * 470296
  2825. s4 += s14 * 654183
  2826. s5 -= s14 * 997805
  2827. s6 += s14 * 136657
  2828. s7 -= s14 * 683901
  2829. s14 = 0
  2831. s1 += s13 * 666643
  2832. s2 += s13 * 470296
  2833. s3 += s13 * 654183
  2834. s4 -= s13 * 997805
  2835. s5 += s13 * 136657
  2836. s6 -= s13 * 683901
  2837. s13 = 0
  2839. s0 += s12 * 666643
  2840. s1 += s12 * 470296
  2841. s2 += s12 * 654183
  2842. s3 -= s12 * 997805
  2843. s4 += s12 * 136657
  2844. s5 -= s12 * 683901
  2845. s12 = 0
  2847. carry[0] = (s0 + (1 << 20)) >> 21
  2848. s1 += carry[0]
  2849. s0 -= carry[0] << 21
  2850. carry[2] = (s2 + (1 << 20)) >> 21
  2851. s3 += carry[2]
  2852. s2 -= carry[2] << 21
  2853. carry[4] = (s4 + (1 << 20)) >> 21
  2854. s5 += carry[4]
  2855. s4 -= carry[4] << 21
  2856. carry[6] = (s6 + (1 << 20)) >> 21
  2857. s7 += carry[6]
  2858. s6 -= carry[6] << 21
  2859. carry[8] = (s8 + (1 << 20)) >> 21
  2860. s9 += carry[8]
  2861. s8 -= carry[8] << 21
  2862. carry[10] = (s10 + (1 << 20)) >> 21
  2863. s11 += carry[10]
  2864. s10 -= carry[10] << 21
  2866. carry[1] = (s1 + (1 << 20)) >> 21
  2867. s2 += carry[1]
  2868. s1 -= carry[1] << 21
  2869. carry[3] = (s3 + (1 << 20)) >> 21
  2870. s4 += carry[3]
  2871. s3 -= carry[3] << 21
  2872. carry[5] = (s5 + (1 << 20)) >> 21
  2873. s6 += carry[5]
  2874. s5 -= carry[5] << 21
  2875. carry[7] = (s7 + (1 << 20)) >> 21
  2876. s8 += carry[7]
  2877. s7 -= carry[7] << 21
  2878. carry[9] = (s9 + (1 << 20)) >> 21
  2879. s10 += carry[9]
  2880. s9 -= carry[9] << 21
  2881. carry[11] = (s11 + (1 << 20)) >> 21
  2882. s12 += carry[11]
  2883. s11 -= carry[11] << 21
  2885. s0 += s12 * 666643
  2886. s1 += s12 * 470296
  2887. s2 += s12 * 654183
  2888. s3 -= s12 * 997805
  2889. s4 += s12 * 136657
  2890. s5 -= s12 * 683901
  2891. s12 = 0
  2893. carry[0] = s0 >> 21
  2894. s1 += carry[0]
  2895. s0 -= carry[0] << 21
  2896. carry[1] = s1 >> 21
  2897. s2 += carry[1]
  2898. s1 -= carry[1] << 21
  2899. carry[2] = s2 >> 21
  2900. s3 += carry[2]
  2901. s2 -= carry[2] << 21
  2902. carry[3] = s3 >> 21
  2903. s4 += carry[3]
  2904. s3 -= carry[3] << 21
  2905. carry[4] = s4 >> 21
  2906. s5 += carry[4]
  2907. s4 -= carry[4] << 21
  2908. carry[5] = s5 >> 21
  2909. s6 += carry[5]
  2910. s5 -= carry[5] << 21
  2911. carry[6] = s6 >> 21
  2912. s7 += carry[6]
  2913. s6 -= carry[6] << 21
  2914. carry[7] = s7 >> 21
  2915. s8 += carry[7]
  2916. s7 -= carry[7] << 21
  2917. carry[8] = s8 >> 21
  2918. s9 += carry[8]
  2919. s8 -= carry[8] << 21
  2920. carry[9] = s9 >> 21
  2921. s10 += carry[9]
  2922. s9 -= carry[9] << 21
  2923. carry[10] = s10 >> 21
  2924. s11 += carry[10]
  2925. s10 -= carry[10] << 21
  2926. carry[11] = s11 >> 21
  2927. s12 += carry[11]
  2928. s11 -= carry[11] << 21
  2930. s0 += s12 * 666643
  2931. s1 += s12 * 470296
  2932. s2 += s12 * 654183
  2933. s3 -= s12 * 997805
  2934. s4 += s12 * 136657
  2935. s5 -= s12 * 683901
  2936. s12 = 0
  2938. carry[0] = s0 >> 21
  2939. s1 += carry[0]
  2940. s0 -= carry[0] << 21
  2941. carry[1] = s1 >> 21
  2942. s2 += carry[1]
  2943. s1 -= carry[1] << 21
  2944. carry[2] = s2 >> 21
  2945. s3 += carry[2]
  2946. s2 -= carry[2] << 21
  2947. carry[3] = s3 >> 21
  2948. s4 += carry[3]
  2949. s3 -= carry[3] << 21
  2950. carry[4] = s4 >> 21
  2951. s5 += carry[4]
  2952. s4 -= carry[4] << 21
  2953. carry[5] = s5 >> 21
  2954. s6 += carry[5]
  2955. s5 -= carry[5] << 21
  2956. carry[6] = s6 >> 21
  2957. s7 += carry[6]
  2958. s6 -= carry[6] << 21
  2959. carry[7] = s7 >> 21
  2960. s8 += carry[7]
  2961. s7 -= carry[7] << 21
  2962. carry[8] = s8 >> 21
  2963. s9 += carry[8]
  2964. s8 -= carry[8] << 21
  2965. carry[9] = s9 >> 21
  2966. s10 += carry[9]
  2967. s9 -= carry[9] << 21
  2968. carry[10] = s10 >> 21
  2969. s11 += carry[10]
  2970. s10 -= carry[10] << 21
  2972. out[0] = byte(s0 >> 0)
  2973. out[1] = byte(s0 >> 8)
  2974. out[2] = byte((s0 >> 16) | (s1 << 5))
  2975. out[3] = byte(s1 >> 3)
  2976. out[4] = byte(s1 >> 11)
  2977. out[5] = byte((s1 >> 19) | (s2 << 2))
  2978. out[6] = byte(s2 >> 6)
  2979. out[7] = byte((s2 >> 14) | (s3 << 7))
  2980. out[8] = byte(s3 >> 1)
  2981. out[9] = byte(s3 >> 9)
  2982. out[10] = byte((s3 >> 17) | (s4 << 4))
  2983. out[11] = byte(s4 >> 4)
  2984. out[12] = byte(s4 >> 12)
  2985. out[13] = byte((s4 >> 20) | (s5 << 1))
  2986. out[14] = byte(s5 >> 7)
  2987. out[15] = byte((s5 >> 15) | (s6 << 6))
  2988. out[16] = byte(s6 >> 2)
  2989. out[17] = byte(s6 >> 10)
  2990. out[18] = byte((s6 >> 18) | (s7 << 3))
  2991. out[19] = byte(s7 >> 5)
  2992. out[20] = byte(s7 >> 13)
  2993. out[21] = byte(s8 >> 0)
  2994. out[22] = byte(s8 >> 8)
  2995. out[23] = byte((s8 >> 16) | (s9 << 5))
  2996. out[24] = byte(s9 >> 3)
  2997. out[25] = byte(s9 >> 11)
  2998. out[26] = byte((s9 >> 19) | (s10 << 2))
  2999. out[27] = byte(s10 >> 6)
  3000. out[28] = byte((s10 >> 14) | (s11 << 7))
  3001. out[29] = byte(s11 >> 1)
  3002. out[30] = byte(s11 >> 9)
  3003. out[31] = byte(s11 >> 17)
  3004. }
  3006. func ScReduce32(s *Key) {
  3007. s0 := 2097151 & load3(s[:])
  3008. s1 := 2097151 & (load4(s[2:]) >> 5)
  3009. s2 := 2097151 & (load3(s[5:]) >> 2)
  3010. s3 := 2097151 & (load4(s[7:]) >> 7)
  3011. s4 := 2097151 & (load4(s[10:]) >> 4)
  3012. s5 := 2097151 & (load3(s[13:]) >> 1)
  3013. s6 := 2097151 & (load4(s[15:]) >> 6)
  3014. s7 := 2097151 & (load3(s[18:]) >> 3)
  3015. s8 := 2097151 & load3(s[21:])
  3016. s9 := 2097151 & (load4(s[23:]) >> 5)
  3017. s10 := 2097151 & (load3(s[26:]) >> 2)
  3018. s11 := (load4(s[28:]) >> 7)
  3019. s12 := int64(0)
  3020. var carry [12]int64
  3021. carry[0] = (s0 + (1 << 20)) >> 21
  3022. s1 += carry[0]
  3023. s0 -= carry[0] << 21
  3024. carry[2] = (s2 + (1 << 20)) >> 21
  3025. s3 += carry[2]
  3026. s2 -= carry[2] << 21
  3027. carry[4] = (s4 + (1 << 20)) >> 21
  3028. s5 += carry[4]
  3029. s4 -= carry[4] << 21
  3030. carry[6] = (s6 + (1 << 20)) >> 21
  3031. s7 += carry[6]
  3032. s6 -= carry[6] << 21
  3033. carry[8] = (s8 + (1 << 20)) >> 21
  3034. s9 += carry[8]
  3035. s8 -= carry[8] << 21
  3036. carry[10] = (s10 + (1 << 20)) >> 21
  3037. s11 += carry[10]
  3038. s10 -= carry[10] << 21
  3039. carry[1] = (s1 + (1 << 20)) >> 21
  3040. s2 += carry[1]
  3041. s1 -= carry[1] << 21
  3042. carry[3] = (s3 + (1 << 20)) >> 21
  3043. s4 += carry[3]
  3044. s3 -= carry[3] << 21
  3045. carry[5] = (s5 + (1 << 20)) >> 21
  3046. s6 += carry[5]
  3047. s5 -= carry[5] << 21
  3048. carry[7] = (s7 + (1 << 20)) >> 21
  3049. s8 += carry[7]
  3050. s7 -= carry[7] << 21
  3051. carry[9] = (s9 + (1 << 20)) >> 21
  3052. s10 += carry[9]
  3053. s9 -= carry[9] << 21
  3054. carry[11] = (s11 + (1 << 20)) >> 21
  3055. s12 += carry[11]
  3056. s11 -= carry[11] << 21
  3058. s0 += s12 * 666643
  3059. s1 += s12 * 470296
  3060. s2 += s12 * 654183
  3061. s3 -= s12 * 997805
  3062. s4 += s12 * 136657
  3063. s5 -= s12 * 683901
  3064. s12 = 0
  3066. carry[0] = s0 >> 21
  3067. s1 += carry[0]
  3068. s0 -= carry[0] << 21
  3069. carry[1] = s1 >> 21
  3070. s2 += carry[1]
  3071. s1 -= carry[1] << 21
  3072. carry[2] = s2 >> 21
  3073. s3 += carry[2]
  3074. s2 -= carry[2] << 21
  3075. carry[3] = s3 >> 21
  3076. s4 += carry[3]
  3077. s3 -= carry[3] << 21
  3078. carry[4] = s4 >> 21
  3079. s5 += carry[4]
  3080. s4 -= carry[4] << 21
  3081. carry[5] = s5 >> 21
  3082. s6 += carry[5]
  3083. s5 -= carry[5] << 21
  3084. carry[6] = s6 >> 21
  3085. s7 += carry[6]
  3086. s6 -= carry[6] << 21
  3087. carry[7] = s7 >> 21
  3088. s8 += carry[7]
  3089. s7 -= carry[7] << 21
  3090. carry[8] = s8 >> 21
  3091. s9 += carry[8]
  3092. s8 -= carry[8] << 21
  3093. carry[9] = s9 >> 21
  3094. s10 += carry[9]
  3095. s9 -= carry[9] << 21
  3096. carry[10] = s10 >> 21
  3097. s11 += carry[10]
  3098. s10 -= carry[10] << 21
  3099. carry[11] = s11 >> 21
  3100. s12 += carry[11]
  3101. s11 -= carry[11] << 21
  3103. s0 += s12 * 666643
  3104. s1 += s12 * 470296
  3105. s2 += s12 * 654183
  3106. s3 -= s12 * 997805
  3107. s4 += s12 * 136657
  3108. s5 -= s12 * 683901
  3110. carry[0] = s0 >> 21
  3111. s1 += carry[0]
  3112. s0 -= carry[0] << 21
  3113. carry[1] = s1 >> 21
  3114. s2 += carry[1]
  3115. s1 -= carry[1] << 21
  3116. carry[2] = s2 >> 21
  3117. s3 += carry[2]
  3118. s2 -= carry[2] << 21
  3119. carry[3] = s3 >> 21
  3120. s4 += carry[3]
  3121. s3 -= carry[3] << 21
  3122. carry[4] = s4 >> 21
  3123. s5 += carry[4]
  3124. s4 -= carry[4] << 21
  3125. carry[5] = s5 >> 21
  3126. s6 += carry[5]
  3127. s5 -= carry[5] << 21
  3128. carry[6] = s6 >> 21
  3129. s7 += carry[6]
  3130. s6 -= carry[6] << 21
  3131. carry[7] = s7 >> 21
  3132. s8 += carry[7]
  3133. s7 -= carry[7] << 21
  3134. carry[8] = s8 >> 21
  3135. s9 += carry[8]
  3136. s8 -= carry[8] << 21
  3137. carry[9] = s9 >> 21
  3138. s10 += carry[9]
  3139. s9 -= carry[9] << 21
  3140. carry[10] = s10 >> 21
  3141. s11 += carry[10]
  3142. s10 -= carry[10] << 21
  3144. s[0] = byte(s0 >> 0)
  3145. s[1] = byte(s0 >> 8)
  3146. s[2] = byte((s0 >> 16) | (s1 << 5))
  3147. s[3] = byte(s1 >> 3)
  3148. s[4] = byte(s1 >> 11)
  3149. s[5] = byte((s1 >> 19) | (s2 << 2))
  3150. s[6] = byte(s2 >> 6)
  3151. s[7] = byte((s2 >> 14) | (s3 << 7))
  3152. s[8] = byte(s3 >> 1)
  3153. s[9] = byte(s3 >> 9)
  3154. s[10] = byte((s3 >> 17) | (s4 << 4))
  3155. s[11] = byte(s4 >> 4)
  3156. s[12] = byte(s4 >> 12)
  3157. s[13] = byte((s4 >> 20) | (s5 << 1))
  3158. s[14] = byte(s5 >> 7)
  3159. s[15] = byte((s5 >> 15) | (s6 << 6))
  3160. s[16] = byte(s6 >> 2)
  3161. s[17] = byte(s6 >> 10)
  3162. s[18] = byte((s6 >> 18) | (s7 << 3))
  3163. s[19] = byte(s7 >> 5)
  3164. s[20] = byte(s7 >> 13)
  3165. s[21] = byte(s8 >> 0)
  3166. s[22] = byte(s8 >> 8)
  3167. s[23] = byte((s8 >> 16) | (s9 << 5))
  3168. s[24] = byte(s9 >> 3)
  3169. s[25] = byte(s9 >> 11)
  3170. s[26] = byte((s9 >> 19) | (s10 << 2))
  3171. s[27] = byte(s10 >> 6)
  3172. s[28] = byte((s10 >> 14) | (s11 << 7))
  3173. s[29] = byte(s11 >> 1)
  3174. s[30] = byte(s11 >> 9)
  3175. s[31] = byte(s11 >> 17)
  3176. }