arnaucube
/
derosuite
mirror of https://github.com/arnaucube/derosuite.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10 Commits
1 Branch
0 Tags
68 MiB
Tree: 9687ad9cb4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9687ad9cb4'
${ noResults }
derosuite/crypto/ringct/edwards25519.go

3068 lines
73 KiB
Raw Normal View History

Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
  1. // Copyright 2017-2018 DERO Project. All rights reserved.
  2. // Use of this source code in any form is governed by RESEARCH license.
  3. // license can be found in the LICENSE file.
  4. // GPG: 0F39 E425 8C65 3947 702A 8234 08B2 0360 A03A 9DE8
  5. //
  6. //
  7. // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
  8. // EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
  9. // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
  10. // THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  11. // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  12. // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  13. // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  14. // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
  15. // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  17. // Copyright 2013 The Go Authors. All rights reserved.
  18. // Use of this source code is governed by a BSD-style
  19. // license that can be found in the LICENSE-BSD file.
  21. // Most of this is from the golang x/crypto package
  23. // Package edwards25519 implements operations in GF(2**255-19) and on an
  24. // Edwards curve that is isomorphic to curve25519. See
  25. // http://ed25519.cr.yp.to/.
  27. // move this file out of this package and use x/crypto
  28. package ringct
  30. // This code is a port of the public domain, "ref10" implementation of ed25519
  31. // from SUPERCOP.
  33. // FieldElement represents an element of the field GF(2^255 - 19). An element
  34. // t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
  35. // t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
  36. // context.
  37. type FieldElement [10]int32
  39. var FeMa = FieldElement{-486662, 0, 0, 0, 0, 0, 0, 0, 0, 0} /* -A */
  40. var FeMa2 = FieldElement{-12721188, -3529, 0, 0, 0, 0, 0, 0, 0, 0} /* -A^2 */
  41. var FeFffb1 = FieldElement{-31702527, -2466483, -26106795, -12203692, -12169197, -321052, 14850977, -10296299, -16929438, -407568} /* sqrt(-2 * A * (A + 2)) */
  42. var FeFffb2 = FieldElement{8166131, -6741800, -17040804, 3154616, 21461005, 1466302, -30876704, -6368709, 10503587, -13363080} /* sqrt(2 * A * (A + 2)) */
  43. var FeFffb3 = FieldElement{-13620103, 14639558, 4532995, 7679154, 16815101, -15883539, -22863840, -14813421, 13716513, -6477756} /* sqrt(-sqrt(-1) * A * (A + 2)) */
  44. var FeFffb4 = FieldElement{-21786234, -12173074, 21573800, 4524538, -4645904, 16204591, 8012863, -8444712, 3212926, 6885324} /* sqrt(sqrt(-1) * A * (A + 2)) */
  45. var FeSqrtM1 = FieldElement{-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482} /* sqrt(-1) */
  47. var zero FieldElement
  48. var one FieldElement
  50. func init() {
  51. one[0] = 1
  52. }
  54. func (f *FieldElement) Zero() {
  55. copy(f[:], zero[:])
  56. }
  58. func (f *FieldElement) One() {
  59. copy(f[:], one[:])
  60. }
  62. func FeAdd(dst, a, b *FieldElement) {
  63. dst[0] = a[0] + b[0]
  64. dst[1] = a[1] + b[1]
  65. dst[2] = a[2] + b[2]
  66. dst[3] = a[3] + b[3]
  67. dst[4] = a[4] + b[4]
  68. dst[5] = a[5] + b[5]
  69. dst[6] = a[6] + b[6]
  70. dst[7] = a[7] + b[7]
  71. dst[8] = a[8] + b[8]
  72. dst[9] = a[9] + b[9]
  73. }
  75. func FeSub(dst, a, b *FieldElement) {
  76. dst[0] = a[0] - b[0]
  77. dst[1] = a[1] - b[1]
  78. dst[2] = a[2] - b[2]
  79. dst[3] = a[3] - b[3]
  80. dst[4] = a[4] - b[4]
  81. dst[5] = a[5] - b[5]
  82. dst[6] = a[6] - b[6]
  83. dst[7] = a[7] - b[7]
  84. dst[8] = a[8] - b[8]
  85. dst[9] = a[9] - b[9]
  86. }
  88. func FeCopy(dst, src *FieldElement) {
  89. copy(dst[:], src[:])
  90. }
  92. // Replace (f,g) with (g,g) if b == 1;
  93. // replace (f,g) with (f,g) if b == 0.
  94. //
  95. // Preconditions: b in {0,1}.
  96. func FeCMove(f, g *FieldElement, b int32) {
  97. b = -b
  98. f[0] ^= b & (f[0] ^ g[0])
  99. f[1] ^= b & (f[1] ^ g[1])
  100. f[2] ^= b & (f[2] ^ g[2])
  101. f[3] ^= b & (f[3] ^ g[3])
  102. f[4] ^= b & (f[4] ^ g[4])
  103. f[5] ^= b & (f[5] ^ g[5])
  104. f[6] ^= b & (f[6] ^ g[6])
  105. f[7] ^= b & (f[7] ^ g[7])
  106. f[8] ^= b & (f[8] ^ g[8])
  107. f[9] ^= b & (f[9] ^ g[9])
  108. }
  110. func load3(in []byte) (result int64) {
  111. result = int64(in[0]) | (int64(in[1]) << 8) | (int64(in[2]) << 16)
  112. return
  113. }
  115. func load4(in []byte) (result int64) {
  116. result = int64(in[0]) | (int64(in[1]) << 8) | (int64(in[2]) << 16) | (int64(in[3]) << 24)
  117. return
  118. }
  120. func FeFromBytes(dst *FieldElement, src *Key) {
  121. h0 := load4(src[:])
  122. h1 := load3(src[4:]) << 6
  123. h2 := load3(src[7:]) << 5
  124. h3 := load3(src[10:]) << 3
  125. h4 := load3(src[13:]) << 2
  126. h5 := load4(src[16:])
  127. h6 := load3(src[20:]) << 7
  128. h7 := load3(src[23:]) << 5
  129. h8 := load3(src[26:]) << 4
  130. h9 := (load3(src[29:]) & 8388607) << 2
  132. FeCombine(dst, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  133. }
  135. // FeToBytes marshals h to s.
  136. // Preconditions:
  137. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  138. //
  139. // Write p=2^255-19; q=floor(h/p).
  140. // Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
  141. //
  142. // Proof:
  143. // Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
  144. // Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
  145. //
  146. // Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
  147. // Then 0<y<1.
  148. //
  149. // Write r=h-pq.
  150. // Have 0<=r<=p-1=2^255-20.
  151. // Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
  152. //
  153. // Write x=r+19(2^-255)r+y.
  154. // Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
  155. //
  156. // Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
  157. // so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
  158. func FeToBytes(s *Key, h *FieldElement) {
  159. var carry [10]int32
  161. q := (19*h[9] + (1 << 24)) >> 25
  162. q = (h[0] + q) >> 26
  163. q = (h[1] + q) >> 25
  164. q = (h[2] + q) >> 26
  165. q = (h[3] + q) >> 25
  166. q = (h[4] + q) >> 26
  167. q = (h[5] + q) >> 25
  168. q = (h[6] + q) >> 26
  169. q = (h[7] + q) >> 25
  170. q = (h[8] + q) >> 26
  171. q = (h[9] + q) >> 25
  173. // Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
  174. h[0] += 19 * q
  175. // Goal: Output h-2^255 q, which is between 0 and 2^255-20.
  177. carry[0] = h[0] >> 26
  178. h[1] += carry[0]
  179. h[0] -= carry[0] << 26
  180. carry[1] = h[1] >> 25
  181. h[2] += carry[1]
  182. h[1] -= carry[1] << 25
  183. carry[2] = h[2] >> 26
  184. h[3] += carry[2]
  185. h[2] -= carry[2] << 26
  186. carry[3] = h[3] >> 25
  187. h[4] += carry[3]
  188. h[3] -= carry[3] << 25
  189. carry[4] = h[4] >> 26
  190. h[5] += carry[4]
  191. h[4] -= carry[4] << 26
  192. carry[5] = h[5] >> 25
  193. h[6] += carry[5]
  194. h[5] -= carry[5] << 25
  195. carry[6] = h[6] >> 26
  196. h[7] += carry[6]
  197. h[6] -= carry[6] << 26
  198. carry[7] = h[7] >> 25
  199. h[8] += carry[7]
  200. h[7] -= carry[7] << 25
  201. carry[8] = h[8] >> 26
  202. h[9] += carry[8]
  203. h[8] -= carry[8] << 26
  204. carry[9] = h[9] >> 25
  205. h[9] -= carry[9] << 25
  206. // h10 = carry9
  208. // Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
  209. // Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
  210. // evidently 2^255 h10-2^255 q = 0.
  211. // Goal: Output h[0]+...+2^230 h[9].
  213. s[0] = byte(h[0] >> 0)
  214. s[1] = byte(h[0] >> 8)
  215. s[2] = byte(h[0] >> 16)
  216. s[3] = byte((h[0] >> 24) | (h[1] << 2))
  217. s[4] = byte(h[1] >> 6)
  218. s[5] = byte(h[1] >> 14)
  219. s[6] = byte((h[1] >> 22) | (h[2] << 3))
  220. s[7] = byte(h[2] >> 5)
  221. s[8] = byte(h[2] >> 13)
  222. s[9] = byte((h[2] >> 21) | (h[3] << 5))
  223. s[10] = byte(h[3] >> 3)
  224. s[11] = byte(h[3] >> 11)
  225. s[12] = byte((h[3] >> 19) | (h[4] << 6))
  226. s[13] = byte(h[4] >> 2)
  227. s[14] = byte(h[4] >> 10)
  228. s[15] = byte(h[4] >> 18)
  229. s[16] = byte(h[5] >> 0)
  230. s[17] = byte(h[5] >> 8)
  231. s[18] = byte(h[5] >> 16)
  232. s[19] = byte((h[5] >> 24) | (h[6] << 1))
  233. s[20] = byte(h[6] >> 7)
  234. s[21] = byte(h[6] >> 15)
  235. s[22] = byte((h[6] >> 23) | (h[7] << 3))
  236. s[23] = byte(h[7] >> 5)
  237. s[24] = byte(h[7] >> 13)
  238. s[25] = byte((h[7] >> 21) | (h[8] << 4))
  239. s[26] = byte(h[8] >> 4)
  240. s[27] = byte(h[8] >> 12)
  241. s[28] = byte((h[8] >> 20) | (h[9] << 6))
  242. s[29] = byte(h[9] >> 2)
  243. s[30] = byte(h[9] >> 10)
  244. s[31] = byte(h[9] >> 18)
  245. }
  247. func (f *FieldElement) IsNegative() byte {
  248. var s Key
  249. FeToBytes(&s, f)
  250. return s[0] & 1
  251. }
  253. func (f *FieldElement) IsNonZero() int32 {
  254. var s Key
  255. FeToBytes(&s, f)
  256. var x uint8
  257. for _, b := range s {
  258. x |= b
  259. }
  260. x |= x >> 4
  261. x |= x >> 2
  262. x |= x >> 1
  263. return int32(x & 1)
  264. }
  266. // FeNeg sets h = -f
  267. //
  268. // Preconditions:
  269. // |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  270. //
  271. // Postconditions:
  272. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  273. func FeNeg(h, f *FieldElement) {
  274. h[0] = -f[0]
  275. h[1] = -f[1]
  276. h[2] = -f[2]
  277. h[3] = -f[3]
  278. h[4] = -f[4]
  279. h[5] = -f[5]
  280. h[6] = -f[6]
  281. h[7] = -f[7]
  282. h[8] = -f[8]
  283. h[9] = -f[9]
  284. }
  286. func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) {
  287. var c0, c1, c2, c3, c4, c5, c6, c7, c8, c9 int64
  289. /*
  290. |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
  291. i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
  292. |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
  293. i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
  294. */
  296. c0 = (h0 + (1 << 25)) >> 26
  297. h1 += c0
  298. h0 -= c0 << 26
  299. c4 = (h4 + (1 << 25)) >> 26
  300. h5 += c4
  301. h4 -= c4 << 26
  302. /* |h0| <= 2^25 */
  303. /* |h4| <= 2^25 */
  304. /* |h1| <= 1.51*2^58 */
  305. /* |h5| <= 1.51*2^58 */
  307. c1 = (h1 + (1 << 24)) >> 25
  308. h2 += c1
  309. h1 -= c1 << 25
  310. c5 = (h5 + (1 << 24)) >> 25
  311. h6 += c5
  312. h5 -= c5 << 25
  313. /* |h1| <= 2^24; from now on fits into int32 */
  314. /* |h5| <= 2^24; from now on fits into int32 */
  315. /* |h2| <= 1.21*2^59 */
  316. /* |h6| <= 1.21*2^59 */
  318. c2 = (h2 + (1 << 25)) >> 26
  319. h3 += c2
  320. h2 -= c2 << 26
  321. c6 = (h6 + (1 << 25)) >> 26
  322. h7 += c6
  323. h6 -= c6 << 26
  324. /* |h2| <= 2^25; from now on fits into int32 unchanged */
  325. /* |h6| <= 2^25; from now on fits into int32 unchanged */
  326. /* |h3| <= 1.51*2^58 */
  327. /* |h7| <= 1.51*2^58 */
  329. c3 = (h3 + (1 << 24)) >> 25
  330. h4 += c3
  331. h3 -= c3 << 25
  332. c7 = (h7 + (1 << 24)) >> 25
  333. h8 += c7
  334. h7 -= c7 << 25
  335. /* |h3| <= 2^24; from now on fits into int32 unchanged */
  336. /* |h7| <= 2^24; from now on fits into int32 unchanged */
  337. /* |h4| <= 1.52*2^33 */
  338. /* |h8| <= 1.52*2^33 */
  340. c4 = (h4 + (1 << 25)) >> 26
  341. h5 += c4
  342. h4 -= c4 << 26
  343. c8 = (h8 + (1 << 25)) >> 26
  344. h9 += c8
  345. h8 -= c8 << 26
  346. /* |h4| <= 2^25; from now on fits into int32 unchanged */
  347. /* |h8| <= 2^25; from now on fits into int32 unchanged */
  348. /* |h5| <= 1.01*2^24 */
  349. /* |h9| <= 1.51*2^58 */
  351. c9 = (h9 + (1 << 24)) >> 25
  352. h0 += c9 * 19
  353. h9 -= c9 << 25
  354. /* |h9| <= 2^24; from now on fits into int32 unchanged */
  355. /* |h0| <= 1.8*2^37 */
  357. c0 = (h0 + (1 << 25)) >> 26
  358. h1 += c0
  359. h0 -= c0 << 26
  360. /* |h0| <= 2^25; from now on fits into int32 unchanged */
  361. /* |h1| <= 1.01*2^24 */
  363. h[0] = int32(h0)
  364. h[1] = int32(h1)
  365. h[2] = int32(h2)
  366. h[3] = int32(h3)
  367. h[4] = int32(h4)
  368. h[5] = int32(h5)
  369. h[6] = int32(h6)
  370. h[7] = int32(h7)
  371. h[8] = int32(h8)
  372. h[9] = int32(h9)
  373. }
  375. // FeMul calculates h = f * g
  376. // Can overlap h with f or g.
  377. //
  378. // Preconditions:
  379. // |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  380. // |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  381. //
  382. // Postconditions:
  383. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  384. //
  385. // Notes on implementation strategy:
  386. //
  387. // Using schoolbook multiplication.
  388. // Karatsuba would save a little in some cost models.
  389. //
  390. // Most multiplications by 2 and 19 are 32-bit precomputations;
  391. // cheaper than 64-bit postcomputations.
  392. //
  393. // There is one remaining multiplication by 19 in the carry chain;
  394. // one *19 precomputation can be merged into this,
  395. // but the resulting data flow is considerably less clean.
  396. //
  397. // There are 12 carries below.
  398. // 10 of them are 2-way parallelizable and vectorizable.
  399. // Can get away with 11 carries, but then data flow is much deeper.
  400. //
  401. // With tighter constraints on inputs can squeeze carries into int32.
  402. func FeMul(h, f, g *FieldElement) {
  403. f0 := int64(f[0])
  404. f1 := int64(f[1])
  405. f2 := int64(f[2])
  406. f3 := int64(f[3])
  407. f4 := int64(f[4])
  408. f5 := int64(f[5])
  409. f6 := int64(f[6])
  410. f7 := int64(f[7])
  411. f8 := int64(f[8])
  412. f9 := int64(f[9])
  414. f1_2 := int64(2 * f[1])
  415. f3_2 := int64(2 * f[3])
  416. f5_2 := int64(2 * f[5])
  417. f7_2 := int64(2 * f[7])
  418. f9_2 := int64(2 * f[9])
  420. g0 := int64(g[0])
  421. g1 := int64(g[1])
  422. g2 := int64(g[2])
  423. g3 := int64(g[3])
  424. g4 := int64(g[4])
  425. g5 := int64(g[5])
  426. g6 := int64(g[6])
  427. g7 := int64(g[7])
  428. g8 := int64(g[8])
  429. g9 := int64(g[9])
  431. g1_19 := int64(19 * g[1]) /* 1.4*2^29 */
  432. g2_19 := int64(19 * g[2]) /* 1.4*2^30; still ok */
  433. g3_19 := int64(19 * g[3])
  434. g4_19 := int64(19 * g[4])
  435. g5_19 := int64(19 * g[5])
  436. g6_19 := int64(19 * g[6])
  437. g7_19 := int64(19 * g[7])
  438. g8_19 := int64(19 * g[8])
  439. g9_19 := int64(19 * g[9])
  441. h0 := f0*g0 + f1_2*g9_19 + f2*g8_19 + f3_2*g7_19 + f4*g6_19 + f5_2*g5_19 + f6*g4_19 + f7_2*g3_19 + f8*g2_19 + f9_2*g1_19
  442. h1 := f0*g1 + f1*g0 + f2*g9_19 + f3*g8_19 + f4*g7_19 + f5*g6_19 + f6*g5_19 + f7*g4_19 + f8*g3_19 + f9*g2_19
  443. h2 := f0*g2 + f1_2*g1 + f2*g0 + f3_2*g9_19 + f4*g8_19 + f5_2*g7_19 + f6*g6_19 + f7_2*g5_19 + f8*g4_19 + f9_2*g3_19
  444. h3 := f0*g3 + f1*g2 + f2*g1 + f3*g0 + f4*g9_19 + f5*g8_19 + f6*g7_19 + f7*g6_19 + f8*g5_19 + f9*g4_19
  445. h4 := f0*g4 + f1_2*g3 + f2*g2 + f3_2*g1 + f4*g0 + f5_2*g9_19 + f6*g8_19 + f7_2*g7_19 + f8*g6_19 + f9_2*g5_19
  446. h5 := f0*g5 + f1*g4 + f2*g3 + f3*g2 + f4*g1 + f5*g0 + f6*g9_19 + f7*g8_19 + f8*g7_19 + f9*g6_19
  447. h6 := f0*g6 + f1_2*g5 + f2*g4 + f3_2*g3 + f4*g2 + f5_2*g1 + f6*g0 + f7_2*g9_19 + f8*g8_19 + f9_2*g7_19
  448. h7 := f0*g7 + f1*g6 + f2*g5 + f3*g4 + f4*g3 + f5*g2 + f6*g1 + f7*g0 + f8*g9_19 + f9*g8_19
  449. h8 := f0*g8 + f1_2*g7 + f2*g6 + f3_2*g5 + f4*g4 + f5_2*g3 + f6*g2 + f7_2*g1 + f8*g0 + f9_2*g9_19
  450. h9 := f0*g9 + f1*g8 + f2*g7 + f3*g6 + f4*g5 + f5*g4 + f6*g3 + f7*g2 + f8*g1 + f9*g0
  452. FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  453. }
  455. func feSquare(f *FieldElement) (h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) {
  456. f0 := int64(f[0])
  457. f1 := int64(f[1])
  458. f2 := int64(f[2])
  459. f3 := int64(f[3])
  460. f4 := int64(f[4])
  461. f5 := int64(f[5])
  462. f6 := int64(f[6])
  463. f7 := int64(f[7])
  464. f8 := int64(f[8])
  465. f9 := int64(f[9])
  466. f0_2 := int64(2 * f[0])
  467. f1_2 := int64(2 * f[1])
  468. f2_2 := int64(2 * f[2])
  469. f3_2 := int64(2 * f[3])
  470. f4_2 := int64(2 * f[4])
  471. f5_2 := int64(2 * f[5])
  472. f6_2 := int64(2 * f[6])
  473. f7_2 := int64(2 * f[7])
  474. f5_38 := 38 * f5 // 1.31*2^30
  475. f6_19 := 19 * f6 // 1.31*2^30
  476. f7_38 := 38 * f7 // 1.31*2^30
  477. f8_19 := 19 * f8 // 1.31*2^30
  478. f9_38 := 38 * f9 // 1.31*2^30
  480. h0 = f0*f0 + f1_2*f9_38 + f2_2*f8_19 + f3_2*f7_38 + f4_2*f6_19 + f5*f5_38
  481. h1 = f0_2*f1 + f2*f9_38 + f3_2*f8_19 + f4*f7_38 + f5_2*f6_19
  482. h2 = f0_2*f2 + f1_2*f1 + f3_2*f9_38 + f4_2*f8_19 + f5_2*f7_38 + f6*f6_19
  483. h3 = f0_2*f3 + f1_2*f2 + f4*f9_38 + f5_2*f8_19 + f6*f7_38
  484. h4 = f0_2*f4 + f1_2*f3_2 + f2*f2 + f5_2*f9_38 + f6_2*f8_19 + f7*f7_38
  485. h5 = f0_2*f5 + f1_2*f4 + f2_2*f3 + f6*f9_38 + f7_2*f8_19
  486. h6 = f0_2*f6 + f1_2*f5_2 + f2_2*f4 + f3_2*f3 + f7_2*f9_38 + f8*f8_19
  487. h7 = f0_2*f7 + f1_2*f6 + f2_2*f5 + f3_2*f4 + f8*f9_38
  488. h8 = f0_2*f8 + f1_2*f7_2 + f2_2*f6 + f3_2*f5_2 + f4*f4 + f9*f9_38
  489. h9 = f0_2*f9 + f1_2*f8 + f2_2*f7 + f3_2*f6 + f4_2*f5
  491. return
  492. }
  494. // FeSquare calculates h = f*f. Can overlap h with f.
  495. //
  496. // Preconditions:
  497. // |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  498. //
  499. // Postconditions:
  500. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  501. func FeSquare(h, f *FieldElement) {
  502. h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f)
  503. FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  504. }
  506. // FeSquare2 sets h = 2 * f * f
  507. //
  508. // Can overlap h with f.
  509. //
  510. // Preconditions:
  511. // |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
  512. //
  513. // Postconditions:
  514. // |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
  515. // See fe_mul.c for discussion of implementation strategy.
  516. func FeSquare2(h, f *FieldElement) {
  517. h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f)
  519. h0 += h0
  520. h1 += h1
  521. h2 += h2
  522. h3 += h3
  523. h4 += h4
  524. h5 += h5
  525. h6 += h6
  526. h7 += h7
  527. h8 += h8
  528. h9 += h9
  530. FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  531. }
  533. func FeInvert(out, z *FieldElement) {
  534. var t0, t1, t2, t3 FieldElement
  535. var i int
  537. FeSquare(&t0, z) // 2^1
  538. FeSquare(&t1, &t0) // 2^2
  539. for i = 1; i < 2; i++ { // 2^3
  540. FeSquare(&t1, &t1)
  541. }
  542. FeMul(&t1, z, &t1) // 2^3 + 2^0
  543. FeMul(&t0, &t0, &t1) // 2^3 + 2^1 + 2^0
  544. FeSquare(&t2, &t0) // 2^4 + 2^2 + 2^1
  545. FeMul(&t1, &t1, &t2) // 2^4 + 2^3 + 2^2 + 2^1 + 2^0
  546. FeSquare(&t2, &t1) // 5,4,3,2,1
  547. for i = 1; i < 5; i++ { // 9,8,7,6,5
  548. FeSquare(&t2, &t2)
  549. }
  550. FeMul(&t1, &t2, &t1) // 9,8,7,6,5,4,3,2,1,0
  551. FeSquare(&t2, &t1) // 10..1
  552. for i = 1; i < 10; i++ { // 19..10
  553. FeSquare(&t2, &t2)
  554. }
  555. FeMul(&t2, &t2, &t1) // 19..0
  556. FeSquare(&t3, &t2) // 20..1
  557. for i = 1; i < 20; i++ { // 39..20
  558. FeSquare(&t3, &t3)
  559. }
  560. FeMul(&t2, &t3, &t2) // 39..0
  561. FeSquare(&t2, &t2) // 40..1
  562. for i = 1; i < 10; i++ { // 49..10
  563. FeSquare(&t2, &t2)
  564. }
  565. FeMul(&t1, &t2, &t1) // 49..0
  566. FeSquare(&t2, &t1) // 50..1
  567. for i = 1; i < 50; i++ { // 99..50
  568. FeSquare(&t2, &t2)
  569. }
  570. FeMul(&t2, &t2, &t1) // 99..0
  571. FeSquare(&t3, &t2) // 100..1
  572. for i = 1; i < 100; i++ { // 199..100
  573. FeSquare(&t3, &t3)
  574. }
  575. FeMul(&t2, &t3, &t2) // 199..0
  576. FeSquare(&t2, &t2) // 200..1
  577. for i = 1; i < 50; i++ { // 249..50
  578. FeSquare(&t2, &t2)
  579. }
  580. FeMul(&t1, &t2, &t1) // 249..0
  581. FeSquare(&t1, &t1) // 250..1
  582. for i = 1; i < 5; i++ { // 254..5
  583. FeSquare(&t1, &t1)
  584. }
  585. FeMul(out, &t1, &t0) // 254..5,3,1,0
  586. }
  588. func fePow22523(out, z *FieldElement) {
  589. var t0, t1, t2 FieldElement
  590. var i int
  592. FeSquare(&t0, z)
  593. for i = 1; i < 1; i++ {
  594. FeSquare(&t0, &t0)
  595. }
  596. FeSquare(&t1, &t0)
  597. for i = 1; i < 2; i++ {
  598. FeSquare(&t1, &t1)
  599. }
  600. FeMul(&t1, z, &t1)
  601. FeMul(&t0, &t0, &t1)
  602. FeSquare(&t0, &t0)
  603. for i = 1; i < 1; i++ {
  604. FeSquare(&t0, &t0)
  605. }
  606. FeMul(&t0, &t1, &t0)
  607. FeSquare(&t1, &t0)
  608. for i = 1; i < 5; i++ {
  609. FeSquare(&t1, &t1)
  610. }
  611. FeMul(&t0, &t1, &t0)
  612. FeSquare(&t1, &t0)
  613. for i = 1; i < 10; i++ {
  614. FeSquare(&t1, &t1)
  615. }
  616. FeMul(&t1, &t1, &t0)
  617. FeSquare(&t2, &t1)
  618. for i = 1; i < 20; i++ {
  619. FeSquare(&t2, &t2)
  620. }
  621. FeMul(&t1, &t2, &t1)
  622. FeSquare(&t1, &t1)
  623. for i = 1; i < 10; i++ {
  624. FeSquare(&t1, &t1)
  625. }
  626. FeMul(&t0, &t1, &t0)
  627. FeSquare(&t1, &t0)
  628. for i = 1; i < 50; i++ {
  629. FeSquare(&t1, &t1)
  630. }
  631. FeMul(&t1, &t1, &t0)
  632. FeSquare(&t2, &t1)
  633. for i = 1; i < 100; i++ {
  634. FeSquare(&t2, &t2)
  635. }
  636. FeMul(&t1, &t2, &t1)
  637. FeSquare(&t1, &t1)
  638. for i = 1; i < 50; i++ {
  639. FeSquare(&t1, &t1)
  640. }
  641. FeMul(&t0, &t1, &t0)
  642. FeSquare(&t0, &t0)
  643. for i = 1; i < 2; i++ {
  644. FeSquare(&t0, &t0)
  645. }
  646. FeMul(out, &t0, z)
  647. }
  649. func FeDivPowM1(out, u, v *FieldElement) {
  650. var v3, uv7, t0 FieldElement
  652. FeSquare(&v3, v)
  653. FeMul(&v3, &v3, v) /* v3 = v^3 */
  654. FeSquare(&uv7, &v3)
  655. FeMul(&uv7, &uv7, v)
  656. FeMul(&uv7, &uv7, u) /* uv7 = uv^7 */
  658. fePow22523(&t0, &uv7)
  659. /* t0 = (uv^7)^((q-5)/8) */
  660. FeMul(&t0, &t0, &v3)
  661. FeMul(out, &t0, u) /* u^(m+1)v^(-(m+1)) */
  662. }
  664. // Group elements are members of the elliptic curve -x^2 + y^2 = 1 + d * x^2 *
  665. // y^2 where d = -121665/121666.
  666. //
  667. // Several representations are used:
  668. // ProjectiveGroupElement: (X:Y:Z) satisfying x=X/Z, y=Y/Z
  669. // ExtendedGroupElement: (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
  670. // CompletedGroupElement: ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
  671. // PreComputedGroupElement: (y+x,y-x,2dxy)
  673. type ProjectiveGroupElement struct {
  674. X, Y, Z FieldElement
  675. }
  677. type ExtendedGroupElement struct {
  678. X, Y, Z, T FieldElement
  679. }
  681. type CompletedGroupElement struct {
  682. X, Y, Z, T FieldElement
  683. }
  685. type PreComputedGroupElement struct {
  686. yPlusX, yMinusX, xy2d FieldElement
  687. }
  689. type CachedGroupElement struct {
  690. yPlusX, yMinusX, Z, T2d FieldElement
  691. }
  693. func (p *ProjectiveGroupElement) Zero() {
  694. p.X.Zero()
  695. p.Y.One()
  696. p.Z.One()
  697. }
  699. func (p *ProjectiveGroupElement) Double(r *CompletedGroupElement) {
  700. var t0 FieldElement
  702. FeSquare(&r.X, &p.X)
  703. FeSquare(&r.Z, &p.Y)
  704. FeSquare2(&r.T, &p.Z)
  705. FeAdd(&r.Y, &p.X, &p.Y)
  706. FeSquare(&t0, &r.Y)
  707. FeAdd(&r.Y, &r.Z, &r.X)
  708. FeSub(&r.Z, &r.Z, &r.X)
  709. FeSub(&r.X, &t0, &r.Y)
  710. FeSub(&r.T, &r.T, &r.Z)
  711. }
  713. func (p *ProjectiveGroupElement) ToBytes(s *Key) {
  714. var recip, x, y FieldElement
  716. FeInvert(&recip, &p.Z)
  717. FeMul(&x, &p.X, &recip)
  718. FeMul(&y, &p.Y, &recip)
  719. FeToBytes(s, &y)
  720. s[31] ^= x.IsNegative() << 7
  721. }
  723. func (p *ProjectiveGroupElement) FromBytes(s *Key) {
  724. h0 := load4(s[:])
  725. h1 := load3(s[4:]) << 6
  726. h2 := load3(s[7:]) << 5
  727. h3 := load3(s[10:]) << 3
  728. h4 := load3(s[13:]) << 2
  729. h5 := load4(s[16:])
  730. h6 := load3(s[20:]) << 7
  731. h7 := load3(s[23:]) << 5
  732. h8 := load3(s[26:]) << 4
  733. h9 := load3(s[29:]) << 2
  734. var carry [10]int64
  735. carry[9] = (h9 + int64(1<<24)) >> 25
  736. h0 += carry[9] * 19
  737. h9 -= carry[9] << 25
  738. carry[1] = (h1 + int64(1<<24)) >> 25
  739. h2 += carry[1]
  740. h1 -= carry[1] << 25
  741. carry[3] = (h3 + int64(1<<24)) >> 25
  742. h4 += carry[3]
  743. h3 -= carry[3] << 25
  744. carry[5] = (h5 + int64(1<<24)) >> 25
  745. h6 += carry[5]
  746. h5 -= carry[5] << 25
  747. carry[7] = (h7 + int64(1<<24)) >> 25
  748. h8 += carry[7]
  749. h7 -= carry[7] << 25
  751. carry[0] = (h0 + int64(1<<25)) >> 26
  752. h1 += carry[0]
  753. h0 -= carry[0] << 26
  754. carry[2] = (h2 + int64(1<<25)) >> 26
  755. h3 += carry[2]
  756. h2 -= carry[2] << 26
  757. carry[4] = (h4 + int64(1<<25)) >> 26
  758. h5 += carry[4]
  759. h4 -= carry[4] << 26
  760. carry[6] = (h6 + int64(1<<25)) >> 26
  761. h7 += carry[6]
  762. h6 -= carry[6] << 26
  763. carry[8] = (h8 + int64(1<<25)) >> 26
  764. h9 += carry[8]
  765. h8 -= carry[8] << 26
  767. var u, v, w, x, y, z FieldElement
  768. u[0] = int32(h0)
  769. u[1] = int32(h1)
  770. u[2] = int32(h2)
  771. u[3] = int32(h3)
  772. u[4] = int32(h4)
  773. u[5] = int32(h5)
  774. u[6] = int32(h6)
  775. u[7] = int32(h7)
  776. u[8] = int32(h8)
  777. u[9] = int32(h9)
  778. FeSquare2(&v, &u) /* 2 * u^2 */
  779. w.One()
  780. FeAdd(&w, &v, &w) /* w = 2 * u^2 + 1 */
  781. FeSquare(&x, &w) /* w^2 */
  782. FeMul(&y, &FeMa2, &v) /* -2 * A^2 * u^2 */
  783. FeAdd(&x, &x, &y) /* x = w^2 - 2 * A^2 * u^2 */
  784. FeDivPowM1(&p.X, &w, &x) /* (w / x)^(m + 1) */
  785. FeSquare(&y, &p.X)
  786. FeMul(&x, &y, &x)
  787. FeSub(&y, &w, &x)
  788. FeCopy(&z, &FeMa)
  789. isNegative := false
  790. var sign byte
  791. if y.IsNonZero() != 0 {
  792. FeAdd(&y, &w, &x)
  793. if y.IsNonZero() != 0 {
  794. isNegative = true
  795. } else {
  796. FeMul(&p.X, &p.X, &FeFffb1)
  797. }
  798. } else {
  799. FeMul(&p.X, &p.X, &FeFffb2)
  800. }
  801. if isNegative {
  802. FeMul(&x, &x, &FeSqrtM1)
  803. FeSub(&y, &w, &x)
  804. if y.IsNonZero() != 0 {
  805. FeAdd(&y, &w, &x)
  806. FeMul(&p.X, &p.X, &FeFffb3)
  807. } else {
  808. FeMul(&p.X, &p.X, &FeFffb4)
  809. }
  810. /* p.X = sqrt(A * (A + 2) * w / x) */
  811. /* z = -A */
  812. sign = 1
  813. } else {
  814. FeMul(&p.X, &p.X, &u) /* u * sqrt(2 * A * (A + 2) * w / x) */
  815. FeMul(&z, &z, &v) /* -2 * A * u^2 */
  816. sign = 0
  817. }
  818. if p.X.IsNegative() != sign {
  819. FeNeg(&p.X, &p.X)
  820. }
  821. FeAdd(&p.Z, &z, &w)
  822. FeSub(&p.Y, &z, &w)
  823. FeMul(&p.X, &p.X, &p.Z)
  824. }
  826. func (p *ExtendedGroupElement) Zero() {
  827. p.X.Zero()
  828. p.Y.One()
  829. p.Z.One()
  830. p.T.Zero()
  831. }
  833. func (p *ExtendedGroupElement) Double(r *CompletedGroupElement) {
  834. var q ProjectiveGroupElement
  835. p.ToProjective(&q)
  836. q.Double(r)
  837. }
  839. func (p *ExtendedGroupElement) ToCached(r *CachedGroupElement) {
  840. FeAdd(&r.yPlusX, &p.Y, &p.X)
  841. FeSub(&r.yMinusX, &p.Y, &p.X)
  842. FeCopy(&r.Z, &p.Z)
  843. FeMul(&r.T2d, &p.T, &d2)
  844. }
  846. func (p *ExtendedGroupElement) ToProjective(r *ProjectiveGroupElement) {
  847. FeCopy(&r.X, &p.X)
  848. FeCopy(&r.Y, &p.Y)
  849. FeCopy(&r.Z, &p.Z)
  850. }
  852. func (p *ExtendedGroupElement) ToBytes(s *Key) {
  853. var recip, x, y FieldElement
  855. FeInvert(&recip, &p.Z)
  856. FeMul(&x, &p.X, &recip)
  857. FeMul(&y, &p.Y, &recip)
  858. FeToBytes(s, &y)
  859. s[31] ^= x.IsNegative() << 7
  860. }
  862. func (p *ExtendedGroupElement) FromBytes(s *Key) bool {
  863. var u, v, v3, vxx, check FieldElement
  865. FeFromBytes(&p.Y, s)
  866. p.Z.One()
  867. FeSquare(&u, &p.Y)
  868. FeMul(&v, &u, &d)
  869. FeSub(&u, &u, &p.Z) // y = y^2-1
  870. FeAdd(&v, &v, &p.Z) // v = dy^2+1
  872. FeSquare(&v3, &v)
  873. FeMul(&v3, &v3, &v) // v3 = v^3
  874. FeSquare(&p.X, &v3)
  875. FeMul(&p.X, &p.X, &v)
  876. FeMul(&p.X, &p.X, &u) // x = uv^7
  878. fePow22523(&p.X, &p.X) // x = (uv^7)^((q-5)/8)
  879. FeMul(&p.X, &p.X, &v3)
  880. FeMul(&p.X, &p.X, &u) // x = uv^3(uv^7)^((q-5)/8)
  882. var tmpX, tmp2 Key
  884. FeSquare(&vxx, &p.X)
  885. FeMul(&vxx, &vxx, &v)
  886. FeSub(&check, &vxx, &u) // vx^2-u
  887. if check.IsNonZero() == 1 {
  888. FeAdd(&check, &vxx, &u) // vx^2+u
  889. if check.IsNonZero() == 1 {
  890. return false
  891. }
  892. FeMul(&p.X, &p.X, &SqrtM1)
  894. FeToBytes(&tmpX, &p.X)
  895. for i, v := range tmpX {
  896. tmp2[31-i] = v
  897. }
  898. }
  900. if p.X.IsNegative() != (s[31] >> 7) {
  901. FeNeg(&p.X, &p.X)
  902. }
  904. FeMul(&p.T, &p.X, &p.Y)
  905. return true
  906. }
  908. func (p *CompletedGroupElement) ToProjective(r *ProjectiveGroupElement) {
  909. FeMul(&r.X, &p.X, &p.T)
  910. FeMul(&r.Y, &p.Y, &p.Z)
  911. FeMul(&r.Z, &p.Z, &p.T)
  912. }
  914. func (p *CompletedGroupElement) ToExtended(r *ExtendedGroupElement) {
  915. FeMul(&r.X, &p.X, &p.T)
  916. FeMul(&r.Y, &p.Y, &p.Z)
  917. FeMul(&r.Z, &p.Z, &p.T)
  918. FeMul(&r.T, &p.X, &p.Y)
  919. }
  921. func (p *PreComputedGroupElement) Zero() {
  922. p.yPlusX.One()
  923. p.yMinusX.One()
  924. p.xy2d.Zero()
  925. }
  927. func (c *CachedGroupElement) Zero() {
  928. c.yPlusX.One()
  929. c.yMinusX.One()
  930. c.Z.One()
  931. c.T2d.Zero()
  932. }
  934. func geAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
  935. var t0 FieldElement
  937. FeAdd(&r.X, &p.Y, &p.X)
  938. FeSub(&r.Y, &p.Y, &p.X)
  939. FeMul(&r.Z, &r.X, &q.yPlusX)
  940. FeMul(&r.Y, &r.Y, &q.yMinusX)
  941. FeMul(&r.T, &q.T2d, &p.T)
  942. FeMul(&r.X, &p.Z, &q.Z)
  943. FeAdd(&t0, &r.X, &r.X)
  944. FeSub(&r.X, &r.Z, &r.Y)
  945. FeAdd(&r.Y, &r.Z, &r.Y)
  946. FeAdd(&r.Z, &t0, &r.T)
  947. FeSub(&r.T, &t0, &r.T)
  948. }
  950. func geSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
  951. var t0 FieldElement
  953. FeAdd(&r.X, &p.Y, &p.X)
  954. FeSub(&r.Y, &p.Y, &p.X)
  955. FeMul(&r.Z, &r.X, &q.yMinusX)
  956. FeMul(&r.Y, &r.Y, &q.yPlusX)
  957. FeMul(&r.T, &q.T2d, &p.T)
  958. FeMul(&r.X, &p.Z, &q.Z)
  959. FeAdd(&t0, &r.X, &r.X)
  960. FeSub(&r.X, &r.Z, &r.Y)
  961. FeAdd(&r.Y, &r.Z, &r.Y)
  962. FeSub(&r.Z, &t0, &r.T)
  963. FeAdd(&r.T, &t0, &r.T)
  964. }
  966. func geMixedAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
  967. var t0 FieldElement
  969. FeAdd(&r.X, &p.Y, &p.X)
  970. FeSub(&r.Y, &p.Y, &p.X)
  971. FeMul(&r.Z, &r.X, &q.yPlusX)
  972. FeMul(&r.Y, &r.Y, &q.yMinusX)
  973. FeMul(&r.T, &q.xy2d, &p.T)
  974. FeAdd(&t0, &p.Z, &p.Z)
  975. FeSub(&r.X, &r.Z, &r.Y)
  976. FeAdd(&r.Y, &r.Z, &r.Y)
  977. FeAdd(&r.Z, &t0, &r.T)
  978. FeSub(&r.T, &t0, &r.T)
  979. }
  981. func geMixedSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
  982. var t0 FieldElement
  984. FeAdd(&r.X, &p.Y, &p.X)
  985. FeSub(&r.Y, &p.Y, &p.X)
  986. FeMul(&r.Z, &r.X, &q.yMinusX)
  987. FeMul(&r.Y, &r.Y, &q.yPlusX)
  988. FeMul(&r.T, &q.xy2d, &p.T)
  989. FeAdd(&t0, &p.Z, &p.Z)
  990. FeSub(&r.X, &r.Z, &r.Y)
  991. FeAdd(&r.Y, &r.Z, &r.Y)
  992. FeSub(&r.Z, &t0, &r.T)
  993. FeAdd(&r.T, &t0, &r.T)
  994. }
  996. // r = 8 * t
  997. func GeMul8(r *CompletedGroupElement, t *ProjectiveGroupElement) {
  998. var u ProjectiveGroupElement
  999. t.Double(r)
  1000. r.ToProjective(&u)
  1001. u.Double(r)
  1002. r.ToProjective(&u)
  1003. u.Double(r)
  1004. }
  1006. // caches s into an array of CachedGroupElements for scalar multiplication later
  1007. func GePrecompute(r *[8]CachedGroupElement, s *ExtendedGroupElement) {
  1008. var t CompletedGroupElement
  1009. var s2, u ExtendedGroupElement
  1010. s.ToCached(&r[0])
  1011. s.Double(&t)
  1012. t.ToExtended(&s2)
  1013. for i := 0; i < 7; i++ {
  1014. geAdd(&t, &s2, &r[i])
  1015. t.ToExtended(&u)
  1016. u.ToCached(&r[i+1])
  1017. }
  1018. }
  1020. func slide(r *[256]int8, a *Key) {
  1021. for i := range r {
  1022. r[i] = int8(1 & (a[i>>3] >> uint(i&7)))
  1023. }
  1025. for i := range r {
  1026. if r[i] != 0 {
  1027. for b := 1; b <= 6 && i+b < 256; b++ {
  1028. if r[i+b] != 0 {
  1029. if r[i]+(r[i+b]<<uint(b)) <= 15 {
  1030. r[i] += r[i+b] << uint(b)
  1031. r[i+b] = 0
  1032. } else if r[i]-(r[i+b]<<uint(b)) >= -15 {
  1033. r[i] -= r[i+b] << uint(b)
  1034. for k := i + b; k < 256; k++ {
  1035. if r[k] == 0 {
  1036. r[k] = 1
  1037. break
  1038. }
  1039. r[k] = 0
  1040. }
  1041. } else {
  1042. break
  1043. }
  1044. }
  1045. }
  1046. }
  1047. }
  1048. }
  1050. // GeDoubleScalarMultVartime sets r = a*A + b*B
  1051. // where a = a[0]+256*a[1]+...+256^31 a[31].
  1052. // and b = b[0]+256*b[1]+...+256^31 b[31].
  1053. // B is the Ed25519 base point (x,4/5) with x positive.
  1054. func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *Key, A *ExtendedGroupElement, b *Key) {
  1055. var aSlide, bSlide [256]int8
  1056. var Ai [8]CachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A
  1057. var t CompletedGroupElement
  1058. var u ExtendedGroupElement
  1059. var i int
  1061. slide(&aSlide, a)
  1062. slide(&bSlide, b)
  1063. GePrecompute(&Ai, A)
  1065. r.Zero()
  1067. for i = 255; i >= 0; i-- {
  1068. if aSlide[i] != 0 || bSlide[i] != 0 {
  1069. break
  1070. }
  1071. }
  1073. for ; i >= 0; i-- {
  1074. r.Double(&t)
  1076. if aSlide[i] > 0 {
  1077. t.ToExtended(&u)
  1078. geAdd(&t, &u, &Ai[aSlide[i]/2])
  1079. } else if aSlide[i] < 0 {
  1080. t.ToExtended(&u)
  1081. geSub(&t, &u, &Ai[(-aSlide[i])/2])
  1082. }
  1084. if bSlide[i] > 0 {
  1085. t.ToExtended(&u)
  1086. geMixedAdd(&t, &u, &bi[bSlide[i]/2])
  1087. } else if bSlide[i] < 0 {
  1088. t.ToExtended(&u)
  1089. geMixedSub(&t, &u, &bi[(-bSlide[i])/2])
  1090. }
  1092. t.ToProjective(r)
  1093. }
  1094. }
  1096. // sets r = a*A + b*B
  1097. // where Bi is the [8]CachedGroupElement consisting of
  1098. // B,3B,5B,7B,9B,11B,13B,15B
  1099. func GeDoubleScalarMultPrecompVartime(r *ProjectiveGroupElement, a *Key, A *ExtendedGroupElement, b *Key, Bi *[8]CachedGroupElement) {
  1100. var aSlide, bSlide [256]int8
  1101. var Ai [8]CachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A
  1102. var t CompletedGroupElement
  1103. var u ExtendedGroupElement
  1104. var i int
  1105. slide(&aSlide, a)
  1106. slide(&bSlide, b)
  1107. GePrecompute(&Ai, A)
  1108. r.Zero()
  1109. for i = 255; i >= 0; i-- {
  1110. if aSlide[i] != 0 || bSlide[i] != 0 {
  1111. break
  1112. }
  1113. }
  1114. for ; i >= 0; i-- {
  1115. r.Double(&t)
  1116. if aSlide[i] > 0 {
  1117. t.ToExtended(&u)
  1118. geAdd(&t, &u, &Ai[aSlide[i]/2])
  1119. } else if aSlide[i] < 0 {
  1120. t.ToExtended(&u)
  1121. geSub(&t, &u, &Ai[(-aSlide[i])/2])
  1122. }
  1123. if bSlide[i] > 0 {
  1124. t.ToExtended(&u)
  1125. geAdd(&t, &u, &Bi[bSlide[i]/2])
  1126. } else if bSlide[i] < 0 {
  1127. t.ToExtended(&u)
  1128. geSub(&t, &u, &Bi[(-bSlide[i])/2])
  1129. }
  1130. t.ToProjective(r)
  1131. }
  1132. return
  1133. }
  1135. // equal returns 1 if b == c and 0 otherwise.
  1136. func equal(b, c int32) int32 {
  1137. x := uint32(b ^ c)
  1138. x--
  1139. return int32(x >> 31)
  1140. }
  1142. // negative returns 1 if b < 0 and 0 otherwise.
  1143. func negative(b int32) int32 {
  1144. return (b >> 31) & 1
  1145. }
  1147. func CachedGroupElementCMove(t, u *CachedGroupElement, b int32) {
  1148. FeCMove(&t.yPlusX, &u.yPlusX, b)
  1149. FeCMove(&t.yMinusX, &u.yMinusX, b)
  1150. FeCMove(&t.Z, &u.Z, b)
  1151. FeCMove(&t.T2d, &u.T2d, b)
  1152. }
  1154. func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32) {
  1155. FeCMove(&t.yPlusX, &u.yPlusX, b)
  1156. FeCMove(&t.yMinusX, &u.yMinusX, b)
  1157. FeCMove(&t.xy2d, &u.xy2d, b)
  1158. }
  1160. func selectPoint(t *PreComputedGroupElement, pos int32, b int32) {
  1161. var minusT PreComputedGroupElement
  1162. bNegative := negative(b)
  1163. bAbs := b - (((-bNegative) & b) << 1)
  1165. t.Zero()
  1166. for i := int32(0); i < 8; i++ {
  1167. PreComputedGroupElementCMove(t, &base[pos][i], equal(bAbs, i+1))
  1168. }
  1169. FeCopy(&minusT.yPlusX, &t.yMinusX)
  1170. FeCopy(&minusT.yMinusX, &t.yPlusX)
  1171. FeNeg(&minusT.xy2d, &t.xy2d)
  1172. PreComputedGroupElementCMove(t, &minusT, bNegative)
  1173. }
  1175. // GeScalarMult computes h = a*A, where
  1176. // a = a[0]+256*a[1]+...+256^31 a[31]
  1177. // A is a point on the curve
  1178. //
  1179. // Preconditions:
  1180. // a[31] <= 127
  1181. func GeScalarMult(r *ProjectiveGroupElement, a *Key, A *ExtendedGroupElement) {
  1182. var e [64]int32
  1183. var carry, carry2 int32
  1184. for i := 0; i < 31; i++ {
  1185. carry += int32(a[i]) /* 0..256 */
  1186. carry2 = (carry + 8) >> 4 /* 0..16 */
  1187. e[2*i] = carry - (carry2 << 4) /* -8..7 */
  1188. carry = (carry2 + 8) >> 4 /* 0..1 */
  1189. e[2*i+1] = carry2 - (carry << 4) /* -8..7 */
  1190. }
  1191. carry += int32(a[31]) /* 0..128 */
  1192. carry2 = (carry + 8) >> 4 /* 0..8 */
  1193. e[62] = carry - (carry2 << 4) /* -8..7 */
  1194. e[63] = carry2 /* 0..8 */
  1196. var Ai [8]CachedGroupElement // A,2A,3A,4A,5A,6A,7A,8A
  1197. t := new(CompletedGroupElement)
  1198. u := new(ExtendedGroupElement)
  1199. A.ToCached(&Ai[0])
  1200. for i := 0; i < 7; i++ {
  1201. geAdd(t, A, &Ai[i])
  1202. t.ToExtended(u)
  1203. u.ToCached(&Ai[i+1])
  1204. }
  1205. r.Zero()
  1206. cur := new(CachedGroupElement)
  1207. minusCur := new(CachedGroupElement)
  1208. for i := 63; i >= 0; i-- {
  1209. b := e[i]
  1210. bNegative := negative(b)
  1211. bAbs := b - (((-bNegative) & b) << 1)
  1212. r.Double(t)
  1213. t.ToProjective(r)
  1214. r.Double(t)
  1215. t.ToProjective(r)
  1216. r.Double(t)
  1217. t.ToProjective(r)
  1218. r.Double(t)
  1219. t.ToExtended(u)
  1220. cur.Zero()
  1221. for j := int32(0); j < 8; j++ {
  1222. CachedGroupElementCMove(cur, &Ai[j], equal(bAbs, j+1))
  1223. }
  1224. FeCopy(&minusCur.yPlusX, &cur.yMinusX)
  1225. FeCopy(&minusCur.yMinusX, &cur.yPlusX)
  1226. FeCopy(&minusCur.Z, &cur.Z)
  1227. FeNeg(&minusCur.T2d, &cur.T2d)
  1228. CachedGroupElementCMove(cur, minusCur, bNegative)
  1229. geAdd(t, u, cur)
  1230. t.ToProjective(r)
  1231. }
  1232. }
  1234. // GeScalarMultBase computes h = a*B, where
  1235. // a = a[0]+256*a[1]+...+256^31 a[31]
  1236. // B is the Ed25519 base point (x,4/5) with x positive.
  1237. //
  1238. // Preconditions:
  1239. // a[31] <= 127
  1240. func GeScalarMultBase(h *ExtendedGroupElement, a *Key) {
  1241. var e [64]int8
  1243. for i, v := range a {
  1244. e[2*i] = int8(v & 15)
  1245. e[2*i+1] = int8((v >> 4) & 15)
  1246. }
  1248. // each e[i] is between 0 and 15 and e[63] is between 0 and 7.
  1250. carry := int8(0)
  1251. for i := 0; i < 63; i++ {
  1252. e[i] += carry
  1253. carry = (e[i] + 8) >> 4
  1254. e[i] -= carry << 4
  1255. }
  1256. e[63] += carry
  1257. // each e[i] is between -8 and 8.
  1259. h.Zero()
  1260. var t PreComputedGroupElement
  1261. var r CompletedGroupElement
  1262. for i := int32(1); i < 64; i += 2 {
  1263. selectPoint(&t, i/2, int32(e[i]))
  1264. geMixedAdd(&r, h, &t)
  1265. r.ToExtended(h)
  1266. }
  1268. var s ProjectiveGroupElement
  1270. h.Double(&r)
  1271. r.ToProjective(&s)
  1272. s.Double(&r)
  1273. r.ToProjective(&s)
  1274. s.Double(&r)
  1275. r.ToProjective(&s)
  1276. s.Double(&r)
  1277. r.ToExtended(h)
  1279. for i := int32(0); i < 64; i += 2 {
  1280. selectPoint(&t, i/2, int32(e[i]))
  1281. geMixedAdd(&r, h, &t)
  1282. r.ToExtended(h)
  1283. }
  1284. }
  1286. func ScAdd(s, a, b *Key) {
  1287. a0 := 2097151 & load3(a[:])
  1288. a1 := 2097151 & (load4(a[2:]) >> 5)
  1289. a2 := 2097151 & (load3(a[5:]) >> 2)
  1290. a3 := 2097151 & (load4(a[7:]) >> 7)
  1291. a4 := 2097151 & (load4(a[10:]) >> 4)
  1292. a5 := 2097151 & (load3(a[13:]) >> 1)
  1293. a6 := 2097151 & (load4(a[15:]) >> 6)
  1294. a7 := 2097151 & (load3(a[18:]) >> 3)
  1295. a8 := 2097151 & load3(a[21:])
  1296. a9 := 2097151 & (load4(a[23:]) >> 5)
  1297. a10 := 2097151 & (load3(a[26:]) >> 2)
  1298. a11 := (load4(a[28:]) >> 7)
  1299. b0 := 2097151 & load3(b[:])
  1300. b1 := 2097151 & (load4(b[2:]) >> 5)
  1301. b2 := 2097151 & (load3(b[5:]) >> 2)
  1302. b3 := 2097151 & (load4(b[7:]) >> 7)
  1303. b4 := 2097151 & (load4(b[10:]) >> 4)
  1304. b5 := 2097151 & (load3(b[13:]) >> 1)
  1305. b6 := 2097151 & (load4(b[15:]) >> 6)
  1306. b7 := 2097151 & (load3(b[18:]) >> 3)
  1307. b8 := 2097151 & load3(b[21:])
  1308. b9 := 2097151 & (load4(b[23:]) >> 5)
  1309. b10 := 2097151 & (load3(b[26:]) >> 2)
  1310. b11 := (load4(b[28:]) >> 7)
  1311. s0 := a0 + b0
  1312. s1 := a1 + b1
  1313. s2 := a2 + b2
  1314. s3 := a3 + b3
  1315. s4 := a4 + b4
  1316. s5 := a5 + b5
  1317. s6 := a6 + b6
  1318. s7 := a7 + b7
  1319. s8 := a8 + b8
  1320. s9 := a9 + b9
  1321. s10 := a10 + b10
  1322. s11 := a11 + b11
  1323. s12 := int64(0)
  1324. var carry [12]int64
  1326. carry[0] = (s0 + (1 << 20)) >> 21
  1327. s1 += carry[0]
  1328. s0 -= carry[0] << 21
  1329. carry[2] = (s2 + (1 << 20)) >> 21
  1330. s3 += carry[2]
  1331. s2 -= carry[2] << 21
  1332. carry[4] = (s4 + (1 << 20)) >> 21
  1333. s5 += carry[4]
  1334. s4 -= carry[4] << 21
  1335. carry[6] = (s6 + (1 << 20)) >> 21
  1336. s7 += carry[6]
  1337. s6 -= carry[6] << 21
  1338. carry[8] = (s8 + (1 << 20)) >> 21
  1339. s9 += carry[8]
  1340. s8 -= carry[8] << 21
  1341. carry[10] = (s10 + (1 << 20)) >> 21
  1342. s11 += carry[10]
  1343. s10 -= carry[10] << 21
  1345. carry[1] = (s1 + (1 << 20)) >> 21
  1346. s2 += carry[1]
  1347. s1 -= carry[1] << 21
  1348. carry[3] = (s3 + (1 << 20)) >> 21
  1349. s4 += carry[3]
  1350. s3 -= carry[3] << 21
  1351. carry[5] = (s5 + (1 << 20)) >> 21
  1352. s6 += carry[5]
  1353. s5 -= carry[5] << 21
  1354. carry[7] = (s7 + (1 << 20)) >> 21
  1355. s8 += carry[7]
  1356. s7 -= carry[7] << 21
  1357. carry[9] = (s9 + (1 << 20)) >> 21
  1358. s10 += carry[9]
  1359. s9 -= carry[9] << 21
  1360. carry[11] = (s11 + (1 << 20)) >> 21
  1361. s12 += carry[11]
  1362. s11 -= carry[11] << 21
  1364. s0 += s12 * 666643
  1365. s1 += s12 * 470296
  1366. s2 += s12 * 654183
  1367. s3 -= s12 * 997805
  1368. s4 += s12 * 136657
  1369. s5 -= s12 * 683901
  1370. s12 = 0
  1372. carry[0] = s0 >> 21
  1373. s1 += carry[0]
  1374. s0 -= carry[0] << 21
  1375. carry[1] = s1 >> 21
  1376. s2 += carry[1]
  1377. s1 -= carry[1] << 21
  1378. carry[2] = s2 >> 21
  1379. s3 += carry[2]
  1380. s2 -= carry[2] << 21
  1381. carry[3] = s3 >> 21
  1382. s4 += carry[3]
  1383. s3 -= carry[3] << 21
  1384. carry[4] = s4 >> 21
  1385. s5 += carry[4]
  1386. s4 -= carry[4] << 21
  1387. carry[5] = s5 >> 21
  1388. s6 += carry[5]
  1389. s5 -= carry[5] << 21
  1390. carry[6] = s6 >> 21
  1391. s7 += carry[6]
  1392. s6 -= carry[6] << 21
  1393. carry[7] = s7 >> 21
  1394. s8 += carry[7]
  1395. s7 -= carry[7] << 21
  1396. carry[8] = s8 >> 21
  1397. s9 += carry[8]
  1398. s8 -= carry[8] << 21
  1399. carry[9] = s9 >> 21
  1400. s10 += carry[9]
  1401. s9 -= carry[9] << 21
  1402. carry[10] = s10 >> 21
  1403. s11 += carry[10]
  1404. s10 -= carry[10] << 21
  1405. carry[11] = s11 >> 21
  1406. s12 += carry[11]
  1407. s11 -= carry[11] << 21
  1409. s0 += s12 * 666643
  1410. s1 += s12 * 470296
  1411. s2 += s12 * 654183
  1412. s3 -= s12 * 997805
  1413. s4 += s12 * 136657
  1414. s5 -= s12 * 683901
  1416. carry[0] = s0 >> 21
  1417. s1 += carry[0]
  1418. s0 -= carry[0] << 21
  1419. carry[1] = s1 >> 21
  1420. s2 += carry[1]
  1421. s1 -= carry[1] << 21
  1422. carry[2] = s2 >> 21
  1423. s3 += carry[2]
  1424. s2 -= carry[2] << 21
  1425. carry[3] = s3 >> 21
  1426. s4 += carry[3]
  1427. s3 -= carry[3] << 21
  1428. carry[4] = s4 >> 21
  1429. s5 += carry[4]
  1430. s4 -= carry[4] << 21
  1431. carry[5] = s5 >> 21
  1432. s6 += carry[5]
  1433. s5 -= carry[5] << 21
  1434. carry[6] = s6 >> 21
  1435. s7 += carry[6]
  1436. s6 -= carry[6] << 21
  1437. carry[7] = s7 >> 21
  1438. s8 += carry[7]
  1439. s7 -= carry[7] << 21
  1440. carry[8] = s8 >> 21
  1441. s9 += carry[8]
  1442. s8 -= carry[8] << 21
  1443. carry[9] = s9 >> 21
  1444. s10 += carry[9]
  1445. s9 -= carry[9] << 21
  1446. carry[10] = s10 >> 21
  1447. s11 += carry[10]
  1448. s10 -= carry[10] << 21
  1450. s[0] = byte(s0 >> 0)
  1451. s[1] = byte(s0 >> 8)
  1452. s[2] = byte((s0 >> 16) | (s1 << 5))
  1453. s[3] = byte(s1 >> 3)
  1454. s[4] = byte(s1 >> 11)
  1455. s[5] = byte((s1 >> 19) | (s2 << 2))
  1456. s[6] = byte(s2 >> 6)
  1457. s[7] = byte((s2 >> 14) | (s3 << 7))
  1458. s[8] = byte(s3 >> 1)
  1459. s[9] = byte(s3 >> 9)
  1460. s[10] = byte((s3 >> 17) | (s4 << 4))
  1461. s[11] = byte(s4 >> 4)
  1462. s[12] = byte(s4 >> 12)
  1463. s[13] = byte((s4 >> 20) | (s5 << 1))
  1464. s[14] = byte(s5 >> 7)
  1465. s[15] = byte((s5 >> 15) | (s6 << 6))
  1466. s[16] = byte(s6 >> 2)
  1467. s[17] = byte(s6 >> 10)
  1468. s[18] = byte((s6 >> 18) | (s7 << 3))
  1469. s[19] = byte(s7 >> 5)
  1470. s[20] = byte(s7 >> 13)
  1471. s[21] = byte(s8 >> 0)
  1472. s[22] = byte(s8 >> 8)
  1473. s[23] = byte((s8 >> 16) | (s9 << 5))
  1474. s[24] = byte(s9 >> 3)
  1475. s[25] = byte(s9 >> 11)
  1476. s[26] = byte((s9 >> 19) | (s10 << 2))
  1477. s[27] = byte(s10 >> 6)
  1478. s[28] = byte((s10 >> 14) | (s11 << 7))
  1479. s[29] = byte(s11 >> 1)
  1480. s[30] = byte(s11 >> 9)
  1481. s[31] = byte(s11 >> 17)
  1482. }
  1484. func ScSub(s, a, b *Key) {
  1485. a0 := 2097151 & load3(a[:])
  1486. a1 := 2097151 & (load4(a[2:]) >> 5)
  1487. a2 := 2097151 & (load3(a[5:]) >> 2)
  1488. a3 := 2097151 & (load4(a[7:]) >> 7)
  1489. a4 := 2097151 & (load4(a[10:]) >> 4)
  1490. a5 := 2097151 & (load3(a[13:]) >> 1)
  1491. a6 := 2097151 & (load4(a[15:]) >> 6)
  1492. a7 := 2097151 & (load3(a[18:]) >> 3)
  1493. a8 := 2097151 & load3(a[21:])
  1494. a9 := 2097151 & (load4(a[23:]) >> 5)
  1495. a10 := 2097151 & (load3(a[26:]) >> 2)
  1496. a11 := (load4(a[28:]) >> 7)
  1497. b0 := 2097151 & load3(b[:])
  1498. b1 := 2097151 & (load4(b[2:]) >> 5)
  1499. b2 := 2097151 & (load3(b[5:]) >> 2)
  1500. b3 := 2097151 & (load4(b[7:]) >> 7)
  1501. b4 := 2097151 & (load4(b[10:]) >> 4)
  1502. b5 := 2097151 & (load3(b[13:]) >> 1)
  1503. b6 := 2097151 & (load4(b[15:]) >> 6)
  1504. b7 := 2097151 & (load3(b[18:]) >> 3)
  1505. b8 := 2097151 & load3(b[21:])
  1506. b9 := 2097151 & (load4(b[23:]) >> 5)
  1507. b10 := 2097151 & (load3(b[26:]) >> 2)
  1508. b11 := (load4(b[28:]) >> 7)
  1509. s0 := a0 - b0
  1510. s1 := a1 - b1
  1511. s2 := a2 - b2
  1512. s3 := a3 - b3
  1513. s4 := a4 - b4
  1514. s5 := a5 - b5
  1515. s6 := a6 - b6
  1516. s7 := a7 - b7
  1517. s8 := a8 - b8
  1518. s9 := a9 - b9
  1519. s10 := a10 - b10
  1520. s11 := a11 - b11
  1521. s12 := int64(0)
  1522. var carry [12]int64
  1524. carry[0] = (s0 + (1 << 20)) >> 21
  1525. s1 += carry[0]
  1526. s0 -= carry[0] << 21
  1527. carry[2] = (s2 + (1 << 20)) >> 21
  1528. s3 += carry[2]
  1529. s2 -= carry[2] << 21
  1530. carry[4] = (s4 + (1 << 20)) >> 21
  1531. s5 += carry[4]
  1532. s4 -= carry[4] << 21
  1533. carry[6] = (s6 + (1 << 20)) >> 21
  1534. s7 += carry[6]
  1535. s6 -= carry[6] << 21
  1536. carry[8] = (s8 + (1 << 20)) >> 21
  1537. s9 += carry[8]
  1538. s8 -= carry[8] << 21
  1539. carry[10] = (s10 + (1 << 20)) >> 21
  1540. s11 += carry[10]
  1541. s10 -= carry[10] << 21
  1543. carry[1] = (s1 + (1 << 20)) >> 21
  1544. s2 += carry[1]
  1545. s1 -= carry[1] << 21
  1546. carry[3] = (s3 + (1 << 20)) >> 21
  1547. s4 += carry[3]
  1548. s3 -= carry[3] << 21
  1549. carry[5] = (s5 + (1 << 20)) >> 21
  1550. s6 += carry[5]
  1551. s5 -= carry[5] << 21
  1552. carry[7] = (s7 + (1 << 20)) >> 21
  1553. s8 += carry[7]
  1554. s7 -= carry[7] << 21
  1555. carry[9] = (s9 + (1 << 20)) >> 21
  1556. s10 += carry[9]
  1557. s9 -= carry[9] << 21
  1558. carry[11] = (s11 + (1 << 20)) >> 21
  1559. s12 += carry[11]
  1560. s11 -= carry[11] << 21
  1562. s0 += s12 * 666643
  1563. s1 += s12 * 470296
  1564. s2 += s12 * 654183
  1565. s3 -= s12 * 997805
  1566. s4 += s12 * 136657
  1567. s5 -= s12 * 683901
  1568. s12 = 0
  1570. carry[0] = s0 >> 21
  1571. s1 += carry[0]
  1572. s0 -= carry[0] << 21
  1573. carry[1] = s1 >> 21
  1574. s2 += carry[1]
  1575. s1 -= carry[1] << 21
  1576. carry[2] = s2 >> 21
  1577. s3 += carry[2]
  1578. s2 -= carry[2] << 21
  1579. carry[3] = s3 >> 21
  1580. s4 += carry[3]
  1581. s3 -= carry[3] << 21
  1582. carry[4] = s4 >> 21
  1583. s5 += carry[4]
  1584. s4 -= carry[4] << 21
  1585. carry[5] = s5 >> 21
  1586. s6 += carry[5]
  1587. s5 -= carry[5] << 21
  1588. carry[6] = s6 >> 21
  1589. s7 += carry[6]
  1590. s6 -= carry[6] << 21
  1591. carry[7] = s7 >> 21
  1592. s8 += carry[7]
  1593. s7 -= carry[7] << 21
  1594. carry[8] = s8 >> 21
  1595. s9 += carry[8]
  1596. s8 -= carry[8] << 21
  1597. carry[9] = s9 >> 21
  1598. s10 += carry[9]
  1599. s9 -= carry[9] << 21
  1600. carry[10] = s10 >> 21
  1601. s11 += carry[10]
  1602. s10 -= carry[10] << 21
  1603. carry[11] = s11 >> 21
  1604. s12 += carry[11]
  1605. s11 -= carry[11] << 21
  1607. s0 += s12 * 666643
  1608. s1 += s12 * 470296
  1609. s2 += s12 * 654183
  1610. s3 -= s12 * 997805
  1611. s4 += s12 * 136657
  1612. s5 -= s12 * 683901
  1614. carry[0] = s0 >> 21
  1615. s1 += carry[0]
  1616. s0 -= carry[0] << 21
  1617. carry[1] = s1 >> 21
  1618. s2 += carry[1]
  1619. s1 -= carry[1] << 21
  1620. carry[2] = s2 >> 21
  1621. s3 += carry[2]
  1622. s2 -= carry[2] << 21
  1623. carry[3] = s3 >> 21
  1624. s4 += carry[3]
  1625. s3 -= carry[3] << 21
  1626. carry[4] = s4 >> 21
  1627. s5 += carry[4]
  1628. s4 -= carry[4] << 21
  1629. carry[5] = s5 >> 21
  1630. s6 += carry[5]
  1631. s5 -= carry[5] << 21
  1632. carry[6] = s6 >> 21
  1633. s7 += carry[6]
  1634. s6 -= carry[6] << 21
  1635. carry[7] = s7 >> 21
  1636. s8 += carry[7]
  1637. s7 -= carry[7] << 21
  1638. carry[8] = s8 >> 21
  1639. s9 += carry[8]
  1640. s8 -= carry[8] << 21
  1641. carry[9] = s9 >> 21
  1642. s10 += carry[9]
  1643. s9 -= carry[9] << 21
  1644. carry[10] = s10 >> 21
  1645. s11 += carry[10]
  1646. s10 -= carry[10] << 21
  1648. s[0] = byte(s0 >> 0)
  1649. s[1] = byte(s0 >> 8)
  1650. s[2] = byte((s0 >> 16) | (s1 << 5))
  1651. s[3] = byte(s1 >> 3)
  1652. s[4] = byte(s1 >> 11)
  1653. s[5] = byte((s1 >> 19) | (s2 << 2))
  1654. s[6] = byte(s2 >> 6)
  1655. s[7] = byte((s2 >> 14) | (s3 << 7))
  1656. s[8] = byte(s3 >> 1)
  1657. s[9] = byte(s3 >> 9)
  1658. s[10] = byte((s3 >> 17) | (s4 << 4))
  1659. s[11] = byte(s4 >> 4)
  1660. s[12] = byte(s4 >> 12)
  1661. s[13] = byte((s4 >> 20) | (s5 << 1))
  1662. s[14] = byte(s5 >> 7)
  1663. s[15] = byte((s5 >> 15) | (s6 << 6))
  1664. s[16] = byte(s6 >> 2)
  1665. s[17] = byte(s6 >> 10)
  1666. s[18] = byte((s6 >> 18) | (s7 << 3))
  1667. s[19] = byte(s7 >> 5)
  1668. s[20] = byte(s7 >> 13)
  1669. s[21] = byte(s8 >> 0)
  1670. s[22] = byte(s8 >> 8)
  1671. s[23] = byte((s8 >> 16) | (s9 << 5))
  1672. s[24] = byte(s9 >> 3)
  1673. s[25] = byte(s9 >> 11)
  1674. s[26] = byte((s9 >> 19) | (s10 << 2))
  1675. s[27] = byte(s10 >> 6)
  1676. s[28] = byte((s10 >> 14) | (s11 << 7))
  1677. s[29] = byte(s11 >> 1)
  1678. s[30] = byte(s11 >> 9)
  1679. s[31] = byte(s11 >> 17)
  1680. }
  1682. func signum(a int64) int64 {
  1683. return a>>63 - ((-a) >> 63)
  1684. }
  1686. func ScValid(s *Key) bool {
  1687. s0 := load4(s[:])
  1688. s1 := load4(s[4:])
  1689. s2 := load4(s[8:])
  1690. s3 := load4(s[12:])
  1691. s4 := load4(s[16:])
  1692. s5 := load4(s[20:])
  1693. s6 := load4(s[24:])
  1694. s7 := load4(s[28:])
  1695. return (signum(1559614444-s0)+(signum(1477600026-s1)<<1)+(signum(2734136534-s2)<<2)+(signum(350157278-s3)<<3)+(signum(-s4)<<4)+(signum(-s5)<<5)+(signum(-s6)<<6)+(signum(268435456-s7)<<7))>>8 == 0
  1697. }
  1699. func ScIsZero(s *Key) bool {
  1700. return ((int(s[0]|s[1]|s[2]|s[3]|s[4]|s[5]|s[6]|s[7]|s[8]|
  1701. s[9]|s[10]|s[11]|s[12]|s[13]|s[14]|s[15]|s[16]|s[17]|
  1702. s[18]|s[19]|s[20]|s[21]|s[22]|s[23]|s[24]|s[25]|s[26]|
  1703. s[27]|s[28]|s[29]|s[30]|s[31])-1)>>8)+1 == 0
  1704. }
  1706. // The scalars are GF(2^252 + 27742317777372353535851937790883648493).
  1708. // Input:
  1709. // a[0]+256*a[1]+...+256^31*a[31] = a
  1710. // b[0]+256*b[1]+...+256^31*b[31] = b
  1711. // c[0]+256*c[1]+...+256^31*c[31] = c
  1712. //
  1713. // Output:
  1714. // s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
  1715. // where l = 2^252 + 27742317777372353535851937790883648493.
  1716. func ScMulAdd(s, a, b, c *Key) {
  1717. a0 := 2097151 & load3(a[:])
  1718. a1 := 2097151 & (load4(a[2:]) >> 5)
  1719. a2 := 2097151 & (load3(a[5:]) >> 2)
  1720. a3 := 2097151 & (load4(a[7:]) >> 7)
  1721. a4 := 2097151 & (load4(a[10:]) >> 4)
  1722. a5 := 2097151 & (load3(a[13:]) >> 1)
  1723. a6 := 2097151 & (load4(a[15:]) >> 6)
  1724. a7 := 2097151 & (load3(a[18:]) >> 3)
  1725. a8 := 2097151 & load3(a[21:])
  1726. a9 := 2097151 & (load4(a[23:]) >> 5)
  1727. a10 := 2097151 & (load3(a[26:]) >> 2)
  1728. a11 := (load4(a[28:]) >> 7)
  1729. b0 := 2097151 & load3(b[:])
  1730. b1 := 2097151 & (load4(b[2:]) >> 5)
  1731. b2 := 2097151 & (load3(b[5:]) >> 2)
  1732. b3 := 2097151 & (load4(b[7:]) >> 7)
  1733. b4 := 2097151 & (load4(b[10:]) >> 4)
  1734. b5 := 2097151 & (load3(b[13:]) >> 1)
  1735. b6 := 2097151 & (load4(b[15:]) >> 6)
  1736. b7 := 2097151 & (load3(b[18:]) >> 3)
  1737. b8 := 2097151 & load3(b[21:])
  1738. b9 := 2097151 & (load4(b[23:]) >> 5)
  1739. b10 := 2097151 & (load3(b[26:]) >> 2)
  1740. b11 := (load4(b[28:]) >> 7)
  1741. c0 := 2097151 & load3(c[:])
  1742. c1 := 2097151 & (load4(c[2:]) >> 5)
  1743. c2 := 2097151 & (load3(c[5:]) >> 2)
  1744. c3 := 2097151 & (load4(c[7:]) >> 7)
  1745. c4 := 2097151 & (load4(c[10:]) >> 4)
  1746. c5 := 2097151 & (load3(c[13:]) >> 1)
  1747. c6 := 2097151 & (load4(c[15:]) >> 6)
  1748. c7 := 2097151 & (load3(c[18:]) >> 3)
  1749. c8 := 2097151 & load3(c[21:])
  1750. c9 := 2097151 & (load4(c[23:]) >> 5)
  1751. c10 := 2097151 & (load3(c[26:]) >> 2)
  1752. c11 := (load4(c[28:]) >> 7)
  1753. var carry [23]int64
  1755. s0 := c0 + a0*b0
  1756. s1 := c1 + a0*b1 + a1*b0
  1757. s2 := c2 + a0*b2 + a1*b1 + a2*b0
  1758. s3 := c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0
  1759. s4 := c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0
  1760. s5 := c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0
  1761. s6 := c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0
  1762. s7 := c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0
  1763. s8 := c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0
  1764. s9 := c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0
  1765. s10 := c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0
  1766. s11 := c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0
  1767. s12 := a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1
  1768. s13 := a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2
  1769. s14 := a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3
  1770. s15 := a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4
  1771. s16 := a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5
  1772. s17 := a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6
  1773. s18 := a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7
  1774. s19 := a8*b11 + a9*b10 + a10*b9 + a11*b8
  1775. s20 := a9*b11 + a10*b10 + a11*b9
  1776. s21 := a10*b11 + a11*b10
  1777. s22 := a11 * b11
  1778. s23 := int64(0)
  1780. carry[0] = (s0 + (1 << 20)) >> 21
  1781. s1 += carry[0]
  1782. s0 -= carry[0] << 21
  1783. carry[2] = (s2 + (1 << 20)) >> 21
  1784. s3 += carry[2]
  1785. s2 -= carry[2] << 21
  1786. carry[4] = (s4 + (1 << 20)) >> 21
  1787. s5 += carry[4]
  1788. s4 -= carry[4] << 21
  1789. carry[6] = (s6 + (1 << 20)) >> 21
  1790. s7 += carry[6]
  1791. s6 -= carry[6] << 21
  1792. carry[8] = (s8 + (1 << 20)) >> 21
  1793. s9 += carry[8]
  1794. s8 -= carry[8] << 21
  1795. carry[10] = (s10 + (1 << 20)) >> 21
  1796. s11 += carry[10]
  1797. s10 -= carry[10] << 21
  1798. carry[12] = (s12 + (1 << 20)) >> 21
  1799. s13 += carry[12]
  1800. s12 -= carry[12] << 21
  1801. carry[14] = (s14 + (1 << 20)) >> 21
  1802. s15 += carry[14]
  1803. s14 -= carry[14] << 21
  1804. carry[16] = (s16 + (1 << 20)) >> 21
  1805. s17 += carry[16]
  1806. s16 -= carry[16] << 21
  1807. carry[18] = (s18 + (1 << 20)) >> 21
  1808. s19 += carry[18]
  1809. s18 -= carry[18] << 21
  1810. carry[20] = (s20 + (1 << 20)) >> 21
  1811. s21 += carry[20]
  1812. s20 -= carry[20] << 21
  1813. carry[22] = (s22 + (1 << 20)) >> 21
  1814. s23 += carry[22]
  1815. s22 -= carry[22] << 21
  1817. carry[1] = (s1 + (1 << 20)) >> 21
  1818. s2 += carry[1]
  1819. s1 -= carry[1] << 21
  1820. carry[3] = (s3 + (1 << 20)) >> 21
  1821. s4 += carry[3]
  1822. s3 -= carry[3] << 21
  1823. carry[5] = (s5 + (1 << 20)) >> 21
  1824. s6 += carry[5]
  1825. s5 -= carry[5] << 21
  1826. carry[7] = (s7 + (1 << 20)) >> 21
  1827. s8 += carry[7]
  1828. s7 -= carry[7] << 21
  1829. carry[9] = (s9 + (1 << 20)) >> 21
  1830. s10 += carry[9]
  1831. s9 -= carry[9] << 21
  1832. carry[11] = (s11 + (1 << 20)) >> 21
  1833. s12 += carry[11]
  1834. s11 -= carry[11] << 21
  1835. carry[13] = (s13 + (1 << 20)) >> 21
  1836. s14 += carry[13]
  1837. s13 -= carry[13] << 21
  1838. carry[15] = (s15 + (1 << 20)) >> 21
  1839. s16 += carry[15]
  1840. s15 -= carry[15] << 21
  1841. carry[17] = (s17 + (1 << 20)) >> 21
  1842. s18 += carry[17]
  1843. s17 -= carry[17] << 21
  1844. carry[19] = (s19 + (1 << 20)) >> 21
  1845. s20 += carry[19]
  1846. s19 -= carry[19] << 21
  1847. carry[21] = (s21 + (1 << 20)) >> 21
  1848. s22 += carry[21]
  1849. s21 -= carry[21] << 21
  1851. s11 += s23 * 666643
  1852. s12 += s23 * 470296
  1853. s13 += s23 * 654183
  1854. s14 -= s23 * 997805
  1855. s15 += s23 * 136657
  1856. s16 -= s23 * 683901
  1857. s23 = 0
  1859. s10 += s22 * 666643
  1860. s11 += s22 * 470296
  1861. s12 += s22 * 654183
  1862. s13 -= s22 * 997805
  1863. s14 += s22 * 136657
  1864. s15 -= s22 * 683901
  1865. s22 = 0
  1867. s9 += s21 * 666643
  1868. s10 += s21 * 470296
  1869. s11 += s21 * 654183
  1870. s12 -= s21 * 997805
  1871. s13 += s21 * 136657
  1872. s14 -= s21 * 683901
  1873. s21 = 0
  1875. s8 += s20 * 666643
  1876. s9 += s20 * 470296
  1877. s10 += s20 * 654183
  1878. s11 -= s20 * 997805
  1879. s12 += s20 * 136657
  1880. s13 -= s20 * 683901
  1881. s20 = 0
  1883. s7 += s19 * 666643
  1884. s8 += s19 * 470296
  1885. s9 += s19 * 654183
  1886. s10 -= s19 * 997805
  1887. s11 += s19 * 136657
  1888. s12 -= s19 * 683901
  1889. s19 = 0
  1891. s6 += s18 * 666643
  1892. s7 += s18 * 470296
  1893. s8 += s18 * 654183
  1894. s9 -= s18 * 997805
  1895. s10 += s18 * 136657
  1896. s11 -= s18 * 683901
  1897. s18 = 0
  1899. carry[6] = (s6 + (1 << 20)) >> 21
  1900. s7 += carry[6]
  1901. s6 -= carry[6] << 21
  1902. carry[8] = (s8 + (1 << 20)) >> 21
  1903. s9 += carry[8]
  1904. s8 -= carry[8] << 21
  1905. carry[10] = (s10 + (1 << 20)) >> 21
  1906. s11 += carry[10]
  1907. s10 -= carry[10] << 21
  1908. carry[12] = (s12 + (1 << 20)) >> 21
  1909. s13 += carry[12]
  1910. s12 -= carry[12] << 21
  1911. carry[14] = (s14 + (1 << 20)) >> 21
  1912. s15 += carry[14]
  1913. s14 -= carry[14] << 21
  1914. carry[16] = (s16 + (1 << 20)) >> 21
  1915. s17 += carry[16]
  1916. s16 -= carry[16] << 21
  1918. carry[7] = (s7 + (1 << 20)) >> 21
  1919. s8 += carry[7]
  1920. s7 -= carry[7] << 21
  1921. carry[9] = (s9 + (1 << 20)) >> 21
  1922. s10 += carry[9]
  1923. s9 -= carry[9] << 21
  1924. carry[11] = (s11 + (1 << 20)) >> 21
  1925. s12 += carry[11]
  1926. s11 -= carry[11] << 21
  1927. carry[13] = (s13 + (1 << 20)) >> 21
  1928. s14 += carry[13]
  1929. s13 -= carry[13] << 21
  1930. carry[15] = (s15 + (1 << 20)) >> 21
  1931. s16 += carry[15]
  1932. s15 -= carry[15] << 21
  1934. s5 += s17 * 666643
  1935. s6 += s17 * 470296
  1936. s7 += s17 * 654183
  1937. s8 -= s17 * 997805
  1938. s9 += s17 * 136657
  1939. s10 -= s17 * 683901
  1940. s17 = 0
  1942. s4 += s16 * 666643
  1943. s5 += s16 * 470296
  1944. s6 += s16 * 654183
  1945. s7 -= s16 * 997805
  1946. s8 += s16 * 136657
  1947. s9 -= s16 * 683901
  1948. s16 = 0
  1950. s3 += s15 * 666643
  1951. s4 += s15 * 470296
  1952. s5 += s15 * 654183
  1953. s6 -= s15 * 997805
  1954. s7 += s15 * 136657
  1955. s8 -= s15 * 683901
  1956. s15 = 0
  1958. s2 += s14 * 666643
  1959. s3 += s14 * 470296
  1960. s4 += s14 * 654183
  1961. s5 -= s14 * 997805
  1962. s6 += s14 * 136657
  1963. s7 -= s14 * 683901
  1964. s14 = 0
  1966. s1 += s13 * 666643
  1967. s2 += s13 * 470296
  1968. s3 += s13 * 654183
  1969. s4 -= s13 * 997805
  1970. s5 += s13 * 136657
  1971. s6 -= s13 * 683901
  1972. s13 = 0
  1974. s0 += s12 * 666643
  1975. s1 += s12 * 470296
  1976. s2 += s12 * 654183
  1977. s3 -= s12 * 997805
  1978. s4 += s12 * 136657
  1979. s5 -= s12 * 683901
  1980. s12 = 0
  1982. carry[0] = (s0 + (1 << 20)) >> 21
  1983. s1 += carry[0]
  1984. s0 -= carry[0] << 21
  1985. carry[2] = (s2 + (1 << 20)) >> 21
  1986. s3 += carry[2]
  1987. s2 -= carry[2] << 21
  1988. carry[4] = (s4 + (1 << 20)) >> 21
  1989. s5 += carry[4]
  1990. s4 -= carry[4] << 21
  1991. carry[6] = (s6 + (1 << 20)) >> 21
  1992. s7 += carry[6]
  1993. s6 -= carry[6] << 21
  1994. carry[8] = (s8 + (1 << 20)) >> 21
  1995. s9 += carry[8]
  1996. s8 -= carry[8] << 21
  1997. carry[10] = (s10 + (1 << 20)) >> 21
  1998. s11 += carry[10]
  1999. s10 -= carry[10] << 21
  2001. carry[1] = (s1 + (1 << 20)) >> 21
  2002. s2 += carry[1]
  2003. s1 -= carry[1] << 21
  2004. carry[3] = (s3 + (1 << 20)) >> 21
  2005. s4 += carry[3]
  2006. s3 -= carry[3] << 21
  2007. carry[5] = (s5 + (1 << 20)) >> 21
  2008. s6 += carry[5]
  2009. s5 -= carry[5] << 21
  2010. carry[7] = (s7 + (1 << 20)) >> 21
  2011. s8 += carry[7]
  2012. s7 -= carry[7] << 21
  2013. carry[9] = (s9 + (1 << 20)) >> 21
  2014. s10 += carry[9]
  2015. s9 -= carry[9] << 21
  2016. carry[11] = (s11 + (1 << 20)) >> 21
  2017. s12 += carry[11]
  2018. s11 -= carry[11] << 21
  2020. s0 += s12 * 666643
  2021. s1 += s12 * 470296
  2022. s2 += s12 * 654183
  2023. s3 -= s12 * 997805
  2024. s4 += s12 * 136657
  2025. s5 -= s12 * 683901
  2026. s12 = 0
  2028. carry[0] = s0 >> 21
  2029. s1 += carry[0]
  2030. s0 -= carry[0] << 21
  2031. carry[1] = s1 >> 21
  2032. s2 += carry[1]
  2033. s1 -= carry[1] << 21
  2034. carry[2] = s2 >> 21
  2035. s3 += carry[2]
  2036. s2 -= carry[2] << 21
  2037. carry[3] = s3 >> 21
  2038. s4 += carry[3]
  2039. s3 -= carry[3] << 21
  2040. carry[4] = s4 >> 21
  2041. s5 += carry[4]
  2042. s4 -= carry[4] << 21
  2043. carry[5] = s5 >> 21
  2044. s6 += carry[5]
  2045. s5 -= carry[5] << 21
  2046. carry[6] = s6 >> 21
  2047. s7 += carry[6]
  2048. s6 -= carry[6] << 21
  2049. carry[7] = s7 >> 21
  2050. s8 += carry[7]
  2051. s7 -= carry[7] << 21
  2052. carry[8] = s8 >> 21
  2053. s9 += carry[8]
  2054. s8 -= carry[8] << 21
  2055. carry[9] = s9 >> 21
  2056. s10 += carry[9]
  2057. s9 -= carry[9] << 21
  2058. carry[10] = s10 >> 21
  2059. s11 += carry[10]
  2060. s10 -= carry[10] << 21
  2061. carry[11] = s11 >> 21
  2062. s12 += carry[11]
  2063. s11 -= carry[11] << 21
  2065. s0 += s12 * 666643
  2066. s1 += s12 * 470296
  2067. s2 += s12 * 654183
  2068. s3 -= s12 * 997805
  2069. s4 += s12 * 136657
  2070. s5 -= s12 * 683901
  2071. s12 = 0
  2073. carry[0] = s0 >> 21
  2074. s1 += carry[0]
  2075. s0 -= carry[0] << 21
  2076. carry[1] = s1 >> 21
  2077. s2 += carry[1]
  2078. s1 -= carry[1] << 21
  2079. carry[2] = s2 >> 21
  2080. s3 += carry[2]
  2081. s2 -= carry[2] << 21
  2082. carry[3] = s3 >> 21
  2083. s4 += carry[3]
  2084. s3 -= carry[3] << 21
  2085. carry[4] = s4 >> 21
  2086. s5 += carry[4]
  2087. s4 -= carry[4] << 21
  2088. carry[5] = s5 >> 21
  2089. s6 += carry[5]
  2090. s5 -= carry[5] << 21
  2091. carry[6] = s6 >> 21
  2092. s7 += carry[6]
  2093. s6 -= carry[6] << 21
  2094. carry[7] = s7 >> 21
  2095. s8 += carry[7]
  2096. s7 -= carry[7] << 21
  2097. carry[8] = s8 >> 21
  2098. s9 += carry[8]
  2099. s8 -= carry[8] << 21
  2100. carry[9] = s9 >> 21
  2101. s10 += carry[9]
  2102. s9 -= carry[9] << 21
  2103. carry[10] = s10 >> 21
  2104. s11 += carry[10]
  2105. s10 -= carry[10] << 21
  2107. s[0] = byte(s0 >> 0)
  2108. s[1] = byte(s0 >> 8)
  2109. s[2] = byte((s0 >> 16) | (s1 << 5))
  2110. s[3] = byte(s1 >> 3)
  2111. s[4] = byte(s1 >> 11)
  2112. s[5] = byte((s1 >> 19) | (s2 << 2))
  2113. s[6] = byte(s2 >> 6)
  2114. s[7] = byte((s2 >> 14) | (s3 << 7))
  2115. s[8] = byte(s3 >> 1)
  2116. s[9] = byte(s3 >> 9)
  2117. s[10] = byte((s3 >> 17) | (s4 << 4))
  2118. s[11] = byte(s4 >> 4)
  2119. s[12] = byte(s4 >> 12)
  2120. s[13] = byte((s4 >> 20) | (s5 << 1))
  2121. s[14] = byte(s5 >> 7)
  2122. s[15] = byte((s5 >> 15) | (s6 << 6))
  2123. s[16] = byte(s6 >> 2)
  2124. s[17] = byte(s6 >> 10)
  2125. s[18] = byte((s6 >> 18) | (s7 << 3))
  2126. s[19] = byte(s7 >> 5)
  2127. s[20] = byte(s7 >> 13)
  2128. s[21] = byte(s8 >> 0)
  2129. s[22] = byte(s8 >> 8)
  2130. s[23] = byte((s8 >> 16) | (s9 << 5))
  2131. s[24] = byte(s9 >> 3)
  2132. s[25] = byte(s9 >> 11)
  2133. s[26] = byte((s9 >> 19) | (s10 << 2))
  2134. s[27] = byte(s10 >> 6)
  2135. s[28] = byte((s10 >> 14) | (s11 << 7))
  2136. s[29] = byte(s11 >> 1)
  2137. s[30] = byte(s11 >> 9)
  2138. s[31] = byte(s11 >> 17)
  2139. }
  2141. // Input:
  2142. // a[0]+256*a[1]+...+256^31*a[31] = a
  2143. // b[0]+256*b[1]+...+256^31*b[31] = b
  2144. // c[0]+256*c[1]+...+256^31*c[31] = c
  2145. //
  2146. // Output:
  2147. // s[0]+256*s[1]+...+256^31*s[31] = (c-ab) mod l
  2148. // where l = 2^252 + 27742317777372353535851937790883648493.
  2149. func ScMulSub(s, a, b, c *Key) {
  2150. a0 := 2097151 & load3(a[:])
  2151. a1 := 2097151 & (load4(a[2:]) >> 5)
  2152. a2 := 2097151 & (load3(a[5:]) >> 2)
  2153. a3 := 2097151 & (load4(a[7:]) >> 7)
  2154. a4 := 2097151 & (load4(a[10:]) >> 4)
  2155. a5 := 2097151 & (load3(a[13:]) >> 1)
  2156. a6 := 2097151 & (load4(a[15:]) >> 6)
  2157. a7 := 2097151 & (load3(a[18:]) >> 3)
  2158. a8 := 2097151 & load3(a[21:])
  2159. a9 := 2097151 & (load4(a[23:]) >> 5)
  2160. a10 := 2097151 & (load3(a[26:]) >> 2)
  2161. a11 := (load4(a[28:]) >> 7)
  2162. b0 := 2097151 & load3(b[:])
  2163. b1 := 2097151 & (load4(b[2:]) >> 5)
  2164. b2 := 2097151 & (load3(b[5:]) >> 2)
  2165. b3 := 2097151 & (load4(b[7:]) >> 7)
  2166. b4 := 2097151 & (load4(b[10:]) >> 4)
  2167. b5 := 2097151 & (load3(b[13:]) >> 1)
  2168. b6 := 2097151 & (load4(b[15:]) >> 6)
  2169. b7 := 2097151 & (load3(b[18:]) >> 3)
  2170. b8 := 2097151 & load3(b[21:])
  2171. b9 := 2097151 & (load4(b[23:]) >> 5)
  2172. b10 := 2097151 & (load3(b[26:]) >> 2)
  2173. b11 := (load4(b[28:]) >> 7)
  2174. c0 := 2097151 & load3(c[:])
  2175. c1 := 2097151 & (load4(c[2:]) >> 5)
  2176. c2 := 2097151 & (load3(c[5:]) >> 2)
  2177. c3 := 2097151 & (load4(c[7:]) >> 7)
  2178. c4 := 2097151 & (load4(c[10:]) >> 4)
  2179. c5 := 2097151 & (load3(c[13:]) >> 1)
  2180. c6 := 2097151 & (load4(c[15:]) >> 6)
  2181. c7 := 2097151 & (load3(c[18:]) >> 3)
  2182. c8 := 2097151 & load3(c[21:])
  2183. c9 := 2097151 & (load4(c[23:]) >> 5)
  2184. c10 := 2097151 & (load3(c[26:]) >> 2)
  2185. c11 := (load4(c[28:]) >> 7)
  2186. var carry [23]int64
  2188. s0 := c0 - a0*b0
  2189. s1 := c1 - a0*b1 - a1*b0
  2190. s2 := c2 - a0*b2 - a1*b1 - a2*b0
  2191. s3 := c3 - a0*b3 - a1*b2 - a2*b1 - a3*b0
  2192. s4 := c4 - a0*b4 - a1*b3 - a2*b2 - a3*b1 - a4*b0
  2193. s5 := c5 - a0*b5 - a1*b4 - a2*b3 - a3*b2 - a4*b1 - a5*b0
  2194. s6 := c6 - a0*b6 - a1*b5 - a2*b4 - a3*b3 - a4*b2 - a5*b1 - a6*b0
  2195. s7 := c7 - a0*b7 - a1*b6 - a2*b5 - a3*b4 - a4*b3 - a5*b2 - a6*b1 - a7*b0
  2196. s8 := c8 - a0*b8 - a1*b7 - a2*b6 - a3*b5 - a4*b4 - a5*b3 - a6*b2 - a7*b1 - a8*b0
  2197. s9 := c9 - a0*b9 - a1*b8 - a2*b7 - a3*b6 - a4*b5 - a5*b4 - a6*b3 - a7*b2 - a8*b1 - a9*b0
  2198. s10 := c10 - a0*b10 - a1*b9 - a2*b8 - a3*b7 - a4*b6 - a5*b5 - a6*b4 - a7*b3 - a8*b2 - a9*b1 - a10*b0
  2199. s11 := c11 - a0*b11 - a1*b10 - a2*b9 - a3*b8 - a4*b7 - a5*b6 - a6*b5 - a7*b4 - a8*b3 - a9*b2 - a10*b1 - a11*b0
  2200. s12 := -a1*b11 - a2*b10 - a3*b9 - a4*b8 - a5*b7 - a6*b6 - a7*b5 - a8*b4 - a9*b3 - a10*b2 - a11*b1
  2201. s13 := -a2*b11 - a3*b10 - a4*b9 - a5*b8 - a6*b7 - a7*b6 - a8*b5 - a9*b4 - a10*b3 - a11*b2
  2202. s14 := -a3*b11 - a4*b10 - a5*b9 - a6*b8 - a7*b7 - a8*b6 - a9*b5 - a10*b4 - a11*b3
  2203. s15 := -a4*b11 - a5*b10 - a6*b9 - a7*b8 - a8*b7 - a9*b6 - a10*b5 - a11*b4
  2204. s16 := -a5*b11 - a6*b10 - a7*b9 - a8*b8 - a9*b7 - a10*b6 - a11*b5
  2205. s17 := -a6*b11 - a7*b10 - a8*b9 - a9*b8 - a10*b7 - a11*b6
  2206. s18 := -a7*b11 - a8*b10 - a9*b9 - a10*b8 - a11*b7
  2207. s19 := -a8*b11 - a9*b10 - a10*b9 - a11*b8
  2208. s20 := -a9*b11 - a10*b10 - a11*b9
  2209. s21 := -a10*b11 - a11*b10
  2210. s22 := -a11 * b11
  2211. s23 := int64(0)
  2213. carry[0] = (s0 + (1 << 20)) >> 21
  2214. s1 += carry[0]
  2215. s0 -= carry[0] << 21
  2216. carry[2] = (s2 + (1 << 20)) >> 21
  2217. s3 += carry[2]
  2218. s2 -= carry[2] << 21
  2219. carry[4] = (s4 + (1 << 20)) >> 21
  2220. s5 += carry[4]
  2221. s4 -= carry[4] << 21
  2222. carry[6] = (s6 + (1 << 20)) >> 21
  2223. s7 += carry[6]
  2224. s6 -= carry[6] << 21
  2225. carry[8] = (s8 + (1 << 20)) >> 21
  2226. s9 += carry[8]
  2227. s8 -= carry[8] << 21
  2228. carry[10] = (s10 + (1 << 20)) >> 21
  2229. s11 += carry[10]
  2230. s10 -= carry[10] << 21
  2231. carry[12] = (s12 + (1 << 20)) >> 21
  2232. s13 += carry[12]
  2233. s12 -= carry[12] << 21
  2234. carry[14] = (s14 + (1 << 20)) >> 21
  2235. s15 += carry[14]
  2236. s14 -= carry[14] << 21
  2237. carry[16] = (s16 + (1 << 20)) >> 21
  2238. s17 += carry[16]
  2239. s16 -= carry[16] << 21
  2240. carry[18] = (s18 + (1 << 20)) >> 21
  2241. s19 += carry[18]
  2242. s18 -= carry[18] << 21
  2243. carry[20] = (s20 + (1 << 20)) >> 21
  2244. s21 += carry[20]
  2245. s20 -= carry[20] << 21
  2246. carry[22] = (s22 + (1 << 20)) >> 21
  2247. s23 += carry[22]
  2248. s22 -= carry[22] << 21
  2250. carry[1] = (s1 + (1 << 20)) >> 21
  2251. s2 += carry[1]
  2252. s1 -= carry[1] << 21
  2253. carry[3] = (s3 + (1 << 20)) >> 21
  2254. s4 += carry[3]
  2255. s3 -= carry[3] << 21
  2256. carry[5] = (s5 + (1 << 20)) >> 21
  2257. s6 += carry[5]
  2258. s5 -= carry[5] << 21
  2259. carry[7] = (s7 + (1 << 20)) >> 21
  2260. s8 += carry[7]
  2261. s7 -= carry[7] << 21
  2262. carry[9] = (s9 + (1 << 20)) >> 21
  2263. s10 += carry[9]
  2264. s9 -= carry[9] << 21
  2265. carry[11] = (s11 + (1 << 20)) >> 21
  2266. s12 += carry[11]
  2267. s11 -= carry[11] << 21
  2268. carry[13] = (s13 + (1 << 20)) >> 21
  2269. s14 += carry[13]
  2270. s13 -= carry[13] << 21
  2271. carry[15] = (s15 + (1 << 20)) >> 21
  2272. s16 += carry[15]
  2273. s15 -= carry[15] << 21
  2274. carry[17] = (s17 + (1 << 20)) >> 21
  2275. s18 += carry[17]
  2276. s17 -= carry[17] << 21
  2277. carry[19] = (s19 + (1 << 20)) >> 21
  2278. s20 += carry[19]
  2279. s19 -= carry[19] << 21
  2280. carry[21] = (s21 + (1 << 20)) >> 21
  2281. s22 += carry[21]
  2282. s21 -= carry[21] << 21
  2284. s11 += s23 * 666643
  2285. s12 += s23 * 470296
  2286. s13 += s23 * 654183
  2287. s14 -= s23 * 997805
  2288. s15 += s23 * 136657
  2289. s16 -= s23 * 683901
  2290. s23 = 0
  2292. s10 += s22 * 666643
  2293. s11 += s22 * 470296
  2294. s12 += s22 * 654183
  2295. s13 -= s22 * 997805
  2296. s14 += s22 * 136657
  2297. s15 -= s22 * 683901
  2298. s22 = 0
  2300. s9 += s21 * 666643
  2301. s10 += s21 * 470296
  2302. s11 += s21 * 654183
  2303. s12 -= s21 * 997805
  2304. s13 += s21 * 136657
  2305. s14 -= s21 * 683901
  2306. s21 = 0
  2308. s8 += s20 * 666643
  2309. s9 += s20 * 470296
  2310. s10 += s20 * 654183
  2311. s11 -= s20 * 997805
  2312. s12 += s20 * 136657
  2313. s13 -= s20 * 683901
  2314. s20 = 0
  2316. s7 += s19 * 666643
  2317. s8 += s19 * 470296
  2318. s9 += s19 * 654183
  2319. s10 -= s19 * 997805
  2320. s11 += s19 * 136657
  2321. s12 -= s19 * 683901
  2322. s19 = 0
  2324. s6 += s18 * 666643
  2325. s7 += s18 * 470296
  2326. s8 += s18 * 654183
  2327. s9 -= s18 * 997805
  2328. s10 += s18 * 136657
  2329. s11 -= s18 * 683901
  2330. s18 = 0
  2332. carry[6] = (s6 + (1 << 20)) >> 21
  2333. s7 += carry[6]
  2334. s6 -= carry[6] << 21
  2335. carry[8] = (s8 + (1 << 20)) >> 21
  2336. s9 += carry[8]
  2337. s8 -= carry[8] << 21
  2338. carry[10] = (s10 + (1 << 20)) >> 21
  2339. s11 += carry[10]
  2340. s10 -= carry[10] << 21
  2341. carry[12] = (s12 + (1 << 20)) >> 21
  2342. s13 += carry[12]
  2343. s12 -= carry[12] << 21
  2344. carry[14] = (s14 + (1 << 20)) >> 21
  2345. s15 += carry[14]
  2346. s14 -= carry[14] << 21
  2347. carry[16] = (s16 + (1 << 20)) >> 21
  2348. s17 += carry[16]
  2349. s16 -= carry[16] << 21
  2351. carry[7] = (s7 + (1 << 20)) >> 21
  2352. s8 += carry[7]
  2353. s7 -= carry[7] << 21
  2354. carry[9] = (s9 + (1 << 20)) >> 21
  2355. s10 += carry[9]
  2356. s9 -= carry[9] << 21
  2357. carry[11] = (s11 + (1 << 20)) >> 21
  2358. s12 += carry[11]
  2359. s11 -= carry[11] << 21
  2360. carry[13] = (s13 + (1 << 20)) >> 21
  2361. s14 += carry[13]
  2362. s13 -= carry[13] << 21
  2363. carry[15] = (s15 + (1 << 20)) >> 21
  2364. s16 += carry[15]
  2365. s15 -= carry[15] << 21
  2367. s5 += s17 * 666643
  2368. s6 += s17 * 470296
  2369. s7 += s17 * 654183
  2370. s8 -= s17 * 997805
  2371. s9 += s17 * 136657
  2372. s10 -= s17 * 683901
  2373. s17 = 0
  2375. s4 += s16 * 666643
  2376. s5 += s16 * 470296
  2377. s6 += s16 * 654183
  2378. s7 -= s16 * 997805
  2379. s8 += s16 * 136657
  2380. s9 -= s16 * 683901
  2381. s16 = 0
  2383. s3 += s15 * 666643
  2384. s4 += s15 * 470296
  2385. s5 += s15 * 654183
  2386. s6 -= s15 * 997805
  2387. s7 += s15 * 136657
  2388. s8 -= s15 * 683901
  2389. s15 = 0
  2391. s2 += s14 * 666643
  2392. s3 += s14 * 470296
  2393. s4 += s14 * 654183
  2394. s5 -= s14 * 997805
  2395. s6 += s14 * 136657
  2396. s7 -= s14 * 683901
  2397. s14 = 0
  2399. s1 += s13 * 666643
  2400. s2 += s13 * 470296
  2401. s3 += s13 * 654183
  2402. s4 -= s13 * 997805
  2403. s5 += s13 * 136657
  2404. s6 -= s13 * 683901
  2405. s13 = 0
  2407. s0 += s12 * 666643
  2408. s1 += s12 * 470296
  2409. s2 += s12 * 654183
  2410. s3 -= s12 * 997805
  2411. s4 += s12 * 136657
  2412. s5 -= s12 * 683901
  2413. s12 = 0
  2415. carry[0] = (s0 + (1 << 20)) >> 21
  2416. s1 += carry[0]
  2417. s0 -= carry[0] << 21
  2418. carry[2] = (s2 + (1 << 20)) >> 21
  2419. s3 += carry[2]
  2420. s2 -= carry[2] << 21
  2421. carry[4] = (s4 + (1 << 20)) >> 21
  2422. s5 += carry[4]
  2423. s4 -= carry[4] << 21
  2424. carry[6] = (s6 + (1 << 20)) >> 21
  2425. s7 += carry[6]
  2426. s6 -= carry[6] << 21
  2427. carry[8] = (s8 + (1 << 20)) >> 21
  2428. s9 += carry[8]
  2429. s8 -= carry[8] << 21
  2430. carry[10] = (s10 + (1 << 20)) >> 21
  2431. s11 += carry[10]
  2432. s10 -= carry[10] << 21
  2434. carry[1] = (s1 + (1 << 20)) >> 21
  2435. s2 += carry[1]
  2436. s1 -= carry[1] << 21
  2437. carry[3] = (s3 + (1 << 20)) >> 21
  2438. s4 += carry[3]
  2439. s3 -= carry[3] << 21
  2440. carry[5] = (s5 + (1 << 20)) >> 21
  2441. s6 += carry[5]
  2442. s5 -= carry[5] << 21
  2443. carry[7] = (s7 + (1 << 20)) >> 21
  2444. s8 += carry[7]
  2445. s7 -= carry[7] << 21
  2446. carry[9] = (s9 + (1 << 20)) >> 21
  2447. s10 += carry[9]
  2448. s9 -= carry[9] << 21
  2449. carry[11] = (s11 + (1 << 20)) >> 21
  2450. s12 += carry[11]
  2451. s11 -= carry[11] << 21
  2453. s0 += s12 * 666643
  2454. s1 += s12 * 470296
  2455. s2 += s12 * 654183
  2456. s3 -= s12 * 997805
  2457. s4 += s12 * 136657
  2458. s5 -= s12 * 683901
  2459. s12 = 0
  2461. carry[0] = s0 >> 21
  2462. s1 += carry[0]
  2463. s0 -= carry[0] << 21
  2464. carry[1] = s1 >> 21
  2465. s2 += carry[1]
  2466. s1 -= carry[1] << 21
  2467. carry[2] = s2 >> 21
  2468. s3 += carry[2]
  2469. s2 -= carry[2] << 21
  2470. carry[3] = s3 >> 21
  2471. s4 += carry[3]
  2472. s3 -= carry[3] << 21
  2473. carry[4] = s4 >> 21
  2474. s5 += carry[4]
  2475. s4 -= carry[4] << 21
  2476. carry[5] = s5 >> 21
  2477. s6 += carry[5]
  2478. s5 -= carry[5] << 21
  2479. carry[6] = s6 >> 21
  2480. s7 += carry[6]
  2481. s6 -= carry[6] << 21
  2482. carry[7] = s7 >> 21
  2483. s8 += carry[7]
  2484. s7 -= carry[7] << 21
  2485. carry[8] = s8 >> 21
  2486. s9 += carry[8]
  2487. s8 -= carry[8] << 21
  2488. carry[9] = s9 >> 21
  2489. s10 += carry[9]
  2490. s9 -= carry[9] << 21
  2491. carry[10] = s10 >> 21
  2492. s11 += carry[10]
  2493. s10 -= carry[10] << 21
  2494. carry[11] = s11 >> 21
  2495. s12 += carry[11]
  2496. s11 -= carry[11] << 21
  2498. s0 += s12 * 666643
  2499. s1 += s12 * 470296
  2500. s2 += s12 * 654183
  2501. s3 -= s12 * 997805
  2502. s4 += s12 * 136657
  2503. s5 -= s12 * 683901
  2504. s12 = 0
  2506. carry[0] = s0 >> 21
  2507. s1 += carry[0]
  2508. s0 -= carry[0] << 21
  2509. carry[1] = s1 >> 21
  2510. s2 += carry[1]
  2511. s1 -= carry[1] << 21
  2512. carry[2] = s2 >> 21
  2513. s3 += carry[2]
  2514. s2 -= carry[2] << 21
  2515. carry[3] = s3 >> 21
  2516. s4 += carry[3]
  2517. s3 -= carry[3] << 21
  2518. carry[4] = s4 >> 21
  2519. s5 += carry[4]
  2520. s4 -= carry[4] << 21
  2521. carry[5] = s5 >> 21
  2522. s6 += carry[5]
  2523. s5 -= carry[5] << 21
  2524. carry[6] = s6 >> 21
  2525. s7 += carry[6]
  2526. s6 -= carry[6] << 21
  2527. carry[7] = s7 >> 21
  2528. s8 += carry[7]
  2529. s7 -= carry[7] << 21
  2530. carry[8] = s8 >> 21
  2531. s9 += carry[8]
  2532. s8 -= carry[8] << 21
  2533. carry[9] = s9 >> 21
  2534. s10 += carry[9]
  2535. s9 -= carry[9] << 21
  2536. carry[10] = s10 >> 21
  2537. s11 += carry[10]
  2538. s10 -= carry[10] << 21
  2540. s[0] = byte(s0 >> 0)
  2541. s[1] = byte(s0 >> 8)
  2542. s[2] = byte((s0 >> 16) | (s1 << 5))
  2543. s[3] = byte(s1 >> 3)
  2544. s[4] = byte(s1 >> 11)
  2545. s[5] = byte((s1 >> 19) | (s2 << 2))
  2546. s[6] = byte(s2 >> 6)
  2547. s[7] = byte((s2 >> 14) | (s3 << 7))
  2548. s[8] = byte(s3 >> 1)
  2549. s[9] = byte(s3 >> 9)
  2550. s[10] = byte((s3 >> 17) | (s4 << 4))
  2551. s[11] = byte(s4 >> 4)
  2552. s[12] = byte(s4 >> 12)
  2553. s[13] = byte((s4 >> 20) | (s5 << 1))
  2554. s[14] = byte(s5 >> 7)
  2555. s[15] = byte((s5 >> 15) | (s6 << 6))
  2556. s[16] = byte(s6 >> 2)
  2557. s[17] = byte(s6 >> 10)
  2558. s[18] = byte((s6 >> 18) | (s7 << 3))
  2559. s[19] = byte(s7 >> 5)
  2560. s[20] = byte(s7 >> 13)
  2561. s[21] = byte(s8 >> 0)
  2562. s[22] = byte(s8 >> 8)
  2563. s[23] = byte((s8 >> 16) | (s9 << 5))
  2564. s[24] = byte(s9 >> 3)
  2565. s[25] = byte(s9 >> 11)
  2566. s[26] = byte((s9 >> 19) | (s10 << 2))
  2567. s[27] = byte(s10 >> 6)
  2568. s[28] = byte((s10 >> 14) | (s11 << 7))
  2569. s[29] = byte(s11 >> 1)
  2570. s[30] = byte(s11 >> 9)
  2571. s[31] = byte(s11 >> 17)
  2572. }
  2574. // Input:
  2575. // s[0]+256*s[1]+...+256^63*s[63] = s
  2576. //
  2577. // Output:
  2578. // s[0]+256*s[1]+...+256^31*s[31] = s mod l
  2579. // where l = 2^252 + 27742317777372353535851937790883648493.
  2580. func ScReduce(out *Key, s *[64]byte) {
  2581. s0 := 2097151 & load3(s[:])
  2582. s1 := 2097151 & (load4(s[2:]) >> 5)
  2583. s2 := 2097151 & (load3(s[5:]) >> 2)
  2584. s3 := 2097151 & (load4(s[7:]) >> 7)
  2585. s4 := 2097151 & (load4(s[10:]) >> 4)
  2586. s5 := 2097151 & (load3(s[13:]) >> 1)
  2587. s6 := 2097151 & (load4(s[15:]) >> 6)
  2588. s7 := 2097151 & (load3(s[18:]) >> 3)
  2589. s8 := 2097151 & load3(s[21:])
  2590. s9 := 2097151 & (load4(s[23:]) >> 5)
  2591. s10 := 2097151 & (load3(s[26:]) >> 2)
  2592. s11 := 2097151 & (load4(s[28:]) >> 7)
  2593. s12 := 2097151 & (load4(s[31:]) >> 4)
  2594. s13 := 2097151 & (load3(s[34:]) >> 1)
  2595. s14 := 2097151 & (load4(s[36:]) >> 6)
  2596. s15 := 2097151 & (load3(s[39:]) >> 3)
  2597. s16 := 2097151 & load3(s[42:])
  2598. s17 := 2097151 & (load4(s[44:]) >> 5)
  2599. s18 := 2097151 & (load3(s[47:]) >> 2)
  2600. s19 := 2097151 & (load4(s[49:]) >> 7)
  2601. s20 := 2097151 & (load4(s[52:]) >> 4)
  2602. s21 := 2097151 & (load3(s[55:]) >> 1)
  2603. s22 := 2097151 & (load4(s[57:]) >> 6)
  2604. s23 := (load4(s[60:]) >> 3)
  2606. s11 += s23 * 666643
  2607. s12 += s23 * 470296
  2608. s13 += s23 * 654183
  2609. s14 -= s23 * 997805
  2610. s15 += s23 * 136657
  2611. s16 -= s23 * 683901
  2612. s23 = 0
  2614. s10 += s22 * 666643
  2615. s11 += s22 * 470296
  2616. s12 += s22 * 654183
  2617. s13 -= s22 * 997805
  2618. s14 += s22 * 136657
  2619. s15 -= s22 * 683901
  2620. s22 = 0
  2622. s9 += s21 * 666643
  2623. s10 += s21 * 470296
  2624. s11 += s21 * 654183
  2625. s12 -= s21 * 997805
  2626. s13 += s21 * 136657
  2627. s14 -= s21 * 683901
  2628. s21 = 0
  2630. s8 += s20 * 666643
  2631. s9 += s20 * 470296
  2632. s10 += s20 * 654183
  2633. s11 -= s20 * 997805
  2634. s12 += s20 * 136657
  2635. s13 -= s20 * 683901
  2636. s20 = 0
  2638. s7 += s19 * 666643
  2639. s8 += s19 * 470296
  2640. s9 += s19 * 654183
  2641. s10 -= s19 * 997805
  2642. s11 += s19 * 136657
  2643. s12 -= s19 * 683901
  2644. s19 = 0
  2646. s6 += s18 * 666643
  2647. s7 += s18 * 470296
  2648. s8 += s18 * 654183
  2649. s9 -= s18 * 997805
  2650. s10 += s18 * 136657
  2651. s11 -= s18 * 683901
  2652. s18 = 0
  2654. var carry [17]int64
  2656. carry[6] = (s6 + (1 << 20)) >> 21
  2657. s7 += carry[6]
  2658. s6 -= carry[6] << 21
  2659. carry[8] = (s8 + (1 << 20)) >> 21
  2660. s9 += carry[8]
  2661. s8 -= carry[8] << 21
  2662. carry[10] = (s10 + (1 << 20)) >> 21
  2663. s11 += carry[10]
  2664. s10 -= carry[10] << 21
  2665. carry[12] = (s12 + (1 << 20)) >> 21
  2666. s13 += carry[12]
  2667. s12 -= carry[12] << 21
  2668. carry[14] = (s14 + (1 << 20)) >> 21
  2669. s15 += carry[14]
  2670. s14 -= carry[14] << 21
  2671. carry[16] = (s16 + (1 << 20)) >> 21
  2672. s17 += carry[16]
  2673. s16 -= carry[16] << 21
  2675. carry[7] = (s7 + (1 << 20)) >> 21
  2676. s8 += carry[7]
  2677. s7 -= carry[7] << 21
  2678. carry[9] = (s9 + (1 << 20)) >> 21
  2679. s10 += carry[9]
  2680. s9 -= carry[9] << 21
  2681. carry[11] = (s11 + (1 << 20)) >> 21
  2682. s12 += carry[11]
  2683. s11 -= carry[11] << 21
  2684. carry[13] = (s13 + (1 << 20)) >> 21
  2685. s14 += carry[13]
  2686. s13 -= carry[13] << 21
  2687. carry[15] = (s15 + (1 << 20)) >> 21
  2688. s16 += carry[15]
  2689. s15 -= carry[15] << 21
  2691. s5 += s17 * 666643
  2692. s6 += s17 * 470296
  2693. s7 += s17 * 654183
  2694. s8 -= s17 * 997805
  2695. s9 += s17 * 136657
  2696. s10 -= s17 * 683901
  2697. s17 = 0
  2699. s4 += s16 * 666643
  2700. s5 += s16 * 470296
  2701. s6 += s16 * 654183
  2702. s7 -= s16 * 997805
  2703. s8 += s16 * 136657
  2704. s9 -= s16 * 683901
  2705. s16 = 0
  2707. s3 += s15 * 666643
  2708. s4 += s15 * 470296
  2709. s5 += s15 * 654183
  2710. s6 -= s15 * 997805
  2711. s7 += s15 * 136657
  2712. s8 -= s15 * 683901
  2713. s15 = 0
  2715. s2 += s14 * 666643
  2716. s3 += s14 * 470296
  2717. s4 += s14 * 654183
  2718. s5 -= s14 * 997805
  2719. s6 += s14 * 136657
  2720. s7 -= s14 * 683901
  2721. s14 = 0
  2723. s1 += s13 * 666643
  2724. s2 += s13 * 470296
  2725. s3 += s13 * 654183
  2726. s4 -= s13 * 997805
  2727. s5 += s13 * 136657
  2728. s6 -= s13 * 683901
  2729. s13 = 0
  2731. s0 += s12 * 666643
  2732. s1 += s12 * 470296
  2733. s2 += s12 * 654183
  2734. s3 -= s12 * 997805
  2735. s4 += s12 * 136657
  2736. s5 -= s12 * 683901
  2737. s12 = 0
  2739. carry[0] = (s0 + (1 << 20)) >> 21
  2740. s1 += carry[0]
  2741. s0 -= carry[0] << 21
  2742. carry[2] = (s2 + (1 << 20)) >> 21
  2743. s3 += carry[2]
  2744. s2 -= carry[2] << 21
  2745. carry[4] = (s4 + (1 << 20)) >> 21
  2746. s5 += carry[4]
  2747. s4 -= carry[4] << 21
  2748. carry[6] = (s6 + (1 << 20)) >> 21
  2749. s7 += carry[6]
  2750. s6 -= carry[6] << 21
  2751. carry[8] = (s8 + (1 << 20)) >> 21
  2752. s9 += carry[8]
  2753. s8 -= carry[8] << 21
  2754. carry[10] = (s10 + (1 << 20)) >> 21
  2755. s11 += carry[10]
  2756. s10 -= carry[10] << 21
  2758. carry[1] = (s1 + (1 << 20)) >> 21
  2759. s2 += carry[1]
  2760. s1 -= carry[1] << 21
  2761. carry[3] = (s3 + (1 << 20)) >> 21
  2762. s4 += carry[3]
  2763. s3 -= carry[3] << 21
  2764. carry[5] = (s5 + (1 << 20)) >> 21
  2765. s6 += carry[5]
  2766. s5 -= carry[5] << 21
  2767. carry[7] = (s7 + (1 << 20)) >> 21
  2768. s8 += carry[7]
  2769. s7 -= carry[7] << 21
  2770. carry[9] = (s9 + (1 << 20)) >> 21
  2771. s10 += carry[9]
  2772. s9 -= carry[9] << 21
  2773. carry[11] = (s11 + (1 << 20)) >> 21
  2774. s12 += carry[11]
  2775. s11 -= carry[11] << 21
  2777. s0 += s12 * 666643
  2778. s1 += s12 * 470296
  2779. s2 += s12 * 654183
  2780. s3 -= s12 * 997805
  2781. s4 += s12 * 136657
  2782. s5 -= s12 * 683901
  2783. s12 = 0
  2785. carry[0] = s0 >> 21
  2786. s1 += carry[0]
  2787. s0 -= carry[0] << 21
  2788. carry[1] = s1 >> 21
  2789. s2 += carry[1]
  2790. s1 -= carry[1] << 21
  2791. carry[2] = s2 >> 21
  2792. s3 += carry[2]
  2793. s2 -= carry[2] << 21
  2794. carry[3] = s3 >> 21
  2795. s4 += carry[3]
  2796. s3 -= carry[3] << 21
  2797. carry[4] = s4 >> 21
  2798. s5 += carry[4]
  2799. s4 -= carry[4] << 21
  2800. carry[5] = s5 >> 21
  2801. s6 += carry[5]
  2802. s5 -= carry[5] << 21
  2803. carry[6] = s6 >> 21
  2804. s7 += carry[6]
  2805. s6 -= carry[6] << 21
  2806. carry[7] = s7 >> 21
  2807. s8 += carry[7]
  2808. s7 -= carry[7] << 21
  2809. carry[8] = s8 >> 21
  2810. s9 += carry[8]
  2811. s8 -= carry[8] << 21
  2812. carry[9] = s9 >> 21
  2813. s10 += carry[9]
  2814. s9 -= carry[9] << 21
  2815. carry[10] = s10 >> 21
  2816. s11 += carry[10]
  2817. s10 -= carry[10] << 21
  2818. carry[11] = s11 >> 21
  2819. s12 += carry[11]
  2820. s11 -= carry[11] << 21
  2822. s0 += s12 * 666643
  2823. s1 += s12 * 470296
  2824. s2 += s12 * 654183
  2825. s3 -= s12 * 997805
  2826. s4 += s12 * 136657
  2827. s5 -= s12 * 683901
  2828. s12 = 0
  2830. carry[0] = s0 >> 21
  2831. s1 += carry[0]
  2832. s0 -= carry[0] << 21
  2833. carry[1] = s1 >> 21
  2834. s2 += carry[1]
  2835. s1 -= carry[1] << 21
  2836. carry[2] = s2 >> 21
  2837. s3 += carry[2]
  2838. s2 -= carry[2] << 21
  2839. carry[3] = s3 >> 21
  2840. s4 += carry[3]
  2841. s3 -= carry[3] << 21
  2842. carry[4] = s4 >> 21
  2843. s5 += carry[4]
  2844. s4 -= carry[4] << 21
  2845. carry[5] = s5 >> 21
  2846. s6 += carry[5]
  2847. s5 -= carry[5] << 21
  2848. carry[6] = s6 >> 21
  2849. s7 += carry[6]
  2850. s6 -= carry[6] << 21
  2851. carry[7] = s7 >> 21
  2852. s8 += carry[7]
  2853. s7 -= carry[7] << 21
  2854. carry[8] = s8 >> 21
  2855. s9 += carry[8]
  2856. s8 -= carry[8] << 21
  2857. carry[9] = s9 >> 21
  2858. s10 += carry[9]
  2859. s9 -= carry[9] << 21
  2860. carry[10] = s10 >> 21
  2861. s11 += carry[10]
  2862. s10 -= carry[10] << 21
  2864. out[0] = byte(s0 >> 0)
  2865. out[1] = byte(s0 >> 8)
  2866. out[2] = byte((s0 >> 16) | (s1 << 5))
  2867. out[3] = byte(s1 >> 3)
  2868. out[4] = byte(s1 >> 11)
  2869. out[5] = byte((s1 >> 19) | (s2 << 2))
  2870. out[6] = byte(s2 >> 6)
  2871. out[7] = byte((s2 >> 14) | (s3 << 7))
  2872. out[8] = byte(s3 >> 1)
  2873. out[9] = byte(s3 >> 9)
  2874. out[10] = byte((s3 >> 17) | (s4 << 4))
  2875. out[11] = byte(s4 >> 4)
  2876. out[12] = byte(s4 >> 12)
  2877. out[13] = byte((s4 >> 20) | (s5 << 1))
  2878. out[14] = byte(s5 >> 7)
  2879. out[15] = byte((s5 >> 15) | (s6 << 6))
  2880. out[16] = byte(s6 >> 2)
  2881. out[17] = byte(s6 >> 10)
  2882. out[18] = byte((s6 >> 18) | (s7 << 3))
  2883. out[19] = byte(s7 >> 5)
  2884. out[20] = byte(s7 >> 13)
  2885. out[21] = byte(s8 >> 0)
  2886. out[22] = byte(s8 >> 8)
  2887. out[23] = byte((s8 >> 16) | (s9 << 5))
  2888. out[24] = byte(s9 >> 3)
  2889. out[25] = byte(s9 >> 11)
  2890. out[26] = byte((s9 >> 19) | (s10 << 2))
  2891. out[27] = byte(s10 >> 6)
  2892. out[28] = byte((s10 >> 14) | (s11 << 7))
  2893. out[29] = byte(s11 >> 1)
  2894. out[30] = byte(s11 >> 9)
  2895. out[31] = byte(s11 >> 17)
  2896. }
  2898. func ScReduce32(s *Key) {
  2899. s0 := 2097151 & load3(s[:])
  2900. s1 := 2097151 & (load4(s[2:]) >> 5)
  2901. s2 := 2097151 & (load3(s[5:]) >> 2)
  2902. s3 := 2097151 & (load4(s[7:]) >> 7)
  2903. s4 := 2097151 & (load4(s[10:]) >> 4)
  2904. s5 := 2097151 & (load3(s[13:]) >> 1)
  2905. s6 := 2097151 & (load4(s[15:]) >> 6)
  2906. s7 := 2097151 & (load3(s[18:]) >> 3)
  2907. s8 := 2097151 & load3(s[21:])
  2908. s9 := 2097151 & (load4(s[23:]) >> 5)
  2909. s10 := 2097151 & (load3(s[26:]) >> 2)
  2910. s11 := (load4(s[28:]) >> 7)
  2911. s12 := int64(0)
  2912. var carry [12]int64
  2913. carry[0] = (s0 + (1 << 20)) >> 21
  2914. s1 += carry[0]
  2915. s0 -= carry[0] << 21
  2916. carry[2] = (s2 + (1 << 20)) >> 21
  2917. s3 += carry[2]
  2918. s2 -= carry[2] << 21
  2919. carry[4] = (s4 + (1 << 20)) >> 21
  2920. s5 += carry[4]
  2921. s4 -= carry[4] << 21
  2922. carry[6] = (s6 + (1 << 20)) >> 21
  2923. s7 += carry[6]
  2924. s6 -= carry[6] << 21
  2925. carry[8] = (s8 + (1 << 20)) >> 21
  2926. s9 += carry[8]
  2927. s8 -= carry[8] << 21
  2928. carry[10] = (s10 + (1 << 20)) >> 21
  2929. s11 += carry[10]
  2930. s10 -= carry[10] << 21
  2931. carry[1] = (s1 + (1 << 20)) >> 21
  2932. s2 += carry[1]
  2933. s1 -= carry[1] << 21
  2934. carry[3] = (s3 + (1 << 20)) >> 21
  2935. s4 += carry[3]
  2936. s3 -= carry[3] << 21
  2937. carry[5] = (s5 + (1 << 20)) >> 21
  2938. s6 += carry[5]
  2939. s5 -= carry[5] << 21
  2940. carry[7] = (s7 + (1 << 20)) >> 21
  2941. s8 += carry[7]
  2942. s7 -= carry[7] << 21
  2943. carry[9] = (s9 + (1 << 20)) >> 21
  2944. s10 += carry[9]
  2945. s9 -= carry[9] << 21
  2946. carry[11] = (s11 + (1 << 20)) >> 21
  2947. s12 += carry[11]
  2948. s11 -= carry[11] << 21
  2950. s0 += s12 * 666643
  2951. s1 += s12 * 470296
  2952. s2 += s12 * 654183
  2953. s3 -= s12 * 997805
  2954. s4 += s12 * 136657
  2955. s5 -= s12 * 683901
  2956. s12 = 0
  2958. carry[0] = s0 >> 21
  2959. s1 += carry[0]
  2960. s0 -= carry[0] << 21
  2961. carry[1] = s1 >> 21
  2962. s2 += carry[1]
  2963. s1 -= carry[1] << 21
  2964. carry[2] = s2 >> 21
  2965. s3 += carry[2]
  2966. s2 -= carry[2] << 21
  2967. carry[3] = s3 >> 21
  2968. s4 += carry[3]
  2969. s3 -= carry[3] << 21
  2970. carry[4] = s4 >> 21
  2971. s5 += carry[4]
  2972. s4 -= carry[4] << 21
  2973. carry[5] = s5 >> 21
  2974. s6 += carry[5]
  2975. s5 -= carry[5] << 21
  2976. carry[6] = s6 >> 21
  2977. s7 += carry[6]
  2978. s6 -= carry[6] << 21
  2979. carry[7] = s7 >> 21
  2980. s8 += carry[7]
  2981. s7 -= carry[7] << 21
  2982. carry[8] = s8 >> 21
  2983. s9 += carry[8]
  2984. s8 -= carry[8] << 21
  2985. carry[9] = s9 >> 21
  2986. s10 += carry[9]
  2987. s9 -= carry[9] << 21
  2988. carry[10] = s10 >> 21
  2989. s11 += carry[10]
  2990. s10 -= carry[10] << 21
  2991. carry[11] = s11 >> 21
  2992. s12 += carry[11]
  2993. s11 -= carry[11] << 21
  2995. s0 += s12 * 666643
  2996. s1 += s12 * 470296
  2997. s2 += s12 * 654183
  2998. s3 -= s12 * 997805
  2999. s4 += s12 * 136657
  3000. s5 -= s12 * 683901
  3002. carry[0] = s0 >> 21
  3003. s1 += carry[0]
  3004. s0 -= carry[0] << 21
  3005. carry[1] = s1 >> 21
  3006. s2 += carry[1]
  3007. s1 -= carry[1] << 21
  3008. carry[2] = s2 >> 21
  3009. s3 += carry[2]
  3010. s2 -= carry[2] << 21
  3011. carry[3] = s3 >> 21
  3012. s4 += carry[3]
  3013. s3 -= carry[3] << 21
  3014. carry[4] = s4 >> 21
  3015. s5 += carry[4]
  3016. s4 -= carry[4] << 21
  3017. carry[5] = s5 >> 21
  3018. s6 += carry[5]
  3019. s5 -= carry[5] << 21
  3020. carry[6] = s6 >> 21
  3021. s7 += carry[6]
  3022. s6 -= carry[6] << 21
  3023. carry[7] = s7 >> 21
  3024. s8 += carry[7]
  3025. s7 -= carry[7] << 21
  3026. carry[8] = s8 >> 21
  3027. s9 += carry[8]
  3028. s8 -= carry[8] << 21
  3029. carry[9] = s9 >> 21
  3030. s10 += carry[9]
  3031. s9 -= carry[9] << 21
  3032. carry[10] = s10 >> 21
  3033. s11 += carry[10]
  3034. s10 -= carry[10] << 21
  3036. s[0] = byte(s0 >> 0)
  3037. s[1] = byte(s0 >> 8)
  3038. s[2] = byte((s0 >> 16) | (s1 << 5))
  3039. s[3] = byte(s1 >> 3)
  3040. s[4] = byte(s1 >> 11)
  3041. s[5] = byte((s1 >> 19) | (s2 << 2))
  3042. s[6] = byte(s2 >> 6)
  3043. s[7] = byte((s2 >> 14) | (s3 << 7))
  3044. s[8] = byte(s3 >> 1)
  3045. s[9] = byte(s3 >> 9)
  3046. s[10] = byte((s3 >> 17) | (s4 << 4))
  3047. s[11] = byte(s4 >> 4)
  3048. s[12] = byte(s4 >> 12)
  3049. s[13] = byte((s4 >> 20) | (s5 << 1))
  3050. s[14] = byte(s5 >> 7)
  3051. s[15] = byte((s5 >> 15) | (s6 << 6))
  3052. s[16] = byte(s6 >> 2)
  3053. s[17] = byte(s6 >> 10)
  3054. s[18] = byte((s6 >> 18) | (s7 << 3))
  3055. s[19] = byte(s7 >> 5)
  3056. s[20] = byte(s7 >> 13)
  3057. s[21] = byte(s8 >> 0)
  3058. s[22] = byte(s8 >> 8)
  3059. s[23] = byte((s8 >> 16) | (s9 << 5))
  3060. s[24] = byte(s9 >> 3)
  3061. s[25] = byte(s9 >> 11)
  3062. s[26] = byte((s9 >> 19) | (s10 << 2))
  3063. s[27] = byte(s10 >> 6)
  3064. s[28] = byte((s10 >> 14) | (s11 << 7))
  3065. s[29] = byte(s11 >> 1)
  3066. s[30] = byte(s11 >> 9)
  3067. s[31] = byte(s11 >> 17)
  3068. }