arnaucube
/
derosuite
mirror of https://github.com/arnaucube/derosuite.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
68 MiB
Tree: a390b5e235
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a390b5e235'
${ noResults }
derosuite/crypto/ringct/edwards25519.go

3053 lines
72 KiB
Raw Normal View History

Status update release 1
6 years ago
  2. // Copyright 2013 The Go Authors. All rights reserved.
  3. // Use of this source code is governed by a BSD-style
  4. // license that can be found in the LICENSE-BSD file.
  6. // Most of this is from the golang x/crypto package
  8. // Package edwards25519 implements operations in GF(2**255-19) and on an
  9. // Edwards curve that is isomorphic to curve25519. See
  10. // http://ed25519.cr.yp.to/.
  12. // move this file out of this package and use x/crypto
  13. package ringct
  15. // This code is a port of the public domain, "ref10" implementation of ed25519
  16. // from SUPERCOP.
  18. // FieldElement represents an element of the field GF(2^255 - 19). An element
  19. // t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
  20. // t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
  21. // context.
  22. type FieldElement [10]int32
  24. var FeMa = FieldElement{-486662, 0, 0, 0, 0, 0, 0, 0, 0, 0} /* -A */
  25. var FeMa2 = FieldElement{-12721188, -3529, 0, 0, 0, 0, 0, 0, 0, 0} /* -A^2 */
  26. var FeFffb1 = FieldElement{-31702527, -2466483, -26106795, -12203692, -12169197, -321052, 14850977, -10296299, -16929438, -407568} /* sqrt(-2 * A * (A + 2)) */
  27. var FeFffb2 = FieldElement{8166131, -6741800, -17040804, 3154616, 21461005, 1466302, -30876704, -6368709, 10503587, -13363080} /* sqrt(2 * A * (A + 2)) */
  28. var FeFffb3 = FieldElement{-13620103, 14639558, 4532995, 7679154, 16815101, -15883539, -22863840, -14813421, 13716513, -6477756} /* sqrt(-sqrt(-1) * A * (A + 2)) */
  29. var FeFffb4 = FieldElement{-21786234, -12173074, 21573800, 4524538, -4645904, 16204591, 8012863, -8444712, 3212926, 6885324} /* sqrt(sqrt(-1) * A * (A + 2)) */
  30. var FeSqrtM1 = FieldElement{-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482} /* sqrt(-1) */
  32. var zero FieldElement
  33. var one FieldElement
  35. func init() {
  36. one[0] = 1
  37. }
  39. func (f *FieldElement) Zero() {
  40. copy(f[:], zero[:])
  41. }
  43. func (f *FieldElement) One() {
  44. copy(f[:], one[:])
  45. }
  47. func FeAdd(dst, a, b *FieldElement) {
  48. dst[0] = a[0] + b[0]
  49. dst[1] = a[1] + b[1]
  50. dst[2] = a[2] + b[2]
  51. dst[3] = a[3] + b[3]
  52. dst[4] = a[4] + b[4]
  53. dst[5] = a[5] + b[5]
  54. dst[6] = a[6] + b[6]
  55. dst[7] = a[7] + b[7]
  56. dst[8] = a[8] + b[8]
  57. dst[9] = a[9] + b[9]
  58. }
  60. func FeSub(dst, a, b *FieldElement) {
  61. dst[0] = a[0] - b[0]
  62. dst[1] = a[1] - b[1]
  63. dst[2] = a[2] - b[2]
  64. dst[3] = a[3] - b[3]
  65. dst[4] = a[4] - b[4]
  66. dst[5] = a[5] - b[5]
  67. dst[6] = a[6] - b[6]
  68. dst[7] = a[7] - b[7]
  69. dst[8] = a[8] - b[8]
  70. dst[9] = a[9] - b[9]
  71. }
  73. func FeCopy(dst, src *FieldElement) {
  74. copy(dst[:], src[:])
  75. }
  77. // Replace (f,g) with (g,g) if b == 1;
  78. // replace (f,g) with (f,g) if b == 0.
  79. //
  80. // Preconditions: b in {0,1}.
  81. func FeCMove(f, g *FieldElement, b int32) {
  82. b = -b
  83. f[0] ^= b & (f[0] ^ g[0])
  84. f[1] ^= b & (f[1] ^ g[1])
  85. f[2] ^= b & (f[2] ^ g[2])
  86. f[3] ^= b & (f[3] ^ g[3])
  87. f[4] ^= b & (f[4] ^ g[4])
  88. f[5] ^= b & (f[5] ^ g[5])
  89. f[6] ^= b & (f[6] ^ g[6])
  90. f[7] ^= b & (f[7] ^ g[7])
  91. f[8] ^= b & (f[8] ^ g[8])
  92. f[9] ^= b & (f[9] ^ g[9])
  93. }
  95. func load3(in []byte) (result int64) {
  96. result = int64(in[0]) | (int64(in[1]) << 8) | (int64(in[2]) << 16)
  97. return
  98. }
  100. func load4(in []byte) (result int64) {
  101. result = int64(in[0]) | (int64(in[1]) << 8) | (int64(in[2]) << 16) | (int64(in[3]) << 24)
  102. return
  103. }
  105. func FeFromBytes(dst *FieldElement, src *Key) {
  106. h0 := load4(src[:])
  107. h1 := load3(src[4:]) << 6
  108. h2 := load3(src[7:]) << 5
  109. h3 := load3(src[10:]) << 3
  110. h4 := load3(src[13:]) << 2
  111. h5 := load4(src[16:])
  112. h6 := load3(src[20:]) << 7
  113. h7 := load3(src[23:]) << 5
  114. h8 := load3(src[26:]) << 4
  115. h9 := (load3(src[29:]) & 8388607) << 2
  117. FeCombine(dst, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  118. }
  120. // FeToBytes marshals h to s.
  121. // Preconditions:
  122. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  123. //
  124. // Write p=2^255-19; q=floor(h/p).
  125. // Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
  126. //
  127. // Proof:
  128. // Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
  129. // Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
  130. //
  131. // Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
  132. // Then 0<y<1.
  133. //
  134. // Write r=h-pq.
  135. // Have 0<=r<=p-1=2^255-20.
  136. // Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
  137. //
  138. // Write x=r+19(2^-255)r+y.
  139. // Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
  140. //
  141. // Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
  142. // so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
  143. func FeToBytes(s *Key, h *FieldElement) {
  144. var carry [10]int32
  146. q := (19*h[9] + (1 << 24)) >> 25
  147. q = (h[0] + q) >> 26
  148. q = (h[1] + q) >> 25
  149. q = (h[2] + q) >> 26
  150. q = (h[3] + q) >> 25
  151. q = (h[4] + q) >> 26
  152. q = (h[5] + q) >> 25
  153. q = (h[6] + q) >> 26
  154. q = (h[7] + q) >> 25
  155. q = (h[8] + q) >> 26
  156. q = (h[9] + q) >> 25
  158. // Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
  159. h[0] += 19 * q
  160. // Goal: Output h-2^255 q, which is between 0 and 2^255-20.
  162. carry[0] = h[0] >> 26
  163. h[1] += carry[0]
  164. h[0] -= carry[0] << 26
  165. carry[1] = h[1] >> 25
  166. h[2] += carry[1]
  167. h[1] -= carry[1] << 25
  168. carry[2] = h[2] >> 26
  169. h[3] += carry[2]
  170. h[2] -= carry[2] << 26
  171. carry[3] = h[3] >> 25
  172. h[4] += carry[3]
  173. h[3] -= carry[3] << 25
  174. carry[4] = h[4] >> 26
  175. h[5] += carry[4]
  176. h[4] -= carry[4] << 26
  177. carry[5] = h[5] >> 25
  178. h[6] += carry[5]
  179. h[5] -= carry[5] << 25
  180. carry[6] = h[6] >> 26
  181. h[7] += carry[6]
  182. h[6] -= carry[6] << 26
  183. carry[7] = h[7] >> 25
  184. h[8] += carry[7]
  185. h[7] -= carry[7] << 25
  186. carry[8] = h[8] >> 26
  187. h[9] += carry[8]
  188. h[8] -= carry[8] << 26
  189. carry[9] = h[9] >> 25
  190. h[9] -= carry[9] << 25
  191. // h10 = carry9
  193. // Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
  194. // Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
  195. // evidently 2^255 h10-2^255 q = 0.
  196. // Goal: Output h[0]+...+2^230 h[9].
  198. s[0] = byte(h[0] >> 0)
  199. s[1] = byte(h[0] >> 8)
  200. s[2] = byte(h[0] >> 16)
  201. s[3] = byte((h[0] >> 24) | (h[1] << 2))
  202. s[4] = byte(h[1] >> 6)
  203. s[5] = byte(h[1] >> 14)
  204. s[6] = byte((h[1] >> 22) | (h[2] << 3))
  205. s[7] = byte(h[2] >> 5)
  206. s[8] = byte(h[2] >> 13)
  207. s[9] = byte((h[2] >> 21) | (h[3] << 5))
  208. s[10] = byte(h[3] >> 3)
  209. s[11] = byte(h[3] >> 11)
  210. s[12] = byte((h[3] >> 19) | (h[4] << 6))
  211. s[13] = byte(h[4] >> 2)
  212. s[14] = byte(h[4] >> 10)
  213. s[15] = byte(h[4] >> 18)
  214. s[16] = byte(h[5] >> 0)
  215. s[17] = byte(h[5] >> 8)
  216. s[18] = byte(h[5] >> 16)
  217. s[19] = byte((h[5] >> 24) | (h[6] << 1))
  218. s[20] = byte(h[6] >> 7)
  219. s[21] = byte(h[6] >> 15)
  220. s[22] = byte((h[6] >> 23) | (h[7] << 3))
  221. s[23] = byte(h[7] >> 5)
  222. s[24] = byte(h[7] >> 13)
  223. s[25] = byte((h[7] >> 21) | (h[8] << 4))
  224. s[26] = byte(h[8] >> 4)
  225. s[27] = byte(h[8] >> 12)
  226. s[28] = byte((h[8] >> 20) | (h[9] << 6))
  227. s[29] = byte(h[9] >> 2)
  228. s[30] = byte(h[9] >> 10)
  229. s[31] = byte(h[9] >> 18)
  230. }
  232. func (f *FieldElement) IsNegative() byte {
  233. var s Key
  234. FeToBytes(&s, f)
  235. return s[0] & 1
  236. }
  238. func (f *FieldElement) IsNonZero() int32 {
  239. var s Key
  240. FeToBytes(&s, f)
  241. var x uint8
  242. for _, b := range s {
  243. x |= b
  244. }
  245. x |= x >> 4
  246. x |= x >> 2
  247. x |= x >> 1
  248. return int32(x & 1)
  249. }
  251. // FeNeg sets h = -f
  252. //
  253. // Preconditions:
  254. // |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  255. //
  256. // Postconditions:
  257. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  258. func FeNeg(h, f *FieldElement) {
  259. h[0] = -f[0]
  260. h[1] = -f[1]
  261. h[2] = -f[2]
  262. h[3] = -f[3]
  263. h[4] = -f[4]
  264. h[5] = -f[5]
  265. h[6] = -f[6]
  266. h[7] = -f[7]
  267. h[8] = -f[8]
  268. h[9] = -f[9]
  269. }
  271. func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) {
  272. var c0, c1, c2, c3, c4, c5, c6, c7, c8, c9 int64
  274. /*
  275. |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
  276. i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
  277. |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
  278. i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
  279. */
  281. c0 = (h0 + (1 << 25)) >> 26
  282. h1 += c0
  283. h0 -= c0 << 26
  284. c4 = (h4 + (1 << 25)) >> 26
  285. h5 += c4
  286. h4 -= c4 << 26
  287. /* |h0| <= 2^25 */
  288. /* |h4| <= 2^25 */
  289. /* |h1| <= 1.51*2^58 */
  290. /* |h5| <= 1.51*2^58 */
  292. c1 = (h1 + (1 << 24)) >> 25
  293. h2 += c1
  294. h1 -= c1 << 25
  295. c5 = (h5 + (1 << 24)) >> 25
  296. h6 += c5
  297. h5 -= c5 << 25
  298. /* |h1| <= 2^24; from now on fits into int32 */
  299. /* |h5| <= 2^24; from now on fits into int32 */
  300. /* |h2| <= 1.21*2^59 */
  301. /* |h6| <= 1.21*2^59 */
  303. c2 = (h2 + (1 << 25)) >> 26
  304. h3 += c2
  305. h2 -= c2 << 26
  306. c6 = (h6 + (1 << 25)) >> 26
  307. h7 += c6
  308. h6 -= c6 << 26
  309. /* |h2| <= 2^25; from now on fits into int32 unchanged */
  310. /* |h6| <= 2^25; from now on fits into int32 unchanged */
  311. /* |h3| <= 1.51*2^58 */
  312. /* |h7| <= 1.51*2^58 */
  314. c3 = (h3 + (1 << 24)) >> 25
  315. h4 += c3
  316. h3 -= c3 << 25
  317. c7 = (h7 + (1 << 24)) >> 25
  318. h8 += c7
  319. h7 -= c7 << 25
  320. /* |h3| <= 2^24; from now on fits into int32 unchanged */
  321. /* |h7| <= 2^24; from now on fits into int32 unchanged */
  322. /* |h4| <= 1.52*2^33 */
  323. /* |h8| <= 1.52*2^33 */
  325. c4 = (h4 + (1 << 25)) >> 26
  326. h5 += c4
  327. h4 -= c4 << 26
  328. c8 = (h8 + (1 << 25)) >> 26
  329. h9 += c8
  330. h8 -= c8 << 26
  331. /* |h4| <= 2^25; from now on fits into int32 unchanged */
  332. /* |h8| <= 2^25; from now on fits into int32 unchanged */
  333. /* |h5| <= 1.01*2^24 */
  334. /* |h9| <= 1.51*2^58 */
  336. c9 = (h9 + (1 << 24)) >> 25
  337. h0 += c9 * 19
  338. h9 -= c9 << 25
  339. /* |h9| <= 2^24; from now on fits into int32 unchanged */
  340. /* |h0| <= 1.8*2^37 */
  342. c0 = (h0 + (1 << 25)) >> 26
  343. h1 += c0
  344. h0 -= c0 << 26
  345. /* |h0| <= 2^25; from now on fits into int32 unchanged */
  346. /* |h1| <= 1.01*2^24 */
  348. h[0] = int32(h0)
  349. h[1] = int32(h1)
  350. h[2] = int32(h2)
  351. h[3] = int32(h3)
  352. h[4] = int32(h4)
  353. h[5] = int32(h5)
  354. h[6] = int32(h6)
  355. h[7] = int32(h7)
  356. h[8] = int32(h8)
  357. h[9] = int32(h9)
  358. }
  360. // FeMul calculates h = f * g
  361. // Can overlap h with f or g.
  362. //
  363. // Preconditions:
  364. // |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  365. // |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  366. //
  367. // Postconditions:
  368. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  369. //
  370. // Notes on implementation strategy:
  371. //
  372. // Using schoolbook multiplication.
  373. // Karatsuba would save a little in some cost models.
  374. //
  375. // Most multiplications by 2 and 19 are 32-bit precomputations;
  376. // cheaper than 64-bit postcomputations.
  377. //
  378. // There is one remaining multiplication by 19 in the carry chain;
  379. // one *19 precomputation can be merged into this,
  380. // but the resulting data flow is considerably less clean.
  381. //
  382. // There are 12 carries below.
  383. // 10 of them are 2-way parallelizable and vectorizable.
  384. // Can get away with 11 carries, but then data flow is much deeper.
  385. //
  386. // With tighter constraints on inputs can squeeze carries into int32.
  387. func FeMul(h, f, g *FieldElement) {
  388. f0 := int64(f[0])
  389. f1 := int64(f[1])
  390. f2 := int64(f[2])
  391. f3 := int64(f[3])
  392. f4 := int64(f[4])
  393. f5 := int64(f[5])
  394. f6 := int64(f[6])
  395. f7 := int64(f[7])
  396. f8 := int64(f[8])
  397. f9 := int64(f[9])
  399. f1_2 := int64(2 * f[1])
  400. f3_2 := int64(2 * f[3])
  401. f5_2 := int64(2 * f[5])
  402. f7_2 := int64(2 * f[7])
  403. f9_2 := int64(2 * f[9])
  405. g0 := int64(g[0])
  406. g1 := int64(g[1])
  407. g2 := int64(g[2])
  408. g3 := int64(g[3])
  409. g4 := int64(g[4])
  410. g5 := int64(g[5])
  411. g6 := int64(g[6])
  412. g7 := int64(g[7])
  413. g8 := int64(g[8])
  414. g9 := int64(g[9])
  416. g1_19 := int64(19 * g[1]) /* 1.4*2^29 */
  417. g2_19 := int64(19 * g[2]) /* 1.4*2^30; still ok */
  418. g3_19 := int64(19 * g[3])
  419. g4_19 := int64(19 * g[4])
  420. g5_19 := int64(19 * g[5])
  421. g6_19 := int64(19 * g[6])
  422. g7_19 := int64(19 * g[7])
  423. g8_19 := int64(19 * g[8])
  424. g9_19 := int64(19 * g[9])
  426. h0 := f0*g0 + f1_2*g9_19 + f2*g8_19 + f3_2*g7_19 + f4*g6_19 + f5_2*g5_19 + f6*g4_19 + f7_2*g3_19 + f8*g2_19 + f9_2*g1_19
  427. h1 := f0*g1 + f1*g0 + f2*g9_19 + f3*g8_19 + f4*g7_19 + f5*g6_19 + f6*g5_19 + f7*g4_19 + f8*g3_19 + f9*g2_19
  428. h2 := f0*g2 + f1_2*g1 + f2*g0 + f3_2*g9_19 + f4*g8_19 + f5_2*g7_19 + f6*g6_19 + f7_2*g5_19 + f8*g4_19 + f9_2*g3_19
  429. h3 := f0*g3 + f1*g2 + f2*g1 + f3*g0 + f4*g9_19 + f5*g8_19 + f6*g7_19 + f7*g6_19 + f8*g5_19 + f9*g4_19
  430. h4 := f0*g4 + f1_2*g3 + f2*g2 + f3_2*g1 + f4*g0 + f5_2*g9_19 + f6*g8_19 + f7_2*g7_19 + f8*g6_19 + f9_2*g5_19
  431. h5 := f0*g5 + f1*g4 + f2*g3 + f3*g2 + f4*g1 + f5*g0 + f6*g9_19 + f7*g8_19 + f8*g7_19 + f9*g6_19
  432. h6 := f0*g6 + f1_2*g5 + f2*g4 + f3_2*g3 + f4*g2 + f5_2*g1 + f6*g0 + f7_2*g9_19 + f8*g8_19 + f9_2*g7_19
  433. h7 := f0*g7 + f1*g6 + f2*g5 + f3*g4 + f4*g3 + f5*g2 + f6*g1 + f7*g0 + f8*g9_19 + f9*g8_19
  434. h8 := f0*g8 + f1_2*g7 + f2*g6 + f3_2*g5 + f4*g4 + f5_2*g3 + f6*g2 + f7_2*g1 + f8*g0 + f9_2*g9_19
  435. h9 := f0*g9 + f1*g8 + f2*g7 + f3*g6 + f4*g5 + f5*g4 + f6*g3 + f7*g2 + f8*g1 + f9*g0
  437. FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  438. }
  440. func feSquare(f *FieldElement) (h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) {
  441. f0 := int64(f[0])
  442. f1 := int64(f[1])
  443. f2 := int64(f[2])
  444. f3 := int64(f[3])
  445. f4 := int64(f[4])
  446. f5 := int64(f[5])
  447. f6 := int64(f[6])
  448. f7 := int64(f[7])
  449. f8 := int64(f[8])
  450. f9 := int64(f[9])
  451. f0_2 := int64(2 * f[0])
  452. f1_2 := int64(2 * f[1])
  453. f2_2 := int64(2 * f[2])
  454. f3_2 := int64(2 * f[3])
  455. f4_2 := int64(2 * f[4])
  456. f5_2 := int64(2 * f[5])
  457. f6_2 := int64(2 * f[6])
  458. f7_2 := int64(2 * f[7])
  459. f5_38 := 38 * f5 // 1.31*2^30
  460. f6_19 := 19 * f6 // 1.31*2^30
  461. f7_38 := 38 * f7 // 1.31*2^30
  462. f8_19 := 19 * f8 // 1.31*2^30
  463. f9_38 := 38 * f9 // 1.31*2^30
  465. h0 = f0*f0 + f1_2*f9_38 + f2_2*f8_19 + f3_2*f7_38 + f4_2*f6_19 + f5*f5_38
  466. h1 = f0_2*f1 + f2*f9_38 + f3_2*f8_19 + f4*f7_38 + f5_2*f6_19
  467. h2 = f0_2*f2 + f1_2*f1 + f3_2*f9_38 + f4_2*f8_19 + f5_2*f7_38 + f6*f6_19
  468. h3 = f0_2*f3 + f1_2*f2 + f4*f9_38 + f5_2*f8_19 + f6*f7_38
  469. h4 = f0_2*f4 + f1_2*f3_2 + f2*f2 + f5_2*f9_38 + f6_2*f8_19 + f7*f7_38
  470. h5 = f0_2*f5 + f1_2*f4 + f2_2*f3 + f6*f9_38 + f7_2*f8_19
  471. h6 = f0_2*f6 + f1_2*f5_2 + f2_2*f4 + f3_2*f3 + f7_2*f9_38 + f8*f8_19
  472. h7 = f0_2*f7 + f1_2*f6 + f2_2*f5 + f3_2*f4 + f8*f9_38
  473. h8 = f0_2*f8 + f1_2*f7_2 + f2_2*f6 + f3_2*f5_2 + f4*f4 + f9*f9_38
  474. h9 = f0_2*f9 + f1_2*f8 + f2_2*f7 + f3_2*f6 + f4_2*f5
  476. return
  477. }
  479. // FeSquare calculates h = f*f. Can overlap h with f.
  480. //
  481. // Preconditions:
  482. // |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
  483. //
  484. // Postconditions:
  485. // |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
  486. func FeSquare(h, f *FieldElement) {
  487. h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f)
  488. FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  489. }
  491. // FeSquare2 sets h = 2 * f * f
  492. //
  493. // Can overlap h with f.
  494. //
  495. // Preconditions:
  496. // |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
  497. //
  498. // Postconditions:
  499. // |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
  500. // See fe_mul.c for discussion of implementation strategy.
  501. func FeSquare2(h, f *FieldElement) {
  502. h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f)
  504. h0 += h0
  505. h1 += h1
  506. h2 += h2
  507. h3 += h3
  508. h4 += h4
  509. h5 += h5
  510. h6 += h6
  511. h7 += h7
  512. h8 += h8
  513. h9 += h9
  515. FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
  516. }
  518. func FeInvert(out, z *FieldElement) {
  519. var t0, t1, t2, t3 FieldElement
  520. var i int
  522. FeSquare(&t0, z) // 2^1
  523. FeSquare(&t1, &t0) // 2^2
  524. for i = 1; i < 2; i++ { // 2^3
  525. FeSquare(&t1, &t1)
  526. }
  527. FeMul(&t1, z, &t1) // 2^3 + 2^0
  528. FeMul(&t0, &t0, &t1) // 2^3 + 2^1 + 2^0
  529. FeSquare(&t2, &t0) // 2^4 + 2^2 + 2^1
  530. FeMul(&t1, &t1, &t2) // 2^4 + 2^3 + 2^2 + 2^1 + 2^0
  531. FeSquare(&t2, &t1) // 5,4,3,2,1
  532. for i = 1; i < 5; i++ { // 9,8,7,6,5
  533. FeSquare(&t2, &t2)
  534. }
  535. FeMul(&t1, &t2, &t1) // 9,8,7,6,5,4,3,2,1,0
  536. FeSquare(&t2, &t1) // 10..1
  537. for i = 1; i < 10; i++ { // 19..10
  538. FeSquare(&t2, &t2)
  539. }
  540. FeMul(&t2, &t2, &t1) // 19..0
  541. FeSquare(&t3, &t2) // 20..1
  542. for i = 1; i < 20; i++ { // 39..20
  543. FeSquare(&t3, &t3)
  544. }
  545. FeMul(&t2, &t3, &t2) // 39..0
  546. FeSquare(&t2, &t2) // 40..1
  547. for i = 1; i < 10; i++ { // 49..10
  548. FeSquare(&t2, &t2)
  549. }
  550. FeMul(&t1, &t2, &t1) // 49..0
  551. FeSquare(&t2, &t1) // 50..1
  552. for i = 1; i < 50; i++ { // 99..50
  553. FeSquare(&t2, &t2)
  554. }
  555. FeMul(&t2, &t2, &t1) // 99..0
  556. FeSquare(&t3, &t2) // 100..1
  557. for i = 1; i < 100; i++ { // 199..100
  558. FeSquare(&t3, &t3)
  559. }
  560. FeMul(&t2, &t3, &t2) // 199..0
  561. FeSquare(&t2, &t2) // 200..1
  562. for i = 1; i < 50; i++ { // 249..50
  563. FeSquare(&t2, &t2)
  564. }
  565. FeMul(&t1, &t2, &t1) // 249..0
  566. FeSquare(&t1, &t1) // 250..1
  567. for i = 1; i < 5; i++ { // 254..5
  568. FeSquare(&t1, &t1)
  569. }
  570. FeMul(out, &t1, &t0) // 254..5,3,1,0
  571. }
  573. func fePow22523(out, z *FieldElement) {
  574. var t0, t1, t2 FieldElement
  575. var i int
  577. FeSquare(&t0, z)
  578. for i = 1; i < 1; i++ {
  579. FeSquare(&t0, &t0)
  580. }
  581. FeSquare(&t1, &t0)
  582. for i = 1; i < 2; i++ {
  583. FeSquare(&t1, &t1)
  584. }
  585. FeMul(&t1, z, &t1)
  586. FeMul(&t0, &t0, &t1)
  587. FeSquare(&t0, &t0)
  588. for i = 1; i < 1; i++ {
  589. FeSquare(&t0, &t0)
  590. }
  591. FeMul(&t0, &t1, &t0)
  592. FeSquare(&t1, &t0)
  593. for i = 1; i < 5; i++ {
  594. FeSquare(&t1, &t1)
  595. }
  596. FeMul(&t0, &t1, &t0)
  597. FeSquare(&t1, &t0)
  598. for i = 1; i < 10; i++ {
  599. FeSquare(&t1, &t1)
  600. }
  601. FeMul(&t1, &t1, &t0)
  602. FeSquare(&t2, &t1)
  603. for i = 1; i < 20; i++ {
  604. FeSquare(&t2, &t2)
  605. }
  606. FeMul(&t1, &t2, &t1)
  607. FeSquare(&t1, &t1)
  608. for i = 1; i < 10; i++ {
  609. FeSquare(&t1, &t1)
  610. }
  611. FeMul(&t0, &t1, &t0)
  612. FeSquare(&t1, &t0)
  613. for i = 1; i < 50; i++ {
  614. FeSquare(&t1, &t1)
  615. }
  616. FeMul(&t1, &t1, &t0)
  617. FeSquare(&t2, &t1)
  618. for i = 1; i < 100; i++ {
  619. FeSquare(&t2, &t2)
  620. }
  621. FeMul(&t1, &t2, &t1)
  622. FeSquare(&t1, &t1)
  623. for i = 1; i < 50; i++ {
  624. FeSquare(&t1, &t1)
  625. }
  626. FeMul(&t0, &t1, &t0)
  627. FeSquare(&t0, &t0)
  628. for i = 1; i < 2; i++ {
  629. FeSquare(&t0, &t0)
  630. }
  631. FeMul(out, &t0, z)
  632. }
  634. func FeDivPowM1(out, u, v *FieldElement) {
  635. var v3, uv7, t0 FieldElement
  637. FeSquare(&v3, v)
  638. FeMul(&v3, &v3, v) /* v3 = v^3 */
  639. FeSquare(&uv7, &v3)
  640. FeMul(&uv7, &uv7, v)
  641. FeMul(&uv7, &uv7, u) /* uv7 = uv^7 */
  643. fePow22523(&t0, &uv7)
  644. /* t0 = (uv^7)^((q-5)/8) */
  645. FeMul(&t0, &t0, &v3)
  646. FeMul(out, &t0, u) /* u^(m+1)v^(-(m+1)) */
  647. }
  649. // Group elements are members of the elliptic curve -x^2 + y^2 = 1 + d * x^2 *
  650. // y^2 where d = -121665/121666.
  651. //
  652. // Several representations are used:
  653. // ProjectiveGroupElement: (X:Y:Z) satisfying x=X/Z, y=Y/Z
  654. // ExtendedGroupElement: (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
  655. // CompletedGroupElement: ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
  656. // PreComputedGroupElement: (y+x,y-x,2dxy)
  658. type ProjectiveGroupElement struct {
  659. X, Y, Z FieldElement
  660. }
  662. type ExtendedGroupElement struct {
  663. X, Y, Z, T FieldElement
  664. }
  666. type CompletedGroupElement struct {
  667. X, Y, Z, T FieldElement
  668. }
  670. type PreComputedGroupElement struct {
  671. yPlusX, yMinusX, xy2d FieldElement
  672. }
  674. type CachedGroupElement struct {
  675. yPlusX, yMinusX, Z, T2d FieldElement
  676. }
  678. func (p *ProjectiveGroupElement) Zero() {
  679. p.X.Zero()
  680. p.Y.One()
  681. p.Z.One()
  682. }
  684. func (p *ProjectiveGroupElement) Double(r *CompletedGroupElement) {
  685. var t0 FieldElement
  687. FeSquare(&r.X, &p.X)
  688. FeSquare(&r.Z, &p.Y)
  689. FeSquare2(&r.T, &p.Z)
  690. FeAdd(&r.Y, &p.X, &p.Y)
  691. FeSquare(&t0, &r.Y)
  692. FeAdd(&r.Y, &r.Z, &r.X)
  693. FeSub(&r.Z, &r.Z, &r.X)
  694. FeSub(&r.X, &t0, &r.Y)
  695. FeSub(&r.T, &r.T, &r.Z)
  696. }
  698. func (p *ProjectiveGroupElement) ToBytes(s *Key) {
  699. var recip, x, y FieldElement
  701. FeInvert(&recip, &p.Z)
  702. FeMul(&x, &p.X, &recip)
  703. FeMul(&y, &p.Y, &recip)
  704. FeToBytes(s, &y)
  705. s[31] ^= x.IsNegative() << 7
  706. }
  708. func (p *ProjectiveGroupElement) FromBytes(s *Key) {
  709. h0 := load4(s[:])
  710. h1 := load3(s[4:]) << 6
  711. h2 := load3(s[7:]) << 5
  712. h3 := load3(s[10:]) << 3
  713. h4 := load3(s[13:]) << 2
  714. h5 := load4(s[16:])
  715. h6 := load3(s[20:]) << 7
  716. h7 := load3(s[23:]) << 5
  717. h8 := load3(s[26:]) << 4
  718. h9 := load3(s[29:]) << 2
  719. var carry [10]int64
  720. carry[9] = (h9 + int64(1<<24)) >> 25
  721. h0 += carry[9] * 19
  722. h9 -= carry[9] << 25
  723. carry[1] = (h1 + int64(1<<24)) >> 25
  724. h2 += carry[1]
  725. h1 -= carry[1] << 25
  726. carry[3] = (h3 + int64(1<<24)) >> 25
  727. h4 += carry[3]
  728. h3 -= carry[3] << 25
  729. carry[5] = (h5 + int64(1<<24)) >> 25
  730. h6 += carry[5]
  731. h5 -= carry[5] << 25
  732. carry[7] = (h7 + int64(1<<24)) >> 25
  733. h8 += carry[7]
  734. h7 -= carry[7] << 25
  736. carry[0] = (h0 + int64(1<<25)) >> 26
  737. h1 += carry[0]
  738. h0 -= carry[0] << 26
  739. carry[2] = (h2 + int64(1<<25)) >> 26
  740. h3 += carry[2]
  741. h2 -= carry[2] << 26
  742. carry[4] = (h4 + int64(1<<25)) >> 26
  743. h5 += carry[4]
  744. h4 -= carry[4] << 26
  745. carry[6] = (h6 + int64(1<<25)) >> 26
  746. h7 += carry[6]
  747. h6 -= carry[6] << 26
  748. carry[8] = (h8 + int64(1<<25)) >> 26
  749. h9 += carry[8]
  750. h8 -= carry[8] << 26
  752. var u, v, w, x, y, z FieldElement
  753. u[0] = int32(h0)
  754. u[1] = int32(h1)
  755. u[2] = int32(h2)
  756. u[3] = int32(h3)
  757. u[4] = int32(h4)
  758. u[5] = int32(h5)
  759. u[6] = int32(h6)
  760. u[7] = int32(h7)
  761. u[8] = int32(h8)
  762. u[9] = int32(h9)
  763. FeSquare2(&v, &u) /* 2 * u^2 */
  764. w.One()
  765. FeAdd(&w, &v, &w) /* w = 2 * u^2 + 1 */
  766. FeSquare(&x, &w) /* w^2 */
  767. FeMul(&y, &FeMa2, &v) /* -2 * A^2 * u^2 */
  768. FeAdd(&x, &x, &y) /* x = w^2 - 2 * A^2 * u^2 */
  769. FeDivPowM1(&p.X, &w, &x) /* (w / x)^(m + 1) */
  770. FeSquare(&y, &p.X)
  771. FeMul(&x, &y, &x)
  772. FeSub(&y, &w, &x)
  773. FeCopy(&z, &FeMa)
  774. isNegative := false
  775. var sign byte
  776. if y.IsNonZero() != 0 {
  777. FeAdd(&y, &w, &x)
  778. if y.IsNonZero() != 0 {
  779. isNegative = true
  780. } else {
  781. FeMul(&p.X, &p.X, &FeFffb1)
  782. }
  783. } else {
  784. FeMul(&p.X, &p.X, &FeFffb2)
  785. }
  786. if isNegative {
  787. FeMul(&x, &x, &FeSqrtM1)
  788. FeSub(&y, &w, &x)
  789. if y.IsNonZero() != 0 {
  790. FeAdd(&y, &w, &x)
  791. FeMul(&p.X, &p.X, &FeFffb3)
  792. } else {
  793. FeMul(&p.X, &p.X, &FeFffb4)
  794. }
  795. /* p.X = sqrt(A * (A + 2) * w / x) */
  796. /* z = -A */
  797. sign = 1
  798. } else {
  799. FeMul(&p.X, &p.X, &u) /* u * sqrt(2 * A * (A + 2) * w / x) */
  800. FeMul(&z, &z, &v) /* -2 * A * u^2 */
  801. sign = 0
  802. }
  803. if p.X.IsNegative() != sign {
  804. FeNeg(&p.X, &p.X)
  805. }
  806. FeAdd(&p.Z, &z, &w)
  807. FeSub(&p.Y, &z, &w)
  808. FeMul(&p.X, &p.X, &p.Z)
  809. }
  811. func (p *ExtendedGroupElement) Zero() {
  812. p.X.Zero()
  813. p.Y.One()
  814. p.Z.One()
  815. p.T.Zero()
  816. }
  818. func (p *ExtendedGroupElement) Double(r *CompletedGroupElement) {
  819. var q ProjectiveGroupElement
  820. p.ToProjective(&q)
  821. q.Double(r)
  822. }
  824. func (p *ExtendedGroupElement) ToCached(r *CachedGroupElement) {
  825. FeAdd(&r.yPlusX, &p.Y, &p.X)
  826. FeSub(&r.yMinusX, &p.Y, &p.X)
  827. FeCopy(&r.Z, &p.Z)
  828. FeMul(&r.T2d, &p.T, &d2)
  829. }
  831. func (p *ExtendedGroupElement) ToProjective(r *ProjectiveGroupElement) {
  832. FeCopy(&r.X, &p.X)
  833. FeCopy(&r.Y, &p.Y)
  834. FeCopy(&r.Z, &p.Z)
  835. }
  837. func (p *ExtendedGroupElement) ToBytes(s *Key) {
  838. var recip, x, y FieldElement
  840. FeInvert(&recip, &p.Z)
  841. FeMul(&x, &p.X, &recip)
  842. FeMul(&y, &p.Y, &recip)
  843. FeToBytes(s, &y)
  844. s[31] ^= x.IsNegative() << 7
  845. }
  847. func (p *ExtendedGroupElement) FromBytes(s *Key) bool {
  848. var u, v, v3, vxx, check FieldElement
  850. FeFromBytes(&p.Y, s)
  851. p.Z.One()
  852. FeSquare(&u, &p.Y)
  853. FeMul(&v, &u, &d)
  854. FeSub(&u, &u, &p.Z) // y = y^2-1
  855. FeAdd(&v, &v, &p.Z) // v = dy^2+1
  857. FeSquare(&v3, &v)
  858. FeMul(&v3, &v3, &v) // v3 = v^3
  859. FeSquare(&p.X, &v3)
  860. FeMul(&p.X, &p.X, &v)
  861. FeMul(&p.X, &p.X, &u) // x = uv^7
  863. fePow22523(&p.X, &p.X) // x = (uv^7)^((q-5)/8)
  864. FeMul(&p.X, &p.X, &v3)
  865. FeMul(&p.X, &p.X, &u) // x = uv^3(uv^7)^((q-5)/8)
  867. var tmpX, tmp2 Key
  869. FeSquare(&vxx, &p.X)
  870. FeMul(&vxx, &vxx, &v)
  871. FeSub(&check, &vxx, &u) // vx^2-u
  872. if check.IsNonZero() == 1 {
  873. FeAdd(&check, &vxx, &u) // vx^2+u
  874. if check.IsNonZero() == 1 {
  875. return false
  876. }
  877. FeMul(&p.X, &p.X, &SqrtM1)
  879. FeToBytes(&tmpX, &p.X)
  880. for i, v := range tmpX {
  881. tmp2[31-i] = v
  882. }
  883. }
  885. if p.X.IsNegative() != (s[31] >> 7) {
  886. FeNeg(&p.X, &p.X)
  887. }
  889. FeMul(&p.T, &p.X, &p.Y)
  890. return true
  891. }
  893. func (p *CompletedGroupElement) ToProjective(r *ProjectiveGroupElement) {
  894. FeMul(&r.X, &p.X, &p.T)
  895. FeMul(&r.Y, &p.Y, &p.Z)
  896. FeMul(&r.Z, &p.Z, &p.T)
  897. }
  899. func (p *CompletedGroupElement) ToExtended(r *ExtendedGroupElement) {
  900. FeMul(&r.X, &p.X, &p.T)
  901. FeMul(&r.Y, &p.Y, &p.Z)
  902. FeMul(&r.Z, &p.Z, &p.T)
  903. FeMul(&r.T, &p.X, &p.Y)
  904. }
  906. func (p *PreComputedGroupElement) Zero() {
  907. p.yPlusX.One()
  908. p.yMinusX.One()
  909. p.xy2d.Zero()
  910. }
  912. func (c *CachedGroupElement) Zero() {
  913. c.yPlusX.One()
  914. c.yMinusX.One()
  915. c.Z.One()
  916. c.T2d.Zero()
  917. }
  919. func geAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
  920. var t0 FieldElement
  922. FeAdd(&r.X, &p.Y, &p.X)
  923. FeSub(&r.Y, &p.Y, &p.X)
  924. FeMul(&r.Z, &r.X, &q.yPlusX)
  925. FeMul(&r.Y, &r.Y, &q.yMinusX)
  926. FeMul(&r.T, &q.T2d, &p.T)
  927. FeMul(&r.X, &p.Z, &q.Z)
  928. FeAdd(&t0, &r.X, &r.X)
  929. FeSub(&r.X, &r.Z, &r.Y)
  930. FeAdd(&r.Y, &r.Z, &r.Y)
  931. FeAdd(&r.Z, &t0, &r.T)
  932. FeSub(&r.T, &t0, &r.T)
  933. }
  935. func geSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
  936. var t0 FieldElement
  938. FeAdd(&r.X, &p.Y, &p.X)
  939. FeSub(&r.Y, &p.Y, &p.X)
  940. FeMul(&r.Z, &r.X, &q.yMinusX)
  941. FeMul(&r.Y, &r.Y, &q.yPlusX)
  942. FeMul(&r.T, &q.T2d, &p.T)
  943. FeMul(&r.X, &p.Z, &q.Z)
  944. FeAdd(&t0, &r.X, &r.X)
  945. FeSub(&r.X, &r.Z, &r.Y)
  946. FeAdd(&r.Y, &r.Z, &r.Y)
  947. FeSub(&r.Z, &t0, &r.T)
  948. FeAdd(&r.T, &t0, &r.T)
  949. }
  951. func geMixedAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
  952. var t0 FieldElement
  954. FeAdd(&r.X, &p.Y, &p.X)
  955. FeSub(&r.Y, &p.Y, &p.X)
  956. FeMul(&r.Z, &r.X, &q.yPlusX)
  957. FeMul(&r.Y, &r.Y, &q.yMinusX)
  958. FeMul(&r.T, &q.xy2d, &p.T)
  959. FeAdd(&t0, &p.Z, &p.Z)
  960. FeSub(&r.X, &r.Z, &r.Y)
  961. FeAdd(&r.Y, &r.Z, &r.Y)
  962. FeAdd(&r.Z, &t0, &r.T)
  963. FeSub(&r.T, &t0, &r.T)
  964. }
  966. func geMixedSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
  967. var t0 FieldElement
  969. FeAdd(&r.X, &p.Y, &p.X)
  970. FeSub(&r.Y, &p.Y, &p.X)
  971. FeMul(&r.Z, &r.X, &q.yMinusX)
  972. FeMul(&r.Y, &r.Y, &q.yPlusX)
  973. FeMul(&r.T, &q.xy2d, &p.T)
  974. FeAdd(&t0, &p.Z, &p.Z)
  975. FeSub(&r.X, &r.Z, &r.Y)
  976. FeAdd(&r.Y, &r.Z, &r.Y)
  977. FeSub(&r.Z, &t0, &r.T)
  978. FeAdd(&r.T, &t0, &r.T)
  979. }
  981. // r = 8 * t
  982. func GeMul8(r *CompletedGroupElement, t *ProjectiveGroupElement) {
  983. var u ProjectiveGroupElement
  984. t.Double(r)
  985. r.ToProjective(&u)
  986. u.Double(r)
  987. r.ToProjective(&u)
  988. u.Double(r)
  989. }
  991. // caches s into an array of CachedGroupElements for scalar multiplication later
  992. func GePrecompute(r *[8]CachedGroupElement, s *ExtendedGroupElement) {
  993. var t CompletedGroupElement
  994. var s2, u ExtendedGroupElement
  995. s.ToCached(&r[0])
  996. s.Double(&t)
  997. t.ToExtended(&s2)
  998. for i := 0; i < 7; i++ {
  999. geAdd(&t, &s2, &r[i])
  1000. t.ToExtended(&u)
  1001. u.ToCached(&r[i+1])
  1002. }
  1003. }
  1005. func slide(r *[256]int8, a *Key) {
  1006. for i := range r {
  1007. r[i] = int8(1 & (a[i>>3] >> uint(i&7)))
  1008. }
  1010. for i := range r {
  1011. if r[i] != 0 {
  1012. for b := 1; b <= 6 && i+b < 256; b++ {
  1013. if r[i+b] != 0 {
  1014. if r[i]+(r[i+b]<<uint(b)) <= 15 {
  1015. r[i] += r[i+b] << uint(b)
  1016. r[i+b] = 0
  1017. } else if r[i]-(r[i+b]<<uint(b)) >= -15 {
  1018. r[i] -= r[i+b] << uint(b)
  1019. for k := i + b; k < 256; k++ {
  1020. if r[k] == 0 {
  1021. r[k] = 1
  1022. break
  1023. }
  1024. r[k] = 0
  1025. }
  1026. } else {
  1027. break
  1028. }
  1029. }
  1030. }
  1031. }
  1032. }
  1033. }
  1035. // GeDoubleScalarMultVartime sets r = a*A + b*B
  1036. // where a = a[0]+256*a[1]+...+256^31 a[31].
  1037. // and b = b[0]+256*b[1]+...+256^31 b[31].
  1038. // B is the Ed25519 base point (x,4/5) with x positive.
  1039. func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *Key, A *ExtendedGroupElement, b *Key) {
  1040. var aSlide, bSlide [256]int8
  1041. var Ai [8]CachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A
  1042. var t CompletedGroupElement
  1043. var u ExtendedGroupElement
  1044. var i int
  1046. slide(&aSlide, a)
  1047. slide(&bSlide, b)
  1048. GePrecompute(&Ai, A)
  1050. r.Zero()
  1052. for i = 255; i >= 0; i-- {
  1053. if aSlide[i] != 0 || bSlide[i] != 0 {
  1054. break
  1055. }
  1056. }
  1058. for ; i >= 0; i-- {
  1059. r.Double(&t)
  1061. if aSlide[i] > 0 {
  1062. t.ToExtended(&u)
  1063. geAdd(&t, &u, &Ai[aSlide[i]/2])
  1064. } else if aSlide[i] < 0 {
  1065. t.ToExtended(&u)
  1066. geSub(&t, &u, &Ai[(-aSlide[i])/2])
  1067. }
  1069. if bSlide[i] > 0 {
  1070. t.ToExtended(&u)
  1071. geMixedAdd(&t, &u, &bi[bSlide[i]/2])
  1072. } else if bSlide[i] < 0 {
  1073. t.ToExtended(&u)
  1074. geMixedSub(&t, &u, &bi[(-bSlide[i])/2])
  1075. }
  1077. t.ToProjective(r)
  1078. }
  1079. }
  1081. // sets r = a*A + b*B
  1082. // where Bi is the [8]CachedGroupElement consisting of
  1083. // B,3B,5B,7B,9B,11B,13B,15B
  1084. func GeDoubleScalarMultPrecompVartime(r *ProjectiveGroupElement, a *Key, A *ExtendedGroupElement, b *Key, Bi *[8]CachedGroupElement) {
  1085. var aSlide, bSlide [256]int8
  1086. var Ai [8]CachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A
  1087. var t CompletedGroupElement
  1088. var u ExtendedGroupElement
  1089. var i int
  1090. slide(&aSlide, a)
  1091. slide(&bSlide, b)
  1092. GePrecompute(&Ai, A)
  1093. r.Zero()
  1094. for i = 255; i >= 0; i-- {
  1095. if aSlide[i] != 0 || bSlide[i] != 0 {
  1096. break
  1097. }
  1098. }
  1099. for ; i >= 0; i-- {
  1100. r.Double(&t)
  1101. if aSlide[i] > 0 {
  1102. t.ToExtended(&u)
  1103. geAdd(&t, &u, &Ai[aSlide[i]/2])
  1104. } else if aSlide[i] < 0 {
  1105. t.ToExtended(&u)
  1106. geSub(&t, &u, &Ai[(-aSlide[i])/2])
  1107. }
  1108. if bSlide[i] > 0 {
  1109. t.ToExtended(&u)
  1110. geAdd(&t, &u, &Bi[bSlide[i]/2])
  1111. } else if bSlide[i] < 0 {
  1112. t.ToExtended(&u)
  1113. geSub(&t, &u, &Bi[(-bSlide[i])/2])
  1114. }
  1115. t.ToProjective(r)
  1116. }
  1117. return
  1118. }
  1120. // equal returns 1 if b == c and 0 otherwise.
  1121. func equal(b, c int32) int32 {
  1122. x := uint32(b ^ c)
  1123. x--
  1124. return int32(x >> 31)
  1125. }
  1127. // negative returns 1 if b < 0 and 0 otherwise.
  1128. func negative(b int32) int32 {
  1129. return (b >> 31) & 1
  1130. }
  1132. func CachedGroupElementCMove(t, u *CachedGroupElement, b int32) {
  1133. FeCMove(&t.yPlusX, &u.yPlusX, b)
  1134. FeCMove(&t.yMinusX, &u.yMinusX, b)
  1135. FeCMove(&t.Z, &u.Z, b)
  1136. FeCMove(&t.T2d, &u.T2d, b)
  1137. }
  1139. func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32) {
  1140. FeCMove(&t.yPlusX, &u.yPlusX, b)
  1141. FeCMove(&t.yMinusX, &u.yMinusX, b)
  1142. FeCMove(&t.xy2d, &u.xy2d, b)
  1143. }
  1145. func selectPoint(t *PreComputedGroupElement, pos int32, b int32) {
  1146. var minusT PreComputedGroupElement
  1147. bNegative := negative(b)
  1148. bAbs := b - (((-bNegative) & b) << 1)
  1150. t.Zero()
  1151. for i := int32(0); i < 8; i++ {
  1152. PreComputedGroupElementCMove(t, &base[pos][i], equal(bAbs, i+1))
  1153. }
  1154. FeCopy(&minusT.yPlusX, &t.yMinusX)
  1155. FeCopy(&minusT.yMinusX, &t.yPlusX)
  1156. FeNeg(&minusT.xy2d, &t.xy2d)
  1157. PreComputedGroupElementCMove(t, &minusT, bNegative)
  1158. }
  1160. // GeScalarMult computes h = a*A, where
  1161. // a = a[0]+256*a[1]+...+256^31 a[31]
  1162. // A is a point on the curve
  1163. //
  1164. // Preconditions:
  1165. // a[31] <= 127
  1166. func GeScalarMult(r *ProjectiveGroupElement, a *Key, A *ExtendedGroupElement) {
  1167. var e [64]int32
  1168. var carry, carry2 int32
  1169. for i := 0; i < 31; i++ {
  1170. carry += int32(a[i]) /* 0..256 */
  1171. carry2 = (carry + 8) >> 4 /* 0..16 */
  1172. e[2*i] = carry - (carry2 << 4) /* -8..7 */
  1173. carry = (carry2 + 8) >> 4 /* 0..1 */
  1174. e[2*i+1] = carry2 - (carry << 4) /* -8..7 */
  1175. }
  1176. carry += int32(a[31]) /* 0..128 */
  1177. carry2 = (carry + 8) >> 4 /* 0..8 */
  1178. e[62] = carry - (carry2 << 4) /* -8..7 */
  1179. e[63] = carry2 /* 0..8 */
  1181. var Ai [8]CachedGroupElement // A,2A,3A,4A,5A,6A,7A,8A
  1182. t := new(CompletedGroupElement)
  1183. u := new(ExtendedGroupElement)
  1184. A.ToCached(&Ai[0])
  1185. for i := 0; i < 7; i++ {
  1186. geAdd(t, A, &Ai[i])
  1187. t.ToExtended(u)
  1188. u.ToCached(&Ai[i+1])
  1189. }
  1190. r.Zero()
  1191. cur := new(CachedGroupElement)
  1192. minusCur := new(CachedGroupElement)
  1193. for i := 63; i >= 0; i-- {
  1194. b := e[i]
  1195. bNegative := negative(b)
  1196. bAbs := b - (((-bNegative) & b) << 1)
  1197. r.Double(t)
  1198. t.ToProjective(r)
  1199. r.Double(t)
  1200. t.ToProjective(r)
  1201. r.Double(t)
  1202. t.ToProjective(r)
  1203. r.Double(t)
  1204. t.ToExtended(u)
  1205. cur.Zero()
  1206. for j := int32(0); j < 8; j++ {
  1207. CachedGroupElementCMove(cur, &Ai[j], equal(bAbs, j+1))
  1208. }
  1209. FeCopy(&minusCur.yPlusX, &cur.yMinusX)
  1210. FeCopy(&minusCur.yMinusX, &cur.yPlusX)
  1211. FeCopy(&minusCur.Z, &cur.Z)
  1212. FeNeg(&minusCur.T2d, &cur.T2d)
  1213. CachedGroupElementCMove(cur, minusCur, bNegative)
  1214. geAdd(t, u, cur)
  1215. t.ToProjective(r)
  1216. }
  1217. }
  1219. // GeScalarMultBase computes h = a*B, where
  1220. // a = a[0]+256*a[1]+...+256^31 a[31]
  1221. // B is the Ed25519 base point (x,4/5) with x positive.
  1222. //
  1223. // Preconditions:
  1224. // a[31] <= 127
  1225. func GeScalarMultBase(h *ExtendedGroupElement, a *Key) {
  1226. var e [64]int8
  1228. for i, v := range a {
  1229. e[2*i] = int8(v & 15)
  1230. e[2*i+1] = int8((v >> 4) & 15)
  1231. }
  1233. // each e[i] is between 0 and 15 and e[63] is between 0 and 7.
  1235. carry := int8(0)
  1236. for i := 0; i < 63; i++ {
  1237. e[i] += carry
  1238. carry = (e[i] + 8) >> 4
  1239. e[i] -= carry << 4
  1240. }
  1241. e[63] += carry
  1242. // each e[i] is between -8 and 8.
  1244. h.Zero()
  1245. var t PreComputedGroupElement
  1246. var r CompletedGroupElement
  1247. for i := int32(1); i < 64; i += 2 {
  1248. selectPoint(&t, i/2, int32(e[i]))
  1249. geMixedAdd(&r, h, &t)
  1250. r.ToExtended(h)
  1251. }
  1253. var s ProjectiveGroupElement
  1255. h.Double(&r)
  1256. r.ToProjective(&s)
  1257. s.Double(&r)
  1258. r.ToProjective(&s)
  1259. s.Double(&r)
  1260. r.ToProjective(&s)
  1261. s.Double(&r)
  1262. r.ToExtended(h)
  1264. for i := int32(0); i < 64; i += 2 {
  1265. selectPoint(&t, i/2, int32(e[i]))
  1266. geMixedAdd(&r, h, &t)
  1267. r.ToExtended(h)
  1268. }
  1269. }
  1271. func ScAdd(s, a, b *Key) {
  1272. a0 := 2097151 & load3(a[:])
  1273. a1 := 2097151 & (load4(a[2:]) >> 5)
  1274. a2 := 2097151 & (load3(a[5:]) >> 2)
  1275. a3 := 2097151 & (load4(a[7:]) >> 7)
  1276. a4 := 2097151 & (load4(a[10:]) >> 4)
  1277. a5 := 2097151 & (load3(a[13:]) >> 1)
  1278. a6 := 2097151 & (load4(a[15:]) >> 6)
  1279. a7 := 2097151 & (load3(a[18:]) >> 3)
  1280. a8 := 2097151 & load3(a[21:])
  1281. a9 := 2097151 & (load4(a[23:]) >> 5)
  1282. a10 := 2097151 & (load3(a[26:]) >> 2)
  1283. a11 := (load4(a[28:]) >> 7)
  1284. b0 := 2097151 & load3(b[:])
  1285. b1 := 2097151 & (load4(b[2:]) >> 5)
  1286. b2 := 2097151 & (load3(b[5:]) >> 2)
  1287. b3 := 2097151 & (load4(b[7:]) >> 7)
  1288. b4 := 2097151 & (load4(b[10:]) >> 4)
  1289. b5 := 2097151 & (load3(b[13:]) >> 1)
  1290. b6 := 2097151 & (load4(b[15:]) >> 6)
  1291. b7 := 2097151 & (load3(b[18:]) >> 3)
  1292. b8 := 2097151 & load3(b[21:])
  1293. b9 := 2097151 & (load4(b[23:]) >> 5)
  1294. b10 := 2097151 & (load3(b[26:]) >> 2)
  1295. b11 := (load4(b[28:]) >> 7)
  1296. s0 := a0 + b0
  1297. s1 := a1 + b1
  1298. s2 := a2 + b2
  1299. s3 := a3 + b3
  1300. s4 := a4 + b4
  1301. s5 := a5 + b5
  1302. s6 := a6 + b6
  1303. s7 := a7 + b7
  1304. s8 := a8 + b8
  1305. s9 := a9 + b9
  1306. s10 := a10 + b10
  1307. s11 := a11 + b11
  1308. s12 := int64(0)
  1309. var carry [12]int64
  1311. carry[0] = (s0 + (1 << 20)) >> 21
  1312. s1 += carry[0]
  1313. s0 -= carry[0] << 21
  1314. carry[2] = (s2 + (1 << 20)) >> 21
  1315. s3 += carry[2]
  1316. s2 -= carry[2] << 21
  1317. carry[4] = (s4 + (1 << 20)) >> 21
  1318. s5 += carry[4]
  1319. s4 -= carry[4] << 21
  1320. carry[6] = (s6 + (1 << 20)) >> 21
  1321. s7 += carry[6]
  1322. s6 -= carry[6] << 21
  1323. carry[8] = (s8 + (1 << 20)) >> 21
  1324. s9 += carry[8]
  1325. s8 -= carry[8] << 21
  1326. carry[10] = (s10 + (1 << 20)) >> 21
  1327. s11 += carry[10]
  1328. s10 -= carry[10] << 21
  1330. carry[1] = (s1 + (1 << 20)) >> 21
  1331. s2 += carry[1]
  1332. s1 -= carry[1] << 21
  1333. carry[3] = (s3 + (1 << 20)) >> 21
  1334. s4 += carry[3]
  1335. s3 -= carry[3] << 21
  1336. carry[5] = (s5 + (1 << 20)) >> 21
  1337. s6 += carry[5]
  1338. s5 -= carry[5] << 21
  1339. carry[7] = (s7 + (1 << 20)) >> 21
  1340. s8 += carry[7]
  1341. s7 -= carry[7] << 21
  1342. carry[9] = (s9 + (1 << 20)) >> 21
  1343. s10 += carry[9]
  1344. s9 -= carry[9] << 21
  1345. carry[11] = (s11 + (1 << 20)) >> 21
  1346. s12 += carry[11]
  1347. s11 -= carry[11] << 21
  1349. s0 += s12 * 666643
  1350. s1 += s12 * 470296
  1351. s2 += s12 * 654183
  1352. s3 -= s12 * 997805
  1353. s4 += s12 * 136657
  1354. s5 -= s12 * 683901
  1355. s12 = 0
  1357. carry[0] = s0 >> 21
  1358. s1 += carry[0]
  1359. s0 -= carry[0] << 21
  1360. carry[1] = s1 >> 21
  1361. s2 += carry[1]
  1362. s1 -= carry[1] << 21
  1363. carry[2] = s2 >> 21
  1364. s3 += carry[2]
  1365. s2 -= carry[2] << 21
  1366. carry[3] = s3 >> 21
  1367. s4 += carry[3]
  1368. s3 -= carry[3] << 21
  1369. carry[4] = s4 >> 21
  1370. s5 += carry[4]
  1371. s4 -= carry[4] << 21
  1372. carry[5] = s5 >> 21
  1373. s6 += carry[5]
  1374. s5 -= carry[5] << 21
  1375. carry[6] = s6 >> 21
  1376. s7 += carry[6]
  1377. s6 -= carry[6] << 21
  1378. carry[7] = s7 >> 21
  1379. s8 += carry[7]
  1380. s7 -= carry[7] << 21
  1381. carry[8] = s8 >> 21
  1382. s9 += carry[8]
  1383. s8 -= carry[8] << 21
  1384. carry[9] = s9 >> 21
  1385. s10 += carry[9]
  1386. s9 -= carry[9] << 21
  1387. carry[10] = s10 >> 21
  1388. s11 += carry[10]
  1389. s10 -= carry[10] << 21
  1390. carry[11] = s11 >> 21
  1391. s12 += carry[11]
  1392. s11 -= carry[11] << 21
  1394. s0 += s12 * 666643
  1395. s1 += s12 * 470296
  1396. s2 += s12 * 654183
  1397. s3 -= s12 * 997805
  1398. s4 += s12 * 136657
  1399. s5 -= s12 * 683901
  1401. carry[0] = s0 >> 21
  1402. s1 += carry[0]
  1403. s0 -= carry[0] << 21
  1404. carry[1] = s1 >> 21
  1405. s2 += carry[1]
  1406. s1 -= carry[1] << 21
  1407. carry[2] = s2 >> 21
  1408. s3 += carry[2]
  1409. s2 -= carry[2] << 21
  1410. carry[3] = s3 >> 21
  1411. s4 += carry[3]
  1412. s3 -= carry[3] << 21
  1413. carry[4] = s4 >> 21
  1414. s5 += carry[4]
  1415. s4 -= carry[4] << 21
  1416. carry[5] = s5 >> 21
  1417. s6 += carry[5]
  1418. s5 -= carry[5] << 21
  1419. carry[6] = s6 >> 21
  1420. s7 += carry[6]
  1421. s6 -= carry[6] << 21
  1422. carry[7] = s7 >> 21
  1423. s8 += carry[7]
  1424. s7 -= carry[7] << 21
  1425. carry[8] = s8 >> 21
  1426. s9 += carry[8]
  1427. s8 -= carry[8] << 21
  1428. carry[9] = s9 >> 21
  1429. s10 += carry[9]
  1430. s9 -= carry[9] << 21
  1431. carry[10] = s10 >> 21
  1432. s11 += carry[10]
  1433. s10 -= carry[10] << 21
  1435. s[0] = byte(s0 >> 0)
  1436. s[1] = byte(s0 >> 8)
  1437. s[2] = byte((s0 >> 16) | (s1 << 5))
  1438. s[3] = byte(s1 >> 3)
  1439. s[4] = byte(s1 >> 11)
  1440. s[5] = byte((s1 >> 19) | (s2 << 2))
  1441. s[6] = byte(s2 >> 6)
  1442. s[7] = byte((s2 >> 14) | (s3 << 7))
  1443. s[8] = byte(s3 >> 1)
  1444. s[9] = byte(s3 >> 9)
  1445. s[10] = byte((s3 >> 17) | (s4 << 4))
  1446. s[11] = byte(s4 >> 4)
  1447. s[12] = byte(s4 >> 12)
  1448. s[13] = byte((s4 >> 20) | (s5 << 1))
  1449. s[14] = byte(s5 >> 7)
  1450. s[15] = byte((s5 >> 15) | (s6 << 6))
  1451. s[16] = byte(s6 >> 2)
  1452. s[17] = byte(s6 >> 10)
  1453. s[18] = byte((s6 >> 18) | (s7 << 3))
  1454. s[19] = byte(s7 >> 5)
  1455. s[20] = byte(s7 >> 13)
  1456. s[21] = byte(s8 >> 0)
  1457. s[22] = byte(s8 >> 8)
  1458. s[23] = byte((s8 >> 16) | (s9 << 5))
  1459. s[24] = byte(s9 >> 3)
  1460. s[25] = byte(s9 >> 11)
  1461. s[26] = byte((s9 >> 19) | (s10 << 2))
  1462. s[27] = byte(s10 >> 6)
  1463. s[28] = byte((s10 >> 14) | (s11 << 7))
  1464. s[29] = byte(s11 >> 1)
  1465. s[30] = byte(s11 >> 9)
  1466. s[31] = byte(s11 >> 17)
  1467. }
  1469. func ScSub(s, a, b *Key) {
  1470. a0 := 2097151 & load3(a[:])
  1471. a1 := 2097151 & (load4(a[2:]) >> 5)
  1472. a2 := 2097151 & (load3(a[5:]) >> 2)
  1473. a3 := 2097151 & (load4(a[7:]) >> 7)
  1474. a4 := 2097151 & (load4(a[10:]) >> 4)
  1475. a5 := 2097151 & (load3(a[13:]) >> 1)
  1476. a6 := 2097151 & (load4(a[15:]) >> 6)
  1477. a7 := 2097151 & (load3(a[18:]) >> 3)
  1478. a8 := 2097151 & load3(a[21:])
  1479. a9 := 2097151 & (load4(a[23:]) >> 5)
  1480. a10 := 2097151 & (load3(a[26:]) >> 2)
  1481. a11 := (load4(a[28:]) >> 7)
  1482. b0 := 2097151 & load3(b[:])
  1483. b1 := 2097151 & (load4(b[2:]) >> 5)
  1484. b2 := 2097151 & (load3(b[5:]) >> 2)
  1485. b3 := 2097151 & (load4(b[7:]) >> 7)
  1486. b4 := 2097151 & (load4(b[10:]) >> 4)
  1487. b5 := 2097151 & (load3(b[13:]) >> 1)
  1488. b6 := 2097151 & (load4(b[15:]) >> 6)
  1489. b7 := 2097151 & (load3(b[18:]) >> 3)
  1490. b8 := 2097151 & load3(b[21:])
  1491. b9 := 2097151 & (load4(b[23:]) >> 5)
  1492. b10 := 2097151 & (load3(b[26:]) >> 2)
  1493. b11 := (load4(b[28:]) >> 7)
  1494. s0 := a0 - b0
  1495. s1 := a1 - b1
  1496. s2 := a2 - b2
  1497. s3 := a3 - b3
  1498. s4 := a4 - b4
  1499. s5 := a5 - b5
  1500. s6 := a6 - b6
  1501. s7 := a7 - b7
  1502. s8 := a8 - b8
  1503. s9 := a9 - b9
  1504. s10 := a10 - b10
  1505. s11 := a11 - b11
  1506. s12 := int64(0)
  1507. var carry [12]int64
  1509. carry[0] = (s0 + (1 << 20)) >> 21
  1510. s1 += carry[0]
  1511. s0 -= carry[0] << 21
  1512. carry[2] = (s2 + (1 << 20)) >> 21
  1513. s3 += carry[2]
  1514. s2 -= carry[2] << 21
  1515. carry[4] = (s4 + (1 << 20)) >> 21
  1516. s5 += carry[4]
  1517. s4 -= carry[4] << 21
  1518. carry[6] = (s6 + (1 << 20)) >> 21
  1519. s7 += carry[6]
  1520. s6 -= carry[6] << 21
  1521. carry[8] = (s8 + (1 << 20)) >> 21
  1522. s9 += carry[8]
  1523. s8 -= carry[8] << 21
  1524. carry[10] = (s10 + (1 << 20)) >> 21
  1525. s11 += carry[10]
  1526. s10 -= carry[10] << 21
  1528. carry[1] = (s1 + (1 << 20)) >> 21
  1529. s2 += carry[1]
  1530. s1 -= carry[1] << 21
  1531. carry[3] = (s3 + (1 << 20)) >> 21
  1532. s4 += carry[3]
  1533. s3 -= carry[3] << 21
  1534. carry[5] = (s5 + (1 << 20)) >> 21
  1535. s6 += carry[5]
  1536. s5 -= carry[5] << 21
  1537. carry[7] = (s7 + (1 << 20)) >> 21
  1538. s8 += carry[7]
  1539. s7 -= carry[7] << 21
  1540. carry[9] = (s9 + (1 << 20)) >> 21
  1541. s10 += carry[9]
  1542. s9 -= carry[9] << 21
  1543. carry[11] = (s11 + (1 << 20)) >> 21
  1544. s12 += carry[11]
  1545. s11 -= carry[11] << 21
  1547. s0 += s12 * 666643
  1548. s1 += s12 * 470296
  1549. s2 += s12 * 654183
  1550. s3 -= s12 * 997805
  1551. s4 += s12 * 136657
  1552. s5 -= s12 * 683901
  1553. s12 = 0
  1555. carry[0] = s0 >> 21
  1556. s1 += carry[0]
  1557. s0 -= carry[0] << 21
  1558. carry[1] = s1 >> 21
  1559. s2 += carry[1]
  1560. s1 -= carry[1] << 21
  1561. carry[2] = s2 >> 21
  1562. s3 += carry[2]
  1563. s2 -= carry[2] << 21
  1564. carry[3] = s3 >> 21
  1565. s4 += carry[3]
  1566. s3 -= carry[3] << 21
  1567. carry[4] = s4 >> 21
  1568. s5 += carry[4]
  1569. s4 -= carry[4] << 21
  1570. carry[5] = s5 >> 21
  1571. s6 += carry[5]
  1572. s5 -= carry[5] << 21
  1573. carry[6] = s6 >> 21
  1574. s7 += carry[6]
  1575. s6 -= carry[6] << 21
  1576. carry[7] = s7 >> 21
  1577. s8 += carry[7]
  1578. s7 -= carry[7] << 21
  1579. carry[8] = s8 >> 21
  1580. s9 += carry[8]
  1581. s8 -= carry[8] << 21
  1582. carry[9] = s9 >> 21
  1583. s10 += carry[9]
  1584. s9 -= carry[9] << 21
  1585. carry[10] = s10 >> 21
  1586. s11 += carry[10]
  1587. s10 -= carry[10] << 21
  1588. carry[11] = s11 >> 21
  1589. s12 += carry[11]
  1590. s11 -= carry[11] << 21
  1592. s0 += s12 * 666643
  1593. s1 += s12 * 470296
  1594. s2 += s12 * 654183
  1595. s3 -= s12 * 997805
  1596. s4 += s12 * 136657
  1597. s5 -= s12 * 683901
  1599. carry[0] = s0 >> 21
  1600. s1 += carry[0]
  1601. s0 -= carry[0] << 21
  1602. carry[1] = s1 >> 21
  1603. s2 += carry[1]
  1604. s1 -= carry[1] << 21
  1605. carry[2] = s2 >> 21
  1606. s3 += carry[2]
  1607. s2 -= carry[2] << 21
  1608. carry[3] = s3 >> 21
  1609. s4 += carry[3]
  1610. s3 -= carry[3] << 21
  1611. carry[4] = s4 >> 21
  1612. s5 += carry[4]
  1613. s4 -= carry[4] << 21
  1614. carry[5] = s5 >> 21
  1615. s6 += carry[5]
  1616. s5 -= carry[5] << 21
  1617. carry[6] = s6 >> 21
  1618. s7 += carry[6]
  1619. s6 -= carry[6] << 21
  1620. carry[7] = s7 >> 21
  1621. s8 += carry[7]
  1622. s7 -= carry[7] << 21
  1623. carry[8] = s8 >> 21
  1624. s9 += carry[8]
  1625. s8 -= carry[8] << 21
  1626. carry[9] = s9 >> 21
  1627. s10 += carry[9]
  1628. s9 -= carry[9] << 21
  1629. carry[10] = s10 >> 21
  1630. s11 += carry[10]
  1631. s10 -= carry[10] << 21
  1633. s[0] = byte(s0 >> 0)
  1634. s[1] = byte(s0 >> 8)
  1635. s[2] = byte((s0 >> 16) | (s1 << 5))
  1636. s[3] = byte(s1 >> 3)
  1637. s[4] = byte(s1 >> 11)
  1638. s[5] = byte((s1 >> 19) | (s2 << 2))
  1639. s[6] = byte(s2 >> 6)
  1640. s[7] = byte((s2 >> 14) | (s3 << 7))
  1641. s[8] = byte(s3 >> 1)
  1642. s[9] = byte(s3 >> 9)
  1643. s[10] = byte((s3 >> 17) | (s4 << 4))
  1644. s[11] = byte(s4 >> 4)
  1645. s[12] = byte(s4 >> 12)
  1646. s[13] = byte((s4 >> 20) | (s5 << 1))
  1647. s[14] = byte(s5 >> 7)
  1648. s[15] = byte((s5 >> 15) | (s6 << 6))
  1649. s[16] = byte(s6 >> 2)
  1650. s[17] = byte(s6 >> 10)
  1651. s[18] = byte((s6 >> 18) | (s7 << 3))
  1652. s[19] = byte(s7 >> 5)
  1653. s[20] = byte(s7 >> 13)
  1654. s[21] = byte(s8 >> 0)
  1655. s[22] = byte(s8 >> 8)
  1656. s[23] = byte((s8 >> 16) | (s9 << 5))
  1657. s[24] = byte(s9 >> 3)
  1658. s[25] = byte(s9 >> 11)
  1659. s[26] = byte((s9 >> 19) | (s10 << 2))
  1660. s[27] = byte(s10 >> 6)
  1661. s[28] = byte((s10 >> 14) | (s11 << 7))
  1662. s[29] = byte(s11 >> 1)
  1663. s[30] = byte(s11 >> 9)
  1664. s[31] = byte(s11 >> 17)
  1665. }
  1667. func signum(a int64) int64 {
  1668. return a>>63 - ((-a) >> 63)
  1669. }
  1671. func ScValid(s *Key) bool {
  1672. s0 := load4(s[:])
  1673. s1 := load4(s[4:])
  1674. s2 := load4(s[8:])
  1675. s3 := load4(s[12:])
  1676. s4 := load4(s[16:])
  1677. s5 := load4(s[20:])
  1678. s6 := load4(s[24:])
  1679. s7 := load4(s[28:])
  1680. return (signum(1559614444-s0)+(signum(1477600026-s1)<<1)+(signum(2734136534-s2)<<2)+(signum(350157278-s3)<<3)+(signum(-s4)<<4)+(signum(-s5)<<5)+(signum(-s6)<<6)+(signum(268435456-s7)<<7))>>8 == 0
  1682. }
  1684. func ScIsZero(s *Key) bool {
  1685. return ((int(s[0]|s[1]|s[2]|s[3]|s[4]|s[5]|s[6]|s[7]|s[8]|
  1686. s[9]|s[10]|s[11]|s[12]|s[13]|s[14]|s[15]|s[16]|s[17]|
  1687. s[18]|s[19]|s[20]|s[21]|s[22]|s[23]|s[24]|s[25]|s[26]|
  1688. s[27]|s[28]|s[29]|s[30]|s[31])-1)>>8)+1 == 0
  1689. }
  1691. // The scalars are GF(2^252 + 27742317777372353535851937790883648493).
  1693. // Input:
  1694. // a[0]+256*a[1]+...+256^31*a[31] = a
  1695. // b[0]+256*b[1]+...+256^31*b[31] = b
  1696. // c[0]+256*c[1]+...+256^31*c[31] = c
  1697. //
  1698. // Output:
  1699. // s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
  1700. // where l = 2^252 + 27742317777372353535851937790883648493.
  1701. func ScMulAdd(s, a, b, c *Key) {
  1702. a0 := 2097151 & load3(a[:])
  1703. a1 := 2097151 & (load4(a[2:]) >> 5)
  1704. a2 := 2097151 & (load3(a[5:]) >> 2)
  1705. a3 := 2097151 & (load4(a[7:]) >> 7)
  1706. a4 := 2097151 & (load4(a[10:]) >> 4)
  1707. a5 := 2097151 & (load3(a[13:]) >> 1)
  1708. a6 := 2097151 & (load4(a[15:]) >> 6)
  1709. a7 := 2097151 & (load3(a[18:]) >> 3)
  1710. a8 := 2097151 & load3(a[21:])
  1711. a9 := 2097151 & (load4(a[23:]) >> 5)
  1712. a10 := 2097151 & (load3(a[26:]) >> 2)
  1713. a11 := (load4(a[28:]) >> 7)
  1714. b0 := 2097151 & load3(b[:])
  1715. b1 := 2097151 & (load4(b[2:]) >> 5)
  1716. b2 := 2097151 & (load3(b[5:]) >> 2)
  1717. b3 := 2097151 & (load4(b[7:]) >> 7)
  1718. b4 := 2097151 & (load4(b[10:]) >> 4)
  1719. b5 := 2097151 & (load3(b[13:]) >> 1)
  1720. b6 := 2097151 & (load4(b[15:]) >> 6)
  1721. b7 := 2097151 & (load3(b[18:]) >> 3)
  1722. b8 := 2097151 & load3(b[21:])
  1723. b9 := 2097151 & (load4(b[23:]) >> 5)
  1724. b10 := 2097151 & (load3(b[26:]) >> 2)
  1725. b11 := (load4(b[28:]) >> 7)
  1726. c0 := 2097151 & load3(c[:])
  1727. c1 := 2097151 & (load4(c[2:]) >> 5)
  1728. c2 := 2097151 & (load3(c[5:]) >> 2)
  1729. c3 := 2097151 & (load4(c[7:]) >> 7)
  1730. c4 := 2097151 & (load4(c[10:]) >> 4)
  1731. c5 := 2097151 & (load3(c[13:]) >> 1)
  1732. c6 := 2097151 & (load4(c[15:]) >> 6)
  1733. c7 := 2097151 & (load3(c[18:]) >> 3)
  1734. c8 := 2097151 & load3(c[21:])
  1735. c9 := 2097151 & (load4(c[23:]) >> 5)
  1736. c10 := 2097151 & (load3(c[26:]) >> 2)
  1737. c11 := (load4(c[28:]) >> 7)
  1738. var carry [23]int64
  1740. s0 := c0 + a0*b0
  1741. s1 := c1 + a0*b1 + a1*b0
  1742. s2 := c2 + a0*b2 + a1*b1 + a2*b0
  1743. s3 := c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0
  1744. s4 := c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0
  1745. s5 := c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0
  1746. s6 := c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0
  1747. s7 := c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0
  1748. s8 := c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0
  1749. s9 := c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0
  1750. s10 := c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0
  1751. s11 := c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0
  1752. s12 := a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1
  1753. s13 := a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2
  1754. s14 := a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3
  1755. s15 := a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4
  1756. s16 := a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5
  1757. s17 := a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6
  1758. s18 := a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7
  1759. s19 := a8*b11 + a9*b10 + a10*b9 + a11*b8
  1760. s20 := a9*b11 + a10*b10 + a11*b9
  1761. s21 := a10*b11 + a11*b10
  1762. s22 := a11 * b11
  1763. s23 := int64(0)
  1765. carry[0] = (s0 + (1 << 20)) >> 21
  1766. s1 += carry[0]
  1767. s0 -= carry[0] << 21
  1768. carry[2] = (s2 + (1 << 20)) >> 21
  1769. s3 += carry[2]
  1770. s2 -= carry[2] << 21
  1771. carry[4] = (s4 + (1 << 20)) >> 21
  1772. s5 += carry[4]
  1773. s4 -= carry[4] << 21
  1774. carry[6] = (s6 + (1 << 20)) >> 21
  1775. s7 += carry[6]
  1776. s6 -= carry[6] << 21
  1777. carry[8] = (s8 + (1 << 20)) >> 21
  1778. s9 += carry[8]
  1779. s8 -= carry[8] << 21
  1780. carry[10] = (s10 + (1 << 20)) >> 21
  1781. s11 += carry[10]
  1782. s10 -= carry[10] << 21
  1783. carry[12] = (s12 + (1 << 20)) >> 21
  1784. s13 += carry[12]
  1785. s12 -= carry[12] << 21
  1786. carry[14] = (s14 + (1 << 20)) >> 21
  1787. s15 += carry[14]
  1788. s14 -= carry[14] << 21
  1789. carry[16] = (s16 + (1 << 20)) >> 21
  1790. s17 += carry[16]
  1791. s16 -= carry[16] << 21
  1792. carry[18] = (s18 + (1 << 20)) >> 21
  1793. s19 += carry[18]
  1794. s18 -= carry[18] << 21
  1795. carry[20] = (s20 + (1 << 20)) >> 21
  1796. s21 += carry[20]
  1797. s20 -= carry[20] << 21
  1798. carry[22] = (s22 + (1 << 20)) >> 21
  1799. s23 += carry[22]
  1800. s22 -= carry[22] << 21
  1802. carry[1] = (s1 + (1 << 20)) >> 21
  1803. s2 += carry[1]
  1804. s1 -= carry[1] << 21
  1805. carry[3] = (s3 + (1 << 20)) >> 21
  1806. s4 += carry[3]
  1807. s3 -= carry[3] << 21
  1808. carry[5] = (s5 + (1 << 20)) >> 21
  1809. s6 += carry[5]
  1810. s5 -= carry[5] << 21
  1811. carry[7] = (s7 + (1 << 20)) >> 21
  1812. s8 += carry[7]
  1813. s7 -= carry[7] << 21
  1814. carry[9] = (s9 + (1 << 20)) >> 21
  1815. s10 += carry[9]
  1816. s9 -= carry[9] << 21
  1817. carry[11] = (s11 + (1 << 20)) >> 21
  1818. s12 += carry[11]
  1819. s11 -= carry[11] << 21
  1820. carry[13] = (s13 + (1 << 20)) >> 21
  1821. s14 += carry[13]
  1822. s13 -= carry[13] << 21
  1823. carry[15] = (s15 + (1 << 20)) >> 21
  1824. s16 += carry[15]
  1825. s15 -= carry[15] << 21
  1826. carry[17] = (s17 + (1 << 20)) >> 21
  1827. s18 += carry[17]
  1828. s17 -= carry[17] << 21
  1829. carry[19] = (s19 + (1 << 20)) >> 21
  1830. s20 += carry[19]
  1831. s19 -= carry[19] << 21
  1832. carry[21] = (s21 + (1 << 20)) >> 21
  1833. s22 += carry[21]
  1834. s21 -= carry[21] << 21
  1836. s11 += s23 * 666643
  1837. s12 += s23 * 470296
  1838. s13 += s23 * 654183
  1839. s14 -= s23 * 997805
  1840. s15 += s23 * 136657
  1841. s16 -= s23 * 683901
  1842. s23 = 0
  1844. s10 += s22 * 666643
  1845. s11 += s22 * 470296
  1846. s12 += s22 * 654183
  1847. s13 -= s22 * 997805
  1848. s14 += s22 * 136657
  1849. s15 -= s22 * 683901
  1850. s22 = 0
  1852. s9 += s21 * 666643
  1853. s10 += s21 * 470296
  1854. s11 += s21 * 654183
  1855. s12 -= s21 * 997805
  1856. s13 += s21 * 136657
  1857. s14 -= s21 * 683901
  1858. s21 = 0
  1860. s8 += s20 * 666643
  1861. s9 += s20 * 470296
  1862. s10 += s20 * 654183
  1863. s11 -= s20 * 997805
  1864. s12 += s20 * 136657
  1865. s13 -= s20 * 683901
  1866. s20 = 0
  1868. s7 += s19 * 666643
  1869. s8 += s19 * 470296
  1870. s9 += s19 * 654183
  1871. s10 -= s19 * 997805
  1872. s11 += s19 * 136657
  1873. s12 -= s19 * 683901
  1874. s19 = 0
  1876. s6 += s18 * 666643
  1877. s7 += s18 * 470296
  1878. s8 += s18 * 654183
  1879. s9 -= s18 * 997805
  1880. s10 += s18 * 136657
  1881. s11 -= s18 * 683901
  1882. s18 = 0
  1884. carry[6] = (s6 + (1 << 20)) >> 21
  1885. s7 += carry[6]
  1886. s6 -= carry[6] << 21
  1887. carry[8] = (s8 + (1 << 20)) >> 21
  1888. s9 += carry[8]
  1889. s8 -= carry[8] << 21
  1890. carry[10] = (s10 + (1 << 20)) >> 21
  1891. s11 += carry[10]
  1892. s10 -= carry[10] << 21
  1893. carry[12] = (s12 + (1 << 20)) >> 21
  1894. s13 += carry[12]
  1895. s12 -= carry[12] << 21
  1896. carry[14] = (s14 + (1 << 20)) >> 21
  1897. s15 += carry[14]
  1898. s14 -= carry[14] << 21
  1899. carry[16] = (s16 + (1 << 20)) >> 21
  1900. s17 += carry[16]
  1901. s16 -= carry[16] << 21
  1903. carry[7] = (s7 + (1 << 20)) >> 21
  1904. s8 += carry[7]
  1905. s7 -= carry[7] << 21
  1906. carry[9] = (s9 + (1 << 20)) >> 21
  1907. s10 += carry[9]
  1908. s9 -= carry[9] << 21
  1909. carry[11] = (s11 + (1 << 20)) >> 21
  1910. s12 += carry[11]
  1911. s11 -= carry[11] << 21
  1912. carry[13] = (s13 + (1 << 20)) >> 21
  1913. s14 += carry[13]
  1914. s13 -= carry[13] << 21
  1915. carry[15] = (s15 + (1 << 20)) >> 21
  1916. s16 += carry[15]
  1917. s15 -= carry[15] << 21
  1919. s5 += s17 * 666643
  1920. s6 += s17 * 470296
  1921. s7 += s17 * 654183
  1922. s8 -= s17 * 997805
  1923. s9 += s17 * 136657
  1924. s10 -= s17 * 683901
  1925. s17 = 0
  1927. s4 += s16 * 666643
  1928. s5 += s16 * 470296
  1929. s6 += s16 * 654183
  1930. s7 -= s16 * 997805
  1931. s8 += s16 * 136657
  1932. s9 -= s16 * 683901
  1933. s16 = 0
  1935. s3 += s15 * 666643
  1936. s4 += s15 * 470296
  1937. s5 += s15 * 654183
  1938. s6 -= s15 * 997805
  1939. s7 += s15 * 136657
  1940. s8 -= s15 * 683901
  1941. s15 = 0
  1943. s2 += s14 * 666643
  1944. s3 += s14 * 470296
  1945. s4 += s14 * 654183
  1946. s5 -= s14 * 997805
  1947. s6 += s14 * 136657
  1948. s7 -= s14 * 683901
  1949. s14 = 0
  1951. s1 += s13 * 666643
  1952. s2 += s13 * 470296
  1953. s3 += s13 * 654183
  1954. s4 -= s13 * 997805
  1955. s5 += s13 * 136657
  1956. s6 -= s13 * 683901
  1957. s13 = 0
  1959. s0 += s12 * 666643
  1960. s1 += s12 * 470296
  1961. s2 += s12 * 654183
  1962. s3 -= s12 * 997805
  1963. s4 += s12 * 136657
  1964. s5 -= s12 * 683901
  1965. s12 = 0
  1967. carry[0] = (s0 + (1 << 20)) >> 21
  1968. s1 += carry[0]
  1969. s0 -= carry[0] << 21
  1970. carry[2] = (s2 + (1 << 20)) >> 21
  1971. s3 += carry[2]
  1972. s2 -= carry[2] << 21
  1973. carry[4] = (s4 + (1 << 20)) >> 21
  1974. s5 += carry[4]
  1975. s4 -= carry[4] << 21
  1976. carry[6] = (s6 + (1 << 20)) >> 21
  1977. s7 += carry[6]
  1978. s6 -= carry[6] << 21
  1979. carry[8] = (s8 + (1 << 20)) >> 21
  1980. s9 += carry[8]
  1981. s8 -= carry[8] << 21
  1982. carry[10] = (s10 + (1 << 20)) >> 21
  1983. s11 += carry[10]
  1984. s10 -= carry[10] << 21
  1986. carry[1] = (s1 + (1 << 20)) >> 21
  1987. s2 += carry[1]
  1988. s1 -= carry[1] << 21
  1989. carry[3] = (s3 + (1 << 20)) >> 21
  1990. s4 += carry[3]
  1991. s3 -= carry[3] << 21
  1992. carry[5] = (s5 + (1 << 20)) >> 21
  1993. s6 += carry[5]
  1994. s5 -= carry[5] << 21
  1995. carry[7] = (s7 + (1 << 20)) >> 21
  1996. s8 += carry[7]
  1997. s7 -= carry[7] << 21
  1998. carry[9] = (s9 + (1 << 20)) >> 21
  1999. s10 += carry[9]
  2000. s9 -= carry[9] << 21
  2001. carry[11] = (s11 + (1 << 20)) >> 21
  2002. s12 += carry[11]
  2003. s11 -= carry[11] << 21
  2005. s0 += s12 * 666643
  2006. s1 += s12 * 470296
  2007. s2 += s12 * 654183
  2008. s3 -= s12 * 997805
  2009. s4 += s12 * 136657
  2010. s5 -= s12 * 683901
  2011. s12 = 0
  2013. carry[0] = s0 >> 21
  2014. s1 += carry[0]
  2015. s0 -= carry[0] << 21
  2016. carry[1] = s1 >> 21
  2017. s2 += carry[1]
  2018. s1 -= carry[1] << 21
  2019. carry[2] = s2 >> 21
  2020. s3 += carry[2]
  2021. s2 -= carry[2] << 21
  2022. carry[3] = s3 >> 21
  2023. s4 += carry[3]
  2024. s3 -= carry[3] << 21
  2025. carry[4] = s4 >> 21
  2026. s5 += carry[4]
  2027. s4 -= carry[4] << 21
  2028. carry[5] = s5 >> 21
  2029. s6 += carry[5]
  2030. s5 -= carry[5] << 21
  2031. carry[6] = s6 >> 21
  2032. s7 += carry[6]
  2033. s6 -= carry[6] << 21
  2034. carry[7] = s7 >> 21
  2035. s8 += carry[7]
  2036. s7 -= carry[7] << 21
  2037. carry[8] = s8 >> 21
  2038. s9 += carry[8]
  2039. s8 -= carry[8] << 21
  2040. carry[9] = s9 >> 21
  2041. s10 += carry[9]
  2042. s9 -= carry[9] << 21
  2043. carry[10] = s10 >> 21
  2044. s11 += carry[10]
  2045. s10 -= carry[10] << 21
  2046. carry[11] = s11 >> 21
  2047. s12 += carry[11]
  2048. s11 -= carry[11] << 21
  2050. s0 += s12 * 666643
  2051. s1 += s12 * 470296
  2052. s2 += s12 * 654183
  2053. s3 -= s12 * 997805
  2054. s4 += s12 * 136657
  2055. s5 -= s12 * 683901
  2056. s12 = 0
  2058. carry[0] = s0 >> 21
  2059. s1 += carry[0]
  2060. s0 -= carry[0] << 21
  2061. carry[1] = s1 >> 21
  2062. s2 += carry[1]
  2063. s1 -= carry[1] << 21
  2064. carry[2] = s2 >> 21
  2065. s3 += carry[2]
  2066. s2 -= carry[2] << 21
  2067. carry[3] = s3 >> 21
  2068. s4 += carry[3]
  2069. s3 -= carry[3] << 21
  2070. carry[4] = s4 >> 21
  2071. s5 += carry[4]
  2072. s4 -= carry[4] << 21
  2073. carry[5] = s5 >> 21
  2074. s6 += carry[5]
  2075. s5 -= carry[5] << 21
  2076. carry[6] = s6 >> 21
  2077. s7 += carry[6]
  2078. s6 -= carry[6] << 21
  2079. carry[7] = s7 >> 21
  2080. s8 += carry[7]
  2081. s7 -= carry[7] << 21
  2082. carry[8] = s8 >> 21
  2083. s9 += carry[8]
  2084. s8 -= carry[8] << 21
  2085. carry[9] = s9 >> 21
  2086. s10 += carry[9]
  2087. s9 -= carry[9] << 21
  2088. carry[10] = s10 >> 21
  2089. s11 += carry[10]
  2090. s10 -= carry[10] << 21
  2092. s[0] = byte(s0 >> 0)
  2093. s[1] = byte(s0 >> 8)
  2094. s[2] = byte((s0 >> 16) | (s1 << 5))
  2095. s[3] = byte(s1 >> 3)
  2096. s[4] = byte(s1 >> 11)
  2097. s[5] = byte((s1 >> 19) | (s2 << 2))
  2098. s[6] = byte(s2 >> 6)
  2099. s[7] = byte((s2 >> 14) | (s3 << 7))
  2100. s[8] = byte(s3 >> 1)
  2101. s[9] = byte(s3 >> 9)
  2102. s[10] = byte((s3 >> 17) | (s4 << 4))
  2103. s[11] = byte(s4 >> 4)
  2104. s[12] = byte(s4 >> 12)
  2105. s[13] = byte((s4 >> 20) | (s5 << 1))
  2106. s[14] = byte(s5 >> 7)
  2107. s[15] = byte((s5 >> 15) | (s6 << 6))
  2108. s[16] = byte(s6 >> 2)
  2109. s[17] = byte(s6 >> 10)
  2110. s[18] = byte((s6 >> 18) | (s7 << 3))
  2111. s[19] = byte(s7 >> 5)
  2112. s[20] = byte(s7 >> 13)
  2113. s[21] = byte(s8 >> 0)
  2114. s[22] = byte(s8 >> 8)
  2115. s[23] = byte((s8 >> 16) | (s9 << 5))
  2116. s[24] = byte(s9 >> 3)
  2117. s[25] = byte(s9 >> 11)
  2118. s[26] = byte((s9 >> 19) | (s10 << 2))
  2119. s[27] = byte(s10 >> 6)
  2120. s[28] = byte((s10 >> 14) | (s11 << 7))
  2121. s[29] = byte(s11 >> 1)
  2122. s[30] = byte(s11 >> 9)
  2123. s[31] = byte(s11 >> 17)
  2124. }
  2126. // Input:
  2127. // a[0]+256*a[1]+...+256^31*a[31] = a
  2128. // b[0]+256*b[1]+...+256^31*b[31] = b
  2129. // c[0]+256*c[1]+...+256^31*c[31] = c
  2130. //
  2131. // Output:
  2132. // s[0]+256*s[1]+...+256^31*s[31] = (c-ab) mod l
  2133. // where l = 2^252 + 27742317777372353535851937790883648493.
  2134. func ScMulSub(s, a, b, c *Key) {
  2135. a0 := 2097151 & load3(a[:])
  2136. a1 := 2097151 & (load4(a[2:]) >> 5)
  2137. a2 := 2097151 & (load3(a[5:]) >> 2)
  2138. a3 := 2097151 & (load4(a[7:]) >> 7)
  2139. a4 := 2097151 & (load4(a[10:]) >> 4)
  2140. a5 := 2097151 & (load3(a[13:]) >> 1)
  2141. a6 := 2097151 & (load4(a[15:]) >> 6)
  2142. a7 := 2097151 & (load3(a[18:]) >> 3)
  2143. a8 := 2097151 & load3(a[21:])
  2144. a9 := 2097151 & (load4(a[23:]) >> 5)
  2145. a10 := 2097151 & (load3(a[26:]) >> 2)
  2146. a11 := (load4(a[28:]) >> 7)
  2147. b0 := 2097151 & load3(b[:])
  2148. b1 := 2097151 & (load4(b[2:]) >> 5)
  2149. b2 := 2097151 & (load3(b[5:]) >> 2)
  2150. b3 := 2097151 & (load4(b[7:]) >> 7)
  2151. b4 := 2097151 & (load4(b[10:]) >> 4)
  2152. b5 := 2097151 & (load3(b[13:]) >> 1)
  2153. b6 := 2097151 & (load4(b[15:]) >> 6)
  2154. b7 := 2097151 & (load3(b[18:]) >> 3)
  2155. b8 := 2097151 & load3(b[21:])
  2156. b9 := 2097151 & (load4(b[23:]) >> 5)
  2157. b10 := 2097151 & (load3(b[26:]) >> 2)
  2158. b11 := (load4(b[28:]) >> 7)
  2159. c0 := 2097151 & load3(c[:])
  2160. c1 := 2097151 & (load4(c[2:]) >> 5)
  2161. c2 := 2097151 & (load3(c[5:]) >> 2)
  2162. c3 := 2097151 & (load4(c[7:]) >> 7)
  2163. c4 := 2097151 & (load4(c[10:]) >> 4)
  2164. c5 := 2097151 & (load3(c[13:]) >> 1)
  2165. c6 := 2097151 & (load4(c[15:]) >> 6)
  2166. c7 := 2097151 & (load3(c[18:]) >> 3)
  2167. c8 := 2097151 & load3(c[21:])
  2168. c9 := 2097151 & (load4(c[23:]) >> 5)
  2169. c10 := 2097151 & (load3(c[26:]) >> 2)
  2170. c11 := (load4(c[28:]) >> 7)
  2171. var carry [23]int64
  2173. s0 := c0 - a0*b0
  2174. s1 := c1 - a0*b1 - a1*b0
  2175. s2 := c2 - a0*b2 - a1*b1 - a2*b0
  2176. s3 := c3 - a0*b3 - a1*b2 - a2*b1 - a3*b0
  2177. s4 := c4 - a0*b4 - a1*b3 - a2*b2 - a3*b1 - a4*b0
  2178. s5 := c5 - a0*b5 - a1*b4 - a2*b3 - a3*b2 - a4*b1 - a5*b0
  2179. s6 := c6 - a0*b6 - a1*b5 - a2*b4 - a3*b3 - a4*b2 - a5*b1 - a6*b0
  2180. s7 := c7 - a0*b7 - a1*b6 - a2*b5 - a3*b4 - a4*b3 - a5*b2 - a6*b1 - a7*b0
  2181. s8 := c8 - a0*b8 - a1*b7 - a2*b6 - a3*b5 - a4*b4 - a5*b3 - a6*b2 - a7*b1 - a8*b0
  2182. s9 := c9 - a0*b9 - a1*b8 - a2*b7 - a3*b6 - a4*b5 - a5*b4 - a6*b3 - a7*b2 - a8*b1 - a9*b0
  2183. s10 := c10 - a0*b10 - a1*b9 - a2*b8 - a3*b7 - a4*b6 - a5*b5 - a6*b4 - a7*b3 - a8*b2 - a9*b1 - a10*b0
  2184. s11 := c11 - a0*b11 - a1*b10 - a2*b9 - a3*b8 - a4*b7 - a5*b6 - a6*b5 - a7*b4 - a8*b3 - a9*b2 - a10*b1 - a11*b0
  2185. s12 := -a1*b11 - a2*b10 - a3*b9 - a4*b8 - a5*b7 - a6*b6 - a7*b5 - a8*b4 - a9*b3 - a10*b2 - a11*b1
  2186. s13 := -a2*b11 - a3*b10 - a4*b9 - a5*b8 - a6*b7 - a7*b6 - a8*b5 - a9*b4 - a10*b3 - a11*b2
  2187. s14 := -a3*b11 - a4*b10 - a5*b9 - a6*b8 - a7*b7 - a8*b6 - a9*b5 - a10*b4 - a11*b3
  2188. s15 := -a4*b11 - a5*b10 - a6*b9 - a7*b8 - a8*b7 - a9*b6 - a10*b5 - a11*b4
  2189. s16 := -a5*b11 - a6*b10 - a7*b9 - a8*b8 - a9*b7 - a10*b6 - a11*b5
  2190. s17 := -a6*b11 - a7*b10 - a8*b9 - a9*b8 - a10*b7 - a11*b6
  2191. s18 := -a7*b11 - a8*b10 - a9*b9 - a10*b8 - a11*b7
  2192. s19 := -a8*b11 - a9*b10 - a10*b9 - a11*b8
  2193. s20 := -a9*b11 - a10*b10 - a11*b9
  2194. s21 := -a10*b11 - a11*b10
  2195. s22 := -a11 * b11
  2196. s23 := int64(0)
  2198. carry[0] = (s0 + (1 << 20)) >> 21
  2199. s1 += carry[0]
  2200. s0 -= carry[0] << 21
  2201. carry[2] = (s2 + (1 << 20)) >> 21
  2202. s3 += carry[2]
  2203. s2 -= carry[2] << 21
  2204. carry[4] = (s4 + (1 << 20)) >> 21
  2205. s5 += carry[4]
  2206. s4 -= carry[4] << 21
  2207. carry[6] = (s6 + (1 << 20)) >> 21
  2208. s7 += carry[6]
  2209. s6 -= carry[6] << 21
  2210. carry[8] = (s8 + (1 << 20)) >> 21
  2211. s9 += carry[8]
  2212. s8 -= carry[8] << 21
  2213. carry[10] = (s10 + (1 << 20)) >> 21
  2214. s11 += carry[10]
  2215. s10 -= carry[10] << 21
  2216. carry[12] = (s12 + (1 << 20)) >> 21
  2217. s13 += carry[12]
  2218. s12 -= carry[12] << 21
  2219. carry[14] = (s14 + (1 << 20)) >> 21
  2220. s15 += carry[14]
  2221. s14 -= carry[14] << 21
  2222. carry[16] = (s16 + (1 << 20)) >> 21
  2223. s17 += carry[16]
  2224. s16 -= carry[16] << 21
  2225. carry[18] = (s18 + (1 << 20)) >> 21
  2226. s19 += carry[18]
  2227. s18 -= carry[18] << 21
  2228. carry[20] = (s20 + (1 << 20)) >> 21
  2229. s21 += carry[20]
  2230. s20 -= carry[20] << 21
  2231. carry[22] = (s22 + (1 << 20)) >> 21
  2232. s23 += carry[22]
  2233. s22 -= carry[22] << 21
  2235. carry[1] = (s1 + (1 << 20)) >> 21
  2236. s2 += carry[1]
  2237. s1 -= carry[1] << 21
  2238. carry[3] = (s3 + (1 << 20)) >> 21
  2239. s4 += carry[3]
  2240. s3 -= carry[3] << 21
  2241. carry[5] = (s5 + (1 << 20)) >> 21
  2242. s6 += carry[5]
  2243. s5 -= carry[5] << 21
  2244. carry[7] = (s7 + (1 << 20)) >> 21
  2245. s8 += carry[7]
  2246. s7 -= carry[7] << 21
  2247. carry[9] = (s9 + (1 << 20)) >> 21
  2248. s10 += carry[9]
  2249. s9 -= carry[9] << 21
  2250. carry[11] = (s11 + (1 << 20)) >> 21
  2251. s12 += carry[11]
  2252. s11 -= carry[11] << 21
  2253. carry[13] = (s13 + (1 << 20)) >> 21
  2254. s14 += carry[13]
  2255. s13 -= carry[13] << 21
  2256. carry[15] = (s15 + (1 << 20)) >> 21
  2257. s16 += carry[15]
  2258. s15 -= carry[15] << 21
  2259. carry[17] = (s17 + (1 << 20)) >> 21
  2260. s18 += carry[17]
  2261. s17 -= carry[17] << 21
  2262. carry[19] = (s19 + (1 << 20)) >> 21
  2263. s20 += carry[19]
  2264. s19 -= carry[19] << 21
  2265. carry[21] = (s21 + (1 << 20)) >> 21
  2266. s22 += carry[21]
  2267. s21 -= carry[21] << 21
  2269. s11 += s23 * 666643
  2270. s12 += s23 * 470296
  2271. s13 += s23 * 654183
  2272. s14 -= s23 * 997805
  2273. s15 += s23 * 136657
  2274. s16 -= s23 * 683901
  2275. s23 = 0
  2277. s10 += s22 * 666643
  2278. s11 += s22 * 470296
  2279. s12 += s22 * 654183
  2280. s13 -= s22 * 997805
  2281. s14 += s22 * 136657
  2282. s15 -= s22 * 683901
  2283. s22 = 0
  2285. s9 += s21 * 666643
  2286. s10 += s21 * 470296
  2287. s11 += s21 * 654183
  2288. s12 -= s21 * 997805
  2289. s13 += s21 * 136657
  2290. s14 -= s21 * 683901
  2291. s21 = 0
  2293. s8 += s20 * 666643
  2294. s9 += s20 * 470296
  2295. s10 += s20 * 654183
  2296. s11 -= s20 * 997805
  2297. s12 += s20 * 136657
  2298. s13 -= s20 * 683901
  2299. s20 = 0
  2301. s7 += s19 * 666643
  2302. s8 += s19 * 470296
  2303. s9 += s19 * 654183
  2304. s10 -= s19 * 997805
  2305. s11 += s19 * 136657
  2306. s12 -= s19 * 683901
  2307. s19 = 0
  2309. s6 += s18 * 666643
  2310. s7 += s18 * 470296
  2311. s8 += s18 * 654183
  2312. s9 -= s18 * 997805
  2313. s10 += s18 * 136657
  2314. s11 -= s18 * 683901
  2315. s18 = 0
  2317. carry[6] = (s6 + (1 << 20)) >> 21
  2318. s7 += carry[6]
  2319. s6 -= carry[6] << 21
  2320. carry[8] = (s8 + (1 << 20)) >> 21
  2321. s9 += carry[8]
  2322. s8 -= carry[8] << 21
  2323. carry[10] = (s10 + (1 << 20)) >> 21
  2324. s11 += carry[10]
  2325. s10 -= carry[10] << 21
  2326. carry[12] = (s12 + (1 << 20)) >> 21
  2327. s13 += carry[12]
  2328. s12 -= carry[12] << 21
  2329. carry[14] = (s14 + (1 << 20)) >> 21
  2330. s15 += carry[14]
  2331. s14 -= carry[14] << 21
  2332. carry[16] = (s16 + (1 << 20)) >> 21
  2333. s17 += carry[16]
  2334. s16 -= carry[16] << 21
  2336. carry[7] = (s7 + (1 << 20)) >> 21
  2337. s8 += carry[7]
  2338. s7 -= carry[7] << 21
  2339. carry[9] = (s9 + (1 << 20)) >> 21
  2340. s10 += carry[9]
  2341. s9 -= carry[9] << 21
  2342. carry[11] = (s11 + (1 << 20)) >> 21
  2343. s12 += carry[11]
  2344. s11 -= carry[11] << 21
  2345. carry[13] = (s13 + (1 << 20)) >> 21
  2346. s14 += carry[13]
  2347. s13 -= carry[13] << 21
  2348. carry[15] = (s15 + (1 << 20)) >> 21
  2349. s16 += carry[15]
  2350. s15 -= carry[15] << 21
  2352. s5 += s17 * 666643
  2353. s6 += s17 * 470296
  2354. s7 += s17 * 654183
  2355. s8 -= s17 * 997805
  2356. s9 += s17 * 136657
  2357. s10 -= s17 * 683901
  2358. s17 = 0
  2360. s4 += s16 * 666643
  2361. s5 += s16 * 470296
  2362. s6 += s16 * 654183
  2363. s7 -= s16 * 997805
  2364. s8 += s16 * 136657
  2365. s9 -= s16 * 683901
  2366. s16 = 0
  2368. s3 += s15 * 666643
  2369. s4 += s15 * 470296
  2370. s5 += s15 * 654183
  2371. s6 -= s15 * 997805
  2372. s7 += s15 * 136657
  2373. s8 -= s15 * 683901
  2374. s15 = 0
  2376. s2 += s14 * 666643
  2377. s3 += s14 * 470296
  2378. s4 += s14 * 654183
  2379. s5 -= s14 * 997805
  2380. s6 += s14 * 136657
  2381. s7 -= s14 * 683901
  2382. s14 = 0
  2384. s1 += s13 * 666643
  2385. s2 += s13 * 470296
  2386. s3 += s13 * 654183
  2387. s4 -= s13 * 997805
  2388. s5 += s13 * 136657
  2389. s6 -= s13 * 683901
  2390. s13 = 0
  2392. s0 += s12 * 666643
  2393. s1 += s12 * 470296
  2394. s2 += s12 * 654183
  2395. s3 -= s12 * 997805
  2396. s4 += s12 * 136657
  2397. s5 -= s12 * 683901
  2398. s12 = 0
  2400. carry[0] = (s0 + (1 << 20)) >> 21
  2401. s1 += carry[0]
  2402. s0 -= carry[0] << 21
  2403. carry[2] = (s2 + (1 << 20)) >> 21
  2404. s3 += carry[2]
  2405. s2 -= carry[2] << 21
  2406. carry[4] = (s4 + (1 << 20)) >> 21
  2407. s5 += carry[4]
  2408. s4 -= carry[4] << 21
  2409. carry[6] = (s6 + (1 << 20)) >> 21
  2410. s7 += carry[6]
  2411. s6 -= carry[6] << 21
  2412. carry[8] = (s8 + (1 << 20)) >> 21
  2413. s9 += carry[8]
  2414. s8 -= carry[8] << 21
  2415. carry[10] = (s10 + (1 << 20)) >> 21
  2416. s11 += carry[10]
  2417. s10 -= carry[10] << 21
  2419. carry[1] = (s1 + (1 << 20)) >> 21
  2420. s2 += carry[1]
  2421. s1 -= carry[1] << 21
  2422. carry[3] = (s3 + (1 << 20)) >> 21
  2423. s4 += carry[3]
  2424. s3 -= carry[3] << 21
  2425. carry[5] = (s5 + (1 << 20)) >> 21
  2426. s6 += carry[5]
  2427. s5 -= carry[5] << 21
  2428. carry[7] = (s7 + (1 << 20)) >> 21
  2429. s8 += carry[7]
  2430. s7 -= carry[7] << 21
  2431. carry[9] = (s9 + (1 << 20)) >> 21
  2432. s10 += carry[9]
  2433. s9 -= carry[9] << 21
  2434. carry[11] = (s11 + (1 << 20)) >> 21
  2435. s12 += carry[11]
  2436. s11 -= carry[11] << 21
  2438. s0 += s12 * 666643
  2439. s1 += s12 * 470296
  2440. s2 += s12 * 654183
  2441. s3 -= s12 * 997805
  2442. s4 += s12 * 136657
  2443. s5 -= s12 * 683901
  2444. s12 = 0
  2446. carry[0] = s0 >> 21
  2447. s1 += carry[0]
  2448. s0 -= carry[0] << 21
  2449. carry[1] = s1 >> 21
  2450. s2 += carry[1]
  2451. s1 -= carry[1] << 21
  2452. carry[2] = s2 >> 21
  2453. s3 += carry[2]
  2454. s2 -= carry[2] << 21
  2455. carry[3] = s3 >> 21
  2456. s4 += carry[3]
  2457. s3 -= carry[3] << 21
  2458. carry[4] = s4 >> 21
  2459. s5 += carry[4]
  2460. s4 -= carry[4] << 21
  2461. carry[5] = s5 >> 21
  2462. s6 += carry[5]
  2463. s5 -= carry[5] << 21
  2464. carry[6] = s6 >> 21
  2465. s7 += carry[6]
  2466. s6 -= carry[6] << 21
  2467. carry[7] = s7 >> 21
  2468. s8 += carry[7]
  2469. s7 -= carry[7] << 21
  2470. carry[8] = s8 >> 21
  2471. s9 += carry[8]
  2472. s8 -= carry[8] << 21
  2473. carry[9] = s9 >> 21
  2474. s10 += carry[9]
  2475. s9 -= carry[9] << 21
  2476. carry[10] = s10 >> 21
  2477. s11 += carry[10]
  2478. s10 -= carry[10] << 21
  2479. carry[11] = s11 >> 21
  2480. s12 += carry[11]
  2481. s11 -= carry[11] << 21
  2483. s0 += s12 * 666643
  2484. s1 += s12 * 470296
  2485. s2 += s12 * 654183
  2486. s3 -= s12 * 997805
  2487. s4 += s12 * 136657
  2488. s5 -= s12 * 683901
  2489. s12 = 0
  2491. carry[0] = s0 >> 21
  2492. s1 += carry[0]
  2493. s0 -= carry[0] << 21
  2494. carry[1] = s1 >> 21
  2495. s2 += carry[1]
  2496. s1 -= carry[1] << 21
  2497. carry[2] = s2 >> 21
  2498. s3 += carry[2]
  2499. s2 -= carry[2] << 21
  2500. carry[3] = s3 >> 21
  2501. s4 += carry[3]
  2502. s3 -= carry[3] << 21
  2503. carry[4] = s4 >> 21
  2504. s5 += carry[4]
  2505. s4 -= carry[4] << 21
  2506. carry[5] = s5 >> 21
  2507. s6 += carry[5]
  2508. s5 -= carry[5] << 21
  2509. carry[6] = s6 >> 21
  2510. s7 += carry[6]
  2511. s6 -= carry[6] << 21
  2512. carry[7] = s7 >> 21
  2513. s8 += carry[7]
  2514. s7 -= carry[7] << 21
  2515. carry[8] = s8 >> 21
  2516. s9 += carry[8]
  2517. s8 -= carry[8] << 21
  2518. carry[9] = s9 >> 21
  2519. s10 += carry[9]
  2520. s9 -= carry[9] << 21
  2521. carry[10] = s10 >> 21
  2522. s11 += carry[10]
  2523. s10 -= carry[10] << 21
  2525. s[0] = byte(s0 >> 0)
  2526. s[1] = byte(s0 >> 8)
  2527. s[2] = byte((s0 >> 16) | (s1 << 5))
  2528. s[3] = byte(s1 >> 3)
  2529. s[4] = byte(s1 >> 11)
  2530. s[5] = byte((s1 >> 19) | (s2 << 2))
  2531. s[6] = byte(s2 >> 6)
  2532. s[7] = byte((s2 >> 14) | (s3 << 7))
  2533. s[8] = byte(s3 >> 1)
  2534. s[9] = byte(s3 >> 9)
  2535. s[10] = byte((s3 >> 17) | (s4 << 4))
  2536. s[11] = byte(s4 >> 4)
  2537. s[12] = byte(s4 >> 12)
  2538. s[13] = byte((s4 >> 20) | (s5 << 1))
  2539. s[14] = byte(s5 >> 7)
  2540. s[15] = byte((s5 >> 15) | (s6 << 6))
  2541. s[16] = byte(s6 >> 2)
  2542. s[17] = byte(s6 >> 10)
  2543. s[18] = byte((s6 >> 18) | (s7 << 3))
  2544. s[19] = byte(s7 >> 5)
  2545. s[20] = byte(s7 >> 13)
  2546. s[21] = byte(s8 >> 0)
  2547. s[22] = byte(s8 >> 8)
  2548. s[23] = byte((s8 >> 16) | (s9 << 5))
  2549. s[24] = byte(s9 >> 3)
  2550. s[25] = byte(s9 >> 11)
  2551. s[26] = byte((s9 >> 19) | (s10 << 2))
  2552. s[27] = byte(s10 >> 6)
  2553. s[28] = byte((s10 >> 14) | (s11 << 7))
  2554. s[29] = byte(s11 >> 1)
  2555. s[30] = byte(s11 >> 9)
  2556. s[31] = byte(s11 >> 17)
  2557. }
  2559. // Input:
  2560. // s[0]+256*s[1]+...+256^63*s[63] = s
  2561. //
  2562. // Output:
  2563. // s[0]+256*s[1]+...+256^31*s[31] = s mod l
  2564. // where l = 2^252 + 27742317777372353535851937790883648493.
  2565. func ScReduce(out *Key, s *[64]byte) {
  2566. s0 := 2097151 & load3(s[:])
  2567. s1 := 2097151 & (load4(s[2:]) >> 5)
  2568. s2 := 2097151 & (load3(s[5:]) >> 2)
  2569. s3 := 2097151 & (load4(s[7:]) >> 7)
  2570. s4 := 2097151 & (load4(s[10:]) >> 4)
  2571. s5 := 2097151 & (load3(s[13:]) >> 1)
  2572. s6 := 2097151 & (load4(s[15:]) >> 6)
  2573. s7 := 2097151 & (load3(s[18:]) >> 3)
  2574. s8 := 2097151 & load3(s[21:])
  2575. s9 := 2097151 & (load4(s[23:]) >> 5)
  2576. s10 := 2097151 & (load3(s[26:]) >> 2)
  2577. s11 := 2097151 & (load4(s[28:]) >> 7)
  2578. s12 := 2097151 & (load4(s[31:]) >> 4)
  2579. s13 := 2097151 & (load3(s[34:]) >> 1)
  2580. s14 := 2097151 & (load4(s[36:]) >> 6)
  2581. s15 := 2097151 & (load3(s[39:]) >> 3)
  2582. s16 := 2097151 & load3(s[42:])
  2583. s17 := 2097151 & (load4(s[44:]) >> 5)
  2584. s18 := 2097151 & (load3(s[47:]) >> 2)
  2585. s19 := 2097151 & (load4(s[49:]) >> 7)
  2586. s20 := 2097151 & (load4(s[52:]) >> 4)
  2587. s21 := 2097151 & (load3(s[55:]) >> 1)
  2588. s22 := 2097151 & (load4(s[57:]) >> 6)
  2589. s23 := (load4(s[60:]) >> 3)
  2591. s11 += s23 * 666643
  2592. s12 += s23 * 470296
  2593. s13 += s23 * 654183
  2594. s14 -= s23 * 997805
  2595. s15 += s23 * 136657
  2596. s16 -= s23 * 683901
  2597. s23 = 0
  2599. s10 += s22 * 666643
  2600. s11 += s22 * 470296
  2601. s12 += s22 * 654183
  2602. s13 -= s22 * 997805
  2603. s14 += s22 * 136657
  2604. s15 -= s22 * 683901
  2605. s22 = 0
  2607. s9 += s21 * 666643
  2608. s10 += s21 * 470296
  2609. s11 += s21 * 654183
  2610. s12 -= s21 * 997805
  2611. s13 += s21 * 136657
  2612. s14 -= s21 * 683901
  2613. s21 = 0
  2615. s8 += s20 * 666643
  2616. s9 += s20 * 470296
  2617. s10 += s20 * 654183
  2618. s11 -= s20 * 997805
  2619. s12 += s20 * 136657
  2620. s13 -= s20 * 683901
  2621. s20 = 0
  2623. s7 += s19 * 666643
  2624. s8 += s19 * 470296
  2625. s9 += s19 * 654183
  2626. s10 -= s19 * 997805
  2627. s11 += s19 * 136657
  2628. s12 -= s19 * 683901
  2629. s19 = 0
  2631. s6 += s18 * 666643
  2632. s7 += s18 * 470296
  2633. s8 += s18 * 654183
  2634. s9 -= s18 * 997805
  2635. s10 += s18 * 136657
  2636. s11 -= s18 * 683901
  2637. s18 = 0
  2639. var carry [17]int64
  2641. carry[6] = (s6 + (1 << 20)) >> 21
  2642. s7 += carry[6]
  2643. s6 -= carry[6] << 21
  2644. carry[8] = (s8 + (1 << 20)) >> 21
  2645. s9 += carry[8]
  2646. s8 -= carry[8] << 21
  2647. carry[10] = (s10 + (1 << 20)) >> 21
  2648. s11 += carry[10]
  2649. s10 -= carry[10] << 21
  2650. carry[12] = (s12 + (1 << 20)) >> 21
  2651. s13 += carry[12]
  2652. s12 -= carry[12] << 21
  2653. carry[14] = (s14 + (1 << 20)) >> 21
  2654. s15 += carry[14]
  2655. s14 -= carry[14] << 21
  2656. carry[16] = (s16 + (1 << 20)) >> 21
  2657. s17 += carry[16]
  2658. s16 -= carry[16] << 21
  2660. carry[7] = (s7 + (1 << 20)) >> 21
  2661. s8 += carry[7]
  2662. s7 -= carry[7] << 21
  2663. carry[9] = (s9 + (1 << 20)) >> 21
  2664. s10 += carry[9]
  2665. s9 -= carry[9] << 21
  2666. carry[11] = (s11 + (1 << 20)) >> 21
  2667. s12 += carry[11]
  2668. s11 -= carry[11] << 21
  2669. carry[13] = (s13 + (1 << 20)) >> 21
  2670. s14 += carry[13]
  2671. s13 -= carry[13] << 21
  2672. carry[15] = (s15 + (1 << 20)) >> 21
  2673. s16 += carry[15]
  2674. s15 -= carry[15] << 21
  2676. s5 += s17 * 666643
  2677. s6 += s17 * 470296
  2678. s7 += s17 * 654183
  2679. s8 -= s17 * 997805
  2680. s9 += s17 * 136657
  2681. s10 -= s17 * 683901
  2682. s17 = 0
  2684. s4 += s16 * 666643
  2685. s5 += s16 * 470296
  2686. s6 += s16 * 654183
  2687. s7 -= s16 * 997805
  2688. s8 += s16 * 136657
  2689. s9 -= s16 * 683901
  2690. s16 = 0
  2692. s3 += s15 * 666643
  2693. s4 += s15 * 470296
  2694. s5 += s15 * 654183
  2695. s6 -= s15 * 997805
  2696. s7 += s15 * 136657
  2697. s8 -= s15 * 683901
  2698. s15 = 0
  2700. s2 += s14 * 666643
  2701. s3 += s14 * 470296
  2702. s4 += s14 * 654183
  2703. s5 -= s14 * 997805
  2704. s6 += s14 * 136657
  2705. s7 -= s14 * 683901
  2706. s14 = 0
  2708. s1 += s13 * 666643
  2709. s2 += s13 * 470296
  2710. s3 += s13 * 654183
  2711. s4 -= s13 * 997805
  2712. s5 += s13 * 136657
  2713. s6 -= s13 * 683901
  2714. s13 = 0
  2716. s0 += s12 * 666643
  2717. s1 += s12 * 470296
  2718. s2 += s12 * 654183
  2719. s3 -= s12 * 997805
  2720. s4 += s12 * 136657
  2721. s5 -= s12 * 683901
  2722. s12 = 0
  2724. carry[0] = (s0 + (1 << 20)) >> 21
  2725. s1 += carry[0]
  2726. s0 -= carry[0] << 21
  2727. carry[2] = (s2 + (1 << 20)) >> 21
  2728. s3 += carry[2]
  2729. s2 -= carry[2] << 21
  2730. carry[4] = (s4 + (1 << 20)) >> 21
  2731. s5 += carry[4]
  2732. s4 -= carry[4] << 21
  2733. carry[6] = (s6 + (1 << 20)) >> 21
  2734. s7 += carry[6]
  2735. s6 -= carry[6] << 21
  2736. carry[8] = (s8 + (1 << 20)) >> 21
  2737. s9 += carry[8]
  2738. s8 -= carry[8] << 21
  2739. carry[10] = (s10 + (1 << 20)) >> 21
  2740. s11 += carry[10]
  2741. s10 -= carry[10] << 21
  2743. carry[1] = (s1 + (1 << 20)) >> 21
  2744. s2 += carry[1]
  2745. s1 -= carry[1] << 21
  2746. carry[3] = (s3 + (1 << 20)) >> 21
  2747. s4 += carry[3]
  2748. s3 -= carry[3] << 21
  2749. carry[5] = (s5 + (1 << 20)) >> 21
  2750. s6 += carry[5]
  2751. s5 -= carry[5] << 21
  2752. carry[7] = (s7 + (1 << 20)) >> 21
  2753. s8 += carry[7]
  2754. s7 -= carry[7] << 21
  2755. carry[9] = (s9 + (1 << 20)) >> 21
  2756. s10 += carry[9]
  2757. s9 -= carry[9] << 21
  2758. carry[11] = (s11 + (1 << 20)) >> 21
  2759. s12 += carry[11]
  2760. s11 -= carry[11] << 21
  2762. s0 += s12 * 666643
  2763. s1 += s12 * 470296
  2764. s2 += s12 * 654183
  2765. s3 -= s12 * 997805
  2766. s4 += s12 * 136657
  2767. s5 -= s12 * 683901
  2768. s12 = 0
  2770. carry[0] = s0 >> 21
  2771. s1 += carry[0]
  2772. s0 -= carry[0] << 21
  2773. carry[1] = s1 >> 21
  2774. s2 += carry[1]
  2775. s1 -= carry[1] << 21
  2776. carry[2] = s2 >> 21
  2777. s3 += carry[2]
  2778. s2 -= carry[2] << 21
  2779. carry[3] = s3 >> 21
  2780. s4 += carry[3]
  2781. s3 -= carry[3] << 21
  2782. carry[4] = s4 >> 21
  2783. s5 += carry[4]
  2784. s4 -= carry[4] << 21
  2785. carry[5] = s5 >> 21
  2786. s6 += carry[5]
  2787. s5 -= carry[5] << 21
  2788. carry[6] = s6 >> 21
  2789. s7 += carry[6]
  2790. s6 -= carry[6] << 21
  2791. carry[7] = s7 >> 21
  2792. s8 += carry[7]
  2793. s7 -= carry[7] << 21
  2794. carry[8] = s8 >> 21
  2795. s9 += carry[8]
  2796. s8 -= carry[8] << 21
  2797. carry[9] = s9 >> 21
  2798. s10 += carry[9]
  2799. s9 -= carry[9] << 21
  2800. carry[10] = s10 >> 21
  2801. s11 += carry[10]
  2802. s10 -= carry[10] << 21
  2803. carry[11] = s11 >> 21
  2804. s12 += carry[11]
  2805. s11 -= carry[11] << 21
  2807. s0 += s12 * 666643
  2808. s1 += s12 * 470296
  2809. s2 += s12 * 654183
  2810. s3 -= s12 * 997805
  2811. s4 += s12 * 136657
  2812. s5 -= s12 * 683901
  2813. s12 = 0
  2815. carry[0] = s0 >> 21
  2816. s1 += carry[0]
  2817. s0 -= carry[0] << 21
  2818. carry[1] = s1 >> 21
  2819. s2 += carry[1]
  2820. s1 -= carry[1] << 21
  2821. carry[2] = s2 >> 21
  2822. s3 += carry[2]
  2823. s2 -= carry[2] << 21
  2824. carry[3] = s3 >> 21
  2825. s4 += carry[3]
  2826. s3 -= carry[3] << 21
  2827. carry[4] = s4 >> 21
  2828. s5 += carry[4]
  2829. s4 -= carry[4] << 21
  2830. carry[5] = s5 >> 21
  2831. s6 += carry[5]
  2832. s5 -= carry[5] << 21
  2833. carry[6] = s6 >> 21
  2834. s7 += carry[6]
  2835. s6 -= carry[6] << 21
  2836. carry[7] = s7 >> 21
  2837. s8 += carry[7]
  2838. s7 -= carry[7] << 21
  2839. carry[8] = s8 >> 21
  2840. s9 += carry[8]
  2841. s8 -= carry[8] << 21
  2842. carry[9] = s9 >> 21
  2843. s10 += carry[9]
  2844. s9 -= carry[9] << 21
  2845. carry[10] = s10 >> 21
  2846. s11 += carry[10]
  2847. s10 -= carry[10] << 21
  2849. out[0] = byte(s0 >> 0)
  2850. out[1] = byte(s0 >> 8)
  2851. out[2] = byte((s0 >> 16) | (s1 << 5))
  2852. out[3] = byte(s1 >> 3)
  2853. out[4] = byte(s1 >> 11)
  2854. out[5] = byte((s1 >> 19) | (s2 << 2))
  2855. out[6] = byte(s2 >> 6)
  2856. out[7] = byte((s2 >> 14) | (s3 << 7))
  2857. out[8] = byte(s3 >> 1)
  2858. out[9] = byte(s3 >> 9)
  2859. out[10] = byte((s3 >> 17) | (s4 << 4))
  2860. out[11] = byte(s4 >> 4)
  2861. out[12] = byte(s4 >> 12)
  2862. out[13] = byte((s4 >> 20) | (s5 << 1))
  2863. out[14] = byte(s5 >> 7)
  2864. out[15] = byte((s5 >> 15) | (s6 << 6))
  2865. out[16] = byte(s6 >> 2)
  2866. out[17] = byte(s6 >> 10)
  2867. out[18] = byte((s6 >> 18) | (s7 << 3))
  2868. out[19] = byte(s7 >> 5)
  2869. out[20] = byte(s7 >> 13)
  2870. out[21] = byte(s8 >> 0)
  2871. out[22] = byte(s8 >> 8)
  2872. out[23] = byte((s8 >> 16) | (s9 << 5))
  2873. out[24] = byte(s9 >> 3)
  2874. out[25] = byte(s9 >> 11)
  2875. out[26] = byte((s9 >> 19) | (s10 << 2))
  2876. out[27] = byte(s10 >> 6)
  2877. out[28] = byte((s10 >> 14) | (s11 << 7))
  2878. out[29] = byte(s11 >> 1)
  2879. out[30] = byte(s11 >> 9)
  2880. out[31] = byte(s11 >> 17)
  2881. }
  2883. func ScReduce32(s *Key) {
  2884. s0 := 2097151 & load3(s[:])
  2885. s1 := 2097151 & (load4(s[2:]) >> 5)
  2886. s2 := 2097151 & (load3(s[5:]) >> 2)
  2887. s3 := 2097151 & (load4(s[7:]) >> 7)
  2888. s4 := 2097151 & (load4(s[10:]) >> 4)
  2889. s5 := 2097151 & (load3(s[13:]) >> 1)
  2890. s6 := 2097151 & (load4(s[15:]) >> 6)
  2891. s7 := 2097151 & (load3(s[18:]) >> 3)
  2892. s8 := 2097151 & load3(s[21:])
  2893. s9 := 2097151 & (load4(s[23:]) >> 5)
  2894. s10 := 2097151 & (load3(s[26:]) >> 2)
  2895. s11 := (load4(s[28:]) >> 7)
  2896. s12 := int64(0)
  2897. var carry [12]int64
  2898. carry[0] = (s0 + (1 << 20)) >> 21
  2899. s1 += carry[0]
  2900. s0 -= carry[0] << 21
  2901. carry[2] = (s2 + (1 << 20)) >> 21
  2902. s3 += carry[2]
  2903. s2 -= carry[2] << 21
  2904. carry[4] = (s4 + (1 << 20)) >> 21
  2905. s5 += carry[4]
  2906. s4 -= carry[4] << 21
  2907. carry[6] = (s6 + (1 << 20)) >> 21
  2908. s7 += carry[6]
  2909. s6 -= carry[6] << 21
  2910. carry[8] = (s8 + (1 << 20)) >> 21
  2911. s9 += carry[8]
  2912. s8 -= carry[8] << 21
  2913. carry[10] = (s10 + (1 << 20)) >> 21
  2914. s11 += carry[10]
  2915. s10 -= carry[10] << 21
  2916. carry[1] = (s1 + (1 << 20)) >> 21
  2917. s2 += carry[1]
  2918. s1 -= carry[1] << 21
  2919. carry[3] = (s3 + (1 << 20)) >> 21
  2920. s4 += carry[3]
  2921. s3 -= carry[3] << 21
  2922. carry[5] = (s5 + (1 << 20)) >> 21
  2923. s6 += carry[5]
  2924. s5 -= carry[5] << 21
  2925. carry[7] = (s7 + (1 << 20)) >> 21
  2926. s8 += carry[7]
  2927. s7 -= carry[7] << 21
  2928. carry[9] = (s9 + (1 << 20)) >> 21
  2929. s10 += carry[9]
  2930. s9 -= carry[9] << 21
  2931. carry[11] = (s11 + (1 << 20)) >> 21
  2932. s12 += carry[11]
  2933. s11 -= carry[11] << 21
  2935. s0 += s12 * 666643
  2936. s1 += s12 * 470296
  2937. s2 += s12 * 654183
  2938. s3 -= s12 * 997805
  2939. s4 += s12 * 136657
  2940. s5 -= s12 * 683901
  2941. s12 = 0
  2943. carry[0] = s0 >> 21
  2944. s1 += carry[0]
  2945. s0 -= carry[0] << 21
  2946. carry[1] = s1 >> 21
  2947. s2 += carry[1]
  2948. s1 -= carry[1] << 21
  2949. carry[2] = s2 >> 21
  2950. s3 += carry[2]
  2951. s2 -= carry[2] << 21
  2952. carry[3] = s3 >> 21
  2953. s4 += carry[3]
  2954. s3 -= carry[3] << 21
  2955. carry[4] = s4 >> 21
  2956. s5 += carry[4]
  2957. s4 -= carry[4] << 21
  2958. carry[5] = s5 >> 21
  2959. s6 += carry[5]
  2960. s5 -= carry[5] << 21
  2961. carry[6] = s6 >> 21
  2962. s7 += carry[6]
  2963. s6 -= carry[6] << 21
  2964. carry[7] = s7 >> 21
  2965. s8 += carry[7]
  2966. s7 -= carry[7] << 21
  2967. carry[8] = s8 >> 21
  2968. s9 += carry[8]
  2969. s8 -= carry[8] << 21
  2970. carry[9] = s9 >> 21
  2971. s10 += carry[9]
  2972. s9 -= carry[9] << 21
  2973. carry[10] = s10 >> 21
  2974. s11 += carry[10]
  2975. s10 -= carry[10] << 21
  2976. carry[11] = s11 >> 21
  2977. s12 += carry[11]
  2978. s11 -= carry[11] << 21
  2980. s0 += s12 * 666643
  2981. s1 += s12 * 470296
  2982. s2 += s12 * 654183
  2983. s3 -= s12 * 997805
  2984. s4 += s12 * 136657
  2985. s5 -= s12 * 683901
  2987. carry[0] = s0 >> 21
  2988. s1 += carry[0]
  2989. s0 -= carry[0] << 21
  2990. carry[1] = s1 >> 21
  2991. s2 += carry[1]
  2992. s1 -= carry[1] << 21
  2993. carry[2] = s2 >> 21
  2994. s3 += carry[2]
  2995. s2 -= carry[2] << 21
  2996. carry[3] = s3 >> 21
  2997. s4 += carry[3]
  2998. s3 -= carry[3] << 21
  2999. carry[4] = s4 >> 21
  3000. s5 += carry[4]
  3001. s4 -= carry[4] << 21
  3002. carry[5] = s5 >> 21
  3003. s6 += carry[5]
  3004. s5 -= carry[5] << 21
  3005. carry[6] = s6 >> 21
  3006. s7 += carry[6]
  3007. s6 -= carry[6] << 21
  3008. carry[7] = s7 >> 21
  3009. s8 += carry[7]
  3010. s7 -= carry[7] << 21
  3011. carry[8] = s8 >> 21
  3012. s9 += carry[8]
  3013. s8 -= carry[8] << 21
  3014. carry[9] = s9 >> 21
  3015. s10 += carry[9]
  3016. s9 -= carry[9] << 21
  3017. carry[10] = s10 >> 21
  3018. s11 += carry[10]
  3019. s10 -= carry[10] << 21
  3021. s[0] = byte(s0 >> 0)
  3022. s[1] = byte(s0 >> 8)
  3023. s[2] = byte((s0 >> 16) | (s1 << 5))
  3024. s[3] = byte(s1 >> 3)
  3025. s[4] = byte(s1 >> 11)
  3026. s[5] = byte((s1 >> 19) | (s2 << 2))
  3027. s[6] = byte(s2 >> 6)
  3028. s[7] = byte((s2 >> 14) | (s3 << 7))
  3029. s[8] = byte(s3 >> 1)
  3030. s[9] = byte(s3 >> 9)
  3031. s[10] = byte((s3 >> 17) | (s4 << 4))
  3032. s[11] = byte(s4 >> 4)
  3033. s[12] = byte(s4 >> 12)
  3034. s[13] = byte((s4 >> 20) | (s5 << 1))
  3035. s[14] = byte(s5 >> 7)
  3036. s[15] = byte((s5 >> 15) | (s6 << 6))
  3037. s[16] = byte(s6 >> 2)
  3038. s[17] = byte(s6 >> 10)
  3039. s[18] = byte((s6 >> 18) | (s7 << 3))
  3040. s[19] = byte(s7 >> 5)
  3041. s[20] = byte(s7 >> 13)
  3042. s[21] = byte(s8 >> 0)
  3043. s[22] = byte(s8 >> 8)
  3044. s[23] = byte((s8 >> 16) | (s9 << 5))
  3045. s[24] = byte(s9 >> 3)
  3046. s[25] = byte(s9 >> 11)
  3047. s[26] = byte((s9 >> 19) | (s10 << 2))
  3048. s[27] = byte(s10 >> 6)
  3049. s[28] = byte((s10 >> 14) | (s11 << 7))
  3050. s[29] = byte(s11 >> 1)
  3051. s[30] = byte(s11 >> 9)
  3052. s[31] = byte(s11 >> 17)
  3053. }