#define WINDOWSIZE 1
#define WINDOWMASK ((1<<WINDOWSIZE)-1)
#include "fe25519.h"
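/*
 * Constant-time equality test: returns 1 if a == b, 0 otherwise.
 *
 * The original form ((a ^ b) - 1) >> 31 is only correct while a ^ b
 * stays below 2^31 (true for the 8-bit limbs this file feeds it, but a
 * silent precondition). Masking with ~x makes the result correct for the
 * whole 32-bit range with no data-dependent branch or table lookup.
 */
static crypto_uint32 equal(crypto_uint32 a,crypto_uint32 b)
{
  crypto_uint32 x = a ^ b;
  /* bit 31 of ((x - 1) & ~x) is set exactly when x == 0 */
  x = ((x - 1) & ~x) >> 31;
  return x;
}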
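/*
 * Constant-time unsigned comparison: returns 1 if a >= b, 0 otherwise.
 *
 * The original computed ((a - b) >> 31) ^ 1, which is only valid while
 * both operands are below 2^31 (enough for this file's 8-bit limbs, but
 * an unstated precondition). This form takes the borrow bit of a - b
 * explicitly and is correct over the full 32-bit range, still with no
 * data-dependent branch.
 */
static crypto_uint32 ge(crypto_uint32 a,crypto_uint32 b)
{
  /* borrow out of a - b: bit 31 is set iff a < b (Hacker's Delight 2-12) */
  crypto_uint32 lt = ((~a & b) | (~(a ^ b) & (a - b))) >> 31;
  return lt ^ 1;
}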
/*
 * Multiply by 19 (2^255 = 19 mod p) as 16a + 2a + a. Shift-and-add is
 * kept rather than a multiply so the cost does not depend on the
 * operand on platforms with variable-time multipliers. The caller must
 * keep a below 2^27 so the sum cannot wrap in 32 bits.
 */
static crypto_uint32 times19(crypto_uint32 a)
{
  crypto_uint32 sixteen_a = a << 4;
  crypto_uint32 two_a = a << 1;
  return sixteen_a + two_a + a;
}
/*
 * Multiply by 38 (2^256 = 38 mod p) as 32a + 4a + 2a. Shift-and-add is
 * kept rather than a multiply so the cost does not depend on the
 * operand. The caller must keep a below 2^26 so the sum cannot wrap in
 * 32 bits.
 */
static crypto_uint32 times38(crypto_uint32 a)
{
  crypto_uint32 thirtytwo_a = a << 5;
  crypto_uint32 four_a = a << 2;
  crypto_uint32 two_a = a << 1;
  return thirtytwo_a + four_a + two_a;
}
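/*
 * Shared carry/reduction core behind reduce_add_sub and reduce_mul.
 *
 * Each round folds the bits of limb 31 above bit 7 back into limb 0
 * scaled by 19 (2^255 = 19 mod p), then propagates carries from each
 * 8-bit limb into the next, limb 0 up to limb 31. The two callers were
 * byte-for-byte identical except for the round count, which is why it
 * is a parameter here. All loops have fixed trip counts and there are
 * no data-dependent branches, so timing does not depend on limb values.
 */
static void reduce_rounds(fe25519 *r, int rounds)
{
  crypto_uint32 t;
  int i, rep;
  for (rep = 0; rep < rounds; rep++) {
    /* fold the overflow above bit 255 back in as 19 * overflow */
    t = r->v[31] >> 7;
    r->v[31] &= 127;
    t = times19(t);
    r->v[0] += t;
    /* ripple 8-bit carries upward */
    for (i = 0; i < 31; i++) {
      t = r->v[i] >> 8;
      r->v[i + 1] += t;
      r->v[i] &= 255;
    }
  }
}

/* Reduce r after fe25519_add / fe25519_sub: four carry rounds. */
static void reduce_add_sub(fe25519 *r)
{
  reduce_rounds(r, 4);
}

/* Reduce r after fe25519_mul: two carry rounds. */
static void reduce_mul(fe25519 *r)
{
  reduce_rounds(r, 2);
}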
/*
 * Fully reduce r into the canonical range [0, p), p = 2^255 - 19, in
 * constant time. A mask is built that is all-ones exactly when r >= p
 * (top limb 127, limbs 30..1 all 255, limb 0 >= 237) and p is
 * subtracted under that mask; no limb value influences control flow.
 * Assumes the input is already carry-reduced (limbs < 256, top limb
 * < 128) so that a single conditional subtraction of p suffices.
 */
void fe25519_freeze(fe25519 *r)
{
  crypto_uint32 is_ge_p = equal(r->v[31], 127);
  crypto_uint32 mask;
  int i;
  for (i = 1; i < 31; i++) {
    is_ge_p &= equal(r->v[i], 255);
  }
  is_ge_p &= ge(r->v[0], 237);
  /* 0 -> 0x00000000, 1 -> 0xffffffff */
  mask = 0 - is_ge_p;
  r->v[0] -= mask & 237;
  for (i = 1; i < 31; i++) {
    r->v[i] -= mask & 255;
  }
  r->v[31] -= mask & 127;
}
/*
 * Load a 32-byte little-endian encoding into r's limbs, one byte per
 * limb. Bit 255 of the encoding is cleared: the field element uses only
 * 255 bits and this file never inspects that bit, so any meaning it
 * carries (e.g. a sign flag in a point encoding) must be read by the
 * caller before unpacking.
 */
void fe25519_unpack(fe25519 *r, const unsigned char x[32])
{
  int i = 0;
  while (i < 32) {
    r->v[i] = x[i];
    i++;
  }
  r->v[31] &= 127;
}
/*
 * Serialize x as 32 little-endian bytes. Works on a frozen copy so x is
 * left untouched and the output is the unique canonical encoding of the
 * element (freeze reduces into [0, p)).
 */
void fe25519_pack(unsigned char r[32], const fe25519 *x)
{
  fe25519 canonical = *x;
  int i;
  fe25519_freeze(&canonical);
  for (i = 0; i < 32; i++) {
    r[i] = (unsigned char)canonical.v[i];
  }
}
/*
 * Return 1 if x == 0 mod p, 0 otherwise. Freezes a copy to canonical
 * form first, then ANDs a per-limb constant-time equality test over all
 * 32 limbs, so the running time does not depend on x.
 */
int fe25519_iszero(const fe25519 *x)
{
  fe25519 frozen = *x;
  crypto_uint32 all_zero;
  int i;
  fe25519_freeze(&frozen);
  all_zero = equal(frozen.v[0], 0);
  for (i = 1; i < 32; i++) {
    all_zero &= equal(frozen.v[i], 0);
  }
  return (int)all_zero;
}
/*
 * Return 1 if x == y mod p, 0 otherwise. Both operands are frozen to
 * canonical form on copies before comparing limbs.
 *
 * VARIABLE TIME: the scan stops at the first differing limb, so timing
 * reveals where the operands first differ. Only use this on values that
 * are public anyway; secret-dependent comparisons need a constant-time
 * routine.
 */
int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y)
{
  fe25519 a = *x;
  fe25519 b = *y;
  int i = 0;
  fe25519_freeze(&a);
  fe25519_freeze(&b);
  while (i < 32 && a.v[i] == b.v[i]) {
    i++;
  }
  return i == 32;
}
/*
 * Constant-time conditional move: if b == 1, r = x; if b == 0, r is left
 * unchanged. Implemented as a masked XOR over all limbs with no branch
 * on b. b MUST be exactly 0 or 1 -- any other value yields a mask that
 * is neither all-zeros nor all-ones and mixes the two operands.
 */
void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b)
{
  /* 0 -> 0x00000000, 1 -> 0xffffffff */
  crypto_uint32 mask = 0 - (crypto_uint32)b;
  int i;
  for (i = 0; i < 32; i++) {
    crypto_uint32 diff = x->v[i] ^ r->v[i];
    r->v[i] ^= diff & mask;
  }
}
/*
 * Return the low bit (parity) of the canonical representative of x.
 * Freezing a copy first is what makes the answer well defined, since
 * different unreduced limb vectors can represent the same element.
 */
unsigned char fe25519_getparity(const fe25519 *x)
{
  fe25519 canonical = *x;
  fe25519_freeze(&canonical);
  return (unsigned char)(canonical.v[0] & 1);
}
/* Set r to the field element 1 (limb 0 = 1, all other limbs 0). */
void fe25519_setone(fe25519 *r)
{
  int i = 31;
  while (i > 0) {
    r->v[i] = 0;
    i--;
  }
  r->v[0] = 1;
}
/* Set r to the field element 0 (every limb 0). */
void fe25519_setzero(fe25519 *r)
{
  int i = 31;
  while (i >= 0) {
    r->v[i] = 0;
    i--;
  }
}
/*
 * r = -x mod p, computed as 0 - x. x is copied first so that r may alias
 * x: fe25519_setzero would otherwise clobber the operand before the
 * subtraction reads it.
 */
void fe25519_neg(fe25519 *r, const fe25519 *x)
{
  fe25519 operand = *x;
  fe25519_setzero(r);
  fe25519_sub(r, r, &operand);
}
/*
 * r = x + y mod p. Limbs are added without carry, then reduce_add_sub
 * propagates carries and folds the overflow above 2^255 back in. r may
 * alias x or y since each limb is read before it is written.
 */
void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y)
{
  int i = 0;
  while (i < 32) {
    r->v[i] = x->v[i] + y->v[i];
    i++;
  }
  reduce_add_sub(r);
}
/*
 * r = x - y mod p. The constants 0x1da, 0x1fe (x30) and 0xfe are the
 * limb representation of 2p = 2^256 - 38; adding them to x before the
 * limb-wise subtraction keeps every difference non-negative in unsigned
 * arithmetic (for y in reduced limb range), so no borrow handling is
 * needed and the result is still congruent to x - y. reduce_add_sub then
 * normalizes the limbs. r may alias x or y.
 */
void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y)
{
  crypto_uint32 x_plus_2p[32];
  int i;
  for (i = 1; i < 31; i++) {
    x_plus_2p[i] = x->v[i] + 0x1fe;
  }
  x_plus_2p[0] = x->v[0] + 0x1da;
  x_plus_2p[31] = x->v[31] + 0xfe;
  for (i = 0; i < 32; i++) {
    r->v[i] = x_plus_2p[i] - y->v[i];
  }
  reduce_add_sub(r);
}
/*
 * r = x * y mod p. Schoolbook product of the 32 limbs into a 63-entry
 * accumulator, then the upper half is folded back with a factor of 38
 * (2^256 = 38 mod p) and reduce_mul normalizes the limbs. With inputs in
 * reduced range (limbs < 256) each accumulator entry is at most 32 *
 * 255^2, so neither the sum nor times38 of it can wrap in 32 bits. The
 * product is built in a local buffer, so r may alias x and/or y (this is
 * what lets fe25519_square pass the same operand twice). Fixed loop
 * bounds, no data-dependent branches.
 */
void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y)
{
  crypto_uint32 acc[63] = {0};
  int i, j;
  for (i = 0; i < 32; i++) {
    for (j = 0; j < 32; j++) {
      acc[i + j] += x->v[i] * y->v[j];
    }
  }
  /* limbs 32..62 represent multiples of 2^256; fold them in times 38 */
  for (i = 0; i < 31; i++) {
    r->v[i] = acc[i] + times38(acc[i + 32]);
  }
  r->v[31] = acc[31];
  reduce_mul(r);
}
/*
 * r = x^2 mod p. Plain wrapper over fe25519_mul with both operands the
 * same; r may alias x because fe25519_mul accumulates into a local
 * buffer before writing r.
 */
void fe25519_square(fe25519 *r, const fe25519 *x)
{
  const fe25519 *operand = x;
  fe25519_mul(r, operand, operand);
}
/*
 * r = x^(p-2) = x^(2^255 - 21) mod p, the multiplicative inverse of x by
 * Fermat's little theorem (yields 0 for x = 0). Fixed addition chain of
 * squarings and multiplications, so the operation count and memory
 * access pattern do not depend on the value of x. Naming: z2_k_0 holds
 * x^(2^k - 1); t0/t1 are scratch, and each loop body performs two
 * squarings. x is only read before r is first written (the last line),
 * so r may alias x.
 */
void fe25519_invert(fe25519 *r, const fe25519 *x)
{
fe25519 z2;
fe25519 z9;
fe25519 z11;
fe25519 z2_5_0;
fe25519 z2_10_0;
fe25519 z2_20_0;
fe25519 z2_50_0;
fe25519 z2_100_0;
fe25519 t0;
fe25519 t1;
int i;
/* z2 = x^2, t1 = x^4, t0 = x^8 */
fe25519_square(&z2,x);
fe25519_square(&t1,&z2);
fe25519_square(&t0,&t1);
/* z9 = x^9, z11 = x^11 */
fe25519_mul(&z9,&t0,x);
fe25519_mul(&z11,&z9,&z2);
/* t0 = x^22, z2_5_0 = x^31 = x^(2^5 - 1) */
fe25519_square(&t0,&z11);
fe25519_mul(&z2_5_0,&t0,&z9);
/* 5 squarings: t0 = x^(2^10 - 2^5); z2_10_0 = x^(2^10 - 1) */
fe25519_square(&t0,&z2_5_0);
fe25519_square(&t1,&t0);
fe25519_square(&t0,&t1);
fe25519_square(&t1,&t0);
fe25519_square(&t0,&t1);
fe25519_mul(&z2_10_0,&t0,&z2_5_0);
/* 10 squarings: t1 = x^(2^20 - 2^10); z2_20_0 = x^(2^20 - 1) */
fe25519_square(&t0,&z2_10_0);
fe25519_square(&t1,&t0);
for (i = 2;i < 10;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
fe25519_mul(&z2_20_0,&t1,&z2_10_0);
/* 20 squarings: t1 = x^(2^40 - 2^20); t0 = x^(2^40 - 1) */
fe25519_square(&t0,&z2_20_0);
fe25519_square(&t1,&t0);
for (i = 2;i < 20;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
fe25519_mul(&t0,&t1,&z2_20_0);
/* 10 squarings: t0 = x^(2^50 - 2^10); z2_50_0 = x^(2^50 - 1) */
fe25519_square(&t1,&t0);
fe25519_square(&t0,&t1);
for (i = 2;i < 10;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
fe25519_mul(&z2_50_0,&t0,&z2_10_0);
/* 50 squarings: t1 = x^(2^100 - 2^50); z2_100_0 = x^(2^100 - 1) */
fe25519_square(&t0,&z2_50_0);
fe25519_square(&t1,&t0);
for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
fe25519_mul(&z2_100_0,&t1,&z2_50_0);
/* 100 squarings: t0 = x^(2^200 - 2^100); t1 = x^(2^200 - 1) */
fe25519_square(&t1,&z2_100_0);
fe25519_square(&t0,&t1);
for (i = 2;i < 100;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
fe25519_mul(&t1,&t0,&z2_100_0);
/* 50 squarings: t1 = x^(2^250 - 2^50); t0 = x^(2^250 - 1) */
fe25519_square(&t0,&t1);
fe25519_square(&t1,&t0);
for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
fe25519_mul(&t0,&t1,&z2_50_0);
/* 5 squarings: t1 = x^(2^255 - 2^5); times x^11 gives x^(2^255 - 21) */
fe25519_square(&t1,&t0);
fe25519_square(&t0,&t1);
fe25519_square(&t1,&t0);
fe25519_square(&t0,&t1);
fe25519_square(&t1,&t0);
fe25519_mul(r,&t1,&z11);
}
/*
 * r = x^((p-5)/8) = x^(2^252 - 3) mod p. Fixed addition chain of
 * squarings and multiplications, so the operation count does not depend
 * on the value of x. Naming: z2_k_0 holds x^(2^k - 1); t is the single
 * scratch variable and is squared in place, which relies on
 * fe25519_square/fe25519_mul tolerating r == x (they accumulate into a
 * local buffer). x is read again at the very end, so r must NOT alias x.
 */
void fe25519_pow2523(fe25519 *r, const fe25519 *x)
{
fe25519 z2;
fe25519 z9;
fe25519 z11;
fe25519 z2_5_0;
fe25519 z2_10_0;
fe25519 z2_20_0;
fe25519 z2_50_0;
fe25519 z2_100_0;
fe25519 t;
int i;
/* z2 = x^2, t = x^8, z9 = x^9, z11 = x^11 */
fe25519_square(&z2,x);
fe25519_square(&t,&z2);
fe25519_square(&t,&t);
fe25519_mul(&z9,&t,x);
fe25519_mul(&z11,&z9,&z2);
/* t = x^22; z2_5_0 = x^31 = x^(2^5 - 1) */
fe25519_square(&t,&z11);
fe25519_mul(&z2_5_0,&t,&z9);
/* 5 squarings then multiply: z2_10_0 = x^(2^10 - 1) */
fe25519_square(&t,&z2_5_0);
for (i = 1;i < 5;i++) { fe25519_square(&t,&t); }
fe25519_mul(&z2_10_0,&t,&z2_5_0);
/* 10 squarings then multiply: z2_20_0 = x^(2^20 - 1) */
fe25519_square(&t,&z2_10_0);
for (i = 1;i < 10;i++) { fe25519_square(&t,&t); }
fe25519_mul(&z2_20_0,&t,&z2_10_0);
/* 20 squarings then multiply: t = x^(2^40 - 1) */
fe25519_square(&t,&z2_20_0);
for (i = 1;i < 20;i++) { fe25519_square(&t,&t); }
fe25519_mul(&t,&t,&z2_20_0);
/* 10 squarings then multiply: z2_50_0 = x^(2^50 - 1) */
fe25519_square(&t,&t);
for (i = 1;i < 10;i++) { fe25519_square(&t,&t); }
fe25519_mul(&z2_50_0,&t,&z2_10_0);
/* 50 squarings then multiply: z2_100_0 = x^(2^100 - 1) */
fe25519_square(&t,&z2_50_0);
for (i = 1;i < 50;i++) { fe25519_square(&t,&t); }
fe25519_mul(&z2_100_0,&t,&z2_50_0);
/* 100 squarings then multiply: t = x^(2^200 - 1) */
fe25519_square(&t,&z2_100_0);
for (i = 1;i < 100;i++) { fe25519_square(&t,&t); }
fe25519_mul(&t,&t,&z2_100_0);
/* 50 squarings then multiply: t = x^(2^250 - 1) */
fe25519_square(&t,&t);
for (i = 1;i < 50;i++) { fe25519_square(&t,&t); }
fe25519_mul(&t,&t,&z2_50_0);
/* 2 squarings: t = x^(2^252 - 4); times x gives x^(2^252 - 3) */
fe25519_square(&t,&t);
fe25519_square(&t,&t);
fe25519_mul(r,&t,x);
}