lokinet/crypto/include/sodium/private/ed25519_ref10_fe_25_5.h
2018-10-23 07:29:37 -04:00

1051 lines
28 KiB
C

#include <string.h>
#include <sodium/private/common.h>
#include <sodium/utils.h>
/*
h = 0
*/
static inline void
fe25519_0(fe25519 h)
{
memset(&h[0], 0, 10 * sizeof h[0]);
}
/*
h = 1
*/
static inline void
fe25519_1(fe25519 h)
{
h[0] = 1;
h[1] = 0;
memset(&h[2], 0, 8 * sizeof h[0]);
}
/*
h = f + g
Can overlap h with f or g.
*
Preconditions:
|f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
*
Postconditions:
|h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
static inline void
fe25519_add(fe25519 h, const fe25519 f, const fe25519 g)
{
int32_t h0 = f[0] + g[0];
int32_t h1 = f[1] + g[1];
int32_t h2 = f[2] + g[2];
int32_t h3 = f[3] + g[3];
int32_t h4 = f[4] + g[4];
int32_t h5 = f[5] + g[5];
int32_t h6 = f[6] + g[6];
int32_t h7 = f[7] + g[7];
int32_t h8 = f[8] + g[8];
int32_t h9 = f[9] + g[9];
h[0] = h0;
h[1] = h1;
h[2] = h2;
h[3] = h3;
h[4] = h4;
h[5] = h5;
h[6] = h6;
h[7] = h7;
h[8] = h8;
h[9] = h9;
}
/*
h = f - g
Can overlap h with f or g.
*
Preconditions:
|f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
*
Postconditions:
|h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
static void
fe25519_sub(fe25519 h, const fe25519 f, const fe25519 g)
{
int32_t h0 = f[0] - g[0];
int32_t h1 = f[1] - g[1];
int32_t h2 = f[2] - g[2];
int32_t h3 = f[3] - g[3];
int32_t h4 = f[4] - g[4];
int32_t h5 = f[5] - g[5];
int32_t h6 = f[6] - g[6];
int32_t h7 = f[7] - g[7];
int32_t h8 = f[8] - g[8];
int32_t h9 = f[9] - g[9];
h[0] = h0;
h[1] = h1;
h[2] = h2;
h[3] = h3;
h[4] = h4;
h[5] = h5;
h[6] = h6;
h[7] = h7;
h[8] = h8;
h[9] = h9;
}
/*
h = -f
*
Preconditions:
|f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
*
Postconditions:
|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
*/
static inline void
fe25519_neg(fe25519 h, const fe25519 f)
{
int32_t h0 = -f[0];
int32_t h1 = -f[1];
int32_t h2 = -f[2];
int32_t h3 = -f[3];
int32_t h4 = -f[4];
int32_t h5 = -f[5];
int32_t h6 = -f[6];
int32_t h7 = -f[7];
int32_t h8 = -f[8];
int32_t h9 = -f[9];
h[0] = h0;
h[1] = h1;
h[2] = h2;
h[3] = h3;
h[4] = h4;
h[5] = h5;
h[6] = h6;
h[7] = h7;
h[8] = h8;
h[9] = h9;
}
/*
Replace (f,g) with (g,g) if b == 1;
replace (f,g) with (f,g) if b == 0.
*
Preconditions: b in {0,1}.
*/
static void
fe25519_cmov(fe25519 f, const fe25519 g, unsigned int b)
{
const uint32_t mask = (uint32_t)(-(int32_t)b);
int32_t f0 = f[0];
int32_t f1 = f[1];
int32_t f2 = f[2];
int32_t f3 = f[3];
int32_t f4 = f[4];
int32_t f5 = f[5];
int32_t f6 = f[6];
int32_t f7 = f[7];
int32_t f8 = f[8];
int32_t f9 = f[9];
int32_t x0 = f0 ^ g[0];
int32_t x1 = f1 ^ g[1];
int32_t x2 = f2 ^ g[2];
int32_t x3 = f3 ^ g[3];
int32_t x4 = f4 ^ g[4];
int32_t x5 = f5 ^ g[5];
int32_t x6 = f6 ^ g[6];
int32_t x7 = f7 ^ g[7];
int32_t x8 = f8 ^ g[8];
int32_t x9 = f9 ^ g[9];
x0 &= mask;
x1 &= mask;
x2 &= mask;
x3 &= mask;
x4 &= mask;
x5 &= mask;
x6 &= mask;
x7 &= mask;
x8 &= mask;
x9 &= mask;
f[0] = f0 ^ x0;
f[1] = f1 ^ x1;
f[2] = f2 ^ x2;
f[3] = f3 ^ x3;
f[4] = f4 ^ x4;
f[5] = f5 ^ x5;
f[6] = f6 ^ x6;
f[7] = f7 ^ x7;
f[8] = f8 ^ x8;
f[9] = f9 ^ x9;
}
static void
fe25519_cswap(fe25519 f, fe25519 g, unsigned int b)
{
const uint32_t mask = (uint32_t)(-(int64_t)b);
int32_t f0 = f[0];
int32_t f1 = f[1];
int32_t f2 = f[2];
int32_t f3 = f[3];
int32_t f4 = f[4];
int32_t f5 = f[5];
int32_t f6 = f[6];
int32_t f7 = f[7];
int32_t f8 = f[8];
int32_t f9 = f[9];
int32_t g0 = g[0];
int32_t g1 = g[1];
int32_t g2 = g[2];
int32_t g3 = g[3];
int32_t g4 = g[4];
int32_t g5 = g[5];
int32_t g6 = g[6];
int32_t g7 = g[7];
int32_t g8 = g[8];
int32_t g9 = g[9];
int32_t x0 = f0 ^ g0;
int32_t x1 = f1 ^ g1;
int32_t x2 = f2 ^ g2;
int32_t x3 = f3 ^ g3;
int32_t x4 = f4 ^ g4;
int32_t x5 = f5 ^ g5;
int32_t x6 = f6 ^ g6;
int32_t x7 = f7 ^ g7;
int32_t x8 = f8 ^ g8;
int32_t x9 = f9 ^ g9;
x0 &= mask;
x1 &= mask;
x2 &= mask;
x3 &= mask;
x4 &= mask;
x5 &= mask;
x6 &= mask;
x7 &= mask;
x8 &= mask;
x9 &= mask;
f[0] = f0 ^ x0;
f[1] = f1 ^ x1;
f[2] = f2 ^ x2;
f[3] = f3 ^ x3;
f[4] = f4 ^ x4;
f[5] = f5 ^ x5;
f[6] = f6 ^ x6;
f[7] = f7 ^ x7;
f[8] = f8 ^ x8;
f[9] = f9 ^ x9;
g[0] = g0 ^ x0;
g[1] = g1 ^ x1;
g[2] = g2 ^ x2;
g[3] = g3 ^ x3;
g[4] = g4 ^ x4;
g[5] = g5 ^ x5;
g[6] = g6 ^ x6;
g[7] = g7 ^ x7;
g[8] = g8 ^ x8;
g[9] = g9 ^ x9;
}
/*
h = f
*/
static inline void
fe25519_copy(fe25519 h, const fe25519 f)
{
int32_t f0 = f[0];
int32_t f1 = f[1];
int32_t f2 = f[2];
int32_t f3 = f[3];
int32_t f4 = f[4];
int32_t f5 = f[5];
int32_t f6 = f[6];
int32_t f7 = f[7];
int32_t f8 = f[8];
int32_t f9 = f[9];
h[0] = f0;
h[1] = f1;
h[2] = f2;
h[3] = f3;
h[4] = f4;
h[5] = f5;
h[6] = f6;
h[7] = f7;
h[8] = f8;
h[9] = f9;
}
/*
return 1 if f is in {1,3,5,...,q-2}
return 0 if f is in {0,2,4,...,q-1}
Preconditions:
|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
static inline int
fe25519_isnegative(const fe25519 f)
{
unsigned char s[32];
fe25519_tobytes(s, f);
return s[0] & 1;
}
/*
return 1 if f == 0
return 0 if f != 0
Preconditions:
|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
static inline int
fe25519_iszero(const fe25519 f)
{
unsigned char s[32];
fe25519_tobytes(s, f);
return sodium_is_zero(s, 32);
}
/*
h = f * g
Can overlap h with f or g.
*
Preconditions:
|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
|g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
*
Postconditions:
|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
*/
/*
Notes on implementation strategy:
*
Using schoolbook multiplication.
Karatsuba would save a little in some cost models.
*
Most multiplications by 2 and 19 are 32-bit precomputations;
cheaper than 64-bit postcomputations.
*
There is one remaining multiplication by 19 in the carry chain;
one *19 precomputation can be merged into this,
but the resulting data flow is considerably less clean.
*
There are 12 carries below.
10 of them are 2-way parallelizable and vectorizable.
Can get away with 11 carries, but then data flow is much deeper.
*
With tighter constraints on inputs can squeeze carries into int32.
*/
static void
fe25519_mul(fe25519 h, const fe25519 f, const fe25519 g)
{
int32_t f0 = f[0];
int32_t f1 = f[1];
int32_t f2 = f[2];
int32_t f3 = f[3];
int32_t f4 = f[4];
int32_t f5 = f[5];
int32_t f6 = f[6];
int32_t f7 = f[7];
int32_t f8 = f[8];
int32_t f9 = f[9];
int32_t g0 = g[0];
int32_t g1 = g[1];
int32_t g2 = g[2];
int32_t g3 = g[3];
int32_t g4 = g[4];
int32_t g5 = g[5];
int32_t g6 = g[6];
int32_t g7 = g[7];
int32_t g8 = g[8];
int32_t g9 = g[9];
int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
int32_t g3_19 = 19 * g3;
int32_t g4_19 = 19 * g4;
int32_t g5_19 = 19 * g5;
int32_t g6_19 = 19 * g6;
int32_t g7_19 = 19 * g7;
int32_t g8_19 = 19 * g8;
int32_t g9_19 = 19 * g9;
int32_t f1_2 = 2 * f1;
int32_t f3_2 = 2 * f3;
int32_t f5_2 = 2 * f5;
int32_t f7_2 = 2 * f7;
int32_t f9_2 = 2 * f9;
int64_t f0g0 = f0 * (int64_t)g0;
int64_t f0g1 = f0 * (int64_t)g1;
int64_t f0g2 = f0 * (int64_t)g2;
int64_t f0g3 = f0 * (int64_t)g3;
int64_t f0g4 = f0 * (int64_t)g4;
int64_t f0g5 = f0 * (int64_t)g5;
int64_t f0g6 = f0 * (int64_t)g6;
int64_t f0g7 = f0 * (int64_t)g7;
int64_t f0g8 = f0 * (int64_t)g8;
int64_t f0g9 = f0 * (int64_t)g9;
int64_t f1g0 = f1 * (int64_t)g0;
int64_t f1g1_2 = f1_2 * (int64_t)g1;
int64_t f1g2 = f1 * (int64_t)g2;
int64_t f1g3_2 = f1_2 * (int64_t)g3;
int64_t f1g4 = f1 * (int64_t)g4;
int64_t f1g5_2 = f1_2 * (int64_t)g5;
int64_t f1g6 = f1 * (int64_t)g6;
int64_t f1g7_2 = f1_2 * (int64_t)g7;
int64_t f1g8 = f1 * (int64_t)g8;
int64_t f1g9_38 = f1_2 * (int64_t)g9_19;
int64_t f2g0 = f2 * (int64_t)g0;
int64_t f2g1 = f2 * (int64_t)g1;
int64_t f2g2 = f2 * (int64_t)g2;
int64_t f2g3 = f2 * (int64_t)g3;
int64_t f2g4 = f2 * (int64_t)g4;
int64_t f2g5 = f2 * (int64_t)g5;
int64_t f2g6 = f2 * (int64_t)g6;
int64_t f2g7 = f2 * (int64_t)g7;
int64_t f2g8_19 = f2 * (int64_t)g8_19;
int64_t f2g9_19 = f2 * (int64_t)g9_19;
int64_t f3g0 = f3 * (int64_t)g0;
int64_t f3g1_2 = f3_2 * (int64_t)g1;
int64_t f3g2 = f3 * (int64_t)g2;
int64_t f3g3_2 = f3_2 * (int64_t)g3;
int64_t f3g4 = f3 * (int64_t)g4;
int64_t f3g5_2 = f3_2 * (int64_t)g5;
int64_t f3g6 = f3 * (int64_t)g6;
int64_t f3g7_38 = f3_2 * (int64_t)g7_19;
int64_t f3g8_19 = f3 * (int64_t)g8_19;
int64_t f3g9_38 = f3_2 * (int64_t)g9_19;
int64_t f4g0 = f4 * (int64_t)g0;
int64_t f4g1 = f4 * (int64_t)g1;
int64_t f4g2 = f4 * (int64_t)g2;
int64_t f4g3 = f4 * (int64_t)g3;
int64_t f4g4 = f4 * (int64_t)g4;
int64_t f4g5 = f4 * (int64_t)g5;
int64_t f4g6_19 = f4 * (int64_t)g6_19;
int64_t f4g7_19 = f4 * (int64_t)g7_19;
int64_t f4g8_19 = f4 * (int64_t)g8_19;
int64_t f4g9_19 = f4 * (int64_t)g9_19;
int64_t f5g0 = f5 * (int64_t)g0;
int64_t f5g1_2 = f5_2 * (int64_t)g1;
int64_t f5g2 = f5 * (int64_t)g2;
int64_t f5g3_2 = f5_2 * (int64_t)g3;
int64_t f5g4 = f5 * (int64_t)g4;
int64_t f5g5_38 = f5_2 * (int64_t)g5_19;
int64_t f5g6_19 = f5 * (int64_t)g6_19;
int64_t f5g7_38 = f5_2 * (int64_t)g7_19;
int64_t f5g8_19 = f5 * (int64_t)g8_19;
int64_t f5g9_38 = f5_2 * (int64_t)g9_19;
int64_t f6g0 = f6 * (int64_t)g0;
int64_t f6g1 = f6 * (int64_t)g1;
int64_t f6g2 = f6 * (int64_t)g2;
int64_t f6g3 = f6 * (int64_t)g3;
int64_t f6g4_19 = f6 * (int64_t)g4_19;
int64_t f6g5_19 = f6 * (int64_t)g5_19;
int64_t f6g6_19 = f6 * (int64_t)g6_19;
int64_t f6g7_19 = f6 * (int64_t)g7_19;
int64_t f6g8_19 = f6 * (int64_t)g8_19;
int64_t f6g9_19 = f6 * (int64_t)g9_19;
int64_t f7g0 = f7 * (int64_t)g0;
int64_t f7g1_2 = f7_2 * (int64_t)g1;
int64_t f7g2 = f7 * (int64_t)g2;
int64_t f7g3_38 = f7_2 * (int64_t)g3_19;
int64_t f7g4_19 = f7 * (int64_t)g4_19;
int64_t f7g5_38 = f7_2 * (int64_t)g5_19;
int64_t f7g6_19 = f7 * (int64_t)g6_19;
int64_t f7g7_38 = f7_2 * (int64_t)g7_19;
int64_t f7g8_19 = f7 * (int64_t)g8_19;
int64_t f7g9_38 = f7_2 * (int64_t)g9_19;
int64_t f8g0 = f8 * (int64_t)g0;
int64_t f8g1 = f8 * (int64_t)g1;
int64_t f8g2_19 = f8 * (int64_t)g2_19;
int64_t f8g3_19 = f8 * (int64_t)g3_19;
int64_t f8g4_19 = f8 * (int64_t)g4_19;
int64_t f8g5_19 = f8 * (int64_t)g5_19;
int64_t f8g6_19 = f8 * (int64_t)g6_19;
int64_t f8g7_19 = f8 * (int64_t)g7_19;
int64_t f8g8_19 = f8 * (int64_t)g8_19;
int64_t f8g9_19 = f8 * (int64_t)g9_19;
int64_t f9g0 = f9 * (int64_t)g0;
int64_t f9g1_38 = f9_2 * (int64_t)g1_19;
int64_t f9g2_19 = f9 * (int64_t)g2_19;
int64_t f9g3_38 = f9_2 * (int64_t)g3_19;
int64_t f9g4_19 = f9 * (int64_t)g4_19;
int64_t f9g5_38 = f9_2 * (int64_t)g5_19;
int64_t f9g6_19 = f9 * (int64_t)g6_19;
int64_t f9g7_38 = f9_2 * (int64_t)g7_19;
int64_t f9g8_19 = f9 * (int64_t)g8_19;
int64_t f9g9_38 = f9_2 * (int64_t)g9_19;
int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19
+ f7g3_38 + f8g2_19 + f9g1_38;
int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19
+ f7g4_19 + f8g3_19 + f9g2_19;
int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19
+ f7g5_38 + f8g4_19 + f9g3_38;
int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19
+ f8g5_19 + f9g4_19;
int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19
+ f7g7_38 + f8g6_19 + f9g5_38;
int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19
+ f8g7_19 + f9g6_19;
int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38
+ f8g8_19 + f9g7_38;
int64_t h7 =
f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19;
int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2
+ f8g0 + f9g9_38;
int64_t h9 =
f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0;
int64_t carry0;
int64_t carry1;
int64_t carry2;
int64_t carry3;
int64_t carry4;
int64_t carry5;
int64_t carry6;
int64_t carry7;
int64_t carry8;
int64_t carry9;
/*
|h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
|h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
*/
carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
h1 += carry0;
h0 -= carry0 * ((uint64_t)1L << 26);
carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
h5 += carry4;
h4 -= carry4 * ((uint64_t)1L << 26);
/* |h0| <= 2^25 */
/* |h4| <= 2^25 */
/* |h1| <= 1.71*2^59 */
/* |h5| <= 1.71*2^59 */
carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
h2 += carry1;
h1 -= carry1 * ((uint64_t)1L << 25);
carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
h6 += carry5;
h5 -= carry5 * ((uint64_t)1L << 25);
/* |h1| <= 2^24; from now on fits into int32 */
/* |h5| <= 2^24; from now on fits into int32 */
/* |h2| <= 1.41*2^60 */
/* |h6| <= 1.41*2^60 */
carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
h3 += carry2;
h2 -= carry2 * ((uint64_t)1L << 26);
carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
h7 += carry6;
h6 -= carry6 * ((uint64_t)1L << 26);
/* |h2| <= 2^25; from now on fits into int32 unchanged */
/* |h6| <= 2^25; from now on fits into int32 unchanged */
/* |h3| <= 1.71*2^59 */
/* |h7| <= 1.71*2^59 */
carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
h4 += carry3;
h3 -= carry3 * ((uint64_t)1L << 25);
carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
h8 += carry7;
h7 -= carry7 * ((uint64_t)1L << 25);
/* |h3| <= 2^24; from now on fits into int32 unchanged */
/* |h7| <= 2^24; from now on fits into int32 unchanged */
/* |h4| <= 1.72*2^34 */
/* |h8| <= 1.41*2^60 */
carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
h5 += carry4;
h4 -= carry4 * ((uint64_t)1L << 26);
carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
h9 += carry8;
h8 -= carry8 * ((uint64_t)1L << 26);
/* |h4| <= 2^25; from now on fits into int32 unchanged */
/* |h8| <= 2^25; from now on fits into int32 unchanged */
/* |h5| <= 1.01*2^24 */
/* |h9| <= 1.71*2^59 */
carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
h0 += carry9 * 19;
h9 -= carry9 * ((uint64_t)1L << 25);
/* |h9| <= 2^24; from now on fits into int32 unchanged */
/* |h0| <= 1.1*2^39 */
carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
h1 += carry0;
h0 -= carry0 * ((uint64_t)1L << 26);
/* |h0| <= 2^25; from now on fits into int32 unchanged */
/* |h1| <= 1.01*2^24 */
h[0] = (int32_t)h0;
h[1] = (int32_t)h1;
h[2] = (int32_t)h2;
h[3] = (int32_t)h3;
h[4] = (int32_t)h4;
h[5] = (int32_t)h5;
h[6] = (int32_t)h6;
h[7] = (int32_t)h7;
h[8] = (int32_t)h8;
h[9] = (int32_t)h9;
}
/*
h = f * f
Can overlap h with f.
*
Preconditions:
|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
*
Postconditions:
|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
*/
static void
fe25519_sq(fe25519 h, const fe25519 f)
{
int32_t f0 = f[0];
int32_t f1 = f[1];
int32_t f2 = f[2];
int32_t f3 = f[3];
int32_t f4 = f[4];
int32_t f5 = f[5];
int32_t f6 = f[6];
int32_t f7 = f[7];
int32_t f8 = f[8];
int32_t f9 = f[9];
int32_t f0_2 = 2 * f0;
int32_t f1_2 = 2 * f1;
int32_t f2_2 = 2 * f2;
int32_t f3_2 = 2 * f3;
int32_t f4_2 = 2 * f4;
int32_t f5_2 = 2 * f5;
int32_t f6_2 = 2 * f6;
int32_t f7_2 = 2 * f7;
int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
int64_t f0f0 = f0 * (int64_t)f0;
int64_t f0f1_2 = f0_2 * (int64_t)f1;
int64_t f0f2_2 = f0_2 * (int64_t)f2;
int64_t f0f3_2 = f0_2 * (int64_t)f3;
int64_t f0f4_2 = f0_2 * (int64_t)f4;
int64_t f0f5_2 = f0_2 * (int64_t)f5;
int64_t f0f6_2 = f0_2 * (int64_t)f6;
int64_t f0f7_2 = f0_2 * (int64_t)f7;
int64_t f0f8_2 = f0_2 * (int64_t)f8;
int64_t f0f9_2 = f0_2 * (int64_t)f9;
int64_t f1f1_2 = f1_2 * (int64_t)f1;
int64_t f1f2_2 = f1_2 * (int64_t)f2;
int64_t f1f3_4 = f1_2 * (int64_t)f3_2;
int64_t f1f4_2 = f1_2 * (int64_t)f4;
int64_t f1f5_4 = f1_2 * (int64_t)f5_2;
int64_t f1f6_2 = f1_2 * (int64_t)f6;
int64_t f1f7_4 = f1_2 * (int64_t)f7_2;
int64_t f1f8_2 = f1_2 * (int64_t)f8;
int64_t f1f9_76 = f1_2 * (int64_t)f9_38;
int64_t f2f2 = f2 * (int64_t)f2;
int64_t f2f3_2 = f2_2 * (int64_t)f3;
int64_t f2f4_2 = f2_2 * (int64_t)f4;
int64_t f2f5_2 = f2_2 * (int64_t)f5;
int64_t f2f6_2 = f2_2 * (int64_t)f6;
int64_t f2f7_2 = f2_2 * (int64_t)f7;
int64_t f2f8_38 = f2_2 * (int64_t)f8_19;
int64_t f2f9_38 = f2 * (int64_t)f9_38;
int64_t f3f3_2 = f3_2 * (int64_t)f3;
int64_t f3f4_2 = f3_2 * (int64_t)f4;
int64_t f3f5_4 = f3_2 * (int64_t)f5_2;
int64_t f3f6_2 = f3_2 * (int64_t)f6;
int64_t f3f7_76 = f3_2 * (int64_t)f7_38;
int64_t f3f8_38 = f3_2 * (int64_t)f8_19;
int64_t f3f9_76 = f3_2 * (int64_t)f9_38;
int64_t f4f4 = f4 * (int64_t)f4;
int64_t f4f5_2 = f4_2 * (int64_t)f5;
int64_t f4f6_38 = f4_2 * (int64_t)f6_19;
int64_t f4f7_38 = f4 * (int64_t)f7_38;
int64_t f4f8_38 = f4_2 * (int64_t)f8_19;
int64_t f4f9_38 = f4 * (int64_t)f9_38;
int64_t f5f5_38 = f5 * (int64_t)f5_38;
int64_t f5f6_38 = f5_2 * (int64_t)f6_19;
int64_t f5f7_76 = f5_2 * (int64_t)f7_38;
int64_t f5f8_38 = f5_2 * (int64_t)f8_19;
int64_t f5f9_76 = f5_2 * (int64_t)f9_38;
int64_t f6f6_19 = f6 * (int64_t)f6_19;
int64_t f6f7_38 = f6 * (int64_t)f7_38;
int64_t f6f8_38 = f6_2 * (int64_t)f8_19;
int64_t f6f9_38 = f6 * (int64_t)f9_38;
int64_t f7f7_38 = f7 * (int64_t)f7_38;
int64_t f7f8_38 = f7_2 * (int64_t)f8_19;
int64_t f7f9_76 = f7_2 * (int64_t)f9_38;
int64_t f8f8_19 = f8 * (int64_t)f8_19;
int64_t f8f9_38 = f8 * (int64_t)f9_38;
int64_t f9f9_38 = f9 * (int64_t)f9_38;
int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
int64_t carry0;
int64_t carry1;
int64_t carry2;
int64_t carry3;
int64_t carry4;
int64_t carry5;
int64_t carry6;
int64_t carry7;
int64_t carry8;
int64_t carry9;
carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
h1 += carry0;
h0 -= carry0 * ((uint64_t)1L << 26);
carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
h5 += carry4;
h4 -= carry4 * ((uint64_t)1L << 26);
carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
h2 += carry1;
h1 -= carry1 * ((uint64_t)1L << 25);
carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
h6 += carry5;
h5 -= carry5 * ((uint64_t)1L << 25);
carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
h3 += carry2;
h2 -= carry2 * ((uint64_t)1L << 26);
carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
h7 += carry6;
h6 -= carry6 * ((uint64_t)1L << 26);
carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
h4 += carry3;
h3 -= carry3 * ((uint64_t)1L << 25);
carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
h8 += carry7;
h7 -= carry7 * ((uint64_t)1L << 25);
carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
h5 += carry4;
h4 -= carry4 * ((uint64_t)1L << 26);
carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
h9 += carry8;
h8 -= carry8 * ((uint64_t)1L << 26);
carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
h0 += carry9 * 19;
h9 -= carry9 * ((uint64_t)1L << 25);
carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
h1 += carry0;
h0 -= carry0 * ((uint64_t)1L << 26);
h[0] = (int32_t)h0;
h[1] = (int32_t)h1;
h[2] = (int32_t)h2;
h[3] = (int32_t)h3;
h[4] = (int32_t)h4;
h[5] = (int32_t)h5;
h[6] = (int32_t)h6;
h[7] = (int32_t)h7;
h[8] = (int32_t)h8;
h[9] = (int32_t)h9;
}
/*
h = 2 * f * f
Can overlap h with f.
*
Preconditions:
|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
*
Postconditions:
|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
*/
static void
fe25519_sq2(fe25519 h, const fe25519 f)
{
int32_t f0 = f[0];
int32_t f1 = f[1];
int32_t f2 = f[2];
int32_t f3 = f[3];
int32_t f4 = f[4];
int32_t f5 = f[5];
int32_t f6 = f[6];
int32_t f7 = f[7];
int32_t f8 = f[8];
int32_t f9 = f[9];
int32_t f0_2 = 2 * f0;
int32_t f1_2 = 2 * f1;
int32_t f2_2 = 2 * f2;
int32_t f3_2 = 2 * f3;
int32_t f4_2 = 2 * f4;
int32_t f5_2 = 2 * f5;
int32_t f6_2 = 2 * f6;
int32_t f7_2 = 2 * f7;
int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
int64_t f0f0 = f0 * (int64_t)f0;
int64_t f0f1_2 = f0_2 * (int64_t)f1;
int64_t f0f2_2 = f0_2 * (int64_t)f2;
int64_t f0f3_2 = f0_2 * (int64_t)f3;
int64_t f0f4_2 = f0_2 * (int64_t)f4;
int64_t f0f5_2 = f0_2 * (int64_t)f5;
int64_t f0f6_2 = f0_2 * (int64_t)f6;
int64_t f0f7_2 = f0_2 * (int64_t)f7;
int64_t f0f8_2 = f0_2 * (int64_t)f8;
int64_t f0f9_2 = f0_2 * (int64_t)f9;
int64_t f1f1_2 = f1_2 * (int64_t)f1;
int64_t f1f2_2 = f1_2 * (int64_t)f2;
int64_t f1f3_4 = f1_2 * (int64_t)f3_2;
int64_t f1f4_2 = f1_2 * (int64_t)f4;
int64_t f1f5_4 = f1_2 * (int64_t)f5_2;
int64_t f1f6_2 = f1_2 * (int64_t)f6;
int64_t f1f7_4 = f1_2 * (int64_t)f7_2;
int64_t f1f8_2 = f1_2 * (int64_t)f8;
int64_t f1f9_76 = f1_2 * (int64_t)f9_38;
int64_t f2f2 = f2 * (int64_t)f2;
int64_t f2f3_2 = f2_2 * (int64_t)f3;
int64_t f2f4_2 = f2_2 * (int64_t)f4;
int64_t f2f5_2 = f2_2 * (int64_t)f5;
int64_t f2f6_2 = f2_2 * (int64_t)f6;
int64_t f2f7_2 = f2_2 * (int64_t)f7;
int64_t f2f8_38 = f2_2 * (int64_t)f8_19;
int64_t f2f9_38 = f2 * (int64_t)f9_38;
int64_t f3f3_2 = f3_2 * (int64_t)f3;
int64_t f3f4_2 = f3_2 * (int64_t)f4;
int64_t f3f5_4 = f3_2 * (int64_t)f5_2;
int64_t f3f6_2 = f3_2 * (int64_t)f6;
int64_t f3f7_76 = f3_2 * (int64_t)f7_38;
int64_t f3f8_38 = f3_2 * (int64_t)f8_19;
int64_t f3f9_76 = f3_2 * (int64_t)f9_38;
int64_t f4f4 = f4 * (int64_t)f4;
int64_t f4f5_2 = f4_2 * (int64_t)f5;
int64_t f4f6_38 = f4_2 * (int64_t)f6_19;
int64_t f4f7_38 = f4 * (int64_t)f7_38;
int64_t f4f8_38 = f4_2 * (int64_t)f8_19;
int64_t f4f9_38 = f4 * (int64_t)f9_38;
int64_t f5f5_38 = f5 * (int64_t)f5_38;
int64_t f5f6_38 = f5_2 * (int64_t)f6_19;
int64_t f5f7_76 = f5_2 * (int64_t)f7_38;
int64_t f5f8_38 = f5_2 * (int64_t)f8_19;
int64_t f5f9_76 = f5_2 * (int64_t)f9_38;
int64_t f6f6_19 = f6 * (int64_t)f6_19;
int64_t f6f7_38 = f6 * (int64_t)f7_38;
int64_t f6f8_38 = f6_2 * (int64_t)f8_19;
int64_t f6f9_38 = f6 * (int64_t)f9_38;
int64_t f7f7_38 = f7 * (int64_t)f7_38;
int64_t f7f8_38 = f7_2 * (int64_t)f8_19;
int64_t f7f9_76 = f7_2 * (int64_t)f9_38;
int64_t f8f8_19 = f8 * (int64_t)f8_19;
int64_t f8f9_38 = f8 * (int64_t)f9_38;
int64_t f9f9_38 = f9 * (int64_t)f9_38;
int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
int64_t carry0;
int64_t carry1;
int64_t carry2;
int64_t carry3;
int64_t carry4;
int64_t carry5;
int64_t carry6;
int64_t carry7;
int64_t carry8;
int64_t carry9;
h0 += h0;
h1 += h1;
h2 += h2;
h3 += h3;
h4 += h4;
h5 += h5;
h6 += h6;
h7 += h7;
h8 += h8;
h9 += h9;
carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
h1 += carry0;
h0 -= carry0 * ((uint64_t)1L << 26);
carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
h5 += carry4;
h4 -= carry4 * ((uint64_t)1L << 26);
carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
h2 += carry1;
h1 -= carry1 * ((uint64_t)1L << 25);
carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
h6 += carry5;
h5 -= carry5 * ((uint64_t)1L << 25);
carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
h3 += carry2;
h2 -= carry2 * ((uint64_t)1L << 26);
carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
h7 += carry6;
h6 -= carry6 * ((uint64_t)1L << 26);
carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
h4 += carry3;
h3 -= carry3 * ((uint64_t)1L << 25);
carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
h8 += carry7;
h7 -= carry7 * ((uint64_t)1L << 25);
carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
h5 += carry4;
h4 -= carry4 * ((uint64_t)1L << 26);
carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
h9 += carry8;
h8 -= carry8 * ((uint64_t)1L << 26);
carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
h0 += carry9 * 19;
h9 -= carry9 * ((uint64_t)1L << 25);
carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
h1 += carry0;
h0 -= carry0 * ((uint64_t)1L << 26);
h[0] = (int32_t)h0;
h[1] = (int32_t)h1;
h[2] = (int32_t)h2;
h[3] = (int32_t)h3;
h[4] = (int32_t)h4;
h[5] = (int32_t)h5;
h[6] = (int32_t)h6;
h[7] = (int32_t)h7;
h[8] = (int32_t)h8;
h[9] = (int32_t)h9;
}
static void
fe25519_scalar_product(fe25519 h, const fe25519 f, uint32_t n)
{
int64_t sn = (int64_t)n;
int32_t f0 = f[0];
int32_t f1 = f[1];
int32_t f2 = f[2];
int32_t f3 = f[3];
int32_t f4 = f[4];
int32_t f5 = f[5];
int32_t f6 = f[6];
int32_t f7 = f[7];
int32_t f8 = f[8];
int32_t f9 = f[9];
int64_t h0 = f0 * sn;
int64_t h1 = f1 * sn;
int64_t h2 = f2 * sn;
int64_t h3 = f3 * sn;
int64_t h4 = f4 * sn;
int64_t h5 = f5 * sn;
int64_t h6 = f6 * sn;
int64_t h7 = f7 * sn;
int64_t h8 = f8 * sn;
int64_t h9 = f9 * sn;
int64_t carry0, carry1, carry2, carry3, carry4, carry5, carry6, carry7,
carry8, carry9;
carry9 = (h9 + ((int64_t)1 << 24)) >> 25;
h0 += carry9 * 19;
h9 -= carry9 * ((int64_t)1 << 25);
carry1 = (h1 + ((int64_t)1 << 24)) >> 25;
h2 += carry1;
h1 -= carry1 * ((int64_t)1 << 25);
carry3 = (h3 + ((int64_t)1 << 24)) >> 25;
h4 += carry3;
h3 -= carry3 * ((int64_t)1 << 25);
carry5 = (h5 + ((int64_t)1 << 24)) >> 25;
h6 += carry5;
h5 -= carry5 * ((int64_t)1 << 25);
carry7 = (h7 + ((int64_t)1 << 24)) >> 25;
h8 += carry7;
h7 -= carry7 * ((int64_t)1 << 25);
carry0 = (h0 + ((int64_t)1 << 25)) >> 26;
h1 += carry0;
h0 -= carry0 * ((int64_t)1 << 26);
carry2 = (h2 + ((int64_t)1 << 25)) >> 26;
h3 += carry2;
h2 -= carry2 * ((int64_t)1 << 26);
carry4 = (h4 + ((int64_t)1 << 25)) >> 26;
h5 += carry4;
h4 -= carry4 * ((int64_t)1 << 26);
carry6 = (h6 + ((int64_t)1 << 25)) >> 26;
h7 += carry6;
h6 -= carry6 * ((int64_t)1 << 26);
carry8 = (h8 + ((int64_t)1 << 25)) >> 26;
h9 += carry8;
h8 -= carry8 * ((int64_t)1 << 26);
h[0] = (int32_t)h0;
h[1] = (int32_t)h1;
h[2] = (int32_t)h2;
h[3] = (int32_t)h3;
h[4] = (int32_t)h4;
h[5] = (int32_t)h5;
h[6] = (int32_t)h6;
h[7] = (int32_t)h7;
h[8] = (int32_t)h8;
h[9] = (int32_t)h9;
}