├── .gitignore ├── README.md ├── ed25519-supercop-ref10 ├── Makefile ├── api.h ├── base.h ├── base.py ├── base2.h ├── base2.py ├── crypto_hash_sha512.h ├── crypto_int32.h ├── crypto_int64.h ├── crypto_sign.h ├── crypto_uint32.h ├── crypto_uint64.h ├── crypto_verify_32.h ├── d.h ├── d.py ├── d2.h ├── d2.py ├── fe.h ├── fe_0.c ├── fe_1.c ├── fe_add.c ├── fe_cmov.c ├── fe_copy.c ├── fe_frombytes.c ├── fe_invert.c ├── fe_isnegative.c ├── fe_isnonzero.c ├── fe_mul.c ├── fe_neg.c ├── fe_pow22523.c ├── fe_sq.c ├── fe_sq2.c ├── fe_sub.c ├── fe_tobytes.c ├── ge.h ├── ge_add.c ├── ge_add.h ├── ge_add.q ├── ge_double_scalarmult.c ├── ge_frombytes.c ├── ge_madd.c ├── ge_madd.h ├── ge_madd.q ├── ge_msub.c ├── ge_msub.h ├── ge_msub.q ├── ge_p1p1_to_p2.c ├── ge_p1p1_to_p3.c ├── ge_p2_0.c ├── ge_p2_dbl.c ├── ge_p2_dbl.h ├── ge_p2_dbl.q ├── ge_p3_0.c ├── ge_p3_dbl.c ├── ge_p3_to_cached.c ├── ge_p3_to_p2.c ├── ge_p3_tobytes.c ├── ge_precomp_0.c ├── ge_scalarmult_base.c ├── ge_sub.c ├── ge_sub.h ├── ge_sub.q ├── ge_tobytes.c ├── keypair.c ├── open.c ├── pow22523.h ├── pow22523.q ├── pow225521.h ├── pow225521.q ├── publickey.c ├── q2h.sh ├── sc.h ├── sc_muladd.c ├── sc_reduce.c ├── sha512-blocks.c ├── sha512-hash.c ├── sha512.h ├── sign.c ├── sqrtm1.h ├── sqrtm1.py └── verify.c ├── keccakf.c ├── keccakf.h └── main.c /.gitignore: -------------------------------------------------------------------------------- 1 | main 2 | 3 | # Object files 4 | *.o 5 | *.ko 6 | *.obj 7 | *.elf 8 | 9 | # Precompiled Headers 10 | *.gch 11 | *.pch 12 | 13 | # Libraries 14 | *.lib 15 | *.a 16 | *.la 17 | *.lo 18 | 19 | # Shared objects (inc. 
Windows DLLs) 20 | *.dll 21 | *.so 22 | *.so.* 23 | *.dylib 24 | 25 | # Executables 26 | *.exe 27 | *.out 28 | *.app 29 | *.i*86 30 | *.x86_64 31 | *.hex 32 | 33 | # Debug files 34 | *.dSYM/ 35 | *.su 36 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # oniongen-c 2 | 3 | v3 .onion vanity URL generator written in C 4 | 5 | ## Usage 6 | 7 | Compile ed25519 objects: 8 | ``` 9 | cd ed25519-supercop-ref10 ; gcc -std=c99 -Wall -pedantic -c $(find . -name '*.c' -a ! -name 'keypair.c') ; cd .. 10 | ``` 11 | 12 | Compile and run: 13 | ``` 14 | gcc -std=c99 -Wall -pedantic -o main *.c ed25519-supercop-ref10/*.o && ./main 15 | ``` 16 | 17 | ## TODO 18 | 19 | ### Short term 20 | 21 | Replicate functionality of [oniongen-go](https://github.com/rdkr/oniongen-go): 22 | 23 | - [ ] Makefile 24 | - [ ] ed25519 25 | - [x] sha3 26 | - [ ] base32 27 | - [ ] regex 28 | - [ ] cli arguments 29 | - [ ] parallelise 30 | 31 | ### Longer term 32 | 33 | Parallelise using CUDA: 34 | 35 | - [ ] locally (GeForce) 36 | - [ ] AWS cluster (Tesla) 37 | 38 | ## References 39 | 40 | ### v3 onion addresses 41 | 42 | * tor-dev mailing list discussion - https://lists.torproject.org/pipermail/tor-dev/2017-January/011883.html 43 | 44 | ### sha3 45 | 46 | * NIST FIPS SHA3 specification - http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf 47 | * A C implementation - https://github.com/brainhub/SHA3IUF 48 | * Official keccak implementation collection - https://github.com/gvanas/KeccakCodePackage 49 | * A Python implementation - https://github.com/moshekaplan/python-sha3/blob/master/python_sha3.py 50 | 51 | 52 | ### ed25519 53 | 54 | * IETF RFC on EdDSA - https://tools.ietf.org/html/rfc8032 55 | * Bernstein paper - http://ed25519.cr.yp.to/ed25519-20110926.pdf 56 | * Warner blog on keys and implementations - https://blog.mozilla.org/warner/2011/11/29/ed25519-keys/ 57 | * 
supercop-ref10 implementation - https://github.com/warner/python-ed25519/tree/ref10 58 | 59 | ## Acknowledgements 60 | 61 | * keccakf implementation - https://github.com/brainhub/SHA3IUF 62 | * ed25519 implementation - https://github.com/warner/python-ed25519/tree/ref10 63 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/Makefile: -------------------------------------------------------------------------------- 1 | all: d.h d2.h sqrtm1.h base.h base2.h \ 2 | ge_add.h ge_sub.h \ 3 | ge_madd.h ge_msub.h \ 4 | ge_p2_dbl.h \ 5 | pow225521.h pow22523.h 6 | 7 | d.h: d.py 8 | python d.py > d.h 9 | 10 | d2.h: d2.py 11 | python d2.py > d2.h 12 | 13 | sqrtm1.h: sqrtm1.py 14 | python sqrtm1.py > sqrtm1.h 15 | 16 | base.h: base.py 17 | python base.py > base.h 18 | 19 | base2.h: base2.py 20 | python base2.py > base2.h 21 | 22 | ge_add.h: ge_add.q q2h.sh 23 | ./q2h.sh < ge_add.q > ge_add.h 24 | 25 | ge_sub.h: ge_sub.q q2h.sh 26 | ./q2h.sh < ge_sub.q > ge_sub.h 27 | 28 | ge_madd.h: ge_madd.q q2h.sh 29 | ./q2h.sh < ge_madd.q > ge_madd.h 30 | 31 | ge_msub.h: ge_msub.q q2h.sh 32 | ./q2h.sh < ge_msub.q > ge_msub.h 33 | 34 | ge_p2_dbl.h: ge_p2_dbl.q q2h.sh 35 | ./q2h.sh < ge_p2_dbl.q > ge_p2_dbl.h 36 | 37 | pow22523.h: pow22523.q q2h.sh 38 | ./q2h.sh < pow22523.q > pow22523.h 39 | 40 | pow225521.h: pow225521.q q2h.sh 41 | ./q2h.sh < pow225521.q > pow225521.h 42 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_SECRETKEYBYTES 64 2 | #define CRYPTO_PUBLICKEYBYTES 32 3 | #define CRYPTO_BYTES 64 4 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/base.py: -------------------------------------------------------------------------------- 1 | b = 256 2 | q = 2**255 - 19 3 | l = 2**252 + 
27742317777372353535851937790883648493 4 | 5 | def expmod(b,e,m): 6 | if e == 0: return 1 7 | t = expmod(b,e/2,m)**2 % m 8 | if e & 1: t = (t*b) % m 9 | return t 10 | 11 | def inv(x): 12 | return expmod(x,q-2,q) 13 | 14 | d = -121665 * inv(121666) 15 | I = expmod(2,(q-1)/4,q) 16 | 17 | def xrecover(y): 18 | xx = (y*y-1) * inv(d*y*y+1) 19 | x = expmod(xx,(q+3)/8,q) 20 | if (x*x - xx) % q != 0: x = (x*I) % q 21 | if x % 2 != 0: x = q-x 22 | return x 23 | 24 | By = 4 * inv(5) 25 | Bx = xrecover(By) 26 | B = [Bx % q,By % q] 27 | 28 | def edwards(P,Q): 29 | x1 = P[0] 30 | y1 = P[1] 31 | x2 = Q[0] 32 | y2 = Q[1] 33 | x3 = (x1*y2+x2*y1) * inv(1+d*x1*x2*y1*y2) 34 | y3 = (y1*y2+x1*x2) * inv(1-d*x1*x2*y1*y2) 35 | return [x3 % q,y3 % q] 36 | 37 | def radix255(x): 38 | x = x % q 39 | if x + x > q: x -= q 40 | x = [x,0,0,0,0,0,0,0,0,0] 41 | bits = [26,25,26,25,26,25,26,25,26,25] 42 | for i in range(9): 43 | carry = (x[i] + 2**(bits[i]-1)) / 2**bits[i] 44 | x[i] -= carry * 2**bits[i] 45 | x[i + 1] += carry 46 | result = "" 47 | for i in range(9): 48 | result = result+str(x[i])+"," 49 | result = result+str(x[9]) 50 | return result 51 | 52 | Bi = B 53 | for i in range(32): 54 | print "{" 55 | Bij = Bi 56 | for j in range(8): 57 | print " {" 58 | print " {",radix255(Bij[1]+Bij[0]),"}," 59 | print " {",radix255(Bij[1]-Bij[0]),"}," 60 | print " {",radix255(2*d*Bij[0]*Bij[1]),"}," 61 | Bij = edwards(Bij,Bi) 62 | print " }," 63 | print "}," 64 | for k in range(8): 65 | Bi = edwards(Bi,Bi) 66 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/base2.h: -------------------------------------------------------------------------------- 1 | { 2 | { 25967493,-14356035,29566456,3660896,-12694345,4014787,27544626,-11754271,-6079156,2047605 }, 3 | { -12545711,934262,-2722910,3049990,-727428,9406986,12720692,5043384,19500929,-15469378 }, 4 | { -8738181,4489570,9688441,-14785194,10184609,-12363380,29287919,11864899,-24514362,-4438546 }, 5 | }, 
6 | { 7 | { 15636291,-9688557,24204773,-7912398,616977,-16685262,27787600,-14772189,28944400,-1550024 }, 8 | { 16568933,4717097,-11556148,-1102322,15682896,-11807043,16354577,-11775962,7689662,11199574 }, 9 | { 30464156,-5976125,-11779434,-15670865,23220365,15915852,7512774,10017326,-17749093,-9920357 }, 10 | }, 11 | { 12 | { 10861363,11473154,27284546,1981175,-30064349,12577861,32867885,14515107,-15438304,10819380 }, 13 | { 4708026,6336745,20377586,9066809,-11272109,6594696,-25653668,12483688,-12668491,5581306 }, 14 | { 19563160,16186464,-29386857,4097519,10237984,-4348115,28542350,13850243,-23678021,-15815942 }, 15 | }, 16 | { 17 | { 5153746,9909285,1723747,-2777874,30523605,5516873,19480852,5230134,-23952439,-15175766 }, 18 | { -30269007,-3463509,7665486,10083793,28475525,1649722,20654025,16520125,30598449,7715701 }, 19 | { 28881845,14381568,9657904,3680757,-20181635,7843316,-31400660,1370708,29794553,-1409300 }, 20 | }, 21 | { 22 | { -22518993,-6692182,14201702,-8745502,-23510406,8844726,18474211,-1361450,-13062696,13821877 }, 23 | { -6455177,-7839871,3374702,-4740862,-27098617,-10571707,31655028,-7212327,18853322,-14220951 }, 24 | { 4566830,-12963868,-28974889,-12240689,-7602672,-2830569,-8514358,-10431137,2207753,-3209784 }, 25 | }, 26 | { 27 | { -25154831,-4185821,29681144,7868801,-6854661,-9423865,-12437364,-663000,-31111463,-16132436 }, 28 | { 25576264,-2703214,7349804,-11814844,16472782,9300885,3844789,15725684,171356,6466918 }, 29 | { 23103977,13316479,9739013,-16149481,817875,-15038942,8965339,-14088058,-30714912,16193877 }, 30 | }, 31 | { 32 | { -33521811,3180713,-2394130,14003687,-16903474,-16270840,17238398,4729455,-18074513,9256800 }, 33 | { -25182317,-4174131,32336398,5036987,-21236817,11360617,22616405,9761698,-19827198,630305 }, 34 | { -13720693,2639453,-24237460,-7406481,9494427,-5774029,-6554551,-15960994,-2449256,-14291300 }, 35 | }, 36 | { 37 | { -3151181,-5046075,9282714,6866145,-31907062,-863023,-18940575,15033784,25105118,-7894876 }, 38 | 
{ -24326370,15950226,-31801215,-14592823,-11662737,-5090925,1573892,-2625887,2198790,-15804619 }, 39 | { -3099351,10324967,-2241613,7453183,-5446979,-2735503,-13812022,-16236442,-32461234,-12290683 }, 40 | }, 41 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/base2.py: -------------------------------------------------------------------------------- 1 | b = 256 2 | q = 2**255 - 19 3 | l = 2**252 + 27742317777372353535851937790883648493 4 | 5 | def expmod(b,e,m): 6 | if e == 0: return 1 7 | t = expmod(b,e/2,m)**2 % m 8 | if e & 1: t = (t*b) % m 9 | return t 10 | 11 | def inv(x): 12 | return expmod(x,q-2,q) 13 | 14 | d = -121665 * inv(121666) 15 | I = expmod(2,(q-1)/4,q) 16 | 17 | def xrecover(y): 18 | xx = (y*y-1) * inv(d*y*y+1) 19 | x = expmod(xx,(q+3)/8,q) 20 | if (x*x - xx) % q != 0: x = (x*I) % q 21 | if x % 2 != 0: x = q-x 22 | return x 23 | 24 | By = 4 * inv(5) 25 | Bx = xrecover(By) 26 | B = [Bx % q,By % q] 27 | 28 | def edwards(P,Q): 29 | x1 = P[0] 30 | y1 = P[1] 31 | x2 = Q[0] 32 | y2 = Q[1] 33 | x3 = (x1*y2+x2*y1) * inv(1+d*x1*x2*y1*y2) 34 | y3 = (y1*y2+x1*x2) * inv(1-d*x1*x2*y1*y2) 35 | return [x3 % q,y3 % q] 36 | 37 | def radix255(x): 38 | x = x % q 39 | if x + x > q: x -= q 40 | x = [x,0,0,0,0,0,0,0,0,0] 41 | bits = [26,25,26,25,26,25,26,25,26,25] 42 | for i in range(9): 43 | carry = (x[i] + 2**(bits[i]-1)) / 2**bits[i] 44 | x[i] -= carry * 2**bits[i] 45 | x[i + 1] += carry 46 | result = "" 47 | for i in range(9): 48 | result = result+str(x[i])+"," 49 | result = result+str(x[9]) 50 | return result 51 | 52 | Bi = B 53 | 54 | for i in range(8): 55 | print " {" 56 | print " {",radix255(Bi[1]+Bi[0]),"}," 57 | print " {",radix255(Bi[1]-Bi[0]),"}," 58 | print " {",radix255(2*d*Bi[0]*Bi[1]),"}," 59 | print " }," 60 | Bi = edwards(B,edwards(B,Bi)) 61 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/crypto_hash_sha512.h: 
-------------------------------------------------------------------------------- 1 | #include "sha512.h" 2 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/crypto_int32.h: -------------------------------------------------------------------------------- 1 | #ifndef crypto_int32_h 2 | #define crypto_int32_h 3 | 4 | typedef int crypto_int32; 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/crypto_int64.h: -------------------------------------------------------------------------------- 1 | #ifndef crypto_int64_h 2 | #define crypto_int64_h 3 | 4 | typedef long long crypto_int64; 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/crypto_sign.h: -------------------------------------------------------------------------------- 1 | #ifndef crypto_sign_edwards25519sha512batch_H 2 | #define crypto_sign_edwards25519sha512batch_H 3 | 4 | #define SECRETKEYBYTES 64 5 | #define PUBLICKEYBYTES 32 6 | #define SIGNATUREBYTES 64 7 | 8 | extern int crypto_sign(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *); 9 | extern int crypto_sign_open(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *); 10 | extern int crypto_sign_keypair(unsigned char *,unsigned char *); 11 | extern int crypto_sign_publickey(unsigned char *pk, unsigned char *sk, unsigned char *seed); 12 | 13 | #endif 14 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/crypto_uint32.h: -------------------------------------------------------------------------------- 1 | #ifndef crypto_uint32_h 2 | #define crypto_uint32_h 3 | 4 | typedef unsigned int crypto_uint32; 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- 
/ed25519-supercop-ref10/crypto_uint64.h: -------------------------------------------------------------------------------- 1 | #ifndef crypto_uint64_h 2 | #define crypto_uint64_h 3 | 4 | typedef unsigned long long crypto_uint64; 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/crypto_verify_32.h: -------------------------------------------------------------------------------- 1 | #ifndef crypto_verify_32_H 2 | #define crypto_verify_32_H 3 | 4 | #define crypto_verify_32_ref_BYTES 32 5 | extern int crypto_verify_32(const unsigned char *,const unsigned char *); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/d.h: -------------------------------------------------------------------------------- 1 | -10913610,13857413,-15372611,6949391,114729,-8787816,-6275908,-3247719,-18696448,-12055116 2 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/d.py: -------------------------------------------------------------------------------- 1 | q = 2**255 - 19 2 | 3 | def expmod(b,e,m): 4 | if e == 0: return 1 5 | t = expmod(b,e/2,m)**2 % m 6 | if e & 1: t = (t*b) % m 7 | return t 8 | 9 | def inv(x): 10 | return expmod(x,q-2,q) 11 | 12 | def radix255(x): 13 | x = x % q 14 | if x + x > q: x -= q 15 | x = [x,0,0,0,0,0,0,0,0,0] 16 | bits = [26,25,26,25,26,25,26,25,26,25] 17 | for i in range(9): 18 | carry = (x[i] + 2**(bits[i]-1)) / 2**bits[i] 19 | x[i] -= carry * 2**bits[i] 20 | x[i + 1] += carry 21 | result = "" 22 | for i in range(9): 23 | result = result+str(x[i])+"," 24 | result = result+str(x[9]) 25 | return result 26 | 27 | d = -121665 * inv(121666) 28 | print radix255(d) 29 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/d2.h: -------------------------------------------------------------------------------- 1 | 
-21827239,-5839606,-30745221,13898782,229458,15978800,-12551817,-6495438,29715968,9444199 2 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/d2.py: -------------------------------------------------------------------------------- 1 | q = 2**255 - 19 2 | 3 | def expmod(b,e,m): 4 | if e == 0: return 1 5 | t = expmod(b,e/2,m)**2 % m 6 | if e & 1: t = (t*b) % m 7 | return t 8 | 9 | def inv(x): 10 | return expmod(x,q-2,q) 11 | 12 | def radix255(x): 13 | x = x % q 14 | if x + x > q: x -= q 15 | x = [x,0,0,0,0,0,0,0,0,0] 16 | bits = [26,25,26,25,26,25,26,25,26,25] 17 | for i in range(9): 18 | carry = (x[i] + 2**(bits[i]-1)) / 2**bits[i] 19 | x[i] -= carry * 2**bits[i] 20 | x[i + 1] += carry 21 | result = "" 22 | for i in range(9): 23 | result = result+str(x[i])+"," 24 | result = result+str(x[9]) 25 | return result 26 | 27 | d = -121665 * inv(121666) 28 | print radix255(d*2) 29 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe.h: -------------------------------------------------------------------------------- 1 | #ifndef FE_H 2 | #define FE_H 3 | 4 | #include "crypto_int32.h" 5 | 6 | typedef crypto_int32 fe[10]; 7 | 8 | /* 9 | fe means field element. 10 | Here the field is \Z/(2^255-19). 11 | An element t, entries t[0]...t[9], represents the integer 12 | t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. 13 | Bounds on each t[i] vary depending on context. 
14 | */ 15 | 16 | #define fe_frombytes crypto_sign_ed25519_ref10_fe_frombytes 17 | #define fe_tobytes crypto_sign_ed25519_ref10_fe_tobytes 18 | #define fe_copy crypto_sign_ed25519_ref10_fe_copy 19 | #define fe_isnonzero crypto_sign_ed25519_ref10_fe_isnonzero 20 | #define fe_isnegative crypto_sign_ed25519_ref10_fe_isnegative 21 | #define fe_0 crypto_sign_ed25519_ref10_fe_0 22 | #define fe_1 crypto_sign_ed25519_ref10_fe_1 23 | #define fe_cswap crypto_sign_ed25519_ref10_fe_cswap 24 | #define fe_cmov crypto_sign_ed25519_ref10_fe_cmov 25 | #define fe_add crypto_sign_ed25519_ref10_fe_add 26 | #define fe_sub crypto_sign_ed25519_ref10_fe_sub 27 | #define fe_neg crypto_sign_ed25519_ref10_fe_neg 28 | #define fe_mul crypto_sign_ed25519_ref10_fe_mul 29 | #define fe_sq crypto_sign_ed25519_ref10_fe_sq 30 | #define fe_sq2 crypto_sign_ed25519_ref10_fe_sq2 31 | #define fe_mul121666 crypto_sign_ed25519_ref10_fe_mul121666 32 | #define fe_invert crypto_sign_ed25519_ref10_fe_invert 33 | #define fe_pow22523 crypto_sign_ed25519_ref10_fe_pow22523 34 | 35 | extern void fe_frombytes(fe,const unsigned char *); 36 | extern void fe_tobytes(unsigned char *,const fe); 37 | 38 | extern void fe_copy(fe,const fe); 39 | extern int fe_isnonzero(const fe); 40 | extern int fe_isnegative(const fe); 41 | extern void fe_0(fe); 42 | extern void fe_1(fe); 43 | extern void fe_cswap(fe,fe,unsigned int); 44 | extern void fe_cmov(fe,const fe,unsigned int); 45 | 46 | extern void fe_add(fe,const fe,const fe); 47 | extern void fe_sub(fe,const fe,const fe); 48 | extern void fe_neg(fe,const fe); 49 | extern void fe_mul(fe,const fe,const fe); 50 | extern void fe_sq(fe,const fe); 51 | extern void fe_sq2(fe,const fe); 52 | extern void fe_mul121666(fe,const fe); 53 | extern void fe_invert(fe,const fe); 54 | extern void fe_pow22523(fe,const fe); 55 | 56 | #endif 57 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_0.c: 
-------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | h = 0 5 | */ 6 | 7 | void fe_0(fe h) 8 | { 9 | h[0] = 0; 10 | h[1] = 0; 11 | h[2] = 0; 12 | h[3] = 0; 13 | h[4] = 0; 14 | h[5] = 0; 15 | h[6] = 0; 16 | h[7] = 0; 17 | h[8] = 0; 18 | h[9] = 0; 19 | } 20 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_1.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | h = 1 5 | */ 6 | 7 | void fe_1(fe h) 8 | { 9 | h[0] = 1; 10 | h[1] = 0; 11 | h[2] = 0; 12 | h[3] = 0; 13 | h[4] = 0; 14 | h[5] = 0; 15 | h[6] = 0; 16 | h[7] = 0; 17 | h[8] = 0; 18 | h[9] = 0; 19 | } 20 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_add.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | h = f + g 5 | Can overlap h with f or g. 6 | 7 | Preconditions: 8 | |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 9 | |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 10 | 11 | Postconditions: 12 | |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 
13 | */ 14 | 15 | void fe_add(fe h,const fe f,const fe g) 16 | { 17 | crypto_int32 f0 = f[0]; 18 | crypto_int32 f1 = f[1]; 19 | crypto_int32 f2 = f[2]; 20 | crypto_int32 f3 = f[3]; 21 | crypto_int32 f4 = f[4]; 22 | crypto_int32 f5 = f[5]; 23 | crypto_int32 f6 = f[6]; 24 | crypto_int32 f7 = f[7]; 25 | crypto_int32 f8 = f[8]; 26 | crypto_int32 f9 = f[9]; 27 | crypto_int32 g0 = g[0]; 28 | crypto_int32 g1 = g[1]; 29 | crypto_int32 g2 = g[2]; 30 | crypto_int32 g3 = g[3]; 31 | crypto_int32 g4 = g[4]; 32 | crypto_int32 g5 = g[5]; 33 | crypto_int32 g6 = g[6]; 34 | crypto_int32 g7 = g[7]; 35 | crypto_int32 g8 = g[8]; 36 | crypto_int32 g9 = g[9]; 37 | crypto_int32 h0 = f0 + g0; 38 | crypto_int32 h1 = f1 + g1; 39 | crypto_int32 h2 = f2 + g2; 40 | crypto_int32 h3 = f3 + g3; 41 | crypto_int32 h4 = f4 + g4; 42 | crypto_int32 h5 = f5 + g5; 43 | crypto_int32 h6 = f6 + g6; 44 | crypto_int32 h7 = f7 + g7; 45 | crypto_int32 h8 = f8 + g8; 46 | crypto_int32 h9 = f9 + g9; 47 | h[0] = h0; 48 | h[1] = h1; 49 | h[2] = h2; 50 | h[3] = h3; 51 | h[4] = h4; 52 | h[5] = h5; 53 | h[6] = h6; 54 | h[7] = h7; 55 | h[8] = h8; 56 | h[9] = h9; 57 | } 58 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_cmov.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | Replace (f,g) with (g,g) if b == 1; 5 | replace (f,g) with (f,g) if b == 0. 6 | 7 | Preconditions: b in {0,1}. 
8 | */ 9 | 10 | void fe_cmov(fe f,const fe g,unsigned int b) 11 | { 12 | crypto_int32 f0 = f[0]; 13 | crypto_int32 f1 = f[1]; 14 | crypto_int32 f2 = f[2]; 15 | crypto_int32 f3 = f[3]; 16 | crypto_int32 f4 = f[4]; 17 | crypto_int32 f5 = f[5]; 18 | crypto_int32 f6 = f[6]; 19 | crypto_int32 f7 = f[7]; 20 | crypto_int32 f8 = f[8]; 21 | crypto_int32 f9 = f[9]; 22 | crypto_int32 g0 = g[0]; 23 | crypto_int32 g1 = g[1]; 24 | crypto_int32 g2 = g[2]; 25 | crypto_int32 g3 = g[3]; 26 | crypto_int32 g4 = g[4]; 27 | crypto_int32 g5 = g[5]; 28 | crypto_int32 g6 = g[6]; 29 | crypto_int32 g7 = g[7]; 30 | crypto_int32 g8 = g[8]; 31 | crypto_int32 g9 = g[9]; 32 | crypto_int32 x0 = f0 ^ g0; 33 | crypto_int32 x1 = f1 ^ g1; 34 | crypto_int32 x2 = f2 ^ g2; 35 | crypto_int32 x3 = f3 ^ g3; 36 | crypto_int32 x4 = f4 ^ g4; 37 | crypto_int32 x5 = f5 ^ g5; 38 | crypto_int32 x6 = f6 ^ g6; 39 | crypto_int32 x7 = f7 ^ g7; 40 | crypto_int32 x8 = f8 ^ g8; 41 | crypto_int32 x9 = f9 ^ g9; 42 | b = -b; 43 | x0 &= b; 44 | x1 &= b; 45 | x2 &= b; 46 | x3 &= b; 47 | x4 &= b; 48 | x5 &= b; 49 | x6 &= b; 50 | x7 &= b; 51 | x8 &= b; 52 | x9 &= b; 53 | f[0] = f0 ^ x0; 54 | f[1] = f1 ^ x1; 55 | f[2] = f2 ^ x2; 56 | f[3] = f3 ^ x3; 57 | f[4] = f4 ^ x4; 58 | f[5] = f5 ^ x5; 59 | f[6] = f6 ^ x6; 60 | f[7] = f7 ^ x7; 61 | f[8] = f8 ^ x8; 62 | f[9] = f9 ^ x9; 63 | } 64 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_copy.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | h = f 5 | */ 6 | 7 | void fe_copy(fe h,const fe f) 8 | { 9 | crypto_int32 f0 = f[0]; 10 | crypto_int32 f1 = f[1]; 11 | crypto_int32 f2 = f[2]; 12 | crypto_int32 f3 = f[3]; 13 | crypto_int32 f4 = f[4]; 14 | crypto_int32 f5 = f[5]; 15 | crypto_int32 f6 = f[6]; 16 | crypto_int32 f7 = f[7]; 17 | crypto_int32 f8 = f[8]; 18 | crypto_int32 f9 = f[9]; 19 | h[0] = f0; 20 | h[1] = f1; 21 | h[2] = f2; 22 | h[3] = f3; 23 | h[4] = 
f4; 24 | h[5] = f5; 25 | h[6] = f6; 26 | h[7] = f7; 27 | h[8] = f8; 28 | h[9] = f9; 29 | } 30 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_frombytes.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | #include "crypto_int64.h" 3 | #include "crypto_uint64.h" 4 | 5 | static crypto_uint64 load_3(const unsigned char *in) 6 | { 7 | crypto_uint64 result; 8 | result = (crypto_uint64) in[0]; 9 | result |= ((crypto_uint64) in[1]) << 8; 10 | result |= ((crypto_uint64) in[2]) << 16; 11 | return result; 12 | } 13 | 14 | static crypto_uint64 load_4(const unsigned char *in) 15 | { 16 | crypto_uint64 result; 17 | result = (crypto_uint64) in[0]; 18 | result |= ((crypto_uint64) in[1]) << 8; 19 | result |= ((crypto_uint64) in[2]) << 16; 20 | result |= ((crypto_uint64) in[3]) << 24; 21 | return result; 22 | } 23 | 24 | /* 25 | Ignores top bit of h. 26 | */ 27 | 28 | void fe_frombytes(fe h,const unsigned char *s) 29 | { 30 | crypto_int64 h0 = load_4(s); 31 | crypto_int64 h1 = load_3(s + 4) << 6; 32 | crypto_int64 h2 = load_3(s + 7) << 5; 33 | crypto_int64 h3 = load_3(s + 10) << 3; 34 | crypto_int64 h4 = load_3(s + 13) << 2; 35 | crypto_int64 h5 = load_4(s + 16); 36 | crypto_int64 h6 = load_3(s + 20) << 7; 37 | crypto_int64 h7 = load_3(s + 23) << 5; 38 | crypto_int64 h8 = load_3(s + 26) << 4; 39 | crypto_int64 h9 = (load_3(s + 29) & 8388607) << 2; 40 | crypto_int64 carry0; 41 | crypto_int64 carry1; 42 | crypto_int64 carry2; 43 | crypto_int64 carry3; 44 | crypto_int64 carry4; 45 | crypto_int64 carry5; 46 | crypto_int64 carry6; 47 | crypto_int64 carry7; 48 | crypto_int64 carry8; 49 | crypto_int64 carry9; 50 | 51 | carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; 52 | carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; 53 | carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; 54 | 
carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; 55 | carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; 56 | 57 | carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; 58 | carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; 59 | carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; 60 | carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; 61 | carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; 62 | 63 | h[0] = h0; 64 | h[1] = h1; 65 | h[2] = h2; 66 | h[3] = h3; 67 | h[4] = h4; 68 | h[5] = h5; 69 | h[6] = h6; 70 | h[7] = h7; 71 | h[8] = h8; 72 | h[9] = h9; 73 | } 74 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_invert.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | void fe_invert(fe out,const fe z) 4 | { 5 | fe t0; 6 | fe t1; 7 | fe t2; 8 | fe t3; 9 | int i; 10 | 11 | #include "pow225521.h" 12 | 13 | return; 14 | } 15 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_isnegative.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | return 1 if f is in {1,3,5,...,q-2} 5 | return 0 if f is in {0,2,4,...,q-1} 6 | 7 | Preconditions: 8 | |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 
9 | */ 10 | 11 | int fe_isnegative(const fe f) 12 | { 13 | unsigned char s[32]; 14 | fe_tobytes(s,f); 15 | return s[0] & 1; 16 | } 17 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_isnonzero.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | #include "crypto_verify_32.h" 3 | 4 | /* 5 | return 1 if f == 0 6 | return 0 if f != 0 7 | 8 | Preconditions: 9 | |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 10 | */ 11 | 12 | static const unsigned char zero[32]; 13 | 14 | int fe_isnonzero(const fe f) 15 | { 16 | unsigned char s[32]; 17 | fe_tobytes(s,f); 18 | return crypto_verify_32(s,zero); 19 | } 20 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_mul.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | #include "crypto_int64.h" 3 | 4 | /* 5 | h = f * g 6 | Can overlap h with f or g. 7 | 8 | Preconditions: 9 | |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. 10 | |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. 11 | 12 | Postconditions: 13 | |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. 14 | */ 15 | 16 | /* 17 | Notes on implementation strategy: 18 | 19 | Using schoolbook multiplication. 20 | Karatsuba would save a little in some cost models. 21 | 22 | Most multiplications by 2 and 19 are 32-bit precomputations; 23 | cheaper than 64-bit postcomputations. 24 | 25 | There is one remaining multiplication by 19 in the carry chain; 26 | one *19 precomputation can be merged into this, 27 | but the resulting data flow is considerably less clean. 28 | 29 | There are 12 carries below. 30 | 10 of them are 2-way parallelizable and vectorizable. 31 | Can get away with 11 carries, but then data flow is much deeper. 32 | 33 | With tighter constraints on inputs can squeeze carries into int32. 
34 | */ 35 | 36 | void fe_mul(fe h,const fe f,const fe g) 37 | { 38 | crypto_int32 f0 = f[0]; 39 | crypto_int32 f1 = f[1]; 40 | crypto_int32 f2 = f[2]; 41 | crypto_int32 f3 = f[3]; 42 | crypto_int32 f4 = f[4]; 43 | crypto_int32 f5 = f[5]; 44 | crypto_int32 f6 = f[6]; 45 | crypto_int32 f7 = f[7]; 46 | crypto_int32 f8 = f[8]; 47 | crypto_int32 f9 = f[9]; 48 | crypto_int32 g0 = g[0]; 49 | crypto_int32 g1 = g[1]; 50 | crypto_int32 g2 = g[2]; 51 | crypto_int32 g3 = g[3]; 52 | crypto_int32 g4 = g[4]; 53 | crypto_int32 g5 = g[5]; 54 | crypto_int32 g6 = g[6]; 55 | crypto_int32 g7 = g[7]; 56 | crypto_int32 g8 = g[8]; 57 | crypto_int32 g9 = g[9]; 58 | crypto_int32 g1_19 = 19 * g1; /* 1.959375*2^29 */ 59 | crypto_int32 g2_19 = 19 * g2; /* 1.959375*2^30; still ok */ 60 | crypto_int32 g3_19 = 19 * g3; 61 | crypto_int32 g4_19 = 19 * g4; 62 | crypto_int32 g5_19 = 19 * g5; 63 | crypto_int32 g6_19 = 19 * g6; 64 | crypto_int32 g7_19 = 19 * g7; 65 | crypto_int32 g8_19 = 19 * g8; 66 | crypto_int32 g9_19 = 19 * g9; 67 | crypto_int32 f1_2 = 2 * f1; 68 | crypto_int32 f3_2 = 2 * f3; 69 | crypto_int32 f5_2 = 2 * f5; 70 | crypto_int32 f7_2 = 2 * f7; 71 | crypto_int32 f9_2 = 2 * f9; 72 | crypto_int64 f0g0 = f0 * (crypto_int64) g0; 73 | crypto_int64 f0g1 = f0 * (crypto_int64) g1; 74 | crypto_int64 f0g2 = f0 * (crypto_int64) g2; 75 | crypto_int64 f0g3 = f0 * (crypto_int64) g3; 76 | crypto_int64 f0g4 = f0 * (crypto_int64) g4; 77 | crypto_int64 f0g5 = f0 * (crypto_int64) g5; 78 | crypto_int64 f0g6 = f0 * (crypto_int64) g6; 79 | crypto_int64 f0g7 = f0 * (crypto_int64) g7; 80 | crypto_int64 f0g8 = f0 * (crypto_int64) g8; 81 | crypto_int64 f0g9 = f0 * (crypto_int64) g9; 82 | crypto_int64 f1g0 = f1 * (crypto_int64) g0; 83 | crypto_int64 f1g1_2 = f1_2 * (crypto_int64) g1; 84 | crypto_int64 f1g2 = f1 * (crypto_int64) g2; 85 | crypto_int64 f1g3_2 = f1_2 * (crypto_int64) g3; 86 | crypto_int64 f1g4 = f1 * (crypto_int64) g4; 87 | crypto_int64 f1g5_2 = f1_2 * (crypto_int64) g5; 88 | crypto_int64 f1g6 = f1 
* (crypto_int64) g6; 89 | crypto_int64 f1g7_2 = f1_2 * (crypto_int64) g7; 90 | crypto_int64 f1g8 = f1 * (crypto_int64) g8; 91 | crypto_int64 f1g9_38 = f1_2 * (crypto_int64) g9_19; 92 | crypto_int64 f2g0 = f2 * (crypto_int64) g0; 93 | crypto_int64 f2g1 = f2 * (crypto_int64) g1; 94 | crypto_int64 f2g2 = f2 * (crypto_int64) g2; 95 | crypto_int64 f2g3 = f2 * (crypto_int64) g3; 96 | crypto_int64 f2g4 = f2 * (crypto_int64) g4; 97 | crypto_int64 f2g5 = f2 * (crypto_int64) g5; 98 | crypto_int64 f2g6 = f2 * (crypto_int64) g6; 99 | crypto_int64 f2g7 = f2 * (crypto_int64) g7; 100 | crypto_int64 f2g8_19 = f2 * (crypto_int64) g8_19; 101 | crypto_int64 f2g9_19 = f2 * (crypto_int64) g9_19; 102 | crypto_int64 f3g0 = f3 * (crypto_int64) g0; 103 | crypto_int64 f3g1_2 = f3_2 * (crypto_int64) g1; 104 | crypto_int64 f3g2 = f3 * (crypto_int64) g2; 105 | crypto_int64 f3g3_2 = f3_2 * (crypto_int64) g3; 106 | crypto_int64 f3g4 = f3 * (crypto_int64) g4; 107 | crypto_int64 f3g5_2 = f3_2 * (crypto_int64) g5; 108 | crypto_int64 f3g6 = f3 * (crypto_int64) g6; 109 | crypto_int64 f3g7_38 = f3_2 * (crypto_int64) g7_19; 110 | crypto_int64 f3g8_19 = f3 * (crypto_int64) g8_19; 111 | crypto_int64 f3g9_38 = f3_2 * (crypto_int64) g9_19; 112 | crypto_int64 f4g0 = f4 * (crypto_int64) g0; 113 | crypto_int64 f4g1 = f4 * (crypto_int64) g1; 114 | crypto_int64 f4g2 = f4 * (crypto_int64) g2; 115 | crypto_int64 f4g3 = f4 * (crypto_int64) g3; 116 | crypto_int64 f4g4 = f4 * (crypto_int64) g4; 117 | crypto_int64 f4g5 = f4 * (crypto_int64) g5; 118 | crypto_int64 f4g6_19 = f4 * (crypto_int64) g6_19; 119 | crypto_int64 f4g7_19 = f4 * (crypto_int64) g7_19; 120 | crypto_int64 f4g8_19 = f4 * (crypto_int64) g8_19; 121 | crypto_int64 f4g9_19 = f4 * (crypto_int64) g9_19; 122 | crypto_int64 f5g0 = f5 * (crypto_int64) g0; 123 | crypto_int64 f5g1_2 = f5_2 * (crypto_int64) g1; 124 | crypto_int64 f5g2 = f5 * (crypto_int64) g2; 125 | crypto_int64 f5g3_2 = f5_2 * (crypto_int64) g3; 126 | crypto_int64 f5g4 = f5 * (crypto_int64) g4; 
127 | crypto_int64 f5g5_38 = f5_2 * (crypto_int64) g5_19; 128 | crypto_int64 f5g6_19 = f5 * (crypto_int64) g6_19; 129 | crypto_int64 f5g7_38 = f5_2 * (crypto_int64) g7_19; 130 | crypto_int64 f5g8_19 = f5 * (crypto_int64) g8_19; 131 | crypto_int64 f5g9_38 = f5_2 * (crypto_int64) g9_19; 132 | crypto_int64 f6g0 = f6 * (crypto_int64) g0; 133 | crypto_int64 f6g1 = f6 * (crypto_int64) g1; 134 | crypto_int64 f6g2 = f6 * (crypto_int64) g2; 135 | crypto_int64 f6g3 = f6 * (crypto_int64) g3; 136 | crypto_int64 f6g4_19 = f6 * (crypto_int64) g4_19; 137 | crypto_int64 f6g5_19 = f6 * (crypto_int64) g5_19; 138 | crypto_int64 f6g6_19 = f6 * (crypto_int64) g6_19; 139 | crypto_int64 f6g7_19 = f6 * (crypto_int64) g7_19; 140 | crypto_int64 f6g8_19 = f6 * (crypto_int64) g8_19; 141 | crypto_int64 f6g9_19 = f6 * (crypto_int64) g9_19; 142 | crypto_int64 f7g0 = f7 * (crypto_int64) g0; 143 | crypto_int64 f7g1_2 = f7_2 * (crypto_int64) g1; 144 | crypto_int64 f7g2 = f7 * (crypto_int64) g2; 145 | crypto_int64 f7g3_38 = f7_2 * (crypto_int64) g3_19; 146 | crypto_int64 f7g4_19 = f7 * (crypto_int64) g4_19; 147 | crypto_int64 f7g5_38 = f7_2 * (crypto_int64) g5_19; 148 | crypto_int64 f7g6_19 = f7 * (crypto_int64) g6_19; 149 | crypto_int64 f7g7_38 = f7_2 * (crypto_int64) g7_19; 150 | crypto_int64 f7g8_19 = f7 * (crypto_int64) g8_19; 151 | crypto_int64 f7g9_38 = f7_2 * (crypto_int64) g9_19; 152 | crypto_int64 f8g0 = f8 * (crypto_int64) g0; 153 | crypto_int64 f8g1 = f8 * (crypto_int64) g1; 154 | crypto_int64 f8g2_19 = f8 * (crypto_int64) g2_19; 155 | crypto_int64 f8g3_19 = f8 * (crypto_int64) g3_19; 156 | crypto_int64 f8g4_19 = f8 * (crypto_int64) g4_19; 157 | crypto_int64 f8g5_19 = f8 * (crypto_int64) g5_19; 158 | crypto_int64 f8g6_19 = f8 * (crypto_int64) g6_19; 159 | crypto_int64 f8g7_19 = f8 * (crypto_int64) g7_19; 160 | crypto_int64 f8g8_19 = f8 * (crypto_int64) g8_19; 161 | crypto_int64 f8g9_19 = f8 * (crypto_int64) g9_19; 162 | crypto_int64 f9g0 = f9 * (crypto_int64) g0; 163 | crypto_int64 
f9g1_38 = f9_2 * (crypto_int64) g1_19; 164 | crypto_int64 f9g2_19 = f9 * (crypto_int64) g2_19; 165 | crypto_int64 f9g3_38 = f9_2 * (crypto_int64) g3_19; 166 | crypto_int64 f9g4_19 = f9 * (crypto_int64) g4_19; 167 | crypto_int64 f9g5_38 = f9_2 * (crypto_int64) g5_19; 168 | crypto_int64 f9g6_19 = f9 * (crypto_int64) g6_19; 169 | crypto_int64 f9g7_38 = f9_2 * (crypto_int64) g7_19; 170 | crypto_int64 f9g8_19 = f9 * (crypto_int64) g8_19; 171 | crypto_int64 f9g9_38 = f9_2 * (crypto_int64) g9_19; 172 | crypto_int64 h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38; 173 | crypto_int64 h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19; 174 | crypto_int64 h2 = f0g2+f1g1_2 +f2g0 +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38; 175 | crypto_int64 h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19; 176 | crypto_int64 h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38; 177 | crypto_int64 h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19; 178 | crypto_int64 h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38; 179 | crypto_int64 h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19; 180 | crypto_int64 h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 +f6g2 +f7g1_2 +f8g0 +f9g9_38; 181 | crypto_int64 h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ; 182 | crypto_int64 carry0; 183 | crypto_int64 carry1; 184 | crypto_int64 carry2; 185 | crypto_int64 carry3; 186 | crypto_int64 carry4; 187 | crypto_int64 carry5; 188 | crypto_int64 carry6; 189 | crypto_int64 carry7; 190 | crypto_int64 carry8; 191 | crypto_int64 carry9; 192 | 193 | /* 194 | |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38)) 195 | i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8 196 | |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19)) 197 | i.e. 
|h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 198 | */ 199 | 200 | carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; 201 | carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; 202 | /* |h0| <= 2^25 */ 203 | /* |h4| <= 2^25 */ 204 | /* |h1| <= 1.71*2^59 */ 205 | /* |h5| <= 1.71*2^59 */ 206 | 207 | carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; 208 | carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; 209 | /* |h1| <= 2^24; from now on fits into int32 */ 210 | /* |h5| <= 2^24; from now on fits into int32 */ 211 | /* |h2| <= 1.41*2^60 */ 212 | /* |h6| <= 1.41*2^60 */ 213 | 214 | carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; 215 | carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; 216 | /* |h2| <= 2^25; from now on fits into int32 unchanged */ 217 | /* |h6| <= 2^25; from now on fits into int32 unchanged */ 218 | /* |h3| <= 1.71*2^59 */ 219 | /* |h7| <= 1.71*2^59 */ 220 | 221 | carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; 222 | carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; 223 | /* |h3| <= 2^24; from now on fits into int32 unchanged */ 224 | /* |h7| <= 2^24; from now on fits into int32 unchanged */ 225 | /* |h4| <= 1.72*2^34 */ 226 | /* |h8| <= 1.41*2^60 */ 227 | 228 | carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; 229 | carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; 230 | /* |h4| <= 2^25; from now on fits into int32 unchanged */ 231 | /* |h8| <= 2^25; from now on fits into int32 unchanged */ 232 | /* |h5| <= 1.01*2^24 */ 233 | /* |h9| <= 1.71*2^59 */ 234 | 235 | carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; 236 | /* |h9| <= 2^24; from now on fits into int32 unchanged */ 237 | /* |h0| <= 1.1*2^39 */ 238 | 239 | 
carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
  /* |h0| <= 2^25; from now on fits into int32 unchanged */
  /* |h1| <= 1.01*2^24 */

  h[0] = h0;
  h[1] = h1;
  h[2] = h2;
  h[3] = h3;
  h[4] = h4;
  h[5] = h5;
  h[6] = h6;
  h[7] = h7;
  h[8] = h8;
  h[9] = h9;
}
-------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_neg.c: --------------------------------------------------------------------------------
#include "fe.h"

/*
h = -f
Can overlap h with f: every limb of f is loaded into a local before any
limb of h is stored.

Preconditions:
   |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Postconditions:
   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Limb-wise negation needs no carry and no reduction mod p: the bound is
symmetric, and at these magnitudes -f_i cannot overflow crypto_int32.
The function is straight-line (no branches, no data-dependent indexing),
so its running time does not depend on the value of f.
*/

void fe_neg(fe h,const fe f)
{
  /* Read all ten limbs first so that h == f is safe. */
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  crypto_int32 h0 = -f0;
  crypto_int32 h1 = -f1;
  crypto_int32 h2 = -f2;
  crypto_int32 h3 = -f3;
  crypto_int32 h4 = -f4;
  crypto_int32 h5 = -f5;
  crypto_int32 h6 = -f6;
  crypto_int32 h7 = -f7;
  crypto_int32 h8 = -f8;
  crypto_int32 h9 = -f9;
  h[0] = h0;
  h[1] = h1;
  h[2] = h2;
  h[3] = h3;
  h[4] = h4;
  h[5] = h5;
  h[6] = h6;
  h[7] = h7;
  h[8] = h8;
  h[9] = h9;
}
-------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_pow22523.c: --------------------------------------------------------------------------------
#include "fe.h"

/*
out = z^e for one fixed exponent e, evaluated by the generated addition
chain that is textually included from pow22523.h (not shown here; the
companion pow22523.q and q2h.sh in this directory look like its source
and generator).  t0, t1, t2 and i are the scratch variables that the
generated code expects to find in scope, so they must stay declared even
though nothing in this file references them directly.

NOTE(review): from the name, and by analogy with pow225521.h
(2^255-21 = p-2, the inversion exponent), e is presumably
2^252-3 = (p-5)/8, the power used in the square-root step of point
decompression -- confirm against pow22523.q before relying on it.

The chain is fixed (it does not depend on the value of z), so this is
constant-time as long as the fe_sq/fe_mul it presumably calls are.
*/

void fe_pow22523(fe out,const fe z)
{
  fe t0;
  fe t1;
  fe t2;
  int i;

#include "pow22523.h"

  return;
}
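-------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_sq.c: --------------------------------------------------------------------------------
#include "fe.h"
#include "crypto_int64.h"

/*
h = f * f
Can overlap h with f.

Preconditions:
   |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.

Postconditions:
   |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.

Security notes:
   - Straight-line code: no data-dependent branches or memory indices, so
     the running time does not depend on the (possibly secret) value of f,
     provided the CPU's 32x32->64 multiply is constant-time.
   - The carry chain relies on ">>" of a negative crypto_int64 being an
     arithmetic (sign-extending) shift.  That is implementation-defined in
     C; every mainstream compiler does it and the original ref10 code
     assumes it too.
   - Limb correction is written as "carry * 2^k" rather than the original
     "carry << k".  Carries here are frequently negative, and left-shifting
     a negative signed value is undefined behaviour in C99/C11.  The product
     is the same value on every platform where the shift worked, so this is
     a pure UB fix with no behavioural change.  (fe_mul.c in this tree still
     uses the shift form.)
*/

/*
See fe_mul.c for discussion of implementation strategy.
*/

void fe_sq(fe h,const fe f)
{
  /* Load all limbs before any store so that h == f is safe. */
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  /* Doubled limbs: cross terms f_i*f_j (i != j) appear twice in a square. */
  crypto_int32 f0_2 = 2 * f0;
  crypto_int32 f1_2 = 2 * f1;
  crypto_int32 f2_2 = 2 * f2;
  crypto_int32 f3_2 = 2 * f3;
  crypto_int32 f4_2 = 2 * f4;
  crypto_int32 f5_2 = 2 * f5;
  crypto_int32 f6_2 = 2 * f6;
  crypto_int32 f7_2 = 2 * f7;
  /* Pre-scaled by 19 (2^255 = 19 mod p) for terms that wrap past 2^255.
     The extra factor 2 on odd limbs comes from the 25/26-bit limb split. */
  crypto_int32 f5_38 = 38 * f5; /* 1.959375*2^30 */
  crypto_int32 f6_19 = 19 * f6; /* 1.959375*2^30 */
  crypto_int32 f7_38 = 38 * f7; /* 1.959375*2^30 */
  crypto_int32 f8_19 = 19 * f8; /* 1.959375*2^30 */
  crypto_int32 f9_38 = 38 * f9; /* 1.959375*2^30 */
  /* Every product is taken in 64 bits; the (crypto_int64) cast on one
     operand is what prevents a 32-bit overflow. */
  crypto_int64 f0f0    = f0   * (crypto_int64) f0;
  crypto_int64 f0f1_2  = f0_2 * (crypto_int64) f1;
  crypto_int64 f0f2_2  = f0_2 * (crypto_int64) f2;
  crypto_int64 f0f3_2  = f0_2 * (crypto_int64) f3;
  crypto_int64 f0f4_2  = f0_2 * (crypto_int64) f4;
  crypto_int64 f0f5_2  = f0_2 * (crypto_int64) f5;
  crypto_int64 f0f6_2  = f0_2 * (crypto_int64) f6;
  crypto_int64 f0f7_2  = f0_2 * (crypto_int64) f7;
  crypto_int64 f0f8_2  = f0_2 * (crypto_int64) f8;
  crypto_int64 f0f9_2  = f0_2 * (crypto_int64) f9;
  crypto_int64 f1f1_2  = f1_2 * (crypto_int64) f1;
  crypto_int64 f1f2_2  = f1_2 * (crypto_int64) f2;
  crypto_int64 f1f3_4  = f1_2 * (crypto_int64) f3_2;
  crypto_int64 f1f4_2  = f1_2 * (crypto_int64) f4;
  crypto_int64 f1f5_4  = f1_2 * (crypto_int64) f5_2;
  crypto_int64 f1f6_2  = f1_2 * (crypto_int64) f6;
  crypto_int64 f1f7_4  = f1_2 * (crypto_int64) f7_2;
  crypto_int64 f1f8_2  = f1_2 * (crypto_int64) f8;
  crypto_int64 f1f9_76 = f1_2 * (crypto_int64) f9_38;
  crypto_int64 f2f2    = f2   * (crypto_int64) f2;
  crypto_int64 f2f3_2  = f2_2 * (crypto_int64) f3;
  crypto_int64 f2f4_2  = f2_2 * (crypto_int64) f4;
  crypto_int64 f2f5_2  = f2_2 * (crypto_int64) f5;
  crypto_int64 f2f6_2  = f2_2 * (crypto_int64) f6;
  crypto_int64 f2f7_2  = f2_2 * (crypto_int64) f7;
  crypto_int64 f2f8_38 = f2_2 * (crypto_int64) f8_19;
  crypto_int64 f2f9_38 = f2   * (crypto_int64) f9_38;
  crypto_int64 f3f3_2  = f3_2 * (crypto_int64) f3;
  crypto_int64 f3f4_2  = f3_2 * (crypto_int64) f4;
  crypto_int64 f3f5_4  = f3_2 * (crypto_int64) f5_2;
  crypto_int64 f3f6_2  = f3_2 * (crypto_int64) f6;
  crypto_int64 f3f7_76 = f3_2 * (crypto_int64) f7_38;
  crypto_int64 f3f8_38 = f3_2 * (crypto_int64) f8_19;
  crypto_int64 f3f9_76 = f3_2 * (crypto_int64) f9_38;
  crypto_int64 f4f4    = f4   * (crypto_int64) f4;
  crypto_int64 f4f5_2  = f4_2 * (crypto_int64) f5;
  crypto_int64 f4f6_38 = f4_2 * (crypto_int64) f6_19;
  crypto_int64 f4f7_38 = f4   * (crypto_int64) f7_38;
  crypto_int64 f4f8_38 = f4_2 * (crypto_int64) f8_19;
  crypto_int64 f4f9_38 = f4   * (crypto_int64) f9_38;
  crypto_int64 f5f5_38 = f5   * (crypto_int64) f5_38;
  crypto_int64 f5f6_38 = f5_2 * (crypto_int64) f6_19;
  crypto_int64 f5f7_76 = f5_2 * (crypto_int64) f7_38;
  crypto_int64 f5f8_38 = f5_2 * (crypto_int64) f8_19;
  crypto_int64 f5f9_76 = f5_2 * (crypto_int64) f9_38;
  crypto_int64 f6f6_19 = f6   * (crypto_int64) f6_19;
  crypto_int64 f6f7_38 = f6   * (crypto_int64) f7_38;
  crypto_int64 f6f8_38 = f6_2 * (crypto_int64) f8_19;
  crypto_int64 f6f9_38 = f6   * (crypto_int64) f9_38;
  crypto_int64 f7f7_38 = f7   * (crypto_int64) f7_38;
  crypto_int64 f7f8_38 = f7_2 * (crypto_int64) f8_19;
  crypto_int64 f7f9_76 = f7_2 * (crypto_int64) f9_38;
  crypto_int64 f8f8_19 = f8   * (crypto_int64) f8_19;
  crypto_int64 f8f9_38 = f8   * (crypto_int64) f9_38;
  crypto_int64 f9f9_38 = f9   * (crypto_int64) f9_38;
  /* Unreduced coefficients of the square, already folded mod p. */
  crypto_int64 h0 = f0f0  +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38;
  crypto_int64 h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38;
  crypto_int64 h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19;
  crypto_int64 h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38;
  crypto_int64 h4 = f0f4_2+f1f3_4 +f2f2   +f5f9_76+f6f8_38+f7f7_38;
  crypto_int64 h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38;
  crypto_int64 h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19;
  crypto_int64 h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38;
  crypto_int64 h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4   +f9f9_38;
  crypto_int64 h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2;
  crypto_int64 carry0;
  crypto_int64 carry1;
  crypto_int64 carry2;
  crypto_int64 carry3;
  crypto_int64 carry4;
  crypto_int64 carry5;
  crypto_int64 carry6;
  crypto_int64 carry7;
  crypto_int64 carry8;
  crypto_int64 carry9;

  /* Carry chain.  Each step computes a round-to-nearest carry
     floor((h_i + 2^(k-1)) / 2^k) with k = 26 for even limbs and 25 for odd
     ones, pushes it into the next limb and subtracts carry*2^k here.  The
     interleaved (0,4),(1,5),... order matches fe_mul.c. */
  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 * (crypto_int64) (1<<26);
  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 * (crypto_int64) (1<<26);

  carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 * (crypto_int64) (1<<25);
  carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 * (crypto_int64) (1<<25);

  carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 * (crypto_int64) (1<<26);
  carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 * (crypto_int64) (1<<26);

  carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 * (crypto_int64) (1<<25);
  carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 * (crypto_int64) (1<<25);

  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 * (crypto_int64) (1<<26);
  carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 * (crypto_int64) (1<<26);

  /* The carry out of the top limb wraps around: 2^255 = 19 mod p. */
  carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * (crypto_int64) (1<<25);

  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 * (crypto_int64) (1<<26);

  /* Every limb now fits the postcondition, hence the narrowing to int32. */
  h[0] = h0;
  h[1] = h1;
  h[2] = h2;
  h[3] = h3;
  h[4] = h4;
  h[5] = h5;
  h[6] = h6;
  h[7] = h7;
  h[8] = h8;
  h[9] = h9;
}
-------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_sq2.c: --------------------------------------------------------------------------------
#include "fe.h"
#include "crypto_int64.h"

/*
h = 2 * f * f
Can overlap h with f.

Preconditions:
   |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.

Postconditions:
   |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.

Why a separate function rather than fe_sq followed by fe_add: doubling is
applied to the unreduced 64-bit coefficients *before* the carry chain, so
the output keeps fe_sq's tight bound instead of the one-bit-larger bound
fe_add would give.

Security notes are the same as for fe_sq: straight-line constant-time
code, arithmetic right shift assumed, and "carry * 2^k" used in place of
the original "carry << k" because left-shifting a negative signed value
is undefined behaviour in C99/C11 (same value, no behavioural change).
*/

/*
See fe_mul.c for discussion of implementation strategy.
*/

void fe_sq2(fe h,const fe f)
{
  /* Load all limbs before any store so that h == f is safe. */
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  /* Doubled limbs for the cross terms of the square. */
  crypto_int32 f0_2 = 2 * f0;
  crypto_int32 f1_2 = 2 * f1;
  crypto_int32 f2_2 = 2 * f2;
  crypto_int32 f3_2 = 2 * f3;
  crypto_int32 f4_2 = 2 * f4;
  crypto_int32 f5_2 = 2 * f5;
  crypto_int32 f6_2 = 2 * f6;
  crypto_int32 f7_2 = 2 * f7;
  /* Pre-scaled by 19 (2^255 = 19 mod p) for terms that wrap past 2^255. */
  crypto_int32 f5_38 = 38 * f5; /* 1.959375*2^30 */
  crypto_int32 f6_19 = 19 * f6; /* 1.959375*2^30 */
  crypto_int32 f7_38 = 38 * f7; /* 1.959375*2^30 */
  crypto_int32 f8_19 = 19 * f8; /* 1.959375*2^30 */
  crypto_int32 f9_38 = 38 * f9; /* 1.959375*2^30 */
  /* 64-bit products; the cast on one operand prevents 32-bit overflow. */
  crypto_int64 f0f0    = f0   * (crypto_int64) f0;
  crypto_int64 f0f1_2  = f0_2 * (crypto_int64) f1;
  crypto_int64 f0f2_2  = f0_2 * (crypto_int64) f2;
  crypto_int64 f0f3_2  = f0_2 * (crypto_int64) f3;
  crypto_int64 f0f4_2  = f0_2 * (crypto_int64) f4;
  crypto_int64 f0f5_2  = f0_2 * (crypto_int64) f5;
  crypto_int64 f0f6_2  = f0_2 * (crypto_int64) f6;
  crypto_int64 f0f7_2  = f0_2 * (crypto_int64) f7;
  crypto_int64 f0f8_2  = f0_2 * (crypto_int64) f8;
  crypto_int64 f0f9_2  = f0_2 * (crypto_int64) f9;
  crypto_int64 f1f1_2  = f1_2 * (crypto_int64) f1;
  crypto_int64 f1f2_2  = f1_2 * (crypto_int64) f2;
  crypto_int64 f1f3_4  = f1_2 * (crypto_int64) f3_2;
  crypto_int64 f1f4_2  = f1_2 * (crypto_int64) f4;
  crypto_int64 f1f5_4  = f1_2 * (crypto_int64) f5_2;
  crypto_int64 f1f6_2  = f1_2 * (crypto_int64) f6;
  crypto_int64 f1f7_4  = f1_2 * (crypto_int64) f7_2;
  crypto_int64 f1f8_2  = f1_2 * (crypto_int64) f8;
  crypto_int64 f1f9_76 = f1_2 * (crypto_int64) f9_38;
  crypto_int64 f2f2    = f2   * (crypto_int64) f2;
  crypto_int64 f2f3_2  = f2_2 * (crypto_int64) f3;
  crypto_int64 f2f4_2  = f2_2 * (crypto_int64) f4;
  crypto_int64 f2f5_2  = f2_2 * (crypto_int64) f5;
  crypto_int64 f2f6_2  = f2_2 * (crypto_int64) f6;
  crypto_int64 f2f7_2  = f2_2 * (crypto_int64) f7;
  crypto_int64 f2f8_38 = f2_2 * (crypto_int64) f8_19;
  crypto_int64 f2f9_38 = f2   * (crypto_int64) f9_38;
  crypto_int64 f3f3_2  = f3_2 * (crypto_int64) f3;
  crypto_int64 f3f4_2  = f3_2 * (crypto_int64) f4;
  crypto_int64 f3f5_4  = f3_2 * (crypto_int64) f5_2;
  crypto_int64 f3f6_2  = f3_2 * (crypto_int64) f6;
  crypto_int64 f3f7_76 = f3_2 * (crypto_int64) f7_38;
  crypto_int64 f3f8_38 = f3_2 * (crypto_int64) f8_19;
  crypto_int64 f3f9_76 = f3_2 * (crypto_int64) f9_38;
  crypto_int64 f4f4    = f4   * (crypto_int64) f4;
  crypto_int64 f4f5_2  = f4_2 * (crypto_int64) f5;
  crypto_int64 f4f6_38 = f4_2 * (crypto_int64) f6_19;
  crypto_int64 f4f7_38 = f4   * (crypto_int64) f7_38;
  crypto_int64 f4f8_38 = f4_2 * (crypto_int64) f8_19;
  crypto_int64 f4f9_38 = f4   * (crypto_int64) f9_38;
  crypto_int64 f5f5_38 = f5   * (crypto_int64) f5_38;
  crypto_int64 f5f6_38 = f5_2 * (crypto_int64) f6_19;
  crypto_int64 f5f7_76 = f5_2 * (crypto_int64) f7_38;
  crypto_int64 f5f8_38 = f5_2 * (crypto_int64) f8_19;
  crypto_int64 f5f9_76 = f5_2 * (crypto_int64) f9_38;
  crypto_int64 f6f6_19 = f6   * (crypto_int64) f6_19;
  crypto_int64 f6f7_38 = f6   * (crypto_int64) f7_38;
  crypto_int64 f6f8_38 = f6_2 * (crypto_int64) f8_19;
  crypto_int64 f6f9_38 = f6   * (crypto_int64) f9_38;
  crypto_int64 f7f7_38 = f7   * (crypto_int64) f7_38;
  crypto_int64 f7f8_38 = f7_2 * (crypto_int64) f8_19;
  crypto_int64 f7f9_76 = f7_2 * (crypto_int64) f9_38;
  crypto_int64 f8f8_19 = f8   * (crypto_int64) f8_19;
  crypto_int64 f8f9_38 = f8   * (crypto_int64) f9_38;
  crypto_int64 f9f9_38 = f9   * (crypto_int64) f9_38;
  /* Unreduced coefficients of f*f, already folded mod p. */
  crypto_int64 h0 = f0f0  +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38;
  crypto_int64 h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38;
  crypto_int64 h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19;
  crypto_int64 h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38;
  crypto_int64 h4 = f0f4_2+f1f3_4 +f2f2   +f5f9_76+f6f8_38+f7f7_38;
  crypto_int64 h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38;
  crypto_int64 h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19;
  crypto_int64 h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38;
  crypto_int64 h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4   +f9f9_38;
  crypto_int64 h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2;
  crypto_int64 carry0;
  crypto_int64 carry1;
  crypto_int64 carry2;
  crypto_int64 carry3;
  crypto_int64 carry4;
  crypto_int64 carry5;
  crypto_int64 carry6;
  crypto_int64 carry7;
  crypto_int64 carry8;
  crypto_int64 carry9;

  /* The "2 *" of the contract: double the unreduced coefficients before
     carrying.  For the stated input bound the coefficients are well below
     2^62 (cf. the bound analysis in fe_mul.c), so this cannot overflow. */
  h0 += h0;
  h1 += h1;
  h2 += h2;
  h3 += h3;
  h4 += h4;
  h5 += h5;
  h6 += h6;
  h7 += h7;
  h8 += h8;
  h9 += h9;

  /* Carry chain, identical to fe_sq: round-to-nearest carry into the next
     limb, k = 26 for even limbs, 25 for odd ones. */
  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 * (crypto_int64) (1<<26);
  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 * (crypto_int64) (1<<26);

  carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 * (crypto_int64) (1<<25);
  carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 * (crypto_int64) (1<<25);

  carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 * (crypto_int64) (1<<26);
  carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 * (crypto_int64) (1<<26);

  carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 * (crypto_int64) (1<<25);
  carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 * (crypto_int64) (1<<25);

  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 * (crypto_int64) (1<<26);
  carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 * (crypto_int64) (1<<26);

  /* The carry out of the top limb wraps around: 2^255 = 19 mod p. */
  carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * (crypto_int64) (1<<25);

  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 * (crypto_int64) (1<<26);

  /* Every limb now fits the postcondition, hence the narrowing to int32. */
  h[0] = h0;
  h[1] = h1;
  h[2] = h2;
  h[3] = h3;
  h[4] = h4;
  h[5] = h5;
  h[6] = h6;
  h[7] = h7;
  h[8] = h8;
  h[9] = h9;
}
-------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_sub.c: --------------------------------------------------------------------------------
#include "fe.h"

/*
h = f - g
Can overlap h with f or g: all twenty input limbs are loaded into locals
before any limb of h is stored.

Preconditions:
   |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
   |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Postconditions:
   |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.

No carry and no reduction is performed: the result may be negative and
grows by one bit per limb, which is why the postcondition is twice the
precondition.  Callers rely on the next fe_mul/fe_sq to bring the value
back into range.  Straight-line code, so timing does not depend on f or g.
*/

void fe_sub(fe h,const fe f,const fe g)
{
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  crypto_int32 g0 = g[0];
  crypto_int32 g1 = g[1];
  crypto_int32 g2 = g[2];
  crypto_int32 g3 = g[3];
  crypto_int32 g4 = g[4];
  crypto_int32 g5 = g[5];
  crypto_int32 g6 = g[6];
  crypto_int32 g7 = g[7];
  crypto_int32 g8 = g[8];
  crypto_int32 g9 = g[9];
  crypto_int32 h0 = f0 - g0;
  crypto_int32 h1 = f1 - g1;
  crypto_int32 h2 = f2 - g2;
  crypto_int32 h3 = f3 - g3;
  crypto_int32 h4 = f4 - g4;
  crypto_int32 h5 = f5 - g5;
  crypto_int32 h6 = f6 - g6;
  crypto_int32 h7 = f7 - g7;
  crypto_int32 h8 = f8 - g8;
  crypto_int32 h9 = f9 - g9;
  h[0] = h0;
  h[1] = h1;
  h[2] = h2;
  h[3] = h3;
  h[4] = h4;
  h[5] = h5;
  h[6] = h6;
  h[7] = h7;
  h[8] = h8;
  h[9] = h9;
}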
-------------------------------------------------------------------------------- /ed25519-supercop-ref10/fe_tobytes.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | Preconditions: 5 | |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 6 | 7 | Write p=2^255-19; q=floor(h/p). 8 | Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). 9 | 10 | Proof: 11 | Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. 12 | Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4. 13 | 14 | Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). 15 | Then 0> 25; 53 | q = (h0 + q) >> 26; 54 | q = (h1 + q) >> 25; 55 | q = (h2 + q) >> 26; 56 | q = (h3 + q) >> 25; 57 | q = (h4 + q) >> 26; 58 | q = (h5 + q) >> 25; 59 | q = (h6 + q) >> 26; 60 | q = (h7 + q) >> 25; 61 | q = (h8 + q) >> 26; 62 | q = (h9 + q) >> 25; 63 | 64 | /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */ 65 | h0 += 19 * q; 66 | /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */ 67 | 68 | carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 << 26; 69 | carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 << 25; 70 | carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 << 26; 71 | carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 << 25; 72 | carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 << 26; 73 | carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 << 25; 74 | carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 << 26; 75 | carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 << 25; 76 | carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 << 26; 77 | carry9 = h9 >> 25; h9 -= carry9 << 25; 78 | /* h10 = carry9 */ 79 | 80 | /* 81 | Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. 82 | Have h0+...+2^230 h9 between 0 and 2^255-1; 83 | evidently 2^255 h10-2^255 q = 0. 84 | Goal: Output h0+...+2^230 h9. 
85 | */ 86 | 87 | s[0] = h0 >> 0; 88 | s[1] = h0 >> 8; 89 | s[2] = h0 >> 16; 90 | s[3] = (h0 >> 24) | (h1 << 2); 91 | s[4] = h1 >> 6; 92 | s[5] = h1 >> 14; 93 | s[6] = (h1 >> 22) | (h2 << 3); 94 | s[7] = h2 >> 5; 95 | s[8] = h2 >> 13; 96 | s[9] = (h2 >> 21) | (h3 << 5); 97 | s[10] = h3 >> 3; 98 | s[11] = h3 >> 11; 99 | s[12] = (h3 >> 19) | (h4 << 6); 100 | s[13] = h4 >> 2; 101 | s[14] = h4 >> 10; 102 | s[15] = h4 >> 18; 103 | s[16] = h5 >> 0; 104 | s[17] = h5 >> 8; 105 | s[18] = h5 >> 16; 106 | s[19] = (h5 >> 24) | (h6 << 1); 107 | s[20] = h6 >> 7; 108 | s[21] = h6 >> 15; 109 | s[22] = (h6 >> 23) | (h7 << 3); 110 | s[23] = h7 >> 5; 111 | s[24] = h7 >> 13; 112 | s[25] = (h7 >> 21) | (h8 << 4); 113 | s[26] = h8 >> 4; 114 | s[27] = h8 >> 12; 115 | s[28] = (h8 >> 20) | (h9 << 6); 116 | s[29] = h9 >> 2; 117 | s[30] = h9 >> 10; 118 | s[31] = h9 >> 18; 119 | } 120 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge.h: -------------------------------------------------------------------------------- 1 | #ifndef GE_H 2 | #define GE_H 3 | 4 | /* 5 | ge means group element. 6 | 7 | Here the group is the set of pairs (x,y) of field elements (see fe.h) 8 | satisfying -x^2 + y^2 = 1 + d x^2y^2 9 | where d = -121665/121666. 
10 | 11 | Representations: 12 | ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z 13 | ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT 14 | ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T 15 | ge_precomp (Duif): (y+x,y-x,2dxy) 16 | */ 17 | 18 | #include "fe.h" 19 | 20 | typedef struct { 21 | fe X; 22 | fe Y; 23 | fe Z; 24 | } ge_p2; 25 | 26 | typedef struct { 27 | fe X; 28 | fe Y; 29 | fe Z; 30 | fe T; 31 | } ge_p3; 32 | 33 | typedef struct { 34 | fe X; 35 | fe Y; 36 | fe Z; 37 | fe T; 38 | } ge_p1p1; 39 | 40 | typedef struct { 41 | fe yplusx; 42 | fe yminusx; 43 | fe xy2d; 44 | } ge_precomp; 45 | 46 | typedef struct { 47 | fe YplusX; 48 | fe YminusX; 49 | fe Z; 50 | fe T2d; 51 | } ge_cached; 52 | 53 | #define ge_frombytes_negate_vartime crypto_sign_ed25519_ref10_ge_frombytes_negate_vartime 54 | #define ge_tobytes crypto_sign_ed25519_ref10_ge_tobytes 55 | #define ge_p3_tobytes crypto_sign_ed25519_ref10_ge_p3_tobytes 56 | 57 | #define ge_p2_0 crypto_sign_ed25519_ref10_ge_p2_0 58 | #define ge_p3_0 crypto_sign_ed25519_ref10_ge_p3_0 59 | #define ge_precomp_0 crypto_sign_ed25519_ref10_ge_precomp_0 60 | #define ge_p3_to_p2 crypto_sign_ed25519_ref10_ge_p3_to_p2 61 | #define ge_p3_to_cached crypto_sign_ed25519_ref10_ge_p3_to_cached 62 | #define ge_p1p1_to_p2 crypto_sign_ed25519_ref10_ge_p1p1_to_p2 63 | #define ge_p1p1_to_p3 crypto_sign_ed25519_ref10_ge_p1p1_to_p3 64 | #define ge_p2_dbl crypto_sign_ed25519_ref10_ge_p2_dbl 65 | #define ge_p3_dbl crypto_sign_ed25519_ref10_ge_p3_dbl 66 | 67 | #define ge_madd crypto_sign_ed25519_ref10_ge_madd 68 | #define ge_msub crypto_sign_ed25519_ref10_ge_msub 69 | #define ge_add crypto_sign_ed25519_ref10_ge_add 70 | #define ge_sub crypto_sign_ed25519_ref10_ge_sub 71 | #define ge_scalarmult_base crypto_sign_ed25519_ref10_ge_scalarmult_base 72 | #define ge_double_scalarmult_vartime crypto_sign_ed25519_ref10_ge_double_scalarmult_vartime 73 | 74 | extern void ge_tobytes(unsigned char *,const ge_p2 *); 75 | extern void 
ge_p3_tobytes(unsigned char *,const ge_p3 *); 76 | extern int ge_frombytes_negate_vartime(ge_p3 *,const unsigned char *); 77 | 78 | extern void ge_p2_0(ge_p2 *); 79 | extern void ge_p3_0(ge_p3 *); 80 | extern void ge_precomp_0(ge_precomp *); 81 | extern void ge_p3_to_p2(ge_p2 *,const ge_p3 *); 82 | extern void ge_p3_to_cached(ge_cached *,const ge_p3 *); 83 | extern void ge_p1p1_to_p2(ge_p2 *,const ge_p1p1 *); 84 | extern void ge_p1p1_to_p3(ge_p3 *,const ge_p1p1 *); 85 | extern void ge_p2_dbl(ge_p1p1 *,const ge_p2 *); 86 | extern void ge_p3_dbl(ge_p1p1 *,const ge_p3 *); 87 | 88 | extern void ge_madd(ge_p1p1 *,const ge_p3 *,const ge_precomp *); 89 | extern void ge_msub(ge_p1p1 *,const ge_p3 *,const ge_precomp *); 90 | extern void ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *); 91 | extern void ge_sub(ge_p1p1 *,const ge_p3 *,const ge_cached *); 92 | extern void ge_scalarmult_base(ge_p3 *,const unsigned char *); 93 | extern void ge_double_scalarmult_vartime(ge_p2 *,const unsigned char *,const ge_p3 *,const unsigned char *); 94 | 95 | #endif 96 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_add.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = p + q 5 | */ 6 | 7 | void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q) 8 | { 9 | fe t0; 10 | #include "ge_add.h" 11 | } 12 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_add.h: -------------------------------------------------------------------------------- 1 | 2 | /* qhasm: enter ge_add */ 3 | 4 | /* qhasm: fe X1 */ 5 | 6 | /* qhasm: fe Y1 */ 7 | 8 | /* qhasm: fe Z1 */ 9 | 10 | /* qhasm: fe Z2 */ 11 | 12 | /* qhasm: fe T1 */ 13 | 14 | /* qhasm: fe ZZ */ 15 | 16 | /* qhasm: fe YpX2 */ 17 | 18 | /* qhasm: fe YmX2 */ 19 | 20 | /* qhasm: fe T2d2 */ 21 | 22 | /* qhasm: fe X3 */ 23 | 24 | /* qhasm: fe Y3 */ 25 | 26 | /* qhasm: fe 
Z3 */
27 | 
28 | /* qhasm: fe T3 */
29 | 
30 | /* qhasm: fe YpX1 */
31 | 
32 | /* qhasm: fe YmX1 */
33 | 
34 | /* qhasm: fe A */
35 | 
36 | /* qhasm: fe B */
37 | 
38 | /* qhasm: fe C */
39 | 
40 | /* qhasm: fe D */
41 | 
42 | /* qhasm: YpX1 = Y1+X1 */
43 | /* asm 1: fe_add(>YpX1=fe#1,<Y1=fe#12,<X1=fe#11); */
44 | /* asm 2: fe_add(>YpX1=r->X,<Y1=p->Y,<X1=p->X); */
45 | fe_add(r->X,p->Y,p->X);
46 | 
47 | /* qhasm: YmX1 = Y1-X1 */
48 | /* asm 1: fe_sub(>YmX1=fe#2,<Y1=fe#12,<X1=fe#11); */
49 | /* asm 2: fe_sub(>YmX1=r->Y,<Y1=p->Y,<X1=p->X); */
50 | fe_sub(r->Y,p->Y,p->X);
51 | 
52 | /* qhasm: A = YpX1*YpX2 */
53 | /* asm 1: fe_mul(>A=fe#3,<YpX1=fe#1,<YpX2=fe#15); */
54 | /* asm 2: fe_mul(>A=r->Z,<YpX1=r->X,<YpX2=q->YplusX); */
55 | fe_mul(r->Z,r->X,q->YplusX);
56 | 
57 | /* qhasm: B = YmX1*YmX2 */
58 | /* asm 1: fe_mul(>B=fe#2,<YmX1=fe#2,<YmX2=fe#16); */
59 | /* asm 2: fe_mul(>B=r->Y,<YmX1=r->Y,<YmX2=q->YminusX); */
60 | fe_mul(r->Y,r->Y,q->YminusX);
61 | 
62 | /* qhasm: C = T2d2*T1 */
63 | /* asm 1: fe_mul(>C=fe#4,<T2d2=fe#18,<T1=fe#14); */
64 | /* asm 2: fe_mul(>C=r->T,<T2d2=q->T2d,<T1=p->T); */
65 | fe_mul(r->T,q->T2d,p->T);
66 | 
67 | /* qhasm: ZZ = Z1*Z2 */
68 | /* asm 1: fe_mul(>ZZ=fe#1,<Z1=fe#13,<Z2=fe#17); */
69 | /* asm 2: fe_mul(>ZZ=r->X,<Z1=p->Z,<Z2=q->Z); */
70 | fe_mul(r->X,p->Z,q->Z);
71 | 
72 | /* qhasm: D = 2*ZZ */
73 | /* asm 1: fe_add(>D=fe#5,<ZZ=fe#1,<ZZ=fe#1); */
74 | /* asm 2: fe_add(>D=t0,<ZZ=r->X,<ZZ=r->X); */
75 | fe_add(t0,r->X,r->X);
76 | 
77 | /* qhasm: X3 = A-B */
78 | /* asm 1: fe_sub(>X3=fe#1,<A=fe#3,<B=fe#2); */
79 | /* asm 2: fe_sub(>X3=r->X,<A=r->Z,<B=r->Y); */
80 | fe_sub(r->X,r->Z,r->Y);
81 | 
82 | /* qhasm: Y3 = A+B */
83 | /* asm 1: fe_add(>Y3=fe#2,<A=fe#3,<B=fe#2); */
84 | /* asm 2: fe_add(>Y3=r->Y,<A=r->Z,<B=r->Y); */
85 | fe_add(r->Y,r->Z,r->Y);
86 | 
87 | /* qhasm: Z3 = D+C */
88 | /* asm 1: fe_add(>Z3=fe#3,<D=fe#5,<C=fe#4); */
89 | /* asm 2: fe_add(>Z3=r->Z,<D=t0,<C=r->T); */
90 | fe_add(r->Z,t0,r->T);
91 | 
92 | /* qhasm: T3 = D-C */
93 | /* asm 1: fe_sub(>T3=fe#4,<D=fe#5,<C=fe#4); */
94 | /* asm 2: fe_sub(>T3=r->T,<D=t0,<C=r->T); */
95 | fe_sub(r->T,t0,r->T);
96 | 
97 | /* qhasm: return */
98 | 
-------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_add.q: --------------------------------------------------------------------------------
1 | :name:fe:r->X:r->Y:r->Z:r->T:t0:t1:t2:t3:t4:t5:p->X:p->Y:p->Z:p->T:q->YplusX:q->YminusX:q->Z:q->T2d:
2 | fe r:var/r=fe:
3 | 
4 | enter f:enter/f:>X1=fe#11:>Y1=fe#12:>Z1=fe#13:>T1=fe#14:>YpX2=fe#15:>YmX2=fe#16:>Z2=fe#17:>T2d2=fe#18:
5 | 
return:nofallthrough:h=fe:asm/fe_add(>h,h=fe:asm/fe_sub(>h,h=fe:asm/fe_mul(>h,h=fe:asm/fe_sq(>h,h=fe:asm/fe_add(>h,> 3] >> (i & 7)); 11 | 12 | for (i = 0;i < 256;++i) 13 | if (r[i]) { 14 | for (b = 1;b <= 6 && i + b < 256;++b) { 15 | if (r[i + b]) { 16 | if (r[i] + (r[i + b] << b) <= 15) { 17 | r[i] += r[i + b] << b; r[i + b] = 0; 18 | } else if (r[i] - (r[i + b] << b) >= -15) { 19 | r[i] -= r[i + b] << b; 20 | for (k = i + b;k < 256;++k) { 21 | if (!r[k]) { 22 | r[k] = 1; 23 | break; 24 | } 25 | r[k] = 0; 26 | } 27 | } else 28 | break; 29 | } 30 | } 31 | } 32 | 33 | } 34 | 35 | static ge_precomp Bi[8] = { 36 | #include "base2.h" 37 | } ; 38 | 39 | /* 40 | r = a * A + b * B 41 | where a = a[0]+256*a[1]+...+256^31 a[31]. 42 | and b = b[0]+256*b[1]+...+256^31 b[31]. 43 | B is the Ed25519 base point (x,4/5) with x positive. 44 | */ 45 | 46 | void ge_double_scalarmult_vartime(ge_p2 *r,const unsigned char *a,const ge_p3 *A,const unsigned char *b) 47 | { 48 | signed char aslide[256]; 49 | signed char bslide[256]; 50 | ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */ 51 | ge_p1p1 t; 52 | ge_p3 u; 53 | ge_p3 A2; 54 | int i; 55 | 56 | slide(aslide,a); 57 | slide(bslide,b); 58 | 59 | ge_p3_to_cached(&Ai[0],A); 60 | ge_p3_dbl(&t,A); ge_p1p1_to_p3(&A2,&t); 61 | ge_add(&t,&A2,&Ai[0]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[1],&u); 62 | ge_add(&t,&A2,&Ai[1]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[2],&u); 63 | ge_add(&t,&A2,&Ai[2]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[3],&u); 64 | ge_add(&t,&A2,&Ai[3]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[4],&u); 65 | ge_add(&t,&A2,&Ai[4]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[5],&u); 66 | ge_add(&t,&A2,&Ai[5]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[6],&u); 67 | ge_add(&t,&A2,&Ai[6]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[7],&u); 68 | 69 | ge_p2_0(r); 70 | 71 | for (i = 255;i >= 0;--i) { 72 | if (aslide[i] || bslide[i]) break; 73 | } 74 | 75 | for (;i >= 0;--i) { 76 | ge_p2_dbl(&t,r); 77 | 78 | if (aslide[i] > 0) { 
79 | ge_p1p1_to_p3(&u,&t);
80 | ge_add(&t,&u,&Ai[aslide[i]/2]);
81 | } else if (aslide[i] < 0) {
82 | ge_p1p1_to_p3(&u,&t);
83 | ge_sub(&t,&u,&Ai[(-aslide[i])/2]);
84 | }
85 | 
/* Sliding-window digits are odd, so a digit d picks the table entry d/2
   (Ai holds A,3A,...,15A; Bi holds the same multiples of the base point). */
86 | if (bslide[i] > 0) {
87 | ge_p1p1_to_p3(&u,&t);
88 | ge_madd(&t,&u,&Bi[bslide[i]/2]);
89 | } else if (bslide[i] < 0) {
90 | ge_p1p1_to_p3(&u,&t);
91 | ge_msub(&t,&u,&Bi[(-bslide[i])/2]);
92 | }
93 | 
94 | ge_p1p1_to_p2(r,&t);
95 | }
96 | }
97 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_frombytes.c: -------------------------------------------------------------------------------- 1 | #include "ge.h"
2 | 
3 | static const fe d = {
4 | #include "d.h"
5 | } ;
6 | 
7 | static const fe sqrtm1 = {
8 | #include "sqrtm1.h"
9 | } ;
10 | 
/*
  Decodes a 32-byte compressed point s and stores its NEGATION in h.

  Encoding: bytes 0..31 hold y little-endian, with bit 255 (s[31] >> 7)
  carrying the sign of x. x is recovered from the curve equation as a
  square root of u/v with u = y^2-1, v = d*y^2+1, using the single
  exponentiation x = u*v^3*(u*v^7)^((q-5)/8) and, if that yields a root
  of -u/v instead, a multiplication by sqrt(-1).

  Returns 0 on success, -1 if no x exists for this y (the point is not on
  the curve). The sign test at the end negates x whenever it already
  matches the encoded sign bit, which is why the result is -P; open.c
  relies on this to compute S*B - h*A with a single double scalarmult.

  "vartime": the fe_isnonzero tests branch on the decoded value, so this
  must only be used on public inputs (public keys, R), never on secrets.

  NOTE(review): nothing here rejects non-canonical encodings -- a y >= p
  (whether fe_frombytes masks or reduces it is not visible from this file)
  or the sign bit set together with x == 0 -- nor small-order points.
  Callers needing strict RFC 8032 decoding must add those checks.
*/
11 | int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
12 | {
13 | fe u;
14 | fe v;
15 | fe v3;
16 | fe vxx;
17 | fe check;
18 | 
19 | fe_frombytes(h->Y,s);
20 | fe_1(h->Z);
21 | fe_sq(u,h->Y);
22 | fe_mul(v,u,d);
23 | fe_sub(u,u,h->Z); /* u = y^2-1 */
24 | fe_add(v,v,h->Z); /* v = dy^2+1 */
25 | 
26 | fe_sq(v3,v);
27 | fe_mul(v3,v3,v); /* v3 = v^3 */
28 | fe_sq(h->X,v3);
29 | fe_mul(h->X,h->X,v);
30 | fe_mul(h->X,h->X,u); /* x = uv^7 */
31 | 
32 | fe_pow22523(h->X,h->X); /* x = (uv^7)^((q-5)/8) */
33 | fe_mul(h->X,h->X,v3);
34 | fe_mul(h->X,h->X,u); /* x = uv^3(uv^7)^((q-5)/8) */
35 | 
36 | fe_sq(vxx,h->X);
37 | fe_mul(vxx,vxx,v);
38 | fe_sub(check,vxx,u); /* vx^2-u */
39 | if (fe_isnonzero(check)) {
40 | fe_add(check,vxx,u); /* vx^2+u */
/* Neither u/v nor -u/v is a square: y is not the y-coordinate of any point. */
41 | if (fe_isnonzero(check)) return -1;
/* x^2 == -u/v, so multiply by sqrt(-1) to get a root of u/v. */
42 | fe_mul(h->X,h->X,sqrtm1);
43 | }
44 | 
/* Negate x when its sign already equals the encoded sign bit: the stored
   point is -P, not P (see the function comment). */
45 | if (fe_isnegative(h->X) == (s[31] >> 7))
46 | fe_neg(h->X,h->X);
47 | 
/* Extended coordinates: T = X*Y (with Z = 1). */
48 | fe_mul(h->T,h->X,h->Y);
49 | return 0;
50 | }
51 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_madd.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = p + q 5 | 
*/ 6 | 7 | void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q) 8 | { 9 | fe t0; 10 | #include "ge_madd.h" 11 | } 12 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_madd.h: -------------------------------------------------------------------------------- 1 | 2 | /* qhasm: enter ge_madd */ 3 | 4 | /* qhasm: fe X1 */ 5 | 6 | /* qhasm: fe Y1 */ 7 | 8 | /* qhasm: fe Z1 */ 9 | 10 | /* qhasm: fe T1 */ 11 | 12 | /* qhasm: fe ypx2 */ 13 | 14 | /* qhasm: fe ymx2 */ 15 | 16 | /* qhasm: fe xy2d2 */ 17 | 18 | /* qhasm: fe X3 */ 19 | 20 | /* qhasm: fe Y3 */ 21 | 22 | /* qhasm: fe Z3 */ 23 | 24 | /* qhasm: fe T3 */ 25 | 26 | /* qhasm: fe YpX1 */ 27 | 28 | /* qhasm: fe YmX1 */ 29 | 30 | /* qhasm: fe A */ 31 | 32 | /* qhasm: fe B */ 33 | 34 | /* qhasm: fe C */ 35 | 36 | /* qhasm: fe D */ 37 | 38 | /* qhasm: YpX1 = Y1+X1 */ 39 | /* asm 1: fe_add(>YpX1=fe#1,YpX1=r->X,Y,X); */ 41 | fe_add(r->X,p->Y,p->X); 42 | 43 | /* qhasm: YmX1 = Y1-X1 */ 44 | /* asm 1: fe_sub(>YmX1=fe#2,YmX1=r->Y,Y,X); */ 46 | fe_sub(r->Y,p->Y,p->X); 47 | 48 | /* qhasm: A = YpX1*ypx2 */ 49 | /* asm 1: fe_mul(>A=fe#3,A=r->Z,X,yplusx); */ 51 | fe_mul(r->Z,r->X,q->yplusx); 52 | 53 | /* qhasm: B = YmX1*ymx2 */ 54 | /* asm 1: fe_mul(>B=fe#2,B=r->Y,Y,yminusx); */ 56 | fe_mul(r->Y,r->Y,q->yminusx); 57 | 58 | /* qhasm: C = xy2d2*T1 */ 59 | /* asm 1: fe_mul(>C=fe#4,C=r->T,xy2d,T); */ 61 | fe_mul(r->T,q->xy2d,p->T); 62 | 63 | /* qhasm: D = 2*Z1 */ 64 | /* asm 1: fe_add(>D=fe#5,D=t0,Z,Z); */ 66 | fe_add(t0,p->Z,p->Z); 67 | 68 | /* qhasm: X3 = A-B */ 69 | /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Z,Y); */ 71 | fe_sub(r->X,r->Z,r->Y); 72 | 73 | /* qhasm: Y3 = A+B */ 74 | /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,Y); */ 76 | fe_add(r->Y,r->Z,r->Y); 77 | 78 | /* qhasm: Z3 = D+C */ 79 | /* asm 1: fe_add(>Z3=fe#3,Z3=r->Z,T); */ 81 | fe_add(r->Z,t0,r->T); 82 | 83 | /* qhasm: T3 = D-C */ 84 | /* asm 1: fe_sub(>T3=fe#4,T3=r->T,T); */ 86 | fe_sub(r->T,t0,r->T); 87 | 88 | /* qhasm: 
return */ 89 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_madd.q: -------------------------------------------------------------------------------- 1 | :name:fe:r->X:r->Y:r->Z:r->T:t0:t1:t2:t3:t4:t5:p->X:p->Y:p->Z:p->T:q->yplusx:q->yminusx:q->xy2d: 2 | fe r:var/r=fe: 3 | 4 | enter f:enter/f:>X1=fe#11:>Y1=fe#12:>Z1=fe#13:>T1=fe#14:>ypx2=fe#15:>ymx2=fe#16:>xy2d2=fe#17: 5 | return:nofallthrough:h=fe:asm/fe_add(>h,h=fe:asm/fe_sub(>h,h=fe:asm/fe_mul(>h,h=fe:asm/fe_sq(>h,h=fe:asm/fe_add(>h,YpX1=fe#1,YpX1=r->X,Y,X); */ 41 | fe_add(r->X,p->Y,p->X); 42 | 43 | /* qhasm: YmX1 = Y1-X1 */ 44 | /* asm 1: fe_sub(>YmX1=fe#2,YmX1=r->Y,Y,X); */ 46 | fe_sub(r->Y,p->Y,p->X); 47 | 48 | /* qhasm: A = YpX1*ymx2 */ 49 | /* asm 1: fe_mul(>A=fe#3,A=r->Z,X,yminusx); */ 51 | fe_mul(r->Z,r->X,q->yminusx); 52 | 53 | /* qhasm: B = YmX1*ypx2 */ 54 | /* asm 1: fe_mul(>B=fe#2,B=r->Y,Y,yplusx); */ 56 | fe_mul(r->Y,r->Y,q->yplusx); 57 | 58 | /* qhasm: C = xy2d2*T1 */ 59 | /* asm 1: fe_mul(>C=fe#4,C=r->T,xy2d,T); */ 61 | fe_mul(r->T,q->xy2d,p->T); 62 | 63 | /* qhasm: D = 2*Z1 */ 64 | /* asm 1: fe_add(>D=fe#5,D=t0,Z,Z); */ 66 | fe_add(t0,p->Z,p->Z); 67 | 68 | /* qhasm: X3 = A-B */ 69 | /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Z,Y); */ 71 | fe_sub(r->X,r->Z,r->Y); 72 | 73 | /* qhasm: Y3 = A+B */ 74 | /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,Y); */ 76 | fe_add(r->Y,r->Z,r->Y); 77 | 78 | /* qhasm: Z3 = D-C */ 79 | /* asm 1: fe_sub(>Z3=fe#3,Z3=r->Z,T); */ 81 | fe_sub(r->Z,t0,r->T); 82 | 83 | /* qhasm: T3 = D+C */ 84 | /* asm 1: fe_add(>T3=fe#4,T3=r->T,T); */ 86 | fe_add(r->T,t0,r->T); 87 | 88 | /* qhasm: return */ 89 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_msub.q: -------------------------------------------------------------------------------- 1 | :name:fe:r->X:r->Y:r->Z:r->T:t0:t1:t2:t3:t4:t5:p->X:p->Y:p->Z:p->T:q->yplusx:q->yminusx:q->xy2d: 2 | fe r:var/r=fe: 3 | 4 | enter 
f:enter/f:>X1=fe#11:>Y1=fe#12:>Z1=fe#13:>T1=fe#14:>ypx2=fe#15:>ymx2=fe#16:>xy2d2=fe#17: 5 | return:nofallthrough:h=fe:asm/fe_add(>h,h=fe:asm/fe_sub(>h,h=fe:asm/fe_mul(>h,h=fe:asm/fe_sq(>h,h=fe:asm/fe_add(>h,X,p->X,p->T); 10 | fe_mul(r->Y,p->Y,p->Z); 11 | fe_mul(r->Z,p->Z,p->T); 12 | } 13 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_p1p1_to_p3.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = p 5 | */ 6 | 7 | extern void ge_p1p1_to_p3(ge_p3 *r,const ge_p1p1 *p) 8 | { 9 | fe_mul(r->X,p->X,p->T); 10 | fe_mul(r->Y,p->Y,p->Z); 11 | fe_mul(r->Z,p->Z,p->T); 12 | fe_mul(r->T,p->X,p->Y); 13 | } 14 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_p2_0.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | void ge_p2_0(ge_p2 *h) 4 | { 5 | fe_0(h->X); 6 | fe_1(h->Y); 7 | fe_1(h->Z); 8 | } 9 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_p2_dbl.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = 2 * p 5 | */ 6 | 7 | void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p) 8 | { 9 | fe t0; 10 | #include "ge_p2_dbl.h" 11 | } 12 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_p2_dbl.h: -------------------------------------------------------------------------------- 1 | 2 | /* qhasm: enter ge_p2_dbl */ 3 | 4 | /* qhasm: fe X1 */ 5 | 6 | /* qhasm: fe Y1 */ 7 | 8 | /* qhasm: fe Z1 */ 9 | 10 | /* qhasm: fe A */ 11 | 12 | /* qhasm: fe AA */ 13 | 14 | /* qhasm: fe XX */ 15 | 16 | /* qhasm: fe YY */ 17 | 18 | /* qhasm: fe B */ 19 | 20 | /* qhasm: fe X3 */ 21 | 22 | /* qhasm: fe Y3 */ 23 | 24 | /* qhasm: fe Z3 */ 25 | 26 | /* qhasm: fe T3 */ 27 | 28 | /* 
qhasm: XX=X1^2 */ 29 | /* asm 1: fe_sq(>XX=fe#1,XX=r->X,X); */ 31 | fe_sq(r->X,p->X); 32 | 33 | /* qhasm: YY=Y1^2 */ 34 | /* asm 1: fe_sq(>YY=fe#3,YY=r->Z,Y); */ 36 | fe_sq(r->Z,p->Y); 37 | 38 | /* qhasm: B=2*Z1^2 */ 39 | /* asm 1: fe_sq2(>B=fe#4,B=r->T,Z); */ 41 | fe_sq2(r->T,p->Z); 42 | 43 | /* qhasm: A=X1+Y1 */ 44 | /* asm 1: fe_add(>A=fe#2,A=r->Y,X,Y); */ 46 | fe_add(r->Y,p->X,p->Y); 47 | 48 | /* qhasm: AA=A^2 */ 49 | /* asm 1: fe_sq(>AA=fe#5,AA=t0,Y); */ 51 | fe_sq(t0,r->Y); 52 | 53 | /* qhasm: Y3=YY+XX */ 54 | /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,X); */ 56 | fe_add(r->Y,r->Z,r->X); 57 | 58 | /* qhasm: Z3=YY-XX */ 59 | /* asm 1: fe_sub(>Z3=fe#3,Z3=r->Z,Z,X); */ 61 | fe_sub(r->Z,r->Z,r->X); 62 | 63 | /* qhasm: X3=AA-Y3 */ 64 | /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Y); */ 66 | fe_sub(r->X,t0,r->Y); 67 | 68 | /* qhasm: T3=B-Z3 */ 69 | /* asm 1: fe_sub(>T3=fe#4,T3=r->T,T,Z); */ 71 | fe_sub(r->T,r->T,r->Z); 72 | 73 | /* qhasm: return */ 74 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_p2_dbl.q: -------------------------------------------------------------------------------- 1 | :name:fe:r->X:r->Y:r->Z:r->T:t0:t1:t2:t3:t4:t5:p->X:p->Y:p->Z: 2 | fe r:var/r=fe: 3 | 4 | enter f:enter/f:>X1=fe#11:>Y1=fe#12:>Z1=fe#13: 5 | return:nofallthrough:h=fe:asm/fe_add(>h,h=fe:asm/fe_sub(>h,h=fe:asm/fe_mul(>h,h=fe:asm/fe_sq(>h,h=fe:asm/fe_sq2(>h,h=fe:asm/fe_add(>h,X); 6 | fe_1(h->Y); 7 | fe_1(h->Z); 8 | fe_0(h->T); 9 | } 10 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_p3_dbl.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = 2 * p 5 | */ 6 | 7 | void ge_p3_dbl(ge_p1p1 *r,const ge_p3 *p) 8 | { 9 | ge_p2 q; 10 | ge_p3_to_p2(&q,p); 11 | ge_p2_dbl(r,&q); 12 | } 13 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_p3_to_cached.c: 
-------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = p 5 | */ 6 | 7 | static const fe d2 = { 8 | #include "d2.h" 9 | } ; 10 | 11 | extern void ge_p3_to_cached(ge_cached *r,const ge_p3 *p) 12 | { 13 | fe_add(r->YplusX,p->Y,p->X); 14 | fe_sub(r->YminusX,p->Y,p->X); 15 | fe_copy(r->Z,p->Z); 16 | fe_mul(r->T2d,p->T,d2); 17 | } 18 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_p3_to_p2.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = p 5 | */ 6 | 7 | extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p) 8 | { 9 | fe_copy(r->X,p->X); 10 | fe_copy(r->Y,p->Y); 11 | fe_copy(r->Z,p->Z); 12 | } 13 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_p3_tobytes.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | void ge_p3_tobytes(unsigned char *s,const ge_p3 *h) 4 | { 5 | fe recip; 6 | fe x; 7 | fe y; 8 | 9 | fe_invert(recip,h->Z); 10 | fe_mul(x,h->X,recip); 11 | fe_mul(y,h->Y,recip); 12 | fe_tobytes(s,y); 13 | s[31] ^= fe_isnegative(x) << 7; 14 | } 15 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_precomp_0.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | void ge_precomp_0(ge_precomp *h) 4 | { 5 | fe_1(h->yplusx); 6 | fe_1(h->yminusx); 7 | fe_0(h->xy2d); 8 | } 9 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_scalarmult_base.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | #include "crypto_uint32.h" 3 | 4 | static unsigned char equal(signed char b,signed char c) 5 | { 6 | unsigned char ub = b; 7 | unsigned char uc = c; 8 | 
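unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */ 9 | crypto_uint32 y = x; /* 0: yes; 1..255: no */ 10 | y -= 1; /* 4294967295: yes; 0..254: no */ 11 | y >>= 31; /* 1: yes; 0: no */ 12 | return y; 13 | }

/*
  Returns 1 if b < 0, else 0, without branching on b.
  Converting a negative signed char to unsigned long long is well defined
  (it wraps modulo 2^64), so the top bit of x is exactly the sign of b.
*/
static unsigned char negative(signed char b)
{
  unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
  x >>= 63; /* 1: yes; 0: no */
  return x;
}

/*
  t = u if b == 1, t unchanged if b == 0, applied coordinate-wise with
  fe_cmov. b must be exactly 0 or 1 (the fe_cmov contract; fe_cmov is
  not visible in this file).
*/
static void cmov(ge_precomp *t,ge_precomp *u,unsigned char b)
{
  fe_cmov(t->yplusx,u->yplusx,b);
  fe_cmov(t->yminusx,u->yminusx,b);
  fe_cmov(t->xy2d,u->xy2d,b);
}

/* base[i][j] = (j+1)*256^i*B */
static ge_precomp base[32][8] = {
#include "base.h"
} ;

/*
  t = b * 256^pos * B for a signed digit b in -8..8, in constant time.

  The digit comes from the private scalar (ge_scalarmult_base), so the
  lookup must not branch on it or index memory by it: all eight entries
  base[pos][0..7] are visited and conditionally moved in with cmov, and
  the negation is selected with a final cmov rather than an if.
  For b == 0 the result is the neutral element written by ge_precomp_0.

  babs = |b| is computed without a branch. The expression this replaces,
  (((-bnegative) & b) << 1), left-shifts a negative int whenever b < 0,
  which is undefined behaviour in C99 (6.5.7p4); multiplying by 2 yields
  the same value for every b in -8..8 and is defined.

  NOTE(review): the name `select` collides with the POSIX select(2)
  declaration if <sys/select.h> is ever included here; it is static, so
  this is only a problem if that header gets pulled in.
*/
static void select(ge_precomp *t,int pos,signed char b)
{
  ge_precomp minust;
  unsigned char bnegative = negative(b);
  unsigned char babs = b - (((-bnegative) & b) * 2); /* |b| */

  ge_precomp_0(t);
  cmov(t,&base[pos][0],equal(babs,1));
  cmov(t,&base[pos][1],equal(babs,2));
  cmov(t,&base[pos][2],equal(babs,3));
  cmov(t,&base[pos][3],equal(babs,4));
  cmov(t,&base[pos][4],equal(babs,5));
  cmov(t,&base[pos][5],equal(babs,6));
  cmov(t,&base[pos][6],equal(babs,7));
  cmov(t,&base[pos][7],equal(babs,8));
  /* minust = -t: swap (y+x, y-x) and negate x*y*2d; taken iff b < 0. */
  fe_copy(minust.yplusx,t->yminusx);
  fe_copy(minust.yminusx,t->yplusx);
  fe_neg(minust.xy2d,t->xy2d);
  cmov(t,&minust,bnegative);
}

/* 56 | h = a * B 57 | where a = a[0]+256*a[1]+...+256^31 a[31] 58 | B is the Ed25519 base point (x,4/5) with x positive. 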
59 | 60 | Preconditions: 61 | a[31] <= 127
    (bit 255 of a is clear, i.e. a < 2^255. The recoding below leaves a
    64th digit e[63] in 0..7 plus a carry of at most 1, which stays inside
    -8..8 only if that bit is clear. The key expansion in keypair.c and
    publickey.c guarantees it with h[31] &= 63.)

  Constant time: the only scalar-dependent step is select(), which walks
  all eight table entries with cmov instead of indexing by the digit;
  nothing in this function branches on a. The result h is in extended
  (p3) coordinates.
62 | */
63 | 
64 | void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
65 | {
66 | signed char e[64];
67 | signed char carry;
68 | ge_p1p1 r;
69 | ge_p2 s;
70 | ge_precomp t;
71 | int i;
72 | 
/* Split a into 64 radix-16 digits, low nibble first. */
73 | for (i = 0;i < 32;++i) {
74 | e[2 * i + 0] = (a[i] >> 0) & 15;
75 | e[2 * i + 1] = (a[i] >> 4) & 15;
76 | }
77 | /* each e[i] is between 0 and 15 */
78 | /* e[63] is between 0 and 7 */
79 | 
/* Recode to signed digits: a digit >= 8 becomes digit-16 with a carry of
   1 into the next digit. Signed digits halve the table (only |d| in 1..8
   is stored in base[][]; select() applies the sign). */
80 | carry = 0;
81 | for (i = 0;i < 63;++i) {
82 | e[i] += carry;
83 | carry = e[i] + 8;
84 | carry >>= 4;
85 | e[i] -= carry << 4;
86 | }
87 | e[63] += carry;
88 | /* each e[i] is between -8 and 8 */
89 | 
/* Odd-indexed digits first: e[2i+1] has weight 16*256^i, so it is taken
   from base[i] and the factor 16 is applied by the four doublings below. */
90 | ge_p3_0(h);
91 | for (i = 1;i < 64;i += 2) {
92 | select(&t,i / 2,e[i]);
93 | ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
94 | }
95 | 
/* h = 16*h */
96 | ge_p3_dbl(&r,h); ge_p1p1_to_p2(&s,&r);
97 | ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
98 | ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
99 | ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r);
100 | 
/* Then the even-indexed digits e[2i], weight 256^i, straight from base[i]. */
101 | for (i = 0;i < 64;i += 2) {
102 | select(&t,i / 2,e[i]);
103 | ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
104 | }
105 | }
106 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_sub.c: -------------------------------------------------------------------------------- 1 | #include "ge.h"
2 | 
3 | /*
4 | r = p - q
   (q is in cached form; the body is the qhasm-generated ge_sub.h, which
   mirrors ge_add with YplusX/YminusX swapped and C negated.)
5 | */
6 | 
7 | void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
8 | {
9 | fe t0;
10 | #include "ge_sub.h"
11 | }
12 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_sub.h: -------------------------------------------------------------------------------- 1 | 2 | /* qhasm: enter ge_sub */ 3 | 4 | /* qhasm: fe X1 */ 5 | 6 | /* qhasm: fe Y1 */ 7 | 8 | /* qhasm: fe Z1 */ 9 | 10 | /* qhasm: fe Z2 */ 11 | 12 | /* qhasm: fe T1 */ 13 | 14 | /* qhasm: fe ZZ */ 15 | 16 | /* qhasm: fe YpX2 */ 17 | 18 | /* qhasm: fe YmX2 */ 19 | 20 | /* qhasm: fe T2d2 */ 21 | 22 | /* qhasm: fe X3 */ 23 | 24 | /* qhasm: fe 
Y3 */ 25 | 26 | /* qhasm: fe Z3 */ 27 | 28 | /* qhasm: fe T3 */ 29 | 30 | /* qhasm: fe YpX1 */ 31 | 32 | /* qhasm: fe YmX1 */ 33 | 34 | /* qhasm: fe A */ 35 | 36 | /* qhasm: fe B */ 37 | 38 | /* qhasm: fe C */ 39 | 40 | /* qhasm: fe D */ 41 | 42 | /* qhasm: YpX1 = Y1+X1 */ 43 | /* asm 1: fe_add(>YpX1=fe#1,YpX1=r->X,Y,X); */ 45 | fe_add(r->X,p->Y,p->X); 46 | 47 | /* qhasm: YmX1 = Y1-X1 */ 48 | /* asm 1: fe_sub(>YmX1=fe#2,YmX1=r->Y,Y,X); */ 50 | fe_sub(r->Y,p->Y,p->X); 51 | 52 | /* qhasm: A = YpX1*YmX2 */ 53 | /* asm 1: fe_mul(>A=fe#3,A=r->Z,X,YminusX); */ 55 | fe_mul(r->Z,r->X,q->YminusX); 56 | 57 | /* qhasm: B = YmX1*YpX2 */ 58 | /* asm 1: fe_mul(>B=fe#2,B=r->Y,Y,YplusX); */ 60 | fe_mul(r->Y,r->Y,q->YplusX); 61 | 62 | /* qhasm: C = T2d2*T1 */ 63 | /* asm 1: fe_mul(>C=fe#4,C=r->T,T2d,T); */ 65 | fe_mul(r->T,q->T2d,p->T); 66 | 67 | /* qhasm: ZZ = Z1*Z2 */ 68 | /* asm 1: fe_mul(>ZZ=fe#1,ZZ=r->X,Z,Z); */ 70 | fe_mul(r->X,p->Z,q->Z); 71 | 72 | /* qhasm: D = 2*ZZ */ 73 | /* asm 1: fe_add(>D=fe#5,D=t0,X,X); */ 75 | fe_add(t0,r->X,r->X); 76 | 77 | /* qhasm: X3 = A-B */ 78 | /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Z,Y); */ 80 | fe_sub(r->X,r->Z,r->Y); 81 | 82 | /* qhasm: Y3 = A+B */ 83 | /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,Y); */ 85 | fe_add(r->Y,r->Z,r->Y); 86 | 87 | /* qhasm: Z3 = D-C */ 88 | /* asm 1: fe_sub(>Z3=fe#3,Z3=r->Z,T); */ 90 | fe_sub(r->Z,t0,r->T); 91 | 92 | /* qhasm: T3 = D+C */ 93 | /* asm 1: fe_add(>T3=fe#4,T3=r->T,T); */ 95 | fe_add(r->T,t0,r->T); 96 | 97 | /* qhasm: return */ 98 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/ge_sub.q: -------------------------------------------------------------------------------- 1 | :name:fe:r->X:r->Y:r->Z:r->T:t0:t1:t2:t3:t4:t5:p->X:p->Y:p->Z:p->T:q->YplusX:q->YminusX:q->Z:q->T2d: 2 | fe r:var/r=fe: 3 | 4 | enter f:enter/f:>X1=fe#11:>Y1=fe#12:>Z1=fe#13:>T1=fe#14:>YpX2=fe#15:>YmX2=fe#16:>Z2=fe#17:>T2d2=fe#18: 5 | 
return:nofallthrough:h=fe:asm/fe_add(>h,h=fe:asm/fe_sub(>h,h=fe:asm/fe_mul(>h,h=fe:asm/fe_sq(>h,h=fe:asm/fe_add(>h,Z); 10 | fe_mul(x,h->X,recip); 11 | fe_mul(y,h->Y,recip); 12 | fe_tobytes(s,y); 13 | s[31] ^= fe_isnegative(x) << 7; 14 | } 15 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/keypair.c: -------------------------------------------------------------------------------- 1 | #include "crypto_sign.h"
2 | #include "crypto_hash_sha512.h"
3 | #include "ge.h"
4 | 
/*
  Generates an Ed25519 key pair from fresh randomness.

  pk: receives the 32-byte encoded public key A = s*B.
  sk: receives 64 bytes: sk[0..31] = the 32 random seed bytes,
      sk[32..63] = a copy of pk.
  Returns 0; there is no failure path (randombytes is assumed not to fail).

  randombytes() is not declared by any header included above; it is the
  CSPRNG that the SUPERCOP harness provides. Under -std=c99 the missing
  prototype is an implicit-declaration error, which is presumably why the
  README build command excludes keypair.c -- confirm before linking it.

  NOTE(review): h holds the expanded secret scalar and is left on the
  stack when this returns; callers that care about key material lingering
  in memory should expect to scrub it themselves.
*/
5 | int crypto_sign_keypair(unsigned char *pk,unsigned char *sk)
6 | {
7 | unsigned char h[64];
8 | ge_p3 A;
9 | int i;
10 | 
11 | randombytes(sk,32);
/* Expand the seed: the low 32 bytes of SHA-512(seed) become the scalar. */
12 | crypto_hash_sha512(h,sk,32);
/* Clamp per Ed25519: clear the low 3 bits (multiple of 8, the cofactor),
   clear bits 254..255 and set bit 254. This also satisfies the
   ge_scalarmult_base precondition h[31] <= 127. */
13 | h[0] &= 248;
14 | h[31] &= 63;
15 | h[31] |= 64;
16 | 
17 | ge_scalarmult_base(&A,h);
18 | ge_p3_tobytes(pk,&A);
19 | 
20 | for (i = 0;i < 32;++i) sk[32 + i] = pk[i];
21 | return 0;
22 | }
23 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/open.c: -------------------------------------------------------------------------------- 1 | #include "crypto_sign.h"
2 | #include "crypto_hash_sha512.h"
3 | #include "crypto_verify_32.h"
4 | #include "ge.h"
5 | #include "sc.h"
6 | 
/*
  Verifies a signed message sm = R || S || M (smlen bytes) under pk and,
  on success, writes M to m and its length (smlen - 64) to *mlen.

  Caller contract, from the copies below: m must have room for smlen
  bytes, not smlen - 64 -- all of sm is copied into m and m[32..63] is
  then overwritten with pk so that SHA-512(R || A || M) is hashed in
  place. On failure *mlen is set to -1 (the maximum unsigned long long)
  and, if m was already written, m is zeroed.

  The equation checked is R == S*B - h*A, h = SHA-512(R || A || M) mod l.
  ge_frombytes_negate_vartime decodes pk as -A, which is what lets
  ge_double_scalarmult_vartime compute h*(-A) + S*B directly. The
  vartime routines are acceptable here because every input is public.

  What the checks do and do not cover:
  - smlen >= 64: room for R and S.
  - sm[63] & 224: rejects S with any of bits 253..255 set (S >= 2^253).
    This is NOT the RFC 8032 condition S < l (l = 2^252 + ..., see sc.h):
    an S in [l, 2^253) passes, and because the scalar is used unreduced
    S*B only depends on S mod l, a signature with S replaced by S + l
    also verifies. Callers that need non-malleable signatures must add a
    canonical-S check.
  - ge_frombytes_negate_vartime fails only if pk is not on the curve;
    identity and small-order public keys are not rejected here.
*/
7 | int crypto_sign_open(
8 | unsigned char *m,unsigned long long *mlen,
9 | const unsigned char *sm,unsigned long long smlen,
10 | const unsigned char *pk
11 | )
12 | {
13 | unsigned char h[64];
14 | unsigned char checkr[32];
15 | ge_p3 A;
16 | ge_p2 R;
17 | unsigned long long i;
18 | 
19 | *mlen = -1;
20 | if (smlen < 64) return -1;
21 | if (sm[63] & 224) return -1;
22 | if (ge_frombytes_negate_vartime(&A,pk) != 0) return -1;
23 | 
/* Build R || A || M in m and hash it; m is used as scratch here. */
24 | for (i = 0;i < smlen;++i) m[i] = sm[i];
25 | for (i = 0;i < 32;++i) m[32 + i] = pk[i];
26 | crypto_hash_sha512(h,m,smlen);
27 | sc_reduce(h);
28 | 
/* R' = h*(-A) + S*B, then compare its encoding with the transmitted R
   (crypto_verify_32 is the constant-time comparison, not visible here). */
29 | ge_double_scalarmult_vartime(&R,h,&A,sm + 32);
30 | ge_tobytes(checkr,&R);
31 | if (crypto_verify_32(checkr,sm) != 0) {
32 | for (i = 0;i < smlen;++i) m[i] = 
0; 33 | return -1; 34 | } 35 | 36 | for (i = 0;i < smlen - 64;++i) m[i] = sm[64 + i]; 37 | for (i = smlen - 64;i < smlen;++i) m[i] = 0; 38 | *mlen = smlen - 64; 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/pow22523.h: -------------------------------------------------------------------------------- 1 | 2 | /* qhasm: fe z1 */ 3 | 4 | /* qhasm: fe z2 */ 5 | 6 | /* qhasm: fe z8 */ 7 | 8 | /* qhasm: fe z9 */ 9 | 10 | /* qhasm: fe z11 */ 11 | 12 | /* qhasm: fe z22 */ 13 | 14 | /* qhasm: fe z_5_0 */ 15 | 16 | /* qhasm: fe z_10_5 */ 17 | 18 | /* qhasm: fe z_10_0 */ 19 | 20 | /* qhasm: fe z_20_10 */ 21 | 22 | /* qhasm: fe z_20_0 */ 23 | 24 | /* qhasm: fe z_40_20 */ 25 | 26 | /* qhasm: fe z_40_0 */ 27 | 28 | /* qhasm: fe z_50_10 */ 29 | 30 | /* qhasm: fe z_50_0 */ 31 | 32 | /* qhasm: fe z_100_50 */ 33 | 34 | /* qhasm: fe z_100_0 */ 35 | 36 | /* qhasm: fe z_200_100 */ 37 | 38 | /* qhasm: fe z_200_0 */ 39 | 40 | /* qhasm: fe z_250_50 */ 41 | 42 | /* qhasm: fe z_250_0 */ 43 | 44 | /* qhasm: fe z_252_2 */ 45 | 46 | /* qhasm: fe z_252_3 */ 47 | 48 | /* qhasm: enter pow22523 */ 49 | 50 | /* qhasm: z2 = z1^2^1 */ 51 | /* asm 1: fe_sq(>z2=fe#1,z2=fe#1,>z2=fe#1); */ 52 | /* asm 2: fe_sq(>z2=t0,z2=t0,>z2=t0); */ 53 | fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0); 54 | 55 | /* qhasm: z8 = z2^2^2 */ 56 | /* asm 1: fe_sq(>z8=fe#2,z8=fe#2,>z8=fe#2); */ 57 | /* asm 2: fe_sq(>z8=t1,z8=t1,>z8=t1); */ 58 | fe_sq(t1,t0); for (i = 1;i < 2;++i) fe_sq(t1,t1); 59 | 60 | /* qhasm: z9 = z1*z8 */ 61 | /* asm 1: fe_mul(>z9=fe#2,z9=t1,z11=fe#1,z11=t0,z22=fe#1,z22=fe#1,>z22=fe#1); */ 72 | /* asm 2: fe_sq(>z22=t0,z22=t0,>z22=t0); */ 73 | fe_sq(t0,t0); for (i = 1;i < 1;++i) fe_sq(t0,t0); 74 | 75 | /* qhasm: z_5_0 = z9*z22 */ 76 | /* asm 1: fe_mul(>z_5_0=fe#1,z_5_0=t0,z_10_5=fe#2,z_10_5=fe#2,>z_10_5=fe#2); */ 82 | /* asm 2: fe_sq(>z_10_5=t1,z_10_5=t1,>z_10_5=t1); */ 83 | fe_sq(t1,t0); for (i = 1;i < 5;++i) 
fe_sq(t1,t1); 84 | 85 | /* qhasm: z_10_0 = z_10_5*z_5_0 */ 86 | /* asm 1: fe_mul(>z_10_0=fe#1,z_10_0=t0,z_20_10=fe#2,z_20_10=fe#2,>z_20_10=fe#2); */ 92 | /* asm 2: fe_sq(>z_20_10=t1,z_20_10=t1,>z_20_10=t1); */ 93 | fe_sq(t1,t0); for (i = 1;i < 10;++i) fe_sq(t1,t1); 94 | 95 | /* qhasm: z_20_0 = z_20_10*z_10_0 */ 96 | /* asm 1: fe_mul(>z_20_0=fe#2,z_20_0=t1,z_40_20=fe#3,z_40_20=fe#3,>z_40_20=fe#3); */ 102 | /* asm 2: fe_sq(>z_40_20=t2,z_40_20=t2,>z_40_20=t2); */ 103 | fe_sq(t2,t1); for (i = 1;i < 20;++i) fe_sq(t2,t2); 104 | 105 | /* qhasm: z_40_0 = z_40_20*z_20_0 */ 106 | /* asm 1: fe_mul(>z_40_0=fe#2,z_40_0=t1,z_50_10=fe#2,z_50_10=fe#2,>z_50_10=fe#2); */ 112 | /* asm 2: fe_sq(>z_50_10=t1,z_50_10=t1,>z_50_10=t1); */ 113 | fe_sq(t1,t1); for (i = 1;i < 10;++i) fe_sq(t1,t1); 114 | 115 | /* qhasm: z_50_0 = z_50_10*z_10_0 */ 116 | /* asm 1: fe_mul(>z_50_0=fe#1,z_50_0=t0,z_100_50=fe#2,z_100_50=fe#2,>z_100_50=fe#2); */ 122 | /* asm 2: fe_sq(>z_100_50=t1,z_100_50=t1,>z_100_50=t1); */ 123 | fe_sq(t1,t0); for (i = 1;i < 50;++i) fe_sq(t1,t1); 124 | 125 | /* qhasm: z_100_0 = z_100_50*z_50_0 */ 126 | /* asm 1: fe_mul(>z_100_0=fe#2,z_100_0=t1,z_200_100=fe#3,z_200_100=fe#3,>z_200_100=fe#3); */ 132 | /* asm 2: fe_sq(>z_200_100=t2,z_200_100=t2,>z_200_100=t2); */ 133 | fe_sq(t2,t1); for (i = 1;i < 100;++i) fe_sq(t2,t2); 134 | 135 | /* qhasm: z_200_0 = z_200_100*z_100_0 */ 136 | /* asm 1: fe_mul(>z_200_0=fe#2,z_200_0=t1,z_250_50=fe#2,z_250_50=fe#2,>z_250_50=fe#2); */ 142 | /* asm 2: fe_sq(>z_250_50=t1,z_250_50=t1,>z_250_50=t1); */ 143 | fe_sq(t1,t1); for (i = 1;i < 50;++i) fe_sq(t1,t1); 144 | 145 | /* qhasm: z_250_0 = z_250_50*z_50_0 */ 146 | /* asm 1: fe_mul(>z_250_0=fe#1,z_250_0=t0,z_252_2=fe#1,z_252_2=fe#1,>z_252_2=fe#1); */ 152 | /* asm 2: fe_sq(>z_252_2=t0,z_252_2=t0,>z_252_2=t0); */ 153 | fe_sq(t0,t0); for (i = 1;i < 2;++i) fe_sq(t0,t0); 154 | 155 | /* qhasm: z_252_3 = z_252_2*z1 */ 156 | /* asm 1: fe_mul(>z_252_3=fe#12,z_252_3=out,z1=fe#11: 5 | 
return:nofallthrough:h=fe:asm/fe_mul(>h,h=fe:#k:asm/fe_sq(>h,h,>h);: 9 | 10 | : 11 | 12 | fe z1 13 | fe z2 14 | fe z8 15 | fe z9 16 | fe z11 17 | fe z22 18 | fe z_5_0 19 | fe z_10_5 20 | fe z_10_0 21 | fe z_20_10 22 | fe z_20_0 23 | fe z_40_20 24 | fe z_40_0 25 | fe z_50_10 26 | fe z_50_0 27 | fe z_100_50 28 | fe z_100_0 29 | fe z_200_100 30 | fe z_200_0 31 | fe z_250_50 32 | fe z_250_0 33 | fe z_252_2 34 | fe z_252_3 35 | 36 | enter pow22523 37 | 38 | z2 = z1^2^1 39 | z8 = z2^2^2 40 | z9 = z1*z8 41 | z11 = z2*z9 42 | z22 = z11^2^1 43 | z_5_0 = z9*z22 44 | z_10_5 = z_5_0^2^5 45 | z_10_0 = z_10_5*z_5_0 46 | z_20_10 = z_10_0^2^10 47 | z_20_0 = z_20_10*z_10_0 48 | z_40_20 = z_20_0^2^20 49 | z_40_0 = z_40_20*z_20_0 50 | z_50_10 = z_40_0^2^10 51 | z_50_0 = z_50_10*z_10_0 52 | z_100_50 = z_50_0^2^50 53 | z_100_0 = z_100_50*z_50_0 54 | z_200_100 = z_100_0^2^100 55 | z_200_0 = z_200_100*z_100_0 56 | z_250_50 = z_200_0^2^50 57 | z_250_0 = z_250_50*z_50_0 58 | z_252_2 = z_250_0^2^2 59 | z_252_3 = z_252_2*z1 60 | 61 | return 62 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/pow225521.h: -------------------------------------------------------------------------------- 1 | 2 | /* qhasm: fe z1 */ 3 | 4 | /* qhasm: fe z2 */ 5 | 6 | /* qhasm: fe z8 */ 7 | 8 | /* qhasm: fe z9 */ 9 | 10 | /* qhasm: fe z11 */ 11 | 12 | /* qhasm: fe z22 */ 13 | 14 | /* qhasm: fe z_5_0 */ 15 | 16 | /* qhasm: fe z_10_5 */ 17 | 18 | /* qhasm: fe z_10_0 */ 19 | 20 | /* qhasm: fe z_20_10 */ 21 | 22 | /* qhasm: fe z_20_0 */ 23 | 24 | /* qhasm: fe z_40_20 */ 25 | 26 | /* qhasm: fe z_40_0 */ 27 | 28 | /* qhasm: fe z_50_10 */ 29 | 30 | /* qhasm: fe z_50_0 */ 31 | 32 | /* qhasm: fe z_100_50 */ 33 | 34 | /* qhasm: fe z_100_0 */ 35 | 36 | /* qhasm: fe z_200_100 */ 37 | 38 | /* qhasm: fe z_200_0 */ 39 | 40 | /* qhasm: fe z_250_50 */ 41 | 42 | /* qhasm: fe z_250_0 */ 43 | 44 | /* qhasm: fe z_255_5 */ 45 | 46 | /* qhasm: fe z_255_21 */ 47 | 48 | /* qhasm: 
enter pow225521 */ 49 | 50 | /* qhasm: z2 = z1^2^1 */ 51 | /* asm 1: fe_sq(>z2=fe#1,z2=fe#1,>z2=fe#1); */ 52 | /* asm 2: fe_sq(>z2=t0,z2=t0,>z2=t0); */ 53 | fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0); 54 | 55 | /* qhasm: z8 = z2^2^2 */ 56 | /* asm 1: fe_sq(>z8=fe#2,z8=fe#2,>z8=fe#2); */ 57 | /* asm 2: fe_sq(>z8=t1,z8=t1,>z8=t1); */ 58 | fe_sq(t1,t0); for (i = 1;i < 2;++i) fe_sq(t1,t1); 59 | 60 | /* qhasm: z9 = z1*z8 */ 61 | /* asm 1: fe_mul(>z9=fe#2,z9=t1,z11=fe#1,z11=t0,z22=fe#3,z22=fe#3,>z22=fe#3); */ 72 | /* asm 2: fe_sq(>z22=t2,z22=t2,>z22=t2); */ 73 | fe_sq(t2,t0); for (i = 1;i < 1;++i) fe_sq(t2,t2); 74 | 75 | /* qhasm: z_5_0 = z9*z22 */ 76 | /* asm 1: fe_mul(>z_5_0=fe#2,z_5_0=t1,z_10_5=fe#3,z_10_5=fe#3,>z_10_5=fe#3); */ 82 | /* asm 2: fe_sq(>z_10_5=t2,z_10_5=t2,>z_10_5=t2); */ 83 | fe_sq(t2,t1); for (i = 1;i < 5;++i) fe_sq(t2,t2); 84 | 85 | /* qhasm: z_10_0 = z_10_5*z_5_0 */ 86 | /* asm 1: fe_mul(>z_10_0=fe#2,z_10_0=t1,z_20_10=fe#3,z_20_10=fe#3,>z_20_10=fe#3); */ 92 | /* asm 2: fe_sq(>z_20_10=t2,z_20_10=t2,>z_20_10=t2); */ 93 | fe_sq(t2,t1); for (i = 1;i < 10;++i) fe_sq(t2,t2); 94 | 95 | /* qhasm: z_20_0 = z_20_10*z_10_0 */ 96 | /* asm 1: fe_mul(>z_20_0=fe#3,z_20_0=t2,z_40_20=fe#4,z_40_20=fe#4,>z_40_20=fe#4); */ 102 | /* asm 2: fe_sq(>z_40_20=t3,z_40_20=t3,>z_40_20=t3); */ 103 | fe_sq(t3,t2); for (i = 1;i < 20;++i) fe_sq(t3,t3); 104 | 105 | /* qhasm: z_40_0 = z_40_20*z_20_0 */ 106 | /* asm 1: fe_mul(>z_40_0=fe#3,z_40_0=t2,z_50_10=fe#3,z_50_10=fe#3,>z_50_10=fe#3); */ 112 | /* asm 2: fe_sq(>z_50_10=t2,z_50_10=t2,>z_50_10=t2); */ 113 | fe_sq(t2,t2); for (i = 1;i < 10;++i) fe_sq(t2,t2); 114 | 115 | /* qhasm: z_50_0 = z_50_10*z_10_0 */ 116 | /* asm 1: fe_mul(>z_50_0=fe#2,z_50_0=t1,z_100_50=fe#3,z_100_50=fe#3,>z_100_50=fe#3); */ 122 | /* asm 2: fe_sq(>z_100_50=t2,z_100_50=t2,>z_100_50=t2); */ 123 | fe_sq(t2,t1); for (i = 1;i < 50;++i) fe_sq(t2,t2); 124 | 125 | /* qhasm: z_100_0 = z_100_50*z_50_0 */ 126 | /* asm 1: 
fe_mul(>z_100_0=fe#3,z_100_0=t2,z_200_100=fe#4,z_200_100=fe#4,>z_200_100=fe#4); */ 132 | /* asm 2: fe_sq(>z_200_100=t3,z_200_100=t3,>z_200_100=t3); */ 133 | fe_sq(t3,t2); for (i = 1;i < 100;++i) fe_sq(t3,t3); 134 | 135 | /* qhasm: z_200_0 = z_200_100*z_100_0 */ 136 | /* asm 1: fe_mul(>z_200_0=fe#3,z_200_0=t2,z_250_50=fe#3,z_250_50=fe#3,>z_250_50=fe#3); */ 142 | /* asm 2: fe_sq(>z_250_50=t2,z_250_50=t2,>z_250_50=t2); */ 143 | fe_sq(t2,t2); for (i = 1;i < 50;++i) fe_sq(t2,t2); 144 | 145 | /* qhasm: z_250_0 = z_250_50*z_50_0 */ 146 | /* asm 1: fe_mul(>z_250_0=fe#2,z_250_0=t1,z_255_5=fe#2,z_255_5=fe#2,>z_255_5=fe#2); */ 152 | /* asm 2: fe_sq(>z_255_5=t1,z_255_5=t1,>z_255_5=t1); */ 153 | fe_sq(t1,t1); for (i = 1;i < 5;++i) fe_sq(t1,t1); 154 | 155 | /* qhasm: z_255_21 = z_255_5*z11 */ 156 | /* asm 1: fe_mul(>z_255_21=fe#12,z_255_21=out,z1=fe#11: 5 | return:nofallthrough:h=fe:asm/fe_mul(>h,h=fe:#k:asm/fe_sq(>h,h,>h);: 9 | 10 | : 11 | 12 | fe z1 13 | fe z2 14 | fe z8 15 | fe z9 16 | fe z11 17 | fe z22 18 | fe z_5_0 19 | fe z_10_5 20 | fe z_10_0 21 | fe z_20_10 22 | fe z_20_0 23 | fe z_40_20 24 | fe z_40_0 25 | fe z_50_10 26 | fe z_50_0 27 | fe z_100_50 28 | fe z_100_0 29 | fe z_200_100 30 | fe z_200_0 31 | fe z_250_50 32 | fe z_250_0 33 | fe z_255_5 34 | fe z_255_21 35 | 36 | enter pow225521 37 | 38 | z2 = z1^2^1 39 | z8 = z2^2^2 40 | z9 = z1*z8 41 | z11 = z2*z9 42 | z22 = z11^2^1 43 | z_5_0 = z9*z22 44 | z_10_5 = z_5_0^2^5 45 | z_10_0 = z_10_5*z_5_0 46 | z_20_10 = z_10_0^2^10 47 | z_20_0 = z_20_10*z_10_0 48 | z_40_20 = z_20_0^2^20 49 | z_40_0 = z_40_20*z_20_0 50 | z_50_10 = z_40_0^2^10 51 | z_50_0 = z_50_10*z_10_0 52 | z_100_50 = z_50_0^2^50 53 | z_100_0 = z_100_50*z_50_0 54 | z_200_100 = z_100_0^2^100 55 | z_200_0 = z_200_100*z_100_0 56 | z_250_50 = z_200_0^2^50 57 | z_250_0 = z_250_50*z_50_0 58 | z_255_5 = z_250_0^2^5 59 | z_255_21 = z_255_5*z11 60 | 61 | return 62 | -------------------------------------------------------------------------------- 
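/ed25519-supercop-ref10/publickey.c: --------------------------------------------------------------------------------
#include "crypto_sign.h"
#include "crypto_hash_sha512.h"
#include "ge.h"

/*
  Derives an Ed25519 key pair from a caller-supplied 32-byte seed (the
  deterministic counterpart of crypto_sign_keypair, which draws the seed
  from randombytes).

  pk:   receives the 32-byte encoded public key A = s*B.
  sk:   receives 64 bytes: sk[0..31] = seed, sk[32..63] = copy of pk,
        the layout the other SUPERCOP routines expect.
  seed: 32 bytes, read only. Left non-const to match the prototype in
        crypto_sign.h, which is not visible here.
  Returns 0; there is no failure path.

  The expanded scalar h is secret key material and is scrubbed before
  returning. The seed itself is deliberately copied into sk; the caller
  owns seed and sk and is responsible for their lifetime.
*/
int crypto_sign_publickey(
  unsigned char *pk, // write 32 bytes into this
  unsigned char *sk, // write 64 bytes into this (seed+pubkey)
  unsigned char *seed // 32 bytes input
)
{
  unsigned char h[64];
  volatile unsigned char *vh = h;
  ge_p3 A;
  int i;

  /* Expand the seed: the low 32 bytes of SHA-512(seed) become the scalar
     s. The high 32 bytes are not used by this function. */
  crypto_hash_sha512(h,seed,32);
  /* Clamp per Ed25519: clear the low 3 bits (multiple of 8, the
     cofactor), clear bits 254..255 and set bit 254. This also satisfies
     the ge_scalarmult_base precondition h[31] <= 127. */
  h[0] &= 248;
  h[31] &= 63;
  h[31] |= 64;

  ge_scalarmult_base(&A,h); /* A = s*B; constant time in h */
  ge_p3_tobytes(pk,&A);     /* y little-endian, sign of x in bit 255 */

  for (i = 0;i < 32;++i) sk[i] = seed[i];
  for (i = 0;i < 32;++i) sk[32 + i] = pk[i];

  /* Scrub the expanded secret scalar. A plain memset on a local that is
     about to die may be dropped by the optimizer; stores through a
     volatile pointer are kept. */
  for (i = 0;i < 64;++i) vh[i] = 0;
  return 0;
}
-------------------------------------------------------------------------------- /ed25519-supercop-ref10/q2h.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | sed 's/^#.*//' \ 3 | | qhasm-generic \ 4 | | sed 's_//\(.*\)$_/*\1 */_' 5 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/sc.h: -------------------------------------------------------------------------------- 1 | #ifndef SC_H 2 | #define SC_H 3 | 4 | /* 5 | The set of scalars is \Z/l 6 | where l = 2^252 + 27742317777372353535851937790883648493. 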
7 | */ 8 | /* map the short names onto the namespaced exported symbols */ 9 | #define sc_reduce crypto_sign_ed25519_ref10_sc_reduce 10 | #define sc_muladd crypto_sign_ed25519_ref10_sc_muladd 11 | 12 | extern void sc_reduce(unsigned char *); 13 | extern void sc_muladd(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *); 14 | 15 | #endif 16 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/sc_muladd.c: -------------------------------------------------------------------------------- 1 | #include "sc.h" 2 | #include "crypto_int64.h" 3 | #include "crypto_uint32.h" 4 | #include "crypto_uint64.h" 5 | /* Little-endian load of the 3 bytes in[0..2] into a 64-bit value; each byte is widened before shifting so no int promotion overflow occurs. */ 6 | static crypto_uint64 load_3(const unsigned char *in) 7 | { 8 | crypto_uint64 result; 9 | result = (crypto_uint64) in[0]; 10 | result |= ((crypto_uint64) in[1]) << 8; 11 | result |= ((crypto_uint64) in[2]) << 16; 12 | return result; 13 | } 14 | /* Little-endian load of the 4 bytes in[0..3]. The same two helpers are duplicated verbatim in sc_reduce.c. */ 15 | static crypto_uint64 load_4(const unsigned char *in) 16 | { 17 | crypto_uint64 result; 18 | result = (crypto_uint64) in[0]; 19 | result |= ((crypto_uint64) in[1]) << 8; 20 | result |= ((crypto_uint64) in[2]) << 16; 21 | result |= ((crypto_uint64) in[3]) << 24; 22 | return result; 23 | } 24 | 25 | /* 26 | Input: 27 | a[0]+256*a[1]+...+256^31*a[31] = a 28 | b[0]+256*b[1]+...+256^31*b[31] = b 29 | c[0]+256*c[1]+...+256^31*c[31] = c 30 | 31 | Output: 32 | s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l 33 | where l = 2^252 + 27742317777372353535851937790883648493. 
34 | */ 35 | 36 | void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,const unsigned char *c) 37 | { /* Unpack a, b and c into 12 limbs each in radix 2^21 (mask 2097151 = 2^21 - 1); the top limb (index 11) keeps its remaining high bits unmasked. Limbs live in signed 64-bit so the sums and products below may go negative. */ 38 | crypto_int64 a0 = 2097151 & load_3(a); 39 | crypto_int64 a1 = 2097151 & (load_4(a + 2) >> 5); 40 | crypto_int64 a2 = 2097151 & (load_3(a + 5) >> 2); 41 | crypto_int64 a3 = 2097151 & (load_4(a + 7) >> 7); 42 | crypto_int64 a4 = 2097151 & (load_4(a + 10) >> 4); 43 | crypto_int64 a5 = 2097151 & (load_3(a + 13) >> 1); 44 | crypto_int64 a6 = 2097151 & (load_4(a + 15) >> 6); 45 | crypto_int64 a7 = 2097151 & (load_3(a + 18) >> 3); 46 | crypto_int64 a8 = 2097151 & load_3(a + 21); 47 | crypto_int64 a9 = 2097151 & (load_4(a + 23) >> 5); 48 | crypto_int64 a10 = 2097151 & (load_3(a + 26) >> 2); 49 | crypto_int64 a11 = (load_4(a + 28) >> 7); 50 | crypto_int64 b0 = 2097151 & load_3(b); 51 | crypto_int64 b1 = 2097151 & (load_4(b + 2) >> 5); 52 | crypto_int64 b2 = 2097151 & (load_3(b + 5) >> 2); 53 | crypto_int64 b3 = 2097151 & (load_4(b + 7) >> 7); 54 | crypto_int64 b4 = 2097151 & (load_4(b + 10) >> 4); 55 | crypto_int64 b5 = 2097151 & (load_3(b + 13) >> 1); 56 | crypto_int64 b6 = 2097151 & (load_4(b + 15) >> 6); 57 | crypto_int64 b7 = 2097151 & (load_3(b + 18) >> 3); 58 | crypto_int64 b8 = 2097151 & load_3(b + 21); 59 | crypto_int64 b9 = 2097151 & (load_4(b + 23) >> 5); 60 | crypto_int64 b10 = 2097151 & (load_3(b + 26) >> 2); 61 | crypto_int64 b11 = (load_4(b + 28) >> 7); 62 | crypto_int64 c0 = 2097151 & load_3(c); 63 | crypto_int64 c1 = 2097151 & (load_4(c + 2) >> 5); 64 | crypto_int64 c2 = 2097151 & (load_3(c + 5) >> 2); 65 | crypto_int64 c3 = 2097151 & (load_4(c + 7) >> 7); 66 | crypto_int64 c4 = 2097151 & (load_4(c + 10) >> 4); 67 | crypto_int64 c5 = 2097151 & (load_3(c + 13) >> 1); 68 | crypto_int64 c6 = 2097151 & (load_4(c + 15) >> 6); 69 | crypto_int64 c7 = 2097151 & (load_3(c + 18) >> 3); 70 | crypto_int64 c8 = 2097151 & load_3(c + 21); 71 | crypto_int64 c9 = 2097151 & (load_4(c + 23) >> 5); 72 | crypto_int64 c10 = 2097151 & (load_3(c + 26) 
>> 2); 73 | crypto_int64 c11 = (load_4(c + 28) >> 7); 74 | crypto_int64 s0; 75 | crypto_int64 s1; 76 | crypto_int64 s2; 77 | crypto_int64 s3; 78 | crypto_int64 s4; 79 | crypto_int64 s5; 80 | crypto_int64 s6; 81 | crypto_int64 s7; 82 | crypto_int64 s8; 83 | crypto_int64 s9; 84 | crypto_int64 s10; 85 | crypto_int64 s11; 86 | crypto_int64 s12; 87 | crypto_int64 s13; 88 | crypto_int64 s14; 89 | crypto_int64 s15; 90 | crypto_int64 s16; 91 | crypto_int64 s17; 92 | crypto_int64 s18; 93 | crypto_int64 s19; 94 | crypto_int64 s20; 95 | crypto_int64 s21; 96 | crypto_int64 s22; 97 | crypto_int64 s23; 98 | crypto_int64 carry0; 99 | crypto_int64 carry1; 100 | crypto_int64 carry2; 101 | crypto_int64 carry3; 102 | crypto_int64 carry4; 103 | crypto_int64 carry5; 104 | crypto_int64 carry6; 105 | crypto_int64 carry7; 106 | crypto_int64 carry8; 107 | crypto_int64 carry9; 108 | crypto_int64 carry10; 109 | crypto_int64 carry11; 110 | crypto_int64 carry12; 111 | crypto_int64 carry13; 112 | crypto_int64 carry14; 113 | crypto_int64 carry15; 114 | crypto_int64 carry16; 115 | crypto_int64 carry17; 116 | crypto_int64 carry18; 117 | crypto_int64 carry19; 118 | crypto_int64 carry20; 119 | crypto_int64 carry21; 120 | crypto_int64 carry22; 121 | /* Schoolbook product a*b plus c: s_k collects c_k and every a_i*b_j with i+j = k, giving 24 unreduced coefficients s0..s23 (s23 starts at 0 and only ever receives a carry). */ 122 | s0 = c0 + a0*b0; 123 | s1 = c1 + a0*b1 + a1*b0; 124 | s2 = c2 + a0*b2 + a1*b1 + a2*b0; 125 | s3 = c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0; 126 | s4 = c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0; 127 | s5 = c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0; 128 | s6 = c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0; 129 | s7 = c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0; 130 | s8 = c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0; 131 | s9 = c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0; 132 | s10 = c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0; 133 | s11 = c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + 
a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0; 134 | s12 = a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1; 135 | s13 = a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2; 136 | s14 = a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3; 137 | s15 = a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4; 138 | s16 = a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5; 139 | s17 = a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6; 140 | s18 = a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7; 141 | s19 = a8*b11 + a9*b10 + a10*b9 + a11*b8; 142 | s20 = a9*b11 + a10*b10 + a11*b9; 143 | s21 = a10*b11 + a11*b10; 144 | s22 = a11*b11; 145 | s23 = 0; 146 | /* Carry pass over the even limbs, then the odd ones: adding 2^20 before the shift rounds each carry to nearest, so every limb ends within about +/-2^20. NOTE: >> on a negative crypto_int64 is implementation-defined in C; this code relies on an arithmetic (sign-extending) shift. */ 147 | carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21; 148 | carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21; 149 | carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21; 150 | carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; 151 | carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; 152 | carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; 153 | carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21; 154 | carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21; 155 | carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21; 156 | carry18 = (s18 + (1<<20)) >> 21; s19 += carry18; s18 -= carry18 << 21; 157 | carry20 = (s20 + (1<<20)) >> 21; s21 += carry20; s20 -= carry20 << 21; 158 | carry22 = (s22 + (1<<20)) >> 21; s23 += carry22; s22 -= carry22 << 21; 159 | 160 | carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21; 161 | carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21; 162 | carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21; 163 | carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; 164 | carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 
-= carry9 << 21; 165 | carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; 166 | carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21; 167 | carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21; 168 | carry17 = (s17 + (1<<20)) >> 21; s18 += carry17; s17 -= carry17 << 21; 169 | carry19 = (s19 + (1<<20)) >> 21; s20 += carry19; s19 -= carry19 << 21; 170 | carry21 = (s21 + (1<<20)) >> 21; s22 += carry21; s21 -= carry21 << 21; 171 | /* Reduce limbs 23..18 (weight 2^(21k), k >= 12): because l = 2^252 + 27742317777372353535851937790883648493, 2^252 is congruent to -27742317777372353535851937790883648493 (mod l). The constants 666643, 470296, 654183, -997805, 136657, -683901 are presumably that residue's signed radix-2^21 limbs (confirm against l). Each high limb k is folded into limbs k-12 .. k-7 and then zeroed. */ 172 | s11 += s23 * 666643; 173 | s12 += s23 * 470296; 174 | s13 += s23 * 654183; 175 | s14 -= s23 * 997805; 176 | s15 += s23 * 136657; 177 | s16 -= s23 * 683901; 178 | s23 = 0; 179 | 180 | s10 += s22 * 666643; 181 | s11 += s22 * 470296; 182 | s12 += s22 * 654183; 183 | s13 -= s22 * 997805; 184 | s14 += s22 * 136657; 185 | s15 -= s22 * 683901; 186 | s22 = 0; 187 | 188 | s9 += s21 * 666643; 189 | s10 += s21 * 470296; 190 | s11 += s21 * 654183; 191 | s12 -= s21 * 997805; 192 | s13 += s21 * 136657; 193 | s14 -= s21 * 683901; 194 | s21 = 0; 195 | 196 | s8 += s20 * 666643; 197 | s9 += s20 * 470296; 198 | s10 += s20 * 654183; 199 | s11 -= s20 * 997805; 200 | s12 += s20 * 136657; 201 | s13 -= s20 * 683901; 202 | s20 = 0; 203 | 204 | s7 += s19 * 666643; 205 | s8 += s19 * 470296; 206 | s9 += s19 * 654183; 207 | s10 -= s19 * 997805; 208 | s11 += s19 * 136657; 209 | s12 -= s19 * 683901; 210 | s19 = 0; 211 | 212 | s6 += s18 * 666643; 213 | s7 += s18 * 470296; 214 | s8 += s18 * 654183; 215 | s9 -= s18 * 997805; 216 | s10 += s18 * 136657; 217 | s11 -= s18 * 683901; 218 | s18 = 0; 219 | /* re-normalize limbs 6..16 before the next fold so the products stay within 64 bits */ 220 | carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; 221 | carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; 222 | carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; 223 | carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21; 224 | carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21; 225 | carry16 = (s16 + (1<<20)) >> 21; s17 += 
carry16; s16 -= carry16 << 21; 226 | 227 | carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; 228 | carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; 229 | carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; 230 | carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21; 231 | carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21; 232 | /* second fold: limbs 17..12 into limbs 5..0 */ 233 | s5 += s17 * 666643; 234 | s6 += s17 * 470296; 235 | s7 += s17 * 654183; 236 | s8 -= s17 * 997805; 237 | s9 += s17 * 136657; 238 | s10 -= s17 * 683901; 239 | s17 = 0; 240 | 241 | s4 += s16 * 666643; 242 | s5 += s16 * 470296; 243 | s6 += s16 * 654183; 244 | s7 -= s16 * 997805; 245 | s8 += s16 * 136657; 246 | s9 -= s16 * 683901; 247 | s16 = 0; 248 | 249 | s3 += s15 * 666643; 250 | s4 += s15 * 470296; 251 | s5 += s15 * 654183; 252 | s6 -= s15 * 997805; 253 | s7 += s15 * 136657; 254 | s8 -= s15 * 683901; 255 | s15 = 0; 256 | 257 | s2 += s14 * 666643; 258 | s3 += s14 * 470296; 259 | s4 += s14 * 654183; 260 | s5 -= s14 * 997805; 261 | s6 += s14 * 136657; 262 | s7 -= s14 * 683901; 263 | s14 = 0; 264 | 265 | s1 += s13 * 666643; 266 | s2 += s13 * 470296; 267 | s3 += s13 * 654183; 268 | s4 -= s13 * 997805; 269 | s5 += s13 * 136657; 270 | s6 -= s13 * 683901; 271 | s13 = 0; 272 | 273 | s0 += s12 * 666643; 274 | s1 += s12 * 470296; 275 | s2 += s12 * 654183; 276 | s3 -= s12 * 997805; 277 | s4 += s12 * 136657; 278 | s5 -= s12 * 683901; 279 | s12 = 0; 280 | 281 | carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21; 282 | carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21; 283 | carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21; 284 | carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; 285 | carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; 286 | carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; 287 | 288 | carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21; 289 | 
carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21; 290 | carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21; 291 | carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; 292 | carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; 293 | carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; 294 | 295 | s0 += s12 * 666643; 296 | s1 += s12 * 470296; 297 | s2 += s12 * 654183; 298 | s3 -= s12 * 997805; 299 | s4 += s12 * 136657; 300 | s5 -= s12 * 683901; 301 | s12 = 0; 302 | /* Final carry chain without the rounding term (floor division), which leaves every limb in [0, 2^21); the overflow that lands in s12 is folded back one last time below. */ 303 | carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; 304 | carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; 305 | carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; 306 | carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; 307 | carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; 308 | carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; 309 | carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; 310 | carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; 311 | carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; 312 | carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; 313 | carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; 314 | carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21; 315 | 316 | s0 += s12 * 666643; 317 | s1 += s12 * 470296; 318 | s2 += s12 * 654183; 319 | s3 -= s12 * 997805; 320 | s4 += s12 * 136657; 321 | s5 -= s12 * 683901; 322 | s12 = 0; 323 | 324 | carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; 325 | carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; 326 | carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; 327 | carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; 328 | carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; 329 | carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; 330 | carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; 331 | carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; 332 | carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; 333 | carry9 = s9 >> 21; 
s10 += carry9; s9 -= carry9 << 21; 334 | carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; 335 | /* Pack the 12 reduced limbs into 32 little-endian bytes; every assignment implicitly truncates to unsigned char. */ 336 | s[0] = s0 >> 0; 337 | s[1] = s0 >> 8; 338 | s[2] = (s0 >> 16) | (s1 << 5); 339 | s[3] = s1 >> 3; 340 | s[4] = s1 >> 11; 341 | s[5] = (s1 >> 19) | (s2 << 2); 342 | s[6] = s2 >> 6; 343 | s[7] = (s2 >> 14) | (s3 << 7); 344 | s[8] = s3 >> 1; 345 | s[9] = s3 >> 9; 346 | s[10] = (s3 >> 17) | (s4 << 4); 347 | s[11] = s4 >> 4; 348 | s[12] = s4 >> 12; 349 | s[13] = (s4 >> 20) | (s5 << 1); 350 | s[14] = s5 >> 7; 351 | s[15] = (s5 >> 15) | (s6 << 6); 352 | s[16] = s6 >> 2; 353 | s[17] = s6 >> 10; 354 | s[18] = (s6 >> 18) | (s7 << 3); 355 | s[19] = s7 >> 5; 356 | s[20] = s7 >> 13; 357 | s[21] = s8 >> 0; 358 | s[22] = s8 >> 8; 359 | s[23] = (s8 >> 16) | (s9 << 5); 360 | s[24] = s9 >> 3; 361 | s[25] = s9 >> 11; 362 | s[26] = (s9 >> 19) | (s10 << 2); 363 | s[27] = s10 >> 6; 364 | s[28] = (s10 >> 14) | (s11 << 7); 365 | s[29] = s11 >> 1; 366 | s[30] = s11 >> 9; 367 | s[31] = s11 >> 17; 368 | } 369 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/sc_reduce.c: -------------------------------------------------------------------------------- 1 | #include "sc.h" 2 | #include "crypto_int64.h" 3 | #include "crypto_uint32.h" 4 | #include "crypto_uint64.h" 5 | /* Little-endian byte loaders, duplicated verbatim from sc_muladd.c. */ 6 | static crypto_uint64 load_3(const unsigned char *in) 7 | { 8 | crypto_uint64 result; 9 | result = (crypto_uint64) in[0]; 10 | result |= ((crypto_uint64) in[1]) << 8; 11 | result |= ((crypto_uint64) in[2]) << 16; 12 | return result; 13 | } 14 | 15 | static crypto_uint64 load_4(const unsigned char *in) 16 | { 17 | crypto_uint64 result; 18 | result = (crypto_uint64) in[0]; 19 | result |= ((crypto_uint64) in[1]) << 8; 20 | result |= ((crypto_uint64) in[2]) << 16; 21 | result |= ((crypto_uint64) in[3]) << 24; 22 | return result; 23 | } 24 | 25 | /* 26 | Input: 27 | s[0]+256*s[1]+...+256^63*s[63] = s 28 | 29 | Output: 30 | s[0]+256*s[1]+...+256^31*s[31] = s mod l 31 | 
where l = 2^252 + 27742317777372353535851937790883648493. 32 | Overwrites s in place. 33 | */ 34 | 35 | void sc_reduce(unsigned char *s) 36 | { /* Unpack the 64-byte input into 24 radix-2^21 limbs (mask 2097151 = 2^21 - 1); s23 takes the remaining top 29 bits unmasked. The fold, carry and pack steps below mirror sc_muladd.c without the product step. */ 37 | crypto_int64 s0 = 2097151 & load_3(s); 38 | crypto_int64 s1 = 2097151 & (load_4(s + 2) >> 5); 39 | crypto_int64 s2 = 2097151 & (load_3(s + 5) >> 2); 40 | crypto_int64 s3 = 2097151 & (load_4(s + 7) >> 7); 41 | crypto_int64 s4 = 2097151 & (load_4(s + 10) >> 4); 42 | crypto_int64 s5 = 2097151 & (load_3(s + 13) >> 1); 43 | crypto_int64 s6 = 2097151 & (load_4(s + 15) >> 6); 44 | crypto_int64 s7 = 2097151 & (load_3(s + 18) >> 3); 45 | crypto_int64 s8 = 2097151 & load_3(s + 21); 46 | crypto_int64 s9 = 2097151 & (load_4(s + 23) >> 5); 47 | crypto_int64 s10 = 2097151 & (load_3(s + 26) >> 2); 48 | crypto_int64 s11 = 2097151 & (load_4(s + 28) >> 7); 49 | crypto_int64 s12 = 2097151 & (load_4(s + 31) >> 4); 50 | crypto_int64 s13 = 2097151 & (load_3(s + 34) >> 1); 51 | crypto_int64 s14 = 2097151 & (load_4(s + 36) >> 6); 52 | crypto_int64 s15 = 2097151 & (load_3(s + 39) >> 3); 53 | crypto_int64 s16 = 2097151 & load_3(s + 42); 54 | crypto_int64 s17 = 2097151 & (load_4(s + 44) >> 5); 55 | crypto_int64 s18 = 2097151 & (load_3(s + 47) >> 2); 56 | crypto_int64 s19 = 2097151 & (load_4(s + 49) >> 7); 57 | crypto_int64 s20 = 2097151 & (load_4(s + 52) >> 4); 58 | crypto_int64 s21 = 2097151 & (load_3(s + 55) >> 1); 59 | crypto_int64 s22 = 2097151 & (load_4(s + 57) >> 6); 60 | crypto_int64 s23 = (load_4(s + 60) >> 3); 61 | crypto_int64 carry0; 62 | crypto_int64 carry1; 63 | crypto_int64 carry2; 64 | crypto_int64 carry3; 65 | crypto_int64 carry4; 66 | crypto_int64 carry5; 67 | crypto_int64 carry6; 68 | crypto_int64 carry7; 69 | crypto_int64 carry8; 70 | crypto_int64 carry9; 71 | crypto_int64 carry10; 72 | crypto_int64 carry11; 73 | crypto_int64 carry12; 74 | crypto_int64 carry13; 75 | crypto_int64 carry14; 76 | crypto_int64 carry15; 77 | crypto_int64 carry16; 78 | /* Fold limbs 23..18 (weight 2^(21k), k >= 12) back into limbs k-12 .. k-7 using 2^252 = -27742317777372353535851937790883648493 (mod l); the six constants are the same as in sc_muladd.c. */ 79 | s11 += s23 * 666643; 80 | s12 += s23 * 470296; 81 | s13 += s23 * 654183; 82 | 
s14 -= s23 * 997805; 83 | s15 += s23 * 136657; 84 | s16 -= s23 * 683901; 85 | s23 = 0; 86 | 87 | s10 += s22 * 666643; 88 | s11 += s22 * 470296; 89 | s12 += s22 * 654183; 90 | s13 -= s22 * 997805; 91 | s14 += s22 * 136657; 92 | s15 -= s22 * 683901; 93 | s22 = 0; 94 | 95 | s9 += s21 * 666643; 96 | s10 += s21 * 470296; 97 | s11 += s21 * 654183; 98 | s12 -= s21 * 997805; 99 | s13 += s21 * 136657; 100 | s14 -= s21 * 683901; 101 | s21 = 0; 102 | 103 | s8 += s20 * 666643; 104 | s9 += s20 * 470296; 105 | s10 += s20 * 654183; 106 | s11 -= s20 * 997805; 107 | s12 += s20 * 136657; 108 | s13 -= s20 * 683901; 109 | s20 = 0; 110 | 111 | s7 += s19 * 666643; 112 | s8 += s19 * 470296; 113 | s9 += s19 * 654183; 114 | s10 -= s19 * 997805; 115 | s11 += s19 * 136657; 116 | s12 -= s19 * 683901; 117 | s19 = 0; 118 | 119 | s6 += s18 * 666643; 120 | s7 += s18 * 470296; 121 | s8 += s18 * 654183; 122 | s9 -= s18 * 997805; 123 | s10 += s18 * 136657; 124 | s11 -= s18 * 683901; 125 | s18 = 0; 126 | /* Rounding carry pass (even limbs, then odd): adding 2^20 before the shift keeps each limb within about +/-2^20. NOTE: >> on a negative crypto_int64 is implementation-defined in C; an arithmetic shift is assumed. */ 127 | carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; 128 | carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; 129 | carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; 130 | carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21; 131 | carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21; 132 | carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21; 133 | 134 | carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; 135 | carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; 136 | carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; 137 | carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21; 138 | carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21; 139 | /* second fold: limbs 17..12 into limbs 5..0 */ 140 | s5 += s17 * 666643; 141 | s6 += s17 * 470296; 142 | s7 += s17 * 654183; 143 | s8 -= s17 * 997805; 144 | s9 += s17 * 136657; 145 | s10 -= s17 * 683901; 146 | s17 = 0; 147 | 
148 | s4 += s16 * 666643; 149 | s5 += s16 * 470296; 150 | s6 += s16 * 654183; 151 | s7 -= s16 * 997805; 152 | s8 += s16 * 136657; 153 | s9 -= s16 * 683901; 154 | s16 = 0; 155 | 156 | s3 += s15 * 666643; 157 | s4 += s15 * 470296; 158 | s5 += s15 * 654183; 159 | s6 -= s15 * 997805; 160 | s7 += s15 * 136657; 161 | s8 -= s15 * 683901; 162 | s15 = 0; 163 | 164 | s2 += s14 * 666643; 165 | s3 += s14 * 470296; 166 | s4 += s14 * 654183; 167 | s5 -= s14 * 997805; 168 | s6 += s14 * 136657; 169 | s7 -= s14 * 683901; 170 | s14 = 0; 171 | 172 | s1 += s13 * 666643; 173 | s2 += s13 * 470296; 174 | s3 += s13 * 654183; 175 | s4 -= s13 * 997805; 176 | s5 += s13 * 136657; 177 | s6 -= s13 * 683901; 178 | s13 = 0; 179 | 180 | s0 += s12 * 666643; 181 | s1 += s12 * 470296; 182 | s2 += s12 * 654183; 183 | s3 -= s12 * 997805; 184 | s4 += s12 * 136657; 185 | s5 -= s12 * 683901; 186 | s12 = 0; 187 | 188 | carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21; 189 | carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21; 190 | carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21; 191 | carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; 192 | carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; 193 | carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; 194 | 195 | carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21; 196 | carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21; 197 | carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21; 198 | carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; 199 | carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; 200 | carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; 201 | 202 | s0 += s12 * 666643; 203 | s1 += s12 * 470296; 204 | s2 += s12 * 654183; 205 | s3 -= s12 * 997805; 206 | s4 += s12 * 136657; 207 | s5 -= s12 * 683901; 208 | s12 = 0; 209 | /* Floor-carry chain (no rounding term): leaves every limb in [0, 2^21); the s12 overflow is folded back once more below. */ 210 | carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; 
211 | carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; 212 | carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; 213 | carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; 214 | carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; 215 | carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; 216 | carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; 217 | carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; 218 | carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; 219 | carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; 220 | carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; 221 | carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21; 222 | 223 | s0 += s12 * 666643; 224 | s1 += s12 * 470296; 225 | s2 += s12 * 654183; 226 | s3 -= s12 * 997805; 227 | s4 += s12 * 136657; 228 | s5 -= s12 * 683901; 229 | s12 = 0; 230 | 231 | carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; 232 | carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; 233 | carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; 234 | carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; 235 | carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; 236 | carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; 237 | carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; 238 | carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; 239 | carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; 240 | carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; 241 | carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; 242 | /* Pack the 12 limbs into s[0..31] (implicit truncation to unsigned char). Only the first 32 bytes are written; s[32..63] of the input are left as they were. */ 243 | s[0] = s0 >> 0; 244 | s[1] = s0 >> 8; 245 | s[2] = (s0 >> 16) | (s1 << 5); 246 | s[3] = s1 >> 3; 247 | s[4] = s1 >> 11; 248 | s[5] = (s1 >> 19) | (s2 << 2); 249 | s[6] = s2 >> 6; 250 | s[7] = (s2 >> 14) | (s3 << 7); 251 | s[8] = s3 >> 1; 252 | s[9] = s3 >> 9; 253 | s[10] = (s3 >> 17) | (s4 << 4); 254 | s[11] = s4 >> 4; 255 | s[12] = s4 >> 12; 256 | s[13] = (s4 >> 20) | (s5 << 1); 257 | s[14] = s5 >> 7; 258 | s[15] = (s5 >> 15) | (s6 << 6); 259 | s[16] = s6 >> 2; 260 | s[17] = s6 >> 
10; 261 | s[18] = (s6 >> 18) | (s7 << 3); 262 | s[19] = s7 >> 5; 263 | s[20] = s7 >> 13; 264 | s[21] = s8 >> 0; 265 | s[22] = s8 >> 8; 266 | s[23] = (s8 >> 16) | (s9 << 5); 267 | s[24] = s9 >> 3; 268 | s[25] = s9 >> 11; 269 | s[26] = (s9 >> 19) | (s10 << 2); 270 | s[27] = s10 >> 6; 271 | s[28] = (s10 >> 14) | (s11 << 7); 272 | s[29] = s11 >> 1; 273 | s[30] = s11 >> 9; 274 | s[31] = s11 >> 17; 275 | } 276 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/sha512-blocks.c: -------------------------------------------------------------------------------- 1 | //#include "crypto_hashblocks.h" 2 | 3 | typedef unsigned long long uint64; 4 | /* Read the 8 bytes x[0..7] as one big-endian 64-bit word. */ 5 | static uint64 load_bigendian(const unsigned char *x) 6 | { 7 | return 8 | (uint64) (x[7]) \ 9 | | (((uint64) (x[6])) << 8) \ 10 | | (((uint64) (x[5])) << 16) \ 11 | | (((uint64) (x[4])) << 24) \ 12 | | (((uint64) (x[3])) << 32) \ 13 | | (((uint64) (x[2])) << 40) \ 14 | | (((uint64) (x[1])) << 48) \ 15 | | (((uint64) (x[0])) << 56) 16 | ; 17 | } 18 | /* Write u as 8 big-endian bytes into x[0..7] (inverse of load_bigendian). */ 19 | static void store_bigendian(unsigned char *x,uint64 u) 20 | { 21 | x[7] = u; u >>= 8; 22 | x[6] = u; u >>= 8; 23 | x[5] = u; u >>= 8; 24 | x[4] = u; u >>= 8; 25 | x[3] = u; u >>= 8; 26 | x[2] = u; u >>= 8; 27 | x[1] = u; u >>= 8; 28 | x[0] = u; 29 | } 30 | /* SHA-512 round primitives (FIPS 180-4). NOTE(review): the Ch and Maj macro parameters are not parenthesized; this is safe here only because every use passes plain identifiers. */ 31 | #define SHR(x,c) ((x) >> (c)) 32 | #define ROTR(x,c) (((x) >> (c)) | ((x) << (64 - (c)))) 33 | 34 | #define Ch(x,y,z) ((x & y) ^ (~x & z)) 35 | #define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z)) 36 | #define Sigma0(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39)) 37 | #define Sigma1(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41)) 38 | #define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x,7)) 39 | #define sigma1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x,6)) 40 | /* one message-schedule step: w0 = sigma1(w14) + w9 + sigma0(w1) + w0 (the macro already ends in ';') */ 41 | #define M(w0,w14,w9,w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0; 42 | /* advance all 16 schedule words in place; only w0..w15 are kept rather than the full 80-word schedule */ 43 | #define EXPAND \ 44 | M(w0 ,w14,w9 ,w1 ) \ 45 | M(w1 ,w15,w10,w2 ) \ 46 | M(w2 ,w0 ,w11,w3 ) \ 47 | M(w3 ,w1 ,w12,w4 ) \ 48 | M(w4 ,w2 ,w13,w5 ) \ 49 | M(w5 
,w3 ,w14,w6 ) \ 50 | M(w6 ,w4 ,w15,w7 ) \ 51 | M(w7 ,w5 ,w0 ,w8 ) \ 52 | M(w8 ,w6 ,w1 ,w9 ) \ 53 | M(w9 ,w7 ,w2 ,w10) \ 54 | M(w10,w8 ,w3 ,w11) \ 55 | M(w11,w9 ,w4 ,w12) \ 56 | M(w12,w10,w5 ,w13) \ 57 | M(w13,w11,w6 ,w14) \ 58 | M(w14,w12,w7 ,w15) \ 59 | M(w15,w13,w8 ,w0 ) 60 | /* one compression round with schedule word w and round constant k; rotates the eight working variables a..h */ 61 | #define F(w,k) \ 62 | T1 = h + Sigma1(e) + Ch(e,f,g) + k + w; \ 63 | T2 = Sigma0(a) + Maj(a,b,c); \ 64 | h = g; \ 65 | g = f; \ 66 | f = e; \ 67 | e = d + T1; \ 68 | d = c; \ 69 | c = b; \ 70 | b = a; \ 71 | a = T1 + T2; 72 | /* SHA-512 compression over every complete 128-byte block of in. statebytes is the 64-byte chaining value, read and written big-endian. Returns the number of unprocessed trailing bytes (inlen mod 128, always < 128), narrowed to int. */ 73 | int crypto_hashblocks(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen) 74 | { 75 | uint64 state[8]; 76 | uint64 a; 77 | uint64 b; 78 | uint64 c; 79 | uint64 d; 80 | uint64 e; 81 | uint64 f; 82 | uint64 g; 83 | uint64 h; 84 | uint64 T1; 85 | uint64 T2; 86 | /* state[] keeps the chaining value for the feed-forward addition after the 80 rounds */ 87 | a = load_bigendian(statebytes + 0); state[0] = a; 88 | b = load_bigendian(statebytes + 8); state[1] = b; 89 | c = load_bigendian(statebytes + 16); state[2] = c; 90 | d = load_bigendian(statebytes + 24); state[3] = d; 91 | e = load_bigendian(statebytes + 32); state[4] = e; 92 | f = load_bigendian(statebytes + 40); state[5] = f; 93 | g = load_bigendian(statebytes + 48); state[6] = g; 94 | h = load_bigendian(statebytes + 56); state[7] = h; 95 | 96 | while (inlen >= 128) { 97 | uint64 w0 = load_bigendian(in + 0); 98 | uint64 w1 = load_bigendian(in + 8); 99 | uint64 w2 = load_bigendian(in + 16); 100 | uint64 w3 = load_bigendian(in + 24); 101 | uint64 w4 = load_bigendian(in + 32); 102 | uint64 w5 = load_bigendian(in + 40); 103 | uint64 w6 = load_bigendian(in + 48); 104 | uint64 w7 = load_bigendian(in + 56); 105 | uint64 w8 = load_bigendian(in + 64); 106 | uint64 w9 = load_bigendian(in + 72); 107 | uint64 w10 = load_bigendian(in + 80); 108 | uint64 w11 = load_bigendian(in + 88); 109 | uint64 w12 = load_bigendian(in + 96); 110 | uint64 w13 = load_bigendian(in + 104); 111 | uint64 w14 = load_bigendian(in + 112); 112 | uint64 w15 = load_bigendian(in + 120); 113 | /* 80 rounds: five groups of 16, with the schedule expanded in place between groups */ 114 | F(w0 
,0x428a2f98d728ae22ULL) 115 | F(w1 ,0x7137449123ef65cdULL) 116 | F(w2 ,0xb5c0fbcfec4d3b2fULL) 117 | F(w3 ,0xe9b5dba58189dbbcULL) 118 | F(w4 ,0x3956c25bf348b538ULL) 119 | F(w5 ,0x59f111f1b605d019ULL) 120 | F(w6 ,0x923f82a4af194f9bULL) 121 | F(w7 ,0xab1c5ed5da6d8118ULL) 122 | F(w8 ,0xd807aa98a3030242ULL) 123 | F(w9 ,0x12835b0145706fbeULL) 124 | F(w10,0x243185be4ee4b28cULL) 125 | F(w11,0x550c7dc3d5ffb4e2ULL) 126 | F(w12,0x72be5d74f27b896fULL) 127 | F(w13,0x80deb1fe3b1696b1ULL) 128 | F(w14,0x9bdc06a725c71235ULL) 129 | F(w15,0xc19bf174cf692694ULL) 130 | 131 | EXPAND 132 | 133 | F(w0 ,0xe49b69c19ef14ad2ULL) 134 | F(w1 ,0xefbe4786384f25e3ULL) 135 | F(w2 ,0x0fc19dc68b8cd5b5ULL) 136 | F(w3 ,0x240ca1cc77ac9c65ULL) 137 | F(w4 ,0x2de92c6f592b0275ULL) 138 | F(w5 ,0x4a7484aa6ea6e483ULL) 139 | F(w6 ,0x5cb0a9dcbd41fbd4ULL) 140 | F(w7 ,0x76f988da831153b5ULL) 141 | F(w8 ,0x983e5152ee66dfabULL) 142 | F(w9 ,0xa831c66d2db43210ULL) 143 | F(w10,0xb00327c898fb213fULL) 144 | F(w11,0xbf597fc7beef0ee4ULL) 145 | F(w12,0xc6e00bf33da88fc2ULL) 146 | F(w13,0xd5a79147930aa725ULL) 147 | F(w14,0x06ca6351e003826fULL) 148 | F(w15,0x142929670a0e6e70ULL) 149 | 150 | EXPAND 151 | 152 | F(w0 ,0x27b70a8546d22ffcULL) 153 | F(w1 ,0x2e1b21385c26c926ULL) 154 | F(w2 ,0x4d2c6dfc5ac42aedULL) 155 | F(w3 ,0x53380d139d95b3dfULL) 156 | F(w4 ,0x650a73548baf63deULL) 157 | F(w5 ,0x766a0abb3c77b2a8ULL) 158 | F(w6 ,0x81c2c92e47edaee6ULL) 159 | F(w7 ,0x92722c851482353bULL) 160 | F(w8 ,0xa2bfe8a14cf10364ULL) 161 | F(w9 ,0xa81a664bbc423001ULL) 162 | F(w10,0xc24b8b70d0f89791ULL) 163 | F(w11,0xc76c51a30654be30ULL) 164 | F(w12,0xd192e819d6ef5218ULL) 165 | F(w13,0xd69906245565a910ULL) 166 | F(w14,0xf40e35855771202aULL) 167 | F(w15,0x106aa07032bbd1b8ULL) 168 | 169 | EXPAND 170 | 171 | F(w0 ,0x19a4c116b8d2d0c8ULL) 172 | F(w1 ,0x1e376c085141ab53ULL) 173 | F(w2 ,0x2748774cdf8eeb99ULL) 174 | F(w3 ,0x34b0bcb5e19b48a8ULL) 175 | F(w4 ,0x391c0cb3c5c95a63ULL) 176 | F(w5 ,0x4ed8aa4ae3418acbULL) 177 | F(w6 ,0x5b9cca4f7763e373ULL) 178 | F(w7 
,0x682e6ff3d6b2b8a3ULL) 179 | F(w8 ,0x748f82ee5defb2fcULL) 180 | F(w9 ,0x78a5636f43172f60ULL) 181 | F(w10,0x84c87814a1f0ab72ULL) 182 | F(w11,0x8cc702081a6439ecULL) 183 | F(w12,0x90befffa23631e28ULL) 184 | F(w13,0xa4506cebde82bde9ULL) 185 | F(w14,0xbef9a3f7b2c67915ULL) 186 | F(w15,0xc67178f2e372532bULL) 187 | 188 | EXPAND 189 | 190 | F(w0 ,0xca273eceea26619cULL) 191 | F(w1 ,0xd186b8c721c0c207ULL) 192 | F(w2 ,0xeada7dd6cde0eb1eULL) 193 | F(w3 ,0xf57d4f7fee6ed178ULL) 194 | F(w4 ,0x06f067aa72176fbaULL) 195 | F(w5 ,0x0a637dc5a2c898a6ULL) 196 | F(w6 ,0x113f9804bef90daeULL) 197 | F(w7 ,0x1b710b35131c471bULL) 198 | F(w8 ,0x28db77f523047d84ULL) 199 | F(w9 ,0x32caab7b40c72493ULL) 200 | F(w10,0x3c9ebe0a15c9bebcULL) 201 | F(w11,0x431d67c49c100d4cULL) 202 | F(w12,0x4cc5d4becb3e42b6ULL) 203 | F(w13,0x597f299cfc657e2aULL) 204 | F(w14,0x5fcb6fab3ad6faecULL) 205 | F(w15,0x6c44198c4a475817ULL) 206 | /* feed-forward: add the saved chaining value, then record the new one for the next block */ 207 | a += state[0]; 208 | b += state[1]; 209 | c += state[2]; 210 | d += state[3]; 211 | e += state[4]; 212 | f += state[5]; 213 | g += state[6]; 214 | h += state[7]; 215 | 216 | state[0] = a; 217 | state[1] = b; 218 | state[2] = c; 219 | state[3] = d; 220 | state[4] = e; 221 | state[5] = f; 222 | state[6] = g; 223 | state[7] = h; 224 | 225 | in += 128; 226 | inlen -= 128; 227 | } 228 | /* write the final chaining value back to the caller's buffer */ 229 | store_bigendian(statebytes + 0,state[0]); 230 | store_bigendian(statebytes + 8,state[1]); 231 | store_bigendian(statebytes + 16,state[2]); 232 | store_bigendian(statebytes + 24,state[3]); 233 | store_bigendian(statebytes + 32,state[4]); 234 | store_bigendian(statebytes + 40,state[5]); 235 | store_bigendian(statebytes + 48,state[6]); 236 | store_bigendian(statebytes + 56,state[7]); 237 | 238 | return inlen; 239 | } 240 | -------------------------------------------------------------------------------- /ed25519-supercop-ref10/sha512-hash.c: -------------------------------------------------------------------------------- 1 | /* 2 | 20080913 3 | D. J. Bernstein 4 | Public domain. 
5 | */ 6 | 7 | #include "sha512.h" 8 | 9 | extern int crypto_hashblocks(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen); 10 | 11 | #define blocks crypto_hashblocks 12 | /* SHA-512 initial hash value, stored as 64 big-endian bytes (the format crypto_hashblocks reads). */ 13 | static const unsigned char iv[64] = { 14 | 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08, 15 | 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b, 16 | 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b, 17 | 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1, 18 | 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1, 19 | 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f, 20 | 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b, 21 | 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79 22 | } ; 23 | 24 | typedef unsigned long long uint64; 25 | /* One-shot SHA-512 of in[0..inlen) into out[0..63]. Starts from iv, compresses every complete 128-byte block, then pads the remaining tail (0x80, zeros, big-endian bit length) into one or two final blocks. Always returns 0. */ 26 | int crypto_hash_sha512(unsigned char *out,const unsigned char *in,unsigned long long inlen) 27 | { 28 | unsigned char h[64]; 29 | unsigned char padded[256]; 30 | int i; 31 | unsigned long long bytes = inlen; 32 | 33 | for (i = 0;i < 64;++i) h[i] = iv[i]; 34 | 35 | blocks(h,in,inlen); 36 | in += inlen; 37 | inlen &= 127; 38 | in -= inlen; /* the blocks() return value is ignored: the unprocessed tail length (inlen mod 128) is recomputed and in is rewound to the start of that tail */ 39 | 40 | for (i = 0;i < inlen;++i) padded[i] = in[i]; 41 | padded[inlen] = 0x80; 42 | /* The 16-byte length field fills padded[112..127] (or [240..255]): its upper 7 bytes stay zero and the last 9 bytes hold 8*bytes big-endian (bytes >> 61 down to bytes << 3). A tail of 112 or more bytes does not leave room for it, so a second block is used. */ 43 | if (inlen < 112) { 44 | for (i = inlen + 1;i < 119;++i) padded[i] = 0; 45 | padded[119] = bytes >> 61; 46 | padded[120] = bytes >> 53; 47 | padded[121] = bytes >> 45; 48 | padded[122] = bytes >> 37; 49 | padded[123] = bytes >> 29; 50 | padded[124] = bytes >> 21; 51 | padded[125] = bytes >> 13; 52 | padded[126] = bytes >> 5; 53 | padded[127] = bytes << 3; 54 | blocks(h,padded,128); 55 | } else { 56 | for (i = inlen + 1;i < 247;++i) padded[i] = 0; 57 | padded[247] = bytes >> 61; 58 | padded[248] = bytes >> 53; 59 | padded[249] = bytes >> 45; 60 | padded[250] = bytes >> 37; 61 | padded[251] = bytes >> 29; 62 | padded[252] = bytes >> 21; 63 | padded[253] = bytes >> 13; 64 | padded[254] = bytes >> 5; 65 | padded[255] = bytes << 3; 66 | blocks(h,padded,256); 67 | } 68 | 69 | for (i = 0;i < 64;++i) out[i] = h[i]; /* NOTE(review): h and padded (a copy of the input tail) are left on the stack; callers that hash secret keys (publickey.c, sign.c) inherit this. */ 70 | 71 | return 0; 72 | } 73 | 
--------------------------------------------------------------------------------
/ed25519-supercop-ref10/sha512.h:
--------------------------------------------------------------------------------
/* Compression loop: consumes whole 128-byte blocks of in into the 64-byte
   big-endian state and returns the number of leftover bytes. */
extern int crypto_hashblocks(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen);
/* One-shot SHA-512: 64-byte digest of in[0..inlen-1] into out; returns 0. */
extern int crypto_hash_sha512(unsigned char *out,const unsigned char *in,unsigned long long inlen);

#define crypto_hash_sha512_BYTES 64
--------------------------------------------------------------------------------
/ed25519-supercop-ref10/sign.c:
--------------------------------------------------------------------------------
#include "crypto_sign.h"
#include "crypto_hash_sha512.h"
#include "ge.h"
#include "sc.h"

/*
 * crypto_sign: produce an Ed25519 signed message sm = R || S || m.
 *
 * sm    - output buffer of at least mlen + 64 bytes; receives the 32-byte
 *         point R, the 32-byte scalar S and then a copy of the message
 * smlen - receives mlen + 64
 * m     - message of mlen bytes
 * sk    - 64-byte secret key in the ref10 layout: 32-byte seed followed by
 *         the 32-byte public key (sk[32..63] is hashed into the challenge below)
 *
 * Always returns 0. The nonce r is derived deterministically from the
 * expanded seed and the message, so no external randomness is needed.
 */
int crypto_sign(
  unsigned char *sm,unsigned long long *smlen,
  const unsigned char *m,unsigned long long mlen,
  const unsigned char *sk
)
{
  unsigned char az[64];     /* SHA-512(seed): az[0..31] scalar a, az[32..63] nonce prefix */
  unsigned char r[64];      /* nonce scalar (64-byte hash, reduced mod L below) */
  unsigned char hram[64];   /* challenge H(R || A || M), reduced mod L below */
  ge_p3 R;
  unsigned long long i;

  /* Expand the seed and clamp the scalar half: clear the low 3 bits,
     clear bit 255 and set bit 254. */
  crypto_hash_sha512(az,sk,32);
  az[0] &= 248;
  az[31] &= 63;
  az[31] |= 64;

  *smlen = mlen + 64;
  for (i = 0;i < mlen;++i) sm[64 + i] = m[i];
  /* Borrow sm[32..63] so that prefix || m is contiguous for hashing:
     r = SHA-512(az[32..63] || m). */
  for (i = 0;i < 32;++i) sm[32 + i] = az[32 + i];
  crypto_hash_sha512(r,sm + 32,mlen + 32);
  /* Replace the borrowed prefix with the public key, giving R || A || M
     once R is written below. */
  for (i = 0;i < 32;++i) sm[32 + i] = sk[32 + i];

  sc_reduce(r);
  ge_scalarmult_base(&R,r);    /* R = r * B */
  ge_p3_tobytes(sm,&R);        /* sm[0..31] = encoding of R */

  crypto_hash_sha512(hram,sm,mlen + 64);
  sc_reduce(hram);
  sc_muladd(sm + 32,hram,az,r);   /* S = hram * a + r (mod L) into sm[32..63] */

  /* NOTE(review): az and r hold secret scalars and are not cleared before
     returning; a memset here may be optimised away, so a platform-specific
     secure wipe would be needed if that matters for the caller. */
  return 0;
}
--------------------------------------------------------------------------------
/ed25519-supercop-ref10/sqrtm1.h:
--------------------------------------------------------------------------------
-32595792,-7943725,9377950,3500415,12389472,-272473,-25146209,-2005654,326686,11406482
--------------------------------------------------------------------------------
/ed25519-supercop-ref10/sqrtm1.py:
--------------------------------------------------------------------------------
# Python 2 script (print statement, integer "/"): prints sqrt(-1) in GF(q),
# q = 2^255 - 19, as the ten-limb radix-2^25.5 representation used by the
# C field arithmetic (this is the content of sqrtm1.h).
q = 2**255 - 19

# Modular exponentiation by recursive square-and-multiply; e/2 relies on
# Python 2 integer division.
def expmod(b,e,m):
  if e == 0: return 1
  t = expmod(b,e/2,m)**2 % m
  if e & 1: t = (t*b) % m
  return t

# Inverse via Fermat: x^(q-2) mod q. Not used by this script's output.
def inv(x):
  return expmod(x,q-2,q)

# Split x mod q (centred to (-q/2, q/2]) into ten signed limbs of
# alternating 26/25 bits, propagating rounded carries upward, and return
# them as a comma-separated string.
def radix255(x):
  x = x % q
  if x + x > q: x -= q
  x = [x,0,0,0,0,0,0,0,0,0]
  bits = [26,25,26,25,26,25,26,25,26,25]
  for i in range(9):
    carry = (x[i] + 2**(bits[i]-1)) / 2**bits[i]
    x[i] -= carry * 2**bits[i]
    x[i + 1] += carry
  result = ""
  for i in range(9):
    result = result+str(x[i])+","
  result = result+str(x[9])
  return result

# sqrt(-1) = 2^((q-1)/4) mod q, since q = 5 (mod 8).
I = expmod(2,(q-1)/4,q)
print radix255(I)
--------------------------------------------------------------------------------
/ed25519-supercop-ref10/verify.c:
--------------------------------------------------------------------------------
#include "crypto_verify_32.h"

/*
 * crypto_verify_32: constant-time comparison of two 32-byte strings.
 *
 * Returns 0 if x[0..31] == y[0..31] and -1 otherwise. All 32 bytes are
 * always examined (no early exit) and the result is derived arithmetically,
 * so the running time does not depend on where the strings differ. Callers
 * must not short-circuit on it with a byte-wise memcmp.
 */
int crypto_verify_32(const unsigned char *x,const unsigned char *y)
{
  unsigned int differentbits = 0;
#define F(i) differentbits |= x[i] ^ y[i];
  F(0)
  F(1)
  F(2)
  F(3)
  F(4)
  F(5)
  F(6)
  F(7)
  F(8)
  F(9)
  F(10)
  F(11)
  F(12)
  F(13)
  F(14)
  F(15)
  F(16)
  F(17)
  F(18)
  F(19)
  F(20)
  F(21)
  F(22)
  F(23)
  F(24)
  F(25)
  F(26)
  F(27)
  F(28)
  F(29)
  F(30)
  F(31)
  /* differentbits is in 0..255. If it is 0, (0 - 1) >> 8 has bit 0 set and
     the expression is 1 - 1 = 0; otherwise the shift yields 0 and the
     result is -1. */
  return (1 & ((differentbits - 1) >> 8)) - 1;
}
--------------------------------------------------------------------------------
/keccakf.c:
--------------------------------------------------------------------------------
#include "keccakf.h"

/*
 * keccakf: the Keccak-f[1600] permutation (24 rounds) applied in place to
 * the 25-lane state s. Round constants, rotation offsets and the pi lane
 * order come from keccakf.h.
 *
 * s is an array of 64-bit lanes. FIPS 202 maps state bytes to lanes
 * little-endian, so a caller holding the state as bytes must convert
 * rather than reinterpret the byte buffer on a big-endian host.
 */
void keccakf(uint64_t s[25])
{
    int i, j, round;
    uint64_t t, bc[5];

    for(round = 0; round < 24; round++) {

        /* Theta: column parities, then each lane is XORed with the parity
           of the column to its left and the rotated parity to its right. */
        for(i = 0; i < 5; i++)
            bc[i] = s[i] ^ s[i + 5] ^ s[i + 10] ^ s[i + 15] ^ s[i + 20];

        for(i = 0; i < 5; i++) {
            t = bc[(i + 4) % 5] ^ SHA3_ROTL64(bc[(i + 1) % 5], 1);
            for(j = 0; j < 25; j += 5)
                s[j + i] ^= t;
        }

        /* Rho Pi: walk the lanes in pi order, rotating each by its offset.
           bc[0] only holds the lane displaced by the previous write. */
        t = s[1];
        for(i = 0; i < 24; i++) {
            j = keccakf_piln[i];
            bc[0] = s[j];
            s[j] = SHA3_ROTL64(t, keccakf_rotc[i]);
            t = bc[0];
        }

        /* Chi: non-linear step, row by row. */
        for(j = 0; j < 25; j += 5) {
            for(i = 0; i < 5; i++)
                bc[i] = s[j + i];
            for(i = 0; i < 5; i++)
                s[j + i] ^= (~bc[(i + 1) % 5]) & bc[(i + 2) % 5];
        }

        /* Iota: round constant into lane 0. */
        s[0] ^= keccakf_rndc[round];
    }
}
--------------------------------------------------------------------------------
/keccakf.h:
--------------------------------------------------------------------------------
#ifndef keccakf_header
#define keccakf_header

/* The header name was lost in this listing; uint64_t below needs <stdint.h>. */
#include

/* Appends an extra L, so the UL literals below become unsigned long long. */
#define SHA3_CONST(x) x##L
/* 64-bit rotate left. y must be in 1..63: a shift by 0 or by 64 is undefined
   behaviour. keccakf() only passes 1 and the keccakf_rotc entries (1..62). */
#define SHA3_ROTL64(x, y) \
    (((x) << (y)) | ((x) >> ((sizeof(uint64_t)*8) - (y))))

/* Iota round constants for the 24 rounds. Being static const in a header,
   each translation unit that includes this file gets its own copy. */
static const uint64_t keccakf_rndc[24] = {
    SHA3_CONST(0x0000000000000001UL), SHA3_CONST(0x0000000000008082UL),
    SHA3_CONST(0x800000000000808aUL), SHA3_CONST(0x8000000080008000UL),
    SHA3_CONST(0x000000000000808bUL), SHA3_CONST(0x0000000080000001UL),
    SHA3_CONST(0x8000000080008081UL), SHA3_CONST(0x8000000000008009UL),
    SHA3_CONST(0x000000000000008aUL), SHA3_CONST(0x0000000000000088UL),
    SHA3_CONST(0x0000000080008009UL), SHA3_CONST(0x000000008000000aUL),
    SHA3_CONST(0x000000008000808bUL), SHA3_CONST(0x800000000000008bUL),
    SHA3_CONST(0x8000000000008089UL), SHA3_CONST(0x8000000000008003UL),
    SHA3_CONST(0x8000000000008002UL), SHA3_CONST(0x8000000000000080UL),
    SHA3_CONST(0x000000000000800aUL), SHA3_CONST(0x800000008000000aUL),
    SHA3_CONST(0x8000000080008081UL), SHA3_CONST(0x8000000000008080UL),
    SHA3_CONST(0x0000000080000001UL), SHA3_CONST(0x8000000080008008UL)
};

/* Rho rotation offsets, in the order the Rho Pi loop visits lanes. */
static const unsigned keccakf_rotc[24] = {
    1, 3, 6, 10, 15,
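21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62,
    18, 39, 61, 20, 44
};

/* Pi step: lane index to move to next, in visiting order. */
static const unsigned keccakf_piln[24] = {
    10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20,
    14, 22, 9, 6, 1
};

void keccakf(uint64_t s[25]);

#endif
--------------------------------------------------------------------------------
/main.c:
--------------------------------------------------------------------------------
/* The two include targets were lost in this listing (angle brackets read as
   markup). stdint.h is what uint8_t/uint64_t need; stdio.h is used by the
   seeding helper below. */
#include <stdint.h>
#include <stdio.h>

#include "ed25519-supercop-ref10/crypto_sign.h"
#include "ed25519-supercop-ref10/crypto_hash_sha512.h"
#include "ed25519-supercop-ref10/ge.h"

#include "keccakf.h"

/*
 * hash: SHA3-256 of the 48-byte message held in checksum[0..47], computed
 * in place with a single Keccak-f[1600] call.
 *
 * checksum - a 200-byte buffer (one full Keccak state). On entry bytes
 *            0..47 hold the message and every other byte must be zero
 *            (main() gets that from the zero-filled array initialiser).
 *            On return bytes 0..31 hold the digest; the rest of the buffer
 *            is the remaining permuted state and is not meaningful.
 *
 * H = SHA3-256 = SPONGE[f, pad, r](N, d) = Z, such that len(Z) = d
 *
 *   f = KECCAK-f[b], b = 1600
 *   pad = pad10*1
 *   r = 1088 (136 bytes)
 *   N = M || 01
 *   d = 256
 *
 *   1. Let P = N || pad(r, len(N))
 *      P = M || 0b011[0...0]1 = checksum[0:136]
 *   2. Let n = len(P) / r = 136*8 / 1088 = 1
 *   3. Let c = b - r = 1600 - 1088 = 512
 *   4. Let P_0, ..., P_(n-1) be the unique sequence of strings of length r
 *      such that P = P_0 || ... || P_(n-1); here P_0 = P
 *   5. Let S = 0^b
 *   6. For i from 0 to n-1, let S = f(S xor (P_i || 0^c))
 *   7. Let Z be the empty string
 *   8. Let Z = Z || Trunc_r(S)
 *   9. If d <= |Z|, then return Trunc_d(Z)
 *
 * Because the padded message is shorter than one rate block, steps 1-4 all
 * happen inside the first r bits, steps 5-6 collapse to one keccakf() call
 * (x xor 0 = x and there is only one block), and steps 7-9 amount to reading
 * the first 32 bytes of the state back out.
 */
void hash(uint8_t *checksum)
{
    /* Domain separation plus pad10*1. SHA3 appends the bits 01 to the
       message; pad10*1 then adds a 1 bit, zeros, and a final 1 bit. Bits
       are placed LSB-first, so the byte right after the message is
       0b00000110 = 0x06 and the closing 1 bit is the top bit of the last
       byte of the rate block. The previous value here, 0x01, is the plain
       Keccak padding without the SHA3 suffix and produced Keccak-256,
       not SHA3-256, contradicting the N = M || 01 derivation above. */
    checksum[48] = 0x06;
    checksum[135] = 0x80;

    /* Load the state into 25 little-endian 64-bit lanes. Reinterpreting the
       byte buffer through a (uint64_t *) cast, as this used to do, assumes
       8-byte alignment of a uint8_t array, violates strict aliasing, and
       makes the digest depend on host byte order; explicit lane packing
       gives the FIPS 202 byte mapping everywhere. */
    uint64_t S[25];
    for (size_t i = 0; i < 25; i++) {
        uint64_t lane = 0;
        for (size_t k = 0; k < 8; k++) {
            lane |= (uint64_t)checksum[i * 8 + k] << (8 * k);
        }
        S[i] = lane;
    }

    /* run the keccakf transformation */
    keccakf(S);

    /* Write the permuted state back so callers read the digest from
       checksum[0..31], as before. */
    for (size_t i = 0; i < 25; i++) {
        for (size_t k = 0; k < 8; k++) {
            checksum[i * 8 + k] = (uint8_t)(S[i] >> (8 * k));
        }
    }
}

/*
 * pubkey: derive the Ed25519 public key from a 32-byte seed.
 *
 * seed - 32 secret bytes (the private key)
 * pk   - receives the 32-byte encoded public point A = a * B
 *
 * The seed is expanded with SHA-512 and the low 32 bytes are clamped
 * (low 3 bits cleared, bit 255 cleared, bit 254 set) to form the scalar a.
 */
void pubkey(uint8_t *seed, uint8_t *pk)
{
    uint8_t h[64];
    ge_p3 A;
    crypto_hash_sha512(h,seed,32);
    h[0] &= 248;
    h[31] &= 63;
    h[31] |= 64;
    ge_scalarmult_base(&A,h);
    ge_p3_tobytes(pk,&A);
    /* NOTE(review): h holds the secret scalar and is not wiped before
       returning; a plain memset could be optimised away, so a secure-wipe
       primitive would be needed if that is a concern here. */
}

/*
 * random_bytes: fill buf[0..len-1] from the OS CSPRNG (/dev/urandom).
 *
 * Returns 0 on success and -1 if the device cannot be opened or delivers
 * fewer bytes than requested. Callers must not use buf on failure.
 */
static int random_bytes(uint8_t *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) {
        return -1;
    }
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

int main(void)
{
    uint8_t pk[32];
    uint8_t seed[32];

    /* The seed is the private key, so it has to be unpredictable. It was
       previously left uninitialised, which is undefined behaviour and gives
       a key that does not depend on any secret at all. */
    if (random_bytes(seed, sizeof seed) != 0) {
        fputs("could not read /dev/urandom\n", stderr);
        return 1;
    }

    // generate public key from seed
    pubkey(seed, pk);

    // v3 checksum = H(".onion checksum" || pubkey || version)

    // create bit string of length b and build message in first 48 bytes;
    // the string initialiser zero-fills everything past the 15-byte prefix
    uint8_t checksum[200] = ".onion checksum";
    for (int i = 0; i < 32; ++i) checksum[15 + i] = pk[i];
    checksum[47] = 0x03;

    // hash the message; checksum[0..31] is now SHA3-256 of the 48 bytes
    // (the v3 address uses the first two bytes of it)
    hash(checksum);

    // v3 onion_address = base32(pubkey || checksum || version) -- not yet implemented

    return 0;
}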