public static void ge_montx_to_p2(Ge_p2 p, int[] u, byte ed_sign_bit) { int[] x = new int[10]; int[] y = new int[10]; int[] A = new int[10]; int[] v = new int[10]; int[] v2 = new int[10]; int[] iv = new int[10]; int[] nx = new int[10]; Fe_frombytes.fe_frombytes(A, A_bytes); /* given u, recover edwards y */ /* given u, recover v */ /* given u and v, recover edwards x */ Fe_montx_to_edy.fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */ Fe_mont_rhs.fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */ Fe_sqrt.fe_sqrt(v, v2); /* v = sqrt(v^2) */ Fe_mul.fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */ Fe_invert.fe_invert(iv, v); /* 1/v */ Fe_mul.fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */ Fe_neg.fe_neg(nx, x); /* negate x to match sign bit */ Fe_cmov.fe_cmov(x, nx, Fe_isnegative.fe_isnegative(x) ^ ed_sign_bit); Fe_copy.fe_copy(p.X, x); Fe_copy.fe_copy(p.Y, y); Fe_1.fe_1(p.Z); /* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */ /* -x^2 + y^2 = 1 + dx^2y^2 */ //#ifndef NDEBUG //{ //fe one, d, x2, y2, x2y2, dx2y2; // //unsigned char dbytes[32] = { //0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75, //0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00, //0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c, //0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52 //}; // //fe_frombytes(d, dbytes); //fe_1(one); //fe_sq(x2, p->X); /* x^2 */ //fe_sq(y2, p->Y); /* y^2 */ // //fe_mul(dx2y2, x2, y2); /* x^2y^2 */ //fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */ //fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */ //fe_neg(x2y2, x2); /* -x^2 */ //fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */ // //assert(fe_isequal(x2y2, dx2y2)); //} //#endif }
//CONVERT #include "ge.h" /* * r = 2 * p */ public static void ge_p3_dbl(Ge_p1p1 r, Ge_p3 p) { Ge_p2 q = new Ge_p2(); Ge_p3_to_p2.ge_p3_to_p2(q, p); Ge_p2_dbl.ge_p2_dbl(r, q); }
//CONVERT #include "ge.h" public static void ge_tobytes(byte[] s, Ge_p2 h) { int[] recip = new int[10]; int[] x = new int[10]; int[] y = new int[10]; Fe_invert.fe_invert(recip, h.Z); Fe_mul.fe_mul(x, h.X, recip); Fe_mul.fe_mul(y, h.Y, recip); Fe_tobytes.fe_tobytes(s, y); s[31] = (byte)(s[31] ^ Fe_isnegative.fe_isnegative(x) << 7); }
/* * return 8 * p */ public static void ge_scalarmult_cofactor(Ge_p3 q, Ge_p3 p) { Ge_p1p1 p1p1 = new Ge_p1p1(); Ge_p2 p2 = new Ge_p2(); Ge_p3_dbl.ge_p3_dbl(p1p1, p); Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1); Ge_p2_dbl.ge_p2_dbl(p1p1, p2); Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1); Ge_p2_dbl.ge_p2_dbl(p1p1, p2); Ge_p1p1_to_p3.ge_p1p1_to_p3(q, p1p1); }
/* * h = a * B * where a = a[0]+256*a[1]+...+256^31 a[31] * B is the Ed25519 base point (x,4/5) with x positive. * * Preconditions: * a[31] <= 127 */ public static void ge_scalarmult_base(Ge_p3 h, byte[] a) { byte[] e = new byte[64]; byte carry; Ge_p1p1 r = new Ge_p1p1(); Ge_p2 s = new Ge_p2(); Ge_precomp t = new Ge_precomp(); int i; for (i = 0; i < 32; ++i) { e[2 * i + 0] = (byte)((((uint)a[i]) >> 0) & 15); e[2 * i + 1] = (byte)((((uint)a[i]) >> 4) & 15); } /* each e[i] is between 0 and 15 */ /* e[63] is between 0 and 7 */ carry = 0; for (i = 0; i < 63; ++i) { e[i] += carry; carry = (byte)(e[i] + 8); carry >>= 4; e[i] -= (byte)(carry << 4); } e[63] += carry; /* each e[i] is between -8 and 8 */ Ge_p3_0.ge_p3_0(h); for (i = 1; i < 64; i += 2) { select(t, i / 2, e[i]); Ge_madd.ge_madd(r, h, t); Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r); } Ge_p3_dbl.ge_p3_dbl(r, h); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r); Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r); Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r); Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r); for (i = 0; i < 64; i += 2) { select(t, i / 2, e[i]); Ge_madd.ge_madd(r, h, t); Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r); } }
/* * return 1 if f == g * return 0 if f != g */ public static int ge_is_small_order(Ge_p3 p) { Ge_p1p1 p1p1 = new Ge_p1p1(); Ge_p2 p2 = new Ge_p2(); int[] zero = new int[10]; Ge_p3_dbl.ge_p3_dbl(p1p1, p); Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1); Ge_p2_dbl.ge_p2_dbl(p1p1, p2); Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1); Ge_p2_dbl.ge_p2_dbl(p1p1, p2); Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1); Fe_0.fe_0(zero); /* Check if 8*p == neutral element == (0, 1) */ return(Fe_isequal.fe_isequal(p2.X, zero) & Fe_isequal.fe_isequal(p2.Y, p2.Z)); }
/* * h = a * B * where a = a[0]+256*a[1]+...+256^31 a[31] * B is the Ed25519 base point (x,4/5) with x positive. * * Preconditions: * a[31] <= 127 */ public static void ge_scalarmult(Ge_p3 h, byte[] a, Ge_p3 A) { byte[] e = new byte[64]; byte carry; Ge_p1p1 r = new Ge_p1p1(); Ge_p2 s = new Ge_p2(); Ge_p3 t0 = new Ge_p3(); Ge_p3 t1 = new Ge_p3(); Ge_p3 t2 = new Ge_p3(); Ge_cached t = new Ge_cached(); Ge_cached[] pre = new Ge_cached[8]; for (int count = 0; count < pre.Length; count++) { pre[count] = new Ge_cached(); } int i; for (i = 0; i < 32; ++i) { e[2 * i + 0] = (byte)((((uint)a[i]) >> 0) & 15); e[2 * i + 1] = (byte)((((uint)a[i]) >> 4) & 15); } /* each e[i] is between 0 and 15 */ /* e[63] is between 0 and 7 */ carry = 0; for (i = 0; i < 63; ++i) { e[i] += carry; carry = (byte)(e[i] + 8); carry >>= 4; e[i] -= (byte)(carry << 4); } e[63] += carry; /* each e[i] is between -8 and 8 */ // Precomputation: Ge_p3_to_cached.ge_p3_to_cached(pre[0], A); // A Ge_p3_dbl.ge_p3_dbl(r, A); Ge_p1p1_to_p3.ge_p1p1_to_p3(t0, r); Ge_p3_to_cached.ge_p3_to_cached(pre[1], t0); // 2A Ge_add.ge_add(r, A, pre[1]); Ge_p1p1_to_p3.ge_p1p1_to_p3(t1, r); Ge_p3_to_cached.ge_p3_to_cached(pre[2], t1); // 3A Ge_p3_dbl.ge_p3_dbl(r, t0); Ge_p1p1_to_p3.ge_p1p1_to_p3(t0, r); Ge_p3_to_cached.ge_p3_to_cached(pre[3], t0); // 4A Ge_add.ge_add(r, A, pre[3]); Ge_p1p1_to_p3.ge_p1p1_to_p3(t2, r); Ge_p3_to_cached.ge_p3_to_cached(pre[4], t2); // 5A Ge_p3_dbl.ge_p3_dbl(r, t1); Ge_p1p1_to_p3.ge_p1p1_to_p3(t1, r); Ge_p3_to_cached.ge_p3_to_cached(pre[5], t1); // 6A Ge_add.ge_add(r, A, pre[5]); Ge_p1p1_to_p3.ge_p1p1_to_p3(t1, r); Ge_p3_to_cached.ge_p3_to_cached(pre[6], t1); // 7A Ge_p3_dbl.ge_p3_dbl(r, t0); Ge_p1p1_to_p3.ge_p1p1_to_p3(t0, r); Ge_p3_to_cached.ge_p3_to_cached(pre[7], t0); // 8A Ge_p3_0.ge_p3_0(h); for (i = 63; i > 0; i--) { select(t, pre, e[i]); Ge_add.ge_add(r, h, t); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r); Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r); Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r); Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r); Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r); } select(t, pre, e[0]); Ge_add.ge_add(r, h, t); Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r); }
//CONVERT #include "ge.h" /* * r = 2 * p */ public static void ge_p2_dbl(Ge_p1p1 r, Ge_p2 p) { int[] t0 = new int[10]; //CONVERT #include "ge_p2_dbl.h" /* qhasm: enter ge_p2_dbl */ /* qhasm: fe X1 */ /* qhasm: fe Y1 */ /* qhasm: fe Z1 */ /* qhasm: fe A */ /* qhasm: fe AA */ /* qhasm: fe XX */ /* qhasm: fe YY */ /* qhasm: fe B */ /* qhasm: fe X3 */ /* qhasm: fe Y3 */ /* qhasm: fe Z3 */ /* qhasm: fe T3 */ /* qhasm: XX=X1^2 */ /* asm 1: fe_sq.fe_sq(>XX=fe#1,<X1=fe#11); */ /* asm 2: fe_sq.fe_sq(>XX=r.X,<X1=p.X); */ Fe_sq.fe_sq(r.X, p.X); /* qhasm: YY=Y1^2 */ /* asm 1: fe_sq.fe_sq(>YY=fe#3,<Y1=fe#12); */ /* asm 2: fe_sq.fe_sq(>YY=r.Z,<Y1=p.Y); */ Fe_sq.fe_sq(r.Z, p.Y); /* qhasm: B=2*Z1^2 */ /* asm 1: fe_sq2.fe_sq2(>B=fe#4,<Z1=fe#13); */ /* asm 2: fe_sq2.fe_sq2(>B=r.T,<Z1=p.Z); */ Fe_sq2.fe_sq2(r.T, p.Z); /* qhasm: A=X1+Y1 */ /* asm 1: fe_add.fe_add(>A=fe#2,<X1=fe#11,<Y1=fe#12); */ /* asm 2: fe_add.fe_add(>A=r.Y,<X1=p.X,<Y1=p.Y); */ Fe_add.fe_add(r.Y, p.X, p.Y); /* qhasm: AA=A^2 */ /* asm 1: fe_sq.fe_sq(>AA=fe#5,<A=fe#2); */ /* asm 2: fe_sq.fe_sq(>AA=t0,<A=r.Y); */ Fe_sq.fe_sq(t0, r.Y); /* qhasm: Y3=YY+XX */ /* asm 1: fe_add.fe_add(>Y3=fe#2,<YY=fe#3,<XX=fe#1); */ /* asm 2: fe_add.fe_add(>Y3=r.Y,<YY=r.Z,<XX=r.X); */ Fe_add.fe_add(r.Y, r.Z, r.X); /* qhasm: Z3=YY-XX */ /* asm 1: fe_sub.fe_sub(>Z3=fe#3,<YY=fe#3,<XX=fe#1); */ /* asm 2: fe_sub.fe_sub(>Z3=r.Z,<YY=r.Z,<XX=r.X); */ Fe_sub.fe_sub(r.Z, r.Z, r.X); /* qhasm: X3=AA-Y3 */ /* asm 1: fe_sub.fe_sub(>X3=fe#1,<AA=fe#5,<Y3=fe#2); */ /* asm 2: fe_sub.fe_sub(>X3=r.X,<AA=t0,<Y3=r.Y); */ Fe_sub.fe_sub(r.X, t0, r.Y); /* qhasm: T3=B-Z3 */ /* asm 1: fe_sub.fe_sub(>T3=fe#4,<B=fe#4,<Z3=fe#3); */ /* asm 2: fe_sub.fe_sub(>T3=r.T,<B=r.T,<Z3=r.Z); */ Fe_sub.fe_sub(r.T, r.T, r.Z); /* qhasm: return */ }
//CONVERT #include "ge.h" /* * r = p */ public static void ge_p3_to_p2(Ge_p2 r, Ge_p3 p) { Fe_copy.fe_copy(r.X, p.X); Fe_copy.fe_copy(r.Y, p.Y); Fe_copy.fe_copy(r.Z, p.Z); }
//CONVERT #include "ge.h" /* * r = p */ public static void ge_p1p1_to_p2(Ge_p2 r, Ge_p1p1 p) { Fe_mul.fe_mul(r.X, p.X, p.T); Fe_mul.fe_mul(r.Y, p.Y, p.Z); Fe_mul.fe_mul(r.Z, p.Z, p.T); }
/* * r = a * A + b * B * where a = a[0]+256*a[1]+...+256^31 a[31]. * and b = b[0]+256*b[1]+...+256^31 b[31]. * B is the Ed25519 base point (x,4/5) with x positive. */ public static void ge_double_scalarmult_vartime(Ge_p2 r, byte[] a, Ge_p3 A, byte[] b) { sbyte[] aslide = new sbyte[256]; sbyte[] bslide = new sbyte[256]; Ge_cached[] Ai = new Ge_cached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */ for (int count = 0; count < 8; count++) { Ai[count] = new Ge_cached(); } Ge_p1p1 t = new Ge_p1p1(); Ge_p3 u = new Ge_p3(); Ge_p3 A2 = new Ge_p3(); int i; slide(aslide, a); slide(bslide, b); Ge_p3_to_cached.ge_p3_to_cached(Ai[0], A); Ge_p3_dbl.ge_p3_dbl(t, A); Ge_p1p1_to_p3.ge_p1p1_to_p3(A2, t); Ge_add.ge_add(t, A2, Ai[0]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[1], u); Ge_add.ge_add(t, A2, Ai[1]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[2], u); Ge_add.ge_add(t, A2, Ai[2]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[3], u); Ge_add.ge_add(t, A2, Ai[3]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[4], u); Ge_add.ge_add(t, A2, Ai[4]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[5], u); Ge_add.ge_add(t, A2, Ai[5]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[6], u); Ge_add.ge_add(t, A2, Ai[6]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[7], u); Ge_p2_0.ge_p2_0(r); for (i = 255; i >= 0; --i) { if (aslide[i] != 0 || bslide[i] != 0) { break; } } for (; i >= 0; --i) { Ge_p2_dbl.ge_p2_dbl(t, r); if (aslide[i] > 0) { Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_add.ge_add(t, u, Ai[aslide[i] / 2]); } else if (aslide[i] < 0) { Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_sub.ge_sub(t, u, Ai[(-aslide[i]) / 2]); } if (bslide[i] > 0) { Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_madd.ge_madd(t, u, Bi[bslide[i] / 2]); } else if (bslide[i] < 0) { Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_msub.ge_msub(t, u, Bi[(-bslide[i]) / 2]); } Ge_p1p1_to_p2.ge_p1p1_to_p2(r, t); } }
//CONVERT #include "ge.h" public static void ge_p2_0(Ge_p2 h) { Fe_0.fe_0(h.X); Fe_1.fe_1(h.Y); Fe_1.fe_1(h.Z); }