public static unsafe void ge25519_add(ge25519 *r, ge25519 *p, ge25519 *q)
{
ge25519_p1p1 grp1p1;
add_p1p1(&grp1p1, p, q);
p1p1_to_p3(r, &grp1p1);
}
public static unsafe void ge25519_double(ge25519 *r, ge25519 *p)
{
ge25519_p1p1 grp1p1;
dbl_p1p1(&grp1p1, (ge25519_p2 *)p);
p1p1_to_p3(r, &grp1p1);
}
/* Constant-time version of: if(b) r = p */
static unsafe void cmov_p3(ge25519 *r, ge25519 *p, Byte b)
{
fe25519.fe25519_cmov(&r->x, &p->x, b);
fe25519.fe25519_cmov(&r->y, &p->y, b);
fe25519.fe25519_cmov(&r->z, &p->z, b);
fe25519.fe25519_cmov(&r->t, &p->t, b);
}
public static unsafe void ge25519_pack(Byte *r, ge25519 *p) //unsigned char r[32]
{
fe25519 tx, ty, zi;
fe25519.fe25519_invert(&zi, &p->z);
fe25519.fe25519_mul(&tx, &p->x, &zi);
fe25519.fe25519_mul(&ty, &p->y, &zi);
fe25519.fe25519_pack(r, &ty);
r[31] ^= (Byte)(fe25519.fe25519_getparity(&tx) << 7);
}
public unsafe static void ge25519_scalarmult_base(ge25519 *r, sc25519 *s)
{
/* XXX: Better algorithm for known-base-point scalar multiplication */
ge25519 t;
fixed(Byte *ge25519_base_xp = ge25519_base_x) fe25519.fe25519_unpack(&t.x, ge25519_base_xp);
fixed(Byte *ge25519_base_yp = ge25519_base_y) fe25519.fe25519_unpack(&t.y, ge25519_base_yp);
fixed(Byte *ge25519_base_zp = ge25519_base_z) fe25519.fe25519_unpack(&t.z, ge25519_base_zp);
fixed(Byte *ge25519_base_tp = ge25519_base_t) fe25519.fe25519_unpack(&t.t, ge25519_base_tp);
ge25519_scalarmult(r, &t, s);
}
/* ********************************************************************
* EXPORTED FUNCTIONS
******************************************************************** */
/* return 0 on success, -1 otherwise */
public unsafe static Boolean ge25519_unpack_vartime(ge25519 *r, Byte *p) //const unsigned char p[32]
{
Boolean ret;
fe25519 t, fd;
fe25519.fe25519_setone(&r->z);
fixed(Byte *ecdp = ecd) fe25519.fe25519_unpack(&fd, ecdp);
Byte par = (Byte)(p[31] >> 7);
fe25519.fe25519_unpack(&r->y, p);
fe25519.fe25519_square(&r->x, &r->y);
fe25519.fe25519_mul(&t, &r->x, &fd);
fe25519.fe25519_sub(&r->x, &r->x, &r->z);
fe25519.fe25519_add(&t, &r->z, &t);
fe25519.fe25519_invert(&t, &t);
fe25519.fe25519_mul(&r->x, &r->x, &t);
ret = fe25519.fe25519_sqrt_vartime(&r->x, &r->x, par);
fe25519.fe25519_mul(&r->t, &r->x, &r->y);
return(ret);
}
static unsafe void add_p1p1(ge25519_p1p1 *r, ge25519 *p, ge25519 *q)
{
fe25519 a, b, c, d, t, fd;
fixed(Byte *ecdp = ecd) fe25519.fe25519_unpack(&fd, ecdp);
fe25519.fe25519_sub(&a, &p->y, &p->x); // A = (Y1-X1)*(Y2-X2)
fe25519.fe25519_sub(&t, &q->y, &q->x);
fe25519.fe25519_mul(&a, &a, &t);
fe25519.fe25519_add(&b, &p->x, &p->y); // B = (Y1+X1)*(Y2+X2)
fe25519.fe25519_add(&t, &q->x, &q->y);
fe25519.fe25519_mul(&b, &b, &t);
fe25519.fe25519_mul(&c, &p->t, &q->t); //C = T1*k*T2
fe25519.fe25519_mul(&c, &c, &fd);
fe25519.fe25519_add(&c, &c, &c); //XXX: Can save this addition by precomputing 2*ecd
fe25519.fe25519_mul(&d, &p->z, &q->z); //D = Z1*2*Z2
fe25519.fe25519_add(&d, &d, &d);
fe25519.fe25519_sub(&r->x, &b, &a); // E = B-A
fe25519.fe25519_sub(&r->t, &d, &c); // F = D-C
fe25519.fe25519_add(&r->z, &d, &c); // G = D+C
fe25519.fe25519_add(&r->y, &b, &a); // H = B+A
}
public static unsafe void ge25519_scalarmult(ge25519 *r, ge25519 *p, sc25519 *s)
{
int i, j, k;
ge25519 g;
fixed(Byte *ge25519_neutral_xp = ge25519_neutral_x) fe25519.fe25519_unpack(&g.x, ge25519_neutral_xp);
fixed(Byte *ge25519_neutral_yp = ge25519_neutral_y) fe25519.fe25519_unpack(&g.y, ge25519_neutral_yp);
fixed(Byte *ge25519_neutral_zp = ge25519_neutral_z) fe25519.fe25519_unpack(&g.z, ge25519_neutral_zp);
fixed(Byte *ge25519_neutral_tp = ge25519_neutral_t) fe25519.fe25519_unpack(&g.t, ge25519_neutral_tp);
ge25519[] pre = new ge25519[(1 << WINDOWSIZE)];
ge25519 t;
ge25519_p1p1 tp1p1;
Byte w;
Byte * sb = stackalloc Byte[32];
sc25519.sc25519_to32bytes(sb, s);
// Precomputation
pre[0] = g;
pre[1] = *p;
for (i = 2; i < (1 << WINDOWSIZE); i += 2)
{
fixed(ge25519 *prep = pre)
{
dbl_p1p1(&tp1p1, (ge25519_p2 *)(prep + i / 2));
p1p1_to_p3(prep + i, &tp1p1);
add_p1p1(&tp1p1, prep + i, prep + 1);
p1p1_to_p3(prep + i + 1, &tp1p1);
}
}
// Fixed-window scalar multiplication
for (i = 32; i > 0; i--)
{
for (j = 8 - WINDOWSIZE; j >= 0; j -= WINDOWSIZE)
{
for (k = 0; k < WINDOWSIZE - 1; k++)
{
dbl_p1p1(&tp1p1, (ge25519_p2 *)&g);
p1p1_to_p2((ge25519_p2 *)&g, &tp1p1);
}
dbl_p1p1(&tp1p1, (ge25519_p2 *)&g);
p1p1_to_p3(&g, &tp1p1);
// Cache-timing resistant loading of precomputed value:
w = (Byte)((sb[i - 1] >> j) & WINDOWMASK);
t = pre[0];
for (k = 1; k < (1 << WINDOWSIZE); k++)
fixed(ge25519 *prekp = &pre[k]) cmov_p3(&t, prekp, (k == w) ? (Byte)1 : (Byte)0);
add_p1p1(&tp1p1, &g, &t);
if (j != 0)
{
p1p1_to_p2((ge25519_p2 *)&g, &tp1p1);
}
else
{
p1p1_to_p3(&g, &tp1p1); /* convert to p3 representation at the end */
}
}
}
r->x = g.x;
r->y = g.y;
r->z = g.z;
r->t = g.t;
}
static unsafe void p1p1_to_p3(ge25519 *r, ge25519_p1p1 *p)
{
p1p1_to_p2((ge25519_p2 *)r, p);
fe25519.fe25519_mul(&r->t, &p->x, &p->y);
}
