public static void select(Ge_cached t, Ge_cached[] pre, byte b)
{
Ge_cached minust = new Ge_cached();
int bnegative = negative((sbyte)b);
int babs = b - (((-bnegative) & b) << 1);
Fe_1.fe_1(t.YplusX);
Fe_1.fe_1(t.YminusX);
Fe_1.fe_1(t.Z);
Fe_1.fe_1(t.Z);
Fe_0.fe_0(t.T2d);
cmov(t, pre[0], equal((byte)babs, 1));
cmov(t, pre[1], equal((byte)babs, 2));
cmov(t, pre[2], equal((byte)babs, 3));
cmov(t, pre[3], equal((byte)babs, 4));
cmov(t, pre[4], equal((byte)babs, 5));
cmov(t, pre[5], equal((byte)babs, 6));
cmov(t, pre[6], equal((byte)babs, 7));
cmov(t, pre[7], equal((byte)babs, 8));
Fe_copy.fe_copy(minust.YplusX, t.YminusX);
Fe_copy.fe_copy(minust.YminusX, t.YplusX);
Fe_copy.fe_copy(minust.Z, t.Z);
Fe_neg.fe_neg(minust.T2d, t.T2d);
cmov(t, minust, bnegative);
}
public static void cmov(Ge_cached t, Ge_cached u, int b)
{
Fe_cmov.fe_cmov(t.YplusX, u.YplusX, b);
Fe_cmov.fe_cmov(t.YminusX, u.YminusX, b);
Fe_cmov.fe_cmov(t.Z, u.Z, b);
Fe_cmov.fe_cmov(t.T2d, u.T2d, b);
}
public static void ge_p3_to_cached(Ge_cached r, Ge_p3 p)
{
Fe_add.fe_add(r.YplusX, p.Y, p.X);
Fe_sub.fe_sub(r.YminusX, p.Y, p.X);
Fe_copy.fe_copy(r.Z, p.Z);
Fe_mul.fe_mul(r.T2d, p.T, d2);
}
//CONVERT #include "ge.h"
/*
* r = p + q
*/
public static void ge_add(Ge_p1p1 r, Ge_p3 p, Ge_cached q)
{
int[] t0 = new int[10];
//CONVERT #include "ge_add.h"
/* qhasm: enter ge_add */
/* qhasm: fe X1 */
/* qhasm: fe Y1 */
/* qhasm: fe Z1 */
/* qhasm: fe Z2 */
/* qhasm: fe T1 */
/* qhasm: fe ZZ */
/* qhasm: fe YpX2 */
/* qhasm: fe YmX2 */
/* qhasm: fe T2d2 */
/* qhasm: fe X3 */
/* qhasm: fe Y3 */
/* qhasm: fe Z3 */
/* qhasm: fe T3 */
/* qhasm: fe YpX1 */
/* qhasm: fe YmX1 */
/* qhasm: fe A */
/* qhasm: fe B */
/* qhasm: fe C */
/* qhasm: fe D */
/* qhasm: YpX1 = Y1+X1 */
/* asm 1: Fe_add.fe_add(>YpX1=fe#1,<Y1=fe#12,<X1=fe#11); */
/* asm 2: Fe_add.fe_add(>YpX1=r.X,<Y1=p.Y,<X1=p.X); */
Fe_add.fe_add(r.X, p.Y, p.X);
/* qhasm: YmX1 = Y1-X1 */
/* asm 1: Fe_sub.fe_sub(>YmX1=fe#2,<Y1=fe#12,<X1=fe#11); */
/* asm 2: Fe_sub.fe_sub(>YmX1=r.Y,<Y1=p.Y,<X1=p.X); */
Fe_sub.fe_sub(r.Y, p.Y, p.X);
/* qhasm: A = YpX1*YpX2 */
/* asm 1: Fe_mul.fe_mul(>A=fe#3,<YpX1=fe#1,<YpX2=fe#15); */
/* asm 2: Fe_mul.fe_mul(>A=r.Z,<YpX1=r.X,<YpX2=q.YplusX); */
Fe_mul.fe_mul(r.Z, r.X, q.YplusX);
/* qhasm: B = YmX1*YmX2 */
/* asm 1: Fe_mul.fe_mul(>B=fe#2,<YmX1=fe#2,<YmX2=fe#16); */
/* asm 2: Fe_mul.fe_mul(>B=r.Y,<YmX1=r.Y,<YmX2=q.YminusX); */
Fe_mul.fe_mul(r.Y, r.Y, q.YminusX);
/* qhasm: C = T2d2*T1 */
/* asm 1: Fe_mul.fe_mul(>C=fe#4,<T2d2=fe#18,<T1=fe#14); */
/* asm 2: Fe_mul.fe_mul(>C=r.T,<T2d2=q.T2d,<T1=p.T); */
Fe_mul.fe_mul(r.T, q.T2d, p.T);
/* qhasm: ZZ = Z1*Z2 */
/* asm 1: Fe_mul.fe_mul(>ZZ=fe#1,<Z1=fe#13,<Z2=fe#17); */
/* asm 2: Fe_mul.fe_mul(>ZZ=r.X,<Z1=p.Z,<Z2=q.Z); */
Fe_mul.fe_mul(r.X, p.Z, q.Z);
/* qhasm: D = 2*ZZ */
/* asm 1: Fe_add.fe_add(>D=fe#5,<ZZ=fe#1,<ZZ=fe#1); */
/* asm 2: Fe_add.fe_add(>D=t0,<ZZ=r.X,<ZZ=r.X); */
Fe_add.fe_add(t0, r.X, r.X);
/* qhasm: X3 = A-B */
/* asm 1: Fe_sub.fe_sub(>X3=fe#1,<A=fe#3,<B=fe#2); */
/* asm 2: Fe_sub.fe_sub(>X3=r.X,<A=r.Z,<B=r.Y); */
Fe_sub.fe_sub(r.X, r.Z, r.Y);
/* qhasm: Y3 = A+B */
/* asm 1: Fe_add.fe_add(>Y3=fe#2,<A=fe#3,<B=fe#2); */
/* asm 2: Fe_add.fe_add(>Y3=r.Y,<A=r.Z,<B=r.Y); */
Fe_add.fe_add(r.Y, r.Z, r.Y);
/* qhasm: Z3 = D+C */
/* asm 1: Fe_add.fe_add(>Z3=fe#3,<D=fe#5,<C=fe#4); */
/* asm 2: Fe_add.fe_add(>Z3=r.Z,<D=t0,<C=r.T); */
Fe_add.fe_add(r.Z, t0, r.T);
/* qhasm: T3 = D-C */
/* asm 1: Fe_sub.fe_sub(>T3=fe#4,<D=fe#5,<C=fe#4); */
/* asm 2: Fe_sub.fe_sub(>T3=r.T,<D=t0,<C=r.T); */
Fe_sub.fe_sub(r.T, t0, r.T);
/* qhasm: return */
}
/*
* h = a * B
* where a = a[0]+256*a[1]+...+256^31 a[31]
* B is the Ed25519 base point (x,4/5) with x positive.
*
* Preconditions:
* a[31] <= 127
*/
public static void ge_scalarmult(Ge_p3 h, byte[] a, Ge_p3 A)
{
byte[] e = new byte[64];
byte carry;
Ge_p1p1 r = new Ge_p1p1();
Ge_p2 s = new Ge_p2();
Ge_p3 t0 = new Ge_p3();
Ge_p3 t1 = new Ge_p3();
Ge_p3 t2 = new Ge_p3();
Ge_cached t = new Ge_cached();
Ge_cached[] pre = new Ge_cached[8];
for (int count = 0; count < pre.Length; count++)
{
pre[count] = new Ge_cached();
}
int i;
for (i = 0; i < 32; ++i)
{
e[2 * i + 0] = (byte)((((uint)a[i]) >> 0) & 15);
e[2 * i + 1] = (byte)((((uint)a[i]) >> 4) & 15);
}
/* each e[i] is between 0 and 15 */
/* e[63] is between 0 and 7 */
carry = 0;
for (i = 0; i < 63; ++i)
{
e[i] += carry;
carry = (byte)(e[i] + 8);
carry >>= 4;
e[i] -= (byte)(carry << 4);
}
e[63] += carry;
/* each e[i] is between -8 and 8 */
// Precomputation:
Ge_p3_to_cached.ge_p3_to_cached(pre[0], A); // A
Ge_p3_dbl.ge_p3_dbl(r, A);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t0, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[1], t0); // 2A
Ge_add.ge_add(r, A, pre[1]);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t1, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[2], t1); // 3A
Ge_p3_dbl.ge_p3_dbl(r, t0);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t0, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[3], t0); // 4A
Ge_add.ge_add(r, A, pre[3]);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t2, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[4], t2); // 5A
Ge_p3_dbl.ge_p3_dbl(r, t1);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t1, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[5], t1); // 6A
Ge_add.ge_add(r, A, pre[5]);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t1, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[6], t1); // 7A
Ge_p3_dbl.ge_p3_dbl(r, t0);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t0, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[7], t0); // 8A
Ge_p3_0.ge_p3_0(h);
for (i = 63; i > 0; i--)
{
select(t, pre, e[i]);
Ge_add.ge_add(r, h, t);
Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r);
Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r);
Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r);
Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r);
Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r);
}
select(t, pre, e[0]);
Ge_add.ge_add(r, h, t);
Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r);
}
/*
* r = a * A + b * B
* where a = a[0]+256*a[1]+...+256^31 a[31].
* and b = b[0]+256*b[1]+...+256^31 b[31].
* B is the Ed25519 base point (x,4/5) with x positive.
*/
public static void ge_double_scalarmult_vartime(Ge_p2 r, byte[] a, Ge_p3 A, byte[] b)
{
sbyte[] aslide = new sbyte[256];
sbyte[] bslide = new sbyte[256];
Ge_cached[] Ai = new Ge_cached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
for (int count = 0; count < 8; count++)
{
Ai[count] = new Ge_cached();
}
Ge_p1p1 t = new Ge_p1p1();
Ge_p3 u = new Ge_p3();
Ge_p3 A2 = new Ge_p3();
int i;
slide(aslide, a);
slide(bslide, b);
Ge_p3_to_cached.ge_p3_to_cached(Ai[0], A);
Ge_p3_dbl.ge_p3_dbl(t, A); Ge_p1p1_to_p3.ge_p1p1_to_p3(A2, t);
Ge_add.ge_add(t, A2, Ai[0]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[1], u);
Ge_add.ge_add(t, A2, Ai[1]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[2], u);
Ge_add.ge_add(t, A2, Ai[2]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[3], u);
Ge_add.ge_add(t, A2, Ai[3]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[4], u);
Ge_add.ge_add(t, A2, Ai[4]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[5], u);
Ge_add.ge_add(t, A2, Ai[5]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[6], u);
Ge_add.ge_add(t, A2, Ai[6]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[7], u);
Ge_p2_0.ge_p2_0(r);
for (i = 255; i >= 0; --i)
{
if (aslide[i] != 0 || bslide[i] != 0)
{
break;
}
}
for (; i >= 0; --i)
{
Ge_p2_dbl.ge_p2_dbl(t, r);
if (aslide[i] > 0)
{
Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t);
Ge_add.ge_add(t, u, Ai[aslide[i] / 2]);
}
else if (aslide[i] < 0)
{
Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t);
Ge_sub.ge_sub(t, u, Ai[(-aslide[i]) / 2]);
}
if (bslide[i] > 0)
{
Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t);
Ge_madd.ge_madd(t, u, Bi[bslide[i] / 2]);
}
else if (bslide[i] < 0)
{
Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t);
Ge_msub.ge_msub(t, u, Bi[(-bslide[i]) / 2]);
}
Ge_p1p1_to_p2.ge_p1p1_to_p2(r, t);
}
}
