//CONVERT #include "ge.h"
/*
* r = p
*/
public static void ge_p1p1_to_p3(Ge_p3 r, Ge_p1p1 p)
{
Fe_mul.fe_mul(r.X, p.X, p.T);
Fe_mul.fe_mul(r.Y, p.Y, p.Z);
Fe_mul.fe_mul(r.Z, p.Z, p.T);
Fe_mul.fe_mul(r.T, p.X, p.Y);
}
//CONVERT #include "ge.h"
/*
* r = 2 * p
*/
public static void ge_p3_dbl(Ge_p1p1 r, Ge_p3 p)
{
Ge_p2 q = new Ge_p2();
Ge_p3_to_p2.ge_p3_to_p2(q, p);
Ge_p2_dbl.ge_p2_dbl(r, q);
}
/*
* return r = -p
*/
public static void ge_neg(Ge_p3 r, Ge_p3 p)
{
Fe_neg.fe_neg(r.X, p.X);
Fe_copy.fe_copy(r.Y, p.Y);
Fe_copy.fe_copy(r.Z, p.Z);
Fe_neg.fe_neg(r.T, p.T);
}
public static void ge_p3_to_cached(Ge_cached r, Ge_p3 p)
{
Fe_add.fe_add(r.YplusX, p.Y, p.X);
Fe_sub.fe_sub(r.YminusX, p.Y, p.X);
Fe_copy.fe_copy(r.Z, p.Z);
Fe_mul.fe_mul(r.T2d, p.T, d2);
}
//CONVERT #include "ge.h"
public static void ge_p3_0(Ge_p3 h)
{
Fe_0.fe_0(h.X);
Fe_1.fe_1(h.Y);
Fe_1.fe_1(h.Z);
Fe_0.fe_0(h.T);
}
/*
* return 1 if p is the neutral point
* return 0 otherwise
*/
public static int ge_isneutral(Ge_p3 p)
{
int[] zero = new int[10];
Fe_0.fe_0(zero);
/* Check if p == neutral element == (0, 1) */
return(Fe_isequal.fe_isequal(p.X, zero) & Fe_isequal.fe_isequal(p.Y, p.Z));
}
//CONVERT #include "ge.h"
public static void ge_p3_tobytes(byte[] s, Ge_p3 h)
{
int[] recip = new int[10];
int[] x = new int[10];
int[] y = new int[10];
Fe_invert.fe_invert(recip, h.Z);
Fe_mul.fe_mul(x, h.X, recip);
Fe_mul.fe_mul(y, h.Y, recip);
Fe_tobytes.fe_tobytes(s, y);
s[31] ^= (byte)(Fe_isnegative.fe_isnegative(x) << 7);
}
/*
* return 8 * p
*/
public static void ge_scalarmult_cofactor(Ge_p3 q, Ge_p3 p)
{
Ge_p1p1 p1p1 = new Ge_p1p1();
Ge_p2 p2 = new Ge_p2();
Ge_p3_dbl.ge_p3_dbl(p1p1, p);
Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1);
Ge_p2_dbl.ge_p2_dbl(p1p1, p2);
Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1);
Ge_p2_dbl.ge_p2_dbl(p1p1, p2);
Ge_p1p1_to_p3.ge_p1p1_to_p3(q, p1p1);
}
public static void curve25519_keygen(byte[] curve25519_pubkey_out, byte[] curve25519_privkey_in)
{
/* Perform a fixed-base multiplication of the Edwards base point,
* (which is efficient due to precalculated tables), then convert
* to the Curve25519 montgomery-format public key.
*
* NOTE: y=1 is converted to u=0 since fe_invert is mod-exp
*/
Ge_p3 ed = new Ge_p3(); /* Ed25519 pubkey point */
int[] u = new int[10];
Ge_scalarmult_base.ge_scalarmult_base(ed, curve25519_privkey_in);
Ge_p3_to_montx.ge_p3_to_montx(u, ed);
Fe_tobytes.fe_tobytes(curve25519_pubkey_out, u);
}
/*
* h = a * B
* where a = a[0]+256*a[1]+...+256^31 a[31]
* B is the Ed25519 base point (x,4/5) with x positive.
*
* Preconditions:
* a[31] <= 127
*/
public static void ge_scalarmult_base(Ge_p3 h, byte[] a)
{
byte[] e = new byte[64];
byte carry;
Ge_p1p1 r = new Ge_p1p1();
Ge_p2 s = new Ge_p2();
Ge_precomp t = new Ge_precomp();
int i;
for (i = 0; i < 32; ++i)
{
e[2 * i + 0] = (byte)((((uint)a[i]) >> 0) & 15);
e[2 * i + 1] = (byte)((((uint)a[i]) >> 4) & 15);
}
/* each e[i] is between 0 and 15 */
/* e[63] is between 0 and 7 */
carry = 0;
for (i = 0; i < 63; ++i)
{
e[i] += carry;
carry = (byte)(e[i] + 8);
carry >>= 4;
e[i] -= (byte)(carry << 4);
}
e[63] += carry;
/* each e[i] is between -8 and 8 */
Ge_p3_0.ge_p3_0(h);
for (i = 1; i < 64; i += 2)
{
select(t, i / 2, e[i]);
Ge_madd.ge_madd(r, h, t); Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r);
}
Ge_p3_dbl.ge_p3_dbl(r, h); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r);
Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r);
Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r);
Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r);
for (i = 0; i < 64; i += 2)
{
select(t, i / 2, e[i]);
Ge_madd.ge_madd(r, h, t); Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r);
}
}
public static int ge_frombytes_negate_vartime(Ge_p3 h, byte[] s)
{
int[] u = new int[10];
int[] v = new int[10];
int[] v3 = new int[10];
int[] vxx = new int[10];
int[] check = new int[10];
Fe_frombytes.fe_frombytes(h.Y, s);
Fe_1.fe_1(h.Z);
Fe_sq.fe_sq(u, h.Y);
Fe_mul.fe_mul(v, u, d);
Fe_sub.fe_sub(u, u, h.Z); /* u = y^2-1 */
Fe_add.fe_add(v, v, h.Z); /* v = dy^2+1 */
Fe_sq.fe_sq(v3, v);
Fe_mul.fe_mul(v3, v3, v); /* v3 = v^3 */
Fe_sq.fe_sq(h.X, v3);
Fe_mul.fe_mul(h.X, h.X, v);
Fe_mul.fe_mul(h.X, h.X, u); /* x = uv^7 */
Fe_pow22523.fe_pow22523(h.X, h.X); /* x = (uv^7)^((q-5)/8) */
Fe_mul.fe_mul(h.X, h.X, v3);
Fe_mul.fe_mul(h.X, h.X, u); /* x = uv^3(uv^7)^((q-5)/8) */
Fe_sq.fe_sq(vxx, h.X);
Fe_mul.fe_mul(vxx, vxx, v);
Fe_sub.fe_sub(check, vxx, u); /* vx^2-u */
if (Fe_isnonzero.fe_isnonzero(check) != 0)
{
Fe_add.fe_add(check, vxx, u); /* vx^2+u */
if (Fe_isnonzero.fe_isnonzero(check) != 0)
{
return(-1);
}
Fe_mul.fe_mul(h.X, h.X, sqrtm1);
}
if (Fe_isnegative.fe_isnegative(h.X) == ((((uint)s[31]) >> 7) & 0x01))
{
Fe_neg.fe_neg(h.X, h.X);
}
Fe_mul.fe_mul(h.T, h.X, h.Y);
return(0);
}
public static void ge_p3_to_montx(int[] u, Ge_p3 ed)
{
/*
* u = (y + 1) / (1 - y)
* or
* u = (y + z) / (z - y)
*
* NOTE: y=1 is converted to u=0 since fe_invert is mod-exp
*/
int[] y_plus_one = new int[10];
int[] one_minus_y = new int[10];
int[] inv_one_minus_y = new int[10];
Fe_add.fe_add(y_plus_one, ed.Y, ed.Z);
Fe_sub.fe_sub(one_minus_y, ed.Z, ed.Y);
Fe_invert.fe_invert(inv_one_minus_y, one_minus_y);
Fe_mul.fe_mul(u, y_plus_one, inv_one_minus_y);
}
/*
* return 1 if f == g
* return 0 if f != g
*/
public static int ge_is_small_order(Ge_p3 p)
{
Ge_p1p1 p1p1 = new Ge_p1p1();
Ge_p2 p2 = new Ge_p2();
int[] zero = new int[10];
Ge_p3_dbl.ge_p3_dbl(p1p1, p);
Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1);
Ge_p2_dbl.ge_p2_dbl(p1p1, p2);
Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1);
Ge_p2_dbl.ge_p2_dbl(p1p1, p2);
Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1);
Fe_0.fe_0(zero);
/* Check if 8*p == neutral element == (0, 1) */
return(Fe_isequal.fe_isequal(p2.X, zero) & Fe_isequal.fe_isequal(p2.Y, p2.Z));
}
public void elligator_fast_test()
{
byte[] elligator_correct_output = new byte[]
{
0x5f, 0x35, 0x20, 0x00, 0x1c, 0x6c, 0x99, 0x36,
0xa3, 0x12, 0x06, 0xaf, 0xe7, 0xc7, 0xac, 0x22,
0x4e, 0x88, 0x61, 0x61, 0x9b, 0xf9, 0x88, 0x72,
0x44, 0x49, 0x15, 0x89, 0x9d, 0x95, 0xf4, 0x6e
};
byte[] hashtopoint_correct_output1 = new byte[]
{
0xce, 0x89, 0x9f, 0xb2, 0x8f, 0xf7, 0x20, 0x91,
0x5e, 0x14, 0xf5, 0xb7, 0x99, 0x08, 0xab, 0x17,
0xaa, 0x2e, 0xe2, 0x45, 0xb4, 0xfc, 0x2b, 0xf6,
0x06, 0x36, 0x29, 0x40, 0xed, 0x7d, 0xe7, 0xed
};
byte[] hashtopoint_correct_output2 = new byte[]
{
0xa0, 0x35, 0xbb, 0xa9, 0x4d, 0x30, 0x55, 0x33,
0x0d, 0xce, 0xc2, 0x7f, 0x83, 0xde, 0x79, 0xd0,
0x89, 0x67, 0x72, 0x4c, 0x07, 0x8d, 0x68, 0x9d,
0x61, 0x52, 0x1d, 0xf9, 0x2c, 0x5c, 0xba, 0x77
};
byte[] calculatev_correct_output = new byte[]
{
0x1b, 0x77, 0xb5, 0xa0, 0x44, 0x84, 0x7e, 0xb9,
0x23, 0xd7, 0x93, 0x18, 0xce, 0xc2, 0xc5, 0xe2,
0x84, 0xd5, 0x79, 0x6f, 0x65, 0x63, 0x1b, 0x60,
0x9b, 0xf1, 0xf8, 0xce, 0x88, 0x0b, 0x50, 0x9c,
};
int count;
int[] iIn = new int[10];
int[] iOut = new int[10];
byte[] bytes = new byte[32];
Fe_0.fe_0(iIn);
Fe_0.fe_0(iOut);
for (count = 0; count < 32; count++)
{
bytes[count] = (byte)count;
}
Fe_frombytes.fe_frombytes(iIn, bytes);
Elligator.elligator(iOut, iIn);
Fe_tobytes.fe_tobytes(bytes, iOut);
CollectionAssert.AreEqual(elligator_correct_output, bytes, "Elligator vector");
/* Elligator(0) == 0 test */
Fe_0.fe_0(iIn);
Elligator.elligator(iOut, iIn);
CollectionAssert.AreEqual(iOut, iIn, "Elligator(0) == 0");
/* ge_montx_to_p3(0) -> order2 point test */
int[] one = new int[10];
int[] negone = new int[10];
int[] zero = new int[10];
Fe_1.fe_1(one);
Fe_0.fe_0(zero);
Fe_sub.fe_sub(negone, zero, one);
Ge_p3 p3 = new Ge_p3();
Ge_montx_to_p3.ge_montx_to_p3(p3, zero, 0);
Assert.IsTrue(Fe_isequal.fe_isequal(p3.X, zero) != 0 &&
Fe_isequal.fe_isequal(p3.Y, negone) != 0 &&
Fe_isequal.fe_isequal(p3.Z, one) != 0 &&
Fe_isequal.fe_isequal(p3.T, zero) != 0,
"ge_montx_to_p3(0) == order 2 point");
/* Hash to point vector test */
byte[] htp = new byte[32];
for (count = 0; count < 32; count++)
{
htp[count] = (byte)count;
}
ISha512 sha512provider = new BouncyCastleDotNETSha512Provider();
Elligator.hash_to_point(sha512provider, p3, htp, 32);
Ge_p3_tobytes.ge_p3_tobytes(htp, p3);
CollectionAssert.AreEqual(hashtopoint_correct_output1, htp, "hash_to_point #1");
for (count = 0; count < 32; count++)
{
htp[count] = (byte)(count + 1);
}
Elligator.hash_to_point(sha512provider, p3, htp, 32);
Ge_p3_tobytes.ge_p3_tobytes(htp, p3);
CollectionAssert.AreEqual(hashtopoint_correct_output2, htp, "hash_to_point #2");
/* calculate_U vector test */
Ge_p3 Bv = new Ge_p3();
byte[] V = new byte[32];
byte[] Vbuf = new byte[200];
byte[] a = new byte[32];
byte[] A = new byte[32];
byte[] Vmsg = new byte[3];
Vmsg[0] = 0;
Vmsg[1] = 1;
Vmsg[2] = 2;
for (count = 0; count < 32; count++)
{
a[count] = (byte)(8 + count);
A[count] = (byte)(9 + count);
}
Sc_clamp.sc_clamp(a);
Elligator.calculate_Bv_and_V(sha512provider, Bv, V, Vbuf, a, A, Vmsg, 3);
CollectionAssert.AreEqual(calculatev_correct_output, V, "calculate_Bv_and_V vector");
}
//CONVERT #include "ge.h"
/*
* r = p + q
*/
public static void ge_add(Ge_p1p1 r, Ge_p3 p, Ge_cached q)
{
int[] t0 = new int[10];
//CONVERT #include "ge_add.h"
/* qhasm: enter ge_add */
/* qhasm: fe X1 */
/* qhasm: fe Y1 */
/* qhasm: fe Z1 */
/* qhasm: fe Z2 */
/* qhasm: fe T1 */
/* qhasm: fe ZZ */
/* qhasm: fe YpX2 */
/* qhasm: fe YmX2 */
/* qhasm: fe T2d2 */
/* qhasm: fe X3 */
/* qhasm: fe Y3 */
/* qhasm: fe Z3 */
/* qhasm: fe T3 */
/* qhasm: fe YpX1 */
/* qhasm: fe YmX1 */
/* qhasm: fe A */
/* qhasm: fe B */
/* qhasm: fe C */
/* qhasm: fe D */
/* qhasm: YpX1 = Y1+X1 */
/* asm 1: Fe_add.fe_add(>YpX1=fe#1,<Y1=fe#12,<X1=fe#11); */
/* asm 2: Fe_add.fe_add(>YpX1=r.X,<Y1=p.Y,<X1=p.X); */
Fe_add.fe_add(r.X, p.Y, p.X);
/* qhasm: YmX1 = Y1-X1 */
/* asm 1: Fe_sub.fe_sub(>YmX1=fe#2,<Y1=fe#12,<X1=fe#11); */
/* asm 2: Fe_sub.fe_sub(>YmX1=r.Y,<Y1=p.Y,<X1=p.X); */
Fe_sub.fe_sub(r.Y, p.Y, p.X);
/* qhasm: A = YpX1*YpX2 */
/* asm 1: Fe_mul.fe_mul(>A=fe#3,<YpX1=fe#1,<YpX2=fe#15); */
/* asm 2: Fe_mul.fe_mul(>A=r.Z,<YpX1=r.X,<YpX2=q.YplusX); */
Fe_mul.fe_mul(r.Z, r.X, q.YplusX);
/* qhasm: B = YmX1*YmX2 */
/* asm 1: Fe_mul.fe_mul(>B=fe#2,<YmX1=fe#2,<YmX2=fe#16); */
/* asm 2: Fe_mul.fe_mul(>B=r.Y,<YmX1=r.Y,<YmX2=q.YminusX); */
Fe_mul.fe_mul(r.Y, r.Y, q.YminusX);
/* qhasm: C = T2d2*T1 */
/* asm 1: Fe_mul.fe_mul(>C=fe#4,<T2d2=fe#18,<T1=fe#14); */
/* asm 2: Fe_mul.fe_mul(>C=r.T,<T2d2=q.T2d,<T1=p.T); */
Fe_mul.fe_mul(r.T, q.T2d, p.T);
/* qhasm: ZZ = Z1*Z2 */
/* asm 1: Fe_mul.fe_mul(>ZZ=fe#1,<Z1=fe#13,<Z2=fe#17); */
/* asm 2: Fe_mul.fe_mul(>ZZ=r.X,<Z1=p.Z,<Z2=q.Z); */
Fe_mul.fe_mul(r.X, p.Z, q.Z);
/* qhasm: D = 2*ZZ */
/* asm 1: Fe_add.fe_add(>D=fe#5,<ZZ=fe#1,<ZZ=fe#1); */
/* asm 2: Fe_add.fe_add(>D=t0,<ZZ=r.X,<ZZ=r.X); */
Fe_add.fe_add(t0, r.X, r.X);
/* qhasm: X3 = A-B */
/* asm 1: Fe_sub.fe_sub(>X3=fe#1,<A=fe#3,<B=fe#2); */
/* asm 2: Fe_sub.fe_sub(>X3=r.X,<A=r.Z,<B=r.Y); */
Fe_sub.fe_sub(r.X, r.Z, r.Y);
/* qhasm: Y3 = A+B */
/* asm 1: Fe_add.fe_add(>Y3=fe#2,<A=fe#3,<B=fe#2); */
/* asm 2: Fe_add.fe_add(>Y3=r.Y,<A=r.Z,<B=r.Y); */
Fe_add.fe_add(r.Y, r.Z, r.Y);
/* qhasm: Z3 = D+C */
/* asm 1: Fe_add.fe_add(>Z3=fe#3,<D=fe#5,<C=fe#4); */
/* asm 2: Fe_add.fe_add(>Z3=r.Z,<D=t0,<C=r.T); */
Fe_add.fe_add(r.Z, t0, r.T);
/* qhasm: T3 = D-C */
/* asm 1: Fe_sub.fe_sub(>T3=fe#4,<D=fe#5,<C=fe#4); */
/* asm 2: Fe_sub.fe_sub(>T3=r.T,<D=t0,<C=r.T); */
Fe_sub.fe_sub(r.T, t0, r.T);
/* qhasm: return */
}
//CONVERT #include "ge.h"
/*
* r = p - q
*/
public static void ge_msub(Ge_p1p1 r, Ge_p3 p, Ge_precomp q)
{
int[] t0 = new int[10];
//CONVERT #include "ge_msub.h"
/* qhasm: enter ge_msub */
/* qhasm: fe X1 */
/* qhasm: fe Y1 */
/* qhasm: fe Z1 */
/* qhasm: fe T1 */
/* qhasm: fe ypx2 */
/* qhasm: fe ymx2 */
/* qhasm: fe xy2d2 */
/* qhasm: fe X3 */
/* qhasm: fe Y3 */
/* qhasm: fe Z3 */
/* qhasm: fe T3 */
/* qhasm: fe YpX1 */
/* qhasm: fe YmX1 */
/* qhasm: fe A */
/* qhasm: fe B */
/* qhasm: fe C */
/* qhasm: fe D */
/* qhasm: YpX1 = Y1+X1 */
/* asm 1: fe_add.fe_add(>YpX1=fe#1,<Y1=fe#12,<X1=fe#11); */
/* asm 2: fe_add.fe_add(>YpX1=r.X,<Y1=p.Y,<X1=p.X); */
Fe_add.fe_add(r.X, p.Y, p.X);
/* qhasm: YmX1 = Y1-X1 */
/* asm 1: fe_sub.fe_sub(>YmX1=fe#2,<Y1=fe#12,<X1=fe#11); */
/* asm 2: fe_sub.fe_sub(>YmX1=r.Y,<Y1=p.Y,<X1=p.X); */
Fe_sub.fe_sub(r.Y, p.Y, p.X);
/* qhasm: A = YpX1*ymx2 */
/* asm 1: fe_mul.fe_mul(>A=fe#3,<YpX1=fe#1,<ymx2=fe#16); */
/* asm 2: fe_mul.fe_mul(>A=r.Z,<YpX1=r.X,<ymx2=q.yminusx); */
Fe_mul.fe_mul(r.Z, r.X, q.yminusx);
/* qhasm: B = YmX1*ypx2 */
/* asm 1: fe_mul.fe_mul(>B=fe#2,<YmX1=fe#2,<ypx2=fe#15); */
/* asm 2: fe_mul.fe_mul(>B=r.Y,<YmX1=r.Y,<ypx2=q.yplusx); */
Fe_mul.fe_mul(r.Y, r.Y, q.yplusx);
/* qhasm: C = xy2d2*T1 */
/* asm 1: fe_mul.fe_mul(>C=fe#4,<xy2d2=fe#17,<T1=fe#14); */
/* asm 2: fe_mul.fe_mul(>C=r.T,<xy2d2=q.xy2d,<T1=p.T); */
Fe_mul.fe_mul(r.T, q.xy2d, p.T);
/* qhasm: D = 2*Z1 */
/* asm 1: fe_add.fe_add(>D=fe#5,<Z1=fe#13,<Z1=fe#13); */
/* asm 2: fe_add.fe_add(>D=t0,<Z1=p.Z,<Z1=p.Z); */
Fe_add.fe_add(t0, p.Z, p.Z);
/* qhasm: X3 = A-B */
/* asm 1: fe_sub.fe_sub(>X3=fe#1,<A=fe#3,<B=fe#2); */
/* asm 2: fe_sub.fe_sub(>X3=r.X,<A=r.Z,<B=r.Y); */
Fe_sub.fe_sub(r.X, r.Z, r.Y);
/* qhasm: Y3 = A+B */
/* asm 1: fe_add.fe_add(>Y3=fe#2,<A=fe#3,<B=fe#2); */
/* asm 2: fe_add.fe_add(>Y3=r.Y,<A=r.Z,<B=r.Y); */
Fe_add.fe_add(r.Y, r.Z, r.Y);
/* qhasm: Z3 = D-C */
/* asm 1: fe_sub.fe_sub(>Z3=fe#3,<D=fe#5,<C=fe#4); */
/* asm 2: fe_sub.fe_sub(>Z3=r.Z,<D=t0,<C=r.T); */
Fe_sub.fe_sub(r.Z, t0, r.T);
/* qhasm: T3 = D+C */
/* asm 1: fe_add.fe_add(>T3=fe#4,<D=fe#5,<C=fe#4); */
/* asm 2: fe_add.fe_add(>T3=r.T,<D=t0,<C=r.T); */
Fe_add.fe_add(r.T, t0, r.T);
/* qhasm: return */
}
public static void ge_montx_to_p3(Ge_p3 p, int[] u, byte ed_sign_bit)
{
int[] x = new int[10];
int[] y = new int[10];
int[] A = new int[10];
int[] v = new int[10];
int[] v2 = new int[10];
int[] iv = new int[10];
int[] nx = new int[10];
Fe_frombytes.fe_frombytes(A, A_bytes);
/* given u, recover edwards y */
/* given u, recover v */
/* given u and v, recover edwards x */
Fe_montx_to_edy.fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */
Fe_mont_rhs.fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */
Fe_sqrt.fe_sqrt(v, v2); /* v = sqrt(v^2) */
Fe_mul.fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */
Fe_invert.fe_invert(iv, v); /* 1/v */
Fe_mul.fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */
Fe_neg.fe_neg(nx, x); /* negate x to match sign bit */
Fe_cmov.fe_cmov(x, nx, Fe_isnegative.fe_isnegative(x) ^ ed_sign_bit);
Fe_copy.fe_copy(p.X, x);
Fe_copy.fe_copy(p.Y, y);
Fe_1.fe_1(p.Z);
Fe_mul.fe_mul(p.T, p.X, p.Y);
/* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */
/* -x^2 + y^2 = 1 + dx^2y^2 */
//# ifndef NDEBUG
// {
// fe one, d, x2, y2, x2y2, dx2y2;
// unsigned char dbytes[32] = {
// 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
// 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
// 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
// 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
// };
// fe_frombytes(d, dbytes);
// fe_1(one);
// fe_sq(x2, p->X); /* x^2 */
// fe_sq(y2, p->Y); /* y^2 */
// fe_mul(dx2y2, x2, y2); /* x^2y^2 */
// fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */
// fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */
// fe_neg(x2y2, x2); /* -x^2 */
// fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */
// assert(fe_isequal(x2y2, dx2y2));
// }
//#endif
}
/*
* h = a * B
* where a = a[0]+256*a[1]+...+256^31 a[31]
* B is the Ed25519 base point (x,4/5) with x positive.
*
* Preconditions:
* a[31] <= 127
*/
public static void ge_scalarmult(Ge_p3 h, byte[] a, Ge_p3 A)
{
byte[] e = new byte[64];
byte carry;
Ge_p1p1 r = new Ge_p1p1();
Ge_p2 s = new Ge_p2();
Ge_p3 t0 = new Ge_p3();
Ge_p3 t1 = new Ge_p3();
Ge_p3 t2 = new Ge_p3();
Ge_cached t = new Ge_cached();
Ge_cached[] pre = new Ge_cached[8];
for (int count = 0; count < pre.Length; count++)
{
pre[count] = new Ge_cached();
}
int i;
for (i = 0; i < 32; ++i)
{
e[2 * i + 0] = (byte)((((uint)a[i]) >> 0) & 15);
e[2 * i + 1] = (byte)((((uint)a[i]) >> 4) & 15);
}
/* each e[i] is between 0 and 15 */
/* e[63] is between 0 and 7 */
carry = 0;
for (i = 0; i < 63; ++i)
{
e[i] += carry;
carry = (byte)(e[i] + 8);
carry >>= 4;
e[i] -= (byte)(carry << 4);
}
e[63] += carry;
/* each e[i] is between -8 and 8 */
// Precomputation:
Ge_p3_to_cached.ge_p3_to_cached(pre[0], A); // A
Ge_p3_dbl.ge_p3_dbl(r, A);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t0, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[1], t0); // 2A
Ge_add.ge_add(r, A, pre[1]);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t1, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[2], t1); // 3A
Ge_p3_dbl.ge_p3_dbl(r, t0);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t0, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[3], t0); // 4A
Ge_add.ge_add(r, A, pre[3]);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t2, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[4], t2); // 5A
Ge_p3_dbl.ge_p3_dbl(r, t1);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t1, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[5], t1); // 6A
Ge_add.ge_add(r, A, pre[5]);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t1, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[6], t1); // 7A
Ge_p3_dbl.ge_p3_dbl(r, t0);
Ge_p1p1_to_p3.ge_p1p1_to_p3(t0, r);
Ge_p3_to_cached.ge_p3_to_cached(pre[7], t0); // 8A
Ge_p3_0.ge_p3_0(h);
for (i = 63; i > 0; i--)
{
select(t, pre, e[i]);
Ge_add.ge_add(r, h, t);
Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r);
Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r);
Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r);
Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p2.ge_p1p1_to_p2(s, r);
Ge_p2_dbl.ge_p2_dbl(r, s); Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r);
}
select(t, pre, e[0]);
Ge_add.ge_add(r, h, t);
Ge_p1p1_to_p3.ge_p1p1_to_p3(h, r);
}
/*
* r = a * A + b * B
* where a = a[0]+256*a[1]+...+256^31 a[31].
* and b = b[0]+256*b[1]+...+256^31 b[31].
* B is the Ed25519 base point (x,4/5) with x positive.
*/
public static void ge_double_scalarmult_vartime(Ge_p2 r, byte[] a, Ge_p3 A, byte[] b)
{
sbyte[] aslide = new sbyte[256];
sbyte[] bslide = new sbyte[256];
Ge_cached[] Ai = new Ge_cached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
for (int count = 0; count < 8; count++)
{
Ai[count] = new Ge_cached();
}
Ge_p1p1 t = new Ge_p1p1();
Ge_p3 u = new Ge_p3();
Ge_p3 A2 = new Ge_p3();
int i;
slide(aslide, a);
slide(bslide, b);
Ge_p3_to_cached.ge_p3_to_cached(Ai[0], A);
Ge_p3_dbl.ge_p3_dbl(t, A); Ge_p1p1_to_p3.ge_p1p1_to_p3(A2, t);
Ge_add.ge_add(t, A2, Ai[0]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[1], u);
Ge_add.ge_add(t, A2, Ai[1]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[2], u);
Ge_add.ge_add(t, A2, Ai[2]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[3], u);
Ge_add.ge_add(t, A2, Ai[3]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[4], u);
Ge_add.ge_add(t, A2, Ai[4]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[5], u);
Ge_add.ge_add(t, A2, Ai[5]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[6], u);
Ge_add.ge_add(t, A2, Ai[6]); Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t); Ge_p3_to_cached.ge_p3_to_cached(Ai[7], u);
Ge_p2_0.ge_p2_0(r);
for (i = 255; i >= 0; --i)
{
if (aslide[i] != 0 || bslide[i] != 0)
{
break;
}
}
for (; i >= 0; --i)
{
Ge_p2_dbl.ge_p2_dbl(t, r);
if (aslide[i] > 0)
{
Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t);
Ge_add.ge_add(t, u, Ai[aslide[i] / 2]);
}
else if (aslide[i] < 0)
{
Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t);
Ge_sub.ge_sub(t, u, Ai[(-aslide[i]) / 2]);
}
if (bslide[i] > 0)
{
Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t);
Ge_madd.ge_madd(t, u, Bi[bslide[i] / 2]);
}
else if (bslide[i] < 0)
{
Ge_p1p1_to_p3.ge_p1p1_to_p3(u, t);
Ge_msub.ge_msub(t, u, Bi[(-bslide[i]) / 2]);
}
Ge_p1p1_to_p2.ge_p1p1_to_p2(r, t);
}
}
//CONVERT #include "ge.h"
/*
* r = p
*/
public static void ge_p3_to_p2(Ge_p2 r, Ge_p3 p)
{
Fe_copy.fe_copy(r.X, p.X);
Fe_copy.fe_copy(r.Y, p.Y);
Fe_copy.fe_copy(r.Z, p.Z);
}
