/*
* r = p
*/
public static void ge_p3_to_cached(out GroupElementCached r, ref GroupElementP3 p)
{
FieldOperations.fe_add(out r.YplusX, ref p.Y, ref p.X);
FieldOperations.fe_sub(out r.YminusX, ref p.Y, ref p.X);
r.Z = p.Z;
FieldOperations.fe_mul(out r.T2d, ref p.T, ref LookupTables.d2);
}
/*
* r = p
*/
public static void ge_p1p1_to_p3(out GroupElementP3 r, ref GroupElementP1P1 p)
{
FieldOperations.fe_mul(out r.X, ref p.X, ref p.T);
FieldOperations.fe_mul(out r.Y, ref p.Y, ref p.Z);
FieldOperations.fe_mul(out r.Z, ref p.Z, ref p.T);
FieldOperations.fe_mul(out r.T, ref p.X, ref p.Y);
}
/*
* r = p + q
*/
public static void ge_madd(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementPreComp q)
{
FieldElement t0;
/* qhasm: YpX1 = Y1+X1 */
/* asm 1: fe_add(>YpX1=fe#1,<Y1=fe#12,<X1=fe#11); */
/* asm 2: fe_add(>YpX1=r.X,<Y1=p.Y,<X1=p.X); */
FieldOperations.fe_add(out r.X, ref p.Y, ref p.X);
/* qhasm: YmX1 = Y1-X1 */
/* asm 1: fe_sub(>YmX1=fe#2,<Y1=fe#12,<X1=fe#11); */
/* asm 2: fe_sub(>YmX1=r.Y,<Y1=p.Y,<X1=p.X); */
FieldOperations.fe_sub(out r.Y, ref p.Y, ref p.X);
/* qhasm: A = YpX1*ypx2 */
/* asm 1: fe_mul(>A=fe#3,<YpX1=fe#1,<ypx2=fe#15); */
/* asm 2: fe_mul(>A=r.Z,<YpX1=r.X,<ypx2=q.yplusx); */
FieldOperations.fe_mul(out r.Z, ref r.X, ref q.yplusx);
/* qhasm: B = YmX1*ymx2 */
/* asm 1: fe_mul(>B=fe#2,<YmX1=fe#2,<ymx2=fe#16); */
/* asm 2: fe_mul(>B=r.Y,<YmX1=r.Y,<ymx2=q.yminusx); */
FieldOperations.fe_mul(out r.Y, ref r.Y, ref q.yminusx);
/* qhasm: C = xy2d2*T1 */
/* asm 1: fe_mul(>C=fe#4,<xy2d2=fe#17,<T1=fe#14); */
/* asm 2: fe_mul(>C=r.T,<xy2d2=q.xy2d,<T1=p.T); */
FieldOperations.fe_mul(out r.T, ref q.xy2d, ref p.T);
/* qhasm: D = 2*Z1 */
/* asm 1: fe_add(>D=fe#5,<Z1=fe#13,<Z1=fe#13); */
/* asm 2: fe_add(>D=t0,<Z1=p.Z,<Z1=p.Z); */
FieldOperations.fe_add(out t0, ref p.Z, ref p.Z);
/* qhasm: X3 = A-B */
/* asm 1: fe_sub(>X3=fe#1,<A=fe#3,<B=fe#2); */
/* asm 2: fe_sub(>X3=r.X,<A=r.Z,<B=r.Y); */
FieldOperations.fe_sub(out r.X, ref r.Z, ref r.Y);
/* qhasm: Y3 = A+B */
/* asm 1: fe_add(>Y3=fe#2,<A=fe#3,<B=fe#2); */
/* asm 2: fe_add(>Y3=r.Y,<A=r.Z,<B=r.Y); */
FieldOperations.fe_add(out r.Y, ref r.Z, ref r.Y);
/* qhasm: Z3 = D+C */
/* asm 1: fe_add(>Z3=fe#3,<D=fe#5,<C=fe#4); */
/* asm 2: fe_add(>Z3=r.Z,<D=t0,<C=r.T); */
FieldOperations.fe_add(out r.Z, ref t0, ref r.T);
/* qhasm: T3 = D-C */
/* asm 1: fe_sub(>T3=fe#4,<D=fe#5,<C=fe#4); */
/* asm 2: fe_sub(>T3=r.T,<D=t0,<C=r.T); */
FieldOperations.fe_sub(out r.T, ref t0, ref r.T);
/* qhasm: return */
}
public static void ge_p3_tobytes(byte[] s, int offset, ref GroupElementP3 h)
{
FieldElement recip;
FieldElement x;
FieldElement y;
FieldOperations.fe_invert(out recip, ref h.Z);
FieldOperations.fe_mul(out x, ref h.X, ref recip);
FieldOperations.fe_mul(out y, ref h.Y, ref recip);
FieldOperations.fe_tobytes(s, offset, ref y);
s[offset + 31] ^= (byte)(FieldOperations.fe_isnegative(ref x) \
public static int ge_frombytes(out GroupElementP3 h, byte[] data, int offset)
{
FieldElement u;
FieldElement v;
FieldElement v3;
FieldElement vxx;
FieldElement check;
FieldOperations.fe_frombytes(out h.Y, data, offset);
FieldOperations.fe_1(out h.Z);
FieldOperations.fe_sq(out u, ref h.Y);
FieldOperations.fe_mul(out v, ref u, ref LookupTables.d);
FieldOperations.fe_sub(out u, ref u, ref h.Z); /* u = y^2-1 */
FieldOperations.fe_add(out v, ref v, ref h.Z); /* v = dy^2+1 */
FieldOperations.fe_sq(out v3, ref v);
FieldOperations.fe_mul(out v3, ref v3, ref v); /* v3 = v^3 */
FieldOperations.fe_sq(out h.X, ref v3);
FieldOperations.fe_mul(out h.X, ref h.X, ref v);
FieldOperations.fe_mul(out h.X, ref h.X, ref u); /* x = uv^7 */
FieldOperations.fe_pow22523(out h.X, ref h.X); /* x = (uv^7)^((q-5)/8) */
FieldOperations.fe_mul(out h.X, ref h.X, ref v3);
FieldOperations.fe_mul(out h.X, ref h.X, ref u); /* x = uv^3(uv^7)^((q-5)/8) */
FieldOperations.fe_sq(out vxx, ref h.X);
FieldOperations.fe_mul(out vxx, ref vxx, ref v);
FieldOperations.fe_sub(out check, ref vxx, ref u); /* vx^2-u */
if (FieldOperations.fe_isnonzero(ref check) != 0)
{
FieldOperations.fe_add(out check, ref vxx, ref u); /* vx^2+u */
if (FieldOperations.fe_isnonzero(ref check) != 0)
{
h = default(GroupElementP3);
return(-1);
}
FieldOperations.fe_mul(out h.X, ref h.X, ref LookupTables.sqrtm1);
FieldOperations.fe_reduce(out h.X, ref h.X);
}
if (FieldOperations.fe_isnegative(ref h.X) != (data[offset + 31] >> 7))
{
FieldOperations.fe_neg(out h.X, ref h.X);
}
FieldOperations.fe_mul(out h.T, ref h.X, ref h.Y);
return(0);
}
/*
* r = p + q
*/
internal static void ge_add(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q)
{
FieldElement t0;
/* qhasm: enter GroupElementadd */
/* qhasm: fe X1 */
/* qhasm: fe Y1 */
/* qhasm: fe Z1 */
/* qhasm: fe Z2 */
/* qhasm: fe T1 */
/* qhasm: fe ZZ */
/* qhasm: fe YpX2 */
/* qhasm: fe YmX2 */
/* qhasm: fe T2d2 */
/* qhasm: fe X3 */
/* qhasm: fe Y3 */
/* qhasm: fe Z3 */
/* qhasm: fe T3 */
/* qhasm: fe YpX1 */
/* qhasm: fe YmX1 */
/* qhasm: fe A */
/* qhasm: fe B */
/* qhasm: fe C */
/* qhasm: fe D */
/* qhasm: YpX1 = Y1+X1 */
/* asm 1: fe_add(>YpX1=fe#1,<Y1=fe#12,<X1=fe#11); */
/* asm 2: fe_add(>YpX1=r.X,<Y1=p.Y,<X1=p.X); */
FieldOperations.fe_add(out r.X, ref p.Y, ref p.X);
/* qhasm: YmX1 = Y1-X1 */
/* asm 1: fe_sub(>YmX1=fe#2,<Y1=fe#12,<X1=fe#11); */
/* asm 2: fe_sub(>YmX1=r.Y,<Y1=p.Y,<X1=p.X); */
FieldOperations.fe_sub(out r.Y, ref p.Y, ref p.X);
/* qhasm: A = YpX1*YpX2 */
/* asm 1: fe_mul(>A=fe#3,<YpX1=fe#1,<YpX2=fe#15); */
/* asm 2: fe_mul(>A=r.Z,<YpX1=r.X,<YpX2=q.YplusX); */
FieldOperations.fe_mul(out r.Z, ref r.X, ref q.YplusX);
/* qhasm: B = YmX1*YmX2 */
/* asm 1: fe_mul(>B=fe#2,<YmX1=fe#2,<YmX2=fe#16); */
/* asm 2: fe_mul(>B=r.Y,<YmX1=r.Y,<YmX2=q.YminusX); */
FieldOperations.fe_mul(out r.Y, ref r.Y, ref q.YminusX);
/* qhasm: C = T2d2*T1 */
/* asm 1: fe_mul(>C=fe#4,<T2d2=fe#18,<T1=fe#14); */
/* asm 2: fe_mul(>C=r.T,<T2d2=q.T2d,<T1=p.T); */
FieldOperations.fe_mul(out r.T, ref q.T2d, ref p.T);
/* qhasm: ZZ = Z1*Z2 */
/* asm 1: fe_mul(>ZZ=fe#1,<Z1=fe#13,<Z2=fe#17); */
/* asm 2: fe_mul(>ZZ=r.X,<Z1=p.Z,<Z2=q.Z); */
FieldOperations.fe_mul(out r.X, ref p.Z, ref q.Z);
/* qhasm: D = 2*ZZ */
/* asm 1: fe_add(>D=fe#5,<ZZ=fe#1,<ZZ=fe#1); */
/* asm 2: fe_add(>D=t0,<ZZ=r.X,<ZZ=r.X); */
FieldOperations.fe_add(out t0, ref r.X, ref r.X);
/* qhasm: X3 = A-B */
/* asm 1: fe_sub(>X3=fe#1,<A=fe#3,<B=fe#2); */
/* asm 2: fe_sub(>X3=r.X,<A=r.Z,<B=r.Y); */
FieldOperations.fe_sub(out r.X, ref r.Z, ref r.Y);
/* qhasm: Y3 = A+B */
/* asm 1: fe_add(>Y3=fe#2,<A=fe#3,<B=fe#2); */
/* asm 2: fe_add(>Y3=r.Y,<A=r.Z,<B=r.Y); */
FieldOperations.fe_add(out r.Y, ref r.Z, ref r.Y);
/* qhasm: Z3 = D+C */
/* asm 1: fe_add(>Z3=fe#3,<D=fe#5,<C=fe#4); */
/* asm 2: fe_add(>Z3=r.Z,<D=t0,<C=r.T); */
FieldOperations.fe_add(out r.Z, ref t0, ref r.T);
/* qhasm: T3 = D-C */
/* asm 1: fe_sub(>T3=fe#4,<D=fe#5,<C=fe#4); */
/* asm 2: fe_sub(>T3=r.T,<D=t0,<C=r.T); */
FieldOperations.fe_sub(out r.T, ref t0, ref r.T);
/* qhasm: return */
}
internal static void scalarmult(
out FieldElement q,
byte[] n, int noffset,
ref FieldElement p)
{
byte[] e = new byte[32]; //ToDo: remove allocation
UInt32 i;
FieldElement x1;
FieldElement x2;
FieldElement z2;
FieldElement x3;
FieldElement z3;
FieldElement tmp0;
FieldElement tmp1;
int pos;
UInt32 swap;
UInt32 b;
for (i = 0; i < 32; ++i)
{
e[i] = n[noffset + i];
}
ScalarOperations.sc_clamp(e, 0);
x1 = p;
FieldOperations.fe_1(out x2);
FieldOperations.fe_0(out z2);
x3 = x1;
FieldOperations.fe_1(out z3);
swap = 0;
for (pos = 254; pos >= 0; --pos)
{
b = (uint)(e[pos / 8] >> (pos & 7));
b &= 1;
swap ^= b;
FieldOperations.fe_cswap(ref x2, ref x3, swap);
FieldOperations.fe_cswap(ref z2, ref z3, swap);
swap = b;
/* qhasm: fe X2 */
/* qhasm: fe Z2 */
/* qhasm: fe X3 */
/* qhasm: fe Z3 */
/* qhasm: fe X4 */
/* qhasm: fe Z4 */
/* qhasm: fe X5 */
/* qhasm: fe Z5 */
/* qhasm: fe A */
/* qhasm: fe B */
/* qhasm: fe C */
/* qhasm: fe D */
/* qhasm: fe E */
/* qhasm: fe AA */
/* qhasm: fe BB */
/* qhasm: fe DA */
/* qhasm: fe CB */
/* qhasm: fe t0 */
/* qhasm: fe t1 */
/* qhasm: fe t2 */
/* qhasm: fe t3 */
/* qhasm: fe t4 */
/* qhasm: enter ladder */
/* qhasm: D = X3-Z3 */
/* asm 1: fe_sub(>D=fe#5,<X3=fe#3,<Z3=fe#4); */
/* asm 2: fe_sub(>D=tmp0,<X3=x3,<Z3=z3); */
FieldOperations.fe_sub(out tmp0, ref x3, ref z3);
/* qhasm: B = X2-Z2 */
/* asm 1: fe_sub(>B=fe#6,<X2=fe#1,<Z2=fe#2); */
/* asm 2: fe_sub(>B=tmp1,<X2=x2,<Z2=z2); */
FieldOperations.fe_sub(out tmp1, ref x2, ref z2);
/* qhasm: A = X2+Z2 */
/* asm 1: fe_add(>A=fe#1,<X2=fe#1,<Z2=fe#2); */
/* asm 2: fe_add(>A=x2,<X2=x2,<Z2=z2); */
FieldOperations.fe_add(out x2, ref x2, ref z2);
/* qhasm: C = X3+Z3 */
/* asm 1: fe_add(>C=fe#2,<X3=fe#3,<Z3=fe#4); */
/* asm 2: fe_add(>C=z2,<X3=x3,<Z3=z3); */
FieldOperations.fe_add(out z2, ref x3, ref z3);
/* qhasm: DA = D*A */
/* asm 1: fe_mul(>DA=fe#4,<D=fe#5,<A=fe#1); */
/* asm 2: fe_mul(>DA=z3,<D=tmp0,<A=x2); */
FieldOperations.fe_mul(out z3, ref tmp0, ref x2);
/* qhasm: CB = C*B */
/* asm 1: fe_mul(>CB=fe#2,<C=fe#2,<B=fe#6); */
/* asm 2: fe_mul(>CB=z2,<C=z2,<B=tmp1); */
FieldOperations.fe_mul(out z2, ref z2, ref tmp1);
/* qhasm: BB = B^2 */
/* asm 1: fe_sq(>BB=fe#5,<B=fe#6); */
/* asm 2: fe_sq(>BB=tmp0,<B=tmp1); */
FieldOperations.fe_sq(out tmp0, ref tmp1);
/* qhasm: AA = A^2 */
/* asm 1: fe_sq(>AA=fe#6,<A=fe#1); */
/* asm 2: fe_sq(>AA=tmp1,<A=x2); */
FieldOperations.fe_sq(out tmp1, ref x2);
/* qhasm: t0 = DA+CB */
/* asm 1: fe_add(>t0=fe#3,<DA=fe#4,<CB=fe#2); */
/* asm 2: fe_add(>t0=x3,<DA=z3,<CB=z2); */
FieldOperations.fe_add(out x3, ref z3, ref z2);
/* qhasm: assign x3 to t0 */
/* qhasm: t1 = DA-CB */
/* asm 1: fe_sub(>t1=fe#2,<DA=fe#4,<CB=fe#2); */
/* asm 2: fe_sub(>t1=z2,<DA=z3,<CB=z2); */
FieldOperations.fe_sub(out z2, ref z3, ref z2);
/* qhasm: X4 = AA*BB */
/* asm 1: fe_mul(>X4=fe#1,<AA=fe#6,<BB=fe#5); */
/* asm 2: fe_mul(>X4=x2,<AA=tmp1,<BB=tmp0); */
FieldOperations.fe_mul(out x2, ref tmp1, ref tmp0);
/* qhasm: E = AA-BB */
/* asm 1: fe_sub(>E=fe#6,<AA=fe#6,<BB=fe#5); */
/* asm 2: fe_sub(>E=tmp1,<AA=tmp1,<BB=tmp0); */
FieldOperations.fe_sub(out tmp1, ref tmp1, ref tmp0);
/* qhasm: t2 = t1^2 */
/* asm 1: fe_sq(>t2=fe#2,<t1=fe#2); */
/* asm 2: fe_sq(>t2=z2,<t1=z2); */
FieldOperations.fe_sq(out z2, ref z2);
/* qhasm: t3 = a24*E */
/* asm 1: fe_mul121666(>t3=fe#4,<E=fe#6); */
/* asm 2: fe_mul121666(>t3=z3,<E=tmp1); */
FieldOperations.fe_mul121666(out z3, ref tmp1);
/* qhasm: X5 = t0^2 */
/* asm 1: fe_sq(>X5=fe#3,<t0=fe#3); */
/* asm 2: fe_sq(>X5=x3,<t0=x3); */
FieldOperations.fe_sq(out x3, ref x3);
/* qhasm: t4 = BB+t3 */
/* asm 1: fe_add(>t4=fe#5,<BB=fe#5,<t3=fe#4); */
/* asm 2: fe_add(>t4=tmp0,<BB=tmp0,<t3=z3); */
FieldOperations.fe_add(out tmp0, ref tmp0, ref z3);
/* qhasm: Z5 = X1*t2 */
/* asm 1: fe_mul(>Z5=fe#4,x1,<t2=fe#2); */
/* asm 2: fe_mul(>Z5=z3,x1,<t2=z2); */
FieldOperations.fe_mul(out z3, ref x1, ref z2);
/* qhasm: Z4 = E*t4 */
/* asm 1: fe_mul(>Z4=fe#2,<E=fe#6,<t4=fe#5); */
/* asm 2: fe_mul(>Z4=z2,<E=tmp1,<t4=tmp0); */
FieldOperations.fe_mul(out z2, ref tmp1, ref tmp0);
/* qhasm: return */
}
FieldOperations.fe_cswap(ref x2, ref x3, swap);
FieldOperations.fe_cswap(ref z2, ref z3, swap);
FieldOperations.fe_invert(out z2, ref z2);
FieldOperations.fe_mul(out x2, ref x2, ref z2);
q = x2;
CryptoBytes.Wipe(e);
}
public static void ge_fromfe_frombytes_vartime(out GroupElementP2 r, byte[] s, int offset)
{
FieldElement u, v, w, x, y, z;
byte sign;
FieldOperations.fe_frombytes(out u, s, offset);
FieldOperations.fe_sq2(out v, ref u); /* 2 * u^2 */
FieldOperations.fe_1(out w);
FieldOperations.fe_add(out w, ref v, ref w); /* w = 2 * u^2 + 1 */
FieldOperations.fe_sq(out x, ref w); /* w^2 */
FieldOperations.fe_mul(out y, ref FieldOperations.fe_ma2, ref v); /* -2 * A^2 * u^2 */
FieldOperations.fe_add(out x, ref x, ref y); /* x = w^2 - 2 * A^2 * u^2 */
FieldOperations.fe_divpowm1(out r.X, ref w, ref x); /* (w / x)^(m + 1) */
FieldOperations.fe_sq(out y, ref r.X);
FieldOperations.fe_mul(out x, ref y, ref x);
FieldOperations.fe_sub(out y, ref w, ref x);
FieldOperations.fe_copy(out z, ref FieldOperations.fe_ma);
if (FieldOperations.fe_isnonzero(ref y) != 0)
{
FieldOperations.fe_add(out y, ref w, ref x);
if (FieldOperations.fe_isnonzero(ref y) != 0)
{
goto negative;
}
else
{
FieldOperations.fe_mul(out r.X, ref r.X, ref FieldOperations.fe_fffb1);
}
}
else
{
FieldOperations.fe_mul(out r.X, ref r.X, ref FieldOperations.fe_fffb2);
}
FieldOperations.fe_mul(out r.X, ref r.X, ref u); /* u * sqrt(2 * A * (A + 2) * w / x) */
FieldOperations.fe_mul(out z, ref z, ref v); /* -2 * A * u^2 */
sign = 0;
goto setsign;
negative:
FieldOperations.fe_mul(out x, ref x, ref FieldOperations.fe_sqrtm1);
FieldOperations.fe_sub(out y, ref w, ref x);
if (FieldOperations.fe_isnonzero(ref y) != 0)
{
//assert((fe_add(y, w, x), !fe_isnonzero(y)));
FieldOperations.fe_mul(out r.X, ref r.X, ref FieldOperations.fe_fffb3);
}
else
{
FieldOperations.fe_mul(out r.X, ref r.X, ref FieldOperations.fe_fffb4);
}
/* r->X = sqrt(A * (A + 2) * w / x) */
/* z = -A */
sign = 1;
setsign:
if (FieldOperations.fe_isnegative(ref r.X) != sign)
{
//assert(fe_isnonzero(r->X));
FieldOperations.fe_neg(out r.X, ref r.X);
}
FieldOperations.fe_add(out r.Z, ref z, ref w);
FieldOperations.fe_sub(out r.Y, ref z, ref w);
FieldOperations.fe_mul(out r.X, ref r.X, ref r.Z);
}
/*
* r = p
*/
internal static void ge_p1p1_to_p2(out GroupElementP2 r, ref GroupElementP1P1 p)
{
FieldOperations.fe_mul(out r.X, ref p.X, ref p.T);
FieldOperations.fe_mul(out r.Y, ref p.Y, ref p.Z);
FieldOperations.fe_mul(out r.Z, ref p.Z, ref p.T);
}