        /*
         * r = 2 * p
         *
         * Doubles an extended (P3) point and returns the result in completed
         * (P1P1) form. Only X, Y and Z of p are consumed: p is first projected
         * to P2 and the P2 doubling formula is reused.
         */
        public static void ge_p3_dbl(out GroupElementP1P1 r, ref GroupElementP3 p)
        {
            // The T coordinate plays no part in doubling, so drop it first.
            GroupElementP2 projected;
            ge_p3_to_p2(out projected, ref p);

            ge_p2_dbl(out r, ref projected);
        }
		/*
		r = p

		Converts a completed (P1P1) point into extended (P3) coordinates:
		X3 = X1*T1, Y3 = Y1*Z1, Z3 = Z1*T1, T3 = X1*Y1. Every output field
		is computed from p alone, so the four products are independent of
		one another.
		*/
		public static void ge_p1p1_to_p3(out GroupElementP3 r, ref GroupElementP1P1 p)
		{
			FieldOperations.fe_mul(out r.T, ref p.X, ref p.Y);
			FieldOperations.fe_mul(out r.Z, ref p.Z, ref p.T);
			FieldOperations.fe_mul(out r.Y, ref p.Y, ref p.Z);
			FieldOperations.fe_mul(out r.X, ref p.X, ref p.T);
		}
 /*
  * r = p
  *
  * P1P1 -> P3 conversion. The four field products read only p and write
  * disjoint fields of r, so their order does not matter.
  */
 public static void ge_p1p1_to_p3(out GroupElementP3 r, ref GroupElementP1P1 p)
 {
     FieldOperations.fe_mul(out r.X, ref p.X, ref p.T);   // X3 = X1*T1
     FieldOperations.fe_mul(out r.Z, ref p.Z, ref p.T);   // Z3 = Z1*T1
     FieldOperations.fe_mul(out r.Y, ref p.Y, ref p.Z);   // Y3 = Y1*Z1
     FieldOperations.fe_mul(out r.T, ref p.X, ref p.Y);   // T3 = X1*Y1
 }
		/*
		h = 0

		Sets h to the neutral element of the group in extended coordinates,
		(X : Y : Z : T) = (0 : 1 : 1 : 0), i.e. the affine point (0, 1).
		*/
		public static void ge_p3_0(out GroupElementP3 h)
		{
			// Y = Z = 1 ...
			FieldOperations.fe_1(out h.Y);
			FieldOperations.fe_1(out h.Z);
			// ... and X = T = 0.
			FieldOperations.fe_0(out h.X);
			FieldOperations.fe_0(out h.T);
		}
 /*
  *      r = p
  *
  * Converts an extended (P3) point into the cached form that ge_add and
  * ge_sub take as their second operand: YplusX = Y+X, YminusX = Y-X, Z
  * unchanged, T2d = T * LookupTables.d2 (presumably 2*d; see LookupTables).
  */
 internal static void ge_p3_to_cached(out GroupElementCached r, ref GroupElementP3 p)
 {
     // The fields that do not involve X or Y first ...
     r.Z = p.Z;
     FieldOperations.fe_mul(out r.T2d, ref p.T, ref LookupTables.d2);
     // ... then the sum and difference of Y and X.
     FieldOperations.fe_add(out r.YplusX, ref p.Y, ref p.X);
     FieldOperations.fe_sub(out r.YminusX, ref p.Y, ref p.X);
 }
		/*
		r = a * A + b * B
		where a = a[0]+256*a[1]+...+256^31 a[31].
		and b = b[0]+256*b[1]+...+256^31 b[31].
		B is the Ed25519 base point (x,4/5) with x positive.

		Variable time: the main loop branches on the signed digits of a and b
		(aslide/bslide) and starts at their highest non-zero position, so the
		running time depends on both scalars. Use it only where a and b are
		public, e.g. signature verification, never with a private scalar.
		*/

		public static void ge_double_scalarmult_vartime(out GroupElementP2 r, byte[] a, ref GroupElementP3 A, byte[] b)
		{
			GroupElementPreComp[] baseTable = LookupTables.Base2;
			sbyte[] aDigits = new sbyte[256];
			sbyte[] bDigits = new sbyte[256];
			GroupElementCached[] oddA = new GroupElementCached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
			GroupElementP1P1 t;
			GroupElementP3 u;
			GroupElementP3 twoA;

			// Signed-digit recoding of both scalars (slide() is defined elsewhere;
			// the odd-multiple table below implies a sliding window of odd digits).
			slide(aDigits, a);
			slide(bDigits, b);

			// oddA[k] = (2k+1) * A, built by repeatedly adding 2A.
			ge_p3_to_cached(out oddA[0], ref A);
			ge_p3_dbl(out t, ref A);
			ge_p1p1_to_p3(out twoA, ref t);
			for (int k = 0; k < 7; ++k)
			{
				ge_add(out t, ref twoA, ref oddA[k]);
				ge_p1p1_to_p3(out u, ref t);
				ge_p3_to_cached(out oddA[k + 1], ref u);
			}

			ge_p2_0(out r);

			// Skip the leading zero digits; if both scalars are zero the loop
			// below does not run and r stays the neutral element.
			int i = 255;
			while (i >= 0 && aDigits[i] == 0 && bDigits[i] == 0)
			{
				--i;
			}

			for (; i >= 0; --i)
			{
				sbyte da = aDigits[i];
				sbyte db = bDigits[i];

				ge_p2_dbl(out t, ref r);

				if (da > 0)
				{
					ge_p1p1_to_p3(out u, ref t);
					ge_add(out t, ref u, ref oddA[da / 2]);
				}
				else if (da < 0)
				{
					ge_p1p1_to_p3(out u, ref t);
					ge_sub(out t, ref u, ref oddA[(-da) / 2]);
				}

				if (db > 0)
				{
					ge_p1p1_to_p3(out u, ref t);
					ge_madd(out t, ref u, ref baseTable[db / 2]);
				}
				else if (db < 0)
				{
					ge_p1p1_to_p3(out u, ref t);
					ge_msub(out t, ref u, ref baseTable[(-db) / 2]);
				}

				ge_p1p1_to_p2(out r, ref t);
			}
		}
 /*
  * h = 0
  *
  * Neutral element in extended coordinates: (0 : 1 : 1 : 0).
  */
 internal static void ge_p3_0(out GroupElementP3 h)
 {
     FieldOperations.fe_0(out h.T);
     FieldOperations.fe_1(out h.Z);
     FieldOperations.fe_1(out h.Y);
     FieldOperations.fe_0(out h.X);
 }
		/*
		r = p

		P3 -> cached conversion. The cached form stores Y+X, Y-X, Z and
		T*d2 so that ge_add/ge_sub need no further preprocessing of their
		second operand.
		*/
		public static void ge_p3_to_cached(out GroupElementCached r, ref GroupElementP3 p)
		{
			FieldOperations.fe_mul(out r.T2d, ref p.T, ref LookupTables.d2);
			FieldOperations.fe_sub(out r.YminusX, ref p.Y, ref p.X);
			FieldOperations.fe_add(out r.YplusX, ref p.Y, ref p.X);
			r.Z = p.Z;
		}
		/*
		r = p - q

		Mixed subtraction of a precomputed point q (fields yplusx, yminusx,
		xy2d) from the extended point p, result in completed (P1P1) form.
		Same dataflow as ge_madd except that q's sum and difference swap
		roles and the sign of C is flipped, which is how -q is represented:
		A = (Y1+X1)*ymx2, B = (Y1-X1)*ypx2, C = xy2d2*T1, D = 2*Z1,
		X3 = A-B, Y3 = A+B, Z3 = D-C, T3 = D+C.
		*/
		public static void ge_msub(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementPreComp q)
		{
			FieldElement ypx1, ymx1;   // Y1+X1, Y1-X1
			FieldElement a, b, c, d;   // intermediates, named as in the qhasm source

			FieldOperations.fe_add(out ypx1, ref p.Y, ref p.X);
			FieldOperations.fe_sub(out ymx1, ref p.Y, ref p.X);

			// Subtracting q pairs Y1+X1 with y2-x2 and Y1-X1 with y2+x2.
			FieldOperations.fe_mul(out a, ref ypx1, ref q.yminusx);   // A = YpX1*ymx2
			FieldOperations.fe_mul(out b, ref ymx1, ref q.yplusx);    // B = YmX1*ypx2
			FieldOperations.fe_mul(out c, ref q.xy2d, ref p.T);       // C = xy2d2*T1
			FieldOperations.fe_add(out d, ref p.Z, ref p.Z);          // D = 2*Z1

			FieldOperations.fe_sub(out r.X, ref a, ref b);   // X3 = A-B
			FieldOperations.fe_add(out r.Y, ref a, ref b);   // Y3 = A+B
			FieldOperations.fe_sub(out r.Z, ref d, ref c);   // Z3 = D-C
			FieldOperations.fe_add(out r.T, ref d, ref c);   // T3 = D+C
		}
        /*
         * r = p + q
         *
         * Mixed addition: q is a precomputed point (fields yplusx, yminusx,
         * xy2d), p is extended, the result is completed (P1P1). Dataflow as
         * in the qhasm source: A = (Y1+X1)*ypx2, B = (Y1-X1)*ymx2,
         * C = xy2d2*T1, D = 2*Z1, X3 = A-B, Y3 = A+B, Z3 = D+C, T3 = D-C.
         * Each intermediate gets its own temporary instead of being staged
         * in r's fields.
         */
        public static void ge_madd(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementPreComp q)
        {
            FieldElement sumYX, diffYX;
            FieldElement prodA, prodB, prodC, twoZ;

            FieldOperations.fe_add(out sumYX, ref p.Y, ref p.X);
            FieldOperations.fe_sub(out diffYX, ref p.Y, ref p.X);

            FieldOperations.fe_mul(out prodA, ref sumYX, ref q.yplusx);
            FieldOperations.fe_mul(out prodB, ref diffYX, ref q.yminusx);
            FieldOperations.fe_mul(out prodC, ref q.xy2d, ref p.T);
            // Unlike ge_add there is no Z2 factor here; the precomputed point
            // presumably has Z2 = 1 (affine table entry).
            FieldOperations.fe_add(out twoZ, ref p.Z, ref p.Z);

            FieldOperations.fe_sub(out r.X, ref prodA, ref prodB);
            FieldOperations.fe_add(out r.Y, ref prodA, ref prodB);
            FieldOperations.fe_add(out r.Z, ref twoZ, ref prodC);
            FieldOperations.fe_sub(out r.T, ref twoZ, ref prodC);
        }
		/*
		Encodes the extended point h into 32 bytes at s[offset..offset+31]:
		the affine y coordinate via fe_tobytes, with the sign of the affine
		x coordinate XOR-ed into bit 7 of the last byte. s must hold at
		least offset + 32 bytes; nothing here checks that.
		*/
		public static void ge_p3_tobytes(byte[] s, int offset, ref GroupElementP3 h)
		{
			FieldElement zinv;
			FieldElement affineX;
			FieldElement affineY;

			// Back to affine coordinates: (X/Z, Y/Z).
			FieldOperations.fe_invert(out zinv, ref h.Z);
			FieldOperations.fe_mul(out affineY, ref h.Y, ref zinv);
			FieldOperations.fe_mul(out affineX, ref h.X, ref zinv);

			FieldOperations.fe_tobytes(s, offset, ref affineY);

			// Assumes fe_tobytes leaves bit 7 of the last byte clear, so the
			// XOR sets it exactly when x is negative -- confirm in fe_tobytes.
			var signBit = FieldOperations.fe_isnegative(ref affineX);
			s[offset + 31] ^= (byte)(signBit << 7);
		}
		/*
		Encodes h into 32 bytes at s[offset..offset+31]: the affine y
		coordinate via fe_tobytes, with the sign of the affine x coordinate
		XOR-ed into the last byte. s must hold at least offset + 32 bytes.
		*/
		public static void ge_p3_tobytes(byte[] s, int offset, ref GroupElementP3 h)
		{
			FieldElement recip;
			FieldElement x;
			FieldElement y;

			// 1/Z, then X/Z and Y/Z.
			FieldOperations.fe_invert(out recip, ref h.Z);
			FieldOperations.fe_mul(out x, ref h.X, ref  recip);
			FieldOperations.fe_mul(out y, ref  h.Y, ref  recip);
			FieldOperations.fe_tobytes(s, offset, ref y);
			s[offset + 31] ^= (byte)(FieldOperations.fe_isnegative(ref x) \
        /*
         * Decodes the 32-byte compressed Ed25519 point at
         * data[offset..offset+31] into extended coordinates h.
         *
         * Returns 0 on success and -1 (with h zeroed) when the decoded y has
         * no matching x on the curve, i.e. neither v*x^2 = u nor v*x^2 = -u
         * holds for the candidate root. The recovered x is negated, if
         * needed, so that its sign matches bit 7 of data[offset + 31].
         *
         * NOTE(review): nothing in this method checks that y is a canonical
         * encoding or that the point has large order; if fe_frombytes does
         * not reject such inputs either, callers needing those properties
         * must check them separately.
         */
        public static int ge_frombytes(out GroupElementP3 h, byte[] data, int offset)
        {
            FieldElement num;    // u = y^2 - 1
            FieldElement den;    // v = d*y^2 + 1
            FieldElement den3;   // v^3
            FieldElement vx2;    // v*x^2
            FieldElement diff;

            // y straight from the encoding; Z = 1 so h is already affine.
            FieldOperations.fe_frombytes(out h.Y, data, offset);
            FieldOperations.fe_1(out h.Z);

            FieldOperations.fe_sq(out num, ref h.Y);
            FieldOperations.fe_mul(out den, ref num, ref LookupTables.d);
            FieldOperations.fe_sub(out num, ref num, ref h.Z);   /* u = y^2-1 */
            FieldOperations.fe_add(out den, ref den, ref h.Z);   /* v = dy^2+1 */

            // Candidate x = u*v^3 * (u*v^7)^((q-5)/8), computed without a
            // field inversion.
            FieldOperations.fe_sq(out den3, ref den);
            FieldOperations.fe_mul(out den3, ref den3, ref den);  /* v3 = v^3 */
            FieldOperations.fe_sq(out h.X, ref den3);              /* v^6 */
            FieldOperations.fe_mul(out h.X, ref h.X, ref den);     /* v^7 */
            FieldOperations.fe_mul(out h.X, ref h.X, ref num);     /* x = uv^7 */
            FieldOperations.fe_pow22523(out h.X, ref h.X);         /* x = (uv^7)^((q-5)/8) */
            FieldOperations.fe_mul(out h.X, ref h.X, ref den3);
            FieldOperations.fe_mul(out h.X, ref h.X, ref num);     /* x = uv^3(uv^7)^((q-5)/8) */

            // Verify the candidate: v*x^2 must equal u or -u.
            FieldOperations.fe_sq(out vx2, ref h.X);
            FieldOperations.fe_mul(out vx2, ref vx2, ref den);
            FieldOperations.fe_sub(out diff, ref vx2, ref num);   /* vx^2-u */
            bool isRoot = FieldOperations.fe_isnonzero(ref diff) == 0;
            if (!isRoot)
            {
                FieldOperations.fe_add(out diff, ref vx2, ref num);   /* vx^2+u */
                if (FieldOperations.fe_isnonzero(ref diff) != 0)
                {
                    // Not a curve point: fail and leave no partially decoded
                    // coordinates behind.
                    h = default(GroupElementP3);
                    return -1;
                }

                // v*x^2 = -u, so multiply by sqrt(-1) to get the real root;
                // fe_reduce presumably normalises the limb representation.
                FieldOperations.fe_mul(out h.X, ref h.X, ref LookupTables.sqrtm1);
                FieldOperations.fe_reduce(out h.X, ref h.X);
            }

            // Pick the root whose sign matches the encoded sign bit.
            var encodedSign = data[offset + 31] >> 7;
            if (FieldOperations.fe_isnegative(ref h.X) != encodedSign)
            {
                FieldOperations.fe_neg(out h.X, ref h.X);
            }

            FieldOperations.fe_mul(out h.T, ref h.X, ref h.Y);
            return 0;
        }
        /*
        h = a * B
        where a = a[0]+256*a[1]+...+256^31 a[31]
        B is the Ed25519 base point (x,4/5) with x positive.

        Preconditions:
          a[31] <= 127

        The scalar is recoded into 64 signed radix-16 digits e[0..63] in
        -8..8 and h is accumulated from the precomputed table via select().
        The precondition is what keeps e[63] in range; the recoding does not
        check it, so an out-of-range top byte yields a wrong result rather
        than an error. Nothing in this method branches on the digits;
        whether the whole operation is constant-time also depends on
        select() and ge_madd, which are defined elsewhere.
        */

        public static void ge_scalarmult_base(out GroupElementP3 h, byte[] a, int offset)
        {
            // todo: Perhaps remove this allocation
            sbyte[] e = new sbyte[64];
            sbyte carry;
            GroupElementP1P1 r;
            GroupElementP2 s;
            GroupElementPreComp t;
            int i;

            // Split each scalar byte into its low and high nibble.
            for (i = 0; i < 32; ++i)
            {
                byte word = a[offset + i];
                e[2 * i] = (sbyte)(word & 15);
                e[2 * i + 1] = (sbyte)(word >> 4);
            }
            /* each e[i] is between 0 and 15 */
            /* e[63] is between 0 and 7 */

            // Re-centre the digits to -8..8, pushing the excess into the
            // next digit.
            carry = 0;
            for (i = 0; i < 63; ++i)
            {
                int digit = e[i] + carry;
                carry = (sbyte)((digit + 8) >> 4);
                e[i] = (sbyte)(digit - (carry << 4));
            }
            e[63] += carry;
            /* each e[i] is between -8 and 8 */

            // Odd-indexed digits first (select() presumably indexes the
            // table by digit position i/2) ...
            ge_p3_0(out h);
            for (i = 1; i < 64; i += 2)
            {
                select(out t, i / 2, e[i]);
                ge_madd(out r, ref h, ref t);
                ge_p1p1_to_p3(out h, ref r);
            }

            // ... then h = 16*h via four doublings ...
            ge_p3_dbl(out r, ref h);
            ge_p1p1_to_p2(out s, ref r);
            for (int k = 0; k < 2; ++k)
            {
                ge_p2_dbl(out r, ref s);
                ge_p1p1_to_p2(out s, ref r);
            }
            ge_p2_dbl(out r, ref s);
            ge_p1p1_to_p3(out h, ref r);

            // ... and finally the even-indexed digits.
            for (i = 0; i < 64; i += 2)
            {
                select(out t, i / 2, e[i]);
                ge_madd(out r, ref h, ref t);
                ge_p1p1_to_p3(out h, ref r);
            }
        }
        /*
         * h = a * B
         * where a = a[0]+256*a[1]+...+256^31 a[31]
         * B is the Ed25519 base point (x,4/5) with x positive.
         *
         * Preconditions:
         * a[31] <= 127
         *
         * a is recoded into 64 signed radix-16 digits in -8..8; the
         * precondition bounds the last digit. It is not enforced here, so a
         * larger a[31] silently produces a wrong point. The method itself is
         * branch-free with respect to the digits; constant-time behaviour
         * overall also rests on select() and ge_madd (defined elsewhere).
         */

        internal static void ge_scalarmult_base(out GroupElementP3 h, byte[] a, int offset)
        {
            // todo: Perhaps remove this allocation
            sbyte[]             e = new sbyte[64];
            sbyte               carry;
            GroupElementP1P1    r;
            GroupElementP2      s;
            GroupElementPreComp t;
            int i;

            // e[2k] = low nibble of a[offset+k], e[2k+1] = high nibble.
            for (i = 0; i < 64; ++i)
            {
                int shift = (i & 1) * 4;
                e[i] = (sbyte)((a[offset + (i >> 1)] >> shift) & 15);
            }
            /* each e[i] is between 0 and 15 */
            /* e[63] is between 0 and 7 */

            // Signed-digit recoding: digits above 8 borrow from the next one.
            carry = 0;
            for (i = 0; i < 63; ++i)
            {
                e[i] += carry;
                carry = (sbyte)((e[i] + 8) >> 4);
                e[i] -= (sbyte)(carry << 4);
            }
            e[63] += carry;
            /* each e[i] is between -8 and 8 */

            // Odd digit positions into h ...
            ge_p3_0(out h);
            for (i = 1; i < 64; i += 2)
            {
                select(out t, i / 2, e[i]);
                ge_madd(out r, ref h, ref t);
                ge_p1p1_to_p3(out h, ref r);
            }

            // ... h = 16*h (four doublings, staying in P2 in between) ...
            ge_p3_dbl(out r, ref h);
            int doublingsLeft = 3;
            while (doublingsLeft-- > 0)
            {
                ge_p1p1_to_p2(out s, ref r);
                ge_p2_dbl(out r, ref s);
            }
            ge_p1p1_to_p3(out h, ref r);

            // ... then the even digit positions.
            for (i = 0; i < 64; i += 2)
            {
                select(out t, i / 2, e[i]);
                ge_madd(out r, ref h, ref t);
                ge_p1p1_to_p3(out h, ref r);
            }
        }
		/*
		Decodes the 32-byte compressed point at data[offset..offset+31] and
		returns its NEGATION in h: the recovered x is negated whenever its
		sign already matches bit 7 of the last byte, so h = -A for an
		encoding of A. Returns 0 on success and -1 (h zeroed) when no x
		exists for the decoded y.

		Variable time: it exits early on failure and branches on the decoded
		data, which is fine for the public keys and R values of signature
		verification but not for secret inputs. No canonical-encoding or
		small-order check is made here; if fe_frombytes does not reject such
		inputs, callers that need those properties must check them.
		*/
		public static int ge_frombytes_negate_vartime(out GroupElementP3 h, byte[] data, int offset)
		{
			FieldElement u;      // y^2 - 1
			FieldElement v;      // d*y^2 + 1
			FieldElement vCubed;
			FieldElement vx2;    // v*x^2
			FieldElement check;

			FieldOperations.fe_frombytes(out h.Y, data, offset);
			FieldOperations.fe_1(out h.Z);

			// u = y^2 - 1 and v = d*y^2 + 1, so x^2 = u/v on the curve.
			FieldOperations.fe_sq(out u, ref h.Y);
			FieldOperations.fe_mul(out v, ref u, ref LookupTables.d);
			FieldOperations.fe_sub(out u, ref u, ref h.Z);
			FieldOperations.fe_add(out v, ref v, ref h.Z);

			// x = u*v^3 * (u*v^7)^((q-5)/8): a square root of u/v up to a
			// factor of sqrt(-1), computed without an inversion.
			FieldOperations.fe_sq(out vCubed, ref v);
			FieldOperations.fe_mul(out vCubed, ref vCubed, ref v);
			FieldOperations.fe_sq(out h.X, ref vCubed);
			FieldOperations.fe_mul(out h.X, ref h.X, ref v);
			FieldOperations.fe_mul(out h.X, ref h.X, ref u);
			FieldOperations.fe_pow22523(out h.X, ref h.X);
			FieldOperations.fe_mul(out h.X, ref h.X, ref vCubed);
			FieldOperations.fe_mul(out h.X, ref h.X, ref u);

			// v*x^2 must be u (done) or -u (fix up with sqrt(-1)); anything
			// else means the encoding is not a curve point.
			FieldOperations.fe_sq(out vx2, ref h.X);
			FieldOperations.fe_mul(out vx2, ref vx2, ref v);
			FieldOperations.fe_sub(out check, ref vx2, ref u);
			if (FieldOperations.fe_isnonzero(ref check) != 0)
			{
				FieldOperations.fe_add(out check, ref vx2, ref u);
				if (FieldOperations.fe_isnonzero(ref check) != 0)
				{
					h = default(GroupElementP3);
					return -1;
				}
				FieldOperations.fe_mul(out h.X, ref h.X, ref LookupTables.sqrtm1);
			}

			// Negated point: flip x when its sign equals the encoded sign bit.
			var encodedSign = data[offset + 31] >> 7;
			if (FieldOperations.fe_isnegative(ref h.X) == encodedSign)
			{
				FieldOperations.fe_neg(out h.X, ref h.X);
			}

			FieldOperations.fe_mul(out h.T, ref h.X, ref h.Y);
			return 0;
		}
        /*
         * Fills r with the cached odd multiples s, 3s, 5s, ..., 15s of s --
         * the table ge_double_scalarmult_precomp_vartime hands to the
         * double-scalar multiplication for its first scalar.
         *
         * Throws ArgumentNullException when r is null and
         * ArgumentOutOfRangeException when r does not hold exactly 8 items.
         */
        public static void ge_dsm_precomp(GroupElementCached[] r, ref GroupElementP3 s)
        {
            if (r == null)
            {
                throw new ArgumentNullException(nameof(r));
            }

            if (r.Length != 8)
            {
                throw new ArgumentOutOfRangeException(nameof(r), "Expected exactly 8 items");
            }

            GroupElementP1P1 completed;
            GroupElementP3 twoS;
            GroupElementP3 next;

            // r[0] = s; 2s is the stride between consecutive entries.
            ge_p3_to_cached(out r[0], ref s);
            ge_p3_dbl(out completed, ref s);
            ge_p1p1_to_p3(out twoS, ref completed);

            // r[k+1] = r[k] + 2s.
            for (int k = 0; k < 7; k++)
            {
                ge_add(out completed, ref twoS, ref r[k]);
                ge_p1p1_to_p3(out next, ref completed);
                ge_p3_to_cached(out r[k + 1], ref next);
            }
        }
		/*
		r = p - q

		Mixed subtraction of a precomputed point q from the extended point p,
		producing a completed (P1P1) point.
		*/
		public static void ge_msub(out GroupElementP1P1 r, ref  GroupElementP3 p, ref  GroupElementPreComp q)
		{
			// Scratch field element for the 2*Z1 term.
			FieldElement t0;
 /*
  * r = p
  *
  * P3 -> P2 projection: keeps X, Y and Z and drops the extended T
  * coordinate.
  */
 public static void ge_p3_to_p2(out GroupElementP2 r, ref GroupElementP3 p)
 {
     r.Z = p.Z;
     r.Y = p.Y;
     r.X = p.X;
 }
		/*
		r = 2 * p

		Doubling via the P2 formula: the T coordinate of p is not needed, so
		p is projected to P2 first and ge_p2_dbl does the actual work.
		*/
		public static void ge_p3_dbl(out GroupElementP1P1 r, ref GroupElementP3 p)
		{
			// (X : Y : Z) only.
			GroupElementP2 xyz;
			ge_p3_to_p2(out xyz, ref p);

			ge_p2_dbl(out r, ref xyz);
		}
		/*
		r = p

		Forgets the T coordinate of an extended point; X, Y and Z are
		copied unchanged.
		*/
		public static void ge_p3_to_p2(out GroupElementP2 r, ref GroupElementP3 p)
		{
			r.Y = p.Y;
			r.Z = p.Z;
			r.X = p.X;
		}
		/*
		r = p + q

		Adds a cached point q to an extended point p, producing a completed
		(P1P1) point.
		*/

		internal static void ge_add(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q)
		{
			// Scratch field element for the 2*Z1*Z2 term.
			FieldElement t0;
		/*
		r = p + q

		Adds a cached point q to an extended point p, giving a completed
		(P1P1) point. Follows the qhasm dataflow: A = (Y1+X1)*(Y2+X2),
		B = (Y1-X1)*(Y2-X2), C = T2d2*T1, D = 2*Z1*Z2, then
		X3 = A-B, Y3 = A+B, Z3 = D+C, T3 = D-C. Each intermediate gets its
		own temporary instead of being staged in r's fields.
		*/

		internal static void ge_add(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q)
		{
			FieldElement ypx1, ymx1;   // Y1+X1, Y1-X1
			FieldElement zz;           // Z1*Z2
			FieldElement a, b, c, d;

			FieldOperations.fe_add(out ypx1, ref p.Y, ref p.X);
			FieldOperations.fe_sub(out ymx1, ref p.Y, ref p.X);

			FieldOperations.fe_mul(out a, ref ypx1, ref q.YplusX);   // A = YpX1*YpX2
			FieldOperations.fe_mul(out b, ref ymx1, ref q.YminusX);  // B = YmX1*YmX2
			FieldOperations.fe_mul(out c, ref q.T2d, ref p.T);       // C = T2d2*T1
			FieldOperations.fe_mul(out zz, ref p.Z, ref q.Z);        // ZZ = Z1*Z2
			FieldOperations.fe_add(out d, ref zz, ref zz);           // D = 2*ZZ

			FieldOperations.fe_sub(out r.X, ref a, ref b);   // X3 = A-B
			FieldOperations.fe_add(out r.Y, ref a, ref b);   // Y3 = A+B
			FieldOperations.fe_add(out r.Z, ref d, ref c);   // Z3 = D+C
			FieldOperations.fe_sub(out r.T, ref d, ref c);   // T3 = D-C
		}
        /*
         * r3 = a * A
         * where a = a[0]+256*a[1]+...+256^31 a[31].
         *
         * Precondition (from the range comments on the recoding below):
         * a[31] <= 127, so that the top digit e[63] stays in 0..8. A larger
         * top byte makes babs exceed 8, no table entry is selected by the
         * cmov chain and the result is silently wrong.
         *
         * The recoding and the table lookup are written branch-free (carry
         * arithmetic, a cmov over every table entry, conditional negation
         * via a mask), i.e. in the shape of a constant-time scalar
         * multiplication. Whether it really is constant-time also depends on
         * negative(), equal() and ge_cached_cmov(), which are defined
         * elsewhere -- confirm before relying on it with a secret scalar.
         */
        public static void ge_scalarmult_p3(out GroupElementP3 r3, byte[] a, ref GroupElementP3 A)
        {
            sbyte[] e = new sbyte[64];
            int carry, carry2, i;

            GroupElementCached[] Ai = new GroupElementCached[8]; /* 1 * A, 2 * A, ..., 8 * A */
            GroupElementP1P1 t;
            GroupElementP3 u;
            GroupElementP2 r;

            // Signed radix-16 recoding of a: two digits in -8..7 per byte,
            // with the carry folded into the next byte. The loop stops at
            // a[30]; a[31] is handled on its own because nothing follows it
            // to absorb a carry.
            carry = 0; /* 0..1 */
            for (i = 0; i < 31; i++)
            {
                carry += a[i];                                 /* 0..256 */
                carry2 = (carry + 8) >> 4;                     /* 0..16 */
                e[2 * i] = (sbyte)(carry - (carry2 << 4));     /* -8..7 */
                carry = (carry2 + 8) >> 4;                     /* 0..1 */
                e[2 * i + 1] = (sbyte)(carry2 - (carry << 4)); /* -8..7 */
            }
            carry += a[31];                                    /* 0..128 */
            carry2 = (carry + 8) >> 4;                         /* 0..8 */
            e[62] = (sbyte)(carry - (carry2 << 4));            /* -8..7 */
            e[63] = (sbyte)carry2;                             /* 0..8 */

            // Ai[k] = (k+1) * A.
            ge_p3_to_cached(out Ai[0], ref A);
            for (i = 0; i < 7; i++)
            {
                ge_add(out t, ref A, ref Ai[i]);
                ge_p1p1_to_p3(out u, ref t);
                ge_p3_to_cached(out Ai[i + 1], ref u);
            }

            ge_p2_0(out r);
            GroupElementP3 resP3;
            ge_p3_0(out resP3);

            // Most significant digit first: r = 16*r + e[i]*A.
            for (i = 63; i >= 0; i--)
            {
                sbyte b = e[i];
                byte bnegative = negative(b);
                // |b| without a branch, assuming negative() yields 1 for b < 0
                // and 0 otherwise: the mask is then all ones and b - 2b = -b,
                // or all zeros and babs == b.
                byte babs = (byte)(b - (((-bnegative) & b) << 1));
                GroupElementCached cur, minuscur;

                // r = 16*r, finishing in P3 so it can be the first ge_add operand.
                for (int k = 0; k < 3; k++)
                {
                    ge_p2_dbl(out t, ref r);
                    ge_p1p1_to_p2(out r, ref t);
                }
                ge_p2_dbl(out t, ref r);
                ge_p1p1_to_p3(out u, ref t);

                // Fixed-shape table lookup: every entry is visited, only the
                // one with index babs-1 is copied; babs == 0 leaves the
                // neutral element in cur.
                ge_cached_0(out cur);
                for (int k = 0; k < 8; k++)
                {
                    ge_cached_cmov(ref cur, ref Ai[k], equal(babs, (byte)(k + 1)));
                }

                // -cur: swap Y+X with Y-X and negate T2d, then select it when
                // the digit was negative.
                FieldOperations.fe_copy(out minuscur.YplusX, ref cur.YminusX);
                FieldOperations.fe_copy(out minuscur.YminusX, ref cur.YplusX);
                FieldOperations.fe_copy(out minuscur.Z, ref cur.Z);
                FieldOperations.fe_neg(out minuscur.T2d, ref cur.T2d);
                ge_cached_cmov(ref cur, ref minuscur, bnegative);

                ge_add(out t, ref u, ref cur);
                if (i == 0)
                {
                    // Last digit: keep the full extended result.
                    ge_p1p1_to_p3(out resP3, ref t);
                }
                else
                {
                    ge_p1p1_to_p2(out r, ref t);
                }
            }

            r3 = resP3;
        }
        /*
         * r = a * A + b * B, where the cached table Bi stands in for the
         * second point (presumably its odd multiples, mirroring what
         * ge_dsm_precomp builds for A).
         *
         * Named _vartime like its callee: treat the running time as dependent
         * on a and b, and use it only with public scalars (e.g. signature
         * verification).
         */
        public static void ge_double_scalarmult_precomp_vartime(out GroupElementP2 r, byte[] a, GroupElementP3 A, byte[] b, GroupElementCached[] Bi)
        {
            // A is passed by value, so handing it to ge_dsm_precomp by ref
            // cannot disturb the caller's copy.
            var oddMultiplesOfA = new GroupElementCached[8]; /* A, 3A, 5A, 7A, 9A, 11A, 13A, 15A */
            ge_dsm_precomp(oddMultiplesOfA, ref A);

            ge_double_scalarmult_precomp_vartime2(out r, a, oddMultiplesOfA, b, Bi);
        }
        /*
         *      r = a * A + b * B
         *      where a = a[0]+256*a[1]+...+256^31 a[31].
         *      and b = b[0]+256*b[1]+...+256^31 b[31].
         *      B is the Ed25519 base point (x,4/5) with x positive.
         *
         * Variable time: the per-position loop below branches on the signed
         * digits of a and b and skips their leading zeros, so its duration
         * depends on both scalars. Only use it with public scalars
         * (signature verification); never with a private key or nonce.
         */

        internal static void ge_double_scalarmult_vartime(out GroupElementP2 r, byte[] a, ref GroupElementP3 A, byte[] b)
        {
            GroupElementPreComp[] Bi = LookupTables.Base2;
            // todo: Perhaps remove these allocations?
            sbyte[] aslide = new sbyte[256];
            sbyte[] bslide = new sbyte[256];
            GroupElementCached[] Ai = new GroupElementCached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
            GroupElementP1P1 t;
            GroupElementP3 u;
            GroupElementP3 A2;

            slide(aslide, a);
            slide(bslide, b);

            // Ai[k] = (2k+1)*A: start from A, step by 2A.
            ge_p3_to_cached(out Ai[0], ref A);
            ge_p3_dbl(out t, ref A);
            ge_p1p1_to_p3(out A2, ref t);
            for (int k = 1; k < 8; ++k)
            {
                ge_add(out t, ref A2, ref Ai[k - 1]);
                ge_p1p1_to_p3(out u, ref t);
                ge_p3_to_cached(out Ai[k], ref u);
            }

            ge_p2_0(out r);

            // Highest position where either scalar has a non-zero digit
            // (-1 when both are zero, in which case r stays neutral).
            int top = 255;
            while (top >= 0 && aslide[top] == 0 && bslide[top] == 0)
            {
                --top;
            }

            for (int i = top; i >= 0; --i)
            {
                // r = 2*r, then add the digit contributions of a and b.
                ge_p2_dbl(out t, ref r);

                if (aslide[i] != 0)
                {
                    ge_p1p1_to_p3(out u, ref t);
                    if (aslide[i] > 0)
                    {
                        ge_add(out t, ref u, ref Ai[aslide[i] / 2]);
                    }
                    else
                    {
                        ge_sub(out t, ref u, ref Ai[(-aslide[i]) / 2]);
                    }
                }

                if (bslide[i] != 0)
                {
                    ge_p1p1_to_p3(out u, ref t);
                    if (bslide[i] > 0)
                    {
                        ge_madd(out t, ref u, ref Bi[bslide[i] / 2]);
                    }
                    else
                    {
                        ge_msub(out t, ref u, ref Bi[(-bslide[i]) / 2]);
                    }
                }

                ge_p1p1_to_p2(out r, ref t);
            }
        }
        /*
         *      r = p + q
         *
         * Extended + cached addition with a completed (P1P1) result. The
         * qhasm dataflow is kept but every intermediate lives in its own
         * temporary: A = (Y1+X1)*(Y2+X2), B = (Y1-X1)*(Y2-X2), C = T2d2*T1,
         * D = 2*Z1*Z2, X3 = A-B, Y3 = A+B, Z3 = D+C, T3 = D-C.
         */

        internal static void ge_add(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q)
        {
            FieldElement sumYX, diffYX;
            FieldElement prodA, prodB, prodC;
            FieldElement zz, twoZZ;

            FieldOperations.fe_add(out sumYX, ref p.Y, ref p.X);
            FieldOperations.fe_sub(out diffYX, ref p.Y, ref p.X);

            FieldOperations.fe_mul(out prodA, ref sumYX, ref q.YplusX);
            FieldOperations.fe_mul(out prodB, ref diffYX, ref q.YminusX);
            FieldOperations.fe_mul(out prodC, ref q.T2d, ref p.T);

            // The cached point carries its own Z, hence the extra product
            // compared with ge_madd.
            FieldOperations.fe_mul(out zz, ref p.Z, ref q.Z);
            FieldOperations.fe_add(out twoZZ, ref zz, ref zz);

            FieldOperations.fe_sub(out r.X, ref prodA, ref prodB);
            FieldOperations.fe_add(out r.Y, ref prodA, ref prodB);
            FieldOperations.fe_add(out r.Z, ref twoZZ, ref prodC);
            FieldOperations.fe_sub(out r.T, ref twoZZ, ref prodC);
        }
		/*
		r = p - q

		Subtracts a cached point q from an extended point p, producing a
		completed (P1P1) point.
		*/

		public static void ge_sub(out GroupElementP1P1 r, ref  GroupElementP3 p, ref  GroupElementCached q)
		{
			// Scratch field element for the 2*Z1*Z2 term.
			FieldElement t0;