public static void ge_montx_to_p2(Ge_p2 p, int[] u, byte ed_sign_bit)
{
int[] x = new int[10];
int[] y = new int[10];
int[] A = new int[10];
int[] v = new int[10];
int[] v2 = new int[10];
int[] iv = new int[10];
int[] nx = new int[10];
Fe_frombytes.fe_frombytes(A, A_bytes);
/* given u, recover edwards y */
/* given u, recover v */
/* given u and v, recover edwards x */
Fe_montx_to_edy.fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */
Fe_mont_rhs.fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */
Fe_sqrt.fe_sqrt(v, v2); /* v = sqrt(v^2) */
Fe_mul.fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */
Fe_invert.fe_invert(iv, v); /* 1/v */
Fe_mul.fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */
Fe_neg.fe_neg(nx, x); /* negate x to match sign bit */
Fe_cmov.fe_cmov(x, nx, Fe_isnegative.fe_isnegative(x) ^ ed_sign_bit);
Fe_copy.fe_copy(p.X, x);
Fe_copy.fe_copy(p.Y, y);
Fe_1.fe_1(p.Z);
/* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */
/* -x^2 + y^2 = 1 + dx^2y^2 */
//#ifndef NDEBUG
//{
//fe one, d, x2, y2, x2y2, dx2y2;
//
//unsigned char dbytes[32] = {
//0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
//0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
//0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
//0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
//};
//
//fe_frombytes(d, dbytes);
//fe_1(one);
//fe_sq(x2, p->X); /* x^2 */
//fe_sq(y2, p->Y); /* y^2 */
//
//fe_mul(dx2y2, x2, y2); /* x^2y^2 */
//fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */
//fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */
//fe_neg(x2y2, x2); /* -x^2 */
//fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */
//
//assert(fe_isequal(x2y2, dx2y2));
//}
//#endif
}
public static void select(Ge_cached t, Ge_cached[] pre, byte b)
{
Ge_cached minust = new Ge_cached();
int bnegative = negative((sbyte)b);
int babs = b - (((-bnegative) & b) << 1);
Fe_1.fe_1(t.YplusX);
Fe_1.fe_1(t.YminusX);
Fe_1.fe_1(t.Z);
Fe_1.fe_1(t.Z);
Fe_0.fe_0(t.T2d);
cmov(t, pre[0], equal((byte)babs, 1));
cmov(t, pre[1], equal((byte)babs, 2));
cmov(t, pre[2], equal((byte)babs, 3));
cmov(t, pre[3], equal((byte)babs, 4));
cmov(t, pre[4], equal((byte)babs, 5));
cmov(t, pre[5], equal((byte)babs, 6));
cmov(t, pre[6], equal((byte)babs, 7));
cmov(t, pre[7], equal((byte)babs, 8));
Fe_copy.fe_copy(minust.YplusX, t.YminusX);
Fe_copy.fe_copy(minust.YminusX, t.YplusX);
Fe_copy.fe_copy(minust.Z, t.Z);
Fe_neg.fe_neg(minust.T2d, t.T2d);
cmov(t, minust, bnegative);
}
/*
* return r = -p
*/
public static void ge_neg(Ge_p3 r, Ge_p3 p)
{
Fe_neg.fe_neg(r.X, p.X);
Fe_copy.fe_copy(r.Y, p.Y);
Fe_copy.fe_copy(r.Z, p.Z);
Fe_neg.fe_neg(r.T, p.T);
}
public static void ge_p3_to_cached(Ge_cached r, Ge_p3 p)
{
Fe_add.fe_add(r.YplusX, p.Y, p.X);
Fe_sub.fe_sub(r.YminusX, p.Y, p.X);
Fe_copy.fe_copy(r.Z, p.Z);
Fe_mul.fe_mul(r.T2d, p.T, d2);
}
/* Preconditions: a is square or zero */
public static void fe_sqrt(int[] iOut, int[] a)
{
int[] exp = new int[10];
int[] b = new int[10];
int[] b2 = new int[10];
int[] bi = new int[10];
int[] i = new int[10];
Fe_frombytes.fe_frombytes(i, i_bytes);
Fe_pow22523.fe_pow22523(exp, a); /* b = a^(q-5)/8 */
/* PRECONDITION: legendre symbol == 1 (square) or 0 (a == zero) */
//#ifndef NDEBUG
//fe legendre, zero, one;
//fe_sq(legendre, exp); /* in^((q-5)/4) */
//fe_sq(legendre, legendre); /* in^((q-5)/2) */
//fe_mul(legendre, legendre, a); /* in^((q-3)/2) */
//fe_mul(legendre, legendre, a); /* in^((q-1)/2) */
//fe_0(zero);
//fe_1(one);
//assert(fe_isequal(legendre, zero) || fe_isequal(legendre, one));
//#endif
Fe_mul.fe_mul(b, a, exp); /* b = a * a^(q-5)/8 */
Fe_sq.fe_sq(b2, b); /* b^2 = a * a^(q-1)/4 */
/* note b^4 == a^2, so b^2 == a or -a
* if b^2 != a, multiply it by sqrt(-1) */
Fe_mul.fe_mul(bi, b, i);
Fe_cmov.fe_cmov(b, bi, 1 ^ Fe_isequal.fe_isequal(b2, a));
Fe_copy.fe_copy(iOut, b);
/* PRECONDITION: out^2 == a */
//#ifndef NDEBUG
//fe_sq(b2, out);
//assert(fe_isequal(a, b2));
//#endif
}
static void select(Ge_precomp t, int pos, byte b)
{
Ge_precomp[,] gepc_base = (pos <= 7 ? Ge_precomp_base_0_7.gepc_base :
(pos <= 15 ? Ge_precomp_base_8_15.gepc_base :
(pos <= 23 ? Ge_precomp_base_16_23.gepc_base : Ge_precomp_base_24_31.gepc_base)));
Ge_precomp minust = new Ge_precomp();
int bnegative = negative((sbyte)b);
int babs = b - (((-bnegative) & b) << 1);
Ge_precomp_0.ge_precomp_0(t);
cmov(t, gepc_base[pos, 0], equal((byte)babs, (byte)1));
cmov(t, gepc_base[pos, 1], equal((byte)babs, (byte)2));
cmov(t, gepc_base[pos, 2], equal((byte)babs, (byte)3));
cmov(t, gepc_base[pos, 3], equal((byte)babs, (byte)4));
cmov(t, gepc_base[pos, 4], equal((byte)babs, (byte)5));
cmov(t, gepc_base[pos, 5], equal((byte)babs, (byte)6));
cmov(t, gepc_base[pos, 6], equal((byte)babs, (byte)7));
cmov(t, gepc_base[pos, 7], equal((byte)babs, (byte)8));
Fe_copy.fe_copy(minust.yplusx, t.yminusx);
Fe_copy.fe_copy(minust.yminusx, t.yplusx);
Fe_neg.fe_neg(minust.xy2d, t.xy2d);
cmov(t, minust, bnegative);
}
//CONVERT #include "ge.h"
/*
* r = p
*/
public static void ge_p3_to_p2(Ge_p2 r, Ge_p3 p)
{
Fe_copy.fe_copy(r.X, p.X);
Fe_copy.fe_copy(r.Y, p.Y);
Fe_copy.fe_copy(r.Z, p.Z);
}
//CONVERT #include "crypto_scalarmult.h"
//CONVERT #include "fe.h"
public static int crypto_scalarmult(byte[] q,
byte[] n,
byte[] p)
{
byte[] e = new byte[32];
int i;
int[] x1 = new int[10];
int[] x2 = new int[10];
int[] z2 = new int[10];
int[] x3 = new int[10];
int[] z3 = new int[10];
int[] tmp0 = new int[10];
int[] tmp1 = new int[10];
int pos;
int swap;
int b;
for (i = 0; i < 32; ++i)
{
e[i] = n[i];
}
// e[0] &= 248;
// e[31] &= 127;
// e[31] |= 64;
Fe_frombytes.fe_frombytes(x1, p);
Fe_1.fe_1(x2);
Fe_0.fe_0(z2);
Fe_copy.fe_copy(x3, x1);
Fe_1.fe_1(z3);
swap = 0;
for (pos = 254; pos >= 0; --pos)
{
b = (int)(((uint)e[pos / 8]) >> (pos & 7));
b &= 1;
swap ^= b;
Fe_cswap.fe_cswap(x2, x3, swap);
Fe_cswap.fe_cswap(z2, z3, swap);
swap = b;
//CONVERT #include "montgomery.h"
/* qhasm: fe X2 */
/* qhasm: fe Z2 */
/* qhasm: fe X3 */
/* qhasm: fe Z3 */
/* qhasm: fe X4 */
/* qhasm: fe Z4 */
/* qhasm: fe X5 */
/* qhasm: fe Z5 */
/* qhasm: fe A */
/* qhasm: fe B */
/* qhasm: fe C */
/* qhasm: fe D */
/* qhasm: fe E */
/* qhasm: fe AA */
/* qhasm: fe BB */
/* qhasm: fe DA */
/* qhasm: fe CB */
/* qhasm: fe t0 */
/* qhasm: fe t1 */
/* qhasm: fe t2 */
/* qhasm: fe t3 */
/* qhasm: fe t4 */
/* qhasm: enter ladder */
/* qhasm: D = X3-Z3 */
/* asm 1: fe_sub.fe_sub(>D=fe#5,<X3=fe#3,<Z3=fe#4); */
/* asm 2: fe_sub.fe_sub(>D=tmp0,<X3=x3,<Z3=z3); */
Fe_sub.fe_sub(tmp0, x3, z3);
/* qhasm: B = X2-Z2 */
/* asm 1: fe_sub.fe_sub(>B=fe#6,<X2=fe#1,<Z2=fe#2); */
/* asm 2: fe_sub.fe_sub(>B=tmp1,<X2=x2,<Z2=z2); */
Fe_sub.fe_sub(tmp1, x2, z2);
/* qhasm: A = X2+Z2 */
/* asm 1: fe_add.fe_add(>A=fe#1,<X2=fe#1,<Z2=fe#2); */
/* asm 2: fe_add.fe_add(>A=x2,<X2=x2,<Z2=z2); */
Fe_add.fe_add(x2, x2, z2);
/* qhasm: C = X3+Z3 */
/* asm 1: fe_add.fe_add(>C=fe#2,<X3=fe#3,<Z3=fe#4); */
/* asm 2: fe_add.fe_add(>C=z2,<X3=x3,<Z3=z3); */
Fe_add.fe_add(z2, x3, z3);
/* qhasm: DA = D*A */
/* asm 1: fe_mul.fe_mul(>DA=fe#4,<D=fe#5,<A=fe#1); */
/* asm 2: fe_mul.fe_mul(>DA=z3,<D=tmp0,<A=x2); */
Fe_mul.fe_mul(z3, tmp0, x2);
/* qhasm: CB = C*B */
/* asm 1: fe_mul.fe_mul(>CB=fe#2,<C=fe#2,<B=fe#6); */
/* asm 2: fe_mul.fe_mul(>CB=z2,<C=z2,<B=tmp1); */
Fe_mul.fe_mul(z2, z2, tmp1);
/* qhasm: BB = B^2 */
/* asm 1: fe_sq.fe_sq(>BB=fe#5,<B=fe#6); */
/* asm 2: fe_sq.fe_sq(>BB=tmp0,<B=tmp1); */
Fe_sq.fe_sq(tmp0, tmp1);
/* qhasm: AA = A^2 */
/* asm 1: fe_sq.fe_sq(>AA=fe#6,<A=fe#1); */
/* asm 2: fe_sq.fe_sq(>AA=tmp1,<A=x2); */
Fe_sq.fe_sq(tmp1, x2);
/* qhasm: t0 = DA+CB */
/* asm 1: fe_add.fe_add(>t0=fe#3,<DA=fe#4,<CB=fe#2); */
/* asm 2: fe_add.fe_add(>t0=x3,<DA=z3,<CB=z2); */
Fe_add.fe_add(x3, z3, z2);
/* qhasm: assign x3 to t0 */
/* qhasm: t1 = DA-CB */
/* asm 1: fe_sub.fe_sub(>t1=fe#2,<DA=fe#4,<CB=fe#2); */
/* asm 2: fe_sub.fe_sub(>t1=z2,<DA=z3,<CB=z2); */
Fe_sub.fe_sub(z2, z3, z2);
/* qhasm: X4 = AA*BB */
/* asm 1: fe_mul.fe_mul(>X4=fe#1,<AA=fe#6,<BB=fe#5); */
/* asm 2: fe_mul.fe_mul(>X4=x2,<AA=tmp1,<BB=tmp0); */
Fe_mul.fe_mul(x2, tmp1, tmp0);
/* qhasm: E = AA-BB */
/* asm 1: fe_sub.fe_sub(>E=fe#6,<AA=fe#6,<BB=fe#5); */
/* asm 2: fe_sub.fe_sub(>E=tmp1,<AA=tmp1,<BB=tmp0); */
Fe_sub.fe_sub(tmp1, tmp1, tmp0);
/* qhasm: t2 = t1^2 */
/* asm 1: fe_sq.fe_sq(>t2=fe#2,<t1=fe#2); */
/* asm 2: fe_sq.fe_sq(>t2=z2,<t1=z2); */
Fe_sq.fe_sq(z2, z2);
/* qhasm: t3 = a24*E */
/* asm 1: fe_mul121666(>t3=fe#4,<E=fe#6); */
/* asm 2: fe_mul121666(>t3=z3,<E=tmp1); */
Fe_mul121666.fe_mul121666(z3, tmp1);
/* qhasm: X5 = t0^2 */
/* asm 1: fe_sq.fe_sq(>X5=fe#3,<t0=fe#3); */
/* asm 2: fe_sq.fe_sq(>X5=x3,<t0=x3); */
Fe_sq.fe_sq(x3, x3);
/* qhasm: t4 = BB+t3 */
/* asm 1: fe_add.fe_add(>t4=fe#5,<BB=fe#5,<t3=fe#4); */
/* asm 2: fe_add.fe_add(>t4=tmp0,<BB=tmp0,<t3=z3); */
Fe_add.fe_add(tmp0, tmp0, z3);
/* qhasm: Z5 = X1*t2 */
/* asm 1: fe_mul.fe_mul(>Z5=fe#4,x1,<t2=fe#2); */
/* asm 2: fe_mul.fe_mul(>Z5=z3,x1,<t2=z2); */
Fe_mul.fe_mul(z3, x1, z2);
/* qhasm: Z4 = E*t4 */
/* asm 1: fe_mul.fe_mul(>Z4=fe#2,<E=fe#6,<t4=fe#5); */
/* asm 2: fe_mul.fe_mul(>Z4=z2,<E=tmp1,<t4=tmp0); */
Fe_mul.fe_mul(z2, tmp1, tmp0);
/* qhasm: return */
}
Fe_cswap.fe_cswap(x2, x3, swap);
Fe_cswap.fe_cswap(z2, z3, swap);
Fe_invert.fe_invert(z2, z2);
Fe_mul.fe_mul(x2, x2, z2);
Fe_tobytes.fe_tobytes(q, x2);
return(0);
}
