Пример #1
        /*
         *      r = p
         */

        /// <summary>
        /// Re-expresses the point <paramref name="p"/> (P3 form) in cached form: r = p.
        /// </summary>
        /// <param name="r">Receives Y+X, Y-X, a copy of Z, and T multiplied by <c>LookupTables.D2</c>.</param>
        /// <param name="p">Source point; its fields are only read.</param>
        private static void P3ToCached(out GroupElementCached r, ref GroupElementP3 p)
        {
            // Z is carried over as-is.
            r.Z = p.Z;

            // Difference and sum of the Y and X coordinates.
            FieldOperations.Subtract(out r.YminusX, ref p.Y, ref p.X);
            FieldOperations.Add(out r.YplusX, ref p.Y, ref p.X);

            // T scaled by the D2 table constant (presumably 2*d of the curve equation; confirm in LookupTables).
            FieldOperations.Multiplication(out r.T2d, ref p.T, ref LookupTables.D2);
        }
Пример #2
 /*
  * r = p
  */
 /// <summary>
 /// Fills <paramref name="r"/> with the cached form of the P3 point <paramref name="p"/>: r = p.
 /// </summary>
 /// <param name="r">Receives Y+X, Y-X, a copy of Z, and T multiplied by the <c>LookupTables.d2</c> constant.</param>
 /// <param name="p">Source point; its fields are only read.</param>
 public static void ge_p3_to_cached(out GroupElementCached r, ref GroupElementP3 p)
 {
     // Z needs no arithmetic.
     r.Z = p.Z;

     // Y-X and Y+X.
     stellar_dotnet_sdk.chaos.nacl.Internal.Ed25519Ref10.FieldOperations.fe_sub(out r.YminusX, ref p.Y, ref p.X);
     stellar_dotnet_sdk.chaos.nacl.Internal.Ed25519Ref10.FieldOperations.fe_add(out r.YplusX, ref p.Y, ref p.X);

     // T times d2 (presumably 2*d of the curve equation; confirm in LookupTables).
     stellar_dotnet_sdk.chaos.nacl.Internal.Ed25519Ref10.FieldOperations.fe_mul(
         out r.T2d,
         ref p.T,
         ref stellar_dotnet_sdk.chaos.nacl.Internal.Ed25519Ref10.LookupTables.d2);
 }
Пример #3
 /*
  * r = p
  */
 /// <summary>
 /// Writes the cached form of the P3 point <paramref name="p"/> into <paramref name="r"/>: r = p.
 /// </summary>
 /// <param name="r">Receives Y+X, Y-X, a copy of Z, and T multiplied by <c>LookupTables.d2</c>.</param>
 /// <param name="p">Source point; its fields are only read.</param>
 internal static void ge_p3_to_cached(out GroupElementCached r, ref GroupElementP3 p)
 {
     // T times the d2 table constant (presumably 2*d of the curve equation; confirm in LookupTables).
     FieldOperations.fe_mul(out r.T2d, ref p.T, ref LookupTables.d2);

     // Z is copied unchanged.
     r.Z = p.Z;

     // Y-X and Y+X.
     FieldOperations.fe_sub(out r.YminusX, ref p.Y, ref p.X);
     FieldOperations.fe_add(out r.YplusX, ref p.Y, ref p.X);
 }
Пример #4
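        /// <summary>
        /// Builds a ring signature over <paramref name="msg"/> for the ring <paramref name="publicKeys"/>,
        /// where the signer owns the key at position <paramref name="index"/>.
        /// </summary>
        /// <param name="msg">Bytes fed into the Keccak-256 challenge hash first.</param>
        /// <param name="keyImage">Encoded key image; decoded with <c>ge_frombytes</c>.</param>
        /// <param name="publicKeys">Ring members; one (C, R) pair is produced per entry.</param>
        /// <param name="secretKey">Signer's secret scalar, used only in the final <c>sc_mulsub</c>.</param>
        /// <param name="index">Position of the signer's key inside <paramref name="publicKeys"/>.</param>
        /// <returns>One <see cref="RingSignature"/> per ring member, in ring order.</returns>
        /// <exception cref="System.ArgumentNullException">A required array argument is null.</exception>
        /// <exception cref="System.ArgumentOutOfRangeException"><paramref name="index"/> is outside the ring.</exception>
        public RingSignature[] Sign(byte[] msg, byte[] keyImage, IKey[] publicKeys, byte[] secretKey, int index)
        {
            // Fail fast: previously a bad index was only noticed after every decoy response had been
            // generated, and surfaced as an IndexOutOfRangeException from signatures[index].
            if (keyImage == null)
            {
                throw new System.ArgumentNullException(nameof(keyImage));
            }

            if (publicKeys == null)
            {
                throw new System.ArgumentNullException(nameof(publicKeys));
            }

            if (secretKey == null)
            {
                throw new System.ArgumentNullException(nameof(secretKey));
            }

            if (index < 0 || index >= publicKeys.Length)
            {
                throw new System.ArgumentOutOfRangeException(nameof(index));
            }

            RingSignature[] signatures = new RingSignature[publicKeys.Length];

            byte[][] pubs = publicKeys.Select(pk => pk.Value.ToArray()).ToArray();

            // NOTE(review): if ge_frombytes reports a decode failure through its return value, that
            // result is discarded here (and for pubs[i] below) - confirm inputs are validated elsewhere.
            GroupOperations.ge_frombytes(out GroupElementP3 keyImageP3, keyImage, 0);
            GroupElementCached[] image_pre = new GroupElementCached[8];
            GroupOperations.ge_dsm_precomp(image_pre, ref keyImageP3);

            byte[] sum = new byte[32];

            // One-time nonce of the real signer. Together with the published (C, R) pair it would
            // determine secretKey, so it is wiped in the finally block below.
            byte[] k = null;

            try
            {
                IHash hasher = HashFactory.Crypto.SHA3.CreateKeccak256();

                hasher.TransformBytes(msg);

                for (int i = 0; i < publicKeys.Length; i++)
                {
                    signatures[i] = new RingSignature();

                    // NOTE(review): the two branches do different work, so timing depends on the
                    // signer's position in the ring.
                    if (i == index)
                    {
                        // Real signer: commit to k*G and k*Hash2Point(P_i).
                        k = GetRandomSeed(true);
                        GroupOperations.ge_scalarmult_base(out GroupElementP3 tmp3, k, 0);
                        byte[] tmp3bytes = new byte[32];
                        GroupOperations.ge_p3_tobytes(tmp3bytes, 0, ref tmp3);
                        hasher.TransformBytes(tmp3bytes);
                        tmp3 = Hash2Point(pubs[i]);
                        GroupOperations.ge_scalarmult(out GroupElementP2 tmp2, k, ref tmp3);
                        byte[] tmp2bytes = new byte[32];
                        GroupOperations.ge_tobytes(tmp2bytes, 0, ref tmp2);
                        hasher.TransformBytes(tmp2bytes);
                    }
                    else
                    {
                        // Decoy: pick C and R at random and hash the two points they imply.
                        signatures[i].C = GetRandomSeed(true);
                        signatures[i].R = GetRandomSeed(true);
                        GroupOperations.ge_frombytes(out GroupElementP3 tmp3, pubs[i], 0);
                        GroupOperations.ge_double_scalarmult_vartime(out GroupElementP2 tmp2, signatures[i].C, ref tmp3, signatures[i].R);
                        byte[] tmp2bytes = new byte[32];
                        GroupOperations.ge_tobytes(tmp2bytes, 0, ref tmp2);
                        hasher.TransformBytes(tmp2bytes);
                        tmp3 = Hash2Point(pubs[i]);
                        GroupOperations.ge_double_scalarmult_precomp_vartime(out tmp2, signatures[i].R, tmp3, signatures[i].C, image_pre);
                        tmp2bytes = new byte[32];
                        GroupOperations.ge_tobytes(tmp2bytes, 0, ref tmp2);
                        hasher.TransformBytes(tmp2bytes);
                        ScalarOperations.sc_add(sum, sum, signatures[i].C);
                    }
                }

                // NOTE(review): h is passed to sc_sub without a prior sc_reduce32; confirm sc_sub
                // accepts an unreduced 32-byte input.
                byte[] h = hasher.TransformFinal().GetBytes();

                // Close the ring: C_index = h - sum(C_decoys), R_index from sc_mulsub(C_index, secretKey, k).
                // NOTE(review): assumes new RingSignature() pre-allocates C and R for the signer's slot.
                ScalarOperations.sc_sub(signatures[index].C, h, sum);
                ScalarOperations.sc_reduce32(signatures[index].C);
                ScalarOperations.sc_mulsub(signatures[index].R, signatures[index].C, secretKey, k);
                ScalarOperations.sc_reduce32(signatures[index].R);

                return signatures;
            }
            finally
            {
                // Best-effort wipe of the nonce; the managed heap gives no guarantee about copies.
                if (k != null)
                {
                    System.Array.Clear(k, 0, k.Length);
                }
            }
        }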
Пример #5
        /*
         *      r = p - q
         */

        /// <summary>
        /// Point subtraction r = p - q, with p in P3 form, q in cached form and the result in P1P1 form.
        /// </summary>
        /// <remarks>
        /// The fields of <paramref name="r"/> double as scratch space (r.X holds Y1+X1, then Z1*Z2,
        /// then the final X3), so the statement order below must not be changed.
        /// </remarks>
        /// <param name="r">Receives the result.</param>
        /// <param name="p">Minuend; only read.</param>
        /// <param name="q">Subtrahend in cached form; only read.</param>
        private static void Subtract(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q)
        {
            /* qhasm: YpX1 = Y1+X1 */
            /* asm 1: Add(>YpX1=fe#1,<Y1=fe#12,<X1=fe#11); */
            /* asm 2: Add(>YpX1=r.X,<Y1=p.Y,<X1=p.X); */
            FieldOperations.Add(out r.X, ref p.Y, ref p.X);

            /* qhasm: YmX1 = Y1-X1 */
            /* asm 1: Subtract(>YmX1=fe#2,<Y1=fe#12,<X1=fe#11); */
            /* asm 2: Subtract(>YmX1=r.Y,<Y1=p.Y,<X1=p.X); */
            FieldOperations.Subtract(out r.Y, ref p.Y, ref p.X);

            /* qhasm: A = YpX1*YmX2 */
            /* asm 1: Multiplication(>A=fe#3,<YpX1=fe#1,<YmX2=fe#16); */
            /* asm 2: Multiplication(>A=r.Z,<YpX1=r.X,<YmX2=q.YminusX); */
            FieldOperations.Multiplication(out r.Z, ref r.X, ref q.YminusX);

            /* qhasm: B = YmX1*YpX2 */
            /* asm 1: Multiplication(>B=fe#2,<YmX1=fe#2,<YpX2=fe#15); */
            /* asm 2: Multiplication(>B=r.Y,<YmX1=r.Y,<YpX2=q.YplusX); */
            FieldOperations.Multiplication(out r.Y, ref r.Y, ref q.YplusX);

            /* qhasm: C = T2d2*T1 */
            /* asm 1: Multiplication(>C=fe#4,<T2d2=fe#18,<T1=fe#14); */
            /* asm 2: Multiplication(>C=r.T,<T2d2=q.T2d,<T1=p.T); */
            FieldOperations.Multiplication(out r.T, ref q.T2d, ref p.T);

            /* qhasm: ZZ = Z1*Z2 */
            /* asm 1: Multiplication(>ZZ=fe#1,<Z1=fe#13,<Z2=fe#17); */
            /* asm 2: Multiplication(>ZZ=r.X,<Z1=p.Z,<Z2=q.Z); */
            // r.X is free again here: YpX1 was consumed when A was computed.
            FieldOperations.Multiplication(out r.X, ref p.Z, ref q.Z);

            /* qhasm: D = 2*ZZ */
            /* asm 1: Add(>D=fe#5,<ZZ=fe#1,<ZZ=fe#1); */
            /* asm 2: Add(>D=t0,<ZZ=r.X,<ZZ=r.X); */
            // D is the only value kept in a local (t0) instead of a field of r.
            FieldOperations.Add(out var t0, ref r.X, ref r.X);

            /* qhasm: X3 = A-B */
            /* asm 1: Subtract(>X3=fe#1,<A=fe#3,<B=fe#2); */
            /* asm 2: Subtract(>X3=r.X,<A=r.Z,<B=r.Y); */
            FieldOperations.Subtract(out r.X, ref r.Z, ref r.Y);

            /* qhasm: Y3 = A+B */
            /* asm 1: Add(>Y3=fe#2,<A=fe#3,<B=fe#2); */
            /* asm 2: Add(>Y3=r.Y,<A=r.Z,<B=r.Y); */
            FieldOperations.Add(out r.Y, ref r.Z, ref r.Y);

            /* qhasm: Z3 = D-C */
            /* asm 1: Subtract(>Z3=fe#3,<D=fe#5,<C=fe#4); */
            /* asm 2: Subtract(>Z3=r.Z,<D=t0,<C=r.T); */
            FieldOperations.Subtract(out r.Z, ref t0, ref r.T);

            /* qhasm: T3 = D+C */
            /* asm 1: Add(>T3=fe#4,<D=fe#5,<C=fe#4); */
            /* asm 2: Add(>T3=r.T,<D=t0,<C=r.T); */
            FieldOperations.Add(out r.T, ref t0, ref r.T);

            /* qhasm: return */
        }
Пример #6
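        /// <summary>
        /// Checks a ring signature: recomputes the Keccak-256 challenge from <paramref name="msg"/> and
        /// the points implied by every (C, R) pair, then tests that the reduced hash equals the sum of all C.
        /// </summary>
        /// <param name="msg">Signed bytes, hashed first.</param>
        /// <param name="keyImage">Encoded key image; decoded with <c>ge_frombytes</c>.</param>
        /// <param name="publicKeys">Ring members, in the order used when signing.</param>
        /// <param name="signatures">One (C, R) pair per ring member.</param>
        /// <returns>
        /// <c>true</c> when the signature equation holds; <c>false</c> when it does not or when the
        /// input is structurally malformed (null arrays, empty ring, length mismatch, missing scalars).
        /// </returns>
        public bool Verify(byte[] msg, byte[] keyImage, IKey[] publicKeys, RingSignature[] signatures)
        {
            // Signature data normally comes from an untrusted peer: reject malformed shapes instead of
            // indexing past the end of signatures[] or dereferencing null.
            if (msg == null || keyImage == null || publicKeys == null || signatures == null)
            {
                return false;
            }

            if (publicKeys.Length == 0 || signatures.Length != publicKeys.Length)
            {
                return false;
            }

            byte[][] pubs = publicKeys.Select(pk => pk.Value.ToArray()).ToArray();

            // NOTE(review): if ge_frombytes reports a decode failure through its return value, that
            // result is discarded here and for pubs[i] below. Nothing visible in this method checks
            // that keyImage is a valid point of the prime-order subgroup either; confirm the caller
            // enforces both before treating a key image as unique.
            GroupOperations.ge_frombytes(out GroupElementP3 image_unp, keyImage, 0);

            GroupElementCached[] image_pre = new GroupElementCached[8];
            GroupOperations.ge_dsm_precomp(image_pre, ref image_unp);
            byte[] sum = new byte[32];

            IHash hasher = HashFactory.Crypto.SHA3.CreateKeccak256();

            hasher.TransformBytes(msg);

            for (int i = 0; i < pubs.Length; i++)
            {
                // The object cast keeps this check valid whether RingSignature is a class or a struct.
                // NOTE(review): the lengths of C and R are not checked here; confirm sc_check does so.
                if ((object)signatures[i] == null || signatures[i].C == null || signatures[i].R == null)
                {
                    return false;
                }

                // Both scalars must pass sc_check (0 means accepted).
                if (ScalarOperations.sc_check(signatures[i].C) != 0 || ScalarOperations.sc_check(signatures[i].R) != 0)
                {
                    return false;
                }

                // First point: double scalar multiplication with C_i on the ring key P_i and R_i.
                GroupOperations.ge_frombytes(out GroupElementP3 tmp3, pubs[i], 0);
                GroupOperations.ge_double_scalarmult_vartime(out GroupElementP2 tmp2, signatures[i].C, ref tmp3, signatures[i].R);
                byte[] tmp2bytes = new byte[32];
                GroupOperations.ge_tobytes(tmp2bytes, 0, ref tmp2);
                hasher.TransformBytes(tmp2bytes);

                // Second point: R_i on Hash2Point(P_i) and C_i on the precomputed key image multiples.
                tmp3 = Hash2Point(pubs[i]);
                GroupOperations.ge_double_scalarmult_precomp_vartime(out tmp2, signatures[i].R, tmp3, signatures[i].C, image_pre);
                tmp2bytes = new byte[32];
                GroupOperations.ge_tobytes(tmp2bytes, 0, ref tmp2);
                hasher.TransformBytes(tmp2bytes);

                ScalarOperations.sc_add(sum, sum, signatures[i].C);
            }

            // Valid iff reduce(hash) - sum(C_i) == 0.
            byte[] h = hasher.TransformFinal().GetBytes();
            ScalarOperations.sc_reduce32(h);
            ScalarOperations.sc_sub(h, h, sum);

            return ScalarOperations.sc_isnonzero(h) == 0;
        }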
Пример #7
        /// <summary>
        /// Computes r = a*A + b*B, where the second point comes from the <c>LookupTables.Base2</c> table
        /// (presumably multiples of the curve base point; confirm in LookupTables).
        /// </summary>
        /// <remarks>
        /// Not constant time: the main loop branches on the recoded digits of <paramref name="a"/> and
        /// <paramref name="b"/> and indexes tables with them. Call it only with scalars that are public,
        /// as in signature verification.
        /// </remarks>
        /// <param name="r">Receives the result in P2 form.</param>
        /// <param name="a">Scalar applied to <paramref name="A"/>.</param>
        /// <param name="A">Variable point; only read.</param>
        /// <param name="b">Scalar applied to the table point.</param>
        public static void DoubleScalarMult(out GroupElementP2 r, byte[] a, ref GroupElementP3 A, byte[] b)
        {
            var baseTable = LookupTables.Base2;
            // todo: Perhaps remove these allocations?
            var aDigits      = new sbyte[256];
            var bDigits      = new sbyte[256];
            var oddMultiples = new GroupElementCached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
            GroupElementP1P1 acc;
            GroupElementP3   point;
            GroupElementP3   twoA;

            // Recode both scalars into 256 signed digits each.
            Slide(aDigits, a);
            Slide(bDigits, b);

            // Build the table: entry k is entry k-1 plus 2A.
            P3ToCached(out oddMultiples[0], ref A);
            GetP3Dbl(out acc, ref A);
            P1P1ConvertToP3(out twoA, ref acc);
            for (int k = 1; k < 8; k++)
            {
                Add(out acc, ref twoA, ref oddMultiples[k - 1]);
                P1P1ConvertToP3(out point, ref acc);
                P3ToCached(out oddMultiples[k], ref point);
            }

            GetP2(out r);

            // Skip the leading positions where both digit strings are zero.
            int pos = 255;
            while (pos >= 0 && aDigits[pos] == 0 && bDigits[pos] == 0)
            {
                --pos;
            }

            // Double once per position, then add or subtract the table entry each digit selects.
            while (pos >= 0)
            {
                GetP2Dbl(out acc, ref r);

                sbyte da = aDigits[pos];
                if (da > 0)
                {
                    P1P1ConvertToP3(out point, ref acc);
                    Add(out acc, ref point, ref oddMultiples[da / 2]);
                }
                else if (da < 0)
                {
                    P1P1ConvertToP3(out point, ref acc);
                    Subtract(out acc, ref point, ref oddMultiples[-da / 2]);
                }

                sbyte db = bDigits[pos];
                if (db > 0)
                {
                    P1P1ConvertToP3(out point, ref acc);
                    Madd(out acc, ref point, ref baseTable[db / 2]);
                }
                else if (db < 0)
                {
                    P1P1ConvertToP3(out point, ref acc);
                    Msub(out acc, ref point, ref baseTable[-db / 2]);
                }

                P1P1ConvertToP2(out r, ref acc);
                --pos;
            }
        }
Пример #8
        /*
         * r = p + q
         */

        /// <summary>
        /// Point addition r = p + q, with p in P3 form, q in cached form and the result in P1P1 form.
        /// </summary>
        /// <remarks>
        /// The fields of <paramref name="r"/> double as scratch space (r.X holds Y1+X1, then Z1*Z2,
        /// then the final X3), so the statement order below must not be changed.
        /// </remarks>
        /// <param name="r">Receives the sum.</param>
        /// <param name="p">First operand; only read.</param>
        /// <param name="q">Second operand in cached form; only read.</param>
        internal static void ge_add(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q)
        {
            /* qhasm: enter GroupElementadd */

            /* qhasm declares these field elements (fe):
             * X1 Y1 Z1 Z2 T1 ZZ YpX2 YmX2 T2d2 X3 Y3 Z3 T3 YpX1 YmX1 A B C D */

            /* qhasm: YpX1 = Y1+X1 */
            /* asm 1: fe_add(>YpX1=fe#1,<Y1=fe#12,<X1=fe#11); */
            /* asm 2: fe_add(>YpX1=r.X,<Y1=p.Y,<X1=p.X); */
            FieldOperations.fe_add(out r.X, ref p.Y, ref p.X);

            /* qhasm: YmX1 = Y1-X1 */
            /* asm 1: fe_sub(>YmX1=fe#2,<Y1=fe#12,<X1=fe#11); */
            /* asm 2: fe_sub(>YmX1=r.Y,<Y1=p.Y,<X1=p.X); */
            FieldOperations.fe_sub(out r.Y, ref p.Y, ref p.X);

            /* qhasm: A = YpX1*YpX2 */
            /* asm 1: fe_mul(>A=fe#3,<YpX1=fe#1,<YpX2=fe#15); */
            /* asm 2: fe_mul(>A=r.Z,<YpX1=r.X,<YpX2=q.YplusX); */
            FieldOperations.fe_mul(out r.Z, ref r.X, ref q.YplusX);

            /* qhasm: B = YmX1*YmX2 */
            /* asm 1: fe_mul(>B=fe#2,<YmX1=fe#2,<YmX2=fe#16); */
            /* asm 2: fe_mul(>B=r.Y,<YmX1=r.Y,<YmX2=q.YminusX); */
            FieldOperations.fe_mul(out r.Y, ref r.Y, ref q.YminusX);

            /* qhasm: C = T2d2*T1 */
            /* asm 1: fe_mul(>C=fe#4,<T2d2=fe#18,<T1=fe#14); */
            /* asm 2: fe_mul(>C=r.T,<T2d2=q.T2d,<T1=p.T); */
            FieldOperations.fe_mul(out r.T, ref q.T2d, ref p.T);

            /* qhasm: ZZ = Z1*Z2 */
            /* asm 1: fe_mul(>ZZ=fe#1,<Z1=fe#13,<Z2=fe#17); */
            /* asm 2: fe_mul(>ZZ=r.X,<Z1=p.Z,<Z2=q.Z); */
            // r.X is free again here: YpX1 was consumed when A was computed.
            FieldOperations.fe_mul(out r.X, ref p.Z, ref q.Z);

            /* qhasm: D = 2*ZZ */
            /* asm 1: fe_add(>D=fe#5,<ZZ=fe#1,<ZZ=fe#1); */
            /* asm 2: fe_add(>D=t0,<ZZ=r.X,<ZZ=r.X); */
            // D is the only value kept in a local (t0) instead of a field of r.
            FieldOperations.fe_add(out FieldElement t0, ref r.X, ref r.X);

            /* qhasm: X3 = A-B */
            /* asm 1: fe_sub(>X3=fe#1,<A=fe#3,<B=fe#2); */
            /* asm 2: fe_sub(>X3=r.X,<A=r.Z,<B=r.Y); */
            FieldOperations.fe_sub(out r.X, ref r.Z, ref r.Y);

            /* qhasm: Y3 = A+B */
            /* asm 1: fe_add(>Y3=fe#2,<A=fe#3,<B=fe#2); */
            /* asm 2: fe_add(>Y3=r.Y,<A=r.Z,<B=r.Y); */
            FieldOperations.fe_add(out r.Y, ref r.Z, ref r.Y);

            /* qhasm: Z3 = D+C */
            /* asm 1: fe_add(>Z3=fe#3,<D=fe#5,<C=fe#4); */
            /* asm 2: fe_add(>Z3=r.Z,<D=t0,<C=r.T); */
            FieldOperations.fe_add(out r.Z, ref t0, ref r.T);

            /* qhasm: T3 = D-C */
            /* asm 1: fe_sub(>T3=fe#4,<D=fe#5,<C=fe#4); */
            /* asm 2: fe_sub(>T3=r.T,<D=t0,<C=r.T); */
            FieldOperations.fe_sub(out r.T, ref t0, ref r.T);

            /* qhasm: return */
        }
        /*
         * r = a * A + b * B
         * where a = a[0]+256*a[1]+...+256^31 a[31].
         * and b = b[0]+256*b[1]+...+256^31 b[31].
         * B is the Ed25519 base point (x,4/5) with x positive.
         */

        /// <summary>
        /// Variable-time double scalar multiplication: r = a*A + b*B.
        /// </summary>
        /// <remarks>
        /// Not constant time: the main loop branches on the recoded digits of <paramref name="a"/> and
        /// <paramref name="b"/> and uses them as table indices. Call it only with scalars that are
        /// public, as in signature verification.
        /// </remarks>
        /// <param name="r">Receives the result in P2 form.</param>
        /// <param name="a">Scalar applied to <paramref name="A"/>.</param>
        /// <param name="A">Variable point; only read.</param>
        /// <param name="b">Scalar applied to the point behind <c>LookupTables.Base2</c>.</param>
        public static void ge_double_scalarmult_vartime(out GroupElementP2 r, byte[] a, ref GroupElementP3 A, byte[] b)
        {
            GroupElementPreComp[] baseTable = LookupTables.Base2;
            sbyte[] aDigits                 = new sbyte[256];
            sbyte[] bDigits                 = new sbyte[256];
            GroupElementCached[] oddA       = new GroupElementCached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */

            // Recode both scalars into 256 signed digits each.
            Slide(aDigits, a);
            Slide(bDigits, b);

            // oddA[0] = A; every following entry is the previous one plus 2A.
            ge_p3_to_cached(out oddA[0], ref A);
            ge_p3_dbl(out GroupElementP1P1 t, ref A);
            ge_p1p1_to_p3(out GroupElementP3 twoA, ref t);

            GroupElementP3 u;
            for (int k = 0; k < 7; k++)
            {
                ge_add(out t, ref twoA, ref oddA[k]);
                ge_p1p1_to_p3(out u, ref t);
                ge_p3_to_cached(out oddA[k + 1], ref u);
            }

            ge_p2_0(out r);

            // Find the highest position where either digit string is non-zero.
            int top = 255;
            while (top >= 0 && aDigits[top] == 0 && bDigits[top] == 0)
            {
                --top;
            }

            // Double once per position, then add or subtract the table entry each digit selects.
            for (; top >= 0; --top)
            {
                ge_p2_dbl(out t, ref r);

                int da = aDigits[top];
                if (da > 0)
                {
                    ge_p1p1_to_p3(out u, ref t);
                    ge_add(out t, ref u, ref oddA[da / 2]);
                }
                else if (da < 0)
                {
                    ge_p1p1_to_p3(out u, ref t);
                    GeSub(out t, ref u, ref oddA[-da / 2]);
                }

                int db = bDigits[top];
                if (db > 0)
                {
                    ge_p1p1_to_p3(out u, ref t);
                    ge_madd(out t, ref u, ref baseTable[db / 2]);
                }
                else if (db < 0)
                {
                    ge_p1p1_to_p3(out u, ref t);
                    ge_msub(out t, ref u, ref baseTable[-db / 2]);
                }

                ge_p1p1_to_p2(out r, ref t);
            }
        }
Пример #10
        /*
         *      r = a * A + b * B
         *      where a = a[0]+256*a[1]+...+256^31 a[31].
         *      and b = b[0]+256*b[1]+...+256^31 b[31].
         *      B is the Ed25519 base point (x,4/5) with x positive.
         */

        /// <summary>
        /// Variable-time double scalar multiplication: r = a*A + b*B.
        /// </summary>
        /// <remarks>
        /// Not constant time: which additions run, and which table entries are read, depends on the
        /// recoded digits of <paramref name="a"/> and <paramref name="b"/>. Call it only with scalars
        /// that are public, as in signature verification.
        /// </remarks>
        /// <param name="r">Receives the result in P2 form.</param>
        /// <param name="a">Scalar applied to <paramref name="A"/>.</param>
        /// <param name="A">Variable point; only read.</param>
        /// <param name="b">Scalar applied to the point behind <c>LookupTables.Base2</c>.</param>
        internal static void ge_double_scalarmult_vartime(out GroupElementP2 r, byte[] a, ref GroupElementP3 A, byte[] b)
        {
            GroupElementPreComp[] precomputedBase = LookupTables.Base2;
            // TODO: Perhaps remove these allocations?
            var slideA = new sbyte[256];
            var slideB = new sbyte[256];
            var cachedA = new GroupElementCached[8];         /* A,3A,5A,7A,9A,11A,13A,15A */

            // Recode both scalars into 256 signed digits each.
            slide(slideA, a);
            slide(slideB, b);

            // cachedA[0] = A; each later entry adds 2A to the one before it.
            ge_p3_to_cached(out cachedA[0], ref A);
            ge_p3_dbl(out GroupElementP1P1 t, ref A);
            ge_p1p1_to_p3(out GroupElementP3 doubled, ref t);

            GroupElementP3 u;
            int slot = 1;
            while (slot < 8)
            {
                ge_add(out t, ref doubled, ref cachedA[slot - 1]);
                ge_p1p1_to_p3(out u, ref t);
                ge_p3_to_cached(out cachedA[slot], ref u);
                slot++;
            }

            ge_p2_0(out r);

            // Skip leading positions where both digits are zero.
            int i = 255;
            while (i >= 0)
            {
                if ((slideA[i] != 0) || (slideB[i] != 0))
                {
                    break;
                }

                --i;
            }

            // Double once per position, then add or subtract the table entry each digit selects.
            while (i >= 0)
            {
                ge_p2_dbl(out t, ref r);

                sbyte digitA = slideA[i];
                sbyte digitB = slideB[i];

                if (digitA > 0)
                {
                    ge_p1p1_to_p3(out u, ref t);
                    ge_add(out t, ref u, ref cachedA[digitA / 2]);
                }
                else if (digitA < 0)
                {
                    ge_p1p1_to_p3(out u, ref t);
                    ge_sub(out t, ref u, ref cachedA[(-digitA) / 2]);
                }

                if (digitB > 0)
                {
                    ge_p1p1_to_p3(out u, ref t);
                    ge_madd(out t, ref u, ref precomputedBase[digitB / 2]);
                }
                else if (digitB < 0)
                {
                    ge_p1p1_to_p3(out u, ref t);
                    ge_msub(out t, ref u, ref precomputedBase[(-digitB) / 2]);
                }

                ge_p1p1_to_p2(out r, ref t);
                --i;
            }
        }
        /*
         * r = a * A + b * B
         * where a = a[0]+256*a[1]+...+256^31 a[31].
         * and b = b[0]+256*b[1]+...+256^31 b[31].
         * B is the Ed25519 base point (x,4/5) with x positive.
         */

        /// <summary>
        /// Variable-time double scalar multiplication: r = a*A + b*B.
        /// </summary>
        /// <remarks>
        /// Not constant time: the main loop branches on the recoded digits of <paramref name="a"/> and
        /// <paramref name="b"/> and uses them as table indices. Call it only with scalars that are
        /// public, as in signature verification.
        /// </remarks>
        /// <param name="r">Receives the result in P2 form.</param>
        /// <param name="a">Scalar applied to <paramref name="A"/>.</param>
        /// <param name="A">Variable point; only read.</param>
        /// <param name="b">Scalar applied to the point behind the <c>Base2</c> lookup table.</param>
        public static void ge_double_scalarmult_vartime(out GroupElementP2 r, byte[] a, ref GroupElementP3 A, byte[] b)
        {
            var baseTable = stellar_dotnet_sdk.chaos.nacl.Internal.Ed25519Ref10.LookupTables.Base2;
            var aDigits   = new sbyte[256];
            var bDigits   = new sbyte[256];
            var oddA      = new GroupElementCached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */

            // Recode both scalars into 256 signed digits each.
            Slide(aDigits, a);
            Slide(bDigits, b);

            // oddA[0] = A; every following entry is the previous one plus 2A.
            GroupOperations.ge_p3_to_cached(out oddA[0], ref A);
            GroupOperations.ge_p3_dbl(out var t, ref A);
            GroupOperations.ge_p1p1_to_p3(out var twoA, ref t);
            for (int k = 1; k < 8; k++)
            {
                ge_add(out t, ref twoA, ref oddA[k - 1]);
                GroupOperations.ge_p1p1_to_p3(out var multiple, ref t);
                GroupOperations.ge_p3_to_cached(out oddA[k], ref multiple);
            }

            GroupOperations.ge_p2_0(out r);

            // Find the highest position where either digit string is non-zero.
            int i = 255;
            while (i >= 0 && aDigits[i] == 0 && bDigits[i] == 0)
            {
                --i;
            }

            // Double once per position, then add or subtract the table entry each digit selects.
            for (; i >= 0; --i)
            {
                GroupOperations.ge_p2_dbl(out t, ref r);

                int da = aDigits[i];
                if (da > 0)
                {
                    GroupOperations.ge_p1p1_to_p3(out var u, ref t);
                    ge_add(out t, ref u, ref oddA[da / 2]);
                }
                else if (da < 0)
                {
                    GroupOperations.ge_p1p1_to_p3(out var u, ref t);
                    GroupOperations.GeSub(out t, ref u, ref oddA[-da / 2]);
                }

                int db = bDigits[i];
                if (db > 0)
                {
                    GroupOperations.ge_p1p1_to_p3(out var u, ref t);
                    GroupOperations.ge_madd(out t, ref u, ref baseTable[db / 2]);
                }
                else if (db < 0)
                {
                    GroupOperations.ge_p1p1_to_p3(out var u, ref t);
                    GroupOperations.ge_msub(out t, ref u, ref baseTable[-db / 2]);
                }

                GroupOperations.ge_p1p1_to_p2(out r, ref t);
            }
        }
Пример #12
 /*
  * r = p
  */
 public static void ge_p3_to_cached(out GroupElementCached r, in GroupElementP3 p)